The Mishcon Academy Digital Sessions
Joe Hancock
Thank you for joining us today. This is ‘Can we reduce the cost of cyber security?’ Talking through some strategies to cut costs while maintaining a good level of security for all of us. Security is one of these areas that’s very much in its infancy. I think we’ve been an industry of increasing budgets every year. So, we thought it was a good idea to try and tackle some of those issues. I’m joined by Alexandra Whiston-Dew, who’s going to be chairing this session. Alex is from our Reputation Management Team and I’ll let Alex introduce herself.
Alexandra Whiston-Dew
As Joe said, I’m a Partner in the Reputation Team here at Mishcon and tend to deal with companies that are going through the crisis times of when cyber security goes wrong but more importantly are the other panellists today and we have from MDR Cyber, Mike Owen who is a Director of Cyber Consulting at Mishcon and also we have Simon Lamb. Simon is the European Regional Risk and Security Officer for Compass Group. The level of cyber-attacks increases as people continue to rely on or as they, people continue to rely on technology more and more. So, we were talking about the amount of money that you spend on implementing technological solutions or developing technology and then balancing that out with cyber costs. Is that something that can be done and especially now, is it reasonable to reduce the cost of cyber security?
Joe Hancock
What we’re seeing is you know, there’s greater reliance on technology which we’ve been talking about for the past decade. And if we accept partly that technology and cyber risk are intertwined then instinctively you think the more you spend on technology, the more you spend on digital, the more you’ll have to spend on cyber security. It used to be that you would apply good risk-management principles. You try and work out what all your risks were, work out what to do about them and every cyber security person is taught that you can accept risk and you can transfer it as well as trying to protect against it. However, in reality I have never really seen a structured process for someone just saying, ‘Actually you know what we’ve got that cyber security risk over there. We’re not going to spend any money on it. We are going to accept that that will happen’. If we are going to accept that every business is going to be digitally transformed and we’re going to live in this different world, we can’t carry on with a sort of steady march of increasing cyber security budgets. At some point we have to think about how we do some of these things differently.
Alexandra Whiston-Dew
Simon, from your perspective are you, are you coming from this at the same angle as Joe? That it’s not possible to get that proportion level with the amount of money that’s spent on technology?
Simon Lamb
Absolutely I think for me it’s very much a case of being able to focus on doing the basics brilliantly. I echo Joe’s thoughts around the whole sort of risk management piece and really identifying where your Crown Jewels are and focusing your attention on there and really starting to make sure you’re doing things like patch management, asset management, multi-factor authentication. The basic stuff that any reasonable organisation would expect you to have in place.
Alexandra Whiston-Dew
And Mike, from your experience from both working within organisations that have this problem but also advising clients who have this problem, what can you add to Simon’s practical tips there, in terms of doing the basics very well?
Mike Owen
We are moving beyond the days when everyone in security is going to be able to have a joint team doing everything that you could ever want to from a cyber security perspective. What we need to start thinking about doing is figuring out how we can work with other teams to enable them to do cyber security, empowering people to actually make informed security decisions on your behalf.
Alexandra Whiston-Dew
Quite a difficult balance to achieve isn’t it? Because you can imagine a CEO not being particularly happy with that kind of unexplained level of risk so Simon how do you explain that to people who need to understand how to be more mature at this time when technology’s growing so quickly?
Simon Lamb
My thoughts are very much along the line that it should be a business-led cyber security strategy and simple things like making sure you’ve got the right level of representation on your various steering and governance boards. Previous companies such as Royal Mail very much started to invite people to be more part of the journey and actually get some really good input and thoughts from these people. One thing I very much used to encourage my previous teams is that you need to take accountability for making sure that people understand what you’re trying to tell them. So, rather than being the sort of the techy and being, ‘Oh, we need these firewalls and these various ports open etcetera, etcetera’ 90% of the people within the business just won’t understand that and it’s our job to translate that and make sure that they do understand it and take accountability for that.
Alexandra Whiston-Dew
And Joe, from your experience of talking to people at those various different levels in the business, how do those conversations go and how is money involved in those conversations?
