Words: Urpo Kaila, Head of Security Policies, CSC, Finland
After a quarter century of hectic yet fascinating work in hands-on information security, I am transitioning from my operational responsibilities to an advisory role. This change has prompted some reflections that I would like to share with you. Consider them advice, if you will.
Resilience needs multi-layer security
We often think that technical information security controls such as firewalls, IDS, MFA, layered security and zero trust frameworks are our very first line of defence for mitigating security risks. What, then, is the last line of defence? Is it security-related policies, guidelines, training and compliance certifications; the political layer, so to speak? These are for sure mandatory bits of security in a world where attack vectors become more advanced and our dependencies on the supply chains of providers become ever more complex.
Personal data must be protected with cybersecurity controls
Also, we are currently flooded by overlapping regulations, such as NIS2 (the Network and Information Security Directive), CER (the Critical Entities Resilience Directive) and CRA (the European Cyber Resilience Act), to name a few. To me it seems that customers, technical staff and management are utterly confused and overwhelmed by hundreds of detailed but highly abstract requirements. The confusion in data protection is, in my very personal opinion, even worse. I say this as a very keen supporter and enthusiast of data protection principles; I even wrote my master's thesis on the topic during the last millennium. Data protection should in my opinion be much more closely integrated with information security, so that our personal data is also materially protected. Instead, legislators, supervisory authorities and practitioners seem to over-prioritise squiggly legal formalities that are incomprehensible to actual natural persons, and forget how the data is actually protected with access controls and other standard security measures. Consent forms do not really protect our personal data.
Have you ever properly read through a consent form or a privacy notice? With your hand on your heart?
Where does regulation meet implementation?
People and organisations seem to be struggling to identify how all the security and data protection requirements can and should be met. Management in organisations is trying to guess what in the world politicians and bureaucrats mean. I can reveal to you that most probably legislators don't themselves know how to create or maintain adequate cybersecurity either. How could they? They are politicians who do not have the education, skills or experience to manage cybersecurity. That is why it is an area of expertise for only some of us, and it is our job! Cybersecurity regulations and standards seem to provide us with never-ending lists of requirements which often leave sites and staff confused. These arduous lists exist to avoid accusations of omissions or misconduct.
In the real world, you need to focus, make choices and consider proportionality, usability and business interests when deciding how to lead information security. That is of course no excuse for sloppy security.
People are the key
In addition to the tsunami of emerging security regulations, another challenge lies in organisational cultures, which can also make it more difficult for us to meet our security challenges. Some traits of the toxic discussion cultures on the internet and in the media can sometimes, at least in part, extend to the daily work of many organisations. For example, younger adults can sometimes try to compensate for their insecurities by behaving in the way they think is expected, by bragging and trying to win their audience over with domineering behaviour. Most normal adults understand that this is just a phase: they are not tough, but insecure. Perhaps we can sometimes see the same kind of behaviour in would-be security heroes, who like to name-drop or brag using irrelevant technical details.
Real security heroes and professionals support their communities. Real security heroes are not only the security nerds, but all of us. We must all do our part, regardless of whether we are teachers, researchers, managers, HR, finance or communications staff, trainees, students or anyone else.
Security needs clarity, coherence and collaboration
At my home organisation, CSC, which manages Funet, the National Research and Education Network (NREN) in Finland, we achieved ISO 27001 certification in 2013. Although our Information Security Management System needs to be continuously improved, I honestly (but admittedly with bias) believe that we succeeded in defining security roles, policies and controls in a meaningful and resilient way. In addition to standard items such as management review, audits and access controls, we have created a framework in which all our services should have internal business continuity plans. The idea is that such a framework should support trust in security among our teams and people.
I truly believe that NRENs, too, must join forces even more, and beyond network connectivity. I have myself for many years been engaged in the Special Interest Group on Information Security Management (SIG-ISM) and found it productive to share best practices among peers, with trust and in confidence, as some security details cannot be disclosed in public. During our last gathering I had a feeling of warmth when I noticed that our meeting room was named in honour of Karel Vietsch, who had been the great secretary general of TERENA before it merged with DANTE to become GÉANT. I felt that we are continuing Karel's work of maintaining reliable, affordable and secure network services for higher education institutions and research infrastructures in Europe and beyond.
I feel that our communities and funders don't perhaps always understand how good the services we actually provide are. Despite our good track record, it is crucial to understand that security cannot be delegated only to a network of engineers. We must think big and engage all roles, both to ensure our security and to be able to show compliance with emerging regulations and security standards. The ISO 27001 standard has now been updated, and the new version has been amended with many new and challenging mandatory requirements. At the end of the day, we should never forget that cybersecurity is not primarily about regulations, but about risk management. Risk management in turn must rely on facts and observations, not on superficial or snarky comments. Please be advised that Microsoft, with its immense security resources, has noted in the latest Microsoft Digital Defense Report 2024 that education and research is the second most targeted sector worldwide. I see our networks as part of the European and national critical infrastructure, which must be protected with state-of-the-art processes and tools.
All of us can be the defenders of cybersecurity
Back to my initial question, what is the last line of defence in cybersecurity?
This is a question that I have thought about for many years and have tried to elaborate on in some previous writings. The last line of defence is not about listing requirements, regulations and standards, or the latest hype in cybersecurity tools. It is you! The organisation or the technology does not create security; you do. All our staff and other stakeholders have a significant role in our joint security: our system administrators, data centre engineers, managers, senior management, HR, communications and legal team, to name a few. We all need well-defined roles, resources and, above all, trust that we can ensure our security together, as a team.
About the author
Urpo Kaila is the Head of Security Policies at CSC – IT Center for Science Ltd., which operates Funet, the Finnish NREN. Urpo is also the Security Officer for the LUMI supercomputer consortium and steering committee member of GÉANT SIG-ISM.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'Your brain is the first line of defence'. Read articles from cyber security experts within our community, watch the videos, and download campaign resources on connect.geant.org/csm24