Enabling Deeper Board-Level Understanding
By Amanda McKeon on July 16, 2018
Our guest today is Bryan Littlefair. He’s CEO at Cambridge Cyber Advisers, and previously held the Global CISO position at Aviva and Vodafone Group. His current focus is working with board-level executives to enable a deeper understanding of cybersecurity and how it relates to business risk. He shares his thoughts on the communications gap between IT professionals and board members, effective ways to overcome it, and the importance of threat intelligence in gauging risk and setting priorities.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 65 of the Recorded Future podcast.
Our guest today is Bryan Littlefair. He’s CEO at Cambridge Cyber Advisers and previously held the Global CISO position at Aviva and Vodafone Group. His current focus is working with board-level executives to enable a deeper understanding of cybersecurity and how it relates to business risk. He shares his thoughts on the communications gap between IT professionals and board members, effective ways to overcome it, and the importance of threat intelligence in gauging risk and setting priorities. Stay with us.
I’ve worked with a lot of boards and a lot of executive teams in my time as a global CISO. And one of the things that I’ve observed is — I think it’s too harsh to call it a disconnect — but I think there isn’t really effective communication going on in some of the organizations that I’ve seen, between the security teams and the boards. I think there’s a little bit of challenge on both sides. I don’t think the security teams are really communicating in a way that the boards can understand, and equally, I think the boards need to allocate more time into getting up to speed on some of the security challenges and risks that their organization faces, and equally, have to get involved so that they can offer support.
That was my key driver. I thought, “Well, I think I’ve got the skills and experience.” I’ve always been told that I’m very good at communicating at a board level; I can articulate highly technical aspects in a language that a board can really grasp and understand. I wanted to really drive, approach, and change the way that security teams did actually communicate with the board. So, it’s not just a language — it’s a whole methodology around explaining and getting the board onside with, what is the security strategy, the organization, and how are we going to address it. I think that was the major catalyst.
When you look at the history of both boards of directors and the coming up of IT groups, of security groups, why do you think we found ourselves in this situation? What, historically, led us to this situation where communication can be a challenge?
Actually, I saw an interview with Vint Cerf the other day — obviously, one of the godfathers of the internet, one of the creators and the founders — and he was asked that specific question. Did they really think that the security challenges that we’re facing today would be a key aspect of the internet? And honestly, they didn’t foresee that. They didn’t really look at what were, I suppose, the unintended consequences of their creation. I think that’s what we’re seeing today. I mean, I’ve had the benefit of working in telecoms for a large part of my career, and the benefit of telecoms is, it encompasses all of the infrastructure that a typical organization would, but equally, it’s a massive communications infrastructure. And then, an end user population as well, whether it’s from a mobile perspective or other aspects as well.
So, you get to have that good exposure of, what are the types of attacks that can happen? Whether it’s an enterprise or a critical national infrastructure component, or actually an end-user perspective. I think that we’ve gotten there by organizations not properly embracing the security challenges they could potentially face, not really looking at that radar and saying, “How do we best mitigate our security challenges strategically in the future and be proactive about it?”
I think that security, by its very nature, is reactive. You know, the bad guys come up with something and the security professionals have to come up with something to compensate for that. But there are several initiatives and components that can be done proactively to mitigate that. I really think that a concerted, proactive drive by organizations is one of the key things that needs to happen in order to help get you on that front foot.
I’m curious about your take on this notion. I’ve heard it described as, when you are proactive and nothing happens, that doesn’t get the same attention from the board as if when you’re reactive and responding to a crisis. There’s all sorts of attention on that, there’s money spent on it, and that gets the board’s focus, gets their attention.
Yeah. I think the security team … There’s no doubt about it. When there’s a security incident in play, the security person becomes the most important person in the business. If you’re the media-trained one, you’re the one in front of the media answering the questions — effectively, you’re running the company for that period of time on behalf of the CEO. So obviously, you have the spotlight on you during that time, and I think that is when security teams either come into their own, or their weaknesses are significantly exposed. That is where you have significant board attention and focus on you to be able to drive that forward.
I think, in what I call “peace times,” when there isn’t an incident running, that’s where you need to demonstrate the value that a security function can add. I’ve witnessed first-hand boards and executive teams that honestly don’t understand the purpose of their security organization. They sometimes see it as, they’re the brand preservation people, or they’re just the team that runs antivirus on our laptops. But most security organizations have a very broad scope and I think that’s what I said about it. It’s the security team’s responsibility to drive that proactiveness. And part of that, honestly, is raising the visibility of the value that they add to the organization.
