Dr Ciaran McMahon was right when he called IRISSCON “the most influential of the Irish cybersecurity conferences. Hosted in Ballsbridge in the heart of Dublin’s leafy southside, the conference brings together some of the latest thinking and developments within the cybersecurity world.
But what makes IRISSCON stand out from other events is that it’s not a trail of speakers showing fault logs and other technical products. Instead, IRISSCON’s distinguishing feature is that the speakers talk about the big ideas that are impacting on the industry.
Here at Integrity360, we’re lucky to be a part of it, and we’ve selected a few nuggets of wisdom for those of you who couldn’t attend this year’s conference.
Dr Ciaran McMahon, from Dublin’s Institute of Cyber Security explained how he and his wife survived a 6.7 magnitude earthquake while on their honeymoon in Kos (an island off Greece) in June 2017. McMahon was struck by the similarities between the response to an earthquake and the response to a cybersecurity incident. He recommends five steps to survive such an incident.
When the earthquake struck the hotel McMahon was staying in shortly after 1.30 am, McMahon’s first instinct was to protect his wife. But once the initial shock was over, they went downstairs with passports, phones and most importantly, warm clothes (as they would not be allowed back indoors until the next day). This foresight stood to McMahon as they were relatively comfortable in the immediate aftermath of the earthquake.
When it comes to cybersecurity, McMahon advises that companies have a plan in place for the worst-case scenario. “Whether that means having the cyber equivalent of a go-bag or having unused, uninfected laptops or SIM cards on standby, that level of preparedness will stand to you,” he said.
In the week following the earthquake on Cos, there were 21 smaller aftershock quakes. While none of these were at the same severity of the first one, they did cause some additional damage. McMahon says the same thing applies to cyber attacks. “Cyber events aren’t one-offs,” he explained. “It’s more of a constant level of activity. Think of the attacks on TalkTalk, HBO or Sony. They weren’t one-time events. Instead they were hacked multiple times because once criminals saw a weakness, they all wanted a go.
While the staff at the resort McMahon was staying in responded well to the earthquake, McMahon said the tour company who arranged his package holiday showed a lack of leadership. “In the midst of an attack,” he said, “formal leadership roles will be tested. If it doesn’t feel like someone is in control, then pretty soon it’s every man for themselves.”
This means that in cyber events, managers should enact a clear chain of command and let everyone know they are in control.
When the earthquake struck, McMahon’s first instinct was to contact his mother back in Ireland so that she wasn’t worried. He also contacted his sister who lived next door to his mother so that she could reassure their mother.
But when it comes to cybersecurity incidents, McMahon recommends that a more comprehensive plan is in place. Who needs to be told? Regulators, media or shareholders? Who do you contact first? What are your legal obligations? “All of these questions have to be answered,” said McMahon. “Because you don’t want your shareholders or venture capital investors finding out about an incident in a newspaper.”
McMahon explained the importance of the corporate culture by showing the reaction that the tour company had to the earthquake. They posted one notice in the lobby of the resort saying that there had been an earthquake and apologising for any inconvenience. None of the holidaymakers were satisfied with this (and eventually the tour company had to refund some of the money they paid for the holiday) but the staff at the resort were great.
But then McMahon gave the contrasting example of one staff member at the resort who was in the bar where people died only 20 minutes before the earthquake. He was literally minutes from death but after he checked his family was safe, he went straight to the resort where he worked and he worked for 24 hours straight. McMahon says that that’s not an uncommon response and that in cyber incidents, “informal leadership will often crop up and you’ll be surprised by the leadership that some people will show in times of crisis. And it’s often people you wouldn’t expect.”
Another theme at this year’s IRISCON was the skills gap that exists within the infosec ecosystem. Employers are crying out for experienced staff with the requisite certifications and qualifications but there is a chronic shortage of such employees out there.
There are many solutions to this but whatever the conclusion it’s clear that traditional recruitment is not working.
Two people with a new perspective on this problem are Lee Munsen and Thom Langford. Langford is the Chief Information Security Officer of Publicis Groupe and comes from a traditional infosec background. But when looking for staff, his golden rule is that “passion is key when looking for new staff. Look for the passionate ones. People aren’t just the certifications and qualifications they possess. You can’t teach values but you can teach technical skills.
Munsen is a case in point of this approach. He now works with Langford’s infosec team at Publicis and has also worked with Brian Honan. But Munsen’s background was in retail and he was deeply unhappy with his job. So he started teaching himself about the world of cybersecurity and blogging about it. That blog was eventually getting 8,000 hits a day.
And after a few years - he started getting noticed by people in the infosec world and that lead to his current roles - where, in his own words, “he loves his job and gets to do what I love every day”.
Langford hired Munsen because he saw past the CV. He says the days of hiring “round pegs for round holes are over. It’s far more important to hire motivated people and inspire them than to hire the most technically proficient candidates.” But Langford doesn’t see his approach as charitable. “Instead of seeing it as taking a chance,” he said, “I see it as giving an opportunity. If somebody from outside the norm is popping up on my radar, it’s probably because they are doing good work and that means they are already motivated.
Dr Jessica Barker is a sociologist and cyber-expert who recently founded RedactedFirm and also runs cyber.uk. Her speech focused on the human side of cyber technology. She said that social proof is a compelling power within our industry. “Everyone relies on social proof,” she said. “Like TripAdvisor or AirBnB. If you don’t know how to make a decision, you look to other people. Is there social proof that this is okay? We see social proof examples around us all the time.”
Look at the notices that you see in hotel rooms about towel washing and saving the environment. The most successful notices are not those that concentrate on the environment but on social proof. “Saying that the last person who stayed in this room didn’t wash their towels halved the laundry rate in one hotel that tried it.”
Social proof exists in cybersecurity when we see reports of people using bad passwords or bad security measures. But what regular people think when they see these reports is that it can’t be that bad if everyone else is using bad passwords.
Something Dr Barker says goes alongside this is optimism bias. The ‘it’s never going to happen to me’ bias. No matter how stark the statistics, people are likely to be overwhelmingly optimistic.
The approach Dr Barker says works best for cybersecurity awareness is not to scare people into using stronger passwords or safer email etiquette, but instead focus on the positives. “It’s hard to beat the optimism out of people using facts,” she explained. “It’s more useful to harness that optimism. Optimism makes people try harder. Highlight the rewards that come as a result of being secure and people will react to that.”
So, all in all, a really interesting conference with very good insights shared. If you have any questions about your own cybersecurity needs, then contact our team right now for more information and we’ll be happy to assist.