Defence contractor warns of false cyber security beliefs

Powered by SC Magazine
 

Four 'mindsets' that trip up specialists.

BAE Systems Australia's cyber security head has warned against four mindsets preventing security specialists from effectively dealing with cyber threats.

According to the defence contractor's Tim Scully, an overemphasis on all-encompassing defensive measures or on compliance with standards or regulations could be counterproductive.

Scully, who was also the chief executive officer of BAE subsidiary Stratsec, chaired a work group on Cyber Threat and Fortress Mentality at the second national cyber warfare conference in Canberra this week.

Fortress mindset

He described the "fortress mindset" as the traditional approach to security, where specialists aimed to keep all threats outside of their networks.

Defensive measures in a "fortress" approach focused on systems and infrastructure rather than focusing on protecting the organisation's most valuable information.

That approach was as naïve as thinking that everything inside the network was secure, he said.

“If your network is connected to the Internet, and you have something of value to a threat actor, you are likely already compromised," he said.

Compliance mindset

Scully's description of the "compliance mindset" applied to security professionals who believed that compliance with standards or regulations necessarily meant that their information was safe.

“That is not the case. You can be compliant but not secure,” Scully said.

Techie mindset

He argued that cyber security had to be incorporated as a routine agenda for executives and be subject to risk management at the most senior level.

As such, cyber security practitioners that engaged mainly with each other or their peer groups could be part of the security problem.

“They tend to confine their discourse at that technical level, engaging with others at the techie level,” Scully said.

Scully said that those in the "techie" mindset were rarely at ease communicating with anyone outside their specialist group.

An organisation could be compromised because they failed to share their impressions with senior management, he said.

Executive mindset

On the flip side -- and partly as a consequence -- of the techie mindset was the executive mindset, in which security professionals over-simplified their concerns when communicating with business managers.

“What happens is that senior managers of organisations are denied an appreciation of the problem,” he said.

But those senior executives should understand better than anyone else the risks they had to deal with, Scully argued, adding that they also held the purse strings.

Fragmented and ineffective communication often resulted in techies complaining of not getting enough resources to do their jobs, he said.

“There can be a vicious cycle there,” Scully said.

Copyright © iTnews.com.au . All rights reserved.


Defence contractor warns of false cyber security beliefs
Football player with a "fortress" mindset
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Football player with a "fortress" mindset
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1791

Vote
Do you support the abolition of the Office of the Information Commissioner?