Beware the Breach: Building Resilience in the Digital World
“It's always a case of playing catch up.” Senior technology leaders uncover how attackers exploit vulnerabilities, the challenges of distributed IT and the crucial role of cyber resilience.
Cyber resilience: an overview
As organisations look to achieve defence in depth and focus on both prevention and remediation, where does identity management and ‘passwordless’ sit? In an era of increasing cyber threats and rapid technological advancements, organisations are striving to create robust security architectures that offer both prevention and remediation measures, ultimately enhancing their cyber resilience.
In this roundtable debate, industry leaders discuss the importance of embracing digital transformation and security postures that evolve with emerging threats, while exploring solutions for C-suite decision-makers navigating this complex landscape.
With Mark Chillingworth moderating this roundtable debate, the speakers included:
- Alex Bazin, CTO, Lewis Silkin LLP
- Brian Brackenborough, CISO, Channel 4
- Jyotsna Chandrani, Director, Operational and Resilience Risk Tooling, HSBC
- Richard Corbridge, Director General - Digital, Department for Work and Pensions
- Doruk Aytulu, Director, ISV GTM and Marketplace, EMEA, Google Cloud
- Matthew Berzinski, Senior Director, Product Management, ForgeRock
Building cyber resilience: key takeaways
- What hackers are exploiting today
- Distribution and the security issue
- Cyber resilience solutions for C-suite leaders
What hackers are exploiting today
Moderator Mark Chillingworth kicked off the debate by asking the panellists what they think hackers are exploiting today, given attackers' increasing sophistication and professionalism and the distributed nature of the modern IT environment.
“What they're definitely doing is exploiting older and legacy types of authentication and security systems,” said ForgeRock’s Senior Director of Product Management, Matthew Berzinski. He made the case that a large number of organisations are not modernising and do not recognise the need for digital advancement. This leaves their systems vulnerable to all types of attacks, which emphasises the critical role of cyber resilience in modern security measures.
Channel 4’s CISO, Brian Brackenborough, argued that attackers are looking for any vulnerabilities they can get their hands on and exploit. “It's very easy to run a vulnerability scan to see what weaknesses you have exposed to the outside world”, he said, pointing out that the race is on for attackers to exploit day while the company barely has any time to patch up its environment. “It's always a case of playing catch up, unfortunately”.
According to Doruk Aytulu, from Google’s point of view “the exposure is so massive, it becomes a real challenge for security posture”. With Google and Google Cloud’s 1 billion users, including around 65 percent of the Fortune 500, the physical security alone is substantial; covering all points of exposure is what Doruk calls a “24/7 job” for the security team. “It needs to be so robust; it needs to be front and centre.”
Distribution and the security issue
Mark continued with the debate, with the speakers highlighting the importance of a robust security architecture and the necessity for cyber resilience.
Brian agreed with Mark’s prompt, which outlined that the distributed nature of IT today has played a significant role in the security issue. “Long gone are those days where all the tin was in the basement, and that you had one firewall that was protecting it,” he said. As technology leaders start to use a variety of different clouds, they need to invest in different security tools to strengthen their security. In the context of broadcast, Brian explained that more people are streaming on Channel 4’s platform, which in turn requires “more tin up there and scale up” to cope with this higher demand.
“If you can't unify that security policy, you know, attackers are like water, they're gonna go to the least resistance.” Matthew pointed out that the continued use of silos and different security policies will allow these attackers to find and exploit the weakest areas in the organisation’s security architecture. In his view, the more silos an organisation has, the bigger the attack vector, underscoring the need for a unified approach to enhance cyber resilience.
Rich Corbridge argued that five years ago, the business rationale for cloud adoption was seemingly straightforward—offload your data to the cloud, and subsequently, the security preparations and responsibility would fall on your cloud service provider. However, Rich highlighted the need for businesses to maintain a good understanding of their digital supply chains and security postures as “it's still my neck”.
In Alex Bazin’s view, mid-sized organisations such as Lewis Silkin LLP benefit hugely from leaning into the capabilities of larger-scale global technology giants. This includes gaining more robust cyber resilience and becoming better equipped in the face of attacks and malicious actors. This type of strategic outsourcing does not completely take away that aspect of responsibility. While this is not a case of “[having] a cybersecurity team 24/7 365 with the greatest kind of focus on threat actors,” Alex recognises that it allows his team to achieve more with less, highlighting the efficiency gains associated with a strong focus on cyber resilience.
Cyber resilience solutions for C-suite leaders
Risk culture is important to Jyotsna Chandrani, Director of Operational and Resilience Risk Tooling at HSBC. Amid the AI and technology threats there resides a human element—this encompasses “the identification of it, the reporting of it, and the learning from it”.
Jyotsna wants C-suite leaders to be able to recognise cybersecurity threats and champion it. When it comes to the cybersecurity function, “the absence of event[s] is the success of the investment,” in comparison to delivering other business cases.
This risk awareness culture is also something that needs to be “at every rung of the hierarchy” so that senior management are able to have a better understanding of how to handle cybersecurity operations. While the nature of cybersecurity threats is changing, Jyotsna argued that, surely, C-suite leaders will want to invest in different kinds of people as well, emphasising the human aspect of cyber resilience.
“We don't celebrate success. I think we often talk about cybersecurity when something's gone wrong,” she said, arguing that the quieter moments in the cybersecurity function need to be recognised and called out more often. In line with her views, Rich explained that celebrating success in this field is similar to “pinning a new target on your back”, prompting others to throw “extra things” their way.