With over 20 years in the IT industry, over 10 of which have been spent in information security, Ste Watts has worked in a number of sectors primarily tasked with protecting critical national infrastructure. Ste has been responsible for developing and managing key capabilities such as cyber forensics, penetration testing, cyber threat intelligence and incident response. Ste was recently appointed to the EC-Council’s Global Advisory Board, where his role is to help to build capacity and create awareness among businesses, government and citizens in the field of cyber incident response.
What is your overall approach to information security?
My approach is a fairly simplistic one: enable the business to meet its goals whilst reducing cyber risk. This is a lot easier in theory than in practice, but it is the cornerstone of how I approach my role. Our role as security professionals is to show the business that we are an enabler for them, but also to help them to understand that this needs to be balanced with their risk appetite. Once that appetite is agreed, it can be used to help support your future decisions and requirements in a way that the board understands.
How do you convey to the board the message that – with regards to cybersecurity – you can minimize the risk but you are never going to be 100 percent secure?
This is a really good question and one that caused me a lot of consternation in my early days in my cyber security career, when I wanted to solve all the problems in front of me. Over time I realised that there is no such thing as 100% protection, and I stopped trying to “boil the ocean”, so to speak. Focus should be on reducing the likelihood of a compromise as much as possible given the constraints that we have to work with, whilst also ensuring that, should the worst happen, plans are in place to respond effectively so that any potential impact is minimised.
When we hear of multi-million pound companies, who have the latest technology, who employ the most skilled people in the industry and have access to the latest threat intelligence but are still getting compromised, you soon realise that it’s not a case of if but when. It’s a business’ ability to react to an incident and minimize impact that will set them apart and ensure their longevity. A good board understands this and realises that it’s all part of the company’s risk management process.
Some people call for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies. What is your take on this?
I am a big believer in security drills, cyber threat exercises and such. They help to test a company’s playbooks and processes in a controlled manner to help increase “muscle memory”, whilst providing a no-blame environment where “failure” is an opportunity to improve and succeed. Conversely, though, over-testing can lead to a “boy who cried wolf” mentality that dilutes any potential benefit, so it is imperative to strike the right balance.
Tests should include table-top exercises, where key responders sit around a table and walk through a potential scenario using their playbooks, as well as “live fire” drills, whereby responders are tested without prior knowledge. This is key to evaluating how well staff respond when they are not in a controlled environment with time on their side. This can make all the difference in a real incident.
Security and IT professionals are bombarded with news about cyber security issues. How can they filter out the noise and determine what issues really matter?
Firstly, you need to establish what is a relevant risk to your organisation. For example, if your company only has a brochureware site, then DDoS may be less of a concern compared to a business that relies on its Internet presence to attract and retain customers and to generate revenue on a daily basis. Therefore, your threat intelligence requirements may not focus heavily on DDoS.
In a world full of so-called “cyber intelligence sources”, it is key to establish which sources are relevant, reliable, timely and provide actionable intelligence. Choose sources that are well established within your sector and that collect information from a wide number of trusted sources.
In the finance sector these could be groups such as FS-ISAC (Financial Services Information Sharing and Analysis Center), CCGs (Cyber Co-ordination Groups) that are relevant to your business area, as well as cross-sector sources such as the CiSP (Cyber Security Information Sharing Partnership) provided by the NCSC.
Digitization is a double-edged sword, offering incredible benefits but also entailing serious risks. What are your thoughts on this inevitable development?
Businesses want to do things that are inherently at odds with traditional security practices: share data, provide access from any device, anywhere, at any time, whilst ensuring the least possible friction to the user experience. A good cyber security professional realises that this is an inevitable challenge and works with the business to ensure that security is applied in a way that is commensurate with the risk posed. It’s about finding the balance where business needs are met without compromising security. I always say that our team’s mantra is “Know, not no”. In other words, our role isn’t to block initiatives – it is to provide the business with the relevant advice and knowledge that enables them to make an effective decision based on their agreed risk appetite.
How important is information sharing within the sector to keep abreast of new threats and cyber security best practices?
Intel sharing is imperative. Intel sharing acts as a force multiplier, especially for smaller companies that don’t have the time, budget or experience to be able to invest in a fully fledged cyber threat intelligence capability. The ability to know what is occurring in the sector, and indeed other sectors, provides companies with the ability to prepare themselves for threats that they may not have otherwise considered and subsequently provides focus in the right areas. Sharing intelligence also enables law enforcement to build cases against threat actors that are more likely to lead to successful interdiction, resulting in fewer criminals and less criminal infrastructure.
As the threat landscape develops and the line between nation-state-sponsored actors and organized crime groups blurs, cyber security teams will need to find new and innovative ways to keep pace with the evolving threat landscape. As cyber security leaders we will continue to be challenged to understand technology down to a bits-and-bytes level, whilst also ensuring that we apply strategic thinking to ensure that we align to the goals of the business. One thing is for sure: security professionals of all industries need to come together and share information in order to stay abreast of the latest threats. It won’t be easy, but collectively we can make a difference. Stay safe out there.