Pauline Neville-Jones is the U.K's special representative to business on cybersecurity, appointed by the prime minister. Her job is to find ways for U.K. government agencies and private companies to work together to protect their nation's critical infrastructure from cyberattacks. She sat down with SearchCIO's Christina Torode at the Information Systems Security Association conference in Nashville, Tenn., to talk about steps the public and private sectors must take to improve cybersecurity, including paying greater attention to the supply chain and tapping the help of state government. In the final segment of this three-part video series, Neville-Jones discusses the impact of managed cloud services on security standards, and why government and business must do a better job of mapping IT enterprise infrastructure.
When it comes to security, we have a spectrum of technology, from antivirus software on the one end to very sophisticated security tools at the other end -- and then this middle ground. What can the technology vendor do to help improve cybersecurity?
Pauline Neville-Jones: I think the gap in the market that exists [can be closed when] when you take some of the well-known stuff which is already on the market and you put it into an organizational framework, which really gives it effectiveness. At the bottom end, everybody knows how to shove in … your anti-malware and what have you, because the ISP will do it for you.
On the top end, [companies] have got links into government and have got real-time information on what's coming in on threats. In the middle, certainly you must have threat information, but your dependence, really, is on a combination of what you've learned technically and how you manage yourself organizationally; it's about the level of maturity of your controls. I think there's room there for the private sector in being its own adviser. There's a great deal of work that the private sector companies can do to help those who need that advice actually to get going.
Does this tie into what's termed security by design, in which security is baked from the start to be secure?
Neville-Jones: Absolutely it does. Security by design -- it's a great word, isn't it? Clearly, our computers are a great deal better than they were. And companies now who manage the cloud [must design security for the]. . . people taking advantage of the cloud's many services. Why do you use the cloud? You use it because it should reduce your costs. You can't tell companies that they mustn't attempt to do that when it's absolutely right. At the same time, you mustn't cut the costs so much that you actually neglect a key part in ensuring that in the end, the cloud remains an enabler and it doesn't become a risk for you.
I think that there, the cloud managers and the managed services is a very important way forward, provided that when companies enter a managed service situation, they make sure that you [have] done enough work on your supply chain to ensure that it doesn't actually become a source of vulnerability to you. I think when you make a decision like that, as a CEO, for example, makes a decision [to use cloud] and the board backs him, they have got to look at not just 'How are we [in our efforts to improve cybersecurity]?' but 'How are we in relation to all the people we deal with and the companies we're dealing with?'
You're in an interesting position now, in terms of where your program stands and the next phase for you -- scaling it out. What do you think is the key challenge in getting it to scale? Is it cost?
Talking ways to improve cybersecurity with Pauline Neville-Jones
Private and public sectors need to join forces to thwart cyberattacks
The role of state government in cybersecurity
Neville-Jones: No, I don't actually think it's cost. OK, yes, you've got to spend some money, [but] I think it's not too difficult on the whole in the end to convince companies to [spend on improving cybersecurity], once they've understood the issue -- that actually, the downside to the company of insecurity could be very great. There still are companies that make a calculation of a pretty narrow kind and end up saying, 'I'm not going to spend this. I'll take the risk.' I think they don't realize how catastrophic that can be. But I think that attitude is slowly changing.
And shareholder awareness is increasing on the subject, too. They do get asked questions. It's getting to be pretty mandatory in the U.K. to have a report on this in your annual report; the chairman is going to have to take responsibility. All of these things are incentives to be aware and to be active.
I think that the next task is the one which takes us into an area which hasn't yet had the degree of attention, which in a sense … is wealth creation, because infrastructure is support for wealth creation.
Part of the problem is actually understanding their IT relationship. One of the problems with infrastructure is that it's grown over the years, in all our countries. The links between the different bits are functional, but they are not really mapped, not terribly well-understood. The criticalities -- the really critical dependencies -- they may be known somewhere in the system, but that knowledge isn't brought together anywhere. And it needs to be. There's a big mapping job to be done.
I don't think people think enough about how security actually creates business value.
Neville-Jones: No, certainly not. I think the whole business of being an enabler is the key perception. For a lot of companies, particularly smaller ones, the initial cost is a barrier. That's where … I hope the cost of security will come down. If we can find ways of making validation of security controls cheaper, because it is very time-consuming doing that -- that would be a good thing.