
Human factors are critical to securing digital transformation

Sourcing the latest cyber security technology to support digital transformation projects is all well and good, but it’s meaningless if you fail to address your organisational culture and the people within it

Two-thirds of UK firms say cyber security concerns prevent them from adopting new technologies such as cloud computing and the internet of things, according to a 2019 report by Ernst & Young (EY).

Fears that many of the exciting technologies that underpin digital transformation risk introducing new security vulnerabilities are becoming a potential hindrance to innovation. Are such fears justified? Or do they indicate an underlying reality that too many organisations simply don’t have an adequate cyber security strategy for the digital economy?

At Computer Weekly’s latest CW500 Club, run in partnership with recruiter Spinks, a diverse panel of CIOs, chief technology officers (CTOs) and chief information security officers (CISOs) came together to pick over the often vague concept of digital transformation and its relationship to the world of cyber security.

It concluded that it’s as much about the humans developing and using IT, as it is about making sure you’ve bought the latest and greatest security products.

But it quickly emerged that top of mind for many of those present around the table was the issue of awareness of cyber security within the business, the positioning of IT security teams, and wider cultural acceptance of cyber security hygiene.

For large enterprises, internal collaboration is key

Airbus CyberSecurity is a business unit within the aircraft manufacturing giant that provides security services and products to external customers, but also supplies services and products to the internal business.

Airbus has its own security organisations, with a chief security officer for each of its four home nations – France, Germany, Spain and the UK – and additional resources across each of its business units.

For its CTO, Paddy Francis, who began his career in government communications, one of the biggest issues is the pace of change within the wider IT landscape, and the fact that in many organisations various line-of-business operations now have so much freedom to go their own way.

In more human terms, multiple people with multiple agendas and multiple preferred tools now work across multiple parts of the business, and that introduces complexity – this is troubling if, like Francis, you come from a more traditionalist IT background.

He highlights a mantra that many in the cyber sector probably know all too well: “You can’t protect what you don’t understand.”

Without going into specific detail, he cites a past example from his own career of a service deployment that went ahead in haste and left the security team trying to figure out how to protect it after the fact.

“That’s the case with all the new systems – every cloud provider has a different system, different configurations, different levels of complexity. So if you’re using a new cloud service, even if it’s just something like Google Cloud, you have to get security on board at the beginning,” says Francis.

“Configuring that and setting it up is a security activity, not just an engineering activity. So that’s where I am seeing most of the problems coming from – people not understanding the complexity, not understanding what the issues are.

“Typically, on some of these systems, to make it work, you maybe need to change 10% of the default configuration. To make it secure, you have to understand the other 90%.”

For startups, the challenge is code

As a startup, Primarybid.com CTO Jonathan Moreira says he sees substantially different challenges to an enterprise of Airbus’s breadth and scale.

Primarybid.com was set up with the objective of democratising investment for the man-on-the-Clapham-omnibus. Via partnerships with stock exchanges worldwide, it has built a centralised infrastructure that connects listed companies with everyday investors, with the goal of enhancing the “capital formation process” – that is to say, raising money. It’s raised more than £65m so far.

But in the world of startups, things move fast, and this means that Moreira doesn’t necessarily have the time or ability to pore over every IT decision.

“How do we make sure that the developers we have are knowledgeable enough to build systems at scale that are secure while moving at a fast pace? How do we make sure that the code is secure, and that nobody’s making a silly mistake? That’s the sort of thing that can really cost you,” he says.

The issue of securing the development process, by which he means the developers, is clearly high on Moreira’s mind, especially in light of the recent Capital One data breach, caused by an external software engineer.

To lighten the load, Moreira has implemented a good deal of automated functionality and tools that deploy some machine learning functionality to detect if something is right, wrong, or just behaving a bit weirdly.

He runs regular code scanning and nightly automated penetration testing, in addition to regular Crest penetration test audits.

In this way, he says, he can detect problems that might stem from careless or malicious developer activity in the brief window of opportunity that exists before the problem becomes a full-on data security incident.

“There’s only so much you can do around it, but it’s about scanning those things, having all these different toolsets,” he says. “And the rest is coding practice. Making sure your developers are aware of the different validations – especially at the back end where you can never do too much validation – and especially on critical services.

“Identify where your critical services are and open validation up because a lot of attacks can also come from indirect object attacks, such as an API [application programming interface] being exposed. Maybe it’s internal, maybe nobody really knows about it, but the developer didn’t validate for it.”
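As an added illustration that is not from the article or from Primarybid.com, the snippet below shows the two gaps Moreira describes in a single internal API handler: a lookup that trusts a client-supplied identifier without back-end validation, and the hardened form that validates the input and checks that the caller is actually entitled to the object (direct object reference control). The data model, the handler names, the `finance_admin` role and the sample records are all constructed for this example.

```python
"""Constructed example: an internal API lookup before and after hardening.

The vulnerable handler is the "nobody really knows about it, but the
developer didn't validate for it" case: any authenticated caller who can
guess an id reads someone else's record. The hardened handler validates the
id shape, enforces object-level authorisation, and returns an identical
"not found" response for missing and forbidden records so ids cannot be
enumerated by comparing error messages.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_pence: int


# Constructed sample data store (stands in for a database table).
INVOICES = {
    101: Invoice(101, owner_id=1, amount_pence=12500),
    102: Invoice(102, owner_id=2, amount_pence=99900),
}

# Roles allowed to read every invoice regardless of ownership (assumption).
READ_ALL_ROLES = {"finance_admin"}


class ApiError(Exception):
    """Carries an HTTP status and a client-facing message."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


def get_invoice_vulnerable(request_user_id: int, raw_invoice_id: str) -> dict:
    """Insecure: trusts the id from the request and never checks ownership."""
    invoice = INVOICES[int(raw_invoice_id)]  # KeyError/ValueError leak as 500s
    return {"id": invoice.invoice_id, "amount_pence": invoice.amount_pence}


def get_invoice_hardened(request_user_id: int, user_role: str, raw_invoice_id: str) -> dict:
    """Validates the identifier, then authorises access to the specific object."""
    # 1. Back-end validation: digits only and a sane length, even if the
    #    front end already checked. Never rely on the client for this.
    if not isinstance(raw_invoice_id, str) or not raw_invoice_id.isdigit() or len(raw_invoice_id) > 18:
        raise ApiError(400, "invalid invoice id")
    invoice_id = int(raw_invoice_id)

    # 2. Object-level authorisation: the caller must own the record or hold a
    #    role that is permitted to read all records.
    invoice = INVOICES.get(invoice_id)
    permitted = invoice is not None and (
        invoice.owner_id == request_user_id or user_role in READ_ALL_ROLES
    )
    if not permitted:
        # Same status and body for "missing" and "not yours".
        raise ApiError(404, "not found")

    return {"id": invoice.invoice_id, "amount_pence": invoice.amount_pence}


def call(handler, **kwargs) -> tuple[int, dict]:
    """Tiny request wrapper: maps a handler result or ApiError to (status, body)."""
    try:
        return 200, handler(**kwargs)
    except ApiError as err:
        return err.status, {"error": err.message}


if __name__ == "__main__":
    # User 1 reading user 2's invoice: the vulnerable handler happily serves it.
    print("vulnerable:", call(get_invoice_vulnerable, request_user_id=1, raw_invoice_id="102"))
    # The hardened handler refuses, and treats malformed ids as client errors.
    print("hardened:  ", call(get_invoice_hardened, request_user_id=1, user_role="member", raw_invoice_id="102"))
    print("malformed: ", call(get_invoice_hardened, request_user_id=1, user_role="member", raw_invoice_id="102abc"))
```

The ownership check is the part scanners and nightly automated tests tend to miss, because the vulnerable endpoint is functionally correct for a well-behaved client; it only fails when a different caller supplies an id that is not theirs, which is exactly the case worth writing an explicit test for on every critical service.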

Balancing security and innovation

The discussion among the security experts zeroed in on how to build a solid security posture in the business while still enabling freedom to innovate in new digital environments. For both Moreira and Francis, who work extensively with technical teams, it’s about creating a culture in the IT organisation that prioritises absorbing, cutting-edge work.

In organisations such as Primarybid.com, with its focus on innovative fintech, and Airbus CyberSecurity, which is focused on threat hunting and defence, this is not such a hard task.

But when dealing with other parts of the organisation, getting buy-in for security is perhaps even more critical. So how should one go about making security interesting for sales, finance, marketing or human resources?


“It really depends on your industry,” says Moreira. “You’re going to have different stakeholders with different levels of education. For me, it’s just about trying to take baby steps to educate them, show them value and show them risks.”

Airbus’s Francis adds that it’s critical to demystify the security products you push to regular users – something his organisation is actively researching. For example, he says, it is important to understand how the user interface (UI) affects user behaviour, and to make sure it doesn’t inadvertently push users into incorrect behaviours.

“One of the things we find is that if you lock down everything so that nobody can do anything, they will find a way around it, which is highly insecure,” he says.

Make sure employees ‘get’ security

Chris Charlton, head of infrastructure and architecture for the Metropolitan Police, says making cyber security part of the organisational culture is vital.

“We’ve found that if you talk about security architecture, it isn’t just a bit of antivirus or firewalls, it’s about culture, making sure people understand it,” he says.

“It’s not just a case of going on a course and making sure you don’t hack stuff, it’s actually knowing that these are the threats. You must make your staff part of your security process.

“That doesn’t mean you don’t have all those other things, but it’s about layers and helping people understand why they must do things. If people know why they’re not allowed to do what they’re doing, then they don’t do it,” he adds.

“You have to make sure that your staff know why they’re doing this. We mention things like role-based access to make sure that people just have access to what they need. That’s good working practice, not security practice.”

Sarah Shilling, chief marketing officer at marketing services organisation Unlimited Group, adds: “Your employees are your best advocates and your best security, so if they’re not on point with everything then everything’s flawed. You’re only as strong as your weakest point, and if that’s an employee then you’re flawed no matter what security software you put in.”

Neil Batchelor, chief operating officer (COO) of Lacero, a supplier of authentication, verification and security policy enforcement services, says: “That’s why they coined the phrase SecOps [security operations]. In the same way they coined DevOps, because at one point you had the development silo and the operations silo and that’s come together somewhat – now you have SecOps, which is trying to integrate all of those things.”

Change starts at the top and at home

Carl Henriksen, CEO of managed services provider Oryx Align, argues that cultural change has to begin in the C-suite and trickle down. “It really has to come from executive board level,” he says. “The only way to get down to the employees is if it is adopted from the top down.”

However, Henriksen adds, this can be a mission too. “The issue with senior board members is that there seems to be this huge knowledge gap in terms of cyber security,” he says.

But Unlimited’s Shilling has another theory: “We’re all consumers, we’re all people, we’re all humans. We hate it when we get hacked, whatever platforms we use,” she says. “It’s taking that and putting that into the business world.”

Francis agrees that relating security to people’s own lives can help. “One of the ways of getting people aware is to give them the information to protect their own networks at home,” he says. “Then they realise what might happen to them and they bring that back into the workplace.”
