What Does the Future Hold for Cyber Security and Its Relationship with AI?

On Episode 26 of The Cyber Security Matters Podcast we were joined by Simon Hunt, the Chief Product Officer at Reveald. Simon is a prolific industry leader and inventor within cybersecurity and technology, specialising in protecting financial information. He also sits on a number of boards within the Cyber Security industry and volunteers with the American Red Cross. During the episode, Simon shared his insights into the relationship between Cyber Security and AI, which you can read here:

“I am super excited about the possibilities of generative AI. But, let’s remember that generative AI is guessing what it thinks the most likely word to come next will be. It’s fascinating how much reasonable content it has created just by guessing what word comes next using statistics. That’s fascinating to me. Ask Chat GPT to write a children’s story or love letters to your wife and it’s amazing. 

But the eye opener for me was that the systems I built create very complicated output, and you have to have a huge amount of expertise to interpret what it generates. We do a lot of work to turn that into stories that people understand. We found that we could throw that raw data into a generative AI model and it would make a readable explanation. If I wanted to tell somebody what their problem is, it would do that perfectly for me. 

I realised I could do it in Japanese, or Baja, I could tell it to write it in any language – and it’s not translating the English output into Japanese, it’s translating the raw data into Japanese. The translation or output is still a beautiful, understandable story. My challenge was taking raw data and making it simpler, because there used to be a huge natural language problem. Now it’s generative AI’s problem. 

Now, of course, we have the problem of misinterpretation, but we have the opportunity to eliminate the requirement for super talented experts and make our process more scalable. That is intriguing to me. I’m not trying to automate everything; I’m saying that we should automate as much as possible and redirect human talent. 

For me, AI is not discovering new things, it’s making our discoveries consumable and actionable for a wider range of people. Who knows where it will go? But now we can take entry level people that are at the beginning of their cybersecurity awareness, and make them as powerful as the experts of today. If we can do that, then we can cut the legs off this problem. 

Fundamentally, it’s not intelligence. AI is not adding any unique insight. It’s shocking how little unique insight we need to write a two page children’s story just by predicting the words that come next. However, we need to be careful with our expectations. You can’t ask it to solve cancer. If it came up with an answer, it would just have regurgitated something that a person has already tried. 

There is a challenge. If you ask AI to compare two companies, it will generate an output that would take you hours to do by hand. As a timesaver it’s amazing, but schools are worrying because it’s becoming indistinguishable from natural language, so how do you tell it’s not plagiarism? It’s a tool that we should use to take complicated information and make it consumable by people who are not domain experts. I can solve that industry challenge with predictive text.”

To hear more from Simon, tune into Episode 26 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

Navigating the Fast-Paced Cyber Security Sector

On Episode 25 of The Cyber Security Matters Podcast we were joined by Jaye Tillson and John Spiegel, who are passionate cyber security evangelists and the co-hosts of “The Edge” by SSE Forum podcast. Jaye has over 20 years of experience in the cyber security industry, across IT infrastructure and zero trust architecture, while John’s background in the industry includes overseeing major projects for global retailer Columbia Sportswear. Read on to find out their perspectives on why the cyber security industry is moving so quickly. 

John: “I talked about paying off your security, which is also referred to in the industry as ‘defence in depth’. So why are people looking to move into this model? Security’s got to be simplified and streamlined. Visibility is hard when you have eight or nine point products that are chained together for remote access, or when your products don’t have APIs that integrate. Security is really hard when you just think about technology and you don’t think about the business outcomes.

Primarily, what’s driving this change is simplified platforms which bring together technologies that were siloed. Companies are also looking to reduce their costs, not only from a vendor perspective, but from an operational perspective. On top of that, both Jaye and I fell into security because of the way applications and workforce are distributed. Now you’ve got to have a different approach to security. Similarly, the way networking and security is transformed and delivered is changing.

For you to be a player in it from a vendor perspective, you have to have the full stack. You can’t just be a networking vendor and rely on another vendor for the security aspect anymore, you have to bring both together because that’s what provides visibility, simplicity and the platform effect, which is what customers are looking for. 

Another interesting piece is David Holmes (who is an analyst for Forrester) did some research, and they asked customers who had moved over to this SASE and SSE model if they are still using the same vendors as they were using previously. Is there any buyer’s remorse? Are they looking to go back or maintain that relationship? The answer in almost 85% of the cases was ‘No, there’s no buyer’s remorse, we’re happy and we’re not looking to go backwards. This is a better approach.’ What does that mean for the industry? It means that the incumbent vendors out there are under threat. That’s why you will continue to see consolidation within the industry.”

Jaye: “I realised that having people on my network who were able to go everywhere and see everything or potentially hack everything was concerning. That’s how zero trust came about, which is built on the concept of only giving access to devices and applications that people need access to for their roles. You constantly check in, monitor and give visibility, and both SASE and SSE are based on that structure. 

Then you’ve got the consolidation element within the market. Recent statistics show that CISOs have over 100 security tools within their environment, which is impossible to manage. That’s because if you have a problem within the environment you won’t know which vendor to go to, where the gap is, what tool it is, or what you’re looking at. Consolidation is bringing more products under one banner and within one user interface, which simplifies your security. Cyber Security is a difficult place to work because you’re constantly under threat or being attacked, the legislation is constantly changing and it’s a very high pressure environment. If you can consolidate and become more simple, not only is it easier from a support perspective, it gives a better user experience.

There’s talk that ransomware is kind of dropping off, but that’s clearly not the case. We need to make everybody’s life simpler by removing and reducing the attack surface and simplifying administration, product and efficiency for the users. Zero trust is a huge thing in the USA, and the government is doing things about it which are flowing down into legislation across EMEA. Once people start to realise that their tools sit on top of that, there’s going to be a snowball effect.”

To hear more from Jaye and John about their work in the industry, tune into Episode 25 of The Cyber Security Matters Podcast here

Facing Challenges in the Cyber Security Industry 

The Cyber Security industry faces challenges on a daily basis due to the nature of its work. However, its challenges aren’t just security threats. On Episode 24 of The Cyber Security Matters Podcast we were joined by Michele Chubirka, a Cloud Security Advocate at Google, to talk about the wider challenges in the industry. Michele has led a remarkable two-decade career in cyber security and has a background as a cloud native expert, giving her a wealth of insights into the space. Here’s what she shared with us:

“Information security can be a struggle. There’s something called witnessing windows or common shock, which is when we see the small violence and violation that happens in our day to day lives. Well, that’s information security to a tee. You have the big breaches and traumatic events – you’re reading about it now with the movement hacks, ransomware, etc. – but every day you experience the vulnerabilities in your organisation. You report on them, saying ‘Hey, you have these vulnerabilities and they don’t get remediated’, and the solution technically seems very simple, but it’s really an adaptive challenge because it has a lot of dependencies and unpredictable human beings are involved. 

A lot of security people experience burnout after a while, because you want to do the right things, but there’s a social issue where people don’t or won’t collaborate well enough to solve the problem. Cyber Security is a challenging field because people are drawn to doing technical things and being engineers, but then find out that they have to work with people, which is a very different skill set. When I started, teams were super small and you could solve a problem end to end yourself. That’s not the case anymore. Now you have huge teams of hundreds of people working on a single application. Now you have to worry about getting people to talk to each other. You have to resolve conflict. 

I wish somebody had taught me to improve my people skills as well as focussing on my technical skills in my professional development. The social science that I’m studying is restorative practices and restorative justice, which is about building human capital or social capital by finding ways to repair harm, restore relationships and build community. If our organisations and companies aren’t communities, we’re going to struggle to build a truly secure cyber environment. 

The problem is that people are really attached to this idea of security being like law enforcement or a military framework. We think of threats as attackers, and there’s a lot of accepted victim shaming. When something happens within an organisation and the bad guys leave, you’ve got to clean up and recover from the trauma of what happened. That’s when the blame shifts. People start asking ‘Who can we blame internally for this problem?’ Then you get some victim-perpetrator oscillation where there’s a blaming game. Then the victims are being held to account as perpetrators because they didn’t secure their systems or they didn’t do the things that you asked them to do. That’s not helpful. 

There are a lot of reasons why developers don’t always write secure code or update their dependencies. Sometimes the systems that security people put in place are not friendly or easily consumable. Developers may be under really tight timelines and they’ve got way too much on their plates, so how much is really their fault? There are often swirling, interpersonal, conflict-ridden situations that create anger and resentment, because security professionals are doing their best but they feel like they can’t make enough change. This is exactly what happens when you’re faced with these witnessing windows, where people are disempowered but aware of what’s happening. When you’re in that situation, you know what the problem is but you can’t change it, the results are stress and eventual burnout. 

That’s really the problem with information security right now. People are building great technologies and there are new techniques coming out every year, but the attacks only get worse, and the job seems to get harder. So what are we doing? I think the reason that the situation is the way it is is because we’re having people problems – it’s not simply a technology problem.”

To learn more about the challenges facing the Cyber Security industry, tune into The Cyber Security Matters Podcast here

Addressing Human Behaviour in Cyber Security

In the Cyber Security industry, one of the biggest risk factors is human behaviour. On Episode 23 of The Cyber Security Matters Podcast we were joined by Ira Winkler, the Field CISO and VP at CYE. He shared his insights on the risks of human behaviour, as well as some great anecdotes from writing multiple books on cyber security. Read on to learn from his experience. 

How have you seen cyber risk progress over your career?

When I do speaking events, I always ask people ‘how many of you are security professionals?’ Most of the audience raises their hands and I go, ‘Okay, you’re all failures, because there is no such thing as security. The definition of security is being free from risk, and you’re never going to be free from risk. So technically, we’re all cyber risk managers.’ If we’re all risk managers, how are we mitigating those risks? I do what I call cyber risk optimization, where we’re quantifying and mapping out the risks according to actual attack paths and vulnerabilities. That allows us to determine how we optimise risk by taking your potential assets, mapping them to vulnerabilities to get an actual cost, and then figuring out which are the best vulnerabilities to theoretically mitigate. 

Now, we’re at a point where machine learning is actually able to start doing things we were not able to do before. Everybody thinks machine learning is this really fancy thing, but it’s taking big data and putting it through mathematical calculations that were not available to us 10 years ago. Now we’re actually able to crunch data, look at trends, and come up with actual calculations of how to optimise risk. I’m finally able to take the concepts I wrote about in 1996-97 and implement them today. 

How do you balance user responsibility and the responsibility of the operating system? 

The solution I’m putting together is human security engineering consortia, because here’s the problem: awareness is important. I wrote ‘Security Awareness for Dummies’ because awareness is a tactic. Data leak prevention can be important to stop major attacks, and anti malware can be important to stop major attacks, so those are tactics too. The problem is that currently, when we look at the user problem, it’s being solved with individual tactics that are not coordinated through a strategy. We need a strategy to look at it from start to finish that includes both the operating system and the user responsibilities. 

You’ve got to stop and think, ‘what are my potential attack vectors? What capabilities does a user have?’ A user can only do things that you enable them to do, they only have access to data you allow them to have, they only have a computer that has the capabilities you provide them. You need to stop and think, ‘given that finite set of capabilities and data provided to a user, what is the strategy that looks at it from start to finish and best mitigates the overall risk?’ I’m not saying you can get rid of risk completely, but you need to create a strategy to mitigate as much risk as possible from start to finish, knowing the capabilities you provide to the user. 

One of my books is ‘Zen and the Art of Information Security’, which includes a concept of what makes an artist, and it’s the person’s ability to look at a block of marble and see a figure in it. They can produce different pieces of art, but they’re all made the same way. There’s a repeatable process and what they use to get what they got. Now in the same way, there’s a repeatable process for looking at human-related errors. You look at the potential attacks against users and ask ‘What might users do, using good will, thinking they’re doing the right thing but accidentally causing harm?’ Most damage to computer systems is done by well-meaning users who inevitably create harm.

You don’t go around and see people saying, ‘I’m getting in my car and crashing into another car’ – that’s why they’re called accidents. We have a science in how we design roads, literally the curvature of roads is a science and when they assign speed limits to it there is a science to understanding what a user does, what their capabilities are, and how you can mitigate that to reduce the risks. In cyber risk, you should be asking similar questions, like ‘How can I proactively analyse how the user gets in the position to potentially initiate a loss and mitigate that proactively?’ Then you design the operating system to reduce the user’s inadvertent risks. 

To learn more about human behaviour and risk in Cyber Security, tune into Episode 23 of The Cyber Security Matters Podcast here

Inside Data Loss Prevention

In recent years there have been growing concerns around privacy and data loss. On Episode 22 of The Cyber Security Matters Podcast we spoke to Chris Denbigh-White, the Chief Security Officer at Next, about data loss and how it’s affecting the industry. Here are his thoughts: 

Data loss prevention has always been the ugly friend of cyber security. If you mention DLP to 9 out of 10 cyber professionals they’ll say, ‘this doesn’t work, but we’ve got to do it’. It’s effectively a tick-box exercise, but it’s a box that does nothing. It’s the old adage of a firewall that has allow rules going both ways. We have to do it though, because otherwise some of our users either complain massively, or are blocked from doing their job. That’s something that Next aims to address; we’re trying to provide DLP that makes sense. That means using machine learning to understand user behaviour. 

I like to understand people’s business processes and build guardrails around what they actually need for security. We’re here to ensure that people who do business and make money don’t lose all their data or have it stolen, as well as protecting them from getting massive GDPR fines. Security itself doesn’t make the business any money, but not having security can cost a business a lot. That means that we need to understand what is valuable to the business and find a way to protect it. 

