The BBC CISO says she is a “consummate cynic” about cybersecurity certifications. Helen Rabe believes schemes like the widely recognised ISO 27001 standard are “time consuming” and “cumbersome” to maintain for tech teams, and could be ripe for reform.
Rabe was speaking as part of a panel at the Infosec Europe conference in London, where she joined Munawar Vallji, CISO at rail ticketing platform Trainline, and Dr Emma Philpott, of advisory group the IASME Consortium for a panel on the future of cybersecurity certifications.
BBC CISO ‘cynical’ about cybersecurity certifications
Cybersecurity certifications are designed to ensure organisations have an appropriate level of security across their teams. The most common certification is ISO 27001 from the International Organization for Standardization; the standard was updated last year and is held by more than 30,000 companies.
While these certifications are not a legal requirement, they can be a contractual stipulation for IT buyers, particularly in public sector organisations. Speaking to Tech Monitor last year, Alan Calder, founder and executive chairman of cyber risk and privacy management company IT Governance, said: “The Department of Work and Pensions, for instance, requires organisations it is contracting to have ISO specification.
“You, therefore, have a situation where the fact that you failed to get it means the DWP will not consider your contract.”
But Rabe questioned the benefit of such schemes. “I find more often than not the big certifications are executed to please the regulatory owner,” she said. “They are time-consuming and often cumbersome to maintain.”
When it comes to ISO standards specifically, Rabe added that maintaining the standards is an onerous task for IT teams. “I don’t have the budget to continuously do the upkeep, or even to do a one-off,” she said. “When I am told I need an ISO certification I say ‘why?’.”
Trainline’s Vallji agrees. “You are always under immense cost pressure and then you want to do compliance to ISO,” he said. “These are big-ticket items that are generally costly [and] take time and effort in terms of resourcing.”
Philpott, meanwhile, called for more education to help companies understand what is needed when it comes to cybersecurity standards.
The certification process may be ripe for reform, particularly in light of fast-evolving cybersecurity legislation being introduced around the world in various business sectors. In the past year, the UK government has launched new rules for telecoms companies and manufacturers of connected devices, as well as other industries.
The BBC and the MOVEit Transfer hack
The BBC was recently revealed as one of many victims of the MOVEit Transfer vulnerability which is being exploited by Russian hacking gang Cl0p.
Using the vulnerability, the cybercriminals were able to gain access to information on the systems of payroll company Zellis, allowing them to steal data on employees at the BBC, which is a Zellis client, as well as at other companies such as British Airways and Boots.
Zellis appears to be ISO 27001 accredited, with an up-to-date certification running until July 2024.
Victim companies of the MOVEit Transfer vulnerability, including the BBC, have been presented with ransom demands by Cl0p, and as yet none of the stolen data has been published online.
Other businesses hit by the breach include Shell Oil, US news network CNN and UK communications regulator Ofcom. The companies have been given until the end of today to co-operate with the criminals or see their data posted online.