Mobile Application Security 

Mobile application security is a growing part of the Cyber Security industry. To help us understand and address its challenges, we were joined by Chris Roeckl, the Chief Product Officer at Appdome, on Episode 31 of The Cyber Security Matters Podcast. He shared his perspectives on the state of the sector, his insights into the key challenges of keeping mobile applications secure, and their impact on compliance. Read on to find out what he said.

How do you assess the state of the mobile security space as a whole?

The mobile app security market is rapidly changing. There are lots of reasons for that. Probably the most important one is that mobile apps are now the dominant channel for interacting with digital brands. It’s not about websites anymore, it’s all about mobile. The bad news here is that people who break into networks are zeroing in on mobile apps, which is driving the mobile security market. 

The challenge, particularly in today’s economy, is that CISOs and other decision-makers within mobile app security don’t have as many resources as they had in the past. They are either freezing their hiring or letting go of developed cybersecurity engineering teams just to cut costs. It’s like that old analogy of cutting off your nose to spite your face, but it is the reality of business today. They’re also trying to zero in on how to do more with less because budgets are under scrutiny. The thing is, bad actors aren’t taking the day off because of budget cuts and personnel reductions. The number of attacks just continues to grow and grow and grow.

We don’t like to focus on scaring our customers or prospects; we want to help them. We don’t spend much time talking about the bad actors doing bad things, but they are, and the mobile brands we support know that. We don’t have to take that message to the market, so our focus is on getting them to an outcome. How do we solve this problem? Every mobile brand’s challenge is unique, and our goal is to make sure that we can solve those unique challenges for them.

How are these key challenges within mobile application security addressed?

The first thing that you have to realise is that web-based and desktop apps basically all have the same technological components, which makes it fairly simple to solve security problems. Now, in the mobile world, apps are built with 15 different development frameworks, which you can mix and match. You may have heard of things like Swift, Java, or Kotlin. They’re all different languages that you can code in. That creates unique scenarios. It’s not homogenous; it’s heterogeneous, which makes mobile app security difficult. 

The other thing is that there are a couple of different approaches to solving that. If you go back 5 or 10 years, software development kits were developed by security companies for mobile, and they basically give you some code. Your job as an enterprise or mobile brand was to add and maintain that code in your own application, which had its own challenges. The simplest challenge was that the software development kit you got might only work with 3 of the 15 development frameworks, so as a mobile developer, you have to make a choice: either I need to rewrite my app to get in the security bits, or I need to go look for some other solution and then cobble it all together.

At Appdome, we decided to take a completely different look at the market. We built a machine that takes account of all these frameworks and then builds an implementation of the security based on the buttons you tick on the platform for the security protections you need, and delivers that solution, with no coding needed. In a world where you’re losing resources, we think the movement to more of a machine-based approach to mobile app security is going to win the day. 

How does that impact the compliance side of things?

Cyber compliance is a really critical topic. Firstly, there are external regulatory compliance requirements. Secondly, there are a bunch of internal-facing requirements. Mobile brands oftentimes publish some sort of cyber pledge on their website for general security, saying ‘We protect your data this way.’ What is becoming very apparent is that those cyber pledges apply to the mobile app too – it’s not just about the website anymore. It’s not just about the way that your data is protected in the backend infrastructure; it is all about the mobile end user using a mobile app. 

Being able to do things like ensure that the cyber protections are actually built into the app is a cyber requirement, but the work is done by developers. So how do you bring the developers and cyber team together? Do you produce artefacts within the production process that say, ‘This encryption was added’, ‘Obfuscation was added’, or do you reverse engineer whatever the features are that the mobile brand is looking for? The ability to do things like UI testing is super important too. All of those compliance elements have to fit together into this jigsaw puzzle called mobile app development. Over the last two years, we’ve seen this go from kind of a low-level thing to a high priority within cyber organisations.

To find out more about securing mobile applications, tune into Episode 31 of The Cyber Security Matters Podcast here.

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes, and don’t forget to subscribe.

Exploring Key Talent Topics in Cyber Security

There are talent shortages across the Cyber Security sector, and startups are no exception. On Episode 30 of The Cyber Security Matters Podcast we were joined by Crystal Poenisch, the Director of Product Marketing at Chainguard, to talk about her views on the talent issues facing the sector. Read on to find out what she said. 

What do you think companies can do to attract people from diverse and non-traditional backgrounds into the cybersecurity industry?

I think they’re already attracted – I think they’re desperately trying to get in. There are people more qualified than me that can’t get jobs. Companies need to make their company accessible and welcoming to diverse people from different backgrounds. I couldn’t be a director at a public company, they had to give me a ‘head of’ title because I didn’t have a master’s degree or an MBA. That was just five years ago. There are people who are attracted to the industry, so it’s about recognising the ones we can bring in and train up and not looking at it like we’re training them from the ground up. People from non-traditional and diverse backgrounds are often the fastest learners and the most agile and innovative people I’ve ever employed. 

How have you seen diversity kind of change in the industry since you joined?

It hasn’t changed as much as I’d like. I wish it would change more. I think one big thing that is really heartening for me is that there are male allies and allies across the board for people from all backgrounds, not just women. There is a lot more blatant support for these things and a greater recognition of the need for diversity. We need to hire more people, so more people are coming in and it is more welcoming. I see that the women who have come after me have had a much easier time, and it’s a lot easier to join now as someone from a non-traditional background.

You mentioned that bringing in people from a wide range of backgrounds benefits growth. Could you explain that a bit more? 

When building a startup, you need people with skin in the game who want to win as much as you do. People who have not been given a shot are gonna be pretty hungry to win, and I think that was our competitive advantage at Okta. We intentionally hired people from non-traditional backgrounds all over the world, and we adopted an international, remote-first style of work, even before COVID. 

We said, ‘Let’s get people from all different backgrounds who align with our values, and hire team players who are resilient, who want you to win, and who aren’t just in it for the paycheck. We’re looking for the people who are genuinely trying to change their lives, and get into cybersecurity to make their life better for their family.’ Those people are deeply invested in your success and are going to help you grow in ways you may not even imagine. They have so much to offer from different backgrounds, and that will come in handy when you really need utility players who are passionate about your company. 

What are the key talent topics that need addressing the most at the moment?

I can only speak for what I see in startups, but I think the Cyber Security industry faces a massive talent shortage. There are stats out there saying that there are a million jobs that we need to fill that we’re not filling. There are a lot of people saying we could just automate those roles, we don’t need to increase diversity, equity and inclusion in the talent base, or that we could figure out a technical solution. I don’t want to say that’s naive, but we need to think bigger than that.

Some leaders do this well, but I think we don’t hire for things like grit, resilience or people who have something different to bring to the table. When you have people always solving the same problems the same way from the same backgrounds, you become worse problem solvers. We need to adopt the mindset that we have done a less than sufficient job securing our critical infrastructure for the last however many years because no one has paid attention to the industry as a whole. It hasn’t been regulated, and diversity has not existed in Cyber Security. We’re seeing a lot of holes, and we’re seeing the pitfalls of that. 

There are a lot of problems we cannot solve in this industry right now because we don’t have enough innovative people involved. I speak from a Western and American perspective, but our biggest challenge is finding talented people. We need to learn to recognise talent in a broader and more cross-functional way because different people bring a lot to the table. If they haven’t been working in cybersecurity for 20 years, that might actually be a benefit. We need to learn to recognise different skill sets that maybe we haven’t had traditionally.

To hear more from Crystal, tune in to Episode 30 of The Cyber Security Matters Podcast here.


How Tosibox is Reshaping OT Cyber Security

In Cyber Security, we are always looking for new, innovative ways to secure critical infrastructure. On Episode 29 of The Cyber Security Matters Podcast we spoke to Dmitriy Viktorov, the CTO of Tosibox, about how he’s bringing his experience with cloud protection solutions to a new market. Read on to find out more about securing data through OT networks. 

What are the main challenges associated with securing critical infrastructure?

I’m coming mainly from the IT security world, but now I’m jumping into what we call the industrial operational technology world. There are many similarities, especially on crates, but the OT and maybe IoT domains are lagging behind. They’re more conservative compared with IT or cybersecurity in general.

One thing that is quite important for customers is operational continuity. You can take some IT systems down for a short period of time if you need to patch them, update them or migrate them. In OT, it’s very difficult to do that because you are providing critical services, such as buildings, manufacturers, careers – you name it. You can’t take them down. If you want to apply a patch or you need to reconfigure something, that’s a big thing.

We also know that the lifecycle for cybersecurity products is way longer than you might think because you don’t see the whole lifecycle. I remember when we were defining the lifecycle model, we said it would be a maximum of three years in OT, but it might actually be around five or even ten years in total. 

The other challenges in ICT and OT cybersecurity are the emphasis on legacy systems. There are several technologies in OT that are used by customers that rely on protocols which have nothing to do with TCP/IP. On the IT side, there are limited skills and technologies. It’s also about complexity and interdependencies – and again, a lack of patching and updates – and insider threats. Some infrastructures are physically exposed, which allows threats to get closer to them.

How is Tosibox unique, and how does it solve some of those challenges?

Tosibox is in the specific niche of the whole of OT cybersecurity. However, we like focusing on network security. We are helping customers with at least one – or maybe a few – particular problems when it comes to OT cybersecurity and network segmentation. We are implementing access control, and we are making sure that our customers can do it easily, securely, and more automatically. Because, as I said previously, customers might use different technologies or different protocols, our unique proposition is that our platform is actually protocol-agnostic and even industry-agnostic. Even if you use old legacy technologies and devices, Tosibox makes it easy to connect with your IT network and then manage it remotely.

To hear more from Dmitriy, tune into Episode 29 of The Cyber Security Matters Podcast here.


Addressing Diversity at a Grassroots Level

Diversity and inclusion have been prevalent topics across the Cyber Security industry for a number of years. On Episode 28 of The Cyber Security Matters Podcast we spoke to Aarti Gadhia, the Principal Security Specialist at Microsoft and the Founder & CEO of Standout To Lead, about her perspectives on diversity in the industry. With over 15 years of experience in the Cyber Security space, as well as being named one of the Top 20 Women in Cyber Security Canada, Aarti has some incredible insights on the topic. She also shared her advice for companies who are looking to address diversity at a grassroots level, which you can read below.

“Change is taking place – which is good – but we need to accelerate that change. There are so many statistics that show how far we still have to come. ERGs have been formed to influence changes at an organisational level, but everyone has to solve this problem. We shouldn’t just leave it to the affected groups to solve it. The first thing we could do better for diversity is acknowledge that everyone has a bias, including me, and we need to challenge it. Hiring managers need to find ways to challenge their own biases, which means starting by looking at your existing process and seeing where you could improve it. Each hiring manager needs to challenge their own process and look beyond just having 50% of resumes that are from diverse candidates. That process needs to be changing.

The industry as a whole has been talking about changing the requirements. Instead of putting the emphasis on the number of years’ experience that you need to have in order to get a management position, the emphasis should be on demonstrating strong leadership qualities, right? Just changing that will give people an opportunity. There’s a great one that I saw on LinkedIn, where men get hired on what they’ll bring to the company or role, versus women, who are hired based on what they have to prove. Give everyone an opportunity! Instead of pursuing the standard or traditional qualification you’ve always hoped for, change your requirements to give other people a chance. 

After that you need to look at retention. The industry is doing a good job in bringing in more women, but that’s not what it’s about, because at the same time women are leaving the industry. There are two reasons for this: the first is a barrier to growth opportunities, and the second is a lack of inclusion or belonging. We’ve heard in one of your other podcasts someone who shared that she was told she was emotional at work. The issue is that feeling of being labelled. We don’t feel welcomed when we can’t bring our true authentic selves to work, and that’s why we leave.

I’ve seen many organisations try to solve this problem by sending us all on leadership courses, but it’s not about a lack of leadership skills. It’s about opening the doors and fixing that broken rung on the ladder. You’ve got women in your company, but what are you going to do to retain us? Are you going to give us the opportunity to develop? That’s another thing that the industry needs to really think about; how do we grow diverse talent and retain them? How do we make sure that they can continue to be their authentic selves? 

Finally, we need allies. We’re seeing allies in the industry who are supporting us, but we need more to take action. I get so many allies that come to me saying, ‘this is important because I’ve got daughters’. My next question to them is, ‘if you didn’t have daughters, would this still be important to you?’ It shouldn’t be a checkmark exercise for individuals. Everyone needs to solve this problem. It shouldn’t be hard to solve this problem if everybody’s on board. For allies, think about what you can do. Start thinking about what you can start implementing – don’t wait to be told. Don’t worry about saying the wrong things, because what really matters is that you’re genuine. We just need your voices. We need everyone to be on board, because that’s how change is going to take place. Try different things out – even try reverse mentoring. There’s a lot that you can learn. Try seeing things through our lens to better understand what’s happening. 

There’s a lot I could talk about when it comes to what needs to change. Fundamentally though, it comes back to those three things: bias, retention, and allies.”

To hear more from Aarti, tune into Episode 28 of The Cyber Security Matters Podcast here.


Inside a CTO Role

The role of a Chief Technology Officer develops as rapidly as the technology that they work with. On Episode 27 of The Cyber Security Matters Podcast, we were joined by Nurettin Erginoz, the CTO at Radiflow, to explore his experiences in the role. Here’s what he said:

Can you tell us about your journey to becoming Radiflow’s CTO? 

I had just started as a teaching assistant at the University when DDoS attacks became much more popular in some hacking groups. They were targeting some government places and agencies. I got an invitation from one of the companies that is famous for innovative application firewalls and DDoS mitigation and protection services. I joined them as an information security management and technical director. 

Then IBM has a role there too. I was initially responsible for Central and East Europe there, but they upgraded my position to the whole of Europe. That gave me the chance to meet different cultures and see different attacks in different geographies and sectors. 

A big milestone for me is going to big educational places or different sectors like government, military, etc. to see exactly what is happening there. I built a team as a Deputy General Manager from scratch – I created the whole cybersecurity team and SOC and forensics labs as well. Afterwards, I jumped into a startup, which we took to exit in three years. I got hands-on experience with mergers and acquisitions, then transitioned directly into this CTO position, concentrated on the strategic part, because security is a live sector. 

Even day-to-day, everything is changing in our sector, so strategy is very important here. From a product perspective, the attack surface and technical elements, together with the strategic selling points, mean that there is a lot to stay on top of—even before reaching regulatory milestones.

What are the main challenges that are faced by any CTO?

For any CTO, it is a challenging role. Previously, it would have consisted of managing the research and development team and focusing on coding, but now everything is changing. We have DevOps teams and SecOps teams, and everything is connected. The threat landscape is changing too, so CTOs have to understand it whether they’re coming from cyber or not. All CTOs have to understand the threat landscape, because of the concerns around security and balancing it with business goals. The product should be running without security blocking its process or development.

Compliance and regulations are another challenge for CTOs. The number of regulations is increasing day by day, so CTOs are having to get familiar with the area that their product or company is in. When their management adds another topic connected to the supply chain, that adds more security as well that we have to understand. It’s a CTO’s responsibility to manage the vendors and understand performance and risk levels as well. 

There are so many challenges to juggle, like incident response, cloud security, IoT mobility, and the board and executive committees’ coordination. Communication is another big topic that all CTOs must concentrate on because we are always talking with stakeholders. 

To find out more about life in a CTO role, tune into Episode 27 of The Cyber Security Matters Podcast here.


What Does the Future Hold for Cyber Security and Its Relationship with AI?

On Episode 26 of The Cyber Security Matters Podcast we were joined by Simon Hunt, the Chief Product Officer at Reveald. Simon is a prolific industry leader and inventor within cybersecurity and technology, specialising in protecting financial information. He also sits on a number of boards within the Cyber Security industry and volunteers with the American Red Cross. During the episode, Simon shared his insights into the relationship between Cyber Security and AI, which you can read here:

“I am super excited about the possibilities of generative AI. But, let’s remember that generative AI is guessing what it thinks the most likely word to come next will be. It’s fascinating how much reasonable content it has created just by guessing what word comes next using statistics. That’s fascinating to me. Ask ChatGPT to write a children’s story or love letters to your wife and it’s amazing.

But the eye opener for me was that the systems I built create very complicated output, and you have to have a huge amount of expertise to interpret what it generates. We do a lot of work to turn that into stories that people understand. We found that we could throw that raw data into a generative AI model and it would make a readable explanation. If I wanted to tell somebody what their problem is, it would do that perfectly for me. 

I realised I could do it in Japanese, or Baja, I could tell it to write it in any language – and it’s not translating the English output into Japanese, it’s translating the raw data into Japanese. The translation or output is still a beautiful, understandable story. My challenge was taking raw data and making it simpler, because there used to be a huge natural language problem. Now it’s generative AI’s problem. 

Now, of course, we have the problem of misinterpretation, but we have the opportunity to eliminate the requirement for super talented experts and make our process more scalable. That is intriguing to me. I’m not trying to automate everything; I’m saying that we should automate as much as possible and redirect human talent. 

For me, AI is not discovering new things, it’s making our discoveries consumable and actionable for a wider range of people. Who knows where it will go? But now we can take entry level people that are at the beginning of their cybersecurity awareness, and make them as powerful as the experts of today. If we can do that, then we can cut the legs off this problem. 

Fundamentally, it’s not intelligence. AI is not adding any unique insight. It’s shocking how little unique insight we need to write a two page children’s story just by predicting the words that come next. However, we need to be careful with our expectations. You can’t ask it to solve cancer. If it came up with an answer, it would just have regurgitated something that a person has already tried. 

There is a challenge. If you ask AI to compare two companies, it will generate an output that would take you hours to do by hand. As a timesaver it’s amazing, but schools are worrying because it’s becoming indistinguishable from natural language, so how do you tell it’s not plagiarism? It’s a tool that we should use to take complicated information and make it consumable by people who are not domain experts. I can solve that industry challenge with predictive text.”

To hear more from Simon, tune into Episode 26 of The Cyber Security Matters Podcast here.


Navigating the Fast-Paced Cyber Security Sector

On Episode 25 of The Cyber Security Matters Podcast we were joined by Jaye Tillson and John Spiegel, who are passionate cyber security evangelists and the co-hosts of the Zero Trust Forum podcast. Jaye has over 20 years of experience in the cyber security industry, across IT infrastructure and zero trust architecture, while John’s background in the industry includes overseeing major projects for global retailer Columbia Sportswear. Read on to find out their perspectives on why the cyber security industry is moving so quickly. 

John: “I talked about paying off your security, which is also referred to in the industry as ‘defence in depth’. So why are people looking to move into this model? Security’s got to be simplified and streamlined. Visibility is hard when you have eight or nine point products that are chained together for remote access, or when your products don’t have APIs that integrate. Security is really hard when you just think about technology and you don’t think about the business outcomes.

Primarily, what’s driving this change is simplified platforms which bring together technologies that were siloed. Companies are also looking to reduce their costs, not only from a vendor perspective, but from an operational perspective. On top of that, both Jaye and I fell into security because of the way applications and the workforce are distributed. Now you’ve got to have a different approach to security. Similarly, the way networking and security are transformed and delivered is changing.

For you to be a player in it from a vendor perspective, you have to have the full stack. You can’t just be a networking vendor and rely on another vendor for the security aspect anymore, you have to bring both together because that’s what provides visibility, simplicity and the platform effect, which is what customers are looking for. 

Another interesting piece is David Holmes (who is an analyst for Forrester) did some research, and they asked customers who had moved over to this SASE and SSE model if they are still using the same vendors as they were using previously. Is there any buyer’s remorse? Are they looking to go back or maintain that relationship? The answer in almost 85% of the cases was ‘No, there’s no buyer’s remorse, we’re happy and we’re not looking to go backwards. This is a better approach.’ What does that mean for the industry? It means that the incumbent vendors out there are under threat. That’s why you will continue to see consolidation within the industry.”

Jaye: “I realised that having people on my network who were able to go everywhere and see everything or potentially hack everything was concerning. That’s how zero trust came about, which is built on the concept of only giving access to devices and applications that people need access to for their roles. You constantly check in, monitor and give visibility, and both SASE and SSE are based on that structure. 

Then you’ve got the consolidation element within the market. Recent statistics show that CISOs have over 100 security tools within their environment, which is impossible to manage. That’s because if you have a problem within the environment you won’t know which vendor to go to, where the gap is, what tool it is, or what you’re looking at. Consolidation is bringing more products under one banner and within one user interface, which simplifies your security. Cyber Security is a difficult place to work because you’re constantly under threat or being attacked, the legislation is constantly changing and it’s a very high-pressure environment. If you can consolidate and become more simple, not only is it easier from a support perspective, it gives a better user experience.

There’s talk that ransomware is kind of dropping off, but that’s clearly not the case. We need to make everybody’s life simpler by removing and reducing the attack surface and simplifying administration, product and efficiency for the users. Zero trust is a huge thing in the USA, and the government is doing things about it which are flowing down into legislation across EMEA. Once people start to realise that their tools sit on top of that, there’s going to be a snowball effect.”

To hear more from Jaye and John about their work in the industry, tune into Episode 25 of The Cyber Security Matters Podcast here.


Facing Challenges in the Cyber Security Industry 

The Cyber Security industry faces challenges on a daily basis due to the nature of its work. However, its challenges aren’t just security threats. On Episode 24 of The Cyber Security Matters Podcast we were joined by Michele Chubirka, a Cloud Security Advocate at Google, to talk about the wider challenges in the industry. Michele has led a remarkable two-decade career in cyber security and has a background as a cloud-native expert, giving her a wealth of insights into the space. Here’s what she shared with us:

“Information security can be a struggle. There’s something called witnessing windows or common shock, which is when we see the small violence and violation that happens in our day to day lives. Well, that’s information security to a tee. You have the big breaches and traumatic events – you’re reading about it now with the movement hacks, ransomware, etc. – but every day you experience the vulnerabilities in your organisation. You report on them, saying ‘Hey, you have these vulnerabilities and they don’t get remediated’, and the solution technically seems very simple, but it’s really an adaptive challenge because it has a lot of dependencies and unpredictable human beings are involved. 

A lot of security people experience burnout after a while, because you want to do the right things, but there’s a social issue where people don’t or won’t collaborate well enough to solve the problem. Cyber Security is a challenging field because people are drawn to doing technical things and being engineers, but then find out that they have to work with people, which is a very different skill set. When I started, teams were super small and you could solve a problem end to end yourself. That’s not the case anymore. Now you have huge teams of hundreds of people working on a single application. Now you have to worry about getting people to talk to each other. You have to resolve conflict. 

I wish somebody had taught me to improve my people skills as well as focussing on my technical skills in my professional development. The social science that I’m studying is restorative practices and restorative justice, which is about building human capital or social capital by finding ways to repair harm, restore relationships and build community. If our organisations and companies aren’t communities, we’re going to struggle to build a truly secure cyber environment. 

The problem is that people are really attached to this idea of security being like law enforcement or a military framework. We think of threats as attackers, and there’s a lot of accepted victim shaming. When something happens within an organisation and the bad guys leave, you’ve got to clean up and recover from the trauma of what happened. That’s when the blame shifts. People start asking ‘Who can we blame internally for this problem?’ Then you get some victim-perpetrator oscillation where there’s a blaming game. Then the victims are being held to account as perpetrators because they didn’t secure their systems or they didn’t do the things that you asked them to do. That’s not helpful. 

There are a lot of reasons why developers don’t always write secure code or update their dependencies. Sometimes the systems that security people put in place are not friendly or easily consumable. Developers may be under really tight timelines and they’ve got way too much on their plates, so how much is really their fault? There are often swirling, interpersonal, conflict-ridden situations that create anger and resentment, because security professionals are doing their best but they feel like they can’t make enough change. This is exactly what happens when you’re faced with these witnessing windows, where people are disempowered but aware of what’s happening. When you’re in that situation, you know what the problem is but you can’t change it, and the results are stress and eventual burnout. 

That’s really the problem with information security right now. People are building great technologies and there are new techniques coming out every year, but the attacks only get worse, and the job seems to get harder. So what are we doing? I think the reason that the situation is the way it is is because we’re having people problems – it’s not simply a technology problem.”

To learn more about the challenges facing the Cyber Security industry, tune into The Cyber Security Matters Podcast here.


Addressing Human Behaviour in Cyber Security

In the Cyber Security industry, one of the biggest risk factors is human behaviour. On Episode 23 of The Cyber Security Matters Podcast we were joined by Ira Winkler, the Field CISO and VP at CYE. He shared his insights on the risks of human behaviour, as well as some great anecdotes from writing multiple books on cyber security. Read on to learn from his experience. 

How have you seen cyber risk progress over your career?

When I do speaking events, I always ask people ‘how many of you are security professionals?’ Most of the audience raises their hands and I go, ‘Okay, you’re all failures, because there is no such thing as security. The definition of security is being free from risk, and you’re never going to be free from risk. So technically, we’re all cyber risk managers.’ If we’re all risk managers, how are we mitigating those risks? I do what I call cyber risk optimization, where we’re quantifying and mapping out the risks according to actual attack paths and vulnerabilities. That allows us to determine how we optimise risk by taking your potential assets, mapping them to vulnerabilities to get an actual cost, and then figuring out which are the best vulnerabilities to theoretically mitigate. 

Now, we’re at a point where machine learning is actually able to start doing things we were not able to do before. Everybody thinks machine learning is this really fancy thing, but it’s taking big data and putting it through mathematical calculations that were not available to us 10 years ago. Now we’re actually able to crunch data, look at trends, and come up with actual calculations of how to optimise risk. I’m finally able to take the concepts I wrote about in 1996-97 and implement them today. 
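The risk-optimisation idea described above, as an added worked example (not Ira Winkler's or CYE's method): assets are mapped to the vulnerabilities that expose them, each vulnerability is priced by its expected loss, and mitigations are chosen by risk reduction per unit of cost within a budget. The asset values, likelihoods, costs and the greedy selection rule are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Vulnerability:
    name: str
    likelihood: float         # assumed annual probability the weakness is exploited
    exposed_assets: list      # names of the assets reachable through it
    mitigation_cost: float    # assumed one-off cost to remediate it


# Constructed asset values and vulnerabilities for the demo.
ASSET_VALUES = {"customer_db": 500_000.0, "payroll": 200_000.0, "intranet_wiki": 20_000.0}

VULNS = [
    Vulnerability("unpatched_vpn", 0.30, ["customer_db", "payroll"], 40_000.0),
    Vulnerability("weak_admin_mfa", 0.20, ["customer_db"], 15_000.0),
    Vulnerability("open_wiki_share", 0.50, ["intranet_wiki"], 2_000.0),
    Vulnerability("legacy_hr_portal", 0.10, ["payroll"], 60_000.0),
]


def expected_loss(v, asset_values=ASSET_VALUES):
    """Annualised expected loss: likelihood times the total value it puts at risk."""
    return v.likelihood * sum(asset_values[a] for a in v.exposed_assets)


def optimise(vulns, budget, asset_values=ASSET_VALUES):
    """Pick mitigations greedily by expected-loss reduction per cost unit until the
    budget is spent. Greedy selection is a heuristic, not an exact knapsack solve.
    Returns (names of chosen mitigations, residual expected loss)."""
    ranked = sorted(vulns, key=lambda v: expected_loss(v, asset_values) / v.mitigation_cost,
                    reverse=True)
    chosen, remaining = [], budget
    for v in ranked:
        if v.mitigation_cost <= remaining:
            chosen.append(v.name)
            remaining -= v.mitigation_cost
    residual = sum(expected_loss(v, asset_values) for v in vulns if v.name not in chosen)
    return chosen, residual


if __name__ == "__main__":
    picked, left = optimise(VULNS, 50_000.0)
    print("mitigate:", picked, "| residual expected loss:", left)
```

With a 50,000 budget the cheap, high-ratio fixes are taken first and the expensive VPN patch is deferred; raising the budget to 60,000 pulls it in and the residual drops sharply, which is the "which vulnerabilities are best to mitigate" question made explicit.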

How do you balance user responsibility and the responsibility of the operating system? 

The solution I’m putting together is human security engineering consortia, because here’s the problem: awareness is important. I wrote ‘Security Awareness for Dummies’ because awareness is a tactic. Data leak prevention can be important to stop major attacks, and anti-malware can be important to stop major attacks, so those are tactics too. The problem is that currently, when we look at the user problem, it’s being solved with individual tactics that are not coordinated through a strategy. We need a strategy to look at it from start to finish that includes both the operating system and the user responsibilities. 

You’ve got to stop and think, ‘what are my potential attack vectors? What capabilities does a user have?’ A user can only do things that you enable them to do; they only have access to data you allow them to have; they only have a computer that has the capabilities you provide them. You need to stop and think, ‘given that finite set of capabilities and data provided to a user, what is the strategy that looks at it from start to finish and best mitigates the overall risk?’ I’m not saying you can get rid of risk completely, but you need to create a strategy to mitigate as much risk as possible from start to finish, knowing the capabilities you provide to the user. 

One of my books is ‘Zen and the Art of Information Security’, which includes a concept of what makes an artist, and it’s the person’s ability to look at a block of marble and see a figure in it. They can produce different pieces of art, but they’re all made the same way. There’s a repeatable process and what they use to get what they got. Now in the same way, there’s a repeatable process for looking at human-related errors. You look at the potential attacks against users and ask ‘What might users do, using good will, thinking they’re doing the right thing but accidentally causing harm?’ Most damage to computer systems is done by well-meaning users who inevitably create harm. 

You don’t go around and see people saying, ‘I’m getting in my car and crashing into another car’ – that’s why they’re called accidents. We have a science in how we design roads; literally, the curvature of roads is a science, and when they assign speed limits there is a science to understanding what a user does, what their capabilities are, and how you can mitigate that to reduce the risks. In cyber risk, you should be asking similar questions, like ‘How can I proactively analyse how the user gets in the position to potentially initiate a loss and mitigate that proactively?’ Then you design the operating system to reduce the user’s inadvertent risks. 

To learn more about human behaviour and risk in Cyber Security, tune into Episode 23 of The Cyber Security Matters Podcast here.


Inside Data Loss Prevention

In recent years there have been growing concerns around privacy and data loss. On Episode 22 of The Cyber Security Matters Podcast we spoke to Chris Denbigh-White, the Chief Security Officer at Next, about data loss and how it’s affecting the industry. Here are his thoughts: 

Data loss prevention has always been the ugly friend of cyber security. If you mention DLP to 9 out of 10 cyber professionals they’ll say, ‘this doesn’t work, but we’ve got to do it’. It’s effectively a tick-box exercise, but it’s a box that does nothing. It’s the old adage of a firewall that has allow rules going both ways. We have to do it though, because otherwise some of our users either complain massively, or are blocked from doing their job. That’s something that Next aims to address; we’re trying to provide DLP that makes sense. That means using machine learning to understand user behaviour. 

I like to understand people’s business processes and build guardrails around what they actually need for security. We’re here to ensure that people who do business and make money don’t lose all their data or have it stolen, as well as protecting them from getting massive GDPR fines. Security itself doesn’t make the business any money, but not having security can cost a business a lot. That means that we need to understand what is valuable to the business and find a way to protect it. 

That’s different from typical data loss prevention tools. We need to understand things like ‘how does this company deal with things like insider risk and insider threats?’ We’ll think outside the box, like ‘Why don’t we address risks through behavioural change and training people on better cyber practices, rather than relying on draconian controls?’ I strongly believe that what we’re doing increases business cadence and reduces friction by approaching DLP in that way. That’s something that I think AI and machine learning are going to help people understand better, because they’ll be used to understand the people around us better and therefore they’ll uncover internal and external threat actors more effectively. 

The way that we approach things is by helping companies understand what normal is, and helping them to address the question ‘Am I happy with what that normal is?’ Our solutions are built by asking things like, ‘Do I want people uploading things to this web application and not that web application?’ That’s a well-trodden path to data loss. Another common issue is the use of copy and paste. On one hand, I want users to be able to copy and paste because we’re advocates of strong and long passphrases and the use of password managers – all of which utilise copy and paste. But on the other hand, I don’t want people copying and pasting swathes of sensitive data from sensitive apps and into a text file that’s then emailed off. 

We’ve moved away from just file based data loss, because people lose data in more ways than you’d think. There are copy and pastes, web uploads, ChatGPT prompts… being able to understand and control your data in those ways is its own tool. There’s a business process where we help companies identify their normal and their risks, then we set up specialised guardrails in a super simple process. I think that’s the future of the space. Companies that develop schooling to support security that’s done with people are going to succeed moving forward, whereas increasing levels of draconian control and intrusions are going to come to an end. 
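The two guardrails discussed above (uploads only to approved web applications, and no bulk copy/paste out of sensitive apps while short passphrase copies from a password manager stay allowed), as an added detection example run over constructed endpoint events. This is illustrative code, not Next's product or Chris Denbigh-White's; the host names, app names, byte threshold and events are all made up for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: the "normal" a company has agreed it is happy with.
APPROVED_UPLOAD_HOSTS = {"drive.example-corp.com", "tickets.example-corp.com"}
SENSITIVE_APPS = {"crm", "payroll"}
CLIPBOARD_BYTES_LIMIT = 2_000       # assumed: anything larger from a sensitive app is a "swathe"
PASSWORD_MANAGER = "pwmanager"      # copies from here are legitimate (passphrases)


@dataclass(frozen=True)
class Event:
    user: str
    kind: str            # "upload" or "clipboard"
    source_app: str      # app the data came from
    destination: str     # upload host, or the app the clipboard was pasted into
    size_bytes: int


def evaluate(event: Event) -> Optional[str]:
    """Return a finding for a guardrail breach, or None if the event fits 'normal'."""
    if event.kind == "upload" and event.destination not in APPROVED_UPLOAD_HOSTS:
        return f"{event.user}: upload of {event.size_bytes} bytes to unapproved host {event.destination}"
    if event.kind == "clipboard":
        # Passphrases from the password manager are always allowed; only bulk
        # copies out of sensitive apps into somewhere else are flagged.
        if event.source_app == PASSWORD_MANAGER:
            return None
        if event.source_app in SENSITIVE_APPS and event.size_bytes > CLIPBOARD_BYTES_LIMIT:
            return f"{event.user}: {event.size_bytes} bytes copied from {event.source_app} into {event.destination}"
    return None


def findings(events: list) -> list:
    """Run every event through the guardrails and keep only the breaches."""
    return [f for e in events if (f := evaluate(e)) is not None]


# Constructed sample events for the demo.
SAMPLE_EVENTS = [
    Event("alice", "clipboard", PASSWORD_MANAGER, "browser", 40),            # passphrase: fine
    Event("alice", "upload", "browser", "drive.example-corp.com", 80_000),  # approved host: fine
    Event("bob", "clipboard", "crm", "notepad", 150_000),                    # bulk CRM export: flag
    Event("bob", "upload", "browser", "paste.example.net", 150_000),        # unapproved host: flag
    Event("carol", "clipboard", "crm", "email", 300),                        # small copy: fine
]

if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```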

To learn more about protecting your data, tune into Episode 22 of The Cyber Security Matters Podcast.