That’s different from typical data loss prevention tools. We need to understand things like ‘how does this company deal with things like insider risk and insider threats?’ We’ll think outside the box, like ‘Why don’t we address risks through behavioural change and training people on better cyber practices, rather than relying on draconian controls?’ I strongly believe that what we’re doing increases business cadence and reduces friction by approaching DLP in that way. That’s something that I think AI and machine learning are going to help people understand better, because they’ll be used to understand the people around us better and therefore they’ll uncover internal and external threat actors more effectively. 

The way that we approach things is by helping companies understand what normal is, and helping them to address the question ‘Am I happy with what that normal is?’ Our solutions are built by asking things like, ‘Do I want people uploading things to this web application and not that web application?’ That’s a well trodden path to data loss. Another common issue is the use of copy and paste. On one hand, I want users to be able to copy and paste because we’re advocates of strong and long passphrases and the use of password managers – all of which utilise copy and paste. But on the other hand, I don’t want people copying and pasting swathes of sensitive data from sensitive apps and into a text file that’s then emailed off. 

We’ve moved away from just file based data loss, because people lose data in more ways than you’d think. There are copy and pastes, web uploads, Chat GPT prompts… being able to understand and control your data in those ways is its own tool. There’s a business process where we help companies identify their normal and their risks, then we set up specialised guardrails in a super simple process. I think that’s the future of the space. Companies that develop schooling to support security that’s done with people are going to succeed moving forward, whereas increasing levels of draconian control and intrusions are going to come to an end. 

To learn more about protecting your data, tune into Episode 22 of The Cyber Security Matters Podcast

From National Security to Cyber Security With Mark Daniel Bowling 

The Cyber Security space is an exciting one to be part of. On The Cyber Security Matters Podcast we regularly ask our guests how they got into the industry, and on Episode 21 our guest had a fascinating answer. We were joined by the CISO of ExtraHop, Mark Daniel Bowling, who has over 20 years’ experience in Cyber Security, beginning as a special agent and cyber crimes investigator for the FBI. Since then he’s transitioned into several roles, most recently as the Chief Risk, Security, and Information Security Officer at ExtraHop. He shared the story of his unusual career path and his advice for other people who want to make a similar journey.

How did you first get into the cybersecurity industry?

It was almost entirely a consequence of my service in the FBI. I spent six years in the United States Navy, where I was supposed to go into submarines, but I ended up on a carrier because we won the Cold War back in ‘91, so we just didn’t need as many subs. I did a little bit of time in the corporate world and didn’t love it, then I joined the FBI in 1995. That was right as cyber was becoming a thing. We didn’t even have a cyber division in the FBI back then, but we had a cyber investigation section coming out of the white collar branch. We created what was known as NIPC, or the National Infrastructure Protection Centre, then eventually when Mueller came in, in 1999 or 2000, he created the cyber division. I grew up in the FBI and cyber at the same time, because I was an Electrical Engineering and Computer Engineering technologist, so it was the right place for me to go.

I made a great career in cyber in the FBI. When I retired from the FBI I went to another agency, which was the Department of Education, making a transition from a very serious law enforcement and intelligence community agency to the one that was more public facing. After that I retired from federal service and then I went into the public sector as a full time employee, but then I started to move into the consultant track where I’ve had multiple great partnerships with customers, and it was really good. I went back to full time employee status when I came to ExtraHop a couple of years ago. So that’s the route that I took, but I would say my experience in the FBI was really what pushed me into cybersecurity.

Who or what has been the biggest influence in your career?

Because much of my career was in public service, the biggest influence has been the amazing public servants that I met in my career. My role model was a man in the United States Navy named Admiral Larsen. He was a four star Admiral, and I worked for him in the Pentagon. He was just an amazing man. Anybody who knew Admiral Larsen recognises what a great leader he was. 

In the FBI there were a couple of amazing public servants too. I would say David Thomas, who was one of the early assistant directors of the cyber division, was also a great man. He helped build the cyber programme within the FBI. He was one of the great men I knew in the FBI. 

And then at the Department of Education there was a man named Chuck Cox. He was in the Air Force Office of Special Investigations before he went over to the Office of the Inspector General. He has since passed away, but he was a tremendous man. Each of those individuals modelled public service in an amazing way for me.

How do you feel your background within the FBI has shaped your career working for a security vendor like ExtraHop?

I think it’s absolutely vital that anybody who works in security understands the nature of threat and risk. If all you do is think about technology, you’re missing the boat. The job of the business is to stay in business, make money, acquire and retain customers, sell more products, provide better services and increase not just your profit margin, but also your presence in whatever sector you’re in. They don’t want to have to worry about cyber security, so the cyber security folks have to understand the threats to the business for them. 

You have to be able to see things in terms of risk, and that’s what the FBI did for me. One of the things that Mueller did when he came into the FBI was create priorities, and we created those priorities based on the risks. After 1991, the number one priority in the FBI was counterterrorism, number two was counterintelligence, and of course, number three was cyber because of the growth of cyber attacks at that time. So what I learned in the FBI was to see things in terms of risk, understand a threat, appreciate the capabilities of the threat actors, and then turn around and prioritise your resources appropriately to reduce the threat either by remediation or mitigation. If you can create compensating controls around the threat, it reduces the actual risk. At the FBI I learned that you can accept some threats, others you just have to remove, and some you can create compensating controls around.

What one piece of advice would you give to someone entering the industry?

I would tell them to one, stay humble, two, listen, and three, be willing to do things that you’re not comfortable with so that you can learn from the experience. There’s different reasons for learning. You should learn how to do something you’re not comfortable doing so that you appreciate the people who do it on a daily basis. You should learn to do something to understand the level of effort that it actually takes, so that when you ask people to do it as a leader, you know what they’re going to do for you and what they’re going to have to give up to get it done. 

To learn more about Mark Daniel’s experiences and insights, tune into Episode 21 of The Cyber Security Matters Podcast here. 

Exploring the Relationship Between APIs and Cyber Security

APIs are a growing part of the tech industry, and impact a number of areas like Cyber Security. On Episode 20 of The Cyber Security Matters Podcast we spoke with Jeremy Ventura, who is the Director, Security Strategy & Field CISO at ThreatX, about how the rise of APIs is affecting the Cyber Security space. Jeremy has over 10 years’ experience in the Cyber Security industry, beginning his professional career as a security analyst for defence based manufacturing business radian before working his way up to his current position. He’s also the host of ThreatX’s eXploring Cybersecurity podcast, making him an experienced and informed member of the Cyber Security community. Read on for his insights on APIs. 

What should a regular person know about API security and how it affects the world around them?

We use APIs every single day, but most consumers, especially if you’re not technical, won’t realise it. Let’s think about ease of use. If I want to pay a bill I’ll do it with one of the three credit cards that I have. When I’m on an app, I’m just selecting whether I want to pay with Apple Pay or my Chase Card or my Amex card, whatever it might be. Those payments are all API connections. Here’s another good one; when you call an Uber or a Lyft, they’re looking for the closest Uber in your geolocation and the fastest route. Those are all API connections that are pulling that data down. Think about your phone – when you look at the weather today in your location, that uses API connections to pull together your geolocation and the weather from different weather providers. So even though APIs are all out there, they’re pretty much hidden by design. We use APIs on an everyday basis – probably hundreds of them on a normal day.

Now, when it comes to API security, that’s where individuals need to be conscious. Just because it’s easy to use doesn’t mean it’s always secure. APIs in general are designed to connect multiple systems together and send business logic or business data. That’s not anything insecure. However, those transactions that are sent in the background sometimes can contain sensitive company information, or what we call PII, personally identifiable information. That’s things like usernames, passwords, credit card numbers, social security numbers, whatever it might be. That’s why the API security space is so hot right now, because they’re designed to send potentially sensitive data to each other. If that process or transfer is not secured properly, then we have big problems. Every individual – technical or not – needs to be aware of everything they’re putting out there on APIs. Your information is being sent to and from multiple different companies or products, which is a risk.

What is your take on the current state of the API space generally?

APIs are nothing new – they have been around for decades now. API security though is fairly new. That’s where we’re starting to see a lot of security vendors either incorporate technology that can help them in the API security space or we’re seeing a lot of big companies being completely transparent.

I think with that we’re going to see a lot of acquisitions happen pretty soon as well. That’s normal when you have hot, new emerging technologies that are solving real world problems. Why wouldn’t I want to get my hands on that if I’m the largest security vendor? This is when the market can get a little confusing, where you have a lot of different vendors saying, ‘Hey, I do API security’, but they all do it differently. My recommendation is that when you’re evaluating vendors or you’re valuing the space, make sure you’re getting tools and products and services built with that in-depth approach. No one security tool is ever going to be perfect, so it’s important to take a layered approach. 

How much does AI affect API security?

AI in general is definitely affecting security. One thing I’ll be clear about is that attackers and hackers alike have been using AI for a long time. It’s actually nothing new. What’s happening now is that typical security may be a little bit behind. Now they’re starting to ask ‘how can I incorporate AI in my security tools like a security vendor? Can I incorporate AI into my products?’ 

An instant response company just announced that they included AI in their responses. They can create playbooks on the fly based upon the data that someone enters. Maybe I’ve experienced a phishing incident and I need to know who to contact. The AI model within that tool will actually spit out the exact task, or runbook that you need to do. If it’s used correctly, especially in security tooling, AI can definitely have an extreme power and effect for end users. 

Just like anything though, AI can also create a lot of false positives. We need to be very careful about 100% relying on AI and saying ‘this is the be all and end all’, because AI isn’t right all the time. AI in general security, including API security, is definitely starting to have an effect on both the security vendor side and the end user side.

To learn more about how APIs are affecting the Cyber Security space, tune into The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Securing the Cloud in Cyber Security

Securing the Cloud is a major challenge across the Cyber Security industry. On Episode 19 of The Cyber Security Matters Podcast we spoke to Abhishek Singh, the Co-Founder and CEO of Araali Networks, about how Cyber Security professionals are navigating the growing challenges of keeping the Cloud secure. Abhishek has 25 years’ experience in Cyber Security, including a period in which he led a team to build a data centre scale platform to enable micro segmentation and security in a virtual machine environment. This wealth of experience gives him some great insights into the current issues around securing the Cloud. 

Could you explain what zero trust is and what the biggest problems are with implementing it?

Zero Trust has become a buzzword. Zero trust people say ‘trust nothing’, but zero trust is fundamentally a networking concept. That concept is actually very simple. Imagine it as a castle and moat problem, where you have a castle and a moat around it called a perimeter. Everything inside the castle is trusted. Everything outside the perimeter is untrusted. If you have to come into the castle, you come through a firewall, and then you are trusted. So it is a networking concept which relies on perimeter security and having an open interior.

The problem with that approach is that your perimeter has to be perfect. If there’s one bad guy coming in, you’re in trouble. If one Trojan horse seeps in, you’re in trouble. If you’re building a zero trust environment you have to keep your controls inside out. Even if your environment is not pristine, every resource has to defend itself. 

The Cloud is very zero trust friendly in that it denies access by default, so if you want to expose anything online you have to explicitly open it up. However, egress is open. And that is the problem with zero trust, it’s too hard to close down egress. So if someone is already inside, going out is free, and that is what attackers abuse. So in spite of Cloud being very different, very novel, very thought through and upfront, egress is open. And that is the fundamental problem. 

What do you see as the biggest challenges in securing the cloud itself?

The real question is, ‘is the Cloud more secure?’ That is the biggest thing that people need to understand, and there is no straight answer. Depending on who you ask, they will give you a different answer. Many people believe the Cloud is more secure because Amazon has done a lot of good work there, and other cloud providers have followed suit. But the real rub there is, it’s as secure as you make it. Security is a shared responsibility, and Amazon is very clear about it. They are saying ‘we have given you the tools to make it secure’, but they have not done your work for you. Amazon has not secured your stuff. Coming from an on-prem background, when you go into the Cloud where there are new paradigms, it’s very hard to fulfil your shared responsibility. If you have not done so, Cloud is not more secure. 

The other challenge is attackers. On-prem Windows is a fertile ground for attackers to be doing things. They have not exploited Cloud. At some point though, that’ll change. Things like SolarWinds supply chain attacks used to be science fiction, right? The cloud is like that – it’s waiting to explode. It’s not that it’s more secure – it’s just that attackers have not diverted their attention to it yet. They’re still trying to go after Windows workloads on prem. The moment they come to Cloud, there’s a lot to be had.

Why do you think businesses like Waze have had such success over the last few years?

So the reason Waze has been successful is because of simplicity. Security has been very cumbersome over the years. Orca was the first company who came out and said, ‘We’ll give you a Cloud account, and without any agents we’ll go and survey it and show you visibility’. The ease of use itself was very compelling. My problem with that approach is that by showing your Cloud position, you’re making yourself more vulnerable. I know I’m vulnerable. I did not need to see a picture to get that insight. The thing I need to know is how do I not become exploitable? How do I remediate my vulnerabilities? That is still a hard problem, because the Cloud is hard. It’s difficult, which is why it is vulnerable. Showing me my visibility is not helping me become less vulnerable. The thing we should focus on is remediation, and that’s the language of zero trust. The reason this became so popular is because of the ease of installation in a world where Cyber Security is hard to work with. Time to value is unspoken. 

To learn more about securing the Cloud, listen to Episode 19 of The Cyber Security Matters Podcast here

Tackling Talent Challenges in the Cyber Security Sector

As recruiters, we’re often faced with a number of challenges when it comes to sourcing talent in the cyber security sector. On Episode 18 of The Cyber Security Matters Podcast we spoke to Jake Bernardes, the CTO for Whistic, about his perspectives on the topic. Here are his insights: 

The reality is that there never has been a skill shortage in cyber security. That is completely fake news. The problems are actually between the hiring manager or hiring team and the candidate. And those issues are extensive. Let’s start with the kind of person that the hiring manager wants. Do they know what the key skills are that that person needs to have? Secondly, people are very bad at writing job descriptions. The next problem is that once you’ve written the job description it gets translated to a job ad. 

