27 September 2016 by Francesca Willis
Cyber security specialist Vicki Gavin talks about the evolving threat facing companies, the importance of employee engagement and how it is impossible to defend against everything
The stakes have never been higher in the world of information security. Company reputations and finances can be irretrievably damaged as a result of a single cyber security breach. The size and complexity of multi-national companies, combined with the sophistication of the methods used by criminal gangs, mean that those responsible for protecting the assets of large companies have a formidable task ahead of them.
One such person is Vicki Gavin, Compliance Director and Head of Business Continuity and Information Security at the Economist Group. She previously headed information risk at Barclays and has also worked at Commerzbank and the Toronto Stock Exchange where information security formed part of her role.
She notes the identity crisis that cyber security has suffered over the years. In the past it was known as ‘IT security’. This became ‘information security’ and now ‘cyber security’. Regardless of the label, ‘the notion of security has always been at least an element of the computing experience,’ says Vicki.
To make her point she jokes that with all her years’ experience in the industry she would ‘challenge anyone to remember a time where there was not a user ID and password required to access a computer.’ In other words, the ‘first line of defence’ has always been there. It is the constantly evolving ways that these defences can be breached that present the greatest challenge to information security officers and in turn, boards.
Historically, information security was a relatively straightforward affair. For example, during the Second World War, when Alan Turing and his colleagues at Bletchley Park built the machines that broke the Enigma code, keeping them safe just meant keeping them in a locked building with guards at the doors. Because a machine did not connect to anything apart from a power supply, to get anything out of it you had to physically access it. Back then, as long as you kept people out of the room, the computer was secure.
The advent of the internet changed everything. The business world started to leverage technology and computers which meant companies could lower costs, do things faster and make more money. Naturally more and more business was done via networked computer systems. As the amount of valuable information stored and transmitted increased, so did the opportunities for criminals to make money. ‘While the growth of commerce brought criminals into the environment,’ says Vicki, ‘it is the ingenuity of criminals that keeps the world of security changing today.’
The fact is that modern day criminals are very well organised. ‘It is not some spotty teenager in the basement who’s just out for a few jollies,’ explains Vicki. ‘These are call centres full of trained security professionals who are looking for ways to get around the “walls” of your organisation. Therefore it is not a case of if but when.’
‘No organisation can stop the criminals from coming in – they simply have more resources than you do.’ It is therefore of utmost importance that those charged with defending against cyber criminals do so smartly. She emphasises that it is almost impossible to defend against everything, so it is fundamental that organisations really understand what they are most likely to be hit with – be it malware, denial of service attacks, data breaches by hacktivists and so on – and try to protect themselves against those things.
There can be a tendency for organisations to overprotect because they do not have a good enough understanding of the nature of the risk to the business. Accurate targeting and a strong response capability are essential. ‘At the Economist, one of our key risks is hacktivism so it can be helpful to take a moment to reflect on how hacktivists are likely to attack – it usually starts with a phishing email,’ says Vicki. Even with something as simple as a phishing email, organisations must ensure that every single employee, ‘from the tea lady in Hong Kong to the CEO’, is informed and aware of the security protocol. Imagine a fire drill, but for cyber security.
Asking her about the role of the board, she repeats, ‘Know your organisation and know what you are actually at risk from. Most people hear the word cyber and start worrying, they do not really know what it means. The thing is that cyber can be defined and if the board takes the time to understand their risk and pays attention to their control environment it can be protected against.’
This simple point is made crystal clear. The recent FT-ICSA Bellwether research of FTSE 350 company boards found that 82% of respondents consider cybercrime to be the main operational risk to which their exposure is increasing. So, knowing this, and assuming organisations are preparing adequately for it, why does it keep going wrong?
Vicki admits that many boards are not done any favours by the vast majority of her colleagues in information security. Too often highly talented, technically astute security officers report to the board and just ‘yammer on about technical nonsense’. ‘The bottom line,’ Vicki says, ‘is that boards need to know if the bad things are being stopped from happening.’
At the Economist, Vicki reports twice yearly to her board. At those meetings she tells them how many people tried to break in and how many people made it. ‘The key thing is that fewer and fewer people are making it through.’ Boards need to make decisions based on knowledge and not fear; otherwise, they are not doing it right. ‘The other question to ask yourself is, are you vulnerable to an attack that other organisations may have recently suffered from?’ she says, alluding to the TalkTalk hack in 2015.
When asked if she could name some companies who do approach cyber security in the right way, and what we could learn from them, Vicki admits that she cannot really answer this question. ‘We collectively do not like to say who is doing a good job because as soon as you stick your head above the parapet, the criminals see it as a challenge.’
Despite not wanting to throw down the gauntlet on anyone’s behalf, we discuss her team regularly meeting with others in the industry. ‘You can learn from the best and the worst! The more people you can involve the better.’ In her opinion, ‘At a corporate level, nobody is going to win the cyber wars. Even if you are the best, it does not help you at all unless the people you are doing business with are also doing the same as you.’ As with best practice in any field, information sharing is key.
Surprisingly, given the hugely technical requirements of her role, she cites the most challenging part is promoting the importance of employee engagement, training and awareness in cyber security. Vicki speaks of her current role, where ‘the most challenging and rewarding thing, is turning 1500 people around the globe into security experts.’ It is an ongoing herculean task but nonetheless a satisfying one. To succeed in this, Vicki offers some simple and non-technical advice: ‘hire someone that actually knows how to educate adults.’
One of the secret weapons in Vicki’s arsenal is a postgraduate diploma in adult education. ‘Learning does not happen by accident but by design. Most organisations leave security education and awareness to talented security professionals but they get it wrong. Investing in someone who knows how to teach adults simply and effectively is crucial, and as a result you can be as prepared as you can be. After all, a machine can only find the pattern you told it to find.’
Vicki is giving the keynote presentation at the ICSA Technology conference on