At an honest, yet fruitful brainstorm discussion, IT leaders relayed their biggest cybersecurity fears, and what they are doing to prepare.
During a brainstorm discussion at the CIO South Africa Cybersecurity Summit on 20 February, technologists revealed some of their great anxieties about cybersecurity, where South Africa fared in the great cyber-war and unanimously agreed that, “What stands between us, where cybersecurity is concerned, is between the seat and the keyboard.”
“We’re winning a few battles, but it just seems like we’re losing the war,” said Kevin Wilson, GM for group IT services at Stefanutti Stocks during his opening remarks.
Denzil Govender, CTO at iOCO, agreed, saying: “Attacks have become very sophisticated over the years, and this requires us to be continually running in the race. You will never get comfortable enough that you feel like you’re winning. In fact, you will sometimes feel like you’re falling a bit behind, but it’s important to stay in the race.
“As technologists, we need to take a slight step back from thinking about tech and starting thinking about the people. For example, what would happen if a hacker kidnapped your IT manager?”
Shortfalls in cybersecurity
The comment that Sasfin’s Josh Souchon made earlier that evening about people getting lost in the tools really resonated with Matthew Butler, CTO at Entelect. “The thinking is, oh, I’ve implemented the security tool, that should mean that we’re safe now, right? However, the truth is, the tools are only as good as the people who implemented them.
“The basics and people are very important: the people who are looking at those tools are by far the most valuable because they know who your people are, what they do, what the business does, and what kind of things go wrong – don’t get caught in the dragnet.
“Remember, defence is about layers: don’t become a victim, catch it before it happens. You need layers: train your people, cover the basics. As it stands, a lot of people aren't in good shape and we’ve seen the evidence.”
“When is enough, enough?” asked Norbit Williams, senior manager for group IT: governance services at Eskom. “I’ve seen this in multiple organisations, where the general approach is bolting on initial layers of security, using similar products that have the same intention, but different outcomes, which goes back to what was mentioned earlier in the evening: we start to focus on the technology and forget about the rest of the value chain that plays a big role in cybersecurity, the people,” he added.
“The bill attached to that becomes a very costly exercise in trying to overprotect.”
“I totally agree with most of what was said tonight, but in my environment, the weakest link is between the seat and the keyboard. Almost every attack can be linked to an individual. You need to protect your crown jewels, which will require you to spend some cash. However, I think the other elements of cybersecurity, the general stuff, is becoming mainstream now: you experience an attack, fix it up and move on – something that would’ve been a catastrophe 20 years ago,” said Toni Serra, CIO at AECI.
“It’s impossible to get to a stage where an attack never happens: there is an abundance of hackers. In fact, you even visit them: through our investigations, we managed to track down a guy as far as the Czech Republic – you simply can’t throw enough money at it, to ensure it never happens.”
One guest said that collaboration is also key in cybersecurity. As such, they’ve brought in government and companies like Liquid Intelligent Technologies, who have done the testing. However, he posed the question, "What sort of idiot-proofing can you introduce into your network?”
He believed that they’ll always be users who’ll click on a link, therefore how can that be managed. One solution he offered was to always conduct checks, checking administrative rights on the devices, and take away the ability to give an army the capability to weaponise your devices, and attack your network.
For Dr Denisha Jairam-Owthar, CIO at the Council for Medical Schemes, South Africa has to take a stance. Every time we look to the West for a solution, we should look at our own country for solutions too! “Localise the skills, and bring in those local partners who have the capability,” she said. “Also, where are the skills of a certified CISO who can interrogate the CIO? I’d be open to being interrogated myself”
She went on to question why the CEOs have not updated their policies and introduced a retainer for cyber. According to her, retainers would allow organisations to get in the necessary skills. “We’re not doing a good job on that front as things stand,” she added.
Norbit Williams added: “We have enough skills, but not enough appetite to start taking action. We need to be sincere about wanting to do things.”
Building blocks and educating people
Guests agreed that from a security perspective, the first thing one could do is change behaviour. Some even did this by bringing in a white hat [an ethical hacker], who logged into a bunch of home cameras and exposed how vulnerable people were through the live feeds he shared. The experiment was to drive a sort of shock factor.
Some deployed the cyber-awareness route and introduced cyber-awareness messaging all over their building, in restrooms and corridors – to maintain that awareness on a daily basis. However, the shock and awe, they said, was the selling factor in really driving the message home.
“Let’s look at behaviour: hacking a culture and culture hacking. Notably, we still call people users, which makes them passive. Stop talking to them as users, change the language from user to collaborator – if you treat someone by engaging with them in a way that gives them agency – that changes behaviour,” Webber Wentzel’s former CIO, Warren Hero, concluded.