We all rely on recruitment in our business. Usually HR are filling in for recruitment functions, and they don’t understand what I’ve told them they’re hiring for. Do they know what I’ve actually asked for? Are they translating something which doesn’t make any sense? Are they adding things because they are standard requests, like ‘must be college or university educated’, ‘must have this qualification’ etc, when I actually don’t care as a hiring manager? The problem is when that person in HR misinterprets my request and does not put the right spin on it when it goes out to market.

There are then two more problems in that situation. Firstly, that description doesn’t make a lot of sense, and secondly it’s not focussing on the right keywords. We’re often having issues with the salary as well, because this is a high-paid field. We’re going out to recruiters who can’t fulfil a role where the requirements don’t make sense and the salary doesn’t work. It’s impossible to find someone that doesn’t exist, so it creates the illusion of a talent shortage.  

The flip side is that I don’t have a shortage of candidates. What I have is an inability to screen candidates properly because everyone has realised that there’s money in cyber so they’ve made their resume cyber orientated. If HR does the screening, they don’t have the competence to know what is or isn’t relevant. They often miss potential gems because the resumes are quite simple but have one really interesting line at the bottom. They just go and find an SRE or cybersecurity analyst. HR puts on a layer of nonsense that they think makes sense, including a salary banding which is completely unrealistic, then throws it to recruiters and hopes that they can turn carbon into diamonds. 

Our industry is a weird one. There are so many people who are very good, but on paper they shouldn’t be good. On paper they should never have even been in the interview. Standard education and experience doesn’t allow me to spot the people who are going to excel, but people’s passion projects do. And so I stand by my statement, there is no skill shortage here. There is a fundamental disconnect and a poor process between cybersecurity leaders and the candidates who are applying. Everything in between those two dots is broken currently.

To learn more about the talent challenges in the Cyber Security sector, tune into The Cyber Security Matters Podcast here

Cyber Security and AI: Insights from David Stapleton

AI has been sweeping the internet for months since the release of ChatGPT 3. As the world looks at the implications of these powerful new AI models, the cyber security industry is no exception. On Episode 17 of The Cyber Security Matters Podcast we spoke to David Stapleton, the CISO at CyberGRX, who we met at the RSA conference. With over 20 years of experience in business administration, cyber security, privacy and risk management, David has a unique expertise that makes him the perfect person to share insights on the relationship between Cyber Security and AI. Read on to hear his thoughts!

A lot of attention has been paid to AI – with good reason. I have this mental model where if my mother is aware of something that’s in my field, that’s when it’s really reached the public Zeitgeist. When she asked me a question about the security of AI, I knew it wasn’t a niche topic anymore. 

Artificial intelligence is an interesting phenomenon. Conceptually, it’s not that different from any other rapid technological advancement that we’ve had in the past. Anytime these things have come up, the same conversations have started to happen. With the advent of cloud there was a real fear that was sparked – particularly in the cybersecurity community – around the lack of control over those platforms. We had to trust other people to do the right thing. How do I present that risk to the board and get their approval for that? Maybe it’s a good financial decision, but we are introducing unnecessary risks. 

Another example of that may have been the movement towards Bring Your Own Device (BYOD) and allowing people to connect their personal devices to company networks and data. That sounds terrifying from a security perspective, but you can see how that opens the door to increased productivity, efficiency and flexibility. 

AI is not too dissimilar from that perspective, and we can see plenty of positive aspects to the utilisation of artificial intelligence. It’s a catalyst for productivity which could provide exposure to multiple different data points and bring together salient insights in a way that it’s hard for the human mind to do at that kind of a speed. It can also reduce costs, bring additional value to stakeholders and potentially help companies gain competitive advantages. 

Conversely, there are potential risks. It is such a new technology, and we’re still learning about how it works as we’re using it. There’s a lot of questions from a legal perspective about the ownership of the output of different AI technologies, particularly with the tools that produce audio visual outputs. The true implementation and impact of that isn’t going to be known until the courts have worked those details out for us. 

We’re in a position now where some companies have taken a look at AI and said, ‘We don’t know enough about this, but we feel the risk is too great, so we’re going to prohibit the utilisation of these tools.’ Other companies are taking the exact opposite approach: ‘We also don’t know a whole lot about this, but we’re going to pretend this problem doesn’t exist until things work themselves out.’ 

At CyberGRX we’re taking a middle of the road approach where we’re treating AI models as another third party vendor that we’re using for work purposes. We’re going to share access or data with that tool, but we need to analyse it from a security risk and legal risk perspective before we approve its utilisation. That’s a fairly long-winded way of saying that there are amazing opportunities for AI but there are risks. 

We’ve already seen threat actors starting to use artificial intelligence to beef up their capabilities. You could understand logically how artificial intelligence gives a fledgling or would-be threat actor the ability to get in the game and take action sooner than they otherwise would be able to. When ChatGPT first was released to the public, the very first thing that I put into it was ‘Write a keylogger in Python’. That’s a little piece of malware that will log your keystrokes and collect things like passwords or credentials. It just did it. It was there on the screen as a perfectly legitimate piece of software. Since then they’ve tightened the controls, but there was a time when someone with bad intent could start producing different types of malicious software without even learning to code.

To learn more about the uses of AI in Cyber Security, tune into The Cyber Security Matters Podcast here

Managing Cyber Security Within the Industry

Growing companies often face cyber security challenges as they manage teams that are scattered across the world. On The Cyber Security Matters Podcast we were joined by Ivan Milenkovic to discuss how companies can manage those challenges, even inside the industry. With over 20 years of expertise in information security, Ivan is currently a Group CISO at WebHelp, where he’s managed a large security team that doubled in size to over 140,000 people. He’s a security evangelist and a huge advocate of addressing cultural and leadership factors rather than relying solely on technology to protect your teams. 

What were the security challenges involved in scaling so fast at WebHelp, and how did you overcome those?

When I joined three years ago, WebHelp was just shy of 58,000 people. Throughout COVID we started growing to address the way that our clients worked, and what was happening to the sector at the time. We are very aggressive when it comes to acquisitions and expanding into new markets, and that brings some very interesting challenges. We’re a very large global company. That’s how our clients see us, and they expect a certain level of quality across the board, regardless of where their services come from. 

We effectively needed to bring everybody up to speed and bought-in to our culture. I’m a big believer that people are a very important part of the picture when it comes to security. That’s why it’s very important to get everybody on board to recognise certain values that must be respected. The challenge is to get people on this journey, and for them to understand that when it comes to security, it’s not just that you’re trying to enforce boundaries, it’s actually about supporting the qualities. You need to be able to lead and take people on that journey, rather than providing rigid boundaries that they don’t understand.

How do you balance managing a large security team with meeting the demands of internal stakeholders?

WebHelp is split into what we refer to as regions. They’re not necessarily geographic regions, but logical parts of the business that operate as semi-dependent companies tied together at a group level. Because of how everything came together, we’re talking about various teams spread around the world. InfoSec is a very large team, so you have all the daily challenges when it comes to the InfoSec itself. Because it is a rather big team, not everybody is my direct report. Whenever you work with people though, you need to respect their different needs and requirements, and understand what’s going on. We’re blessed with the quality and enthusiasm of people that are part of the team, which helps a lot. Most of my time is actually spent dealing with senior stakeholders from the business rather than my team. It’s been important to make sure that my people are bought-in enough to carry on without much management. 

You’re a really passionate advocate of the idea that technology alone can’t solve security problems, so the leadership aspects of cybersecurity are key. Why is that? 

It boils down to two things. One is that culture we touched on, because when people understand why certain things need to be done in a certain way, that’s half the job done. If you have people that are trying their best, that are not scared to report problems, that are educated well enough to understand, appreciate and communicate when something goes bad, everything is easier to deal with. 

If you look at what can be done with technology today, you cannot do without it. We live in a really technological era where there is too much going on, so without technology you wouldn’t have the right level of visibility and you wouldn’t be able to react fast enough. People are very creative, sometimes too creative for their own good. It’s not hard to imagine a multitude of scenarios where a very creative person can easily get around even the best piece of technology. So that’s why you must find the right mix. You cannot rely on just your technology. It’s your processes that glue it all together. So, unless you take people with you on that journey, you don’t stand a chance.

To learn more about managing risks within the industry, tune into the full episode of The Cyber Security Matters Podcast here

Unpacking State Responses to Cyber Security Challenges

Cyber Security is a growing concern for the majority of organisations. On Episode 15 of The Cyber Security Matters Podcast we were joined by Adam Gwinnett, the CTO & CISO of Nine23. With a legal background, he’s experienced in managing stakeholders in the heavily regulated state sector, with 10 years of experience at the Department for Constitutional Affairs, the UK Ministry of Justice, and the Metropolitan Police. Adam joined us to talk about how cyber security impacts state systems, from the challenges facing the police to the government’s response to major incidents. 

What challenges are the police facing from the increase of cyber crime?

I think because of the global pandemic, when people were locked at home with their computers, cyber crimes and quantum growth crime grew dramatically. That raises some really interesting challenges generally, because cyber crime is often transnational. The person committing offences against you is very unlikely to live in your jurisdiction, so even if you do report it, investigation can be very frustrating. As a result, under-reporting is rife. One of the fundamental challenges you have from a law enforcement point of view is that you don’t actually know how much it’s occurring or how impactful it is, because people are quite embarrassed to admit when they’ve had issues with it. They’re often worried about being scrutinised, and worry that people will be critical of their responses to it or how they handled it. People end up suppressing certain information which otherwise could be very interesting and beneficial, not only to the investigation process, but actually to their peer group who might have suspiciously similar looking things in their environment. 

From the law enforcement point of view, I was keen to couple cyber security with the cybercrime division. One of the things that we focused on was ‘How can I take my investigation of a cyber incident, and turn that into a potential initial bundle for the investigating officer to take forward? How can I give the best evidence? How can I provide you with the best material?’ I didn’t have the mandate to do the investigation and proceed because I was civilian styled, but I could take the information from my logs in the digital forensics team and give them the best chance of bringing the offender to justice. I used to talk about it at conferences, where people would just say ‘That’s not our jurisdiction. We haven’t really thought about how we could give them a leg-up or considered how we could best enable them.’ How many SOC analysts can say they’ve actually put a cyber criminal in prison? Several lawyers could say that I contributed to making sure that that offender actually went to prison, and that’s the ultimate closure for me. 

How do cyber security decisions get made within big government departments? 

Some of it’s quite straightforward. Effectively, most decisions that impact the risk appetite, risk acceptance, or risk tolerance will go to a named individual on their board of advisors. They will then review it, look at the balanced risk case like ‘Why are we doing this? What are we hoping to gain through it? What are the potential mitigations we can put in place? Are they proportionate? What is the net impact on our risk position? Does that take us outside of tolerance?’ That makes it quite straightforward. It’s an interesting one, because those people are fundamentally dependent on the advice they’re given. The people asking them to make decisions, accept the risk or present the view will seldom be impacted when the risk emerges. They’re incredibly challenging positions for people in the regulated and public sectors. 

What are the challenges facing cyber security leaders in the sector?

One of the things that can be really challenging is that it can be really hard for those people to understand the net effect of the things they’ve agreed to. So I’ve spoken to CROs from other organisations that said, ‘I’ve had like 40 risk acceptances presented to me this year. It’ll happen every couple of weeks where I’m asked “Can we accept this risk?” I don’t know if I can reliably tell them what the net impact on our overall risk is, or the cumulative effect of all of those things that we’ve agreed to.’ In large, complex enterprises, can you understand all the systems, processes and risks that are undertaken? Because the people who own those systems, processes and fundamental aspects of the business will be separate from the people doing the risk acceptance. They don’t always have the mandate to go in and correct all of the issues. They won’t normally have a budget or available resources to do it. If they don’t, it just becomes one of 100 other competing priorities that organisation has to deal with.

In the event of a major security incident, what does the internal decision making process within a big government department look like?

It’s very dynamic. You’ll normally find war rooms and incident response teams almost immediately. Most large organisations have very mature, robust and practised responses, because it’s never quiet. Even when I worked at the Met, I was talking to people from banks, insurance companies and financial services who were a big target, and they had a 10th of the attempted attacks that I did in a week. Our response and investigation processes are incredibly well drilled, because somebody’s always trying something. One of the biggest challenges is that your teams end up being in high alert and response mode all of the time. That level of anxiety, stress and mental overload is not useful for people. It leads to poor decision making. What you will find is that a lot of organisations start putting things like shift rotations in place to tackle those issues. If your response mechanisms are really effective and really well tested, you can rely on them slightly too much. Actually preventing issues is dramatically less problematic than being able to respond to and deal with them effectively, but if you’re always able to jump out in front of it and catch the issue, people will get relaxed about the fact that that’s what will happen. 

To learn more about the threats facing cyber security teams, tune into The Cyber Security Matters Podcast here

Global Leadership in Cyber Security

Cyber Security is becoming a growing concern for businesses across the globe. On Episode 14 of The Cyber Security Matters Podcast we were joined by Hajar El Haddaoui, who is an international executive. She speaks four languages: French, Arabic, German and English, which has allowed her to lead a large sales team in multiple continents. She is currently leading Swisscom’s managed security services, as well as serving as a board member for the Chamber of Commerce, MOD-ELLE and WIN Women’s International Conference, where she works to support women in business. With such an extensive and exciting background, we were keen to hear her insights on global leadership in cyber security. 

How does Switzerland’s approach to Cyber Security differ from other key European markets?

