JC's Column /

The real questions UK Boards should ask following the TalkTalk data breach

JC Gaillard's column on cybersecurity

The cyber attack against UK Internet Services Provider TalkTalk in October 2015 has received an enormous amount of domestic media coverage, leading to at least 15 to 20% of TalkTalk’s market cap being wiped off.

Traditional and social media have all been gripped by the topic for several weeks, and some Cyber Security specialists are even talking of the UK cyber market entering a “post TalkTalk” era. Parliament has launched an inquiry into the matter which may lead to individual hearings. There is no doubt that, in the midst of such frenzy, countless CIOs and CISOs would have been asked the proverbial “could it happen to us?” question by their board members.

“Could it happen to us?” is the wrong question, but should it be raised, the simple answer is YES

The TalkTalk security breach, all things considered and on the basis of the information publically available at the moment, is relatively limited. Earlier breaches in the US have exposed tens of millions of personal records (Heartland, TKMaxx etc). These events have been happening regularly for years and some have received exceptional levels of media coverage (Sony). In addition, since 2012, the UK government has been asking boards in very specific terms to take Cyber Security seriously.

A situation where Board members could wake up today to a problem of such magnitude is unimaginable – and should raise fundamental corporate governance questions.

So “could it happen to us?” is simply the wrong question, but should it be raised, the simple answer is YES. The time has passed for the Board to think about Cyber Security in terms of risks i.e. things that may or may not happen. Cyber attacks should be simply treated as a matter of WHEN, not IF. The problem can no longer be approached as a balancing act between costs, risk and the need to ensure regulatory compliance. The time has come for the Board to take control and drive real action.

It is not WHAT happened at TalkTalk that matters, but WHY it happened

A vast amount of media coverage has been focused on what actually happened at TalkTalk, both from a technical standpoint and from a crisis management perspective. CEO Baroness Harding received an enormous amount of criticism for her handling of the situation (and little praise for facing the music instead of hiding behind spin doctors – even if it was a bit clumsy at times).

Sadly for eminent journalists and pundits who spent days analysing the problem, the bottom line is tragically simple: Basic security controls that have been known and regarded as good practice for years were not in place. In addition to this, senior executives were poorly prepared to face the amount of media coverage the story received.

So the real questions should revolve around WHY TalkTalk ended up in such situation. It is dangerous to consider that the problems at TalkTalk were purely of a technical nature, and it is essential to understand the governance context that surrounded the incident:

  • Who was in charge and was there a Cyber / Information Security function?
  • Who was reporting to whom and how was the operation staffed and funded?
  • What was it working on, what were its priorities and who determined them and why?
  • What was it reporting on to the Board and how often?
  • Did the Board understand the topic and how much time did the Board dedicate to the topic over the past year?

It is almost inconceivable that on the Board of what is ultimately a tech company, there could be no-one with an interest on these matters

There is no silver bullet, technical or otherwise, only removing past roadblocks can lead to lasting change

Answers to these questions should gradually emerge, and the role of the Board will be scrutinised. Politicians, at least in the developed world, may start painting the protection of citizens’ personal data as a fundamental matter of corporate social responsibility for large organisations. This is a topic Boards could endorse, particularly once it is proven that consumers support it and react to it.

The problem may be easy to diagnose, but the road towards cyber resilience could be incredibly steep for some organisations. The 2015 EY Global Information Security Survey highlights that 88% of its respondents do not believe their Information Security measures meet the needs of their organisations. It echoes similar headlines from the RSA Cyber Security Poverty Index published in June 2015 – and earlier ones from McKinsey & Co for the World Economic Forum in 2014.

It is key to realize that technology alone cannot help organisations get out of this dead-end once such low levels of maturity have been reached. Most of them have been focusing for too long on merely tactical solutions to their Cyber Security challenges, in search of technical silver bullets that simply don’t exist.

Those organisations – guided in that by their Board – need to reflect on where the roadblocks are that have prevented them from reaching a satisfactory level of maturity in the face of current threats. For some, this is in spite of decades of spending in the IT and Information Security space. They need to rethink and rewire their approach in a way that enables them to demonstrate a degree of genuine cyber resilience, instead of merely throwing money at the latest technology product.

The Board must focus on ensuring that the necessary controls are properly implemented across the true perimeter of the enterprise. This includes taking into account, without complacency, the geographical footprint of the business – as well as the roles of external partners and suppliers.

Lasting change in that space will be complex and will take time. The Board must ensure that a long-term Cyber Security roadmap is in place – and stick to it. Changing approach every time an incident happens elsewhere, or every time the CISO changes, will simply kill any change momentum.

The Board must also incentivise and reward key players consistently for protecting the organisation – not simply for generating revenue, supporting the business or cutting costs. It must ensure that these leaders remain in place for long enough to enact change, and this is more likely to be over a 6 to 7 year horizon than 2 or 3.

The time has come for the Board to focus on the reality of the situation around Cyber Security (instead of the risks), take genuine Management action and drive the implementation of protective Controls against the genuine Cyber Threats their business faces. It should not be a matter of budget or resources anymore, but a very simple matter of priorities.

Read our full analysis here, covering the 6 real questions the Board of Directors needs to ask around cyber security, as published on Information Security Buzz in August 2015.

 

JC Gaillard

Managing Director

Corix Partners


Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.