CONNECTING THE DEFENCE COMMUNITY WITH INSIGHT, INTELLIGENCE & OPPORTUNITIES

Officially Supported By: Defence Contracts International Defence Contracts Online
Official Media Partners for: Defence Procurement Research Technology Exportability Exhibition

As Defence Online takes an in depth look at cyber security in the month of November, Leron Zinatullin, Cybersecurity Specialist and Author of The Psychology of Information Security, examines the need to build transparency around cyber security.

In today’s corporations, information security professionals have a lot to grapple with. While facing major and constantly evolving cyber threats, they must comply with numerous laws and regulations, protect the company’s assets and develop their teams.

Back in the old days, security through obscurity was one of the many defence layers security professionals were employing to protect against attackers. On the surface, it’s hard to argue with such a logic: the less the adversary knows about our systems, the less likely they are to find a vulnerability that can be exploited.

There are some disadvantages to this approach, however. For one, you now need to tightly control the access to the restricted information about the system to limit the possibility of leaking sensitive information about its design. But this also limits the scope for testing: if only a handful of people are allowed to inspect the system for security flaws, the chances of actually discovering them are greatly reduced, especially when it comes to complex systems.

Cryptographers were among the first to realise this. One of Kerckhoff’s principles states that “a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”

Modern encryption algorithms are not only completely open to the public, exposing them to intense scrutiny, but they have often been developed by the public, as is the case, for example, with Advanced Encryption Standard (AES). If a vendor is boasting using its own proprietary encryption algorithm, I suggest giving that vendor a wide berth.

Cryptography aside, transparency can be approached from many different angles: the way we handle personal data, respond to a security incident or work with our partners and suppliers. All of these angles and many more deserve the attention of the security community. We see the shift away from ambiguous privacy policies and the desire to save face by not disclosing a security breach affecting our customers or downplaying its impact.

Communication is a key element in building transparency around security, and that extends to the way we work with people in our organisations. Understanding people is essential when designing security that works, especially if your aim is to move beyond compliance and be an enabler to the business.

Remember, people are employed to do a particular job: unless you’re hired as an information security specialist, your job is not to be an expert in security. In fact, badly designed and implemented security controls can prevent you from doing your job effectively by reducing your productivity.

The aim is not to punish people when they make a mistake, but to build trust. The security team should therefore be there to support people and recognise their challenges rather than police them.

Security mechanisms should be shaped around the day-to-day working lives of employees, and not the other way around. The best way to do this is to engage with employees and to factor in their unique

experiences and insights into the design process. The aim should be to correct the misconceptions, misunderstandings and faulty decision-making processes that result in non-compliant behaviour.

People must be given the tools and the means to understand the potential risks associated with their roles, as well as to recognise the benefits of compliant behaviour, both to themselves and to the organisation. Once they are equipped with this information and awareness, they must be trusted to make their own decisions that can serve to mitigate risks at the organisational level.

After all, even Kerckhoff recognised the importance of context and fatigue that security can place on people. One of his lesser known principles states that “given the circumstances in which it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and comply with a long list of rules.” He was a wise man indeed.

To learn more about cyber security and how your business can stay protected from threats, visit the Cyber Essentials Online website

If you would like to join our community and read more articles like this then please click here.

cyber security Leron Zinatullin transparency

Post written by: Matt Brown


LATEST STAKEHOLDER

Become a Stakeholder today and benefit from an exclusive marketing package which will allow you to:

  • Engage with active defence buyers and key supply chain partners
  • Create your own branded micro-site which within Defence Online which is managed by you
  • Have a dedicated Digital Account Manager to help enhance your Stakeholder page
  • Promote your news, products, press releases, eBooks and Videos as a Defence Online partner which feeds through to our homepage and social media channels
  • Have your company promoted on our partner website Defence Contracts Online (DCO)
  • All news promoted in mynewsdesk, a major hub for all of our news articles which enables news to be picked up from trade magazines, national newspapers and many other publications which offers extra exposure at no additional cost!

Contact us today or call us on 0845 557 1315 to take advantage of this exclusive marketing package


.

RELATED ARTICLES

Labour Party targeted by cyber attack on its digital platforms

November 13, 2019

Homeland - Labour Party targeted by cyber attack on its digital platforms

The Labour Party has confirmed that it has been the subject of a cyber attack against its digital platforms. The attack,

Immersive Labs raises $40m to accelerate expansion of cyber skills platform

November 13, 2019

Homeland - Immersive Labs raises $40m to accelerate expansion of cyber skills platform

Bristol-based cyber security training platform, Immersive Labs, has closed $40 million in funding led by global growth equity investor Summit