Deloitte Sym - Cyber Security Executive Insights

Cyber
Intelligence
The Deloitte Symantec
Executive Dining Club
Critical security matters
The Deloitte Symantec Executive
Dining Club brings together the
leading users and thinkers in Cyber
Security at private dining events where
participants can speak openly and
in-depth about their Cyber challenges
and the latest ways to address them.
The latest event took place in Winter
2015 in Central London.
Facilitated by Paul Maher MBA
Peter Lawrence
The Tasting Menu
Neil Sparrow
Centrica
1. The Energy sector faces challenges like no other
Paul Jenkinson
A close-knit group, this highly competi-
3. Security professionals are
focusing on doing fewer things
right
tive sector stands to gain more than
Thanks to lengthy investment cycles and
most from the sharing of threat intelli-
the sheer size of the infrastructure, as
gence and best practices. With energy
well as regulatory and CNI consider-
prices falling, IT security budgets, need
ations, IT security professionals in this
to be spent wisely.
sector are under pressure to deliver.
2. Defending Critical National
Infrastructure (CNI) is harder
than ever
4. The IT security of this sector
affects all of us
Evidence of the tumbling costs of the
security remains a focus, with organisa-
hackers’ ‘tools of their trade’ is only
tions using the latest communication
increasing the challenge of securing CNI.
techniques to deliver key messages.
EDF
UK Power Networks
Joe Howard
DECC
Jeremy Wood
Deloitte
Rhiannon Jones
Deloitte
Antony Price
Symantec
Educating co-workers on information
Additionally broader public debate will
be needed as smart meters roll out.
The discussion was framed around four areas
“ If a retailer goes
down, their
business is
affected. If we go
down, there may
well be lives at
”
stake.
Contact
Sarah Jarvis
Alliances Marketing
Manager, Symantec
0203 637 0644
[email protected]
• The relationship between Regulators and those in charge
of the UK’s Critical National Infrastructure (CNI)
• The effects on IT security budgets of falling energy prices
• The rise of hacktivism in the sector
• How customer data privacy and smart meters are
changing the role of IT security professionals
The Main Course
How does regulation affect Critical National Infrastructure?
“The information sharing in this sector is
other. In particular the Cyber-Security
really important, specifically, the latest
Information Sharing Partnership is very
threat intelligence. Even though we
useful for us.”
compete commercially, we should share
more good practices around IT security
more often.”
“Trust becomes
an IT security
“There is good practice and then there is
compliance – they are different. Regulators need to be careful about layering
“We agree that information sharing is a
more and more compliance on organisa-
strength of the sector. We see industry
tions. Refreshing good practices on the
and government partnership here like no
other hand, needs to be done more often.”
Have falling revenues affected your IT security budgets?
issue with real
“Certain budgets have been trimmed by
budgets, which includes IT security, are
competitive
up to 30% as energy prices have
targeted - not ideal if you want to stay
dropped. This would suggest a good way
secure.”
consequences.
forward is to use a risk-based approach,
What the UK
to funnel IT security budget where it can
really needs is to
work best.”
“We work off a regulatory driven investment cycle, for which we need to have our
plans approved by regulators. They will
“We have seen evidence of hacker toolkits
set out our settlements and set quotas
available in the dark web for as little as
and we manage to them. Clearly this is
debate on what
$10. When used in combination with
fixed outside short-term oil price move-
is and what is
social media, this creates the most easily
ments. If the threat landscape changes
accessed malicious open source intelli-
we can and we will adjust. However,
gence network ever. Faced with very
compared to three years ago, our cyber
well-funded and determined attackers, IT
security budget is 70% of what it was.”
air a rational
not, personal
”
data.
security budgets should be going up, not
down.”
“Our issue is that we are dealing with
technology which has a 30 to 40 year life
“Coming into the sector, many people,
span. We are dealing with systems which
don’t realise how little of our cost base is
were designed to be kept internal forever,
variable. When you add up government
not exposed to the Internet. This is
levies on social and green taxes, there is
seldom the case today which means we
less cost reduction to go after. So our IT
are managing two sets of technology with
different cyber security issues.”
Hacktivism
“If a retailer goes down, their business is
“Our board is relatively switched on to
affected. If we go down, there may well be
Cyber issues. They know for instance that
lives at stake. We, at least today, have the
a DDoS (distributed denial-of-service)
manual control option. For me, though
attack may well be just a distraction and
there is a lot more on the transformation
part of a more worrying advanced threat.
agenda. To transform the energy sector,
We recently ran three scenarios as part of
we need to have all the data in one place.”
our crisis management preparation and
they performed well.”
“The threat moves on quickly. Hackers
people who have already won the trust of
once used instant messaging via ICQ and
the hackers embedded in the environ-
IRC. They are no longer there. Now to
ment. This can mean 24 hour monitoring
combat hacktivism, you have to have
and listening.”
How will customer data privacy evolve with smart metering?
“Faced with very
“The rollout of 60 million smart meter
tell me, I am at home at a specific time,
devices brings into scope IT security
[perhaps using hacked smart meter data]
issues like endpoint security. This is a big
you can identify me. This is not always
shift for a sector which has been so
true, especially in older and multi-
focused on control. Segregation of
tenanted properties, but even so, there
systems can help keep them secure.
are easier ways for criminals to gain this
Ultimately though someone will hack a
information such as, most obviously,
smart meter, because anything which is
social media.”
coded by man can be hacked. So it
becomes the network conduit which
“If we can’t be trusted to be secure, we
will lose customers. So customer trust
well-funded and
needs to be secure.”
determined
“We’ve seen deep concerns in other EU
competitive consequences. What the UK
attackers, IT
counties like Holland and Germany. The
really needs is to air a rational debate on
greater privacy argument is “If you can
what is and what is not, personal data.”
security budgets
should be going
”
up, not down.
becomes an IT security issue with real
How will the role of IT security professionals change?
“We are trying every day to get our
“I don’t just focus on what is hitting my
employees to recognise that security is
organisation. As a security professional,
everyone’s job. The weakest link is always
you need to concentrate on what’s
the people, which is why education is
high-value. What are worth focusing on
such a quick win.”
are the ‘knock on’ effects from board
“Training is the most cost-effective thing
you can do. The ‘At home’ section on our
security intranet is the most viewed.
Parents who are concerned at home
about what their children are accessing
decisions. This is what I need to own and
manage. For me, it is all about the
pressures of retaining talent. My team is
constantly being targeted and tempted to
move for another £15 to £20k a year.”
are very good learners. In the past,
“What have we done better this year than
security guys did all our cyber training.
last? Awareness, even more so than
This was thorough, but not compelling,
reaction. We are preparing procedure and
nor effective. Now we employ communi-
responses based on an accurate assess-
cations professionals and it is slick,
ment of the appropriate levels of risk for
relevant and professional.”
us to accept.”
Want to know more?
If you are a senior technology professional interested
in participating in future events, please contact
Sarah Jarvis at Symantec:
[email protected]