Steve’s career spans the technical evolution from mainframe and SCADA systems of the late 80s through client-server systems to today’s utility cloud and serverless environments.
Steve works with diverse clients ranging from SMEs to multinational organisations and across public, private and not-for-profit sectors to improve security and operational effectiveness through reduced complexity and holistic risk management. He is a regular speaker at security events throughout Europe.
At Orion Health, Steve works with global operational teams and clients to secure regional digital health care services and emergent Precision Medicine programmes throughout Europe, the Middle East and Africa.
In his spare time, Steve voids warranties.
Are there any common traits to what makes a successful security program?
A ‘successful’ programme means an ‘effective’ programme. A few things are needed to make that happen.
First: Context awareness. What is important to the success of the business? How can I tailor a programme in a way that supports real business strategic and operational objectives, perhaps by reducing complexity or tackling one or more identified risks? That means talking with senior leaders to understand their commercial and strategy needs and talking with operational people executing that strategy to understand what gets in their way of getting the job done.
The Security Team isn’t an authority that says ‘’no’’; the Security Team are the people that say ’’okay - now that I understand, let’s talk about how we can do that safely so you can get your job done’’.
Second: Following on from that, to be successful the programme must have a defined benefit. What problem am I trying to help solve? Both risk and benefit can be quite subjective, so they need to be defined carefully in terms that both senior leaders and operational people can relate to. Transparency is fundamental to maintain trust and reinforce the value of information security as an enabler. Defining the benefit means you can evaluate the result openly. Was it as successful as we anticipated, or do we need to iterate and get closer to the target?
Finally: The programme is fundamentally about people, process and technology. People need to be empowered and in control of their activities. Process and technology are the tools we can use to enable that. Getting the balance right is tricky, but the aim is to ensure that a security control need does not introduce difficulties and complications. Information security should be part of doing business, baked-in to everyday activities, owned and operated by the people that do them.
How do you convey to the board the message that, with regards cybersecurity, you can minimize the risk but you are never going to be 100 percent secure?
Security is never going to be at the forefront of the CEO’s mind on a daily basis (unless something has already gone horribly wrong, of course). So, board-level discussions of security with the executive leaders are infrequent and generally only occur if there’s a significant change in legislation or regulation that might influence commercial operations.
Again, transparency is key: with the right metrics from the Security Operations Centre we can show the nature and volume of detected events that were automatically stopped by existing controls, the handful that warranted triage with the Security Team and the occasional one or two that involved direct intervention by the team to ensure that threats were defused and risks mitigated. And we can drive tests of those controls with Red-teaming events. Those metrics and tests demonstrate value and limitations attributable to resilience and risk that the board and executives can relate to when this is communicated using their vocabulary. Match your language to your audience.
The conversation always ends with this caveat: adversaries are endlessly creative and consistently leveraging technology to push the boundaries of what is possible. Motivation and opportunity costs are their only constraint. Security and resilience of the business is dependent on people. People are our greatest strength but also our weakest link. We’re doing everything that we reasonably can to anticipate mistakes and place guard rails and compensating controls to reduce them. But mistakes will happen. What matters is how we prepare to deal with that if it does.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
Without getting into a long discussion about organisational maturity and sector-specific cultural difficulties, I think there are some fundamental things that help accelerate and maintain a positive, security-minded culture.
I’m lucky to work with a fantastic Security Team of highly skilled individuals. To be effective, it is important that the team are not isolated or siloed somewhere. Placing people out in the organisation across a range of locations and business functions encourages conversation and collaboration; outreach events such as lunch-and-learns about keeping family safe online at home ensures what we do is relatable and promotes the right mindset about bringing that same awareness into the workplace. But again – adapt your vocabulary to your audience.
Fundamentally, there should be a ‘no blame’ culture. People need to understand that if mistakes are made, or they spot something unusual, that they can talk openly about this to their peers, managers and the Security Team. If I spot something odd and talk to someone about that, at best I can learn what went wrong and we can put things right. At worst I can learn why I misinterpreted something and shouldn’t be concerned in future. That’s real ‘security awareness training.’ It doesn’t come in an annual computer-based training package to tick a compliance box - it’s learning on the job about real events.
If leaders are concerned about ‘no blame’ conflicting with the risk of ‘insider threats’ and people taking deliberate action, that can be dealt with through contracted responsibilities statements, automated monitoring and alerting controls and root-cause analysis. Formal action has its place, but an encouraging, open and honest culture is priceless.
What unique security challenges does the health and social care sector face?
The first challenge is to rebuild trust. The health and social care sector in the UK has been the subject of a lot of bad press in recent years, biased by regulation mandating data breach reporting in public sector services.
