2021-04-27

'The real reason you've got brakes on a car is to let you go safely at speed'

Effective cyber security begins with good communication. Explaining the risks to people and making them feel confident of handling or escalating incidents is every bit as important as installing the latest firewalls, network monitoring and anti-malware systems.

Zakki Ghauri, interim head of cyber security & information governance at London's Royal Borough of Kensington and Chelsea and Westminster City Council, has made cyber risk communication something of a mission. As someone whose background is change management and transformation rather than cyber security, he says he approaches the issue from a different angle than a typical CISO.

"I have a really good team around me, very knowledgeable, and I think a lot of what I try to do is pull out their expertise and use it in slightly different ways of working," he said. "What I'm doing is around culture change."

Ghauri arrived at Kensington and Chelsea shortly after the Grenfell disaster. Amidst personnel changes and numerous FoI and data access requests, the council also became the target of cyber attacks as it struggled with the horrific aftermath of the fire.

The top-down, hierarchical cyber security apparatus it shared with Westminster was problematic in the face of the suddenly increased risk, Ghauri said, because it promoted passivity and inaction.

"The old way of doing things security wise was 'can you sign this off' and that was my pet peeve," he said. In contrast, the current approach with projects at the councils is very much 'shift left', advising rather than blocking.

"Generally, what we are here to do is let you know what the risks are, and it's for you to make a decision on all those risks that are acceptable for your part of the organisation, because you can manage those far better than what we can."


Ghauri and his colleagues spend a lot of time visiting different departments and inserting themselves into meetings to spread the word. He prefers to frame the approach as 'security online' rather than 'security at work', he says, because this allows department heads to offer security advice as a perk to employees, particularly when many are working from home. To give the approach momentum, he regularly badgers the council's IT partners for freebies - mugs, lanyards and the occasional iPad or John Lewis voucher - that can be handed out as rewards for reporting a phishing email or offered in a prize draw for completing training. To ensure good practice spreads, it's important to show that efforts are appreciated.

"If you report spam email, regardless of whether it's genuine or not we'll say ‘thank you so much' and we've got security lanyards and security mugs and RFID wallets to give out just as a thank you for reporting it."

A key technique is putting a picture into people's heads by relating issues to something familiar. Non-techies glaze over as soon as firewalls and network monitoring solutions, or even 'cloud', are mentioned, Ghauri said, explaining that he always tries to lead with an analogy.


"If I asked you what why you have brakes on a car, the response is normally to slow us down. But the real reason you've got brakes on a car is to let you go safely at speed."

Framed this way, the security department becomes an enabler rather than a blocker.

One of the main threat vectors is third-party suppliers, of which the council has more than 600. Hackney Council recently suffered such a supply chain attack, which came as a surprise to Ghauri as the Hackney security team is highly regarded and the infrastructure "pretty good". It goes to show that every council is vulnerable and the threat is very real, but again it's no good talking in technical terms to non-techies.

"A big, big risk process is third parties. We can have the most secure infrastructure in the world, but if our third parties are insecure then we're going to be at risk," he said. "We try not to bore the execs and general staff, so we'll give them an analogy where your front door can be really secure, but if somebody else [is looking after] a key to your door, and their house is not secure and they leave their windows open, then if someone steals your spare keys they can get into your house."


The attack on Hackney also came as a nasty shock to executives at Westminster and Kensington councils, who wanted assurance that safeguards were in place to guard against something similar. The fortifications are strong, Ghauri said, "but if you say we have network monitoring in place and deep scans from Trend Micro blah blah they tend to switch off. So again, it's about storytelling and analogies.

"So, we'll say something like, 'if you had a plumber come over to service your boiler, and then you walked in to offer them some tea and they were walking around your house, looking in drawers, you'd be suspicious, right?' Well, we've got some technology that can detect network traffic behaving that way.

"And if your windows don't close, you could maybe put some bars on them to stop people getting in. If there's a bouncer at the door we'll put two bouncers at the door, rather than one."

Of course, stories only get you so far, and the team is currently undertaking security audits of all its suppliers. They have also been beefing up security for councillors, who are often targets of phishing attacks.

"We are really proud of the security we offer to our councillors. They have got equivalent if not better security than members of staff," he said.