Switzerland is one of the most innovative countries I’ve worked in. Cyber Security is a part of the business transformation of any company, and in Switzerland they are sensitive to where the data goes and is used. They create security by design, which weaves their Cyber Security into the fabric of their products. 

Do you expect adoption of managed security solutions to continue to increase as a proportion of the overall cybersecurity marketplace?

Absolutely. There are many challenges facing our clients, including the complexity of digital business, where there is an increasing skills and resource gap. There’s a 3.1 million gap in resources and talent worldwide for Cyber Security. Lots of our clients don’t know how to use the hybrid cloud. Therefore, managed services are key for those clients in order to respond to their challenges. We want to transform the industry by making products and services that are secure by design, but there are several clients who need someone to manage those products for them anyway. It’s important to have management in your Cyber Security portfolio in order to meet that need in the market and address the challenges that clients are facing. 

Silicon Valley is seen as leading innovation. How influential are they to Cyber Security?

Research and development are key to innovation, not just in Cyber Security. They give you confidence to innovate and inform how you take a digital solution and rapidly provide insurance to our customers. We’re not just providing security to our customers, we are providing consultancy, technical support services and managed security services too. It’s those three layers where innovation needs to be. Research and development can be applied to intelligent and managed security services to identify and respond to threats, giving us a proactive level of protection. 

There’s a lab in Silicon Valley that is the hub of innovation, not merely for Cyber Security. There are also labs in Israel and Japan, but Silicon Valley is still playing a huge part in global Cyber Security efforts because of the amount of investment that they’re able to attract. Everyone needs to invest in innovation and in hub centres for security. Silicon Valley aren’t the only one doing it, but they are still big players. 

What have the different places you’ve worked taught you in a business and leadership context?

Working internationally has given me the ability and agility to deal with challenges. Being a resilient leader is essential to what we do. The second thing is confidence. Moving from one country to another I’ve learned to build a community and a support system, which plays into that self confidence. The third lesson is humility. I’ve become a continuous learner, because the technology field in Cyber Security is rapidly changing, and I have to accept that I’m not going to stay an expert if I don’t learn from other people. The market is fast and furious, so to be fit for the future I have to learn skills and humility. 

To hear more about global Cyber Security efforts, tune into The Cyber Security Matters Podcast here

RSAC: Insights, Community and Cybersecurity Trends

As spring blossoms in San Francisco, the highly anticipated #RSAC2023 commences, attracting leaders and companies from around the world.

Being my first conference, I embarked on this journey with a mix of excitement, nerves, and curiosity.

The big takeaways from the conference were the valuable insights into the cybersecurity industry, the strong sense of community and the hot topics of investments, the impact of AI and talent shortages. Additionally, we had the opportunity to explore the vibrant food scene of San Francisco, which added a cultural touch to the conference experience.

Grand Opening and Impressive Booths

The conference kicked off with great anticipation. As attendees gathered in the entrance hall, the atmosphere was electric and the buzz of excitement was palpable. As the doors opened, a polite stampede of cybersecurity enthusiasts filled Moscone South Hall. The sight of numerous booths was awe-inspiring, with companies investing substantial resources in exhibits that highlighted the industry’s advancements and the immense potential of the cyber security world.

Networking calls and conversations up to this point had revolved around RSA Conference, emphasising its value as a place to connect and meet face-to-face.

Community – Diversity & Inclusion

The most profound takeaway from my first RSAC was the vibrant and supportive community within the cybersecurity industry.

As a newcomer, the community came across as surprisingly friendly and collaborative.

I had the privilege of attending the Women in CyberSecurity (WiCyS) drinks event, where representatives from Microsoft, Amazon and Google gathered to promote diversity. The motto “not done yet” resonated strongly, emphasising the importance of the continuous effort needed to enhance diversity in this tech space.

The next morning, I attended the Women in Cyber breakfast, featuring a panel discussion with founders, CEOs and CISOs. The conversation revolved around the challenges faced by successful women in maintaining work-life balance. It was inspiring to witness the support within the community, with ideas exchanged freely, fostering growth and empowerment.

Insights and trends

Apart from the community aspect, RSA Conference 2023 offered valuable insights into trends and concerns.

Investments

One notable takeaway was the significant investment in the Cybersecurity sector. Funding for Cybersecurity start-ups increased from $2.4 billion in Q4 2022 to nearly $2.7 billion in Q1 2023, underscoring the industry’s growth and the recognition of its importance in the digital landscape.

AI – Changing the landscape.

Discussions throughout the conference highlighted the transformative role of artificial intelligence in the Cyber security industry. AI technologies are reshaping the landscape, influencing threat detection, incident response, and overall security operations. The integration of AI into cybersecurity practices has become indispensable for organisations to stay ahead of evolving threats.

Talent shortage and calls for solutions.

Addressing the shortage of talent has become a top priority for organisations, with discussions focussing on strategies to attract and retain skilled professionals. Collaborative efforts are necessary to bridge the talent gap and nurture a diverse and competent cybersecurity workforce.

Amid networking and business meetings, we took the opportunity to explore San Francisco’s renowned food scene, indulging in the famous Clam Chowder, Oysters, and the Buena Vista Irish coffee.

While RSAC is over, another key takeaway is that the fight is not over, so we look forward to next year to witness the continued growth in the industry and learn new and innovative ways to disrupt cybercrime.

The Future of Asset Management

Asset management is a growing area in the Cyber Security industry. On Episode 12 of The Cyber Security Matters Podcast we were joined by Huxley Barbee, a CISSP and CISM. He is currently a Security Evangelist at runZero, which is the latest role in a glowing career in the cyber security industry. We spoke to Huxley about the advancements he’s seeing in the asset management sector, including his predictions for the future.

How do you see Asset Management evolving over the next few years?

There have been a number of technological trends that have caused a divergence of environments. For example, smart speakers like your Alexa are changing our home environments, because this tech used to be simple, non-connected devices. Now they’re connected to the internet, which exposes you to a higher risk. There’s also been a rise of ‘bring your own device’ culture, where people bring their own phones and tablets to the corporate network. There’s also the move to cloud associated with the DevOps revolution. 

A lot of companies will see the cloud as a way of transforming their capabilities to both lower costs and increase speed and agility. Folks are empowered to just spin up new computing devices left and right, but the old devices are not actually decommissioned, so you have a sprawl of this attack surface out in the cloud as well. There are also more and more mergers and acquisitions happening, where a purchasing company has to take on the risks and vulnerabilities in the target company. All these different trends have led to this divergence of environments where companies are not just protecting their corporate IT assets, but also their OT, the factory, their IoT devices, your personal devices, the cloud and whatever else goes on in remote employees’ homes.

Because of a need to find talent, organisations have started looking at a wider geographic spectrum, and a rise in this ‘work from home’ culture became compounded by the pandemic. That is now also part of what cyber security needs to protect. Over the last 20 years, this evolution of assets has resulted in a decentralisation of control. Meanwhile, it’s the same security team that’s being expected to protect all that. There are numerous statistics out there about how the number of devices connected to the internet is going to continue to go up. Security teams will be more and more challenged, which is a fundamental problem. If you don’t have this foundational capability of knowing what you have, you are absolutely not protected. We’re going to have to see some change in order to address this growing challenge. 

How can the industry address those issues? 

There are a number of different approaches that have been tried over the last 20 years. There’s the use of agents and authenticated active scans, but they don’t solve the problem of unmanaged devices. If you can put software on a machine, then it probably needs managing. There are other vendors who try and pull data from multiple other sources to try and cobble together some sort of asset inventory. The trouble is, if they’re pulling from limited data sources, they’re not really solving the problem of unmanaged devices either. There’s also a passive network monitor, which theoretically can learn about more devices on the network, but its ability to identify those assets correctly is limited, because it’s only looking at network traffic to make that determination. There’s another approach, which is using an unauthenticated scanner with a security research-based approach for fingerprinting alongside API integrations. We found that this is the winning combination to help you get both breadth and depth of your assets, no matter where they are, no matter what type they are. 

To learn more about asset management, tune into The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

The Future of Ransomware Protection

An increasing number of ransomware attacks are coming through emails. It’s clear that the ease of attack vector is changing, and not for the better. On Episode 13 of The Cyber Security Matters Podcast we spoke to Ronnen Brunner, an SVP at Ironscales, about his work in selling the future of phishing protection. He shared his insights on the increase of ransomware attacks in emails and told us how we can identify and protect against these attacks.

You don’t need to be an expert in order to send a successful ransomware attack, because there are services you can just download on the dark web that will do all the hard work for you as a hacker. You can spam attacks directly to customers – you don’t need to be the sophisticated hacker sitting down and programming a credential theft or phishing attempt. You can use existing engines to attack people, and because of the ease of it, it’s become a lot more common. 

There’s a lot of variety when it comes to scammers who will spam hundreds or thousands of people and those who target specific individuals. A lot of hackers are just hoping that some of their attempts at phishing will be successful, and they’re the ones focussing on quantity.  Especially when you’re looking at credential safe, or Spear Phishing, they are targeting specific people by sitting in their mailbox, getting to know the regular interactions that they have and then designing a targeted attack that they won’t see coming.  

These scammers can learn your pattern of behaviour, your invoices, forms, vendors etc., and create a legitimate invoice with different bank details on it. Once a payment has been made it’s often incredibly difficult to get back. Lots of these scammers are posing as big companies, because it’s easy to make an email look like it’s coming from a reliable source. You can emulate the domain name or make it look like it’s coming from a person in the company whose information you found on LinkedIn. From speaking to these companies we know that 60-70% of attacks are coming in through their emails. They’re being targeted because of the information they put online.

We’ve seen customers trying to stop it. It’s incredibly hard because of the quantities of emails that go in and out. Some of these attacks look very sophisticated. It’s all about training people to identify what’s a ‘known dead’ and what’s a potential red flag. People need to understand malicious content and intent, then utilise machine learning or AI to sift through the information and flag any anomalies that could point to an attack. In the business we have something called ‘zero day attacks’, where there is no other indication that this email isn’t genuine. There are no markers from our list of ‘known dead’ elements to tip you off, and that’s when these attacks are their most dangerous.

Some things to look out for are language like ‘buy these Amazon vouchers’ or requests to change bank details on an invoice. These could be very simple emails that look like legitimate communications from known senders. You should always question changes to your payments. Once bank details are changed and you make a payment, you’ll notice a massive increase in emails that ask you to change the bank details for other vendors, because these hackers have figured out how to effectively steal from you.

Everybody’s seen an increasing number of attacks since the COVID pandemic, because hackers had the time to fine-tune these attacks. They’re becoming incredibly successful and sophisticated, which is why we need next generation solutions. Everybody we’ve spoken to has a phishing problem, because they’re not preparing for these attacks in their systems. Even though sometimes these attacks are stopped by our email providers, there are still several getting through. People need to report phishing attempts if we’re going to get an accurate idea of the problem, and sadly that’s not happening either. We should be crowdsourcing suspicious behaviour and building a safer world together.

To find out more about keeping yourself safe online, tune into The Cyber Security Matters Podcast here

The Dangers of Unsecured Data

On Episode 11 of The Cyber Security Matters Podcast we spoke to the incredible Dr. Rebecca Wynn about how we can all manage our privacy online. Dr. Wynn is an experienced global CISO and privacy expert, often named as one of the top women in Cyber Security. She has led large security teams in the investment and medical sectors and is currently consulting enterprise clients on their security strategies. 

Can you tell us about the challenges COVID posed for the healthcare sector from a security perspective?

Before COVID we had a centralised workforce that was covered by certain policies and protocols within the business. Once people started working remotely, and in some cases in other countries, that situation changed. We were outsourcing our data protection and people didn’t have the same protections at home. People started working in shared spaces with people outside of the organisation. With these new conditions, companies need to look at how they are protecting their sensitive information, as well as that of their clients.

One thing I did is look at cyber liability insurance. I met with external certification organisations, and we identified the safeguards I could put in place. I took our top 15-20 clients and walked them through our findings, and the majority of them asked me to quickly rebuild their security with a strategic plan, technical plan, and operational plan. It was a long process, and it cost me a lot of sleep, but we’ve helped protect people now. 

When you talk about the changes we’re seeing from COVID, we’re still seeing fallout from leaders who didn’t realise the additional residual risks that they were accepting. One thing I do notice consistently is people not sharing the information that you need to know or telling colleagues what their blast radius is in the organisation. It’s all about managing risk. That’s the one thing I still see from a younger generation: they don’t know how to communicate that risk and things along those lines. CISOs don’t want to be the scapegoat officer, so we need to be more watchful than we were before.

How do you see the concept and the practical application of privacy evolving in this data-driven society?

One of the biggest problems with data privacy is developing a global set of privacy regulations. There’s so much red tape that you have to get through at the moment because everywhere has different legislation. 

Another challenge is that data is being created but it’s not tagged. Does it have sensitive information in it? We wouldn’t know. If we could tag information with expiration dates and a level of privacy, we could handle it better. If you’re talking about healthcare, you should be able to say ‘it’s printed on this day, and it will absolutely expire in seven years’. The other thing is that once that data is created somewhere, it’s in your environment. Data gets shared through companies’ internal systems, which is a massive problem unless you can embed some sort of privacy key. If you could do that it would act like a GPS signal in your database. You could follow that, expire it or see if the data went to someone who’s not supposed to get it. That’s the kind of thing you need to do if you want to get a handle on privacy. 

One of the scariest things right now is when people are creating avatars and stuff like that. To do that you upload 23 of your pictures, and then your biometrics are out there. People aren’t thinking about where their data goes when they do that. 

It’s really hard to be invisible in the world today. Even if I’m not personally on social media, if someone takes my picture and tags me in it, I’m there anyway. They’re commingling their data with mine, and so on. It’s scary how much of our data is out of our control. 

