Jacky Fox: Mind your people and your third parties for good security in 2020

15 Nov 2019

Jacky Fox, managing director, Accenture Security. Image: Accenture

Jacky Fox’s top tips for cybersecurity in 2020 are to train the technology to help protect your people, and make sure your security standards apply to any third-party suppliers.

With more than 20 years’ experience in cybersecurity, Jacky Fox recently stepped into a new role as managing director of Accenture Security. “It’s a different stepping stone for me,” she said.

Key to the decision was the opportunity to work across what she sees as the three pillars of cybersecurity: strategy, implementation and operation.

“A lot of organisations have one or two of those elements but not the three of them,” said Fox. “Accenture has the whole piece going on. For me, that’s brilliant because I can play in all those areas now, and I like all those areas.”

It’s clear that Fox has a passion for cybersecurity, but that’s not something that has historically been shared outside of security teams in organisations. In her reckoning, people used to see security as an overhead that delivered a ‘computer says no’ response to projects and innovation. “Now, people are actually really beginning to see the value of securing their business properly.”

These days, IT decision-making is so business critical it’s brought to the boardroom. “These are board and exec-level decisions,” said Fox.

Bringing cybersecurity out of a silo and into everyday consciousness at work is a great benefit. The wider the awareness, the less chance of employees falling foul of scams that affect an entire organisation.

Fox said GDPR was a game-changer in this respect, because it put the topic of data protection on everyone’s lips. In effect, the mass attention paid to this EU-wide data protection legislation was a milestone in cybersecurity communication.

“It really encouraged people to put champions out into the broader business, so every department would have a security or data champion,” said Fox. These employees then served as conduits for vital messaging around risk.

“Sometimes, people who are brilliant at security mightn’t be great communicators or vice versa, so having somebody sitting in the business, it really helps. They can mediate.”

‘Communication is king’

As with all sectors, cybersecurity needs good communication to function effectively as a cog in the larger machine.

“If you are a security person working inside, embedded in a typical organisation, your communication skills are important. But if you decide to work in consulting, your communication skills are very important,” said Fox.

Cybersecurity consultants need to be able to understand and delve into a problem even when a client has misinterpreted it themselves. “Sometimes, the problem they have is not what they perceive they have, so you need to be able to draw that out of somebody, and work with them and their business.”

This collaborative approach from the outset means cybersecurity consultants need to bring clients on a journey with them. They can’t just dictate what needs to be done with rigid step-by-step edicts, Fox explained. They have to convince the users and bring them along, or modify the framework to suit their business. “There is really no one size fits all,” she said.

And even the best, most secure controls will be thwarted if badly communicated to end users. “If you don’t have people with you, if people are going to circumvent the controls you’ve put in because they don’t care or they don’t understand, then there’s just no point at all. Communication is king,” said Fox.

Security trends in 2020

Along with this user-centred approach to cybersecurity solutions, Fox is concerned with the various traps people can fall into when it comes to cyber threats. “The human element is still enormous,” she said. “My belief is that humans keep getting caught because we don’t have the technology to protect [them].”

For her, the solution is not more training for humans but training for the technology to map what people are doing and give them nudges and hints to guide good behaviour and better decision-making. This can be a pop-up that warns users before they send an external email or double-checks if they want to open a file from an external source. “Little things like that make a huge difference,” said Fox.

Another key risk area she identified is that of third parties. “We definitely see a lot of attacks and penetration through a third party, so making sure that any third party who is handling your data or who has access to your information or your buildings has the same level of security controls that your organisation has [is important]. I think we’re going to see a lot more emphasis on managing third-party risk in the security space – more emphasis than we have to date.”

Fox said people are only just beginning to realise the full scope of third-party risks and how to adequately assess them. “The question to me is, do they have access to data? It’s a fundamental, binary question.”

This goes beyond digital access, too. A provider with access to the building merely to water the plants could come across an unattended phone or a laptop, and that’s a vulnerable access point to your organisation. In some way, every third party is introducing an element of risk. “It’s the supply chain, and it’s called ‘chain’ for a reason. It’s not a blob,” said Fox.

Speaking in computer terminology, she added: “You need to be able to trust that your first ‘hop’ is actually putting proper controls around their hops, and that it all permeates out like that.”

This requires tight policy and procedures that force everyone in your supply chain to do the necessary checks and audits on all routes back to your business.

It stands to reason that both these risk factors are high on Fox’s 2020 agenda as they are so commonly uncovered in breach investigations. “I’d say in the majority of investigations we do, there’s either some poor human who has been duped into doing something or it’s a third party,” she said.

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.