Bake it in, don’t sprinkle it on – a holistic approach to cyber security


Jeremy Jones has recently joined Theta in a newly created role, Head of Cyber Security. In his first post in our new cyber security blog, he outlines his vision for cyber security at Theta.

If you are in business today – whether you are a plumber, a real estate agency or a retailer – you are likely to use cloud services, online payment and invoicing, social media and other digital tools to drive efficiency and competitive advantage. It is also likely that the survival of your business depends on access to the internet, business information or the Radio Frequency (RF) spectrum (including Wi-Fi, Bluetooth and cellular networks). You will need to hire people who can be trusted, your working locations may need physical controls in place to keep out threats and you may have desirable intellectual property that a foreign power wants to steal. The plethora of threat vectors and potential vulnerabilities can be overwhelming.

Raising the cyber security game

A common misconception is to conflate IT security with cyber security. While many vulnerabilities are technical in nature, the weakest link in the chain is usually the person, process or policy. Cyber security at Theta looks at the end-to-end assessment of weaknesses and threats across all aspects of an organisation, as well as strengths and opportunities. Our vision is to ‘bake in’ cyber security regulatory requirements and best practice into everything we do - the solutions we develop for our customers as well as our own internal systems.

A Rubik’s Cube is a useful metaphor for visualising cyber security. It's a puzzle with several dimensions as well as relationships and dependencies between the different factors and characteristics. It has complexity and it can be difficult to see the entire problem all at once, while the inner workings are often hidden and not widely understood.

We aim to provide a powerful yet transparent security-enhanced offering to help solve your particular Rubik’s Cube. Too often security solutions are obstructive, peevish and are perceived as detracting from organisational efficiency. We aim to deliver good cyber security that preserves business agility. And organisational culture has as important a role to play as the technology and processes that enable it.

The critical requirements: People, Process and Technology

Most exploits have a human aspect to them. By preparing people as much as we do information and networks, an organisation can have defence in depth – multiple layers of defence – against even the most sophisticated threats.

Trojan Phalanx - defence in depth

Defence in depth is originally a military strategy that seeks to delay rather than prevent the advance of an attacker by yielding space to buy time. 

People need to be educated about social engineering techniques, develop skills through training in their respective areas and be made aware of the consequences of their decisions on the attack surface. Above all, preparing people is about ensuring they have the confidence to detect the absence of the normal and the presence of the abnormal.

Process is an important aspect of cyber security too. Developing appropriate governance gives an organisation somewhere to prioritise and organise its security controls. Cyber governance is also a prerequisite if an organisation seeks certification to a standard such as ISO 27001:2013 or PCI-DSS. Certification is not an absolute defence against a cyber attack, but it is a hallmark of an organisation on the path to increased cyber security maturity. Developing unobtrusive security governance at Theta is key to maintaining our agility and flexibility.

Our technology experts deliver best-of-breed cloud, analytics, integration, digital and business software solutions. We also invest strategically in research and innovation. Cyber security is an important consideration across all these technologies. Ensuring our customers understand the risks of using a cloud environment is as important as realising the benefits, for example.

We also take the opportunity to work with vendors on cyber security. We are the sole New Zealand Microsoft partner in their Cloud & Enterprise Security Product Group where we help shape the planning and delivery of next-generation Microsoft security products. We’re also exploring the security products of other vendors we work with, including MicroStrategy.

Cyber security needs to be considered in a holistic way, across people, processes and technology within an organisation. We’re prioritising those aspects here at Theta and in the solutions we build for our customers. This in turn will drive sustainability, innovation and growth – for us and our customers.

Coming up on our cyber security blog

We like to use plain language so future blog posts will examine the cyber lexicon to help decode an industry charged with acronyms and jargon. We care about the SME base that makes up the bulk of New Zealand’s wealth so we will also look at some practical steps we can all take to improve our cyber security.

Jeremy likes

Schneier on Security

The UK National Cyber Security Centre

The NZ Internet Task Force

F-Secure Labs

Crowdstrike

@DAlperovitch


Jeremy Jones is Theta's Head of Cyber Security.