The Importance of a Capability Model

This post was written by: Jake Sparkes

On Episode 3 of The Cyber Security Matters Podcast we were delighted to be joined by Caleb Barlow. He’s an entrepreneur with a technical background and he’s equally comfortable presenting at TED talks or primetime news as he is consulting the board of a major health care provider. As VP of threat intelligence at IBM, he built one of the largest incident response platforms, including the world’s first immersive cyber range. He went on to be President and CEO of supply chain security business Redspin, helping them become the DoD’s first approved third party assessor, at the same time as taking the helm at parent company Synergist Tech, a cyber services firm with an emphasis on health care. He’s currently heading up his own business, Cylete, where he advises private equity firms on the right cyber businesses to target. It’s an impressive professional history! 

We covered topics from diversity in the industry to the ways that Covid has impacted the landscape of cybersecurity. Here are some of the highlights from that conversation. 

What one piece of advice would you give someone entering the industry?

This is an industry that has a language to it, and you really need to understand that language to be credible. This is an industry where information has a shelf life, because attacks and defences are constantly changing. I mean, this is not an industry that you could easily pack up and leave for a year or two and come back, because everything’s going to have changed. What I tell people is they have to stay informed of the news of the industry every single day. I think of it like Game of Thrones, right? If you’re a Game of Thrones fan, the first few episodes, you have no idea what’s going on. It takes a season or two before you start to get that all these things are connected. I think the cybersecurity industry is the same way. Whether it’s through the cyber wire or your podcast or a threat feed, you have to stay informed about this stuff, and you have to do it every day. What I’ve always said to my teams is that if you haven’t read the news, don’t come into work today. I test because if you don’t know what the latest attack was and what it means, and you get asked by a customer, you’re totally not credible.

How has the term critical infrastructure broadened in recent years?

I think we need to redefine it. When most people talk about critical infrastructure, they refer to health care, energy, finance… It’s a very World War Two mentality in terms of ‘what is critical infrastructure’. Let me ask you this, at the start of the pandemic, what did you really need? I don’t know about your household, but the critical infrastructure in my household was getting access to goods and materials during a supply chain crisis and being able to communicate with friends and colleagues and being able to send my kids to school. One of the things we have to do is realise that the pandemic brought us a whole new way to work and a whole new way to educate, so our critical infrastructure has to change. We’ve got to look at cloud providers like Microsoft, Amazon and Google; that’s critical infrastructure. Now, we’ve got to look at things like zoom, which is how my kids went to school and how I went to work. It’s an absolutely critical infrastructure. I couldn’t care less about my phone system, I need my Zoom. Suppliers that deliver things like Amazon and Instacart and large retailers that were able to keep supply chains moving like Walmart – they were critical. A lot of what we have to do is really rethink how we think about critical infrastructure and what critical infrastructure is. 

You’ve made high profile media appearances over the years and also specialised in consulting the C suite on information security, is there a major or unifying message that you strive to get across?

It’s really all about having a capability model versus just having procedures and documentation. You need to build capability in four key areas. The first is obviously cybersecurity skills and incident response. Number two – and this is surprising to most people – is communication skills. If you don’t know how to communicate internally, externally, with your partners and with your customers, things aren’t going to end well. If, during a crisis, you can’t communicate what to do, people are going to fill that void with their own speculation. I would argue that the vast majority of high profile breaches we’ve seen over the last 10 years are down to poor communication. Lacklustre communications in decision making causes more damage than the threat actor in most companies, because people either don’t communicate, which is a decision in and of itself, or they communicate bad data, not knowing what to say and how to say it, or they go sideways with regulators. The third area you need is legal, and the fourth capability you need (and this is the tough one), is business resiliency skills. On any cybersecurity response team, it is critical to have business skills that can understand what can the business handle, what alternatives might we have and how could we stand up the business in another way. Our threats aren’t any different than a fire or a flood or a natural disaster. You have to think about resiliency if you can’t get access to your IT systems.

What do you see as the prospects for cyber during the next decade? 

The simple fact of the matter is that we are still in an industry where we do not have enough people to fill the open jobs. The need for those skills only continues to grow. We are starting to solve some of the problems though, we’re starting to become a more diverse industry, which is great. Some of the pipeline of getting skills is starting to get solved, but like any industry, the next round of innovations may, in some cases, be repeats of things we’ve seen before. Ultimately what I do think we’re likely to see now is kind of the second generation of companies starting to step in. A great example of this would be as the EDR market moves to XDR, we’re starting to see the next generation companies coming in and solving the same problem but with a very different business model. Like any industry, those optimization companies will probably be the ones that win in the long term as the industry turns over.

To hear more about the future of the cyber security industry, tune into the full episode of The Cyber Security Matters Podcast here.

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Let's talk

    Or contact us on one of our social profiles.

    Facebook Icon Twitter Icon LinkedIn Icon