It was only recently that I remarked to a friend that I tend to forget what’s on my own doorstep when it comes to planning holidays and days out. This realization was further borne out when I was recently invited to a cybersecurity event run by CAE Technology Services Ltd (CAE) and Cisco at the Churchill War Rooms, one of the branches of the Imperial War Museum in Westminster, London on July 18, 2023.
As someone born and raised on the outskirts of London, as well as being something of a history buff, I immediately felt a little embarrassed when I realized I had never visited the historic war rooms, the underground center where Sir Winston Churchill and his government planned and directed Britain’s strategy during WWII.
Of course, I wasn’t visiting for pleasure reasons, but it was still great to get a sense of the nerve center and reflect on the critical decisions that were made down there that helped shape one of the most significant periods of the modern world.
Yet, despite it being a work event, I cannot deny I had a lot of fun. Held deep inside the vast network of corridors rooms out of bounds to the general public, the security briefing session began with a ‘Beat the Hacker’ immersive game.
With my own technical skills limited to say the least, I agreed to participate with a degree of trepidation. However, I needn’t have worried (too much). It was a game that required logic and problem-solving skills, and occasionally thinking outside the box, similar in style to the traditional ‘escape room,’ albeit without the need to physically escape from a room.
In the game, ran by cybersecurity training firm Capture the Talent, the 20 or so attendees were divided into teams and presented with a scenario faced by security professionals on an all too regular basis – a ransomware attack. The task sounded simple – we had one hour to discover the encryption key and recover the stolen files.
This time involved ‘hacking’ into various devices and other props, from suitcases to mobile phones, by working out various codes and passwords, which certainly underlined some important security lessons, such as password reuse.
The game required a range of people with different ways of thinking to reach the end goal, which seemed fitting amid the depths of the Churchill War Rooms, where problem-solving under pressure (albeit significantly higher pressure back then) was essential.
It is also a great metaphor for cybersecurity teams, where the need for diverse backgrounds and ways of thinking is being increasingly recognized in order to combat rising and more sophisticated threats.
The game also showed the dangers of overcomplicating tasks – very often the simplest answer is the right one. This is another good metaphor for cybersecurity, as was highlighted later on at the event.
Sadly, my team was last to finish, and required a few convenient tips from the Capture the Talent team to save the data just in the nick of time. But an entertaining and immersive experience nonetheless, and certainly a wake-up call on a Tuesday morning!
Reducing Complexities in Cybersecurity
Once sufficiently recovered from the mental excursions of Beat the Hacker, CAE and Cisco delivered their security briefing. The message was clear – that cybersecurity was becoming overly complex for both users and IT professionals, and this needs to change to deliver digital transformation securely.
Gisli Helgason, chief technologist for Network & Security at CAE, opened the session by observing that there are often “too many security tools,” making them hard to integrate into organizations.
He cited concerning figures from CAE’s 2022 What’s holding back more good days in IT security survey around organizations’ approach to security and impact on cyber professionals. For example, just 66% of respondents rated their organizations' security approach as positive and 27% of IT leaders say they “always” or “often” have a bad day at work.
Helgason also emphasized the importance of actionable threat intelligence to ensure organizations can be more efficient when managing their security. He gave the example of vulnerability management, where “most customers of ours can’t patch everything all of the time.”
However, actionable intelligence can demonstrate those vulnerabilities being actively exploited, which is around 1.7% of the overall number. These insights can therefore help security teams prioritize patching.
In a later presentation, Rob Lay, UKI security systems engineer leader at CISCO, noted that there are “masses of vendors” in the cybersecurity market, and attempting to integrate many different types of tools is putting an unnecessary burden on customers, particularly following the shift to multicloud environments. For example, “why ask users how they connect to networks?” he asked.
This in turn increases cyber risks for end users due to the extra complexities, Lay added.
He highlighted the Cisco Security Cloud strategy as a means of reducing such complexities, by providing a single, AI-driven platform to “drive your security from.”
Anthony Owen, a senior security solutions specialist at CAE, said that there needs to be a move towards “risk-based authentication,” which aims to “maximize user productivity without compromising security.”
This includes techniques like risk signal analysis to limit how often users have to authenticate themselves depending on factors such as their geolocation and WiFi network.
Therefore, it was a morning well spent – entertaining, engaging, with some vital security lessons and principles drilled home.
Image credit: Keith Heaton / Shutterstock.com