Joe Hancock
You see this in all disciplines, is an inability for people to talk in the language of somebody else. But no, I think that is money involved? I mean, yes. When you’re having those senior-level discussions you know, money is always involved. Once you get past a certain point you need to be saying, ‘Well, this is how much it’s going to cost to run the team. This is what the people are going to cost. This is what I’m going to have to spend on technology. But here’s actually how much this is going to cost as an organisation if we don’t get it right. What’s the cost of our reputation? What will the impact on various areas of our business be?’ There’s definitely more of a trend in those conversations, I think, to talk about quantifying cyber security risk but to have those conversations in the first place, you need to be speaking the language of the people you’re speaking to.
Simon Lamb
So, one of the things I found quite powerful was enabling those conversations was defining a company’s risk appetite and then by working with the board and saying or with the risk committee in this case ‘Right okay. Our risk gap is this and defining a statement against it we can then map enhancement and maturity programmes against a target level of maturity as well’ and that then enabled the conversation to say, ‘Right we’re not going to achieve perfection here, we’re not a, a Government company that’s making very, very secret stuff and therefore we don’t need to aim for a five out of five maturity in lots of our areas’.
Alexandra Whiston-Dew
How do you make that pound stretch further in times of the global pandemic, Brexit where budgets are getting really, really tight?
Simon Lamb
First of all the focus on do you really need the most expensive solution? The second thing then, a lot of us work in outsourced IT environments so it’s making sure we get the most out of our IT outsourced partner, working with the vendors directly and saying, ‘Right can you come up with something creative and something a bit more entrepreneurial when it comes to your licensing models?’ The other piece for me is that in a large complex outsourcing environment it’s very easy for the detail to slip through the net.
Alexandra Whiston-Dew
Mike, what else might you be looking to in terms of preserving what you need as a core and what can we take away from the budgets?
Mike Owen
It sort of goes back to prioritisation around the threats that you honestly see the business facing and how what you have in place addresses those threats. If the business were to come back to you with, for example, a lower budget than you had asked for and you had a good, quantified means of justifying all the elements in that budget then it comes back down to a mature conversation with the business. Modern businesses run with a number of risks. The only reason why they have previously assumed that they weren’t running with cyber risks was because we didn’t have those mature conversations where we were properly explaining to the business why certain things couldn’t be done. So, if money’s tight that makes it even more important that you have those mature conversations.
Alexandra Whiston-Dew
And Joe, what have you seen from the wider market that feeds back into these points?
Joe Hancock
Risk management used to be the be-all and end-all of cyber security. You know, ‘We’re going to identify our risk and we’ll do no more or less than the risk dictates and that means we’re doing exactly what we need to do’. I just don’t think that’s true anymore. I think that risk management has become this huge beast where we identify all of this huge amount of risk and now we have to do something about all of it because look it’s really risky. I think actually we’re seeing some trends mainly coming out of US Government and actually are not necessarily becoming risk-based but becoming threat-based. So, working out exactly what the people you care about are going to do to you and how they’re going to do it and in there that means that you know. you have to make some decisions. Sometimes you have to admit that sometimes you’re not very interesting as a business. The people who are going to attack us look like this. Maybe you’re worried about ransomware gangs. They’re going to do it in this way and I’m going to make sure I’ve dealt with those things specifically based on some data and hard science. The other thing I think is that actually there’s a need to do some of the more boring stuff in cyber security. So, this is looking at how you manage cyber security as a function or as a process. Everyone has all these great playbooks or great processes on how the process should work, very few people look at how the process does work on the ground. I think seeing cyber security professionals start to look at what they’re actually doing, where there’s waste in those processes and those processes can be tailored down to deliver exactly what is needed to prevent those threats, feels like the direction of travel for me and we’re seeing some early signs of this on the threat-based side of things.
Alexandra Whiston-Dew
And Mike, have you seen other organisations try a similar thing? Where’s it gone well, where’s it gone wrong?
Mike Owen
People are starting to take threat assessments much more seriously and obviously you can get that done in-house. You can get third parties to do it for you but it has proven a very valuable way to do exactly what Joe’s describing. So, you figure out what your threats are, you figure out how they act and then using something like the Mitre Att&ck framework. You start to decompose that into what they do.