The current UK Data Protection Act is helping to redress that balance, aligning reporting requirements with GDPR and applying to all business sectors. Nevertheless, past mistakes need to be transformed into tangible improvement.
Maintaining security of operational systems and services is not easy. Complexity is part of that difficulty: it is the breeding ground for human error and surprising outcomes when interconnected systems behave in unpredicted ways. As advancing technology accelerates ubiquitous, interconnected technical environments, complexity is unavoidable. But as a consequence, it needs a change in mindset from management of defined risks to management of uncertainty. Reduce complexity and diversity as far as practicable to reduce uncertainty. And where residual uncertainty remains, compensating controls are needed as guard rails to improve certainty of outcomes and to identify unexpected events if they do occur.
It’s no secret that health records are rich in data that can trade for high values on the dark web.
The risk is that data can be abused for such activities as identity fraud, medical insurance fraud, even blackmail, impacting individuals when they may be at their most vulnerable. Maintaining the security and integrity of those records across a diverse range of IT systems and operational workflows - while at the same time ensuring their accessibility to clinical professionals delivering care - remains a continuing challenge.
The resilience of systems supporting medical care, combined with record integrity, is also paramount. Unplanned downtime or presentation of incorrect information can have clinical safety consequences.
Across all of the above areas, NHS Authorities in the UK are making solid progress to improve and assure safe and continuous care for patients. Orion Health has a role to play in supporting our health and social care customers to achieve that. That is what drives our security programmes.
How can CISOs balance security and innovation?
Innovation is important, but it’s only successful if it’s built on solid foundations. So before thinking about anything innovative, it is essential to get those foundations of security right. By reducing complexity and diversity of processes and technologies it enables improved and more cost-effective application of controls to a manageable scope. That consolidation helps to simplify getting the basics of security awareness, culture, and practice right, supported by the controls outlined in sector standards from NIST and ISO. In the UK the National Cyber Security Centre (NCSC) provides excellent on-line guidance about basic security requirements that scales to organisations of all sizes.
‘Innovation’ needs to be considered in a couple of ways.
For threat actors, innovation is essential for their objectives, as they devise new and creative ways to exploit vulnerabilities in technology and workflows to their advantage. Here, the Security team have a role to play in monitoring threat intelligence and responding either by adapting and evolving established controls or with an eye for new tools, techniques and services that could be adopted.
And on the subject of ‘innovative’ security tools and services, I’m always wary of ‘The Next Big Thing’ rising up the hype cycle. It can be fun to meet with sales people at conferences to probe the depth of their understanding of what they’re trying to sell, ticking-off the buzz-word bingo card as we talk. But when I’m looking for real innovation, I avoid the big, flashy stands and head straight to those tiny booths with one or two people. I’ve met far more inspiring people in start-ups than at any big commercial stand.
For the business, innovation of products and services to support customers is essential for competitive advantage. The Security team need to be part of those activities, promoting ‘Security by Design’, working with and empowering developers and customers with advice and tools to assure safe and secure creativity, delivery and operation. The role of customers in innovation is often overlooked. Customers and end-users often have limited technical capabilities or resources that must be acknowledged and understood so that the products and services are designed with usability in mind and security controls baked-in ‘under the hood’.
And we mustn’t overlook the natural consequence of innovation: obsolescence. Forecasting and facilitating exit, transition and migration to new products and services is part of the job of supporting the business and customers.
You’ve been in the IT industry for 30 years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organization?
30 years ago, I don’t think the CISO role existed. Back then, private sector businesses were simply driven by competitive, functional advantage and constrained by commercial resilience risks. ‘Security’ was a physical thing controlled with perimeter fences, locks and people in uniform. With hindsight I appreciate that the SCADA systems that I worked on at the time had no concept of technical security, only operational functionality.
Contrast those experiences with today’s environment where phenomenal technical evolution has created a world where data processing fuels commercial activities and national economies globally.
Crime, activist and nation state activities have naturally evolved with that. Thanks to press reporting of other’s experiences, cybersecurity is a recognised risk at Board level. The response to that risk does still vary. Immature organisations still perceive that risk as ‘an IT problem’ and/or something that relates to parochial business resilience or tick-the-box compliance. More mature organisations recognise that beyond protecting and defending the business, cybersecurity is part of a bigger picture: information security has a part to play in improving the effectiveness of business operations, adding value to product and service development and supporting brand trust with customers and end users.
My role is not just to protect the commercial interests of the business; it is to work with security team colleagues to support everyone at Orion Health, our customers and end users to do their job safely and mindful of how mistakes can happen. And if they do, we can help to put that right.
Security is a partnership – a shared responsibility of business innovators, service providers, customers and end users. Everyone has a role to play and that needs to be clearly communicated, discussed openly and mutually supported. As security professionals we need to initiate and maintain that collaboration.
