Nina Paine was recently appointed to the board of the Chartered Institute of Information Security (CIISec), who have also awarded her a fellowship. teiss was fortunate to catch up with her to ask her about this new role and how she sees the future of the cyber security profession.
Nina is Global Head, Cyber Stakeholder and Government Engagement at Standard Chartered. Her role there is to build strong public-private partnerships that improve the way that cyber risks are addressed by all stakeholders. And with a background in banking and law enforcement (she spent 13 years at the National Crime Agency and its predecessors) she is well placed to act as a bridge between government and business in this area.
She told me about her work at the National Crime Unit where she worked on cyber-crime prevention, which was growing massively at the time. Cyber was seen by perpetrators as a largely risk-free crime. One of her objectives was to shift the perceived balance between risk and reward, so as to prevent more people viewing cyber-crime as an easy option.
Sadly, people still see cyber-crime as a low-risk/high-reward activity. As a society, we need to intervene right from the start which means education at primary school, both in how to keep safe and why cyber-crime is wrong. Later, at secondary school, we can be telling children about the range of exciting and worthwhile careers available in cyber security. Another message is that AI won’t take people’s jobs away in cyber security. Instead it will empower them to do even more interesting things.
Of course, children will always be interested in cyber-crime, for a variety of reasons. And some will go on to dabble in it. Prevention is better than cure here. We shouldn’t always be moving to strict enforcement immediately. A better approach may be to say “You have dipped your toe into cyber criminality. These are the potential consequences – for you and for others. We want to tell you that there are alternatives that are just as exciting e.g. red teaming”.
Managing the pandemic
I asked Nina about how she viewed the effect that the pandemic is having on cyber security. Of course, we have all come across the usual Covid-based phishing emails. In fact, she told me, over 40% of British people have been targeted by them.
A particularly nasty method the criminals are using at the moment is to exploit bereavement. When people have been bereaved they are unusually vulnerable. Criminals are looking for people who have been bereaved, typically by scanning social media posts, and then launching covid-related and other scams.
The unfortunate reality is that the pandemic has increased the attack surface for cyber-criminals. The result is an increase in ransomware attacks, for instance on hospitals and universities. Remote working is a risk that many organisations have not properly secured. Employees may be using insecure endpoints, vulnerable home networks and unauthorised (or badly set up) communications tools.
Keeping cyber safe
There are technical defences that can be put in place to make remote working more secure: VPNs, 2FA, DLP and the like. But technical defences can only go so far and can be subverted by staff misconduct. But ultimately the solution has to be ensuring greater cyber awareness and encouraging positive security behaviours – a key goal of CIISec.
Take the Bank of Bangladesh cyber heist of 2016. A number of fraudulent instructions were issued by hackers to illegally transfer around US$ 1 billion from a Bangladesh Bank account. Five of these instructions were successful and over US$ 100 million was stolen. But the majority of the fraudulent instructions failed. Why? Because an alert bank employee spotted a typo: one instruction was to transfer money to the Shalika Foundation, but the hackers had misspelled “foundation” as “fandation.”
Vigilance: it’s essential, Nina tells me. But how can we keep people vigilant when they spend all day staring at screens. Well, we could start by making sure that people working from home know that it is acceptable (indeed required) that they take regular breaks. But also, we can try to grab people’s attention through the gamification of training and the rewarding of positive behaviours. A really powerful way is to educate people alongside their families, teaching everyone how to keep safe, at home and not just at work: using emotion in this way means that messages are better remembered and appreciated as more important.
Protection through process
Process is also important. If you have a hotline to report suspicious activity it needs to be easy to access. And people reporting doubtful behaviour need to be taken seriously, applauded and given feedback about what happened as a result of their call.
Another point is that processes need testing regularly. This isn’t just to see if they work during a crisis such as a cyber breach. It’s to give people experience of working in a crisis. Nina quotes Mike Tyson: “Everyone has a plan until they get punched in the mouth”. Practising the plan means that when you do get punched you are far less likely to fold immediately.
And practising, testing the plan, has to happen now – during a crisis. If people say “But we are in a crisis. We don’t have time to test” answer them by saying “Really? This is the most important time to test!”. Everyone, especially top management, needs to be involved in these tests.
The difficulty may be that top management isn’t always involved. That’s not true in the industries Nina comes from – government and financial services. But some organisations in other industries are less aware of the criticality of cyber security. In that case, it’s important to explain the benefits of a strong approach to cyber security, to position it as an enabler of business rather than an obstacle (just as the brakes on a car enable you to travel at speed).
Diversity in cyber security
The conversation moves on to diversity, something Nina has long been passionate about. It’s clear to both of us that diverse businesses have the advantage. Organisations that embrace diversity deliver a 53% higher return on equity than those that don’t, and 22% more revenue per employee.
Many organisations are forecasting a shortfall of cyber security experts. And to fill that gap we need to welcome a broad range of people, to get away from the “male geek” stereotype and look for a wide range of talents. Nina’s first degree is in Law, not computer science, but she has the CIISP certification, so she is a perfect example. The industry needs a far greater diversity of thought, people from different backgrounds, and people with different skill sets – such as critical thinking, problem solving and communication.
Gender and ethnicity is a good place to start when looking for diversity but we need to go wider – class, age, educational background, experience, personality – these are all important elements of diversity.
And to encourage greater diversity, we need to develop outreach programmes aimed at different audiences – school leavers (there are some excellent cyber apprenticeship schemes), new graduates, University events, ex-forces, mums returning to work, career changers in their fifties and sixties. The number of existing initiatives is good but perhaps we need to publicise them better
And we need to change the language too. The tone of the cyber security industry can sometimes be inappropriate. Why do brochures have to feature sexy female robots? Why do people talk about “opening the kimono”? It’s creepy and frankly off-putting, and not just to young women.
Recruitment also needs to reflect the need for a diverse workforce. One example is including a list of required skills for a position. Men are more likely than women to apply for roles where they do not fit all the requirements. A simple change from “required skills” to “desired skills” might make a huge difference to who applies. (Who is writing these job adverts? Is it people who don’t really understand what is needed?) Even the recruitment process could change – an insistence on a rapid response, say 48 hours may well put off people, including many women, who prefer to “think before they ink”.
We could go on, but I have taken up too much of Nina’s time already. But it seems to me that her pragmatic and people-focused approach is what the cyber security industry needs to take it out of the IT department and into business strategy. And it’s what is needed to ensure that the profession evolves alongside society and its changing requirements. CIISec will certainly benefit from her wisdom, experience and energy.
The Chartered Institute of Information Security (CIISec)
CIISec was set up to promote professionalism, integrity and excellence within information and cyber security. Its principal objectives are:
- To promote, for the public benefit, the advancement and dissemination of knowledge in the field of information security
- To develop high ethical standards for practitioners in information security and to promote professional standards in the UK and overseas
- To act as an authoritative body for the purpose of consultation and research in matters of education or public interest concerning information security
It received a Royal Charter in December 2018. You can find out more about the Chartered Institute of Information Security here.
Main image courtesy of iStockPhoto.com