Alexandra Whiston-Dew
Is there enough people with the right skills in these organisations or not?
Simon Lamb
I think the people within the organisation are going to know their business the best but I think then bringing in you know, external third parties who have done this maybe a few times before and helped and guided companies through that and then can bring their experience. But making sure that you’re not just being you know, you’re not just, you’re not just taking what your third party is telling you, you’re applying a level of your own business context against it.
Alexandra Whiston-Dew
How does that resonate with you Mike?
Mike Owen
If you think of a security team that’s been working a certain way for a number of years, suddenly turning up to the board and saying, ‘We’ve come up with this completely new idea’ can raise a few eyebrows and in cases like that it definitely is worth having someone behind you who has done that change before. I can also say having worked in-house at security teams, there is this unfortunate truth that Simon’s pointing out that if a consultant comes in and says the exact same thing that you’ve just said, it may have more weight behind it and that’s just a fact of life for us, unfortunately.
Alexandra Whiston-Dew
Joe, what… can you add anything to that point?
Joe Hancock
There is no doubt a skill shortage in certain areas. We need more people in cyber security. We also need cyber security to be a lot more diverse. As you can see from this panel, cyber security is not a diverse industry at the moment. I am buoyed by you know, we see cyber security apprenticeships now. We have some ourselves inside our organisation. There are more and more pathways are leading to cyber security which will lead to a better, more diverse industry with better outcomes and ultimately, reduced cost.
Simon Lamb
I think there’s also things that we can do as security professionals to try and encourage people to be interested in our subject. Before Covid I was planning on speaking at my boy’s secondary school and doing a series of workshops just to show them, this is what cyber security’s all about and try and encourage those interests. I think as professionals the more we can do to encourage people to be part of this, of this environment, the better.
Alexandra Whiston-Dew
We’ve got a bit more time before we need to conclude the session. I was wondering if there was any point from the panellists that you wanted to raise in connection with this subject?
Joe Hancock
The one things I thought it was perhaps worth us talking about, Alex, is since we’ve got you here and your rather unique skill set in cyber security, Alex as she mentioned in her introduction is one of our Reputation Manager lawyers so, Alex spends a lot of time either stopping people getting into high-profile trouble or potentially getting them out of it which can include a cyber incident and we lean heavily on Alex and her team for that. So, one of the things that we see a lot from security vendors is the you know, your company’s reputation will cost you X, and reputation is held out as this kind of almost the holy grail of the thing that can be damaged the most. I wondered if you had any thoughts on actually kind of what does reputation cost? What is reputational damage?
Alexandra Whiston-Dew
One of the major issues when you’re trying to bring a claim in Court in relation to reputation damage is actually demonstrating the damage that has been caused. It’s a general erosion of confidence that I think is the real determining factor in these times of crises. When a crisis like a cyber attack comes along that trust is eroded and people will just start voting with their feet by just choosing alternative organisations to provide their products or systems that they have been purchasing from the client.
Joe Hancock
In terms of kind of protecting reputations then, do you think it is better that organisations invest in protecting reputation first and early or actually is it the same as the cyber security strategy we’re proposing which is to you know, detect if there’s an issue that might affect your reputation and respond to it?
Alexandra Whiston-Dew
I think there are some maybe three key things to remember when it comes to a reputation crisis. The first thing is to make sure that you’re doing at least the industry standard in terms of protection of your customers or information or whoever your stakeholders are. The second is to do what you’re… do what you say you’re going to do and don’t over-promise and then finally, I think the key thing is have your team ready. Make sure that you can turn to the best people that you can to help you when things do go really wrong. If you’re bored, do not understand about cybersecurity and the risks of any fallout and they are going to be the poster person or the spokesperson, give them the language that they need to understand and explain to your customers, shareholders or any other third party.
Joe Hancock
Thanks Alex, that’s really useful.
Alexandra Whiston-Dew
I should probably conclude this section by saying thank you very much to the panellists, Joe Hancock, Mike Owen and Simon Lamb for taking us through this very interesting, interesting discussion of cyber security and costs and look forward to speaking with you all again.
The Mishcon Academy Digital Sessions
To access advice for businesses that is regularly updated, please visit mishcon.com.