Interview with Tony Collings
Email interview held on 11th September 2017 – as follows between Alan Radley (questioner) and Tony Collings (relator):
Q1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
Reply: Frankly I believe we are not in a good place. Wherever we look (the news, the IT magazines, all of which are reasonably well informed) it is a tale of data breaches, hacks or leaks that are largely a result of poor management, cost cutting or varying levels of incompetence or indifference between government and industry, with the regulators sitting on the fence wringing their hands. What is more worrying is that what reaches the press is probably only about 10% of the real problem.
For organisations it ought to be worrying, but my experience is that the CEO, Head of Risk and the Finance Director always face off requests for resource from the CIO or CISO with “what is the problem and what will it cost to fix when something fails; and balance that with what is the likely fine if the regulator cuts up rough?” The Cost-Risk-Cost balance invariably comes down to “it’s cheaper to do a little within a tight budget, hope the vulnerability never becomes a real problem and pay the lesser regulator’s fine if that ever happens”, i.e. “it’s a once-in-a-hundred-years risk, forget it.”
As a consumer I have real concerns about data security and privacy, especially of my key banking and identity information.
Q2. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?
Reply: Bottom line, the key issue is education at every level and stiffer penalties for lapses. Compounding that is the level of naivety and ignorance about how our infrastructure, business and lives are totally dependent on our modern infrastructure, which is badly and cheaply managed and protected.
Balancing the risks requires an understanding of how to predict and prevent, which in turn requires a level of understanding and sophistication about how the particular business or service actually works, its dependencies and inter-dependencies, and how to monitor and intervene as appropriate. That in turn requires operational management: teams with deep technical support, able to monitor, understand what they see and do something about it. Not easy, not cheap. It also calls for inspired leadership with technical knowledge and the delegated authority to act.
Cynically, why do most of us follow the speed limit on the roads? Not out of a sense of public responsibility, but because we don’t much want to get caught and fined, with penalty points on our driving licence that put up our insurance premiums. The same applies to the constant stream of breaches and failures.
And it would be different if, instead of hunting down and penalising a whistleblower who gets frustrated to the point of speaking out, organisations accepted that they have a vulnerability and made the brave soul part of the predict-prevent team.
Q3. Where do you go to find your “science” of cybersecurity?
Reply: Very few understand the interaction between science and cyber security. It is both a science with underpinning technology (scientific concepts operationally envisioned and deployed as hardware, communications and networks, software and warmware, i.e. the operational staff and users) and the art of managing the mishmash to achieve a service. Cyber is not new, just a new name as we get more technologically sophisticated and dependent. The missing key component, because it has become unfashionable, is security. Systems used to have OpSec (Operational Security) and ComSec (Communications Security) because we recognised that resilience and reliability for an ‘always there’ service also needed security. But security can be inconvenient and get in the way of rapid/agile development, especially at the application level of software development (almost all apps have little or NO security). The Internet of Things (IoT) is extremely vulnerable for this very reason.
So we have cyber without the underlying design that allows expansion and resilience/reliability with inbuilt security that delivers protection to our data both in transit and at rest. The science has a long way to catch up to deliver effective universal cyber security.
Q4. Do you recommend a particular cybersecurity blog that our readers could follow?
Reply: NO, I don’t as a rule subscribe to blogs because most of them are superficial, the exception being the likes of Bruce Schneier. Most of what I pick up from my own network of well-placed friends and professionals I would never publish anyway.
Q5. What keeps you up at night in the context of the cyber environment that the world finds itself in?
Reply: Our inability or unwillingness to get out of the habit of waiting for something to fail (because it is too technically fragile or lacking real resilience, with notable ‘single points of failure’) before moving to a temporary and then a longer-term fix, known as Fail-Fix.
Instead it makes more sense all round to adopt the Strategy of Predict-Prevent. This requires an understanding of Risk all the way to the top where Risk Ownership should belong with a clear understanding of the potential damage to the organisation and its customers should a Risk translate into a real Threat and happen. This strategy requires more engagement at all levels but in the end is far more cost effective and saves reputational damage.
Q6. One last question, what advice do you have for us on how to improve the ScienceOfCybersecurity.com site as we develop it into a platform for discussing and showcasing scientific methods for cybersecurity?
Reply: “We have a problem Houston”, and we need a plan, Alan. We have an unpalatable message, but unless we get somewhere the science of cyber security may lack traction.
I have some ideas. Happy to engage on ScienceOfCybersecurity.com as a resident expert.
Thank you kindly Tony Collings OBE for taking the time out of what must be a busy schedule to answer our questions in such a useful and purposeful way. We look forward to hearing more from you, in relation to your deep knowledge of cybersecurity topics, as you become one of our resident experts on ScienceOfCybersecurity.com.
Interviewee: Tony Collings OBE,
Chairman of ECA Group Ltd; Managing Director,
Founder of Electronic Commerce Associates Limited.
Tony Collings OBE – Biography
Tony has been widely interested in national and international efforts to rationalise Identity Proofing and Verification with key interest in the implications for Corporate and Government Identity Management, its Integrity, Security and Privacy issues and on Data and Control Centre design and operation.
A Fellow of the British Computer Society, an experienced CLAS security consultant and a qualified UK Government Security Accreditor, Tony is a regular speaker, writer and authority on a wide range of associated issues, regularly publishing and speaking in both national and international forums.
He has huge experience in the practical and useful application of Security Policy, Physical and Technical Security Measures, Corporate Business Assurance, Business Continuity and Disaster Recovery, and is adept at working within all levels of an organisation.
Specialties: Particular expertise in HMG Security Policy including RMADS, all aspects of Data and Control Centre infrastructure, Information Systems, Resilience, Security, Privacy and Operational Procedures. Delivering business change and Information Management projects by re-establishing management focus and team spirit. A team player with great personal and professional integrity, pragmatism, flexibility and a broad portfolio of skills dynamically applied with the application of common sense.