“I get quite frustrated with the cybersecurity industry” says Andy France, Deputy Director of Cyber Defence Operations at British Intelligence Agency GCHQ. “We have to think differently.”
France was speaking at the Telstra Cyber Security Forum at the company’s Sydney experience centre yesterday where he outlined how organisations are rethinking about protecting their data.
“What we haven’t realised is just like the Bronze Age, the Stone Age, the Industrial Age and the Internet Age, we have to think differently about what that means to in terms of security and privacy. We have to think differently about how we build systems.”
The biggest problem France sees in the industry itself are the lack of skills to build those secure systems, a situation he believes is partly created by the sector’s credentialism gaining certifications is several orders of magnitude more bureaucratic than becoming a fighter pilot.
In contrast the bad guys who France splits into five groups – script kiddies, hacker collectives, crime syndicates, hackers for hire and nation states – have no such concerns about certificates and accreditation.
“You have serial collectors of letters after their names,” he states. “We’re putting an artificial bar against the people with the new thought processes that are going to help us address this problem.”
“It feels like the criteria has been set up to create a nice little market so we can control day rates,” French says, “in a world where we’re screaming out for talent and need people to come along who are interested and challenged by the subject.”
Apart from the trap of credentialism, the real concern for businesses and users should be the integrity of data in France’s opinion. We need to be certain information is accurate, a problem that will be exacerbated as businesses processes are automated around data streams being connected by the Internet of Things.
France suggests three principles should underlie an organisation’s data defences; having systems in place to spot early indications of a problem, obey the five ‘knows’ and understanding your network.
Understanding your network, what France calls the ‘defender’s advantage’, is the most essential task of all for someone protecting their organisation’s data. “Is someone knows your network better than you then that should be a criminal offense,” he states. “To get the defender’s advantage in place you need to understand your network.”
“Technology in itself with not keep you safe.” French says and describes security as being subject to Pareto’s Law where most vulnerabilities are mundane background noise, “we need to have a balance where technology looks after the 80% and we have the people and processes in dealing with the unexpected 20%.”
“It’s certainly not going to get any better,” French warns about the trends for cyber security in 2016. For most companies and system administrators it’s going to be a matter of being alert and having the processes in place to deal with the unexpected.