Security professionals have done a good job of raising awareness of cyber security, but should avoid over-hyping some threats, according to RBS chief information security officer (CISO), Chris Ulliot. “The message is getting through, and we need to take the credit for that, but I think we are at risk of over-hyping some of the things we do,” he told information security professionals at CrestCon in London.
The “hysteria” around some of the vulnerabilities is starting to backfire, said Ulliot. “We need to have a much more balanced message about cyber risk, the incidents we are having, the vulnerabilities we are finding, and what it really means for business.”
He said that although issues such as Meltdown and Spectre were very serious, they did not deserve the hype that surrounded them.
“There were some very good, balanced comms out there, but they got drowned out by the hype, and as a group of professionals who want to promote security, we don’t really want hysteria to be the thing that drives awareness of what we do,” said Ulliot.
He voiced concerns that too much hype around certain threats might cause people to stop listening to security professionals if they are suspected of “crying wolf”, which would start to undo everything the profession has achieved in raising awareness around and interest in the topic.
NotPetya served as a warning
However, he said some high-profile cyber security incidents, such as the NotPetya global attacks in June 2017, were “fantastic” in driving awareness and good practice because they brought to life the real impact of what can happen if organisations fail to follow industry guidelines.
He said he had a lot of respect for Danish shipping firm Maersk for admitting it had been affected and telling people what had happened, how it had responded and the lessons it had learned.
“Maersk demonstrated a level of transparency I have not seen before, and shared its experience for the greater good of industry without any commercial motive of selling any products or services,” said Ulliot, adding that all security professionals and organisations should aspire to the same level of openness.
Fortunately, he said RBS was not affected by either NotPetya or WannaCry. “I pulled the emergency cord and asked for the immediate deployment of the SMB [server message block] vulnerability patch as soon as it was available because we predicted it would be wormable, and so we felt a little bit smug when that turned out to be the case.”
Ulliot called out security consultancies that jumped on the WannaCry and NotPetya bandwagon, and besieged him with calls claiming to be able to solve related challenges. “I received call after call from suppliers trying to sell their wares on the back of fear, uncertainty and doubt.
“Fortunately, I have a good security team behind me that keeps the bank in a good place. But not every organisation is that fortunate, and I worry that those behaviours start to taint our industry, and we need to look at how we are generating sales leads. Consultancies need to find a more open way of doing it.
“After a while, the sounds of sirens can start to fade into the background. When you hear them all the time, you start to switch off. We need to be very aware as an industry that we do not fall into that trap.”
Need for understanding and trust
Instead, Ulliot advocates that consultants and other security professionals adopt a “trusted partner” approach, which works particularly well for small to medium-sized businesses that typically do not have a dedicated in-house cyber security team.
“There is a real role for security experts to build partnerships with commercial entities. We are always looking for partners that can grow and understand what drives and motivates us as a company, who understand our IT estate, understand our business objectives, understand our challenges, so that when an emergency arises, I can ask someone I trust for help,” he said.
According to Ulliot, the security industry needs to change its approach and take on the challenge of building trust and rapport with organisations, which will require a lot more upfront work before engaging with them. “And I suggest you leave the sales people behind,” he said.
Although praising the work of Crest and the Institute of Information Security Professionals (IISP), Ulliot said there were now almost too many organisations working to professionalise information security and improve standards within the industry.
“There are now so many organisations working to advance the profession that I just physically can’t engage with them all. It is time to reconcile the differences between all these organisations so that there can be some consolidation around a common goal, so there is a smaller number of organisations with a slightly broader remit because that would make it easier for security professionals to engage.”
Pen testing must move with the times
Turning his attention to the penetration testing industry, largely represented by Crest, Ulliot warned that security technologies that use machine learning were starting to be capable of performing some forms of analysis that were once the preserve of pen testing professionals.
He cited as an example an agent-based, machine learning-backed product he reviewed recently that is able to analyse the “health” of IT systems in real time, identifying potential compromises by chaining together multiple vulnerabilities.
“We, like many other banks and large organisations, are moving to a DevOps culture, and that is driving a change in the way we look at security, which means what we ask of pen testers, suppliers and security advisers is going to change.
“I think pen testing in its current form is dying, but the good news is that we need more people who can look at the design of a security solution and work out where the problems are. We need people who can give advice in the early stages to make sure silly mistakes are avoided in the design and development stages, which can add real value.
“So if you are a pen tester, and most of what you are doing is producing reports that list an organisation’s hosts and the patches that haven’t been applied, then you are probably going to go out of business because organisations are going to start dealing with the low-hanging fruit through automation.
“But there is a need for skilled pen testers who can work for longer periods of time, analysing the more complex threats we face and identifying any business logic errors that we have missed and can’t be found by automated tools. And if you are in that ball game, I think you have got a bright future,” he said.
In conclusion, Ulliot said security professionals should be working to tackle underlying issues, not to point out other people’s errors, and they should be making a genuine effort to raise awareness and educate the next generation, not pushing the hype for personal fame or to make a quick buck.