Unpacking the Global Cyber Outlook Report 

Cyber security impacts everyone from private individuals to multinational firms. On Episode 46 of The Cyber Security Matters Podcast we spoke with Oliver Pinson-Roxburgh, the Co-Founder and CEO of Defense.com, about the biggest cyber security threats of today. Oliver is regularly quoted in prestigious press publications, and has been interviewed on the BBC World Service as a subject matter expert in cyber security. During the podcast, we asked him for his perspectives on the World Economic Forum’s Global Cyber Outlook report and what its findings mean for the cyber security sector. Here are his insights: 

“I think they’ve just genuinely looked at the industry and gone, ‘There’s some problems here, but there’s some light at the end of the tunnel’. The ultimate goal of the report seems to have been just to highlight those areas that all of us in the industry knew were a big issue, and put some stats around it. 

One of the key takeaways, which is really interesting, is that they found there’s a big difference between how good cyber security is in enterprise organizations versus everybody else. That’s true to the point that a statistic within the report said there is a 31% decline in the baseline of cyber resilience in SMEs. That’s a significant decline. 

Now that might seem like we’ve found a report that aligns with what Defense.com is doing, but the data is there to back it up. When you go and speak to people or look at the statistics around these reports, you’ll see that SMEs don’t have the same amount of budget for talent. Businesses are saying, ‘I don’t have the expertise in my team, and I don’t think I can even hire people because we don’t have the budget’.

Is this an issue with education? It doesn’t matter if you want to get into cyber security or not, having some sort of cyber security awareness would stand you in good stead going into any business because companies are crying out for those skills. If you can promote cyber security as something that you care about and you’re interested in evolving within a business, even if you don’t want that to be your job, that would be amazing for your career because it is such a big target. Anybody who has that background knowledge would be worth their weight in gold. 

People assume that everybody in their business is a cyber security expert and won’t fall for a phishing attack. That’s not true. You’ve got people in every business who are not naturally cyber security savvy and haven’t spent years researching security. We’ve done phishing tests on our own team and we caught people who are pen testers and consultants. That just shows that everybody can get caught. 

The report highlighted these crazy statistics, like only 15% of organizations are optimistic about cyber security skills and education significantly improving in the next two years. That’s scary, isn’t it? It’s worrying to think that most organizations don’t think we’re going to get any better at cybersecurity. It puts into question some of the things we provide ourselves, like cybersecurity training, phishing awareness, etc. Are they working? Are people investing in those things? Again, it goes back to a lack of skills and lack of resources. 52% of organizations think they lack the right skills or resources, and that’s their biggest challenge in designing their own cybersecurity strategy. 

This might sound almost like a plug for recruitment in cyber security, but this is just what the report is saying. There are hacks every week. I know some parties think it’s probably because SMEs think attackers won’t target them, but phishers are so opportunistic that they’ll target anyone. They’re just hitting the internet. We did some statistics on this a few years ago, and we put a machine on the internet, and within 32 milliseconds, it had been scanned by something. If you make a mistake and expose something that’s unpatched just by clicking the wrong button, which is really easy to do these days, you could put it on the internet almost immediately. If that gets hacked, your whole company goes down. 

Everybody should read the report. It sounds a bit nerdy, but there are some amazing statistics in there, and it shines a light on the fact that there’s a real need for businesses of all sizes to really think about security differently.” 

To hear more from Oliver, tune into Episode 46 of The Cyber Security Matters Podcast here.  

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

Leadership & Soft Skills in Cyber Security 

Meet David DellaPelle, the Co-Founder & CEO of Dune Security. David’s an experienced strategist who joined us on The Cyber Security Matters Podcast to talk about his personal approach to leadership. He also has a diverse cybersecurity strategy and management consulting background and now specialises in AI-powered employee risk management. Read on for his insights into leadership, key talent topics and the most important soft skills in the sector. 

As a leader, your leadership style sets the tone for an entire company. How would you describe your approach to leadership, and how has it evolved over time?

The most important thing is to lead by example. Not to be cliché, but I think that if you want to lead a team of people, you have to believe in the company’s vision, especially in the early stages. Maybe you’re not able or allowed to pay a lot of money, or maybe you’re paying mostly in equity. It’s really just you and your vision keeping the team together. You need to firmly believe in the vision and communicate it properly. You have to paint a picture of what the future looks like for people to follow you. 

The other side is that leaders have to do the hard work in the trenches building the company. The most important thing is to lead from the front and be fair. It’s not about being nice, especially if you’re the CEO of your company. Oftentimes, people aren’t going to like you, and that’s just something that happens as you become a successful company and founder; you have to make some people unhappy.

In your view, what are the key talent topics that need addressing in cyber security? 

Location can be incredibly important. We’re a very hot cybersecurity company using AI in the heart of downtown Manhattan, so it’s been easy for us to recruit incredible talent from Columbia University and New York University. It’s quite difficult, though, as a startup, to start to hire your more senior leadership. That’s definitely challenging. Companies like Google, Facebook, Meta, Amazon, etc, can pay individuals a really high amount, so recruiting individuals away from those super high salaries takes a lot of salesmanship. You have to align those people with your vision for them to take a pay cut. Either that or you offer them more of an equity package. But overall, the hardest thing is hiring at the more senior levels.

What do you believe are the most critical soft skills for thriving in a startup business?

The most important thing is getting along with the team. Being someone who is personable, fair, and someone that other people want to be around is important, especially in startups. Candidly, startups will fail if they aren’t in person initially. That can change as the company expands and grows, when remote or even offshore might be a good option, but at least at the initial stages, if you’re trying to build a multi-billion dollar business, being in person is incredibly important. 

What we try to test for and control in our fourth or fifth round interview is a person’s cultural fit. We’ll bring them in in person and do lunch or coffee with their hiring team and with their management team to make sure that that person is a good fit for each group. Are they someone that you really want to spend time with? Being a person ready to roll up your sleeves and work super hard is important, but not as important as being a great part of the team. 

To hear more from David about his experiences as an early-stage entrepreneur, tune into Episode 44 of The Cyber Security Matters Podcast here.

Exploring API Security 

On episode 43 of The Cyber Security Matters Podcast, we were joined by Tristan Kalos, the Co-Founder and CEO of Escape, to talk about all things API security. He shared his perspective on the future of the API security space, as well as the current challenges that Escape solves for its customers. Read on for some fresh insights into the API security sector. 

What’s the main thing customers are looking for, and how do you solve their challenges? 

The general idea is that in the past 10-15 years, the cloud appeared, and suddenly every company started moving to the cloud. Suddenly, the previous security tools that were designed for on-premise infrastructure were not up to date anymore. Cloud security companies appeared to help those companies make their transition in a safe manner, but with the transition to the cloud, the technologies used to build and run applications also evolved. Mobile applications suddenly appeared. Then you had single page applications and APIs, which is the technology that allowed any company in the world to exchange data with other companies and with their customers. APIs also let developers enhance their capabilities and communicate and exchange data. 

APIs have become central to every data transfer on the Internet and to every business that flows through the Internet. The legacy security tools do not understand APIs, how to secure them, or how to find security issues in them, so APIs are very vulnerable. At Escape, our ambition is to create a platform that can properly secure cloud applications, starting with securing the APIs that represent 80% of the global web traffic today. What we do is help security and engineering teams create and provide more secure APIs to empower their business.

What do you think some of the trends will be in API security in the next three to five years?

First of all, I think AI will be a catalyst for exposing APIs. It’s like mobile apps 10-15 years ago when everyone wanted to have a mobile app, so websites were not enough anymore. We have had to expose a private API portal, which was the first API revolution. Soon everyone will have LLM agents working for them. We will use applications in a completely standalone way without humans intervening in the process. What happens if, in five years, we live in a world where everyone has their own LLM assistant that does a lot of things for them? They book plane tickets, Airbnbs, and car rentals. They could do everything for you, but only if they can interact with public APIs.

If, in five years, or even less than that, your business doesn’t have a public API that LLMs or other external agents can connect to, you will let a lot of money slip off the table, because half of the internet users will be AI and they can’t connect to your website. It’s like not having a website in 2009 – it’s already too late. My take is that the development of large language models, or large multi-model agents in general, will make having a public API required for every business. I’m pretty excited about what’s coming from the market. 

To learn more about the future uses of APIs, as well as the current API market, tune into Episode 43 of The Cyber Security Matters Podcast here.

How to Mitigate Insider Threats & Other Cyber Security Risks 

As we rely more and more on technology, our risk of cyber attacks or information leaks is also increasing. On a joint episode of The Cyber Security Matters Podcast we spoke with Jake Bernardes, the Field CISO at anecdotes, and Ido Shlomo, the Co-founder & CTO of Token Security, about their advice for people and companies who are looking to secure their cyber assets. Read on for their insights on how to reduce your cyber security risks, including insider threats. 

Jake: “Insider threats are divided into two categories: intent and incompetence. But insider threats are real. If I look at most attacks and incidents that I’ve worked on in my time, 90% of the insider threats have been in the incompetence category. People accidentally hard-coded credentials into IDP. That’s like identity providers leaving the credentials for the entire customer database on a public-facing URL. But there are different ways to catch them. 

There is also the compliance piece, which is where anecdotes come in. We’re really good at identifying how people will divert from the norms and what control is best to use. We could connect a US to anecdotes and say, ‘This is what a normal VM looks like. This is what it has to look like to comply with PCI SOC or ISO’. As soon as someone creates one which doesn’t comply with that regulation, our system will flag a noncompliance and therefore show what was wrong. It gives you a chance to both logically correct it and then go and work with the person to educate them or uncover their intent. You have the visibility to fix it before it becomes an issue. That’s the key point of all compliance and regulation-based security; fixing things before you have a breach or before damage occurs.”

Ido: “Incompetence is a hard word, but most of the time, it’s just a lack of education or understanding. For example, one of them is people being off-boarded from a company, and the entire set of resources they’d created isn’t kept track of. That’s an insider threat, but the insider is still in the company, because it’s the people who don’t take care of it that are the problem. You see a lot of those issues in the identity space. People are so passionate about technology that they make every mistake possible. They plug in their CFO’s Excel, and they allow them to query all of the organization’s data with zero limiting on the permissions they have, and nobody’s keeping track of that. In the identity space, that’s crucial. We’ve just seen Ticketmaster, Santander Bank, and TNT suffering from those types of threats. Securing your own people is the hardest thing to do right now for security teams.”

Jake: “There are a few ways to handle insider threats, one of which is to slow down. We’re obsessed with being fast to market, so we almost encourage issues and errors. Look at the desire – and desperation – to get AI chatbots to the market last year. That resulted in a flight and a car that were both bought for $1 because these tools had been improperly tested. That will have happened because someone was pressured, either internally by themselves or externally by their leadership, to deliver and develop quickly, so they either skipped steps or just didn’t do them thoroughly enough. 

Another way to mitigate these threats is to understand what you’re doing. A lot of the time, people build stuff without really realising what they’re doing. It’s important to understand that a software development lifecycle goes from A to B, and it shouldn’t be limited. Understanding what the end goal is means you can make sure you have those steps lined up in the process. 

Finally, getting the client there when you talk about compliance and regulations always sounds boring, but when we get a bug, we can see everything happening in security. We can see everything from identity issues or cloud security issues, onboarding issues, lack of training and policies not being signed – all of that stuff. Once you get a holistic view, you can educate the leadership and filter down the necessary information.”

Ido: “It is still very important to keep the pace. You want to understand where you’re taking too big of a risk, and you need to understand how to do things securely. Security should really invest more time into the auto-remediation of problems; not when you have an incident but much before that.”

To hear more about securing your cyber assets, tune into Episode 39 of The Cyber Security Podcast here.

AI Governance, Security and Compliance

On Episode 38 of The Cyber Security Matters Podcast, we discussed changes to AI governance with Patrick Sullivan, the VP of Strategy and Innovation at A-Lign. He shared his insights on changing legislation and what that means for organisations that use AI as part of their workflow, as well as his definition of ‘AI governance’. Here’s what he said:

What does the term ‘AI governance’ actually mean? 

ISACA through COBIT has introduced control objectives for AI and has defined governance as a value-creation process. When we think about governance, we think about value creation. COBIT says that governance is creating desired outcomes at an optimized risk and cost. So for us, we need to ask ‘What do we want to create? What risk are we willing to bear? And what budget do we have to support all these things?’ Our practices are processes that are employed to ensure that we’re creating the outcomes that we want as an organization in both a risk-appropriate and resource-appropriate way. 

What frameworks or guidelines can organizations adopt to ensure AI systems are used responsibly and ethically, and does this vary based on the size of the organisation? 

Generally, we won’t see the applicable frameworks vary based on organizational size. In the market today, there are two frameworks that most organizations are using to build their AI governance systems to adhere to X number of regulations. For neuco as an example, we saw that the EU AI Act was written into the Official Journal last week. These regulations are pressing, which means many organizations that are bound to the AI Act now need to take significant action to prepare themselves. 

How do those frameworks and guidelines actually physically enhance trust within the supply chain?

ISO 42001 is a certifiable standard and management system. Organisations that implement ISO 42001 as their AI management system can have a third-party auditor certification body, of which A-Lign is one, independently validate that appropriate processes are in place, that appropriate procedures and commitments have been made, and that the management system is running effectively to meet the intent of the standard. So there’s a certification mechanism that organisations can use to offer assurance to others in their supply chain and their value chain. 

Many in the security space are already very familiar with security questionnaires. We’re currently seeing a lot of pressure on organisations to answer AI questions because the market is really educating itself about what’s important. That is then driving the need to respond to those questions or unknowns to or from suppliers. While regulation will always be a pressing concern, self-policing in the market is where I see us go with responsible AI use.

How do you expect AI governance and compliance to change in the coming years?

Over the next five years, I think we’ll see the skills gap become more pronounced. I don’t know that there’s necessarily the awareness that there needs to be. We’re seeing groups come online like a group called the International Association for Algorithmic Auditors, which helps new algorithmic auditors or AI auditors understand what skills they need to be successful, and I think we’ll see more organisations like that come online as the recognition of the AI governance and AI assessment skills gap becomes more pronounced. As that happens, the market will really largely start self-policing, and we’ll enter the hype cycle. But, once that begins to simmer down, AI governance will become more of an operational process just like any other governance, risk governance, or vulnerability management process. 

To hear more from Patrick, tune into Episode 38 of The Cyber Security Matters Podcast here.

Exploring the Relationship Between APIs and Cyber Security

APIs are a growing part of the tech industry, and impact a number of areas like Cyber Security. On Episode 20 of The Cyber Security Matters Podcast we spoke with Jeremy Ventura, who is the Director, Security Strategy & Field CISO at ThreatX, about how the rise of APIs is affecting the Cyber Security space. Jeremy has over 10 years’ experience in the Cyber Security industry, beginning his professional career as a security analyst for the defence-based manufacturing business radian before working his way up to his current position. He’s also the host of ThreatX’s eXploring Cybersecurity podcast, making him an experienced and informed member of the Cyber Security community. Read on for his insights on APIs. 

What should a regular person know about API security and how it affects the world around them?

We use APIs every single day, but most consumers, especially if you’re not technical, won’t realise it. Let’s think about ease of use. If I want to pay a bill I’ll do it with one of the three credit cards that I have. When I’m on an app, I’m just selecting whether I want to pay with Apple Pay or my Chase Card or my Amex card, whatever it might be. Those payments are all API connections. Here’s another good one: when you call an Uber or a Lyft, they’re looking for the closest Uber in your geolocation and the fastest route. Those are all API connections that are pulling that data down. Think about your phone – when you look at the weather today in your location, that uses API connections to pull together your geolocation and the weather from different weather providers. So even though APIs are all out there, they’re pretty much hidden by design. We use APIs on an everyday basis – probably hundreds of them on a normal day. 

Now, when it comes to API security, that’s where individuals need to be conscious. Just because it’s easy to use doesn’t mean it’s always secure. APIs in general are designed to connect multiple systems together and send business logic or business data. That’s not anything insecure. However, those transactions that are sent in the background sometimes can contain sensitive company information, or what we call PII, personally identifiable information. That’s things like usernames, passwords, credit card numbers, social security numbers, whatever it might be. That’s why the API security space is so hot right now, because they’re designed to send potentially sensitive data to each other. If that process or transfer is not secured properly, then we have big problems. Every individual – technical or not – needs to be aware of everything they’re putting out there on APIs. Your information is being sent to and from multiple different companies or products, which is a risk.

What is your take on the current state of the API space generally?

APIs are nothing new – they have been around for decades now. API security, though, is fairly new. That’s where we’re starting to see a lot of security vendors either incorporate technology that can help them in the API security space, or we’re seeing a lot of big companies being completely transparent. 

I think with that we’re going to see a lot of acquisitions happen pretty soon as well. That’s normal when you have hot, new emerging technologies that are solving real world problems. Why wouldn’t I want to get my hands on that if I’m the largest security vendor? This is when the market can get a little confusing, where you have a lot of different vendors saying, ‘Hey, I do API security’, but they all do it differently. My recommendation is that when you’re evaluating vendors or you’re valuing the space, make sure you’re getting tools and products and services built with that in-depth approach. No one security tool is ever going to be perfect, so it’s important to take a layered approach. 

How much does AI affect API security?

AI in general is definitely affecting security. One thing I’ll be clear about is that attackers and hackers alike have been using AI for a long time. It’s actually nothing new. What’s happening now is that typical security may be a little bit behind. Now they’re starting to ask ‘how can I incorporate AI in my security tools like a security vendor? Can I incorporate AI into my products?’ 

An incident response company just announced that they included AI in their responses. They can create playbooks on the fly based upon the data that someone enters. Maybe I’ve experienced a phishing incident and I need to know who to contact. The AI model within that tool will actually spit out the exact task, or runbook, that you need to do. If it’s used correctly, especially in security tooling, AI can definitely have an extreme power and effect for end users. 

Just like anything though, AI can also create a lot of false positives. We need to be very careful about 100% relying on AI and saying ‘this is the be all and end all’, because AI isn’t right all the time. AI in general security, including API security, is definitely starting to have an effect on both the security vendor side and the end user side.

To learn more about how APIs are affecting the Cyber Security space, tune into The Cyber Security Matters Podcast here.

Managing Cyber Security Within the Industry

Growing companies often face cyber security challenges as they manage teams that are scattered across the world. On The Cyber Security Matters Podcast we were joined by Ivan Milenkovic to discuss how companies can manage those challenges, even inside the industry. With over 20 years of expertise in information security, Ivan is currently a Group CISO at WebHelp, where he’s managed a large security team that doubled in size to over 140,000 people. He’s a security evangelist and a huge advocate of addressing cultural and leadership factors rather than relying solely on technology to protect your teams. 

What were the security challenges involved in scaling so fast at WebHelp, and how did you overcome those?

When I joined three years ago, WebHelp was just shy of 58,000 people. Throughout COVID we started growing to address the way that our clients worked, and what was happening to the sector at the time. We are very aggressive when it comes to acquisitions and expanding into new markets, and that brings some very interesting challenges. We’re a very large global company. That’s how our clients see us, and they expect a certain level of quality across the board, regardless of where their services come from. 

We effectively needed to bring everybody up to speed and bought-in to our culture. I’m a big believer that people are a very important part of the picture when it comes to security. That’s why it’s very important to get everybody on board to recognise certain values that must be respected. The challenge is to get people on this journey, and for them to understand that when it comes to security, it’s not just that you’re trying to enforce boundaries, it’s actually about supporting the qualities. You need to be able to lead and take people on that journey, rather than providing rigid boundaries that they don’t understand.

How do you balance managing a large security team with meeting the demands of internal stakeholders?

WebHelp is split into what we refer to as regions. They’re not necessarily geographic regions, but logical parts of the business that operate as semi-dependent companies tied together at a group level. Because of how everything came together, we’re talking about various teams spread around the world. InfoSec is a very large team, so you have all the daily challenges when it comes to the InfoSec itself. Because it is a rather big team, not everybody is my direct report. Whenever you work with people though, you need to respect their different needs and requirements, and understand what’s going on. We’re blessed with the quality and enthusiasm of people that are part of the team, which helps a lot. Most of my time is actually spent dealing with senior stakeholders from the business rather than my team. It’s been important to make sure that my people are bought-in enough to carry on without much management. 

You’re a really passionate advocate of the idea that technology alone can’t solve security problems, so the leadership aspects of cybersecurity are key. Why is that? 

It boils down to two things. One is that culture we touched on, because when people understand why certain things need to be done in a certain way, that’s half the job done. If you have people that are trying their best, that are not scared to report problems, that are educated well enough to understand, appreciate and communicate when something goes bad, everything is easier to deal with. 

If you look at what can be done with technology today, you cannot do without it. We live in a really technological era where there is too much going on, so without technology you wouldn’t have the right level of visibility and you wouldn’t be able to react fast enough. People are very creative, sometimes too creative for their own good. It’s not hard to imagine a multitude of scenarios where a very creative person can easily get around even the best piece of technology. So that’s why you must find the right mix. You cannot rely on just your technology. It’s your processes that glue it all together. So, unless you take people with you on that journey, you don’t stand a chance.

To learn more about managing risks within the industry, tune into the full episode of The Cyber Security Matters Podcast here.

Unpacking State Responses to Cyber Security Challenges

Cyber Security is a growing concern for the majority of organisations. On Episode 15 of The Cyber Security Matters Podcast we were joined by Adam Gwinnett, the CTO & CISO of Nine23. With a legal background, he’s experienced in managing stakeholders in the heavily regulated state sector, with 10 years of experience at the Department for Constitutional Affairs, the UK Ministry of Justice, and the Metropolitan Police. Adam joined us to talk about how cyber security impacts state systems, from the challenges facing the police to the government’s response to major incidents. 

What challenges are the police facing from the increase of cyber crime?

I think because of the global pandemic, when people were locked at home with their computers, cyber crimes and quantum growth crime grew dramatically. That raises some really interesting challenges generally, because cyber crime is often transnational. The person committing offences against you is very unlikely to live in your jurisdiction, so even if you do report it, investigation can be very frustrating. As a result, under-reporting is rife. One of the fundamental challenges you have from a law enforcement point of view is that you don’t actually know how much it’s occurring or how impactful it is, because people are quite embarrassed to admit when they’ve had issues with it. They’re often worried about being scrutinised, and worry that people will be critical of their responses to it or how they handled it. People end up suppressing certain information which otherwise could be very interesting and beneficial, not only to the investigation process, but actually to their peer group who might have suspiciously similar looking things in their environment. 

From the law enforcement point of view, I was keen to couple cyber security with the cyber crime division. One of the things that we focused on was ‘How can I take my investigation of a cyber incident, and turn that into a potential initial bundle for the investigating officer to take forward? How can I give the best evidence? How can I provide you with the best material?’ I didn’t have the mandate to do the investigation and proceed because I was civilian styled, but I could take the information from my logs in the digital forensics team and give them the best chance of bringing the offender to justice. I used to talk about it at conferences, where people would just say ‘That’s not our jurisdiction. We haven’t really thought about how we could give them a leg-up or considered how we could best enable them.’ How many SOC analysts can say they’ve actually put a cyber criminal in prison? Several lawyers could say that I contributed to making sure that that offender actually went to prison, and that’s the ultimate closure for me.

How do cyber security decisions get made within big government departments?

Some of it’s quite straightforward. Effectively, most decisions that impact the risk appetite, risk acceptance, or risk tolerance will go to a named individual on their board of advisors. They will then review it, look at the balanced risk case like ‘Why are we doing this? What are we hoping to gain through it? What are the potential mitigations we can put in place? Are they proportionate? What is the net impact on our risk position? Does that take us outside of tolerance?’ That makes it quite straightforward. It’s an interesting one, because those people are fundamentally dependent on the advice they’re given. The people asking them to make decisions, accept the risk or present the view will seldom be impacted when the risk emerges. They’re incredibly challenging positions for people in the regulated and public sectors.

What are the challenges facing cyber security leaders in the sector?

One of the things that can be really challenging is that it can be really hard for those people to understand the net effect of the things they’ve agreed to. So I’ve spoken to CROs from other organisations that said, ‘I’ve had like 40 risk acceptances presented to me this year. It’ll happen every couple of weeks when I’m asked, “Can we accept this risk?” I don’t know if I can reliably tell them what the net impact on our overall risk is, or the cumulative effect of all of those things that we’ve agreed to.’ In large, complex enterprises, can you understand all the systems, processes and risks that are undertaken? Because the people who own those systems, processes and fundamental aspects of the business will be separate from the people doing the risk acceptance. They don’t always have the mandate to go in and correct all of the issues. They won’t normally have a budget or available resources to do it. If they don’t, it just becomes one of 100 other competing priorities that the organisation has to deal with.

In the event of a major security incident, what does the internal decision making process within a big government department look like?

It’s very dynamic. You’ll normally find war rooms and incident response teams almost immediately. Most large organisations have very mature, robust and practised responses, because it’s never quiet. Even when I worked at the Met, I was talking to people from banks, insurance companies and financial services who were a big target, and they had a tenth of the attempted attacks that I did in a week. Our response and investigation processes are incredibly well drilled, because somebody’s always trying something. One of the biggest challenges is that your teams end up being in high alert and response mode all of the time. That level of anxiety, stress and mental overload is not useful for people. It leads to poor decision making. What you will find is that a lot of organisations start putting things like shift rotations in place to tackle those issues. If your response mechanisms are really effective and really well tested, you can rely on them slightly too much. Actually preventing issues is dramatically less problematic than being able to respond to and deal with them effectively, but if you’re always able to jump out in front of it and catch the issue, people will get relaxed about the fact that that’s what will happen.

To learn more about the threats facing cyber security teams, tune into The Cyber Security Matters Podcast here.


Global Leadership in Cyber Security

Cyber Security is becoming a growing concern for businesses across the globe. On Episode 14 of The Cyber Security Matters Podcast we were joined by Hajar El Haddaoui, an international executive. She speaks four languages, French, Arabic, German and English, which has allowed her to lead a large sales team on multiple continents. She is currently leading Swisscom’s managed security services, as well as serving as a board member for the Chamber of Commerce, MOD-ELLE and WIN Women’s International Conference, where she works to support women in business. With such an extensive and exciting background, we were keen to hear her insights on global leadership in cyber security.

How does Switzerland’s approach to Cyber Security differ from other key European markets?

Switzerland is one of the most innovative countries I’ve worked in. Cyber Security is a part of the business transformation of any company, and in Switzerland they are sensitive to where the data goes and is used. They create security by design, which weaves their Cyber Security into the fabric of their products.

Do you expect adoption of managed security solutions to continue to increase as a proportion of the overall cybersecurity marketplace?

Absolutely. There are many challenges facing our clients, including the complexity of digital business, where there is an increasing skills and resource gap. There’s a 3.1 million gap in resources and talent worldwide for Cyber Security. Lots of our clients don’t know how to use the hybrid cloud. Therefore, managed services are key for those clients in order to respond to their challenges. We want to transform the industry by making products and services that are secure by design, but there are several clients who need someone to manage those products for them anyway. It’s important to have management in your Cyber Security portfolio in order to meet that need in the market and address the challenges that clients are facing.

Silicon Valley is seen as leading innovation. How influential are they to Cyber Security?

Research and development are key to innovation, not just in Cyber Security. They give you confidence to innovate and inform how you take a digital solution and rapidly provide insurance to our customers. We’re not just providing security to our customers, we are providing consultancy, technical support services and managed security services too. It’s those three layers where innovation needs to be. Research and development can be applied to intelligent and managed security services to identify and respond to threats, giving us a proactive level of protection.

There’s a lab in Silicon Valley that is the hub of innovation, not merely for Cyber Security. There are also labs in Israel and Japan, but Silicon Valley is still playing a huge part in global Cyber Security efforts because of the amount of investment that they’re able to attract. Everyone needs to invest in innovation and in hub centres for security. Silicon Valley isn’t the only one doing it, but they are still big players.

What have the different places you’ve worked taught you in a business and leadership context?

Working internationally has given me the ability and agility to deal with challenges. Being a resilient leader is essential to what we do. The second thing is confidence. Moving from one country to another, I’ve learned to build a community and a support system, which plays into that self-confidence. The third lesson is humility. I’ve become a continuous learner, because the technology field in Cyber Security is rapidly changing, and I have to accept that I’m not going to stay an expert if I don’t learn from other people. The market is fast and furious, so to be fit for the future I have to learn skills and humility.

To hear more about global Cyber Security efforts, tune into The Cyber Security Matters Podcast here.


The Future of Asset Management

Asset management is a growing area in the Cyber Security industry. On Episode 12 of The Cyber Security Matters Podcast we were joined by Huxley Barbee, a CISSP and CISM. He is currently a Security Evangelist at runZero, which is the latest role in a glowing career in the cyber security industry. We spoke to Huxley about the advancements he’s seeing in the asset management sector, including his predictions for the future.

How do you see asset management evolving over the next few years?

There have been a number of technological trends that have caused a divergence of environments. For example, smart speakers like your Alexa are changing our home environments, because these used to be simple, non-connected devices. Now they’re connected to the internet, which exposes you to a higher risk. There’s also been a rise of ‘bring your own device’ culture, where people bring their own phones and tablets to the corporate network. There’s also the move to cloud associated with the DevOps revolution.

A lot of companies will see the cloud as a way of transforming their capabilities to both lower costs and increase speed and agility. Folks are empowered to just spin up new computing devices left and right, but the old devices are not actually decommissioned, so you have a sprawl of this attack surface out in the cloud as well. There are also more and more mergers and acquisitions happening, where a purchasing company has to take on the risks and vulnerabilities in the target company. All these different trends have led to this divergence of environments where companies are not just protecting their corporate IT assets, but also their OT, the factory, their IoT devices, your personal devices, the cloud and whatever else goes on in remote employees’ homes.

Because of a need to find talent, organisations have started looking at a wider geographic spectrum, and a rise in this ‘work from home’ culture became compounded by the pandemic. That is now also part of what cyber security needs to protect. Over the last 20 years, this evolution of assets has resulted in a decentralisation of control. Meanwhile, it’s the same security team that’s being expected to protect all that. There are numerous statistics out there about how the number of devices connected to the internet is going to continue to go up. Security teams will be more and more challenged, which is a fundamental problem. If you don’t have this foundational capability of knowing what you have, you are absolutely not protected. We’re going to have to see some change in order to address this growing challenge.

How can the industry address those issues?

There are a number of different approaches that have been tried over the last 20 years. There’s the use of agents and authenticated active scans, but they don’t solve the problem of unmanaged devices. If you can put software on a machine, then it probably needs managing. There are other vendors who try and pull data from multiple other sources to try and cobble together some sort of asset inventory. The trouble is, if they’re pulling from limited data sources, they’re not really solving the problem of unmanaged devices either. There’s also a passive network monitor, which theoretically can learn about more devices on the network, but its ability to identify those assets correctly is limited, because it’s only looking at network traffic to make that determination. There’s another approach, which is using an unauthenticated scanner with a security research-based approach for fingerprinting alongside API integrations. We found that this is the winning combination to help you get both breadth and depth of your assets, no matter where they are, no matter what type they are.
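The gap Huxley describes, devices that an agent inventory or a cloud API never report but a network scan still finds, can be made visible by reconciling the sources side by side. The following is an added illustration, not runZero’s code or data model; the three inventories are constructed samples, and keying assets on MAC address is an assumption for the example.

```python
"""Reconcile asset inventories from several discovery sources (added example)."""
from dataclasses import dataclass, field

# Constructed sample inventories; each source sees only part of the estate.
AGENT_INVENTORY = {          # endpoints with a management agent installed
    "aa:bb:cc:00:00:01": {"hostname": "laptop-01", "os": "Windows 11"},
    "aa:bb:cc:00:00:02": {"hostname": "laptop-02", "os": "macOS 14"},
}
CLOUD_API_INVENTORY = {      # instances reported by a cloud provider API
    "aa:bb:cc:00:00:10": {"hostname": "web-prod-1", "os": "Ubuntu 22.04"},
    "aa:bb:cc:00:00:11": {"hostname": "web-prod-2", "os": "Ubuntu 22.04"},
}
SCAN_INVENTORY = {           # unauthenticated network scan with fingerprinting
    "aa:bb:cc:00:00:01": {"hostname": "laptop-01", "os": "Windows 11"},
    "aa:bb:cc:00:00:10": {"hostname": "web-prod-1", "os": "Ubuntu 22.04"},
    "aa:bb:cc:00:00:20": {"hostname": "printer-3f", "os": "embedded"},
    "aa:bb:cc:00:00:21": {"hostname": "", "os": "Raspberry Pi OS"},
}

@dataclass
class Asset:
    mac: str                      # assumed join key across sources
    hostname: str
    os: str
    sources: set = field(default_factory=set)

def merge_inventories(**sources):
    """Merge per-source inventories keyed on MAC into one asset map."""
    assets = {}
    for name, records in sources.items():
        for mac, rec in records.items():
            a = assets.setdefault(mac, Asset(mac, rec["hostname"], rec["os"]))
            a.hostname = a.hostname or rec["hostname"]  # fill gaps across sources
            a.sources.add(name)
    return assets

def unmanaged_assets(assets):
    """Assets seen only by the scanner: no agent and no cloud API record."""
    return sorted(a.mac for a in assets.values() if a.sources == {"scan"})

def coverage_report(assets):
    """Per-source asset counts, which expose each source's blind spots."""
    counts = {}
    for a in assets.values():
        for s in a.sources:
            counts[s] = counts.get(s, 0) + 1
    counts["total"] = len(assets)
    return counts

if __name__ == "__main__":
    merged = merge_inventories(agent=AGENT_INVENTORY, cloud=CLOUD_API_INVENTORY, scan=SCAN_INVENTORY)
    print(coverage_report(merged), unmanaged_assets(merged))
```

The two scan-only MACs are the unmanaged devices that an agent-based or API-only inventory would never list.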

To learn more about asset management, tune into The Cyber Security Matters Podcast here.
