On The Cyber Security Matters Podcast we were joined today by Isabel Bardley-Garcia. She is the Director of Information Security at Helion Energy, driving company wide security strategies, programmes and initiatives. They are currently building the world’s first fusion generators and enabling a future with unlimited clean electricity. Isabel has over 18 years of experience in the cybersecurity sector, including leading and driving the transformation and automation of National Cybersecurity consulting services. With all of that experience, Isabel has some fascinating views on the evolution of the cybersecurity industry, the highlights of which are below.
How have you seen the role of security and risk management within cyber security mature and evolve during your career?
The role of security and risk management has gone from being just a compliance issue, either to a regulation like Sox or GLBA, or standard like PCI DSS due to more companies, and especially the government, taking it seriously. It’s more about protecting the organisation from major losses, crippling interruptions, or even failures of the organisation, and also about helping organisations to grow and to succeed. We’ve gone from doing things because we’re told to do it to doing something because it makes sense to actually do it.
Do you think that cybersecurity is taken more seriously in 2022, rather than the early 2000s of them when you were first starting out?
Back in the early 2000s it was very frustrating to be an information security consultant, or just a cybersecurity professional. Like I said, companies didn’t really take it that seriously if they didn’t have a regulation or standard. As professionals, we saw the attacks and we had to protect our companies against them. When we saw that the attackers or the threat actors were getting bolder and more sophisticated, our companies and even the government at that time felt further and further and further behind in this cyber warfare, to the point that many of them denied it was even happening. They were like an ostrich with their head in the sand. They just didn’t believe that they would be targets, because they sold blouses instead of missiles. They didn’t think they had anything that the threat actors wanted, and even the government thought of warfare as a physical thing and not a cyber thing. We were watching it all happen, and it was very frustrating.
20 years later, after so many breaches and after learning about all the foreign actors from different countries who are trying to cripple other nations, down to their infrastructure, to steal intellectual property. The regular threat actors who are trying to steal intellectual property to sell credit cards, social security numbers, personal identifiable information for identity theft… they’re still there, but having breaches is being taken more seriously. It’s reactive more than proactive, and now more and more companies, as well as the government, have really gotten into beefing up their security. They’re seeing it more as a risk management issue instead of a compliance issue.
We still have a way to go, because there’s still a lot of companies that have that old mentality that is still very pervasive. Some companies still think that they can just offshore or push off securities, saying ‘we have service providers taking care of that, we have third parties taking care of that, we don’t have to worry about it’. Now we’re getting more and more breaches, where the third parties are being breached in order to be able to get to their whole client base. That’s starting to be taken more seriously, and companies are being more proactive, which is a great direction to go to. We’re still a couple of decades behind, so we need to hurry this up.
How do you see the industry developing in 10 years time?
I think that with all the different frameworks that we have now, companies don’t really have much of an excuse to not know what they’re supposed to be doing. And a lot more of them are taking those frameworks and implementing them into their own organisations, and they’re using the risk assessment management approach a lot more than just checking the box for whatever compliance, so it’s become more holistic. Companies are becoming more educated as to what cybersecurity is and how it pertains to their company, the C level are educating themselves about it, and realising that it’s not an IT problem, that it really is a risk management problem. Even boards of directors are bringing on people with security experience to advise them. It’s becoming more mature and more known in companies.
The way that I see this going for the cybersecurity profession is that cybersecurity roles are going to become more focused and better defined. I think that the workforce framework is going to really help with that. We won’t have cybersecurity professionals being asked to perform three or more roles, so the firewall administrator isn’t also expected to be the database administrator, they’re just strictly the firewall administrator. A lot of the burnout we’re having in the profession is that we were expecting our professionals to wear many different hats that are very different from each other. From an education perspective, we’re going to start having more places of education with a wider variety of more mature cybersecurity degrees and training programmes to choose from. I’m hoping that by that time, cybersecurity will be its own separate department with its own head that then reports to like the CEO, or legal or something that makes a bit more sense than like the CIO.
From a vendor perspective, it’s going to keep growing, we’re going to get more tools and platforms. Because the buyers are going to be a lot more sophisticated in their knowledge of threats, vulnerabilities, control frameworks and how it pertains to their domain’s responsibility, they’re going to be a lot more discerning and selective in their purchasing decisions. They’re going to be looking for products that fix a specific problem, which then will force the vendors to start focusing on the core functions of their products instead of trying to build them all-in-ones. Vendors are going to have a harder time getting people to buy the shiny new thing, because the sophistication of the buyers will be much greater by that time.
To hear more about the future of the cybersecurity industry and Isabel’s unique perspectives, listen to the full episode of The Cyber Security Matters Podcast here.
We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.