To hear more about how our data is being used, tune into The Cyber Security Matters Podcast here. 

The Impact of Distributed Ledger Technology on the Cyber Security Industry

On The Cyber Security Matters Podcast we were delighted to be joined today by Marco Pineda, an international CISO with a particular specialism in the finance industry. Episode 10 saw us unpacking Marco’s 20 years of experience in information security and talking about the security impact of DLTs. Read on for his insights into the changes coming to the industry following recent concerns around blockchain and crypto. 

What does distributed ledger technology (or DLT) and its applications mean for the future of the global financial industry?

As far as DLT is concerned, you need to understand what the application is. They’re great technologies for environments with a low trust atmosphere, such as cross-border cooperation or between companies where you need an intermediary to provide that trust. It’s a very interesting kind of technology. One of the best uses of DLTs is cross-border customs and documentation for bills of trading. Each government has their own systems, and people need to know how to get documents across that each government will trust. 

What are the security challenges that these technologies present?

It’s mostly the distribution, but understanding the maths behind it is certainly a challenge too. There’s the additional concern that your system might be sitting on top of other systems that you don’t control at all. That’s an interesting risk facet that might be unique to the DLT area, because if I put a ledger out there, by definition, somebody else is managing that ledger. They’ve got their own machine. They’re taking care of it themselves. It’s their copy of it. I haven’t yet heard a good risk analysis on what that actually means for a company.

How can security frame itself more positively to help enterprises reach their financial goals, instead of being viewed as a cost centre?

We can take a cue from our colleagues who are trying to see how they fit in with the overall business strategy. You need to show your value to the company, which comes from looking at your portfolio of services / products, and seeing how they can support the business’ strategy. Take some initiatives here and there, offer people proposals. At the end of the day, you need to prove your direct business impact. That means doing things like protecting documents so that your business can ship information and do secure collaboration. Those are the things that security professionals can do that help a business directly. Get creative, take a look at what your skill sets are, what your services have, and see how they might be able to support the business in their goals.

To hear more about the impact of Cyber Security in your business, tune into the full episode of The Cyber Security Matters Podcast here

Unpacking Vulnerability Management 

On Episode 9 of The Cyber Security Matters Podcast we spoke to Jennifer Cox, the Head of Communications at Cyber Women Ireland, about her work with vulnerability management in the sector. Jennifer is a multi-award winning advocate for women in tech, using her knowledge to mentor women as they join the workforce. She also speaks at global events, bringing her expertise to a wider audience. 

Read on for Jennifer’s insights on vulnerability management in the Cyber Security industry.

What do you think are the three big takeaways on vulnerability management?

At the core of vulnerability management, you need to be able to identify where you’ve got problems. It’s not just laptops, it’s every device that’s possibly connected to the internet. You need to focus on what’s important to remediate first. Vulnerabilities are growing almost exponentially, but the teams that handle those issues aren’t growing the same way. The challenges are not always exclusive to the products that we sell – many times you’ve only got two people on the team, but 40,000 vulnerabilities that you need to fix. 

How do you think vulnerability management is changing in today’s world? 

What’s changed most dramatically since COVID is this overnight remote workforce. Companies no longer have control over every single device on the network, and more and more people are bringing their own device into the office. Companies still need to make sure that those devices are secure. When people are at home they often have wide open home networks. We’re improving education around vulnerabilities and teaching individuals how to put better practices in place at home. People forget that web applications are also vulnerability risks, so they haven’t included them when they’re doing the assessment of their mobile devices, which is a huge factor. Having a team to do vulnerability management within the team is probably the biggest change. 

What do you think is the biggest obstacle to vulnerability management as a whole?

Hands down it’s budgets and bodies. When you don’t get reports about anything going wrong and being fixed by the cybersecurity team, you often don’t appreciate that the team is doing a really great job. If you’re hearing from your cybersecurity team, then there’s a problem – they’re either understaffed or under-educated so they’re struggling to cope. That silence is a problem, because when companies are trying to strip back budgets, they’ll look at reducing that team because it’s quiet. That’s actually the worst thing that they can do, because that’s the team that’s protecting them the most.

The challenge has been resources all the way along. We don’t have enough people to remediate all these issues. What you’ll do in that case is educate your team on prioritisation using a scoring system called ‘CVSS score’. We also have an algorithm that we use called vulnerability prioritisation rating. It takes the CVSS score and a multitude of other different things into account. Based on all of these things, it tells us what is most likely to become a problem over X number of days. The struggle is that of 40,000 vulnerabilities, 30,000 of those are critical. I can’t remediate 30,000 vulnerabilities in a weekend, but that’s the only time I’m allowed to do it. Add to that things like needing a 99.9% uptime, restarting the server after patches, and that becomes a challenge in itself. 

To hear more about vulnerability management and the work that Jennifer is doing to improve diversity in the industry, listen to The Cyber Security Matters Podcast now. 

The Diversification of the Cyber Security Industry

On Episode 5 of The Cyber Security Matters Podcast we spoke to Sean Blenkhorn about his experiences in the Cyber Security industry. Sean has worked in cyber for over 20 years, and during that time he has held a variety of strategic leadership roles, from heading pre-sales to taking on Chief Product Officer and Chief Experience Officer positions. Sean is currently Worldwide VP of Sales Engineering for Axonius, where he takes a proactive role in encouraging diversity in the sector, both in the upcoming technologies and in his teams. 

Do you see the diversification and expansion of the security market as a trend that is set to continue?

The macroeconomic conditions we’re seeing today will have an impact on that, undoubtedly. We’ll continue to see companies tighten their belts and have to make tough decisions from time to time. There may even be tightening around companies that are getting investment from the VC or private equity firms. However, the industry will continue to grow. Even given all of the macroeconomic conditions, we’re still seeing good growth compared to businesses outside of technology or security. It’s not as fast as what we want to see, but it’s still crazy growth. You have to keep things in perspective. Tech is the future, and people will want to protect that.

There are still so many opportunities and technologies out there to look at and get involved with. Innovation happens in the startup world, which is where you see diversification come in. People from all over are having these ideas and disrupting the market with their new tech. Typically the model is that the smaller companies innovate, then the larger companies acquire that innovation and take it to the broader market, hopefully in a way that doesn’t destroy the innovation. That’s the way the industry evolves.

How can we diversify the people within the cyber security profession?

It’s going to happen by continuing to break down the barriers. Organisations need to put a real effort into creating diversity. It’s people like myself who are in managing roles and leadership roles that need to focus on diversity. You need to look at your team and understand what’s going to be valuable, and having that diversity of opinions, views and experiences is really important. It’s not just limited in terms of women getting into the roles, but also enabling them to climb the ladder within an organisation. Diversity thrives when leadership organisations put commitment into diversity in that way too. 

We need to build the future generation and we need to have the teams and resources ready to come up behind us. We’re working with educational institutions and working with our teams to make sure that when we’re working with recruiting firms and internal recruiters that we put real emphasis on looking for diversity in our candidates. It starts from the top down, but there’s also the bottom up route of making sure that we’re supporting the next generation of kids. We need to be showing them what those opportunities are in this industry, and that there’s opportunity for everyone. We have to promote diversity at the grassroots level as well.

To hear more news and insights into the cyber security industry, tune into The Cyber Security Matters Podcast from neuco now.

Including Women in the Cyber Security Industry

Diversity is at the forefront of discussions in recruitment, and in Episode 7 of The Cyber Security Matters Podcast we spoke to Karla Reffold about how we can diversify the sector. Karla is the General Manager at Orpheus Cyber, a Board Advisor and American Cyber Award judge. She has also founded and sold two award winning businesses in the cybersecurity industry, hosted her own podcast, and was one of the top three finalists in the Entrepreneur of the Year category at the Cyber Security Women of the Year awards in 2022. Read on to hear her perspectives on improving representation in the Cyber Security industry. 

Do you think you’ve faced barriers in the industry that your male counterparts haven’t?

It’s hard to know when things aren’t explicit. One of the stories that I tell is from a couple of years ago, when I’d sold the business. I worked in the company that bought us and one of my new colleagues said, ‘You leave early every day to pick your kids up, it must be nice being part time.’ I worked every evening and I was in the office earlier than almost everybody else; I worked a lot of hours. That comment really annoyed me, and I called him out on it. I complained about it and he apologised, but the feeling was that it wasn’t a big deal, I should get over it. I definitely felt that from then on I was seen as a little bit difficult, and that’s really unfair. 

I’m glad I spoke out about it, because there are other people that weren’t in a senior position who wouldn’t have felt that they could say anything. I do feel a responsibility, given that I have a platform and some seniority, to call those things out, even when it’s uncomfortable or they seem small. That one stands out to me, maybe not as a barrier but like one of those negative experiences.

Do you think big vendors and individuals within cybersecurity do enough to tackle the lack of diversity in our market?

I’m not sure vendors do, I think teams do when their clients care about it. What’s interesting now is that you’re seeing a lot of the VCs and private equity firms ask about your diversity stats. They see it as a risk, that’s a really interesting change. Money drives these decisions. It’s relatively easy to stick a load of women in marketing, HR and maybe sales. That’s partly reflective of where the market is right? You can’t always hire people that don’t exist. I don’t see the drive coming from vendors as much as I see it coming from internal security teams.

How has the representation of women changed since you started your career?

It’s definitely improved. I joke that I don’t want it to improve too much because I don’t want to queue for the bathroom. It’s changed across the board. There’s a lot of young women who are studying something cyber related. I think the biggest change for me in the last couple of years has been how many men support diversity initiatives and how many men talk about things. If you’re a man, particularly if you’re a parent, you can now talk about picking your kids up or dropping them at school and needing some flexibility. That really makes it safe for everybody to do that. I’ve seen some really big positive changes in that way.

What else do you think can be done to encourage minorities into the sector more broadly?

Consider what images you’re using. I haven’t used that image of a man in a hoodie in a dark room for five years, because it’s telling people what we are as an industry. Let’s not have that type of image. That makes a difference. Get rid of degrees as one of your requirements. If you’re getting 300 applicants, you are looking for ways to rule people out rather than rule them in, but white men earn engineering degrees at 11 times the rate of black women here, so if you’re putting degrees into your hiring process, you are just building in economic discrimination. We know that affects different races differently, so get rid of that. Think about your culture too. Stop making this a recruitment problem. It’s not just ‘Hey, recruitment company, go find me a diverse list of candidates’. It’s actually considering what do you do with those people once you’ve got them. How inclusive is your culture? And how do you make everybody feel like they can be authentic at work? Those are my three quick takeaways.

To get more in-depth about diversity in the industry, tune in to The Cyber Security Podcast here

Creating Gender-Diverse Communities in the Cyber Security Industry

On The Cyber Security Matters Podcast we often talk about diversity. On Episode 8 of the podcast we spoke to Alexandra Godoi, the Information Security GRC Lead at Oxfam, about the work she does to actively improve gender diversity in the industry. Alexandra was named as one of the Top 30 Female Cyber Security Leaders of 2022, thanks to her work as a speaker and panellist at conferences and her role in increasing awareness around the need for cybersecurity in the world of NGOs. 

Read on to learn more about reducing the gender imbalance in our industry!

What do you think can be done to increase women’s voices and presence in a company?

Designs should influence a company’s decisions in developing products. It’s not just about listening to the women in your company, because they might not have a full picture. Go through that route of participatory design, which is where you go and ask the community, ‘What do you think about this? How would this impact your life? Do you have any concerns?’ Actually talk to people – that will help everybody move towards having security and privacy by design. We have a lot to learn from each other. 

What do you think it means to be a woman in cyber?

I don’t particularly see myself as a woman in cybersecurity, I’m just somebody that works in cybersecurity who cares about human rights issues. I don’t think we should focus on this disparity between men and women, because I’m not doing anything differently than my male counterparts. We’re all here to do our jobs.

What can be done to help address the digital gender gap and internet access imbalance?

There are different aspects that we can look at when we’re talking about the digital gender gap. One of the points that I’ve seen being made is the fact that there are not enough women in STEM, for example, but it runs deeper than that. It depends on the context and where in the world we’re talking about. A good example is that in India and Pakistan, access to technology like mobile phones is reserved to the man of the house. Because of this, women don’t have access to the digital space in the way that their male counterparts do. 

The way technology is designed also puts a lot of pressure on the end user. You are expected to know how a computer works, you’re expected to know what a virus is and how to protect yourself, you’re expected to know that you need to set up strong passwords. Not everybody has access to the same level of education around those topics. Putting that pressure on the end user is not a fair point to start with, because you’re making the assumption that everybody who uses technology has access to equal opportunities.

Diversity is being used as a checkbox by tech giants. How do you think they can better level that diversity playing field?

Creating industry standards for security could be a way to push diversity as a non-political agenda. It is slightly political, because we’re talking about human and digital rights, but it is a way to push for more inclusivity. If we come up with a standard that means security risks are taken into consideration from the get-go, we should push for that, because it removes the pressure from end users and makes the digital space more equitable. 

To hear more about the work that Alexandra and Oxfam are doing to promote human rights in the Cyber Security space, tune into the full episode of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Securing the API Industry 

On Episode 6 of The Cyber Security Matters Podcast we sat down with Chuck Herrin, the CTO of industry leading API security business WiB. Chuck has over 15 years of experience in senior and board level IT security roles, and now sits as an advisory board member for multiple organisations in the cyber security space. He’s acted as an attacker, defender, and most recently a builder. With so much knowledge and expertise in the space, we were fascinated to hear his insights into the API industry.  

What is your take on the state of the API security space at the moment? 

