Category: Cyber Security

The Cyber Security space is an exciting one to be part of. On The Cyber Security Matters Podcast we regularly ask our guests how they get into the industry, and on Episode 21 our guest had a fascinating answer. We were joined by the CISO of ExtraHop Mark Daniel Bowling, who has over 20 years experience in Cyber Security, beginning as a special agent and cyber crimes investigator for the FBI. Since then he’s transitioned into several roles, most recently as the Chief Risk, Security, and Information Security Officer at ExtraHop. He shared the story of his unusual career path and his advice for other people who want to make a similar journey. 

How did you first get into the cybersecurity industry?

It was almost entirely a consequence of my service in the FBI. I spent six years in the United States Navy, where I was supposed to go into submarines, but I ended up on a carrier because we won the Cold War back in ‘91, so we just didn’t need as many subs. I did a little bit of time in the corporate world and didn’t love it, then I joined the FBI in 1995. That was right as cyber was becoming a thing. We didn’t even have a cyber division in the FBI back then, but we had a cyber investigation section coming out of the white collar branch. We created what was known as NIPC, or the National Infrastructure Protection Centre, then eventually when Muller came in, in 1999 or 2000, he created the cyber division. I grew up in the FBI and cyber at the same time, because I was an Electrical Engineering and Computer Engineering technologist, so it was the right place for me to go. 

I made a great career in cyber in the FBI. When I retired from the FBI I went to another agency, which was the Department of Education, making a transition from a very serious law enforcement and intelligence community agency to the one that was more public facing. After that I retired from federal service and then I went into the public sector as a full time employee, but then I started to move into the consultant track where I’ve had multiple great partnerships with customers, and it was really good. I went back to full time employee status when I came to ExtraHop a couple of years ago. So that’s the route that I took, but I would say my experience in the FBI was really what pushed me into cybersecurity.

Who or what has been the biggest influence in your career?

Because much of my career was in public service, the biggest influence has been the amazing public servants that I met in my career. My role model was a man in the United States Navy named Admiral Larsen. He was a four star Admiral, and I worked for him in the Pentagon. He was just an amazing man. Anybody who knew Admiral Larsen recognises what a great leader he was. 

In the FBI there were a couple of amazing public servants too. I would say David Thomas, who was one of the early assistant directors of the cyber division, was also a great man. He helped build the cyber programme within the FBI. He was one of the great men I knew in the FBI. 

And then at the Department of Education there was a man named Chuck Cox. He was in the Air Force Office of Special Investigations before he went over to the Office of the Inspector General. He has since passed away, but he was a tremendous man. Each of those individuals modelled public service in an amazing way for me.

How do you feel your background within the FBI has shaped your career working for a security vendor like extra hop?

I think it’s absolutely vital that anybody who works in security understands the nature of threat and risk. If all you do is think about technology, you’re missing the boat. The job of the business is to stay in business, make money, acquire and retain customers, sell more products, provide better services and increase not just your profit margin, but also your presence in whatever sector you’re in. They don’t want to have to worry about cyber security, so the cyber security folks have to understand the threats to the business for them. 

You have to be able to see things in terms of risk, and that’s what the FBI did for me. One of the things that Muller did when he came into the FBI was created priorities, and we created those priorities based on the risks. After 1991, the number one priority in the FBI was counterterrorism, number two was counterintelligence, and of course, number three was cyber because of the growth of cyber attacks at that time. So what I learned in the FBI was to see things in terms of risk, understand a threat, appreciate the capabilities of the threat actors, and then turn around and prioritise and your resources appropriately to reduce the threat either by remediation or mitigation. If you can create compensating controls around the threat, it reduces the actual risk. At the FBI I learned that you can accept some threats, others you just have to remove, and some you can create compensating controls around. 

What one piece of advice would you give to someone entering the industry?

I would tell them to one, stay humble, two, listen, and three, be willing to do things that you’re not comfortable with so that you can learn from the experience. There’s different reasons for learning. You should learn how to do something you’re not comfortable doing so that you appreciate the people who do it on a daily basis. You should learn to do something to understand the level of effort that it actually takes, so that when you ask people to do it as a leader, you know what they’re going to do for you and what they’re going to have to give up to get it done. 

