‘Outsmart, outwit, outthink, outmanoeuvre’ by Jonathan Evans, Lord Evans of Weardale, 19th August 2021
I have been interested in cyber security since I was running MI5. We were actively looking to attack our adversaries’ systems. It didn’t take long for the penny to drop that if we could infiltrate someone else’s defences, then they could do the same to us.
Fast-forward to today and, as a Non-Executive Director and adviser to a diverse portfolio of organisations, the role that security has to play has changed almost beyond measure. But the principles have remained the same, both for the front line of our critical National Security and the protection of the organisations that I now advise.
Before I began my journey with Ark Data Centres, I held a Board position with HSBC Holdings. I had the privilege of physically visiting some of their data centre pairings in various parts of the world. Aside from being interested in the engineering aspect, it was then that I realised the remarkable role these facilities play. Much like the adoption of cloud computing, security once seemed to be the biggest inhibitor to organisations considering a data centre provider but today (unless security really is your key specialism), there is a clear consensus that your data is safer in the hands of an organisation that can provide a specialist focus on reducing security risk. The diligence employed by a high-quality data centre operator for physical resilience, access control, expertise of staff, security protocols, in addition to the digital safeguards, is a model that most organisations would struggle to match, let alone improve upon.
Data Centres, for example, must pay close attention to both physical and digital security in equal measure. These two factors are intricately intermeshed, particularly if you look at the problem with the mindset of a hacker. Many security stories have become so well-known, they have almost become industry folklore, which can lull organisations into a false sense of security that they ‘know what’s coming’. Tales of clumsily phrased emails and USBs being left in car parks for hapless victims to plug into their machines suggest that such attacks are predictable. In reality the landscape is infinitely more diverse and complex. Equally, the most sophisticated technology on the planet won’t constrain a member of staff with malicious motives and authority to access internal systems. Mischievous teenagers in their bedrooms, spies hunting Intellectual Property, organised criminal gangs and the military looking to sabotage systems all share a common goal – to outsmart their opponent. It is as simple – and complicated – as that.
The sophisticated and the simple
Take the SolarWinds attack in the United States. That cyber attack required a staggering level of sophistication and perseverance. From an attacker’s perspective it was like climbing the North Face of the Eiger, where every tiny movement matters.
It began by cleverly infiltrating the supply chain and then, with patient stealth and determination, it achieved access deep into corporate and Federal Government systems. The attention to detail of State attackers and some organised crime gangs may be impressive but is also arguably no more effective than an attacker successfully posing as your boss, sending you an email, and asking you to click on a document.
Today as a Non-Executive Director, it’s my job to ask the irritating questions, to place myself in the mindset of an attacker and see where the fallibilities lie. My role isn’t just to question the robustness of the internal processes and infrastructure but equally to explore the partners and the people that we all work with in our networks and supply chains. I like to understand what the relationships look like today, whether there is mutual respect, shared risk, do they share and employ similar security methodologies, what are the relationships like between the senior leadership teams? It’s not my place to conduct a full security audit but I can help test whether the total process is credible and the mindset right.
My career in government spanned 33 years and I loved working for MI5. National and international security is unquestionably one of the most exciting and challenging roles imaginable. What has been particularly interesting in the 8 years since I moved mainly into the private sector is having access to other people’s worlds, different companies, cultures, and perspectives. I still remember my first HSBC Board meeting in Hong Kong, one of the largest banks in the world, and being amazed by how much I could learn simply by stepping into someone else’s shoes and, in turn, the value that diversity of experience can bring to the table.
Staying one step ahead
My relationship with Ark is no exception. The physical and digital security challenges of the data centre world are remarkably complex and, among my portfolio of companies, you’d be hard pushed to find a better run organisation, who put security and social responsibility at the very heart of every decision. In part it can be attributed to a high-class leadership team, but their facilitative structure means that important decisions are both informed and made quickly, which are critical characteristics when executing a robust security strategy.
To stay one step ahead of a growing spectrum of attacks requires both a curiosity and fascination with security. When people ask me why I enjoy being a Non-Executive Director, a big part of it is the desire to keep learning and to stay match-fit by working with companies who are committed to excellence, open to challenging discussions, and willing to ask themselves the toughest questions. For an organisation like Ark, that quest for excellence must be unyielding, the due diligence exceptional and every last aspect of our supply chain and team in perfect synchronisation.
Each year the cost associated with Cyber-Crime continues to grow, along with the appetite and ingenuity of the criminals themselves. The security landscape may have evolved significantly since my time in MI5, but one constant remains true – to stay one step ahead of an enemy that you cannot see, you must put yourself in their shoes, understand their opportunity, their potential gain, explore every vulnerability, and be unrelenting in your aim to outsmart, outwit, outthink, and outmanoeuvre.