#BHEU: Focus on Security Fundamentals, Not Adversarial Sophistication
Focus on the fundamentals of security to ensure you keep on top of incidents and have the best company culture.
Speaking in the opening keynote of Black Hat Europe 2020, Pete Cooper, deputy director for cyber-defense at the Cabinet Office, said “hacking is a mindset” and it is about being resourceful and finding solutions.
Comparing his time in government to his time in the RAF, he said that it is cool to fly Tornados, but preparation needed to be done in “learning the basics, building the applications and learning key critical skills, as you can learn how to fly and do the fundamentals every single time without thinking about it and the fundamentals have to become second nature.” This is because, irrespective of what the adversary throws at you, you have to be able to do the basics right.
He said: “When it all starts to go wrong, it’s your fundamentals that will keep you moving forwards and doing the right thing.” He also said that, in cybersecurity, it is very easy to get excited about “the latest sharp, pointy thing” but being able to detect and protect against cybersecurity attacks, and minimizing those attacks, enables everything else.
Winning and losing is not defined by technology, he added, as adversaries do not have access to technology that defenders do, and “our thinking allows us to make the most of our technology.” Also, there needs to be assurance that technology is safe out of the box and with trust in the system to know how it will work. “There is a key element in getting it right as the user can get it wrong,” he said.
This is why a culture of safety is important, where an engaged culture begins with reporting “problems, errors and near misses” and where acceptable and unacceptable behavior is understood. “If your organization or team is raising these issues, then you need to have a flexible culture, as the adversary has evolved and therefore we need to do so too, as security is not a static task and we need the flexibility at both a technical and organizational layers to respond to our challenges,” he said.
When those challenges are understood, there needs to be a culture of learning, so that it is about more than fixing and includes understanding why and how something happened “so we can change and adapt all the way through.” If users are empowered, it brings the power of the individual to the organization, and the culture will help you understand the unique risk to your data and company.
Cooper said there are similarities between his time in the RAF and what he does now, but his former career helped shape his thinking “and it is basics such as staying absolutely focused on the fundamentals, and no matter what your adversaries throw at you, you keep going back to those fundamentals and manage to keep plugging through.” He explained that incidents are the tip of the iceberg, and there is a need to understand what the ideas and problems are and to bring together skills, knowledge and data.
Concluding, he said this will require collaboration, which takes time and effort, but if it is done, we can form “shared perspectives” and make a difference across “joint horizons” by partnering with communities across the industry, which will be better for everyone in tackling the key risks we will face going forward.