To learn more about Mark Daniel’s experiences and insights, tune into Episode 21 of The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

APIs are a growing part of the tech industry, and impact a number of areas like Cyber Security. On Episode 20 of The Cyber Security Matters Podcast we spoke with Jeremy Ventura, who is the Director, Security Strategy & Field CISO at ThreatX, about how the rise of APIs is affecting the Cyber Security space. Jeremy has over 10 years’ experience in the Cyber Security industry, beginning his professional career as a security analyst for defence based manufacturing business radian before working his way up to his current position. He’s also the host of ThreatX’s eXploring Cybersecurity podcast, making him an experienced and informed member of the Cyber Security community. Read on for his insights on APIs. 

What should a regular person know about API security and how it affects the world around them?

We use API’s every single day, but most consumers, especially if you’re not technical, won’t realise it. Let’s think about ease of use. If I want to pay a bill I’ll do it with one of the three credit cards that I have. When I’m on an app, I’m just selecting whether I want to pay with Apple Pay or my Chase Card or my Amex card, whatever it might be. Those payments are all API connections. Here’s another good one; when you call an Uber or a Lyft, they’re looking for the closest Uber in your geolocation and the fastest route. Those are all API connections that are pulling that data down. Think about your phone – when you look at the weather today in your location, that uses API connections to pull together your geolocation and the weather from different weather providers. So even though API’s are all out there, they’re pretty much hidden by design. We use API’s on an everyday basis – probably hundreds of them on a normal day. 

Now, when it comes to API security, that’s where individuals need to be conscious. Just because it’s easy to use doesn’t mean it’s always secure. APIs in general are designed to connect multiple systems together and send business logic or business data. That’s not anything insecure. However, those transactions that are sent in the background sometimes can contain sensitive company information, or what we call PII, personally identifiable information. That’s things like usernames, passwords, credit card numbers, social security numbers, whatever it might be. That’s why the API security space is so hot right now, because they’re designed to send potentially sensitive data to each other. If that process or transfer is not secured properly, then we have big problems. Every individual – technical or not – needs to be aware of everything they’re putting out there on APIs. Your information is being sent to and from multiple different companies or products, which is a risk.

What is your take on the current state of the API space generally?

API’s are nothing new – they have been around for decades now. API security though is fairly new. That’s where we’re starting to see a lot of security vendors either incorporate technology that can help them in the API security space or we’re seeing a lot of big companies being completely transparent. 

I think with that we’re going to see a lot of acquisitions happen pretty soon as well. That’s normal when you have hot, new emerging technologies that are solving real world problems. Why wouldn’t I want to get my hands on that if I’m the largest security vendor? This is when the market can get a little confusing, where you have a lot of different vendors saying, ‘Hey, I do API security’, but they all do it differently. My recommendation is that when you’re evaluating vendors or you’re valuing the space, make sure you’re getting tools and products and services built with that in-depth approach. No one security tool is ever going to be perfect, so it’s important to take a layered approach. 

How much does AI affect API security?

AI in general is definitely affecting security. One thing I’ll be clear about is that attackers and hackers alike have been using AI for a long time. It’s actually nothing new. What’s happening now is that typical security may be a little bit behind. Now they’re starting to ask ‘how can I incorporate AI in my security tools like a security vendor? Can I incorporate AI into my products?’ 

An instant response company just announced that they included AI in their responses. They can create playbooks on the fly based upon the data that someone enters. Maybe I’ve experienced a phishing incident and I need to know who to contact. The AI model within that tool will actually spit out the exact task, or runbook that you need to do. If it’s used correctly, especially in security tooling, AI can definitely have an extreme power and effect for end users. 

Just like anything though, AI can also create a lot of false positives. We need to be very careful about 100% relying on AI and saying ‘this is the be all and end all’, because AI isn’t right all the time. AI in general security, including API security, is definitely starting to have an effect on both the security vendor side and the end user side.

To learn more about how APIs are affecting the Cyber Security space, tune into The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Securing the Cloud is a major challenge across the Cyber Security industry. On Episode 19 of The Cyber Security Matters Podcast we spoke to Abhishek Singh, the Co-Founder and CEO of Araali Networks, about how Cyber Security professionals are navigating the growing challenges of keeping the Cloud secure. Abhishek has 25 years’ experience in Cyber Security, including a period in which he led a team to build a data centre scale platform to enable micro segmentation and security in a virtual machine environment. This wealth of experience gives him some great insights into the current issues around securing the Cloud. 

Could you explain what zero trust is and what the biggest problems are with implementing it?