So, I like to drive security teams and like them to get the visibility of actually underpinning the business strategy. Now, I know most other business functions would stay the same — finance would stay the same, marketing would stay the same. But it’s rare that if one of the strategies goes wrong, it can have such an impact on the organization — the security strategy. So, I think that’s really the job of the chief information security officer, to outline to the executive team that, this is the value that my team presents to you on a day-in, day-out basis. Yes, we manage incidents, and yes, we also do antivirus, but look at the plethora of other activities that we also do for you. It’s raising the visibility of that, and getting that buy-in is key.
I’ve often heard it described that, the security folks will do better by putting what they do in terms that the board can understand, and specifically, framing it in terms of risk. Is that an accurate way to go at it, in your estimation?
Yes. I think that you have to speak in a language that the board can understand, and in my experience, that’s finance and risk. So, we are going to invest X or Y to mitigate this risk and if we don’t do it, the potential impact could be Y. That is something that they can understand as long as the activity is, I suppose, explained to them in a manner that they can understand easily. I think that they really do resonate with risk-based conversation, and one of the things that I really do advocate is that security professionals need to evolve their assessment of risk moving on from just looking at compliance to the security policy, or compliance to the internal controls framework.
Because risks are present whether you know about them or not — and if you don’t know about them, someone else might find them before you do — you need to take a more holistic approach to your risk assessment so that you can present an accurate view to the board. What you don’t want to be doing is going in there saying, “We’re 92 percent compliant to our security policy, therefore, we’re secure,” because you’re probably not. Unless you’ve done a proper holistic assessment against your organization … So, I’m talking red teaming. I’m talking ethical hacking, using the tools and techniques that the criminals or the bad guys may use to get into your function. You don’t actually know what some of your weak points might be. So, it’s really important that you give the board that holistic view as well.
How much of the responsibility, do you suppose, falls on the board members themselves? Certainly, there’s a pecking order here, right? I think most people would think that, well, the board is higher up than the workers, and they may think it’s the responsibility of those below me on the organizational chart to put things in a way that I can understand them. But how much is it up to the board to put in that effort?
Obviously, the board has an accountability to the shareholders, and in my view, boards don’t run companies — the executive teams run the companies. But obviously, the board has supervisory responsibilities over the executive team to make sure that the right things are happening. Several members of the executives typically sit on the board — the CEO, the CFO, and maybe a few others as well. I think when you’ve got a collection of people with those joint accountabilities, they have a very broad spectrum of controls and risks that they have to track on an organizational level.
I do think that they have a responsibility to get up to speed with the appropriate knowledge that’s needed for them to challenge, interrogate, provide guidance, and ultimately, support initiatives that are coming across the table. Now, I’m not naïve enough to say that’s just cyber — there’s a whole host of business challenges that they need to get across — but cyber is one of them as well, and they need to get up to speed with that.
Do you find that the two groups inadvertently find themselves in an adversarial position from time to time?
Certainly. I think that any IT team would like to be able to present a clean bill of health to the board, but it’s important that you actually present an accurate view of the world and what it’s actually looking like. I think that when you’re presenting to a board, and maybe you’re presenting on IT, or maybe you’re presenting the security strategy, what you want to do is educate them. You want to be able to — and I’m not saying this in a belittling way — but what you want to do is be able to bring them up to speed in terms of, what is the strategy of the organization. They’re responsible for setting out their business strategy. How is our business going to operate, what is our key strategy, and what markets are we going to operate in?
That then needs to be translated into an IT and security strategy. How are both of those functions going to support that business strategy in being effective? They need to be effective in order to support the business growth. So, I think there can be some tension and there can be some odds in terms of getting those strategies agreed, making sure of the right budget, making sure that the right resources are allocated to them so that they can be successful. Because ultimately, that’s what any CISO wants to do. They want to support the business, they want to protect the brand. They want to make sure that it effectively underpins the business strategy so that the organization can be successful.
Now, when you’re brought in to work with an organization, what’s your approach? How do you get the lay of the land and how do you get started?
My engagement is typically with the board level, so it’s either going in to support a member of the board, the executive team, the chief information officer, the chief risk officer, or sometimes, the chief operations officer. So, going in at that level, it might be to address a specific challenge or issue that they’re facing, but more normally, it’s to go in and help them understand if they have the right security strategy and if they’re doing the right things in the right order. They don’t understand enough about the topic, and they’d like some independent expert assurance to say, “Yes, we’re doing the right things and we’re doing them in the right order in order to achieve the maximum risk reduction,” which is ultimately what they’re trying to achieve.
My approach is to spend time. I think you have two ears and one mouth for a reason. I like to listen to the organizations around, what are you trying to achieve, what is your business strategy, and which markets are you going to be operating in? Things like geopolitical risk also play a factor but you need to understand the business because security is a business problem. I think too many people are trying to shoehorn security into the IT function, and that’s not the right place for it. The biggest challenge in security, at the moment, is around the holistic nature of it. It’s a very, very broad topic. And yes, we do need technology at play, but absolutely, we need to get security embedded into all of the business processes for it to be able to work effectively.
