
Demystifying the ‘Dark Art’

To reflect on Cyber Awareness Month at Code Nation I wanted to say a few words about the field of Cybersecurity, or is it Cyber Security, or Cyber-Security?  
When people talk to me about my role and what it is that I do, there is a tendency to focus on the technological aspects. There is a perception that the role involves a deep understanding of technology and the way in which it is implemented in the modern world; this, however, is only part of the story.

There are requirements for practitioners to understand a broad range of products and services; however, at the basis of all operations are these three fundamentals:

1. People
2. Processes
3. Technology

Let’s look at People

Businesses function by the utilisation of assets in the right areas, at the right times, within the right remit. People are one of the most important assets to any business, regardless of size, turnover, or sector. For this reason, they are the primary target for a lot of criminal adversaries.

The security posture of a business is not the purpose of the IT department; as the name Information Technology says, that department deals with the medium. Security is a management system or tool that needs to be treated as such – it is about ensuring continuous operation of the business against its objectives.

One way to ensure that risks are minimised within a business is by ensuring that the people employed are both competent and confident when undertaking their duties. This starts with understanding the value of the data that people have access to – by understanding how this could be used, and in conjunction with what, employees can then appreciate the importance of keeping data protected on any platform.

Let’s talk about Processes

Every organisation requires a starting point from which to build, and security is no different. A number of frameworks have been devised over the years to provide such a starting point for different types of businesses. Once the framework has been selected, it needs to be tailored towards the needs of the business – it isn’t a case of picking one up off the shelf and then being secured.

The framework can aid in defining objectives and identifying specific items that need to be completed in order to achieve the named objectives. This leads to the development of processes that can be put in place in order to minimise the opportunities for failure in a given area.

Effective processes that can be implemented by a business of any size to improve its security posture include simple policy items such as a clear desk policy, which reduces opportunities for sensitive information to be lost or exposed. This can then lead into the adoption of best practices in similar areas with a clearly defined means of implementing, monitoring, and reviewing each item.

The processes and subsequent procedures are not there as a punitive measure; they are there as a preventative tool to protect staff, data, and the business in its entirety. One way to increase the effectiveness of any implementation is to get the people who are going to be adhering to the policy to aid in writing it – answer the question ‘Why don’t you do it this way?’ before the fact and this will aid in developing robust processes and operating procedures that have the people in mind.

Let’s consider Technology

By using the word Cyber when discussing security there is a cloud of doubt that can impact many businesses and individuals alike. For some, the term triggers visions of media-backed imagery of hackers and spies working in the shadows in order to complete tasks of immense proportions.

There is a light reading blog by Jerald Dakins, PhD, CTO at CISO Global, about the origin of Cyber that can be found here.

The technological aspect is one facet, and there is a requirement to have access to personnel with a strong understanding of any technologies that are employed by a business; however, this is only one small part of the overall picture. There are many organisations that can assist with this aspect, such as managed service providers and the like.

To wrap things up and tie off the proverbial loose ends I just wanted to emphasise that a deep technical understanding, whilst helpful, is not essential to improving the security posture of a business. There are large elements on a daily basis that are transferable to cybersecurity.

When I deliver training in the sector, I ask everyone to start at the same point, sitting at their desk or on their couch and looking at what is around them – the opened mail that is on display, the notes on the post-it that may have usernames or passwords on, then think about your own machine, think about the number of passwords stored on the device, and how many passwords are used on multiple accounts, and what you can do to check if these have been compromised.

If you are worried about the security of your online accounts, there are places that you can go to check if these have been compromised, such as haveibeenpwned.com.

I would also encourage you to make yourself familiar with www.ncsc.gov.uk as there are numerous resources to help people navigate cybersecurity in the home and at work – thank you for your time and stay safe!

Paul Anderson 

Head of Cyber

Code Nation

paul.anderson@wearecodenation.com
