Baroness Dido Harding, former CEO of TalkTalk, provided the opening keynote at InfoSecurity Europe 2018 - and while she may be best known to infosec professionals for getting it wrong when trying to explain the hack on the telco two years ago, her experience certainly has lessons for the boards of most UK organisations.
When the attack first happened, the tech teams at TalkTalk advised caution, wanting to be sure they had identified and solved the problem, while the sales side wanted to be up and selling.
This initial difference in approach was repeated throughout the experience and was clearly something that had existed long before the incident - with the board and sales not wanting to hear what the cyber-security people might be saying, and the cyber-security team not being forceful enough in expressing their concerns, nor explaining themselves in simple English, while the board failed even to try to gain a proper understanding of the technology.
But through it all Harding emphasised what she described as the company's desire to focus on protecting the customers and their data - and thus the company's existence. In fact she commented, "We were the only ones whose objective was to protect customers and the company. The Metropolitan Police wanted to catch criminals, GCHQ want to protect the country." But she did emphasise that both were very supportive throughout.
"It's legacy within acquisition that gets you. And leaders not getting the message from their cyber-security teams of the need to decommission."
One of the things she says she learned is that boards are not asking the right questions. Their temptation is to ask, 'Are we OK, is the security good enough?' Most boards want to abdicate cyber-security responsibility, but they cannot be allowed to do that.
The answer should always be no, as no one can say they are 100 percent OK. Teams that say their cyber-security is really good are the ones to worry about.
Harding suggests that what boards should ask is: "What are the risks, what are we 'happy' with, or able to live with, and what do we need to mitigate?"
In Harding's case, she says that the most difficult decision was deciding when it was safe enough to come back online as the organisation had become a honeytrap for every hacker, whether script kiddie or nation state.
"The security team wanted to be the ones to make the decision themselves, they wanted more time to fix things. But as CEO I needed to know what risks I was taking if we opened up online services again. The security team needed to articulate what are the risks if we do that. If I gave them two weeks, which risks go away. They were more comfortable with eight weeks, but by then cyber-risk and business risk had crossed and the company would be gone and cyber-risk had become less important than the business risk. I needed to understand the risk to make the decision. And that was when I realised that cyber was a board risk."
Consequently she suggests that there should have been shorter lines of communication from security to the board. "And you need a 45 minute session on cyber-security at every board meeting."
Harding then reiterated the need for engineers to explain cyber-risk to non-tech staff, and for non-tech staff to lean in to understand the tech issues, "and we learnt that because we had to." She adds that boards need to listen to introverted experts, who in turn need to be courageous and challenging - and speak truth to power. Both sides need to hear each other properly to reach the right balance.
Harding suggests that learning this lesson transformed the way TalkTalk worked as a company, with non-techie business leaders engaging in tech issues that are vital to the business. And it's nothing new really, as business leaders are always leading and managing things they don't fully understand at the practical level.