“They also focus too much on box-ticking and compliance, but that is not necessarily synonymous with good security, which requires good, basic cyber hygiene and an establish culture of security,” he told Infosecurity Europe 2018 in London.
“All the compliance and certification in the world is no substitute for a solid foundation for cyber defences, and I know of organisations that have been breached by pen testers, even though the CISO had a string of certifications and he had implemented a host of high-grade security controls.”
On paper, the organisation looked solid, said Watts, but pen testers were able to access sensitive company data within an hour by socially engineering employees, discovering unprotected passwords on the network, and moving laterally with ease because a technician had used the same password for his password safe as for his personal accounts.
Successful companies, said Watts, are those that have not only recognised that people and process are key to security, but have acted upon that by engaging with the business to understand how it and its people work and investing in security training and awareness programmes.
“By understanding the business and how people work, security teams can work with the business to be enablers and ensure they do not block people from doing their jobs, because then they will just go around and find other ways to do things, which are inevitably less secure,” he said.
Better communication between the business and IT security means that IT security teams understand what services are critical to the business, said Watts.
“When IT security is aware of these things, they can ensure that there a backup services available to prevent any interruptions to business processes when conducting essential IT security maintenance processes, for example,” he said. “This approach of having honest conversations around confidentiality, integrity and availability ensures better security and that there are no surprises for anyone.”
Information security teams also need to engage with the board, and those who do typically find that the board is much more likely to support security projects because they understand the associated business risks and benefits, said Watts.
“Another important reason to engage with the board is that failure to do so and communicate around cyber risks may create the illusion that everything is OK, and that is a big mistake,” he said.
“Honesty is important. Work with the board and make sure they understand the business implications of all the cyber risks you have identified."
One area that IT teams tend to avoid having conversations around with the business and board is the issue of legacy equipment, software and systems, said Watts.
“The board and the business need to be made aware of the real costs of maintaining legacy, which is typically greater than they think, as well as the security implications of sweating assets beyond the expiration of support,” he said.
“Boards need to understand that sweating assets often means accruing risk, so by having the conversation, the board is aware and there are no surprises when the need arises to invest in new kit that typically has better security facilities.”
Cloud is another area that IT security teams need to have honest conversations about, said Watts, to ensure that the business can tap into the efficiency and cost benefits of cloud computing without losing control by ensuring there are good management processes in place early on.
In summary, Watts advised organisations to be transparent about the risks and have a strong balance between cyber security risk and reward.
“Have a good cyber security culture and spend the proportionate amount of time, money and energy on educating people in the organisation, and finally get the buy-in from the board,” he said. “Be transparent, communicate regularly with them, and ensure they understand the risks and the rewards.
“All of these things will drive important conversations about being better and more hygienic when you run your IT service organisation for the benefit of the business.”