With Cayman’s economic stability now heavily vested in financial services, as tourism remains closed, keeping assets ‘cyber secure’ within that industry and within government is not just a reputational concern, but crucial to the country’s very survival.
Those within government’s Cyber Security Unit, led by Chief Information Security Officer Pamela Greene, are charged with keeping Cayman’s digital assets firewalled against cyber attackers.
Greene, speaking with the Cayman Compass in a recent interview, said Cayman has not suffered any significant breach, but that was not by luck.
“We don’t rest on our laurels. We continuously monitor, we continuously respond to… let me call them ‘security events’. Security events are different from security incidents… it’s anything that may arouse suspicion; we continue to look into things. We are very risk averse, that’s the approach we take,” she said.
Cyber security a priority
Government, she said, has invested in world-class artificial intelligence and machine learning tools that will assist in monitoring the network.
“We also do need to protect our assets. We look to, metaphorically speaking, put a ring of steel around it and monitor everything that goes in and out of our network,” she said.
Government has introduced an information security control framework that sets out some 300 preventative and defensive controls, so that “we can build resilience, cyber capability, capacity into the way that we operate so that it becomes business as usual in terms of what we do when we launch a new product. When we launch a new system, we build security in by design from the outset,” Greene said.
She said once that’s done, the systems are adequately security-tested before they are made live.
However, part of achieving cyber security, she said, also includes internal measures.
“It’s about information security, information in all forms. We make people aware, through training and various other things… We don’t tolerate insider leaks. We’ll be vigorous in investigating those, if they do happen, and we have systems in place that can alert us to that kind of thing, whether it’s somebody on the outside… or somebody on the inside,” she said.
She pointed out that there is no doubt that, when looking at the global landscape, there are “unprecedented levels of cyber attacks” being perpetrated against private-sector entities, or even within government or public-sector departments, somewhere in the world.
“We know that the public and people who choose to operate from our jurisdiction have trust and confidence in our jurisdiction,” she said.
Cayman, she added, has not suffered major breaches.
“We work hard, very hard, within the corridors of government to make sure we’re constantly vigilant, we’re risk averse. We’re looking at everything that may be indicative of an attack because the attack has a life cycle; it has to start somewhere and it has a gestation period and it could last five days, it could last 35 days. It could last 350 days. If you’re vigilant, you’re looking out for it [and] that’s how you don’t fall victim to it,” she said.
Local assessment under way
Greene said focus remains the key to protecting local assets against those who seek to infiltrate and exploit any vulnerabilities within the system.
Government, she said, has embarked on a National Cyber Risk Assessment.
“It’s really critical for us at this stage to understand across the whole of the jurisdiction how we stand in terms of our cyber-risk profile,” she said. That way, they can understand what needs to be done, she added, “to secure that ecosystem between [the] public and private sector and across our whole jurisdiction with the focus on critical and essential services that we provide”.
“The outcome of this exercise will inform our national cyber-security strategy and provide a baseline upon which we can objectively measure our cyber-security maturity across our jurisdiction.” Premier Wayne Panton.
Premier Wayne Panton, in announcing the assessment last month, said it is the first time Cayman will have conducted such a broad evaluation across government, critical statutory authorities and government companies, and private-sector entities.
“The outcome of this exercise will inform our national cyber-security strategy and provide a baseline upon which we can objectively measure our cyber-security maturity across our jurisdiction,” he said.
“It will also enable us to determine what investments are necessary over time to maintain an appropriate level of cyber security.”
Greene, who is leading the initiative, said world leaders have seen the importance of such assessments and investing in initiatives to cyber-secure their own jurisdictions.
“Cyber adversaries are very skilled, very joined up, they communicate very well,” she said, adding that it is incumbent upon a jurisdiction like Cayman that is heavily reliant on digital services, and the trust and the confidence in its financial services, to have that partnership with the private sector.
“Failing to do so, potentially we’re leaving ourselves exposed to, maybe, gaps,” Greene added.
Greene said she would also like to see more local interest in cyber-security careers as there’s a global shortage of cyber-security competence around the world.
“We cannot rely on bringing in people from abroad to do this important work. It has to be the homegrown talent,” she said.
Her plan is to open opportunities for those who want to take this non-traditional route and have the aptitude for it.
“Internships are a big thing and possibly in the future, I’m looking at setting up an apprenticeship programme. I’m really passionate that we have homegrown talent and a pool of talent wide enough to serve… the public sector, the statutory authorities and the private sector in the years to come, because that’s critical,” she said.