Martin Lee CEng, EMEA Lead at Talos, Cisco, spoke at Governance 2022 about cybersecurity and how to manage cyber risk.
Martin has worked in cybersecurity since the mid-90s, and the depth and breadth of his knowledge were clear. At the conference, so too was his ability to describe the challenges of cybersecurity in accessible terms. He described investigating cybercrime as being similar to looking ‘at the scene of any crime; there are fingerprints. As a security researcher, your job is to find out where those fingerprints are and what they look like.’
When reflecting on the changes that had taken place over his career, Martin noted that, ‘As our use of technology changes – and technology is a wonderful thing and brings us all sorts of advantages – so those negative actors look for ways to subvert that technology to their own ends.’
The WannaCry and NotPetya attacks in 2017 were a watershed moment for many organisations. While lamenting that the situation had to reach that point, Martin pointed out that from then on, ‘Boards could no longer ignore the cybersecurity point of view even if they wanted to. Technology is touching everything that we do in business.’
Practical tips
Outlining the kinds of mechanisms that organisations can put in place to make sure that they are preventing and detecting attacks, Martin said, ‘It’s a matter of understanding what it is you’re trying to do and thinking about the risks associated with it. I’d hesitate to say that there’s a one size fits all, however, there are some very clear, easy things that will go a long way in achieving protection.
‘At a bare minimum, make sure that you’re authenticating your users. Two-factor authentication is an absolute must. We need to make sure that our data is encrypted, both at rest – by having an encrypted disk on the laptop – and in transit – by using encrypted connections such as a VPN. The other part is having desktop antivirus or a program that can detect and remediate attacks, and that should be running on every system – not just on laptops but on the servers and the cloud. This way, if something bad does happen you can spot it and you can block it very early on. For day-to-day work those measures will take you a long way.
‘Reviewing the decisions and assumptions that have been made and checking whether those are still true annually would be a very good way of staying on top of things. If you’re not worrying until things go wrong, that’s where you’re going to get into trouble.’
‘Ultimately, good cyber risk governance is based around understanding the risks associated with what we’re trying to achieve and questioning what the bad guys could do to subvert it, or what unintentional human consequences could cause it to go wrong. Then you look at how you prevent these bad things from happening and how you detect them early if they do. If you follow any kind of risk management process for your technology projects, cybersecurity will be part of that, and you’ll identify what cybersecurity controls you need to have in place. It doesn’t have to be complicated; we are equal to the threat.’
The role of the governance professional
Martin believes that governance professionals can help to build the ‘understanding that any project will have a technological component with associated cybersecurity risk. Cybersecurity must be something which is raised for every project that a board is kicking off. Many organisations will already be doing risk management for so many other things, it’s just a case of taking that process of reflection and applying it to technology and cybersecurity.’
This is an excerpt adapted from an interview featured in the August 2022 issue of G+C.