Reflections on CyberUK
It is fair to say that we have truly arrived.
NCC Group is proud to have been a lead sponsor for the National Cyber Security Centre’s (NCSC) CyberUK conference for the third year running.
Giving our talented people the opportunity to share their passion and skills with our peers and stakeholders, engaging in countless thought-provoking conversations and contributing to the ever evolving cyber security debate has been an absolute delight.
And having done so in our hometown of Manchester has been a very special experience indeed, truly worthy of our unique position in the UK’s cyber ecosystem.
So what have we learned from the keynote speeches, track and stream panel debates, industry insights and lightning talks at CyberUK 2018? These are seven main takeaways:
- Did someone say “proactive”? The NCSC/NCA’s “cyber threat to UK business 2017/18” report, published to coincide with CyberUK’s first day, emphasised that the UK had adopted a proactive approach to deal with the increasingly challenging cyber landscape. And indeed, that mantra echoed across Manchester Central, forming a battle cry to predict and prevent, to actively hunt for the next threat rather than wait and defend against it reactively.
- Cyber security is a team sport. We heard this more than once, and it is a spot-on summary of the approach that is required. From the way in which the Parliamentary Digital Service team pulled together to defend UK democracy against foreign state-backed adversaries …if we want to win the race to stay ahead of our adversaries, we need to collaborate and learn from each other. Vendors and customers, government and industry, small and large businesses, start-ups and established organisations, academics and researchers, across all industry sectors and disciplines need to work as, and become trusted partners. We need to share our expertise, our experience, our skills, our information and our intelligence, and we need the right tools, rules and mechanisms in place to make this as easy, and as natural as possible.
- People really are the strongest link. Acknowledging that the skills gap remains a clear threat to progress, the diversity theme ran through all strands of CyberUK 2018. The industry - both defenders and service providers must alter their recruitment and reward approaches quickly to appeal to the widest range of people. As our own Katy Winterborn put it so brilliantly: we have a responsibility to represent the reality we experience everyday to make our world relatable and attractive. If we are going to tap into the talents of our society, this must include embracing diversity in its widest sense (age, gender, race, LGBTQ and neuro) and opening non-traditional and creative routes into cyber security careers.
- Preparedness matters. It has become conventional wisdom these days that falling victim to a cyber attack “is a matter of when, not if”. But there is a growing consensus that this does require organisations to stay alive to the threat. Sticking with the sports metaphors, the best way of doing this is to exercise that muscle regularly, so that when the day comes, everyone within an organisation knows what to do. GCHQ Director Jeremy Fleming, in his first public speech, talked about the UK’s national cyber exercise Cyber Warrior that continually tests and exercises the UK’s cyber capabilities , and Home Secretary Rt Hon Amber Rudd MP announced plans for the UK’s first live national cybercrime exercise to test the response of security and intelligence agencies, police and first responders . And NHS Digital and the Parliamentary Digital Service, talking about the sense of panic in the face of the WannaCry and password spraying attacks, brought home the importance of having a tried and tested response to revert to in those situations.
- Doing the basics well can have a big impact. During the conference, the US National Security Agency (NSA) disclosed that they haven’t responded to the use of a zero-day vulnerability (i.e. previously unknown) in 24 months, a fact that resonated widely across the audience. Instead, attackers are leveraging known issues, common misconfigurations and lack of resilience in order to achieve their outcomes. And the NSCS/NCA’s report on “Cyber threat to UK business 2017/18”  concluded that one of the root causes of last year’s 34 successful significant cyber attacks remains the lack of implementation of basic security measures. So the challenge of getting the basics right persists. But it also offers potentially huge returns on little investment: doing the basics well can greatly improve organisations’ ability to operate.
- The ubiquity of data requires innovative approaches. Beyond the headlines and buzzwords, there was a real sense that the ever increasing availability of data and information on threats, bugs and vulnerabilities, while welcome and valuable, risks overwhelming a purely human approach to dealing with it, and requires new and innovative ways to reviewing and acting on that data. From new resourcing models such as bug bounties and crowdsourcing bug hunting to embracing machine learning, artificial intelligence and data science, the industry is evolving and maturing, just as the threat landscape around us does.
- And finally, nobody said it was easy. Despite exhibitors’ slogans promising protection from every side of cyber, stopping breaches and adversaries and securing anything from data to digital transactions, from networks to individuals, we all know, deep down, and were reminded, that there is no quick fix, no easy solution. As Ollie Whitehouse, our global CTO, put it: “Security is hard. It’s not unicorns and rainbows every day”. That means we need to do the difficult things, we need to take risks. Whether it is employers embracing diversity, organisations accepting and addressing vulnerabilities or indeed, as the Home Secretary said, the government not shying away from the tough decisions in publicly attributing cyber attacks. We all have a responsibility to get stuck in. Or, to steal a phrase from the NCSC: “We all should do the right thing…because it is the right thing to do”.
We hope you, too, enjoyed this year’s CyberUK.
If you want to know more about our services – from full spectrum attack simulation to tackle your preparedness for a cyber attack, to creating your own bug bounty programme to stay ahead of adversaries exploiting vulnerabilities, do get in touch.
And if you are interested in joining us as we continue creating a truly diverse team of talent, do let us know, too.
Published date:  16 April 2018
Written by:  Katharina Derschewsky