Security Insights

ISACA today is one of the principal organisations providing accreditation and skills training for infosecurity professionals.

But that's not all it does. The organisation is involved in standards as well as developing developing tools for secure and software development and driving areas such as digital trust.

That puts ISACA in a very good position to take the pulse of the cybersecurity industry. Our guest for this episode is Chris Dimitriadis, who is their Chief Strategy Officer.

In a wide ranging interview, he discusses the growth of nation state threats and cybercrime, the industry’s focus on ransomware, and how organisations need to pay more attention to response and recovery from a cyber attack. We also cover the need for better collaboration between firms, and government to counter cyber threats.

And, of course, we look at industry’s on-going skills crisis.

Nation state attacks are now an unavoidable part of the cybersecurity landscape.

And increasingly, these attacks are either targeting commercial organisations, to gather intelligence, steal intellectual property or simply for political or diplomatic leverage.

Even if there is no specific hostile intent, businesses and public sector bodies risk being caught in the spill over from attacks aimed elsewhere.

Can organisations defend themselves against an attacker with the resources of a nation state behind them? And how does the nation-state threat rank against other risks?

Our guest this week is Rafe Pilling, principal security researcher at Secureworks’ counter threat unit. He is also a specialist in nation state attacks, with a focus on Iran and the Middle East.

In this episode he breaks down the modus operandi of attacks originating from, and targeting, that region. But, he suggests, there are defensive measures organisations can take that will protect against both nation state attacks and other threats, such as ransomware.

Interview by Stephen Pritchard

The cybersecurity industry has long complained of a skills shortage.

But is the industry itself at least partially to blame?

From recruitment processes to training, development and retention, and a lack of diversity, there is certainly work to be done. And with no let up in cyber threats, and a growing demand for skilled staff, this needs to be tackled with urgency.

Our guests this week are setting out to do that. Sally Walker is a former director of cybersecurity at GCHQ. She is now neurodiversity champion at WithYouWithMe, a social impact company looking to change the way we hire staff across the technology industry. And she is joined by former police officer Jim Fox, now a security consultant at Capita.

Is data privacy still something businesses need to worry about?

With financial pressures, rising inflation, the continuing aftermath of the pandemic and the ongoing challenge of recruiting skilled people – especially for technical roles – it would be understandable, if privacy had slipped down the agenda.

Our guest this week, though, argues that it is wrong to overlook privacy concerns and data protection.

Camilla Winlo is head of data privacy at Gemserv. She points to new legislation, the need to use data to create competitive advantage and even the growth of AI as reasons to pay attention to data privacy.

So should it still be a board level concern?

Over the last few months, AI has attracted even more attention than usual. Much of this is driven by OpenAI's ChatGPT tool, which allows anyone to create convincing, "human sounding" text from just a web browser.

But GPT-3 and generative AI can be misused, and could make it easier to carry out cybercrime or create fake news. Although ChatGPT has safeguards built in, the tools to create natural language text are becoming cheaper.

Security researchers at Finnish firm WithSecure put this to the test, in an EU supported project. They used a range of scenarios to see how "prompt engineering" could be misused, and how we can guard against it.

Our guest is WithSecure's intelligence researcher, Andy Patel. The full research report is also available for download.

IT security and business resilience are often viewed as separate disciplines. But both are now squarely board-level issues.

The challenge for IT directors and cybersecurity leaders, though, is that teams, technologies and practices exist in their own silos. This makes it harder for a business to defend itself, and harder for it to recover if defences are breached.

Our guest this week is Elizabeth Green. She is European advisory and cyber leader at Dell Technologies. Her background is in data and data protection – joining Dell when it acquired storage vendor EMC – so she has a deep understanding of both the need to protect data, as well as the need to link data protection and recovery.

She is also an advocate for greater diversity in cybersecurity and the wider tech industry – without that diversity, organisations will always be more vulnerable than they should be.

It’s often said that the cybersecurity and data privacy worlds rely too much on checkbox compliance exercises – and fail to get to grips with the real issues that put data and systems at risk.

But how true is that? Organisations face both increasing threats and increasing regulatory burdens. And often, CISOs and other business leaders lack a true picture of good practice.

This has prompted security researchers at Panaseer to develop a series of real-world security benchmarks.

The research came up with 18 steps, that look more deeply at security standards and controls. The paper also sheds light on why some organisations still fail to carry out basic cyber hygiene measures, and how businesses can improve.

We asked the report’s author, Charlotte Jupp, to explain the ideas behind the research.

In this episode we look at the continuing threats to critical national infrastructure, or CNI.

National infrastructure is under attack from both nation state actors, and from ransomware gangs and other crime groups.

And, as the war in Ukraine has shown, energy and power generation is especially vulnerable. Are we set to see more politically motivated cyber attacks, and are we likely to see more use of cyber warfare, alone or in combination with conventional military tactics?

Our guest this week is Jon Moran, a law enforcement veteran and former incident response consultant. He is now technical director at Tufin, where he is a close watcher of CNI and the risks it faces.

In this extended episode, we review the key cybersecurity events of 2022, and analyse likely developments, and priorities, for 2023.

We look at Log4J, ransomware and "wiper" malware; the geopolitical situation and how the war in Ukraine is impacting cyber security, and the ongoing challenge of the industry's skills shortage.

And we review CISOs' priorities for the coming year, changes in both the threat environment and the regulatory landscape, and discuss security teams will need to handle ever more complex relationships as they look to protect supply chains.

Our guests are Sue Milton, of ISACA, and ISC(2)'s Jon France. Interviews by Stephen Pritchard.

Russia's invasion of Ukraine has brought war to the European continent once again.

And the conflict has, inevitably, brought an increase in cyber attacks against both Ukraine and its supporters.

That those attacks have not done more damage, or achieved a higher profile, is largely down to the defensive capabilities both of Ukraine and NATO.

But increasingly Russia is trying to combine cyber with physical attacks on critical infrastructure in Ukraine. How can states defend themselves against these blended attacks, and new vectors such as wiper malware? And what can NATO, and other countries, learn from Ukraine's experience?

Our guest this week is Lauri Almann. He was working at Estonia's Ministry of Defence when his country came under cyber attack in 2007. He is now co-founder and chairman of CybExer, a company that runs cyber attack simulations for NATO and other governments, as well as industry.

Here, he analyses what we have seen so far in Ukraine, and what it means for cybersecurity in the West.