SASIG Scandinavia – a smörgåsbord of cybersec insight
21 March 2019
Build it and they will come, they say.
And so they did. Nearly 100 delegates packed into the inaugural SASIG Scandinavia event in wind-wracked Copenhagen last week.
They were greeted by the gracious hosting and flawless facilities of TDC, lynchpin of the Danish telecom scene, and a seriously impressive roster of speakers, including a keynote by Alison Kirkby, the recently appointed CEO of TDC.
Sailing the SASIG into new waters
I was also there to speak. But foremost in my mind was the question of how the SASIG proposition would fare when thrust across the North Sea into cooler Scandi cultural climes. After all, this is a culture reputed for its rigorous self-policing, a place where consensus can be seen as king.
Of course, the SASIG works because of its honesty. Big issues are tackled with bravery because people can talk without fear. Attribution is banned, so there is no mincing of words. Which is a good thing. There’s no doubt that progress in the world of cybersecurity is held back by the fear of fingers being pointed and the desperation to avoid the stain of a breach (or even of a near miss). We really need open forums like the SASIG.
But the revelation of the day was not so much the honest remarks and acute insights that peppered the presentations, but the cross-cultural dialogue. As this is the founding session for the region, several speakers were ‘imported’ from the UK. But the mix of luminaries from both sides of the North Sea worked out exceptionally well. It was a real treat to be privy to observations from both the Danish Centre for Cybersecurity and the UK’s NCSC.
Trust me, I’m a Dane
Much was made of the distinctive outlook in Scandinavia, especially in Denmark. In Scandinavia, people are trusted to enforce rules themselves, ‘from the inside, not from the outside’, as one delegate said. It could have been the elephant in the room, but neither attendees nor speakers shied from talking trust.
Requesting that people suspend trust, even for a moment, can be a big ask here. Some mentioned that installing security turnstiles can be seen as an affront. “Don’t you trust me?” they say. That hurdle has, however, been successfully navigated by our hosts, TDC. Their front-entrance security married ‘polite’ and ‘robust’ seamlessly. But at least one UK speaker felt that this implicit faith in others could be a risk, saying: “Danes are just too trusting”.
That may partly be a reflection of a society where cybercrime, alongside other antisocial acts, has been enviably low. The most recent Security Intelligence Report from Microsoft had Denmark among the lowest ranked when it came to the number of reported cyber attacks.
Of course, Maersk has shaken things up. It’s one thing to believe the best in others, another to be unprepared for the worst. And Danes are now taking action to bake resilience in, with more than one attendee being heard to remark that ‘Maersk was the best thing that could have happened to us’. It was particularly interesting to hear from some of those involved in the post-incident clear-up, where Herculean efforts did much to stop an undoubted crisis spinning out of control.
Five friends are better than none
The SASIG also works because it’s friendly. “Make at least five new friends” is Founder Martin Smith’s mantra for those attending. It was well heeded by all in Copenhagen. It was great that much of the networking came from the more junior members of the Scandinavian cyber community. I sensed this was a cohort that really felt it was both valued and respected.
That’s something of the utmost importance to the SASIG, too, as the recent launch of the SASIG Gateway initiative (for junior cybersecurity professionals) demonstrates. A key theme of the day was the criticality of not just nurturing the talent we have but bringing on board the talent we don’t. “Diversity is a discussion, not a gender or race,” one speaker remarked. The discussion on diversity was one of the most lively of the day.
On walls and rockets
Something I learned after the session had ended was that the Danes and Brits have had a somewhat rumbustious history beyond the rather bloody ‘cultural dialogue’ of the Viking Age. It seems British warships once rocketed Copenhagen, as part of efforts to stop Danish ships falling into Napoleon’s hands.
What struck me about this was the analogy in a presentation from a respected Danish threat intelligence analyst. It’s one thing to build your walls up and staff them to repel or neutralise threats at the point of impact. But it’s once you’ve been compromised that the real danger begins.
Lateral moves behind your walls can be difficult to detect, especially if intruders can find the resources to ‘live off the land’. Too often they’re gifted with opportunities to escalate privileges and work their way to your crown jewels.
Just like the plucky Copenhageners who fought the fires that British rockets started, we need to deprive threat actors of the fuel they need to spread. Our workforce is a vital part of helping shape the landscape behind the fortifications, to make sure it really is ‘fire-unfriendly’.
It’s good to talk
And the other lesson from that 19th-century contretemps? The whole thing could have been avoided with a little more discussion. Denmark at the time was (at least in theory) neutral in the conflict between Britain and France. The primacy of talking within and between sectors, and, with this founding SASIG Scandinavia, between cultures, is a flag firmly flown by the folk at the SASIG.
So, bring on SASIG Scandinavia 2. And the rollout of SASIG banners more widely. After all, this is a time, more than ever, when the cybersecurity profession needs to think global.