‘Cyber literacy at the top levels of companies should be a given’

14 Apr 2022


With cybersecurity constantly evolving, Huawei’s Colm Murphy believes cyber literacy is becoming just as important as financial literacy for board members.


One of the most common warnings that I’ve heard from cybersecurity experts over the years is that malicious actors and cybercriminals only have to get it right once, while cybersecurity practitioners have to get it right every single time in order to protect companies and systems.

This requires an immense amount of buy-in from every level of an organisation to build strong cyber resilience and a good security posture.

Colm Murphy is a senior cybersecurity adviser in Huawei’s global cybersecurity transparency centre in Brussels. He echoed these same sentiments, adding that cybersecurity needs to be “a board-level issue”.

“The tone comes from the top. It is no longer acceptable for a board to delegate cybersecurity as someone else’s problem. It is a central component of risk management,” he said.

“Just as it is assumed that a board member will have some level of financial literacy, in the coming decades of everything connected, everything sensing and everything intelligent, cyber literacy at the top levels of an organisation should be a given.”


Murphy’s role focuses on communicating Huawei’s cybersecurity strategy to the centre’s visitors, hosting workshops and events with the European cybersecurity community, and facilitating testing and validation of the company’s products from a security perspective.

He has almost 20 years of experience in the security space and said one of the most common mistakes he has seen among the community is forgetting the fact that cybersecurity is a shared responsibility.

“This means a broad and diverse range of stakeholders each have varied responsibilities. It requires that all of the various actors do all of the right things all of the time.”

These stakeholders range from equipment vendors such as Huawei delivering security technology to the market, to standards organisations defining what good security looks like. It continues all the way down to citizens practising good cyber hygiene by installing patches and updates and using strong authentication mechanisms.

“If we are to solve the cybersecurity challenge, what matters most is the commitment of all of these actors across the entire supply chain to transparency, their willingness to share the responsibility of achieving and maintaining good cybersecurity, and their inclination to cooperate and collaborate,” said Murphy.

“As security leaders, we need to be careful that we don’t make the mistake of forgetting that our efforts to tackle cybersecurity are a shared responsibility, and a perpetual cycle of collaboration, cooperation and open discourse.”

How the industry has evolved

With two decades in the industry, Murphy has seen how security has evolved from being considered “a luxury item” for a select number of large organisations to a central topic on virtually every company’s agenda.

“The newfound prominence and importance of cybersecurity has created many challenges, most notably the shortage of skilled cybersecurity professionals,” he said.

“From an Irish perspective, Cyber Ireland is doing great work in raising the awareness around a career in cybersecurity. Last year, I delivered a career talk to students to talk them through what I do on a daily basis. It was an engaging session with lots of interesting questions and I hope some students might consider studying cybersecurity.”

With the threat landscape constantly evolving, he said that zero trust is rightly getting more attention, especially with an ever-growing attack surface.

“In the new cyberspace, no person, no system, no connection, should be trusted,” he said. “An adversary doesn’t care what system you have or where you got it from. They will look for and exploit vulnerabilities wherever it is that they want to find them.”

According to Murphy, solving the technical challenges in today’s security landscape requires technical measures.

“A central element of this is being open to comprehensive technical verification mechanisms and independent oversight that demonstrate conformance to common standards of international best practice,” he said.

“For example, the broad promotion of the Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, to provide an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry is a welcome development.”

Finally, he said that one of the more interesting developments in cybersecurity in recent years is the changing attitude towards incident response.

“Cybersecurity has arrived at the point that the maturity of an organisation’s cybersecurity posture is not only the measures it takes in terms of prevention, but also in terms of how well it responds if and when something goes wrong,” he said.

“How quickly can an incident be detected and contained, how transparently does it communicate with the affected parties as well as the relevant regulatory authorities if necessary, what lessons does it learn for future defences, how does it share the threat intelligence with its peers (even if they are competitors) and the wider community in general?

“All of these things are the measure of true cybersecurity maturity.”


Jenny Darmody is the editor of Silicon Republic