Richard Knowlton, Director of Group Security at Vodafone, reveals the three big questions a multinational organisation must ask when it comes to investment in cyber security.
He also describes the scale of the issue facing businesses today and explains why it is not just a problem for ‘the technology people’ to deal with.
Q: How often is a large multinational organisation targeted by cyber criminals?
Each month we see 70 billion cyber ‘events’ on our networks. We process 72 million emails, of which 44.5 million are spam, and we block around 250,000 direct attempts to hack into our networks.
We hold customer data of course, but there’s also stock market-sensitive information around pricing, market strategy and procurement. We operate in more than 100 countries, have more than 100,000 employees and around 430 million customers.
So our risk landscape is dense, large-scale and complex, and we have much that organised criminal groups would be keen to steal.
Q: With lots of focus around return on investment within the business world, how do you prove the worth of a cyber security product or service?
It’s obviously an important question when it comes to investment in security measures, which can be expensive and have an unclear return on investment.
The attitude of publicly traded companies when it comes to the investment climate at the moment is very tough. And this is a situation where it’s extremely difficult, if not impossible, to accurately calculate a return on investment for security protection.
Our approach is to look at a slightly different measure – called a ‘return on risk’ – which places a greater emphasis on business impact. In any event, this issue has led to debate around the need to incentivise businesses to invest in cyber security.
Q: What questions do you ask yourself when it comes to where to invest?
So to manage cyber security threats, which are highly complex and sophisticated, our boards expect me to take a strict risk-based approach to investment.
This means my team needs to define:
- What are our most sensitive assets?
- Where are they?
- Who needs to have access to them?
These three questions underpin all resilience planning, with business impact analysis as an essential ingredient.
Q: Is cyber security the sole responsibility of people in technology?
A fundamental point for me is that while technology is central to it, cyber security is NOT just a technical issue. A holistic approach is crucial.
We need to deploy the full range of corporate security disciplines in defending ourselves against cyber attack – physical and personal security, security awareness, business continuity, crisis management and so on. In other words, cyber security must not just be left to the technologists.
Correspondingly, there needs to be a full engagement across a range of non-security functions – legal, media relations and corporate affairs, among others – because of the need to engage not just internal stakeholders, but also external stakeholders, like governments, security agencies, regulators and the media, when something happens.
And this can be problematic – not least because different functions may be using different vocabularies in discussing the issues.
Richard appeared at a recent corporate security summit at the Tower of London, along with other leading minds in the field from a range of multinational corporations. Experts spoke on three key topics – securing your organisation, securing your reputation and securing your ’things’ – from which we have compiled a guide to download covering the top security insights from the event.