It’d be great if there was some API security. I’m being flippant, but it’s another example of history repeating. The most recent example of this phenomenon is when we knew for 10 to 15 years that adoption of the cloud was inevitable. There are so many benefits and cost savings, we all knew it was going to happen. For some reason, defenders didn’t try to figure out how to do it safely. They resisted the change. We saw all kinds of issues and eventually had to catch up. People are still really worried about cloud issues. I saw an article that said around 94% of companies anticipate having a cloud breach in the next 12 months.  

APIs are experiencing the same phenomenon. The adaptation is inevitable because the benefits are massive. There’s no way that we aren’t going to rapidly continue to adopt API and micro service based architectures. The point of business isn’t security, the point of business is delivering value. If you aren’t adopting APIs and micro services, you’re gonna be out-competed and you won’t survive, and if you adopt it incorrectly or insecurely, you’re exposing your back end systems, data and business logic. Adoption right now is rapidly outpacing security.

We’ve been doing threat modelling for 20-25 years, and we know that you need to know your assets, actors, interfaces and actions in any environment or ecosystem. Then you see who’s doing what to what, via what, and the AI and API interface. Lots of APIs are completely unmanaged and unmonitored. APIs and their adoption made it around the world before security teams got their boots on. Now we’re frantically trying to help companies catch up and keep up. It’s like a one-legged man chasing a rabbit, the longer it goes on, the further apart they’re getting. While we’re working really hard to solve these problems at a macro level, it’s only getting worse. We’re not catching up.

Where do you see the API security space in 10 years time? 

I really hope that we can close these blind spots and treat API security the way we should. APIs exist to make developers’ jobs easier, and they do a great job of that, but if you don’t know what’s exposed to the outside world, you can’t monitor it or manage it. We’ll catch up eventually because we have to.

What I’m hoping for in the interim period is that we don’t have massive national crises, critical infrastructure implications or life safety issues. There are safety issues at the individual level where people’s data is exposed. Bad actors could figure out how to abuse these APIs and target API abuse at political figures. We have critical infrastructure issues with water treatment, or the power grid, or nuclear plants where a lot of companies that have been around a while are going to introduce APIs to their systems and there will be a risk. I worry about those attack surfaces more as a citizen than a software vendor, because if something goes wrong there we’re going to have to figure this out as a species. I hope we can address these security risks before that happens.

To hear more about the state of the API industry and Chuck Herrin’s work in protecting it, tune into the full episode of The Cyber Security Matters Podcast.  

The Indian Cyber Start-Up Scene 

On our first episode of The Cyber Security Matters Podcast, we were delighted to be joined by Girish Redekar, Co-Founder of Sprinto.  

His trajectory is incredible – from starting, scaling, and exiting RecruiterBox through to now growing Sprinto, all in less than a decade. 

We hope you enjoy listening to this episode as much as we did recording it.  

Why is India such a major innovation hub for the startup/cybersecurity space? 

“Great question. So, I’m definitely not an expert in the area. But basically, whatever I know, is just viscerally connecting with other Founders that I see in the ecosystem.  

And one of the things that’s really happening in India, is that there is a sudden exponential increase in just the sheer number of startups that you see in the space. They’ve entered mainstream, so to speak. So, you take a national daily and there’s basically a page which is dedicated to startups and the funding rounds that have happened and what’s going on over there.  

So, I remember the time when we started our previous company, which was back in 2008. And I didn’t know that what I was doing was a startup, we thought we were just doing a business and the word startup hadn’t entered our vocabulary yet.  

Fast-forward to about 14 years later, it’s really definitely entered the mainstream. You know, mindspace people talk about it, it’s very common – my neighbour next door in my apartment is another startup founder.  

Especially in some places like Bangalore and Pune and Gurgaon and some places, there are startup hubs, and it’s very common for you to find startups over there. And that sort of brushes over any aspect of startups. So, you have a very thriving consumer startup business. But we have a lot of b2b startups as well.  

And that touches on cybersecurity as well. So, I’m seeing a lot of interesting Cybersecurity startups coming from in the country, including those who are working in spaces like privacy. Some of them were working in spaces related to password protection, and so on, so forth. Therefore, that sort of grabs on to pretty much all the spaces that you can think of that makes sense in a b2b software scenario!” 

To listen to the full episode of The Cyber Security Matters Podcast click here.  

The Future of the Cyber Security Industry

On The Cyber Security Matters Podcast we were joined today by Isabel Bardley-Garcia. She is the Director of Information Security at Helion Energy, driving company wide security strategies, programmes and initiatives. They are currently building the world’s first fusion generators and enabling a future with unlimited clean electricity. Isabel has over 18 years of experience in the cybersecurity sector, including leading and driving the transformation and automation of National Cybersecurity consulting services. With all of that experience, Isabel has some fascinating views on the evolution of the cybersecurity industry, the highlights of which are below. 

How have you seen the role of security and risk management within cyber security mature and evolve during your career?

The role of security and risk management has gone from being just a compliance issue, either to a regulation like SOX or GLBA, or standard like PCI DSS due to more companies, and especially the government, taking it seriously. It’s more about protecting the organisation from major losses, crippling interruptions, or even failures of the organisation, and also about helping organisations to grow and to succeed. We’ve gone from doing things because we’re told to do it to doing something because it makes sense to actually do it.

Do you think that cybersecurity is taken more seriously in 2022 than in the early 2000s, when you were first starting out?

Back in the early 2000s it was very frustrating to be an information security consultant, or just a cybersecurity professional. Like I said, companies didn’t really take it that seriously if they didn’t have a regulation or standard. As professionals, we saw the attacks and we had to protect our companies against them. When we saw that the attackers or the threat actors were getting bolder and more sophisticated, our companies and even the government at that time felt further and further and further behind in this cyber warfare, to the point that many of them denied it was even happening. They were like an ostrich with their head in the sand. They just didn’t believe that they would be targets, because they sold blouses instead of missiles. They didn’t think they had anything that the threat actors wanted, and even the government thought of warfare as a physical thing and not a cyber thing. We were watching it all happen, and it was very frustrating. 

20 years later, after so many breaches and after learning about all the foreign actors from different countries who are trying to cripple other nations, down to their infrastructure, to steal intellectual property. The regular threat actors who are trying to steal intellectual property to sell credit cards, social security numbers, personal identifiable information for identity theft… they’re still there, but having breaches is being taken more seriously. It’s reactive more than proactive, and now more and more companies, as well as the government, have really gotten into beefing up their security. They’re seeing it more as a risk management issue instead of a compliance issue. 

We still have a way to go, because there’s still a lot of companies that have that old mentality that is still very pervasive. Some companies still think that they can just offshore or push off securities, saying ‘we have service providers taking care of that, we have third parties taking care of that, we don’t have to worry about it’. Now we’re getting more and more breaches, where the third parties are being breached in order to be able to get to their whole client base. That’s starting to be taken more seriously, and companies are being more proactive, which is a great direction to go to. We’re still a couple of decades behind, so we need to hurry this up.

How do you see the industry developing in 10 years time?

I think that with all the different frameworks that we have now, companies don’t really have much of an excuse to not know what they’re supposed to be doing. And a lot more of them are taking those frameworks and implementing them into their own organisations, and they’re using the risk assessment management approach a lot more than just checking the box for whatever compliance, so it’s become more holistic. Companies are becoming more educated as to what cybersecurity is and how it pertains to their company, the C level are educating themselves about it, and realising that it’s not an IT problem, that it really is a risk management problem. Even boards of directors are bringing on people with security experience to advise them. It’s becoming more mature and more known in companies. 

The way that I see this going for the cybersecurity profession is that cybersecurity roles are going to become more focused and better defined. I think that the workforce framework is going to really help with that. We won’t have cybersecurity professionals being asked to perform three or more roles, so the firewall administrator isn’t also expected to be the database administrator, they’re just strictly the firewall administrator. A lot of the burnout we’re having in the profession is that we were expecting our professionals to wear many different hats that are very different from each other. From an education perspective, we’re going to start having more places of education with a wider variety of more mature cybersecurity degrees and training programmes to choose from. I’m hoping that by that time, cybersecurity will be its own separate department with its own head that then reports to like the CEO, or legal or something that makes a bit more sense than like the CIO. 

From a vendor perspective, it’s going to keep growing, we’re going to get more tools and platforms. Because the buyers are going to be a lot more sophisticated in their knowledge of threats, vulnerabilities, control frameworks and how it pertains to their domain’s responsibility, they’re going to be a lot more discerning and selective in their purchasing decisions. They’re going to be looking for products that fix a specific problem, which then will force the vendors to start focusing on the core functions of their products instead of trying to build them all-in-ones. Vendors are going to have a harder time getting people to buy the shiny new thing, because the sophistication of the buyers will be much greater by that time. 

To hear more about the future of the cybersecurity industry and Isabel’s unique perspectives, listen to the full episode of The Cyber Security Matters Podcast here.

The Importance of a Capability Model

On Episode 3 of The Cyber Security Matters Podcast we were delighted to be joined by Caleb Barlow. He’s an entrepreneur with a technical background and he’s equally comfortable presenting at TED talks or primetime news as he is consulting the board of a major health care provider. As VP of threat intelligence at IBM, he built one of the largest incident response platforms, including the world’s first immersive cyber range. He went on to be President and CEO of supply chain security business Redspin, helping them become the DoD’s first approved third party assessor, at the same time as taking the helm at parent company Synergist Tech, a cyber services firm with an emphasis on health care. He’s currently heading up his own business, Cylete, where he advises private equity firms on the right cyber businesses to target. It’s an impressive professional history! 

We covered topics from diversity in the industry to the ways that Covid has impacted the landscape of cybersecurity. Here are some of the highlights from that conversation. 

What one piece of advice would you give someone entering the industry?

This is an industry that has a language to it, and you really need to understand that language to be credible. This is an industry where information has a shelf life, because attacks and defences are constantly changing. I mean, this is not an industry that you could easily pack up and leave for a year or two and come back, because everything’s going to have changed. What I tell people is they have to stay informed of the news of the industry every single day. I think of it like Game of Thrones, right? If you’re a Game of Thrones fan, the first few episodes, you have no idea what’s going on. It takes a season or two before you start to get that all these things are connected. I think the cybersecurity industry is the same way. Whether it’s through the cyber wire or your podcast or a threat feed, you have to stay informed about this stuff, and you have to do it every day. What I’ve always said to my teams is that if you haven’t read the news, don’t come into work today. I test because if you don’t know what the latest attack was and what it means, and you get asked by a customer, you’re totally not credible.

How has the term critical infrastructure broadened in recent years?

I think we need to redefine it. When most people talk about critical infrastructure, they refer to health care, energy, finance… It’s a very World War Two mentality in terms of ‘what is critical infrastructure’. Let me ask you this, at the start of the pandemic, what did you really need? I don’t know about your household, but the critical infrastructure in my household was getting access to goods and materials during a supply chain crisis and being able to communicate with friends and colleagues and being able to send my kids to school. One of the things we have to do is realise that the pandemic brought us a whole new way to work and a whole new way to educate, so our critical infrastructure has to change. We’ve got to look at cloud providers like Microsoft, Amazon and Google; that’s critical infrastructure. Now, we’ve got to look at things like Zoom, which is how my kids went to school and how I went to work. It’s an absolutely critical infrastructure. I couldn’t care less about my phone system, I need my Zoom. Suppliers that deliver things like Amazon and Instacart and large retailers that were able to keep supply chains moving like Walmart – they were critical. A lot of what we have to do is really rethink how we think about critical infrastructure and what critical infrastructure is.

You’ve made high profile media appearances over the years and also specialised in consulting the C suite on information security, is there a major or unifying message that you strive to get across?

It’s really all about having a capability model versus just having procedures and documentation. You need to build capability in four key areas. The first is obviously cybersecurity skills and incident response. Number two – and this is surprising to most people – is communication skills. If you don’t know how to communicate internally, externally, with your partners and with your customers, things aren’t going to end well. If, during a crisis, you can’t communicate what to do, people are going to fill that void with their own speculation. I would argue that the vast majority of high profile breaches we’ve seen over the last 10 years are down to poor communication. Lacklustre communications in decision making causes more damage than the threat actor in most companies, because people either don’t communicate, which is a decision in and of itself, or they communicate bad data, not knowing what to say and how to say it, or they go sideways with regulators. The third area you need is legal, and the fourth capability you need (and this is the tough one), is business resiliency skills. On any cybersecurity response team, it is critical to have business skills that can understand what can the business handle, what alternatives might we have and how could we stand up the business in another way. Our threats aren’t any different than a fire or a flood or a natural disaster. You have to think about resiliency if you can’t get access to your IT systems.

What do you see as the prospects for cyber during the next decade? 

The simple fact of the matter is that we are still in an industry where we do not have enough people to fill the open jobs. The need for those skills only continues to grow. We are starting to solve some of the problems though, we’re starting to become a more diverse industry, which is great. Some of the pipeline of getting skills is starting to get solved, but like any industry, the next round of innovations may, in some cases, be repeats of things we’ve seen before. Ultimately what I do think we’re likely to see now is kind of the second generation of companies starting to step in. A great example of this would be as the EDR market moves to XDR, we’re starting to see the next generation companies coming in and solving the same problem but with a very different business model. Like any industry, those optimization companies will probably be the ones that win in the long term as the industry turns over.

To hear more about the future of the cyber security industry, tune into the full episode of The Cyber Security Matters Podcast here.

Accessing the Cyber Security and Intelligence Industry

In our second episode of The Cyber Security Matters Podcast we sat down with intelligence specialist AJ Nash. He is the VP of intelligence for external cybersecurity company ZeroFOX, and he spoke to us about his journey through the Intel sector and how that’s led him to where he is today. Read on for his perspectives on accessing the cyber security and intelligence industry.

How did you first get into the Cyber Intelligence industry?