Zero Trust has become a buzzword. Zero trust people say ‘trust nothing’, but zero trust is fundamentally a networking concept. That concept is actually very simple. Imagine it as a castle and moat problem, where you have a castle and a moat around it called a perimeter. Everything inside the castle is trusted. Everything outside the perimeter is untrusted. If you have to come into the castle, you come through a firewall, and then you are trusted. So it is a networking concept which relies on perimeter security and having an open interior.

The problem with that approach is that your perimeter has to be perfect. If there’s one bad guy coming in, you’re in trouble. If one Trojan horse seeps in, you’re in trouble. If you’re building a zero trust environment you have to keep your controls inside out. Even if your environment is not pristine, every resource has to defend itself. 

The Cloud is very zero trust friendly in that it denies access by default, so if you want to expose anything online you have to explicitly open it up. However, egress is open. And that is the problem with zero trust, it’s too hard to close down egress. So if someone is already inside, going out is free, and that is what attackers abuse. So in spite of Cloud being very different, very novel, very thought through and upfront, egress is open. And that is the fundamental problem. 

What do you see as the biggest challenges in securing the cloud itself?

The real question is, ‘is the Cloud more secure?’ That is the biggest thing that people need to understand, and there is no straight answer. Depending on who you ask, they will give you a different answer. Many people believe the Cloud is more secure because Amazon has done a lot of good work there, and other cloud providers have followed suit. But the real rub there is, it’s as secure as you make it. Security is a shared responsibility, and Amazon is very clear about it. They are saying ‘we have given you the tools to make it secure’, but they have not done your work for you. Amazon has not secured your stuff. Coming from an on-prem background, when you go into the Cloud where there are new paradigms, it’s very hard to fulfil your shared responsibility. If you have not done so, Cloud is not more secure. 

The other challenge is attackers. On-prem Windows is a fertile ground for attackers to be doing things. They have not exploited Cloud. At some point though, that’ll change. Things like solar wind supply chain attacks used to be science fiction, right? The cloud is like that – it’s waiting to explode. It’s not that it’s more secure – it’s just that attackers have not diverted their attention to it yet. They’re still trying to go after Windows workloads on prem. The moment they come to Cloud, there’s a lot to be had.

Why do you think businesses like Waze have had such success over the last few years?

So the reason Waze has been successful is because of simplicity. Security has been very cumbersome over the years. Orca was the first company who came out and said, ‘We’ll give you a Cloud account, and without any agents we’ll go and survey it and show you visibility’. The ease of use itself was very compelling. My problem with that approach is that by showing your Cloud position, you’re making yourself more vulnerable. I know I’m vulnerable. I did not need to see a picture to get that insight. The thing I need to know is how do I not become exploitable? How do I remediate my vulnerabilities? That is still a hard problem, because the Cloud is hard. It’s difficult, which is why it is vulnerable. Showing me my visibility is not helping me become less vulnerable. The thing we should focus on is remediation, and that’s the language of zero trust. The reason this became so popular is because of the ease of installation in a world where Cyber Security is hard to work with. Time to value is unspoken. 

To learn more about securing the Cloud, listen to Episode 19 of The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

As recruiters, we’re often faced with a number of challenges when it comes to sourcing talent in the cyber security sector. On Episode 18 of The Cyber Security Matters Podcast we spoke to Jake Bernardes, the CTO for Whistic, about his perspectives on the topic. Here are his insights: 

The reality is that there never has been a skill shortage in cyber security. That is completely fake news. The problems are actually between the hiring manager or hiring team and the candidate. And those issues are extensive. Let’s start with the kind of person that the hiring manager wants. Do they know what the key skills are that that person needs to have? Secondly, people are very bad at writing job descriptions. The next problem is that once you’ve written the job description it gets translated to a job ad. 

We all rely on recruitment in our business. Usually HR are filling in for recruitment functions, and they don’t understand what I’ve told them they’re hiring for. Do they know what I’ve actually asked for? Are they translating something which doesn’t make any sense? Are they adding things because they are standard requests, like ‘must be college or university educated’, ‘must have this qualification’ etc, when I actually don’t care as a hiring manager? The problem is when that person HR misinterprets my request and does not put the right spin on it when it goes out to market. 

There are then two more problems in that situation. Firstly, that description doesn’t make a lot of sense, and secondly it’s not focussing on the right keywords. We’re often having issues with the salary as well, because this is a high-paid field. We’re going out to recruiters who can’t fulfil a role where the requirements don’t make sense and the salary doesn’t work. It’s impossible to find someone that doesn’t exist, so it creates the illusion of a talent shortage.  

