"The two main threats I've had to deal with have been regulators and criminals", said Stephen Bonner as he opened Thursday's SC Roundtable.
"The promise of our industry is by being compliant with regulation we are secure," added Bonner, explaining that, at least on paper, the purpose of regulation in cyber-security is to make sure companies, organisations and their customers have a baseline level of security with which to meet an increasingly dark threat landscape.
Stephen Bonner, an independent consultant on cyber-security and our speaker
It was at that point that Sol Cates, CSO of Vormetric and our sponsor, interjected with an audible 'no'.
"It may be a little more complicated," added Bonner.
But the important question here is: how does the threat differ when dealing with cyber-criminals, and where does regulation help or hinder in dealing with it?
There are two different kinds of regulation: Old Testament and New Testament. The Old Testament, filled as it is with precise rules and heavy punishments, represents the kind of checkbox regulation that many are used to. The New Testament has to do with acting in the spirit of the law.
What's seductive about the first approach "is that it works": it provides clarity and a good starting point, and if organisations are not doing the basics, like encrypting files, then chances are they'll fail pretty early on.
Sol Cates, CSO at Vormetric and today's sponsor
However, "that clarity leads to false incentives", often leading organisations to follow the letter, but not the spirit, of the law. When regulators eventually realise that, they often switch foot. That, in turn, leads to massive grey areas.
So what's the distinction between these two threats? Well, criminals know what they want; they have a very clear set of goals. Unlike regulators, who are trying to balance a complex set of societal needs, criminals are just "trying to make as much money as they can".
What's more, they're constantly evolving, making any kind of regulation, in letter or in spirit, even more complex.
Ransomware, for example, said Bonner, breaks away from what we've classically come to expect from attacks on enterprises. While many expect attackers to quietly breach and then slip away into the night, ransomware depends on its visibility to be effective. DDoS attacks are supposed to be spotted, too.
Once Bonner concluded his talk, Michael Everall, formerly deputy chief risk officer and head of information security at Fidelity, jumped in to say that the fundamentals must be dealt with first. New regulation coming out of New York, for example, deals with basics like account management processes: "none of this stuff is the big stuff but quite frankly not enough of us are doing it."
Michael Everall, deputy chief risk officer/head of information security, Fidelity
Do we even know what the threat landscape actually looks like, though? No, said Chris Mann, information security and data protection officer at BNP Paribas, plainly: "I don't think we honestly do. The landscape changes so quickly."
"We're always having to play catch up against the baddies," he said, adding, "you can only have so much protection in place, you're always going to be firefighting."
Different sectors have different challenges, argued Mo Philip, senior manager operational security and risk at John Lewis Partnership.
Mo Philip, senior manager operational security and risk, John Lewis Partnership
Everall agreed: "It's not the container, it's the contents". But there are big differences, said Nic Miller, a security professional, especially if you're in oil and gas: "how much effort and how much money you need to be spending, depends on who is attacking you."
Gary Brailsford-Hart, Director of information, CISO, City of London Police
Gary Brailsford-Hart, CISO of the City of London Police said that "it's almost old school thinking about what people want". After all, "criminals are opportunists" and will get in however they can.
But, he added, "we are approaching an era of cyber-austerity", and we're going to have to be very careful with how we spend that money.
Bonner thought it a good point, adding that "to get a project approved you often have to gauge it in a compliance justification."
At which point the problem of FUD (fear, uncertainty and doubt) came to the fore. It is, of course, easier to get your board to spring for a larger security budget if you couch the argument in apocalyptic terms. Unfortunately, that argument so often works only because of ignorance about the threat landscape.
However, said Alison Sergeant, VP of IT infrastructure and services at RenaissanceRe, the "people who spend the money need to be constantly educated, not just employees."
So what does a secure system look like? Breaches appear to be inevitable, so it may no longer be appropriate to define success as the fictional unbreachable network.
Miller added that exercises like penetration tests are a really good way of measuring a more nuanced, realistic idea of success. Specifically, not how unbreachable are you, but once you've been breached how fast do attackers get to your important data and how fast can you detect them and kick them out?
Rachel Mulligan of Conserva Consulting and eBay's GDPR Privacy Consultant said, "I think one of the most important things is the simplicity of the response process," adding, "speed is definitely of the essence once you've discovered a breach."
Alison Sergeant, VP IT infrastructure and services, RenaissanceRe
"Too many times", said Miller, and especially in financial services, "penetration tests are a tickbox exercise," rather than an opportunity to actually learn. You can't just say 'we're covered', added Sergeant: "if you say that you should be fired."
Chris Mann, information security and data protection officer, BNP Paribas
Nic Miller, CISO