Strong cyber protection for the UK’s critical infrastructure | Daily News Byte


In Part 1 of this article, we sat down with Derrick Michelson, Field CISO at Check Point, a global cyber security solutions company, to discuss how vulnerable critical infrastructure is to cyber attack – particularly in the UK, which has the National Health Service as an extra target in its overall critical infrastructure attack surface. In Part 2, Derrick outlined some radical first steps toward reducing risks to critical infrastructure, including pay equity with cyber professionals in the commercial world and potentially outsourcing critical infrastructure security to existing specialist organizations.

While Derrick was outlining these options, he touched on how to really strengthen cyber protection for critical infrastructure.


It takes political buy-in to do anything you mentioned, doesn’t it? Are politicians sufficiently aware of the risk?


I think awareness is growing – that’s why we have updated NIS (Network and Information Systems) regulations. But we need to move away from what I call the checkbox compliance place, where politicians potentially think we’re in a better place than we are. We are not in a good place at all. And checkboxes are not the answer. We also need to conduct proper incident response exercises, so that we can further rehearse when a problem actually occurs.

But we are miles away from it.

This is not something we can fix this year, next year, in three years. We’re talking about stepping back and making sure we have a 10-year plan to deliver to maturity, and we can only manage that if we get year-over-year investment, which doesn’t happen often. And CNI requires a multi-year investment, so it’s hard to really deliver things and get proper traction. But that’s what I want to see. A unified architecture around security is a huge thing right now, and especially not within CNI (Critical National Infrastructure). It’s something that will shrink the vendor landscape and create a strategy around consolidation. A small number of suppliers, managed services vendors, I think that’s a really good starting point.


Do we think CISOs and politicians are taking this risk as seriously as they need to? And if not, how do we get them?


I will always say no. I absolutely do not think we are doing enough. I don’t see a coherent conversation around these issues. I don’t see the investment that we need to get across CNI. I don’t see that executive level sponsorship. I think we are in a better place than ever. But we need good quality talent there too. So we need to attract really good CISOs, and they need to deliver the programs I’m talking about, the strategy. These CISOs need to sit at the right level, around the executive table, so they can actually influence in the right way.

As far as the impact on healthcare comes from cybersecurity and digital security, we need CISOs to communicate strategies and plans. But until we get things together and start doing this holistically, we’re going to continue to see the same types of breaches, outages and vulnerabilities that we’ve seen this year.

So no, I think CISOs need to step up in a big way. And it would be really reassuring to see the level of expertise across all agencies. We need people who have many years of experience delivering these types of complex programs. It is obviously necessary. And to do it holistically rather than at the Scottish level and the English level and the Northern Irish level. We need to start engaging in these conversations more than we do today.

That’s where we’ll start to step things up. Despite devolved powers and responsibilities, these conversations need to be more engaging. Cybercriminals don’t care about distributed strengths, they only care about weaknesses. So I would say we need more money, better governance, better senior roles and joined-up conversations – that’s what’s needed.

But no, I still don’t think we’re taking it seriously enough. We will still break many next year, I have no doubt, within the CNI. And we’ll still be talking about how we’re investing more and what we’re doing around that, how the regulations are improving, we’ll still be talking about things next year. I really want to see us doing things


We’ve said that critical infrastructure is “critical” by definition—it exists at a rapid pace, with little time for reflection and strategy. Is it impossible, as you say, to make strategic progress without the kind of conversation that cuts through the current layers of administration?


Is it impossible? No, but to engage in dialogue, that’s the right way to do it. This is what it comes down to – if it’s the right way to do something, those who are responsible need to find a way to make it work, with a joint approach. That’s pretty much what I’m saying. So, you know, we’re very lucky, a lot of money has been invested in MCSE (Microsoft Certified Systems Engineering) in the UK. The level of expertise probably exceeds what we see at the federal level in the United States. So that’s the level we run on. As far as event response goes it’s perfectly fine, and as far as actually delivering some best practices is concerned.

Now what we need to do is lead below. Below the MCSE, we have fields that can help in healthcare and fields that can help in utilities. So we have to start engaging in strategy, conversations, and then we can really start influencing how the NCSC (National Cyber Security Center) can run some of these services as well.

I don’t think it works as well as it should. And I see no reason why we can’t engage in the conversation that we’ve already engaged in in response to Covid. Covid forced four nations to come together and try to talk about data sharing in terms of how you can access your health records across different services. For example, you can get a contact-trace in one country, even if you live across the border.

I want us to go ahead and say that this is the way to deal with cyber threats. Why would NHS England want to do anything different than NHS Scotland or vice versa? We are all working towards the same goal at the end of the day.

Politicians have to start by saying we’re going to do things right for once. Nor do we need three separate, national ways of doing things. We need an approach that applies across the board.


Should there be some new supreme authority specifically to deal with this and to go into all those different areas where there are critical structural weaknesses? And if so, how should it work? What should its powers be?


Well, my suspicion is that it’s coming anyway. We are now in a world where we are going to see more regulation. We’ve reached that tipping point where we’re probably going to see in the way of more regulation than we have governance, more than we have compliance. If it’s going to be asked, we need to understand where the responsibility sits. Where is that level of executive sponsorship and governance for this?

I’m talking about bringing these connected strategies, conversations, and dialogues together. They need to come together in “somewhere”. What that looks like somewhere, I’m not really sure, but I don’t think it would be particularly difficult for the responsible bodies to sit down and agree on how this would actually work.

We have various security sources across the United Kingdom that I know they already collaborate on. I think it’s an extension of that idea. The CNI needs to ensure that it has proper governance and accountability, which starts to drive it forward.

There are already ways to determine maturity against compliance – we get exactly the audit score when complying with NIS rules. That kind of audit score can drive a joined-up strategy, driving the innovations that feed needs across the nation, so we can learn across the board, identify impacts, weaknesses and help each other.

That’s certainly not happening right now.


How do we convince politicians that it should be something that happens critically?


It starts with influencing bureaucrats and politicians. It starts with chief executives who want to communicate with their agencies and their directorates as far as what we’re doing. The reason I say we’re not doing enough is because I suspect that cybersecurity budgets will either be flat or cut in the near future.

I don’t think we’ll see anything like sufficient investment anytime soon. But we are starting from a very low maturity base, so that is required. We won’t get that level of investment unless our top chief executives ask for it.

That means they need to understand themselves what is at stake in their organizations, they need to be able to make a case that we need more nurses, doctors, MRI scanners, we need better lab systems, but we need better digital health as well as better physical health. And underneath all of these things there needs to be a proper, secure by design, digital infrastructure. If you only invest in nurses, doctors, scanners, you suddenly find that your systems were vulnerable, and your risk landscape was much larger than you thought. That is my fear.

I think it will be interesting to see how investing in security looks in the short-term future. Whatever it is, that investment has to filter into the strategy and design that sits beneath it. That’s what I want to start looking at.

But I don’t think we’ll see that. I think any additional investment will go to wages and pensions and not underpin our services. We will leave ourselves open. You may have more nurses than you have at the moment, but if they’re not able to access complex services like electronic health records to see what patients’ prescriptions are, if the lab isn’t able to return results, healthcare services will be very, very difficult to provide. In terms of strategy, everything has to be done from the top down, but delivered from the bottom up.

We are not in that space. And we need more investment in cybersecurity than we’ve gotten.