The flip side is that I don’t have a shortage of candidates. What I have is an inability to screen candidates properly because everyone has realised that there’s money in cyber so they’ve made their resume cyber orientated. If HR does the screening, they don’t have the competence to know what is or isn’t relevant. They often miss potential gems because the resumes are quite simple but have one really interesting line at the bottom. They just go and find an SRE or cybersecurity analyst. HR puts on a layer of nonsense that they think makes sense, including a salary banding which is completely unrealistic, then throws it to recruiters and hopes that they can turn carbon into diamonds. 

Our industry is a weird one. There are so many people who are very good, but on paper they shouldn’t be good. On paper they should never have even been in the interview. Standard education and experience doesn’t allow me to spot the people who are going to excel, but people’s passion projects do. And so I stand by my statement, there is no skill shortage here. There is a fundamental disconnect and a poor process between cybersecurity leaders and the candidates who are applying. Everything in between those two dots is broken currently.

To learn more about the talent challenges in the Cyber Security sector, tune into The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

AI has been sweeping the internet for months since the release of Chat GPT 3. As the world looks at the implications of these powerful new AI models, the cyber security industry is no exception. On Episode 17 of The Cyber Security Matters Podcast we spoke to David Stapleton, the CISO at CyberGRX, who we met at the RSA conference. With over 20 years of experience in business administration, cyber security, privacy and risk management, David has a unique expertise that makes him the perfect person to share insights on the relationship between Cyber Security and AI. Read on to hear his thoughts! 

A lot of attention has been paid to AI – with good reason. I have this mental model where if my mother is aware of something that’s in my field, that’s when it’s really reached the public Zeitgeist. When she asked me a question about the security of AI, I knew it wasn’t a niche topic anymore. 

Artificial intelligence is an interesting phenomenon. Conceptually, it’s not that different from any other rapid technological advancement that we’ve had in the past. Anytime these things have come up, the same conversations have started to happen. With the advent of cloud there was a real fear that was sparked – particularly in the cybersecurity community – around the lack of control over those platforms. We had to trust other people to do the right thing. How do I present that risk to the board and get their approval for that? Maybe it’s a good financial decision, but we are introducing unnecessary risks. 

Another example of that may have been the movement towards Bring Your Own Device (BYOD) and allowing people to connect their personal devices to company networks and data. That sounds terrifying from a security perspective, but you can see how that opens the door to increased productivity, efficiency and flexibility. 

AI is not too dissimilar from that perspective, and we can see plenty of positive aspects to the utilisation of artificial intelligence. It’s a catalyst for productivity which could provide exposure to multiple different data points and bring together salient insights in a way that it’s hard for the human mind to do at that kind of a speed. It can also reduce costs, bring additional value to stakeholders and potentially help companies gain competitive advantages. 

Conversely, there are potential risks. It is such a new technology, and we’re still learning about how it works as we’re using it. There’s a lot of questions from a legal perspective about the ownership of the output of different AI technologies, particularly with the tools that produce audio visual outputs. The true implementation and impact of that isn’t going to be known until the courts have worked those details out for us. 

We’re in a position now where some companies have taken a look at AI and said, ‘We don’t know enough about this, but we feel the risk is too great, so we’re going to prohibit the utilisation of these tools.’ Other companies are taking the exact opposite approach: ‘We also don’t know a whole lot about this, but we’re going to pretend this problem doesn’t exist until things work themselves out.’ 

At CyberGRX we’re taking a middle of the road approach where we’re treating AI models as another third party vendor that we’re using for work purposes. We’re going to share access or data with that tool, but we need to analyse it from a security risk and legal risk perspective before we approve its utilisation. That’s a fairly long-winded way of saying that there are amazing opportunities for AI but there are risks. 

We’ve already seen threat actors starting to use artificial intelligence to beef up their capabilities. You could understand logically how artificial intelligence gives a fledgling or would-be threat actor the ability to get in the game and take action sooner than they otherwise would be able to. When Chat GPT first was released to the public, the very first thing that I put into it was ‘Write a keylogger in Python’. That’s a little piece of malware that will log your keystrokes and collect things like passwords or credentials. It just did it. It was there on the screen as a perfectly legitimate piece of software. Since then they’ve tightened the controls, but there was a time when someone with bad intent could start producing different types of malicious software without even learning to code.

