Security Strategy, Plan, Budget

InfoSec 2018. TalkTalk hack – lessons learned – the board perspective

Baroness Dido Harding, former CEO of Talk Talk provided the opening keynote at InfoSecurity Europe 2018 - and while she may be best known by infosec professionals for getting it wrong when trying to explain the hack on the telco two years ago, her experience certainly has lessons for the boards of most UK organisations.

When the attack first happened the tech teams at Talk Talk advised caution, wanting to be sure they had identified and solved the problem, while the sales side wanted to be up and selling.

This initial difference in approach was repeated throughout the experience and was clearly something that existed long before the incident - with the board and sales not wanting to hear what the cyber-security people might be saying - and the cyber-sec team not being forceful enough in expressing their concerns. And also not explaining themselves in simple English, while the board failed to try to even try to grasp a proper understanding of the technology.

But through it all Harding emphasised what she described as the company's desire to focus on protecting the customers and their data - and thus the company's existence. In fact she commented, "We were the only ones whose objective was to protect customers and the company.  The Metropolitan Police wanted catch criminals, GCHQ want to protect the country."  But she did emphasise that both were very supportive throughout.

Another observation was that when the TalkTalk hack happened there was no NCSC, "... and it was difficult to negotiate the different agencies and discover who to talk to, whereas with WannaCry, the  NHS and  NCSC were able to work together,  and provide useful information to mitigate the problem. They did that very well last year." 
Prior to the hack, Harding said, "We thought we took cyber-security seriously. But we were a fast growing company, acquiring others, and were hit by a simple SQL vulnerability in a legacy website that no one noticed.

"It's legacy within acquisition that gets you. And leaders not getting the message from their cyber-security teams of the need to decommission."

One of the things she says she learned is that boards are not asking the right questions. Their temptation is to ask, 'Are we OK, is the security good enough?'  Most boards want to abdicate cyber-security responsibility, but they cannot be let do that.

The answer should always be no, as no one can say they are 100 percent OK. Teams that say their cyber-security is really good are the ones to worry about.

Harding suggests that what boards should ask is: "What are the risks, what are we 'happy' with, or able to live with, and what do we need to mitigate?"

In Harding's case, she says that the most difficult decision was deciding when it was safe enough to come back online as the organisation had become  a honeytrap for every hacker, whether script kiddie or nation state.  

"The security team wanted to be the ones to make the decision themselves, they wanted more time to fix things.  But as CEO I needed to know what risks I was taking if we opened up online services again.  The security team needed to articulate what are the risks if we do that.  If I gave them two weeks, which risks go away.  They were more comfortable with eight weeks, but by then cyber-risk and business risk had crossed and the company would be gone and cyber-risk had become less important than the business risk. I needed to understand the risk to make the decision.  And that was when I realised that cyber was a board risk."

Consequently she suggests that there should have had shorter lines of communication from security to the board. "And you need a 45 minute session on cyber-security at every board meeting."

Harding then reiterated the need for engineers to explain cyber-risk to non-tech staff, and non-tech lean in to understand the tech issues, "and we learnt that because we had to."  She adds that boards need to listen to introverted experts, who need to be courageous and challenging - and speak truth to power.  Both sides need to hear each other properly to reach the right balance. 

Harding suggests that learning this lesson transformed way TalkTalk worked as a company, with non-techie business leaders engaging in tech issues that are vital to deliver business issues. And its nothing new really as business leaders are always leading and managing things they don't fully understand at the practical level.

Harding suggested that GDPR is a good thing, as it will force greater transparency, so will increasingly see generalists  treat cyber-security risk in same way they treat physical risks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.