Security Insights

This week's episode is an insider's account of exactly what it takes to review, and build up, an business' cyber defences.

When John Stenton took over as head of IT at housing provider Thrive Homes, he admits technology was a "bit of a mess". And a lot needed to be done, both to review security and to reassure the board.

Thrive Homes is fairly typical of the type of mid-sized organisation that didn't see itself as being in the cyber front line. But, as Stenton explains, any organisation can be a target especially when they are handling seven-figure property transactions.

Here, he talks about his decision to bring in an outside consultancy, the work they did, and the impact this had on Thrive's security capabilities. And we are also joined by Kerry Jones from that partner, DigitalXRAID, where she is head of compliance and information security.

Interview by Stephen Pritchard

Cybersecurity is about technology, processes and above all, people.

And with CISOs' growing emphasis on resilience in the face of cyber attacks, perhaps it is time to look at the human factors involved in combatting and recovering from an incident.

How can we help our teams make the right decisions, and cope under pressure?

In this episode, we look at an investigation into workforce resilience, carried out by Osterman Research for Immersive Labs. Our guest is Immersive Labs' VP of Cyber, Max Vetter.

The next few years will see the European Union introduce new laws governing cybersecurity.

These include the Cyber Resilience Act, and DORA.

DORA -- or the Digital Operational Resilience Act -- looks to improve overall ICT resilience in the financial services sector. But as our guests this week point out, its impact is likely to be felt by other sectors too.

The Cyber Resilience Act is more broadly based, and sets out baseline security requirements for both hardware and software or, as the text states, anything with a digital element.

Security Insights editor Stephen Pritchard discusses the background to the new laws, and what they mean for business with CREST EU council chair, Rodrigo Marcos Alvarez, and Dominik Samociuk, of Future Processing and the Silesian University of Technology, Poland.

In our second podcast from CRESTCon Europe 2023, we catch up with Rowland Johnson, CREST President.

CREST is a non profit organisation focused on building standards in cyber. This includes accreditation of companies and certification of individual cybersecurity professionals.

The cybersecurity sector faces a number of challenges: professionalisation, improving diversity, dealing with a stubborn skills shortage and the potential, and potential threats, of AI.

So how does the industry — and the organisations it serves — move from what Johnson describes as a “market failure” to a collaborative world based on a network of trust?

And how can cybersecurity professionals harness technology to do more?

Interview by Stephen Pritchard

In this second part of our analysis of nation state cyber attacks, we look at how threats are evolving, and how increasingly private businesses are their targets.

According to research by analysts Forrester, nation state attacks are becoming both more frequent, and more severe. And attackers have widened both their objectives, and their methods.

But can organisations, especially in the private sector, defend themselves against these attacks? Forrester has put together a model setting out one way to do just that.

Our guest is Allie Mellen, senior analyst covering cybersecurity at Forrester, and lead author on the research, which is summarised here.

Over the last few years, security professionals have become increasingly concerned about where software, and software components, come from.

A growing number of significant security breaches have been caused by vulnerabilities in the software supply chain.

But should we now start to look beyond just software, and look at data too?

Jon Geater thinks we should. The keynote speaker at this year’s CRESTCon Europe, Jon is co-founder at RKVST and co-chair if the IETF’s supply chain integrity, transparency and trust working group.

Here, he discusses with editor Stephen Pritchard how we need to go beyond just software bills of materials and start to look at documents and data too, if we are to prevent disruption to the business.

Any system that is connected to the public internet is at risk of cyber attack. And any system that connects to a network or other system connected to the internet, is also at risk.

This poses dilemmas for operators of critical infrastructure.  Devices and applications developed to run on standalone infrastructure, often with specialist operating systems, are not designed to work safely online.

How, then, can organisations operating critical national infrastructure, protect their systems from cyber attack and still benefit from connectivity to the outside world, as well as the economies of off the shelf technology?

Our guests today are both experts in protecting health care systems.

Jonathan Langer is COO Claroty Medigate, which focuses on securing the Internet of Things in health care.

And Adam Zoller is cyber security lead for Providence, a system of compassionate healthcare providers on the west coast of the United States.

They joined editor Stephen Pritchard to discuss why attackers target CNI and health care technology, where the weak spots lie, and how organisations can improve their security without disrupting vital business operations.

ISACA today is one of the principal organisations providing accreditation and skills training for infosecurity professionals.

But that's not all it does. The organisation is involved in standards as well as developing developing tools for secure and software development and driving areas such as digital trust.

That puts ISACA in a very good position to take the pulse of the cybersecurity industry. Our guest for this episode is Chris Dimitriadis, who is their Chief Strategy Officer.

In a wide ranging interview, he discusses the growth of nation state threats and cybercrime, the industry’s focus on ransomware, and how organisations need to pay more attention to response and recovery from a cyber attack. We also cover the need for better collaboration between firms, and government to counter cyber threats.

And, of course, we look at industry’s on-going skills crisis.

Nation state attacks are now an unavoidable part of the cybersecurity landscape.

And increasingly, these attacks are either targeting commercial organisations, to gather intelligence, steal intellectual property or simply for political or diplomatic leverage.

Even if there is no specific hostile intent, businesses and public sector bodies risk being caught in the spill over from attacks aimed elsewhere.

Can organisations defend themselves against an attacker with the resources of a nation state behind them? And how does the nation-state threat rank against other risks?

Our guest this week is Rafe Pilling, principal security researcher at Secureworks’ counter threat unit. He is also a specialist in nation state attacks, with a focus on Iran and the Middle East.

In this episode he breaks down the modus operandi of attacks originating from, and targeting, that region. But, he suggests, there are defensive measures organisations can take that will protect against both nation state attacks and other threats, such as ransomware.

Interview by Stephen Pritchard

The cybersecurity industry has long complained of a skills shortage.

But is the industry itself at least partially to blame?

From recruitment processes to training, development and retention, and a lack of diversity, there is certainly work to be done. And with no let up in cyber threats, and a growing demand for skilled staff, this needs to be tackled with urgency.

Our guests this week are setting out to do that. Sally Walker is a former director of cybersecurity at GCHQ. She is now neurodiversity champion at WithYouWithMe, a social impact company looking to change the way we hire staff across the technology industry. And she is joined by former police officer Jim Fox, now a security consultant at Capita.