That’s a good question, and like a lot of people, I didn’t have a straight path. It wasn’t intentional, but I frankly don’t know if there’s a single thing in my career that’s got me here. I originally joined the Air Force, my intent was to be a police officer and go to law school, and my test did relatively well. I was in the Air Force for nine and a half years, then I medically retired and moved into defence contracting. And so I started doing traditional Intel work in counterterrorism, counterinsurgency, things like that. 

I was recruited for an opportunity. I had an interview with a defence contractor, and I literally interrupted them about five minutes into the interview, and said ‘I think I’m in the wrong room’, because all we were talking about was maths, science, computer science, operations research and cybersecurity. I didn’t know anything about most of the stuff. I told them ‘I’m an intel guy, where’s the terror? Where are the bombs?’ And they said, ‘No, no, we got people for all these things. What we need is some intel folks, we’re trying to build a new concept for how to do intel analysis specifically for cyber, and we need to have experts. We need people who can translate this to make sure this is useful.’ That ended up becoming what we called at the time cyber intelligence preparation of the battlespace. 

It was a great opportunity, and I accidentally got into cyber and helped work and develop that programme with amazing, smart, brilliant people. I was one of the folks who helped write the book along with my five or six colleagues. A couple of folks did the training. This ended up becoming foundational training for contracts at NSA and Cyber Command for a lot of cyber work. And so I learned a lot from a lot of people much smarter than myself. And that’s how I ended up in cyber, which was very much accidental like I said. So you know, from a career standpoint, it’s great to do terror and terrorists, there was certainly funding there, and then you go into cyber and it was a lot of funding there too. And so that led to a career doing cyber intelligence work at the agency and cyber command. I went into the private sector also by accident to be honest. A friend of mine convinced me to join LinkedIn, although I had never had a social media account for obvious reasons with my career, I would have been immediately compromised. That was always fun! But somebody recruited me through LinkedIn, and I moved to the private sector. 

I had a really winding path from a kid who’s gonna be a competent lawyer to a guy who does cyber intelligence work with one of the greatest companies in the world. So I’m a lucky guy, they say you put yourself in the right position. Maybe I own a little bit of it, but people have helped me along and I’ve just ended up in really good spots. 

We talk a lot about barriers to entry into cybersecurity. Is security intelligence still a good route into the industry? 

I guess it was for me. Intelligence is enduring, Intel feeds everything. I don’t think it’s going anywhere, so I think it’s a great way to work in this industry. I don’t know if it’s the easiest way to get in, necessarily, but for folks who are coming out of government and military we’ve already got the background and experience. That’s actually where private sector companies probably should be hiring their first Intel leaders. For those who are in university right now, wondering ‘how do I get into cyber?’, it may or may not be the easiest route, because again, only maybe 10% of companies out there have Intel teams, but there is a lot of demand. So if they’ve done the research, if they’ve got the education to back it up, and they can make the pitch, there’s opportunity there. But I also think there’s nothing wrong with somebody who’s coming in and wants to be a SOC analyst or do threat hunting or incident response, they’re all great ways to get in, as long as people understand those are different careers. If you want to transition from one of those to Intel, it isn’t just changing a title and moving desks. There’s some study and work that needs to go into that. From what I’ve seen, most folks who are getting into cyberspace are not coming in through Intel.

Is diversity improving within cybersecurity?

I think diversity is better now than it was, but we have a long way to go. So you know, I think if you go look at any panel discussion, chances are you’re gonna find four white guys on it. If you look at most Intel teams, most cyber security teams, the majority of them are likely to be white males especially in the US and UK areas. But I do think it’s changing. Our teams are great – we have three senior directors on the team, two women and a guy. They do all happen to be white, but one was an immigrant, so we’re not all Americans. I think part of the challenge is the talent that we still have to grow, right? There’s still a challenge in many ways, women are still not being encouraged enough as girls to go into STEM, so there’s still a lot of cultural challenges. The trouble we have is where do you hire the people from if they don’t go through the funnel, if we don’t build people with these skill sets? I think we really need to encourage young people, all ages, races, genders, to, you know, to embrace technology and embrace these opportunities. And we need to put funding in place for them and give them opportunities to do it so that we have more diversity across the board. So that’s a challenge. For people in my position, if you’re hiring folks, you have to keep in mind, I don’t want 10 people on my team that are the same person 10 times over. There’s a value to it for the team standpoint. I think a lot of folks are putting a lot of effort into this. But it’s hard, and it’s a long way to go. So better, yes, but not nearly good enough yet.

You mentioned a few really interesting things there about potential barriers to entry into the sector. So what would you say are the barriers to entry? And what practical steps can we take to reduce those?

Access to education is a barrier. I’ve talked about this around the world. There’s a privilege that I’ve had to get where I am, and certainly access to education has been there. I think we have to develop programmes that give people opportunities, regardless of their socio-economic standing. There are great programmes that do these things, other mentorship programmes, and there are other education programmes, that give people some of these options, but we need more of that. We’re seeing at least in this industry a move away from the bias towards everybody having to have a degree. Certifications are really valuable, and being able to demonstrate you have a skill is really valuable. On the other side, I know self-taught people who are brilliant but they have a hard time getting the interview. I think folks are trying to do a better job of saying, ‘let’s get them in the room. They say they can do things, let’s test them out.’ We can be more creative in our education, but also much more creative in our hiring.

I think that the biggest barrier to entry right now is still having the resources, funding and opportunity to get the education, skills or certifications needed. We then need to have the creativity on the hiring side to look beyond a paper and a resume and say, ‘who is this person? What do they bring to the team? Can we give them a position and a shot?’ That is tough because we’re for-profit companies, and a lot of companies don’t want to invest in training, they would prefer to hire somebody who’s plug and play, because it saves them time and energy and money. I think we have some challenges to solve in that area as well, especially as we keep saying that we’re 3 million people short in cybersecurity, and the number goes up every year, so it’s gonna take a collective effort to get there. Some of that might involve the industry buckling down and saying ‘we’re gonna hire people we know are qualified, we’re going to train them up.’ I think we’re seeing some of those areas improve as well.

What one piece of advice would you give to someone who is entering the cybersecurity industry? 

My one piece of advice is to be bold. I think a lot of people self-select themselves out of opportunities. Confidence is a challenge. Imposter syndrome is real – I can attest to it. I think be bold, and don’t undersell yourself. If it’s something you think you can do, and you want to do it, even if your resume says nothing about it, try to throw your hat in the ring. Try to get into the interview, try to have a discussion. The worst thing that could happen is you’re right where you left off. You gotta go do the thing, right? Try to get in there and find a way and be persistent with it. If you don’t get it one time, try another time, you know, talk to people. That includes things like just reaching out to somebody on LinkedIn. Don’t stop yourself by thinking ‘that person is really important, they don’t have time for me’. Reach out! That’s how I did a lot of it. I built a lot of my connections just by saying ‘let’s have a conversation’. Now people do that with me, I have had tons of folks reach out to me. They always seem surprised when I answer and I say ‘yeah, let’s have a conversation instead of a call.’ And people seem shocked by that. Listen, I’m not that important. I’ve got time for you, and if it’s something I can help with I will. I think a lot of people think that these people with these great titles and great roles and great amazing things won’t be interested. But you reach out, and you realise they’re awesome, and they’re happy to talk to you, they want to help. If you’re not bold, you don’t ask the question. So what if they don’t answer and move on to the next person? A lot of them will, though. People want to help each other. My best advice is always to be bold.

To hear more from AJ Nash and other industry experts, tune into the Cyber Security Matters podcast from neuco here. 

What challenges does the internet being the network now create in the cyber security space?

In episode #77 of The Tech That Connects Us, we were delighted to be joined by John Spiegel, CTO at Axis Security.  

In this episode we unpacked everything from his career trajectory through to the nitty gritty world that is cybersecurity. 

We hope you enjoy this episode as much as we did recording it. 

What challenges does the internet being the network now create in the cyber security space? 

“Oh, my, the internet really is the future for connectivity.

And it’s good and it’s also bad. The good is that you have this ubiquitous connectivity out there that for the most part is inexpensive.

If you think about the cost per megabit of an internet line versus an MPLS line, it’s significant. And, as a result, it’s enabling this incredible amount of productivity from companies. 

You don’t have to do constant maintenance, or patch upgrades, and the ability to access that from anywhere is amazing. But, on the other hand, we have this challenge of if businesses can get to any application at anytime, anywhere.  

The same thing is true for the bad cyber actors, you know, they can easily get into your network. Maybe because you misconfigured everything or something or maybe you know, you left something open. And that’s a huge challenge.

What I’m excited about is this rise of this concept called zero trust. And I know there’s a lot of marketing around it. But it’s probably, in my mind, the most important thing that has happened. We had an opportunity to interview John Kindervag a few days ago, he was one of the fathers of zero trust.

And, his whole journey started because he started working on a PIX firewall. And, he did not like the concept that there was one side that was untrusted and one side was untrusted. And he’s like, “come on, this is a computer. A computer is not a human.” You know, we built a society built on trust. You know, we trust one another that, you know, when you pay for something you trust that person.

Every interaction you do is built on this concept of trust. Computers don’t understand trust, they are built of silicon, rare metals, and they think in zeros and ones, trust is not a concept for them. So, that kind of sparked him on this journey of zero trust.

And if you think about how WANs are built and what I did with SD-WAN, what I did in my past, building out these networks, these global networks for Columbia Sportswear and others.

And I spent my career building these artefacts, artefacts of trust, and to me that was completely wrong. I should have gone a different way. And I think the future about branch connectivity is not good. It’d be about interconnections between a branch and a location, it’s going to be about building islands.

Essentially companies are going to be building these islands. And the connections going out are going to be these almost you could say “zero trust” connections out to a SaaS application, or it’s a remote worker. Those sorts of things!” 

To listen to the full episode, click here. 

Every Wednesday we sit down with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Risk & Compliance in the Cyber Security Industry 

In episode #69 of The Tech That Connects Us, we were excited to be joined by Chris Strand, Chief Risk and Compliance Officer at Cybersixgill.

With 20 years of experience, he’s a subject-matter expert in cyber risk and compliance and a regular conference speaker, most recently holding a Chief Compliance Officer role.

Earlier in his career, Chris founded and built the global compliance and risk strategy arm of Carbon Black, which became a fast-growing and critically important business unit.

We hope you enjoy this episode as much as we did recording it. 

How has the relationship between risk, compliance and security changed over the past few years?

I’ve experienced the good and the bad with this – a bit of both. I would say, “they’ve” – and it’s not by choice, but they have converged. And this is where I say there’s the good and the bad. There are a lot of folks in the industry that for obvious reasons, see the Risk and Compliance angle as a negative thing.  

And I understand why –  they’ve grown together, out of necessity. You fast-forward to today, and there are a lot of regulations, in fact, there’s too many regulations and frameworks, it’s confusing and mind-boggling. But, it’s still a necessity. 

Look at the state of the security industry right now. I mean, we’re under a barrage of threats, they’ve grown more than I could ever imagine when I started out in my career. So, you know, with that, you can observe almost a 45-degree angle of increase in the number of regulations, frameworks, and mandates; the privacy laws that we see, the national and regional types of mandates around privacy and data that have grown. So, they’re all in one place, because we have a need to try to measure our effectiveness to protect that data.

And again, I don’t view it as a negative, but sometimes it is a negative because we’re under such threat, right? It’s sort of like, why do you have five locks on your door now, whereas, you know, 10 years ago, you only had one – and now we do this because there have been more break-ins, it’s the same thing. We don’t like to see the world becoming a more dangerous place.  

How have you found getting back into things such as conferences?  

So, I found it extremely refreshing. I think most of us are social creatures. And I actually tend to be a very introverted person. I’m uncertain if that would surprise people because I love being in front of people, but on the other hand, I am a bit of an introverted person. So, it’s sort of a weird mix. But, since I’ve been able to get out and back into the public, back face to face and speaking with people, I can never look back.

I mean, it’s the most refreshing thing I’ve ever experienced, and a very surprising feeling as well, it was a euphoric feeling at the time! 

What has the ubiquity of cloud platforms and services for enterprises meant in terms of risk management? 

It’s thrown a wrench into risk management for sure. Because the accessibility of the cloud alone, I mean, there are so many security themes that we can talk about such as the move to the cloud, and what’s happened over the last five, six years or so. It’s definitely created a lot of stress for risk managers that are trying to work with what they used to see as closed systems.  

But one of the main themes that have become a huge thing and has helped evolve and create a lot of data privacy laws is the fact that data now is much more accessible than it has ever been with the cloud.

Now, that data is way more accessible, there are so many different threat vectors to that data that we’ve never ever had before we’ve never had to deal with. So, it’s made risk managers’ lives much more difficult, because there are a million more variables that you have to consider when you’re measuring the threat to that data.  

What major lessons do you feel that organisations need for this decade to better manage risk and compliance? 

When I think of lessons, it’s hard for me to say what a particular lesson is because I don’t want to sound like I’m preaching to organisations, and to say, you know, you should have learned this, you should have been doing this from day one etc.  

But I do think that there are a few lessons that we can look at. And one of the big things is, and this is very hard to talk about with different businesses is the transparency of their business process.  

The more transparent you can be with how secure your data is, the easier it can be to find faults. But, you’re basically asking someone to talk about their weaknesses.  

And businesses think “I don’t want to make it sound too weak”. Because, hey, if I’m an assessor, and I’m in an assessment with a retailer, let’s say, you know, and I’m asking them, where are all your faults and such? They’re thinking, Hmm, I don’t know if I want to tell you this. Because the minute I do, what if this gets out? What if I don’t trust this individual? Right? What if we don’t have a trusting relationship between us, and this gets out, and my brand gets damaged.  

