An interview with Steve Durbin, CEO of the Information Security Forum
With the Covid-19 pandemic forcing so many organisations to alter their strategies and practise remote working, new possibilities have opened up for cyber criminals. Yet many believe that the pandemic has ultimately been a catalyst, highlighting the vital importance of cyber hygiene. If cyber crime is the new normal, does our approach to security need rebooting in the post-pandemic world? The European spoke to Steve Durbin, CEO of the Information Security Forum (ISF), the independent authority dedicated to cyber, information security and risk management, which provides research, practical tools and guidance to help organisations defend against the security challenges that impact business today.
It has been a tumultuous last year. How has the cyber security landscape changed during this period?
Steve Durbin: The last 12 months have been completely unpredictable. From a security standpoint, the cyber exercises and methodologies that most businesses had in place before the pandemic did not foresee any eventuality such as this. Having said that, I think that security has held up very well. This is due to the vital role that security professionals play in pretty much every sector, as it is difficult to find a business in the modern day that is not digitally enabled in some way, shape or form. If you are digital, you need cyber security, and that means you need a professional who knows how to protect your digital assets from any unexpected events. The pandemic is the most perfect example of an unexpected event that we have experienced in a very long time.
Looking ahead, and with so many continuing to work from home, is it going to take more than just technology to protect us from cyber crime?
Technology is the answer to a certain extent. But for me it is about balance. Aspects such as artificial intelligence have an incredibly valuable role to play in the security space. A lot of the more monotonous tasks, like network monitoring, are operations that are perfectly suited to the application of technology. However, there is always a role for people to play in security. For instance, technology would not have been able to cope on its own given the instability and change that the pandemic wrought; we needed people there to be able to use the right skills, tools and processes to get our businesses up and running. After a certain period of stability, technology is then able to take over once again. That for me is people and technology working in harmony, to the benefit of cyber security.
We’re living in an age of global sociopolitical and economic instability, with a world economy dependent on online resources. Is this the perfect breeding ground for cyber crime?
One of my main concerns at this current time is cyber fatigue. You should only ever spend a certain amount of time in front of a screen. I have been practising restraint and ensuring I spend time away from my devices, as the tendency is to always do that next Zoom call. This attitude can cause tiredness very quickly, and that is a major opportunity for a cyber criminal. When we are tired, we make mistakes. We click on something that we shouldn’t, and these individuals are very aware of that.
Economic instability can also pose a serious threat, as cyber attackers are opportunistic but also think through their approach. If they know there is going to be significant value in pharmaceuticals or biometrics over a certain period, they will aim their attacks at institutions in those sectors. The advantage of time is on their side; they don’t need to be successful with every attack, they just need to break through the defences once. Businesses are constantly having to defend, and that in itself is tiring. As much as cyber fatigue and global instability give cyber criminals an advantage, so too does some technology. There is a case to be made that the skill level required to mount an attack is slightly diminishing, as individuals can simply buy a tool or program to carry out the attack for them.
What do you believe will be the next major target for cyber criminals?
There are several developing issues that should be seen as potential targets. Biometrics is certainly one of these. Many people wear or have devices that are linked to their own biometrics, and that opens up all sorts of opportunities for cyber crime. Ransomware will unfortunately remain one of the biggest risks to businesses, one that I do not see going away in the short term. The exploitation of supply chain loopholes and the infiltration of systems that are stretched over multiple geographies involving many different suppliers is also progressively attractive to cyber criminals.
This increasing multitude of threats all has to be considered by security organisations when weighing up the deployment of resources, time and money. The best advice I can offer is to reset and understand what is absolutely critical to protect, because you simply cannot protect everything across the corporate landscape anymore. Simply put, it is a shift from prevention and protection to response and resilience.
We are in an economic downturn and cash is tight. Should organisations prioritise cyber security products and strategies?
A lot of it has to do with focus. There is a new aspect to the Chief Information Security Officer’s (CISO) role of trying to demonstrate a return on investment. This is not an aspect that security has been good at in the past, but the fact is that it is now more important than ever. Senior management are expecting to see a return on spend. If we look at sectors that have suffered the most from the pandemic, like retail and aviation, the job of the CISO across these sectors has become very tough, as they are constantly in conversation with those above them, who are expecting to see positive results.
As life gradually returns to normal, what can businesses take forward from this period of upheaval?
We must see this situation as an opportunity to raise awareness of how exposed we are online. In the last 12 months we’ve become so dependent on the internet and technology, so from a security standpoint it should be much easier to demonstrate the need for safety when online. This needs to be reflected in training and awareness courses; there is a need to make every part of that educational cycle very relevant, right the way down to the individual. Initiatives like the “gamification” of security, or small bite-sized awareness exercises that employees can dip in and out of on mobile devices and tablets, are the future for security awareness. Take it out of the corporate environment and bring it to people where they are comfortable.
How do you see geopolitical tensions playing into the issue of cyber security?
We are moving away from a world and a system of governance that is open to sharing, and entering into an atmosphere of isolation, and tighter in-country control of data. The concern here is that we may lose out on essential collaboration. We need governments to work closely with the private sector and collaborate across geographic boundaries, especially with large groups of people coming online for the first time in parts of Africa and Asia. The combination of increased access to technology and growing isolationism creates new opportunities for cyber criminals. However, I do think there is a burgeoning awareness from governments that they need to prioritise cyber security. For instance, we’ve recently seen a sharpened focus on cyber in the USA from the Biden administration. In the UK, a recent government report (the Integrated Review of Security, Defence, Development and Foreign Policy) named cyber security as one of its four key objectives. There is a marked shift in understanding that cyber issues are real, and something that government must pay attention to. The challenge is how governments implement regulation. We want broad guidelines and protection where it is needed. But we must avoid a highly regulated, forcibly compliant environment that frustrates business, especially as we emerge from the global pandemic.
What happens to those that fail to update their systems and security plans?
A lot of larger organisations, banks for example, are not going to be able to migrate from legacy systems within a short timeframe. That said, there is a difference between having a migration plan that is helping to build resilience as it is slowly carried out and completely ignoring the need to change. If you ignore the threat, it is likely you won’t survive. Every organisation will be a digital organisation to some extent; this is the case across all sectors. This means it is vital to consider how you are going to secure your assets, whether on legacy systems or new emerging systems. The best way to do this is to start with the data, understanding what is critical to your business’s success and how you can protect it, and build out from there.