Last week fortune smiled on me (again) as I was invited to Westminster Palace to debate cyber security. Did you know that fraud via the internet is now worth £34 billion in the UK alone? The face of organised crime has shifted from the Don Corleones to the Mark Zuckerberg types, and it’s mostly coming from outside the UK.
I could write a whole blog on the experience of being in such a hallowed building; it really was spellbinding and a giant privilege to be there. (I can hear my Dad now: ‘…we own the bloody building, they should be inviting us in and asking how many sugars we take in our tea. None of this bloody keeping us out, by invitation only, nonsense…’.)
Now I’ve been inside, going over Westminster Bridge on the number 12 bus will never be the same again.
The room was filled with navy-blue pin-striped suits. My lovely colleague, CISO for Channel 4, and I were also wearing navy-blue trousers. Made of denim. For some reason, when we said we worked in the media industry it generated a huge laugh. Given the phone hacking scandal, perhaps security and media in the same sentence could be viewed as oxymoronic.
The debate was fascinating. The Commissioner of Police, Adrian Leppard, Andrew Miller MP, Lord Erroll and the MOD, to name-drop a few, all had an interesting perspective. Although I fear it was far too esoteric and academic for the challenges that face me in the organisations I work in.
I’m still struggling to educate senior business leaders on the need for secure file sharing solutions rather than the plethora of free products out in the marketplace. One company I work in regularly shares VERY sensitive financial data using Google Docs. The company has a news blackout once a quarter while it prepares to report to the City, yet it still shares its documents in a non-secure, far from enterprise-grade, file sharing solution.
I know, it’s bonkers.
The move towards ‘Bring Your Own Device’ (BYOD) will be interesting around this, especially creating policy and governance for such an initiative. Technology departments can invest in secure user and device access controls. However, if business-sensitive data is on a USB stick or in a Dropbox somewhere, it’s a waste of money. Competitive edge could be lost in the most mundane of circumstances: someone getting a job elsewhere, for example. The technology department would be totally powerless to shut down a file-sharing application that does not sit on its network. That’s if it even knew about it.
Andrew Miller MP was right when he said ‘it’s a question of culture, training needs to happen from the top down’. Shifting mass cultural behaviours is hard, and we really don’t have a road-map for it. Helping key influencers in organisations (and they don’t need to be senior; sometimes it’s the personal assistants who hold all the power) understand the vagaries of data loss and the business impacts it could have is critical to generating empathy towards the importance of this stuff.
Any security transformation strategy (and there are many of them about as we gear up to the Olympics) needs to have the cultural and behavioural aspects front and centre.
At the heart of this is communication and trust – between technologists and their business partners – along with a belief, on both sides, that purpose and intent are aligned, rather than another cold-eyed technology process and policy roll-out.
It doesn’t have to be all carrot, but, Lord Erroll, it doesn’t have to be all stick either.