Exploring the Relationship Between APIs and Cyber Security

APIs are a growing part of the tech industry and affect a number of areas, including Cyber Security. On Episode 20 of The Cyber Security Matters Podcast we spoke with Jeremy Ventura, Director, Security Strategy & Field CISO at ThreatX, about how the rise of APIs is affecting the Cyber Security space. Jeremy has over 10 years’ experience in the Cyber Security industry, beginning his career as a security analyst for the defence-based manufacturing business Radian before working his way up to his current position. He also hosts ThreatX’s eXploring Cybersecurity podcast, making him an experienced and informed member of the Cyber Security community. Read on for his insights on APIs. 

What should a regular person know about API security and how it affects the world around them?

We use APIs every single day, but most consumers, especially if you’re not technical, won’t realise it. Let’s think about ease of use. If I want to pay a bill I’ll do it with one of the three credit cards that I have. When I’m on an app, I’m just selecting whether I want to pay with Apple Pay or my Chase card or my Amex card, whatever it might be. Those payments are all API connections. Here’s another good one: when you call an Uber or a Lyft, they’re looking for the closest Uber in your geolocation and the fastest route. Those are all API connections that are pulling that data down. Think about your phone – when you look at the weather today in your location, that uses API connections to pull together your geolocation and the weather from different weather providers. So even though APIs are all out there, they’re pretty much hidden by design. We use APIs on an everyday basis – probably hundreds of them on a normal day. 

Now, when it comes to API security, that’s where individuals need to be conscious. Just because it’s easy to use doesn’t mean it’s always secure. APIs in general are designed to connect multiple systems together and send business logic or business data. That’s not anything insecure. However, those transactions that are sent in the background sometimes can contain sensitive company information, or what we call PII, personally identifiable information. That’s things like usernames, passwords, credit card numbers, social security numbers, whatever it might be. That’s why the API security space is so hot right now, because they’re designed to send potentially sensitive data to each other. If that process or transfer is not secured properly, then we have big problems. Every individual – technical or not – needs to be aware of everything they’re putting out there on APIs. Your information is being sent to and from multiple different companies or products, which is a risk.
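The point above, that an API moving PII is only as safe as the checks around each transaction, is easiest to see in code. The following is an added example, not code from the podcast, from ThreatX or from any real payments API: a constructed user store, a handler that trusts the ID in the request and serialises the whole row, and a hardened handler that enforces object-level authorization and returns only an explicit allowlist of fields. All users, tokens and field names are invented for the demo.

```python
"""Added example (not from the podcast or ThreatX): an API that moves PII needs
both object-level authorization and an explicit response allowlist.
All records, callers and values below are constructed for the demo."""
from dataclasses import dataclass

# Constructed backing store: the kind of row a payments/profile API holds per user.
USERS = {
    101: {"id": 101, "username": "alice", "password_hash": "$2b$12$...",
          "ssn": "123-45-6789", "card_number": "4111111111111111",
          "email": "alice@example.com"},
    102: {"id": 102, "username": "bob", "password_hash": "$2b$12$...",
          "ssn": "987-65-4321", "card_number": "5555555555554444",
          "email": "bob@example.com"},
}

# Columns that must never leave the service boundary unmasked.
SENSITIVE = {"password_hash", "ssn", "card_number"}

# Fields a client is allowed to receive; everything else stays server-side.
PUBLIC_FIELDS = ("id", "username", "email")


@dataclass(frozen=True)
class Caller:
    """Identity the API has already authenticated (e.g. from a session token)."""
    user_id: int
    role: str = "user"


class Forbidden(Exception):
    pass


def get_user_insecure(caller: Caller, user_id: int) -> dict:
    """Typical bug: trusts the object ID in the URL and returns the whole row.
    Any authenticated caller can read any user's SSN, card number and hash."""
    return dict(USERS[user_id])


def mask_card(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def get_user_secure(caller: Caller, user_id: int) -> dict:
    """Object-level authorization, then an allowlist, then masking of the one
    sensitive field the client legitimately needs to see."""
    if caller.user_id != user_id and caller.role != "admin":
        raise Forbidden(f"caller {caller.user_id} may not read user {user_id}")
    row = USERS[user_id]
    out = {k: row[k] for k in PUBLIC_FIELDS}
    out["card_last4"] = mask_card(row["card_number"])
    return out


def leaks_sensitive(response: dict) -> set:
    """Which sensitive columns made it into a response. Useful as a unit test on
    handlers or as a response check at an API gateway."""
    return SENSITIVE & set(response)


if __name__ == "__main__":
    print("insecure leaks:", leaks_sensitive(get_user_insecure(Caller(101), 102)))
    print("secure response:", get_user_secure(Caller(101), 101))
```

The `leaks_sensitive` check is the part worth keeping: run it against every handler's output in CI, and the next time someone adds a column to the row it fails before the data reaches a client.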

What is your take on the current state of the API space generally?

APIs are nothing new – they have been around for decades now. API security though is fairly new. That’s where we’re starting to see a lot of security vendors either incorporate technology that can help them in the API security space or we’re seeing a lot of big companies being completely transparent. 

I think with that we’re going to see a lot of acquisitions happen pretty soon as well. That’s normal when you have hot, new emerging technologies that are solving real world problems. Why wouldn’t I want to get my hands on that if I’m the largest security vendor? This is when the market can get a little confusing, where you have a lot of different vendors saying, ‘Hey, I do API security’, but they all do it differently. My recommendation is that when you’re evaluating vendors or you’re valuing the space, make sure you’re getting tools and products and services built with that in-depth approach. No one security tool is ever going to be perfect, so it’s important to take a layered approach. 

How much does AI affect API security?

AI in general is definitely affecting security. One thing I’ll be clear about is that attackers and hackers alike have been using AI for a long time. It’s actually nothing new. What’s happening now is that typical security may be a little bit behind. Now they’re starting to ask ‘how can I incorporate AI in my security tools like a security vendor? Can I incorporate AI into my products?’ 

An incident response company just announced that they included AI in their responses. They can create playbooks on the fly based upon the data that someone enters. Maybe I’ve experienced a phishing incident and I need to know who to contact. The AI model within that tool will actually spit out the exact task, or runbook that you need to do. If it’s used correctly, especially in security tooling, AI can definitely have an extreme power and effect for end users. 

Just like anything though, AI can also create a lot of false positives. We need to be very careful about 100% relying on AI and saying ‘this is the be all and end all’, because AI isn’t right all the time. AI in general security, including API security, is definitely starting to have an effect on both the security vendor side and the end user side.

To learn more about how APIs are affecting the Cyber Security space, tune in to the full episode of The Cyber Security Matters Podcast.

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of the leaders in the technology industries that bring us closer together. Browse our latest episodes and don’t forget to subscribe.

Managing Cyber Security Within the Industry

Growing companies often face cyber security challenges as they manage teams scattered across the world. On The Cyber Security Matters Podcast we were joined by Ivan Milenkovic to discuss how companies can manage those challenges, even inside the industry. With over 20 years of expertise in information security, Ivan is currently Group CISO at WebHelp, where he leads a large security team in a company that has doubled in size to over 140,000 people. He’s a security evangelist and a strong advocate of addressing cultural and leadership factors rather than relying solely on technology to protect your teams. 

What were the security challenges involved in scaling so fast at WebHelp, and how did you overcome those?

When I joined three years ago, WebHelp was just shy of 58,000 people. Throughout COVID we started growing to address the way that our clients worked, and what was happening to the sector at the time. We are very aggressive when it comes to acquisitions and expanding into new markets, and that brings some very interesting challenges. We’re a very large global company. That’s how our clients see us, and they expect a certain level of quality across the board, regardless of where their services come from. 

We effectively needed to bring everybody up to speed and bought-in to our culture. I’m a big believer that people are a very important part of the picture when it comes to security. That’s why it’s very important to get everybody on board to recognise certain values that must be respected. The challenge is to get people on this journey, and for them to understand that when it comes to security, it’s not just that you’re trying to enforce boundaries, it’s actually about supporting the qualities. You need to be able to lead and take people on that journey, rather than providing rigid boundaries that they don’t understand.

How do you balance managing a large security team with meeting the demands of internal stakeholders?

WebHelp is split into what we refer to as regions. They’re not necessarily geographic regions, but logical parts of the business that operate as semi-dependent companies tied together at a group level. Because of how everything came together, we’re talking about various teams spread around the world. InfoSec is a very large team, so you have all the daily challenges when it comes to the InfoSec itself. Because it is a rather big team, not everybody is my direct report. Whenever you work with people though, you need to respect their different needs and requirements, and understand what’s going on. We’re blessed with the quality and enthusiasm of people that are part of the team, which helps a lot. Most of my time is actually spent dealing with senior stakeholders from the business rather than my team. It’s been important to make sure that my people are bought-in enough to carry on without much management. 

You’re a really passionate advocate of the idea that technology alone can’t solve security problems, so the leadership aspects of cybersecurity are key. Why is that? 

It boils down to two things. One is that culture we touched on, because when people understand why certain things need to be done in a certain way, that’s half the job done. If you have people that are trying their best, that are not scared to report problems, that are educated well enough to understand, appreciate and communicate when something goes bad, everything is easier to deal with. 

If you look at what can be done with technology today, you cannot do without it. We live in a really technological era where there is too much going on, so without technology you wouldn’t have the right level of visibility and you wouldn’t be able to react fast enough. People are very creative, sometimes too creative for their own good. It’s not hard to imagine a multitude of scenarios where a very creative person can easily get around even the best piece of technology. So that’s why you must find the right mix. You cannot rely on just your technology. It’s your processes that glue it all together. So, unless you take people with you on that journey, you don’t stand a chance.

To learn more about managing risks within the industry, tune in to the full episode of The Cyber Security Matters Podcast.


Unpacking State Responses to Cyber Security Challenges

Cyber Security is a growing concern for the majority of organisations. On Episode 15 of The Cyber Security Matters Podcast we were joined by Adam Gwinnett, the CTO & CISO of Nine23. With a legal background, he’s experienced in managing stakeholders in the heavily regulated state sector, with 10 years of experience at the Department for Constitutional Affairs, the UK Ministry of Justice, and the Metropolitan Police. Adam joined us to talk about how cyber security impacts state systems, from the challenges facing the police to the government’s response to major incidents. 

What challenges are the police facing from the increase of cyber crime?

I think because of the global pandemic, when people were locked at home with their computers, cyber crimes and quantum growth crime grew dramatically. That raises some really interesting challenges generally, because cyber crime is often transnational. The person committing offences against you is very unlikely to live in your jurisdiction, so even if you do report it, investigation can be very frustrating. As a result, under-reporting is rife. One of the fundamental challenges you have from a law enforcement point of view is that you don’t actually know how much it’s occurring or how impactful it is, because people are quite embarrassed to admit when they’ve had issues with it. They’re often worried about being scrutinised, and worry that people will be critical of their responses to it or how they handled it. People end up suppressing certain information which otherwise could be very interesting and beneficial, not only to the investigation process, but actually to their peer group who might have suspiciously similar looking things in their environment. 

From the law enforcement point of view, I was keen to couple cyber security with the cybercrime division. One of the things that we focused on was ‘How can I take my investigation of a cyber incident, and turn that into a potential initial bundle for the investigating officer to take forward? How can I give the best evidence? How can I provide you with the best material?’ I didn’t have the mandate to do the investigation and proceed because I was civilian styled, but I could take the information from my logs in the digital forensics team and give them the best chance of bringing the offender to justice. I used to talk about it at conferences, where people would just say ‘That’s not our jurisdiction. We haven’t really thought about how we could give them a leg-up or considered how we could best enable them.’ How many SOC analysts can say they’ve actually put a cyber criminal in prison? Several lawyers could say that I contributed to making sure that that offender actually went to prison, and that’s the ultimate closure for me. 

How do cyber security decisions get made within big government departments? 

Some of it’s quite straightforward. Effectively, most decisions that impact the risk appetite, risk acceptance, or risk tolerance will go to a named individual on their board of advisors. They will then review it, look at the balanced risk case like ‘Why are we doing this? What are we hoping to gain through it? What are the potential mitigations we can put in place? Are they proportionate? What is the net impact on our risk position? Does that take us outside of tolerance?’ That makes it quite straightforward. It’s an interesting one, because those people are fundamentally dependent on the advice they’re given. The people asking them to make decisions, accept the risk or present the view will seldom be impacted when the risk emerges. They’re incredibly challenging positions for people in the regulated and public sectors. 

What are the challenges facing cyber security leaders in the sector?

One of the things that can be really challenging is that it can be really hard for those people to understand the net effect of the things they’ve agreed to. So I’ve spoken to CROs from other organisations that said, ‘I’ve had like 40 risk acceptances presented to me this year. It’ll happen every couple of weeks where I’m asked “Can we accept this risk?” I don’t know if I can reliably tell them what the net impact on our overall risk is, or the cumulative effect of all of those things that we’ve agreed to.’ In large, complex enterprises, can you understand all the systems, processes and risks that are undertaken? Because the people who own those systems, processes and fundamental aspects of the business will be separate from the people doing the risk acceptance. They don’t always have the mandate to go in and correct all of the issues. They won’t normally have a budget or available resources to do it. If they don’t, it just becomes one of 100 other competing priorities that organisation has to deal with.

In the event of a major security incident, what does the internal decision making process within a big government department look like?

It’s very dynamic. You’ll normally find war rooms and incident response teams almost immediately. Most large organisations have very mature, robust and practised responses, because it’s never quiet. Even when I worked at the Met, I was talking to people from banks, insurance companies and financial services who were a big target, and they had a 10th of the attempted attacks that I did in a week. Our response and investigation processes are incredibly well drilled, because somebody’s always trying something. One of the biggest challenges is that your teams end up being in high alert and response mode all of the time. That level of anxiety, stress and mental overload is not useful for people. It leads to poor decision making. What you will find is that a lot of organisations start putting things like shift rotations in place to tackle those issues. If your response mechanisms are really effective and really well tested, you can rely on them slightly too much. Actually preventing issues is dramatically less problematic than being able to respond to and deal with them effectively, but if you’re always able to jump out in front of it and catch the issue, people will get relaxed about the fact that that’s what will happen. 

To learn more about the threats facing cyber security teams, tune in to the full episode of The Cyber Security Matters Podcast.


Global Leadership in Cyber Security

Cyber Security is becoming a growing concern for businesses across the globe. On Episode 14 of The Cyber Security Matters Podcast we were joined by Hajar El Haddaoui, an international executive. She speaks four languages: French, Arabic, German and English, which has allowed her to lead a large sales team on multiple continents. She currently leads Swisscom’s managed security services and serves as a board member for the Chamber of Commerce, MOD-ELLE and the WIN Women’s International Conference, where she works to support women in business. With such an extensive and exciting background, we were keen to hear her insights on global leadership in cyber security. 

How does Switzerland’s approach to Cyber Security differ from other key European markets?

Switzerland is one of the most innovative countries I’ve worked in. Cyber Security is a part of the business transformation of any company, and in Switzerland they are sensitive to where the data goes and is used. They create security by design, which weaves their Cyber Security into the fabric of their products. 

Do you expect adoption of managed security solutions to continue to increase as a proportion of the overall cybersecurity marketplace?

Absolutely. There are many challenges facing our clients, including the complexity of digital business, where there is an increasing skills and resource gap. There’s a 3.1 million gap in resources and talent worldwide for Cyber Security. Lots of our clients don’t know how to use the hybrid cloud. Therefore, managed services are key for those clients in order to respond to their challenges. We want to transform the industry by making products and services that are secure by design, but there are several clients who need someone to manage those products for them anyway. It’s important to have management in your Cyber Security portfolio in order to meet that need in the market and address the challenges that clients are facing. 

Silicon Valley is seen as leading innovation. How influential are they to Cyber Security?

Research and development are key to innovation, not just in Cyber Security. They give you confidence to innovate and inform how you take a digital solution and rapidly provide insurance to our customers. We’re not just providing security to our customers, we are providing consultancy, technical support services and managed security services too. It’s those three layers where innovation needs to be. Research and development can be applied to intelligent and managed security services to identify and respond to threats, giving us a proactive level of protection. 

There’s a lab in Silicon Valley that is the hub of innovation, not merely for Cyber Security. There are also labs in Israel and Japan, but Silicon Valley is still playing a huge part in global Cyber Security efforts because of the amount of investment that they’re able to attract. Everyone needs to invest in innovation and in hub centres for security. Silicon Valley aren’t the only one doing it, but they are still big players. 

What have the different places you’ve worked taught you in a business and leadership context?

Working internationally has given me the ability and agility to deal with challenges. Being a resilient leader is essential to what we do. The second thing is confidence. Moving from one country to another I’ve learned to build a community and a support system, which plays into that self-confidence. The third lesson is humility. I’ve become a continuous learner, because the technology field in Cyber Security is rapidly changing, and I have to accept that I’m not going to stay an expert if I don’t learn from other people. The market is fast and furious, so to be fit for the future I have to learn skills and humility. 

To hear more about global Cyber Security efforts, tune in to the full episode of The Cyber Security Matters Podcast.


The Future of Asset Management

Asset management is a growing area in the Cyber Security industry. On Episode 12 of The Cyber Security Matters Podcast we were joined by Huxley Barbee, a CISSP and CISM. He is currently a Security Evangelist at runZero, the latest role in a distinguished career in the cyber security industry. We spoke to Huxley about the advancements he’s seeing in the asset management sector, including his predictions for the future.

How do you see asset management evolving over the next few years?

There have been a number of technological trends that have caused a divergence of environments. For example, smart speakers like your Alexa are changing our home environments, because this tech used to be simple, non-connected devices. Now they’re connected to the internet, which exposes you to a higher risk. There’s also been a rise of ‘bring your own device’ culture, where people bring their own phones and tablets to the corporate network. There’s also the move to cloud associated with the DevOps revolution. 

A lot of companies will see the cloud as a way of transforming their capabilities to both lower costs and increase speed and agility. Folks are empowered to just spin up new computing devices left and right, but the old devices are not actually decommissioned, so you have a sprawl of this attack surface out in the cloud as well. There are also more and more mergers and acquisitions happening, where a purchasing company has to take on the risks and vulnerabilities in the target company. All these different trends have led to this divergence of environments where companies are not just protecting their corporate IT assets, but also their OT, the factory, their IoT devices, your personal devices, the cloud and whatever else goes on in remote employees homes. 

Because of a need to find talent, organisations have started looking at a wider geographic spectrum, and a rise in this ‘work from home’ culture became compounded by the pandemic. That is now also part of what cyber security needs to protect. Over the last 20 years, this evolution of assets has resulted in a decentralisation of control. Meanwhile, it’s the same security team that’s being expected to protect all that. There are numerous statistics out there about how the number of devices connected to the internet is going to continue to go up. Security teams will be more and more challenged, which is a fundamental problem. If you don’t have this foundational capability of knowing what you have, you are absolutely not protected. We’re going to have to see some change in order to address this growing challenge. 

How can the industry address those issues? 

There are a number of different approaches that have been tried over the last 20 years. There’s the use of agents and authenticated active scans, but they don’t solve the problem of unmanaged devices. If you can put software on a machine, then it probably needs managing. There are other vendors who try and pull data from multiple other sources to try and cobble together some sort of asset inventory. The trouble is, if they’re pulling from limited data sources, they’re not really solving the problem of unmanaged devices either. There’s also a passive network monitor, which theoretically can learn about more devices on the network, but its ability to identify those assets correctly is limited, because it’s only looking at network traffic to make that determination. There’s another approach, which is using an unauthenticated scanner with a security research-based approach for fingerprinting alongside API integrations. We found that this is the winning combination to help you get both breadth and depth of your assets, no matter where they are, no matter what type they are. 
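The answer above contrasts single-source inventories (agents, authenticated scans, a couple of data feeds) with combining an unauthenticated scan and API integrations. The following added example, which is not runZero's code and makes no claim about how runZero works, reconciles three constructed inventories (an endpoint-agent list, an unauthenticated network scan with banner fingerprints, and a cloud provider's instance listing) and classifies each asset. The point it makes concrete: the agent list alone would report three assets and miss the printer, the rogue Raspberry Pi and the orphaned cloud instance entirely. All hostnames, IPs and fingerprints are invented.

```python
"""Added example (not runZero's code): reconciling an agent inventory, an
unauthenticated network scan and a cloud API listing to surface the devices an
agent-only inventory never shows. All inventories below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    key: str                        # IP address used as the join key (constructed data)
    sources: set = field(default_factory=set)
    agent: bool = False
    fingerprint: str = ""           # OS/service guess from the unauthenticated scan
    cloud_state: str = ""           # state reported by the cloud provider API


# 1. Endpoint agent inventory: only hosts where software could be installed.
AGENT_INVENTORY = {"10.0.1.10": "ws-alice", "10.0.1.11": "ws-bob", "10.0.2.5": "db-prod-1"}

# 2. Unauthenticated network scan with banner-based fingerprints (constructed).
SCAN_RESULTS = {
    "10.0.1.10": "Windows 11 (SMB signing required)",
    "10.0.1.11": "Windows 11 (SMB signing required)",
    "10.0.1.42": "Linux; HP LaserJet web UI",       # printer nobody owns
    "10.0.1.77": "Linux; Raspberry Pi, OpenSSH 8.9",  # BYOD or rogue host
    "10.0.2.5": "Linux; PostgreSQL 14",
}

# 3. Cloud provider API listing (state as the provider reports it, constructed).
CLOUD_INSTANCES = {
    "10.0.2.5": "running",
    "10.0.2.9": "running",   # spun up, never decommissioned: no agent, not answering scans
}


def build_inventory(agents: dict, scans: dict, cloud: dict) -> dict:
    """Merge the three sources into one asset per IP, recording who saw it."""
    assets: dict = {}

    def get(ip: str) -> Asset:
        return assets.setdefault(ip, Asset(key=ip))

    for ip in agents:
        a = get(ip)
        a.sources.add("agent")
        a.agent = True
    for ip, fp in scans.items():
        a = get(ip)
        a.sources.add("scan")
        a.fingerprint = fp
    for ip, state in cloud.items():
        a = get(ip)
        a.sources.add("cloud")
        a.cloud_state = state
    return assets


def classify(asset: Asset) -> str:
    """managed: has an agent. cloud-orphan: exists in the provider but was not
    seen on the wire and has no agent (a likely forgotten instance).
    unmanaged: on the wire, no agent: printers, BYOD, IoT, rogue hosts."""
    if asset.agent:
        return "managed"
    if "cloud" in asset.sources and "scan" not in asset.sources:
        return "cloud-orphan"
    return "unmanaged"


def findings(assets: dict) -> dict:
    out = {"managed": [], "unmanaged": [], "cloud-orphan": []}
    for ip, a in sorted(assets.items()):
        out[classify(a)].append(ip)
    return out


def coverage_by_source(assets: dict) -> dict:
    """How many of the merged assets each source would have found on its own."""
    return {s: sum(1 for a in assets.values() if s in a.sources)
            for s in ("agent", "scan", "cloud")}


if __name__ == "__main__":
    inv = build_inventory(AGENT_INVENTORY, SCAN_RESULTS, CLOUD_INSTANCES)
    print(findings(inv))
    print(coverage_by_source(inv), "of", len(inv), "assets")
```

Joining on IP is the weakest part of this in practice (DHCP, NAT, multiple interfaces); a real inventory joins on MAC, hostname, cloud instance ID and fingerprint together, but the classification logic stays the same.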

To learn more about asset management, tune in to the full episode of The Cyber Security Matters Podcast.


The Future of Ransomware Protection

An increasing number of ransomware attacks arrive by email, and the attack vector is only getting easier for attackers to use. On Episode 13 of The Cyber Security Matters Podcast we spoke to Ronnen Brunner, an SVP at Ironscales, about his work on the future of phishing protection. He shared his insights on the increase of ransomware attacks in emails and told us how we can identify and protect against these attacks.

You don’t need to be an expert in order to send a successful ransomware attack, because there are services you can just download on the dark web that will do all the hard work for you as a hacker. You can spam attacks directly to customers – you don’t need to be the sophisticated hacker sitting down and programming a credential theft or phishing attempt. You can use existing engines to attack people, and because of the ease of it, it’s become a lot more common. 

There’s a lot of variety when it comes to scammers who will spam hundreds or thousands of people and those who target specific individuals. A lot of hackers are just hoping that some of their attempts at phishing will be successful, and they’re the ones focussing on quantity. Especially when you’re looking at credential theft, or spear phishing, they are targeting specific people by sitting in their mailbox, getting to know the regular interactions that they have and then designing a targeted attack that they won’t see coming. 

These scammers can learn your pattern of the behaviour, your invoices, forms, vendors etc, and create a legitimate invoice with different bank details on it. Once a payment has been made it’s often incredibly difficult to get back. Lots of these scammers are posing as big companies, because it’s easy to make an email look like it’s coming from a reliable source. You can emulate the domain name or make it look like it’s coming from a person in the company whose information you found on LinkedIn. From speaking to these companies we know that 60-70% of attacks are coming in through their emails. They’re being targeted because of the information they put online.  

We’ve seen customers trying to stop it. It’s incredibly hard because of the quantities of emails that go in and out. Some of these attacks look very sophisticated. It’s all about training people to identify what’s a ‘known bad’ and what’s a potential red flag. People need to understand malicious content and intent, then utilise machine learning or AI to sift through the information and flag any anomalies that could point to an attack. In the business we have something called ‘zero day attacks’, where there is no other indication that this email isn’t genuine. There are no markers from our list of ‘known bad’ elements to tip you off, and that’s when these attacks are their most dangerous. 

Some things to look out for are language like ‘buy these amazon vouchers’ or requests to change bank details on an invoice. These could be very simple emails that look like legitimate communications from known senders. You should always question changes to your payments. Once bank details are changed and you make a payment, you’ll notice a massive increase in emails that ask you to change the bank details for other vendors, because these hackers have figured out how to effectively steal from you. 

Everybody’s seen an increasing number of attacks since the COVID pandemic, because hackers had the time to fine-tune these attacks. They’re becoming incredibly successful and sophisticated, which is why we need next generation solutions. Everybody we’ve spoken to has a phishing problem, because they’re not preparing for these attacks in their systems. Even though sometimes these attacks are stopped by our email providers, there are still several getting through. People need to report phishing attempts if we’re going to get an accurate idea of the problem, and sadly that’s not happening either. We should be crowdsourcing suspicious behaviour and building a safer world together. 
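The section above names three patterns a practitioner can check for mechanically: a sender domain that imitates a known vendor, a display name that matches a colleague or executive but comes from an outside mailbox, and the two classic asks (change the bank details on an invoice, buy gift cards). The following is an added example, not Ironscales' code and not a description of their product: a small rule-based triage that turns those three patterns into red flags over a few constructed messages. The trusted domains, the known-people list, the regular expressions and the sample emails are all invented for the demo; a real deployment would feed signals like these into a model and into user reporting rather than acting on them alone.

```python
"""Added example (not Ironscales' code): rule-based red flags for the phishing
patterns described in the text. Domains, names, patterns and messages are constructed."""
import re
from email.utils import parseaddr

# Constructed: domains the organisation legitimately exchanges invoices with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
# Constructed: display names attackers like to borrow, mapped to their real home domain.
KNOWN_PEOPLE = {"dana ceo": "example.com"}

# Request to change where money goes, e.g. "updated bank details", "new account number".
PAYMENT_RE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|routing|sort code)\b", re.I)
# Gift-card / voucher asks, e.g. "buy amazon vouchers".
GIFTCARD_RE = re.compile(r"\b(amazon|itunes|apple|google play)\b.{0,20}\b(gift|voucher)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Trusted domain this one imitates (within two edits), or None.
    An exact trusted match is not a lookalike."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(msg: dict) -> list:
    """Return the red flags for one message: a dict with 'from', 'subject', 'body'."""
    flags = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()

    target = lookalike_of(domain)
    if target:
        flags.append(f"lookalike-domain:{domain}~{target}")

    home = KNOWN_PEOPLE.get(name.strip().lower())
    if home and domain != home:
        flags.append(f"display-name-impersonation:{name}@{domain}")

    text = msg["subject"] + "\n" + msg["body"]
    if PAYMENT_RE.search(text):
        flags.append("payment-details-change")
    if GIFTCARD_RE.search(text):
        flags.append("gift-card-request")
    return flags


# Constructed sample messages: a vendor lookalike changing bank details,
# an executive impersonation asking for gift cards, and a benign internal mail.
SAMPLE_MESSAGES = [
    {"from": "Finance Team <ap@acme-supp1ies.com>",
     "subject": "Invoice 4471 - updated bank details",
     "body": "Please note our new account number for all future payments."},
    {"from": "Dana CEO <dana.ceo@gmail.com>",
     "subject": "quick favour",
     "body": "Are you at your desk? I need you to buy Amazon gift cards for a client today."},
    {"from": "Dana CEO <dana@example.com>",
     "subject": "Board pack",
     "body": "Attached is the agenda for Thursday."},
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m) or "no flags")
```

None of these rules catches the zero-day case the text describes, where a compromised mailbox sends a perfectly formed invoice from the real vendor domain; that is why the payment-change rule is worth keeping even when every other signal is clean, and why a changed bank account should always be confirmed out of band.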

To find out more about keeping yourself safe online, tune in to the full episode of The Cyber Security Matters Podcast.


The Dangers of Unsecured Data

On Episode 11 of The Cyber Security Matters Podcast we spoke to the incredible Dr. Rebecca Wynn about how we can all manage our privacy online. Dr. Wynn is an experienced global CISO and privacy expert, often named as one of the top women in Cyber Security. She has led large security teams in the investment and medical sectors and is currently consulting enterprise clients on their security strategies. 

Can you tell us about the challenges covid posed for the healthcare sector from a security perspective? 

Before covid we had a centralised workforce that was covered by certain policies and protocols within the business. Once people started working remotely, and in some cases in other countries, that situation changed. We were outsourcing our data protection and people didn’t have the same protections at home. People started working in shared spaces with people outside of the organisation. With these new conditions, companies need to look at how they are protecting their sensitive information, as well as that of their clients. 

One thing I did is look at cyber liability insurance. I met with external certification organisations, and we identified the safeguards I could put in place. I took our top 15-20 clients and walked them through our findings, and the majority of them asked me to quickly rebuild their security with a strategic plan, technical plan, and operational plan. It was a long process, and it cost me a lot of sleep, but we’ve helped protect people now. 

When you talk about the changes we’re seeing from covid, we’re still seeing fallout from leaders who didn’t realise the additional residual risks that they were accepting. One thing I do notice consistently is people not sharing the information that you need to know or telling colleagues what their blast radius is in the organisation. It’s all about managing risk. That’s the one thing I still see from a younger generation, they don’t know how to communicate that risk and things along those lines. CISOs don’t want to be the scapegoat officer, so we need to be more watchful than we were before. 

How do you see the concept and the practical application of privacy evolving in this data-driven society?

One of the biggest problems with data privacy is developing a global set of privacy regulations. There’s so much red tape that you have to get through at the moment because everywhere has different legislation. 

Another challenge is that data is being created but it’s not tagged. Does it have sensitive information in it? We wouldn’t know. If we could tag information with expiration dates and a level of privacy, we could handle it better. If you’re talking about healthcare, you should be able to say ‘it’s printed on this day, and it will absolutely expire in seven years’. The other thing is that once that data is created somewhere, it’s in your environment. Data gets shared through companies’ internal systems, which is a massive problem unless you can embed some sort of privacy key. If you could do that it would act like a GPS signal in your database. You could follow that, expire it or see if the data went to someone who’s not supposed to get it. That’s the kind of thing you need to do if you want to get a handle on privacy. 
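The answer above sketches a mechanism: tag data at creation with a privacy level and an expiry, attach a key that travels with it, and use that key to decide whether a recipient should get it and when it should expire. The following added example, which is not from the interview and is one possible realisation rather than a description of any product, binds a record's classification and expiry to an HMAC tag, then shows the decision a sharing boundary makes before releasing the record. The key, the classification ladder, the record IDs and the dates are all constructed; in a real system the key would come from a KMS or HSM and the tag would travel with the record as metadata.

```python
"""Added example (not from the interview): making 'tag it at creation, follow it,
expire it' concrete with a keyed tag that any receiving system can verify.
Key, classification levels, records and recipients are constructed."""
import hashlib
import hmac
import json
from datetime import date

TAG_KEY = b"demo-only-rotate-me"   # constructed; in practice issued and rotated by a KMS/HSM
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "phi": 3}
TAGGED_FIELDS = ("id", "class", "expires")


def _mac(meta: dict) -> str:
    body = {k: meta[k] for k in TAGGED_FIELDS}
    return hmac.new(TAG_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def tag_record(record_id: str, classification: str, created: date, retention_years: int) -> dict:
    """Attach classification, expiry and a keyed tag at creation time."""
    if classification not in LEVELS:
        raise ValueError(f"unknown classification {classification!r}")
    try:
        expires = created.replace(year=created.year + retention_years)
    except ValueError:                       # created on 29 February
        expires = created.replace(year=created.year + retention_years, day=28)
    meta = {"id": record_id, "class": classification, "expires": expires.isoformat()}
    meta["tag"] = _mac(meta)
    return meta


def verify_tag(meta: dict) -> bool:
    """True only if the label fields are intact and were produced under TAG_KEY."""
    if any(k not in meta for k in TAGGED_FIELDS) or "tag" not in meta:
        return False
    return hmac.compare_digest(_mac(meta), meta["tag"])


def release_decision(meta: dict, recipient_clearance: str, today: date) -> str:
    """Decision a sharing boundary makes before data crosses it. Order matters:
    an unverifiable label is refused before its contents are trusted for anything."""
    if not verify_tag(meta):
        return "deny:tampered-or-unlabelled"
    if date.fromisoformat(meta["expires"]) <= today:
        return "deny:expired"
    if LEVELS.get(recipient_clearance, -1) < LEVELS[meta["class"]]:
        return "deny:insufficient-clearance"
    return "allow"


if __name__ == "__main__":
    rec = tag_record("lab-0001", "phi", date(2020, 3, 15), retention_years=7)
    print(rec)
    print(release_decision(rec, "phi", date(2024, 1, 1)))
    print(release_decision(rec, "internal", date(2024, 1, 1)))
    print(release_decision(rec, "phi", date(2027, 3, 15)))
```

Logging every `release_decision` with the record ID and recipient gives the trail the interview describes: you can see where a record went, refuse it once its retention period ends, and spot a copy whose label has been downgraded on the way.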

One of the scariest things right now is when people are creating avatars and stuff like that. To do that you upload 23 of your pictures, and then your biometrics are out there. People aren’t thinking about where their data goes when they do that. 

It’s really hard to be invisible in the world today. Even if I’m not personally on social media, if someone takes my picture and tags me in it, I’m there anyway. They’re commingling their data with mine, and so on. It’s scary how much of our data is out of our control. 
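The tagging idea in the answer above (a privacy level, an expiry date and an embedded key that lets the owner follow a copy of the data, expire it, or spot it in a system that should never have received it) worked through as an added example. This is not code from the podcast or its guest: the tag layout, the HMAC-based tracking key, the owner key, the system names and the sample record are all constructed for the illustration.

```python
"""Added illustration of tagging data with a privacy level, an expiry date and
a keyed tracking key, so a copy found elsewhere can be expired or flagged.
Names, key and records are constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical owner secret; in practice it would live in a KMS or HSM.
OWNER_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass(frozen=True)
class PrivacyTag:
    record_id: str
    level: str               # e.g. "public", "internal", "pii", "phi"
    created: date
    expires: date
    allowed_systems: frozenset
    tracking_key: str        # HMAC-SHA256 over the fields above, hex encoded


def _mac(record_id, level, created, expires, allowed_systems):
    """Bind every tag field together so none can be altered unnoticed."""
    msg = "|".join([record_id, level, created.isoformat(),
                    expires.isoformat(), ",".join(sorted(allowed_systems))])
    return hmac.new(OWNER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def tag_record(record_id, level, created, retention_days, allowed_systems):
    """Stamp a record with its privacy level, expiry and allowed recipients."""
    expires = created + timedelta(days=retention_days)
    allowed = frozenset(allowed_systems)
    return PrivacyTag(record_id, level, created, expires, allowed,
                      _mac(record_id, level, created, expires, allowed))


def audit_copy(tag, found_in_system, today):
    """Findings for one copy of a tagged record discovered in a system."""
    expected = _mac(tag.record_id, tag.level, tag.created, tag.expires,
                    tag.allowed_systems)
    if not hmac.compare_digest(expected, tag.tracking_key):
        return ["tag_tampered"]     # nothing else in the tag can be trusted
    findings = []
    if today > tag.expires:
        findings.append("expired")
    if found_in_system not in tag.allowed_systems:
        findings.append("unauthorised_system")
    return findings


def sweep(copies, today):
    """copies: (tag, system_name) pairs found during a discovery scan."""
    return {(t.record_id, s): audit_copy(t, s, today) for t, s in copies}


def demo_sweep(today_iso="2024-01-01"):
    """Constructed scenario: a healthcare record with seven-year retention,
    a copy that drifted into an analytics store, and a copy in billing whose
    level was downgraded to 'internal' without being re-signed."""
    record = tag_record("pt-0001", "phi", date(2016, 3, 1), 7 * 365,
                        ["ehr-prod", "billing"])
    forged = PrivacyTag(record.record_id, "internal", record.created,
                        record.expires, record.allowed_systems,
                        record.tracking_key)
    copies = [(record, "ehr-prod"), (record, "analytics-dev"),
              (forged, "billing")]
    return sweep(copies, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, findings in demo_sweep().items():
        print(key, findings or "ok")
```

The tracking key is an HMAC rather than a plain label so that anyone copying the record cannot quietly relabel PHI as "internal" or push the expiry out; the owner's key is needed to produce a tag that verifies. Run with a date before February 2023 and only the misrouted and forged copies are flagged; run with a later date and every copy of the record is also reported as expired.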

To hear more about how our data is being used, tune into The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

The Impact of Distributed Ledger Technology on the Cyber Security Industry

On The Cyber Security Matters Podcast we were delighted to be joined today by Marco Pineda, an international CISO with a particular specialism in the finance industry. Episode 10 saw us unpacking Marco’s 20 years of experience in information security and talking about the security impact of DLTs. Read on for his insights into the changes coming to the industry following recent concerns around blockchain and crypto. 

What does distributed ledger technology (or DLT) and its applications mean for the future of the global financial industry?

As far as DLT is concerned, you need to understand what the application is. They’re great technologies for environments with a low trust atmosphere, such as cross-border cooperation or between companies where you need an intermediary to provide that trust. It’s a very interesting kind of technology. One of the best uses of DLTs is cross-border customs and documentation for bills of trading. Each government has their own systems, and people need to know how to get documents across that each government will trust. 

What are the security challenges that these technologies present?

It’s mostly the distribution, but understanding and the maths behind it is certainly a challenge too. There’s the additional concern that your system might be sitting on top of other systems that you don’t control at all. That’s an interesting risk facet that might be unique to the DLT area, because if I put a ledger out there, by definition, somebody else is managing that ledger. They’ve got their own machine. They’re taking care of it themselves. It’s their copy of it. I haven’t yet heard a good risk analysis on what that actually means for a company. 

How can security frame itself more positively to help enterprises reach their financial goals, instead of being viewed as a cost centre?

We can take a cue from our colleagues who are trying to see how they fit in with the overall business strategy. You need to show your value to the company, which comes from looking at your portfolio of services / products, and seeing how they can support the business’ strategy. Take some initiatives here and there, offer people proposals. At the end of the day, you need to prove your direct business impact. That means doing things like protecting documents so that your business can ship information and do secure collaboration. Those are the things that security professionals can do that help a business directly. Get creative, take a look at what your skill sets are, what your services have, and see how they might be able to support the business in their goals.

To hear more about the impact of Cyber Security in your business, tune into the full episode of The Cyber Security Matters Podcast here.


Unpacking Vulnerability Management 

On Episode 9 of The Cyber Security Matters Podcast we spoke to Jennifer Cox, the Head of Communications at Cyber Women Ireland, about her work with vulnerability management in the sector. Jennifer is a multi-award-winning advocate for women in tech, using her knowledge to mentor women as they join the workforce. She also speaks at global events, bringing her expertise to a wider audience.

Read on for Jennifer’s insights on vulnerability management in the Cyber Security industry.

What do you think are the three big takeaways on vulnerability management?

At the core of vulnerability management, you need to be able to identify where you’ve got problems. It’s not just laptops, it’s every device that’s possibly connected to the internet. You need to focus on what’s important to remediate first. Vulnerabilities are growing almost exponentially, but the teams that handle those issues aren’t growing the same way. The challenges are not always exclusive to the products that we sell – many times you’ve only got two people on the team, but 40,000 vulnerabilities that you need to fix. 

How do you think vulnerability management is changing in today’s world? 

What’s changed most dramatically since COVID is this overnight remote workforce. Companies no longer have control over every single device on the network, and more and more people are bringing their own device into the office. Companies still need to make sure that those devices are secure. When people are at home they often have wide open home networks. We’re improving education around vulnerabilities and teaching individuals how to put better practices in place at home. People forget that web applications are also vulnerability risks, so they haven’t included them when they’re doing the assessment of their mobile devices, which is a huge factor. Having a team to do vulnerability management within the team is probably the biggest change. 

What do you think is the biggest obstacle to vulnerability management as a whole?

Hands down it’s budgets and bodies. When you don’t get reports about anything going wrong and being fixed by the cybersecurity team, you often don’t appreciate that the team is doing a really great job. If you’re hearing from your cybersecurity team, then there’s a problem – they’re either understaffed or under-educated so they’re struggling to cope. That silence is a problem, because when companies are trying to strip back budgets, they’ll look at reducing that team because it’s quiet. That’s actually the worst thing that they can do, because that’s the team that’s protecting them the most.

The challenge has been resources all the way along. We don’t have enough people to remediate all these issues. What you’ll do in that case is educate your team on prioritisation using a scoring system called ‘CVSS score’. We also have an algorithm that we use called vulnerability prioritisation rating. It takes the CVSS score and a multitude of other different things into account. Based on all of these things, it tells us what is most likely to become a problem over X number of days. The struggle is that of 40,000 vulnerabilities, 30,000 of those are critical. I can’t remediate 30,000 vulnerabilities in a weekend, but that’s the only time I’m allowed to do it. Add to that things like needing a 99.9% uptime, restarting the server after patches, and that becomes a challenge in itself. 
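The prioritisation problem in the answer above, as an added example that is not code from the podcast, its guest or any vendor's prioritisation rating: CVSS gives a base severity, but with tens of thousands of findings rated critical, the order in which they get fixed has to come from other factors (public exploit code, internet exposure, how valuable the asset is) and from what the maintenance window and uptime target will actually absorb. The weights, the greedy scheduler, the host names and the findings below are all constructed for the illustration; the CVSS severity bands are the published v3.x qualitative scale.

```python
"""Added illustration: rank findings by more than CVSS alone, then cut the
list to what one maintenance window can take. Weights and data are
constructed for the example and are not any vendor's scoring algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    ident: str             # constructed label, not a real CVE id
    cvss: float            # CVSS base score, 0.0 to 10.0
    exploit_public: bool   # working exploit code is available
    internet_facing: bool  # reachable from outside the network
    asset_tier: int        # 1 = crown jewels ... 3 = low value
    reboot_required: bool
    fix_minutes: int       # estimated hands-on time for this host


def cvss_severity(score):
    """Qualitative rating per the CVSS v3.x rating scale."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def priority(f):
    """Constructed weighting: CVSS is the base; exploit availability,
    exposure and asset value move a finding up or down the list."""
    score = f.cvss
    if f.exploit_public:
        score += 2.0
    if f.internet_facing:
        score += 1.5
    score += {1: 1.0, 2: 0.0, 3: -1.5}[f.asset_tier]
    return round(score, 2)


def plan_window(findings, window_minutes, max_reboots):
    """Greedy schedule: highest priority first, stopping a finding when the
    window is full or the reboot budget (driven by the uptime target) is
    spent. Several findings on one host share a single reboot."""
    scheduled, deferred, used, rebooting = [], [], 0, set()
    for f in sorted(findings, key=priority, reverse=True):
        fits = used + f.fix_minutes <= window_minutes
        needs_new_reboot = f.reboot_required and f.host not in rebooting
        if fits and (not needs_new_reboot or len(rebooting) < max_reboots):
            scheduled.append(f)
            used += f.fix_minutes
            if f.reboot_required:
                rebooting.add(f.host)
        else:
            deferred.append(f)
    return scheduled, deferred


# Constructed sample: four of six findings are "critical" by CVSS alone.
SAMPLE = [
    Finding("web-01", "finding-a", 9.8, True, True, 1, False, 30),
    Finding("db-01", "finding-b", 9.1, False, False, 1, True, 60),
    Finding("build-07", "finding-c", 9.8, False, False, 3, True, 45),
    Finding("web-01", "finding-d", 7.5, True, True, 1, True, 20),
    Finding("hr-03", "finding-e", 6.5, True, False, 2, False, 15),
    Finding("kiosk-12", "finding-f", 9.0, False, False, 3, True, 45),
]


def demo_plan(window_minutes=120, max_reboots=1):
    """Two-hour weekend window, one reboot allowed: returns the identifiers
    that make the cut and those that wait for the next window."""
    scheduled, deferred = plan_window(SAMPLE, window_minutes, max_reboots)
    return [f.ident for f in scheduled], [f.ident for f in deferred]


if __name__ == "__main__":
    critical = [f.ident for f in SAMPLE if cvss_severity(f.cvss) == "critical"]
    print("critical by CVSS:", critical)
    done, waiting = demo_plan()
    print("this window:", done)
    print("deferred:   ", waiting)
```

Note what the ranking does to the "critical" label: finding-c scores 9.8 on CVSS but sits on a low-value build box with no public exploit, so it drops below finding-e, a medium-rated bug with exploit code in the wild on a tier-2 host. The database finding is deferred not because of its score but because the single permitted reboot has already gone to the internet-facing web host.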

To hear more about vulnerability management and the work that Jennifer is doing to improve diversity in the industry, listen to The Cyber Security Matters Podcast now. 


The Diversification of the Cyber Security Industry

On Episode 5 of The Cyber Security Matters Podcast we spoke to Sean Blenkhorn about his experiences in the Cyber Security industry. Sean has worked in cyber for over 20 years, and during that time he has held a variety of strategic leadership roles, from heading pre-sales to taking on Chief Product Officer and Chief Experience Officer positions. Sean is currently Worldwide VP of Sales Engineering for Axonius, where he takes a proactive role in encouraging diversity in the sector, both in the upcoming technologies and in his teams. 

Do you see the diversification and expansion of the security market as a trend that is set to continue?

The macroeconomic conditions we’re seeing today will have an impact on that, undoubtedly. We’ll continue to see companies tighten their belts and have to make tough decisions from time to time. There may even be tightening around companies that are getting investment from the VC or private equity firms. However, the industry will continue to grow. Even given all of the macroeconomic conditions, we’re still seeing good growth compared to businesses outside of technology or security. It’s not as fast as what we want to see, but it’s still crazy growth. You have to keep things in perspective. Tech is the future, and people will want to protect that.

There are still so many opportunities and technologies out there to look at and get involved with. Innovation happens in the startup world, which is where you see diversification come in. People from all over are having these ideas and disrupting the market with their new tech. Typically the model is that the smaller companies innovate, then the larger companies acquire that innovation and take it to the broader market, hopefully in a way that doesn’t destroy the innovation. That’s the way the industry evolves.

How can we diversify the people within the cyber security profession?

It’s going to happen by continuing to break down the barriers. Organisations need to put a real effort into creating diversity. It’s people like myself who are in managing roles and leadership roles that need to focus on diversity. You need to look at your team and understand what’s going to be valuable, and having that diversity of opinions, views and experiences is really important. It’s not just limited in terms of women getting into the roles, but also enabling them to climb the ladder within an organisation. Diversity thrives when leadership organisations put commitment into diversity in that way too. 

We need to build the future generation and we need to have the teams and resources ready to come up behind us. We’re working with educational institutions and working with our teams to make sure that when we’re working with recruiting firms and internal recruiters that we put real emphasis on looking for diversity in our candidates. It starts from the top down, but there’s also the bottom up route of making sure that we’re supporting the next generation of kids. We need to be showing them what those opportunities are in this industry, and that there’s opportunity for everyone. We have to promote diversity at the grassroots level as well.

To hear more news and insights into the cyber security industry, tune into The Cyber Security Matters Podcast from neuco now.
