A robust security-first culture will tackle any security threat


I’m going to keep this blog post short and sweet because I’ve been banging this particular drum for a while. The beat will be familiar, so I don’t need to press the point at length.

Earlier this year there were plenty of headlines around the news that infrastructure firms could face fines of up to £17m if they do not have adequate cyber-security measures in place.

The proposals from the Department for Digital, Culture, Media & Sport satisfy requirements under the EU Network and Information Systems (NIS) Directive, which comes into effect next May. The NIS Directive relates to loss of service rather than loss of data, which falls under that other headline-magnet the General Data Protection Regulations (GDPR). Both have, rather neatly, settled on 4% of global turnover as the maximum level of fine for the most serious failings.

My problem with stories like these is that they may unwittingly misdirect people. They always revolve around ‘cyber-security measures’ as if it’s a simple matter of having solid security tech, with the standards to back it up. If only it were that easy. In the current climate, the security threat is morphing every day; the only way we have a hope of dealing with it is to have a robust security culture in place, a culture that flows from the top and permeates every part of the organisation. That way you get the tech, the process, the people, the know-how and the experience, all synthesised into an assured, engaged, security-centric whole.

And when you have that, new strictures and eye-popping penalties don’t tend to unsettle you, however hard the headline writers try. That’s because with the right fundamentals in place, you only ever have to look at the deltas, the one or two points of difference that you need to address; without those fundamentals, without that security DNA, anything new can assume gigantic proportions and be hugely destabilising: you’re not sure where to look first and how to move forward for the best.

Here at Redcentric I’m aware that we are dealing with a fast-moving cast of attack vectors and that this challenge is only going to intensify. But we are well placed to defend ourselves and our clients because we have aligned our culture, our structure, our people, our policies and our training to embed a security-first governing framework across the business. We can cope with emerging threats, and we are comfortable with new regulations. For us, these represent a minor adjustment, rather than a seismic change.

And let’s go back to those regulations for a second. Because if you read the actual stories or government advice that accompanies things like NIS, you should see a recurring theme: no-one is going to throw the book at those who have tried their best. The strongest punishment will be for those who have been wilfully negligent. Implicit in negligence is a lack of care, a disregard for both protective measure and prudent mindset. That puts you right in the crosshairs of both regulator and attacker. A security-first culture is predicated on care, and if you can evidence that care in every dimension, from tech to people, investment to strategy, procedure to certification, you’re never going to be one of the 4% brigade.

I think I’m going to put a ban on the term ‘cyber-security measures’. Because if you’re relying on them to save you, the game is already lost.