But, the lesson is to be transparent as it’s done good for many organisations. 

To listen to the full episode click here. 

What are the major IT data challenges currently facing enterprises and governments?  

In episode #62 of The Tech That Connects Us, we were excited to be joined by Hash Basu-Choudhuri. He is the current GM at Cribl, and has held advisory and senior roles across the world, mostly in the EMEA region. 

We touched on his career so far, as well as specific topics around data challenges, crypto, and D&I.  

We hope you enjoy this episode as much as we did recording it. 

What would you say are the major IT data challenges currently facing enterprises and government? 

“Just complexity, look at the rate of change, I think if you look at the rate of change from 2000, it was not that high. Things weren’t being innovated at the rate they’re being innovated today.  

The problem today is that every three years there’s a new cycle riding. You had the mobile cycle, the cloud cycle, now you have the container cycle. And now, we’re moving into completely trustless environments using blockchain technology.  

Airbnb disrupted travel, and not even seven years later, Airbnb is probably going to get disrupted by blockchain! I think the biggest challenge is that.” 

How has the UAE handled COVID differently to other parts of the world? 

“This is a great question. So, this has literally been a business case study in probably how to do it right. The UAE has looked at the impact, looked at the facts, looked at the science, and been ahead of the game.  

I deal a lot with Emirates Airlines and Dubai airports. I would say 70 to 80% of the world’s vaccines fly through Dubai, because they’re manufactured in India. This is their distribution hub. And then from here, Emirates Airlines repurposed god knows how many planes into vaccine carriers. And then from here, they’re distributed globally. So, they’ve got the distribution for the world sorted.” 

What novel cybersecurity challenges does the growth of cryptocurrency present?

“When you’re talking about cryptocurrency, it gives you immense power, you do not have to trust the third party, there is no centralised system. But the problem with security from a blockchain perspective is that you are responsible for your keys, for your wallet, for your assets right now.  

Sounds simple, but how do you secure it? You just have to be very, very careful with the way you manage such assets. There are a couple of tech players out there that are trying to solve it with escrow accounts, and the ability to have extensive multi-party certificates.” 

What is your assessment of how well tech industries are tackling diversity? 

“So for me, obviously, you know, I fall into that category. But for me, it’s not about this, it’s about the diversity of thought. My background is not going to be exactly the same as your background.

But, if you can attract talent and have multiple different mindsets, it’s good for business. Look at your target audience, which is the world, right? If you want mass adoption, it’s everyone. So, you kind of have to mirror that. And you can’t mirror it if you don’t have a diversity of thought.  

I think a lot of these companies are leading with just hard metrics. And it’s like a sales process, right? You can do metrics one, two, and three, and you don’t do anything at the end of that, right? When really, it’s the way you interpret that data. It’s the way you apply it. And it’s really what you do with it once you have met those targets.  

I think a lot of companies are just laser-focused on “we need to have this many Asians this many, you know, blah, blah, blah” right. And I don’t particularly like the topic because I think it’s an over-rotation, it should always be merit-focused. And it should always be diversity of thought that you get from it over anything else.” 

You can listen to the full episode here.

Cyber Security Key Trends. neuco’s annual 2022 key trends report.

What’s in store for the Cyber Security industry?

2022, where’s it going to go, what does it have in store?

We’ve collated key trends from some of the influential figures across the 4 sectors we recruit into – Cyber Security, Connectivity, Content & Media and Satellite & NewSpace.

We’ve spoken to experts from companies such as Sky, Orbit Fab, Casa Systems, and A5G Networks.

If you want to find out what we think will be the key trends for cyber security this year, then just click the link below to download now!

Click here to download now.

What does the threat landscape look like right now for OT?

Joining us for episode 50 of The Tech That Connects Us was David Brown, Vice President and General Manager, International Sales – ZeroFOX. We heard his insights on the OT domain – where he’s headed up both IPOs and acquisitions, what really keeps CISOs up at night, alternative models for industry events, how to recognise the potential in new hires and that’s just the tip of the iceberg.

One question Jake Sparkes and John Clifton put to David was ‘What does the threat landscape look like right now for OT?’ Here’s what he had to say.

“There’s no doubt that there are more types of attacks now on OT. We’re seeing ransomware popping up a lot more commonly, or at least we’re hearing about that more now. 

One of the interesting bits about OT is actually when you look at the infrastructure it’s built on. I’d still say that Windows NT and XP are probably the most prevalent operating systems in an OT environment around the world. 

So what does that mean? It means that there’s a tonne of exploits available straight off the internet, you don’t need to be that smart. But if you work up through the levels of sophistication and if we’re talking about large organisations they’ve got quite a sophisticated security posture. 

The two things that I think are really interesting at the moment in that space is the consolidation of the technology to see what’s going on in your OT network. Because if you are a CISO or an information security director then you’ve got more flashing lights than you know what to do with. You may also have an ageing workforce without the domain expertise to understand what’s going on.

So I think there’s going to be a bigger drive for how do you consolidate all that stuff into a single pane of glass, there’ll be a drive to provide either AI or a managed service that provides recommended actions and remedial work for the top three to five actions that the organisation needs to be focused on. And those actions will be evidenced by what’s going on outside in the rest of the world. 

The second thing that’s of interest at the moment is risk. So you’re seeing now there are new bills going through in the US, and CISOs are looking at what’s the risk across all of my platforms IT and OT. A drive for this is that it’s not been so easy to understand what’s going on with OT, because you’ve had all these flashing lights and an unconnected system, with a lot of tech but it’s just not connected.

The reason they want to know what their risk is because there’s also a developing insurance market where a number of insurers are getting together and looking at how they can take IT and OT cyber risk and turn that into a sellable product. When we look at the potential of that market it’s probably 30-40 times the size of the complete OT market. What I can see we will get to in the next 2-3 years is a similar system to the black boxes currently being used by vehicle insurers, so you’ll have a premium and it will vary depending on your attitude to risk and your controls that are in place across the whole estate. That then allows organisations to make an economic decision because you might say I will stand the increase in premium which justifies me doing these things across my plant. 

This then becomes a very much return on investment decision. It’s not about fear, uncertainty and doubt it’s actually about economic imperative.” 

Is the Cyber Security industry getting cloud security wrong?

Joining us on episode 47 of The Tech That Connects Us was Trish Cagliostro, Head of Worldwide Alliances at Wiz. Trish joined Laurie Scott and Andrew Ball. They only scratched the surface in a conversation that spanned Cloud Security, threat intelligence, the partner landscape, Cyber’s diversity challenge, the joys of softball and much more!

Trish is a thought leader in the cyber security industry, so whilst we had her on the podcast we needed to find out if the industry was getting cloud security wrong as is mentioned by commentators in the industry. Here’s what Trish had to say. 

“Cloud security is hard. It’s hard and it’s a little bit different from what the rest of the industry says. Cloud security isn’t so much of a problem for the born in the cloud companies, such as Netflix, they’re fine. Where this does become an issue is when a traditional enterprise goes to the cloud. Organisations go to the cloud for innovation, the costs savings are nice, but it’s the elasticity and the ability to endlessly expand and instantly expand globally that is powerful. 

However, the way these traditional organisations go to the cloud typically looks like this. They look at their applications on-premise, they go with what’s easy and upload some VMs into the cloud and expect to take their on-premise security structure with them. 6 months then go by, and the customer is thinking that they can’t innovate and they aren’t saving much money. So they want to look at what they can do differently from here. They’ll then start to refactor some of their applications, containerise, embrace some more modern application architecture, replatform and kick the Oracle legacy databases to the curb. 

Now the organisation will have a stopping point on their cloud adoption, they have their legacy on-premise tools supporting the legacy workloads. So now they need to go out and use some cloud-native services as all the cloud providers have cloud-native services. But they’ll have some very different types of computing that are very different in the cloud than they are on-premise. Then there’s the idea of a managed service which comes with the complication of the shared responsibility model. So at this point, the company will be looking at different tools from different vendors for niche cloud security. This is where the breach happens, all of a sudden, there are three separate data silos, the traditional on-premise tools, the cloud-native services from the cloud providers and the new types of security tools that were brought in to deal with the new types of cloud computing. 

So now these organisations still can’t innovate, they’re probably spending just as much money as they were in the first place, then the cloud provider comes in and says ‘let me tell you about serverless’. The whole model is then broken. So in this instance, I don’t think it’s fair to blame the cyber security industry. It’s a shared responsibility between the industry and the customers as well, to think differently about security in the cloud.

I meet with partners all the time, and they’ll say to me ‘Okay got it, it’s the same way we dealt with data centre security.’ But you can’t think that way. You have to think of a customer and the entire cloud journey they’re going on, and then understand how to build a security strategy that supports them across that.

The other part of this is beyond just helping them with the security strategy and explaining that the customer will need to have an unusually long term vision with this and that we need to be transparent, understanding and really dig into what we’re doing in the cloud. A lot of time to the customers it’s not obvious, they’re normally using a managed service and think they’re good. You need to have a clear understanding of what your responsibilities are as a vendor, then make sure you have the controls and mitigation in place to account for what’s really important.  

I really do think that when we think about this we can’t just think about it in phases, we have to think about it holistically through the journey.”

What are the Emerging Marketing Trends Within Cyber?

On episode 42 of The Tech That Connects Us, John Clifton and Jake Sparkes were joined by global Cyber marketing expert Reuben Braham.

In the episode, we heard Reuben’s thoughts on the marketing trends that are emerging in the cyber industry.

“Anything that we talk about regarding marketing trends, is actually a bit different to what we’d be talking about 18 or 19 months ago before we had the COVID 19 pandemic. 

Before the pandemic, it was different because we could travel and meet people face to face and be present. What I’m seeing now is that the world is ready for a more hybrid model of business, so our marketing needs need to focus on gearing up and being part of the virtual events and conversations, we’re having over Zoom right now. It’s something that is now more acceptable even for business meetings with CEOs, CMOs etc. So, we have to be ready for a hybrid business model.  

On the other side, we need to understand that people are going to be hit with a lot of virtual requests and that ‘Zoom fatigue’ is real. All the different vendors and suppliers will want to have virtual briefings which will start to take its toll on our customers.

The best strategies I’m seeing currently are around creating thought leadership content that can be circulated to your target audience, companies need to be building more blogs, building more thought leadership content and educating your market. 

When you’re building content you should be focusing on your perfect customers, understanding their pain points and doing your best to help them by being consultative with your approach. 

As a marketing department, you must be doing targeted research, and then use an account-based marketing approach, not just a shotgun approach trying to hit everybody. If you can build a library of very good content that can educate your audience and continue to educate them then that’s something that will have a massive impact on your business. 

In my first 6 months at Cyberint, our first task has been to build up our content library, I really believe that creating great engaging content will work wonders for not only engaging with your current and potential clients, but it’ll really help with our website SEO. Once you’ve built up that library of content potential customers will understand that you’re a player in the marketing, and they’ll start to differentiate your business from the competition.  

Virtual meetings and virtual events are starting to have their toll on people, and people would rather consume content at their leisure rather than at a set time. 

There’s also a lot to be said too for building out good automation and allowing 70-80% of your customer’s journey to be done through marketing automation. The more content you can give your potential client the more they’ll know about you and the more they’ll see you as the business to work with over your competition.”

UNICORN-UCOPIA. – $1bn Cyber Valuations we’ve seen this year

Investors have been chomping at the bit so far in 2021, creating a record-breaking* 12 galloping Unicorns to fight global cyber criminals.

Most recently, the end of April saw Vectra AI join the club, winning $130M in their latest funding round and a valuation of $1.2B.

In other news, UK stallion Darktrace went public, after a very thorough examination of its dental records.

*“A record was set in the first quarter of 2021, with 12 cybersecurity unicorns created globally, which is more than double the previous quarterly ” PitchBook (Private market data provider)

Vectra gains $130M funding and $1.2B valuation

Vectra AI, a cyber security, threat detection and response firm has announced an additional $130m round of funding.


Darktrace shares jump 32% in IPO

Cambridge-based cyber security company Darktrace and its backers raise £165m in London debut.


A unicorn on steroids

Wiz raises $130 million series B to reach $1.7 billion valuation a year after its launch


Aqua Security hits unicorn valuation after completing $135 million series E

The Israeli cybersecurity company has stayed ahead of the cloud revolution, refuses to be sold and has its eyes on some acquisitions of its own.


Orca Security raises $210 million, becomes ‘unicorn’ with $1.2 billion valuation

Google’s growth fund leads investment in the Tel Aviv-based cybersecurity firm set up 2 years ago by former execs of Check Point Software Technologies.


New unicorn Axonius raises $100M to expand its cybersecurity asset management platform

Cybersecurity asset management startup Axonius Inc. today revealed it has raised $100 million in new funding on a unicorn valuation of above $1 billion.


Automation for the people

Snyk raises $150 million at $1 billion valuation for AI that protects open source code.


Lacework Banks $525 Million as Cloud Security Market Heats Up

Lacework, a five-year-old cybersecurity company that automates security across enterprise cloud deployments, has reached unicorn status with the closing of a $525 million round of Series D financing.


These latest additions mean that there are now 31 Cyber Security Unicorns due to go public.

So what’s behind these huge valuations, is it set to continue – and what does it mean for the Cyber market in general?

Rather than dampen cyber spending, the rapid digitalisation caused by the pandemic has revealed worrying gaps in IT Infrastructure – further exposed by the accelerated move to Cloud and home working.

And it’s this exponential growth in demand that is causing investors to feel bullish and make sure they are on the right side of these major technological shifts.

Cyber is a huge growing market with healthy competition and – so far –  few monopolies to keep a lid on sky-high valuations, so the trend certainly seems set to continue.