'To IT, or not to IT' is not the question

It is said that Cyber Security is no longer the responsibility of the IT Department. So whose line is it, anyway?

Whilst we may have enjoyed networking with others from the comfort of our own home during Covid, the novelty soon wore off.

Networking events are gradually kicking back into a regular pattern. And so it was that I found myself at an event on IoT security.

To be honest, this isn't really my "thing", but it's an area of growth for our sister company, CentriVault, and my colleague, Andrew (No, you're not seeing double. Yes, you have to change your name by deed poll if you work for us), who does lead on this, was otherwise engaged.

Anyway, it's good to give the grey matter a shake, right?

The event had been put together by Lancashire Cyber Alliance - a partnership of organisations in the North West which is now part of the new North West Cyber Corridor.

It was held at the Advanced Manufacturing Research Centre (AMRC)., near Preston.

Although we are now based at new offices at Lancaster University - more on that in a future blog post - much of our early work is in other parts of the country. And so it was great to meet some of our Lancashire "neighbours".

Challenges with IoT

The event really brought home some of the challenges we face with the rapid expansion of technology in the domain we call Internet of Things.

Such as?

By 2025, we will have collected 73.1 zettabytes of data. To put this in context, if I was to start to download this amount of data over the fastest connection BT are able to provide me, it would take over 400 MILLION years to complete. (That's almost enough time for me to reach my target weight on my current diet!)

And, that a new generation of secure enclave chips (which help protect processing of sensitive code and data) are now both small enough and cheap enough to be out into the small devices and sensors that are central to IoT, is certainly a step in the right security direction.

Which brings me to the topic of the post.

It's about computers, innit?

Originally, work on cyber security was given to the IT Teams. As time has gone on, it's been increasingly realised that the delivery of stronger security requires much wider organisational commitment and engagement, led from the very top. Thus, "Leadership" is now absolutely central concept within standards such as ISO 27001. Furthermore, that finance, HR, and supply chain management departments have critical roles to play. As, of course, do your users.

We can keep our people in order with a carefully-constructed information security management system, can't we? Well, no, not entirely, but that's going to be the topic of many posts to come.

Security is a sociotechnical system, with interactions of technology, processes and people.

What of the seemingly techno-centric needs of the sensors, gadgets and other electronic gizmos and appliances that make up the stars of the IoT universe? Surely this is still IT?

That's where the discussion at our Alliance event got really interesting. The enclave chip fitted in the IoT devices one company was using "sorted many of the security problems ..." it was said.

Then came an important qualifier "... providing it's used correctly." Along with another theme which had also been raised during the presentations - that of "trust" - this led to a fascinating discussion regarding the important contribution of people and processes even here in this highly technical area.

Security is not just IT's responsibility, it is everyone's responsibility. Technology, processes and people all have their part to play, and the "people" come from every direction, domain and department.. Even in the most detailed technical considerations.

Therefore, 'To IT, or not to IT' is not the question. What we need to ask ourselves is how we create a culture which effectively engages all our units of resilience. It's not as poetic, but it's the truth, innit?