So, I like to spend time with the person that’s responsible for setting the business strategy and understand how security can become a part of that, and then understand how it cascades down within the organization. That’s starting from the top, but equally, you have to start from the bottom as well. So, what are the foundations that we’re building upon here? Have the basics been done? What are the hygiene factors that are present within the IT estate? What are the internal audits that have been carried out? How many vulnerabilities or issues are known within the estate, and what testing is carried out to find the unknowns?
All of those factors come into play when you’re helping an organization understand their strategy and helping them devise a program of activity. Because unless you know that holistic view … You can kick off programs and activities, and yes, they will deliver, but are they delivering in the right place? Are you putting a sticking plaster over one issue when there’s a bigger problem that you just don’t know about? So, it’s the planning and preparation, making sure that you’ve got that good holistic view before any activity commences so that you know you’re going to be delivering the right outcome for the company.
Are there any common themes that you run into — common problems — with organizations who are struggling with this? Do you see similar things over and over again?
Yeah. I think the organizations that have been around for some time, obviously, have the constraints of legacy. By legacy, I don’t mean in terms of history and “10-year legacy,” I mean in terms of old infrastructure and IT equipment that is still around in the estate and sometimes is really difficult to turn off. It might be a core, critical component to the business, and even planning to replace that system and platform might take a couple of years. And obviously, you see the competition popping up with all new modern equipment, probably cloud-based and lower cost base to manage so they can actively price better within the market.
I think that organizations of a certain size are always going to be grappling with some form of legacy, so we need to understand how they can effectively manage that within their estate. I think one of the biggest challenges I see within organizations is around identity. How do they identify not just the people within their organization … Yes, it is their employees, but it’s their contractors, their third-party supply chain, their fourth-party supply chain. And equally, how do they identify the equipment on their network? How do they identify which applications they are allowed to run? How do they identify which applications they aren’t allowed to run?
If you look at the nature of any typical attack that happens at the moment, you know the person is the target, the staff member is the target. So, all someone has to do is potentially click a link, and that laptop is compromised. Then, that behavior becomes legitimate. They’re using a legitimate credential to carry out legitimate tasks that that person might have normally performed if they’ve been targeted. So, from a security professional’s perspective, that becomes very hard. That is the true “needle in a haystack” moment. You’re trying to differentiate an attack from a very genuine business behavior, and that’s where it gets very, very complicated. I think one of the biggest challenges we have to solve this is getting better at managing inherent vulnerabilities within our estate, and then, getting better identification not just of people, but of data assets, applications, and infrastructure.
One of the focuses on this show is threat intelligence. What part do you think threat intelligence plays in the work you do and how boards and security teams should approach their work?
I think it’s absolutely critical. I advocate an intelligence-led, or threat-led, strategic approach. Many times, I go into an organization and I sit down and I review the current security strategy. Typically, it reads reasonably well. You can look at it without knowing the context in which it was created, and you see a series of activities that are looking at people, looking at process, and looking at technology. But then, you actually start to understand, well, how was this created, how did you come about these things that you’re actually going to prioritize upon.
Normally, you would find that these are the issues that have been found within the organization. Maybe it’s from internal audits, or maybe it’s from known issues or fires that have been created over a recent time. So actually, this is your list of problems that you know about that you’re trying to address. It’s not a security strategy, it’s closing down audits and closing down known issues. I think a security strategy needs to take in all of the threat intelligence based on that organization, and then, obviously, devise a security strategy from the testing they carried out from that.
So, what do I mean? An organization would engage with a threat intelligence provider and say, “Okay, I’m a telecommunications company. I operate in 10 markets. These are the markets. We need to know who the threat actors are that would potentially try to compromise us, obviously including internal, including third parties, including supply chain.” That intelligence is really, really useful to say, “Okay, what is the nature of the attack that might happen? What skills do they have? What has happened to others in my sector?” Then, equally carrying out the red teaming and ethical hacking based on that threat intelligence.
So actually, getting an organization to try and compromise you in an ethical way is a great learning journey, and it’s using that threat intelligence as the recipe, if you like, of how you could potentially attack that organization. What that does is give you greater insights and a far richer activity of work that needs to be completed to secure the organization than just compliance to a security policy and controls framework. They are important, but grouped together, it becomes a lot more enriched.
So, I think threat intelligence is absolutely key from a strategic perspective. But equally, it has a day-to-day value as well around brand preservation. If someone registers a domain name that’s similar to yours and is going to use a phishing campaign to perhaps drive your customer base toward clicking on that, or sensitive documents are somehow online, it allows you to get those insights and allows you to effectively manage that organization’s exposure in that way. So, grouping together is a really important tool for a CISO’s armory.
Our thanks to Bryan Littlefair from Cambridge Cyber Advisers for joining us.
If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.