To learn more about the uses of AI in Cyber Security, tune into The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Growing companies often face cyber security challenges as they manage teams that are scattered across the world. On The Cyber Security Matters Podcast we were joined by Ivan Milenkovic to discuss how companies can manage those challenges, even inside the industry. With over 20 years of expertise in information security, Ivan is currently a Group CISO at WebHelp, where he’s managed a large security team that doubled in size to over 140,000 people. He’s a security evangelist and a huge advocate of addressing cultural and leadership factors rather than relying solely on technology to protect your teams. 

What were the security challenges involved in scaling so fast at WebHelp, and how did you overcome those?

When I joined three years ago, WebHelp was just shy of 58,000 people. Throughout COVID we started growing to address the way that our clients worked, and what was happening to the sector at the time. We are very aggressive when it comes to acquisitions and expanding into new markets, and that brings some very interesting challenges. We’re a very large global company. That’s how our clients see us, and they expect a certain level of quality across the board, regardless of where their services come from. 

We effectively needed to bring everybody up to speed and bought-in to our culture. I’m a big believer that people are a very important part of the picture when it comes to security. That’s why it’s very important to get everybody on board to recognise certain values that must be respected. The challenge is to get people on this journey, and for them to understand that when it comes to security, it’s not just that you’re trying to enforce boundaries, it’s actually about supporting the qualities. You need to be able to lead and take people on that journey, rather than providing rigid boundaries that they don’t understand.

How do you balance managing a large security team with meeting the demands of internal stakeholders?

WebHelp is split into what we refer to as regions. They’re not necessarily geographic regions, but logical parts of the business that operate as semi-dependent companies tied together at a group level. Because of how everything came together, we’re talking about various teams spread around the world. InfoSec is a very large team, so you have all the daily challenges when it comes to the InfoSec itself. Because it is a rather big team, not everybody is my direct report. Whenever you work with people though, you need to respect their different needs and requirements, and understand what’s going on. We’re blessed with the quality and enthusiasm of people that are part of the team, which helps a lot. Most of my time is actually spent dealing with senior stakeholders from the business rather than my team. It’s been important to make sure that my people are bought-in enough to carry on without much management. 

You’re a really passionate advocate of the idea that technology alone can’t solve security problems, so the leadership aspects of cybersecurity are key. Why is that? 

It boils down to two things. One is that culture we touched on, because when people understand why certain things need to be done in a certain way, that’s half the job done. If you have people that are trying their best, that are not scared to report problems, that are educated well enough to understand, appreciate and communicate when something goes bad, everything is easier to deal with. 

If you look at what can be done with technology today, you cannot do without it. We live in a really technological era where there is too much going on, so without technology you wouldn’t have the right level of visibility and you wouldn’t be able to react fast enough. People are very creative, sometimes too creative for their own good. It’s not hard to imagine a multitude of scenarios where a very creative person can easily get around even the best piece of technology. So that’s why you must find the right mix. You cannot rely on just your technology. It’s your processes that glue it all together. So, unless you take people with you on that journey, you don’t stand a chance.

To learn more about managing risks within the industry, tune into the full episode of The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Cyber Security is a growing concern for the majority of organisations. On Episode 15 of The Cyber Security Matters Podcast we were joined by Adam Gwinnett, the CTO & CISO of Nine23. With a legal background, he’s experienced in managing stakeholders in the heavily regulated state sector, with 10 years of experience at the Department for Constitutional Affairs, the UK Ministry of Justice, and the Metropolitan Police. Adam joined us to talk about how cyber security impacts state systems, from the challenges facing the police to the government’s response to major incidents. 

What challenges are the police facing from the increase of cyber crime?

I think because of the global pandemic, when people were locked at home with their computers, cyber crimes and quantum growth crime grew dramatically. That raises some really interesting challenges generally, because cyber crime is often transnational. The person committing offences against you is very unlikely to live in your jurisdiction, so even if you do report it, investigation can be very frustrating. As a result, under-reporting is rife. One of the fundamental challenges you have from a law enforcement point of view is that you don’t actually know how much it’s occurring or how impactful it is, because people are quite embarrassed to admit when they’ve had issues with it. They’re often worried about being scrutinised, and worry that people will be critical of their responses to it or how they handled it. People end up suppressing certain information which otherwise could be very interesting and beneficial, not only to the investigation process, but actually to their peer group who might have suspiciously similar looking things in their environment. 

