Former UK Security Minister Leads CompTIA Discussion of Cybersecurity Trends

One of the most anticipated events of the morning session at this year’s CompTIA EMEA Conference was the cybersecurity panel led by Pauline Neville-Jones, patron of the Cyber Security Challenge and former UK Security Minister. The panel consisted of James Lyne, director of Technology Strategy at Sophos, who was described as spending “countless hours locked away from sunlight working with the world’s most paranoid businesses,” Sarah Winter from the Bank of England and Clinton Walker of Security Aware.

Neville-Jones introduced the session, describing the UK’s IT security skills shortage and her concern as to how the UK might source the 500,000 people needed to be trained in IT security to fill the current gap. A lack of British students, apprenticeships and career prospects, as well as undervaluation of the IT role, were all identified as challenges to reaching that 500,000 target. Essentially, Neville-Jones summarized, everyone is aware that cybersecurity is a “big opportunity going begging” that the UK is slow to address. “Most people fall into cybersecurity; fall into it sideways or get into it by accident,” she said.

Overall, the panel session was focused on businesses generally, rather than just the IT industry. Companies were encouraged to ensure they understood the levels of cybersecurity ignorance amongst their staffs, and to identify the key issues and resolve them. All the panel members agreed that creating personal relevance to staff was essential; basic understanding of cybersecurity within a company needs to be addressed before moving into certifications and training.

Workplace policies were highlighted as an example. These should not be large manuals that nobody reads; they should be relevant and accessible so that the everyday user is easily able to consume them. Lyne said the challenge isn’t writing the policies but getting buy-in and highlighting the risks in a form that people can easily understand.

The panel agreed that cybersecurity should be a part of modern risk management. From the top of companies on down, failure to integrate cybersecurity into the risk, strategy and collective understanding of a company still needs to be addressed. “Just like a board director being able to read the company accounts, you need to be able to protect the company’s assets,” Neville-Jones said.

The panel also discussed how companies can only move their focus to workforce training once the broader issue of lack of awareness has been addressed. It is this lack of awareness that breeds insider threats – both malicious and unplanned. The best way of minimizing an insider threat is for organizations to have regular training and discipline on cybersecurity. A phrase frequently mentioned by the panel was good “cyber hygiene,” cultivating clean habits.

Lyne encouraged everyone in the audience to get everyone around them to think differently – both at home and at work – and to help their families, friends, contacts and kids become more cyber-aware. In his experience, he said, most security failures are from people’s own poor practices, such as poor password management and basic security negligence.

The panel also highlighted the issue of personal vulnerability and tailoring risks to different users. Winter said that awareness and training for social media natives needed to be different compared to training for members of the older generation, who, for example, still write their passwords down on paper. The panel said that amongst business professionals there is still little attention paid to the security of mobile phone apps, which Lyne called the “smartphone invulnerability complex.” Too many business professionals think security threats only apply to their PCs, failing to realize that their phones are just as vulnerable.

The panel concluded that cybersecurity grows most effectively through the personal experiences of individuals. Cybersecurity is transformative; it is changing and will continue to change the way we run our daily lives, both professionally and personally.