From the law enforcement point of view, I was keen to couple cyber security with the cybercrime division. One of the things that we focused on was ‘How can I take my investigation of a cyber incident, and turn that into a potential initial bundle for the investigating officer to take forward? How can I give the best evidence? How can I provide you with the best material?’ I didn’t have the mandate to do the investigation and proceed because I was civilian styled, but I could take the information from my logs in the digital forensics team and give them the best chance of bringing the offender to justice. I used to talk about it at conferences, where people would just say ‘That’s not our jurisdiction. We haven’t really thought about how we could give them a leg-up or considered how we could best enable them.’ How many SOC analysts can say they’ve actually put a cyber criminal in prison? Several lawyers could say that I contributed to making sure that that offender actually went to prison, and that’s the ultimate closure for me. 

How do cyber security decisions get made within big government departments? 

Some of it’s quite straightforward. Effectively, most decisions that impact the risk appetite, risk acceptance, or risk tolerance will go to a named individual on their board of advisors. They will then review it, look at the balanced risk case like ‘Why are we doing this? What are we hoping to gain through it? What are the potential mitigations we can put in place? Are they proportionate? What is the net impact on our risk position? Does that take us outside of tolerance?’ That makes it quite straightforward. It’s an interesting one, because those people are fundamentally dependent on the advice they’re given. The people asking them to make decisions, accept the risk or present the view will seldom be impacted when the risk emerges. They’re incredibly challenging positions for people in the regulated and public sectors. 

What are the challenges facing cyber security leaders in the sector?

One of the things that can be really challenging is that it can be really hard for those people to understand the net effect of the things they’ve agreed to. So I’ve spoken to CROs from other organisations that said, ‘I’ve had like 40 risk acceptances presented to me this year.’ It’ll happen every couple of weeks where I’m asked “Can we accept this risk?” I don’t know if I can reliably tell them what the net impact on our overall risk is, or the cumulative effect of all of those things that we’ve agreed to.’ In large, complex enterprises, can you understand all the systems, processes and risks that are undertaken? Because the people who own those systems, processes and fundamental aspects of the business will be separate from the people doing the risk acceptance. They don’t always have the mandate to go in and correct all of the issues. They won’t normally have a budget or available resources to do it. If they don’t, it just becomes one of 100 other competing priorities that organisation has to deal with.

In the event of a major security incident, what does the internal decision making process within a big government department look like?

It’s very dynamic. You’ll normally find war rooms and incident response teams almost immediately. Most large organisations have very mature, robust and practised responses, because it’s never quiet. Even when I worked at the Met, I was talking to people from banks, insurance companies and financial services who were a big target, and they had a 10th of the attempted attacks that I did in a week. Our response and investigation processes are incredibly well drilled, because somebody’s always trying something. One of the biggest challenges is that your teams end up being in high alert and response mode all of the time. That level of anxiety, stress and mental overload is not useful for people. It leads to poor decision making. What you will find is that a lot of organisations start putting things like shift rotations in place to tackle those issues. If your response mechanisms are really effective and really well tested, you can rely on them slightly too much. Actually preventing issues is dramatically less problematic than being able to respond to and deal with them effectively, but if you’re always able to jump out in front of it and catch the issue, people will get relaxed about the fact that that’s what will happen. 

To learn more about the threats facing cyber security teams, tune into The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Cyber Security is becoming a growing concern for businesses across the globe. On Episode 14 of The Cyber Security Matters Podcast we were joined by Hajar El Haddaoui, who is an international executive. She speaks four languages: French, Arabic, German and English, which has allowed her to lead a large sales team in multiple continents. She is currently leading Swisscom’s managed security services, as well as serving as a board member for the Chamber of Commerce, MOD-ELLE and WIN Women’s International Conference, where she works to support women in business. With such an extensive and exciting background, we were keen to hear her insights on global leadership in cyber security. 

How does Switzerland’s approach to Cyber Security differ from other key European markets?

Switzerland is one of the most innovative countries I’ve worked in. Cyber Security is a part of the business transformation of any company, and in Switzerland they are sensitive to where the data goes and is used. They create security by design, which weaves their Cyber Security into the fabric of their products. 

Do you expect adoption of managed security solutions to continue to increase as a proportion of the overall cybersecurity marketplace?

Absolutely. There are many challenges facing our clients, including the complexity of digital business, where there is an increasing skills and resource gap. There’s a 3.1 million gap in resources and talent worldwide for Cyber Security. Lots of our clients don’t know how to use the hybrid cloud. Therefore, managed services are key for those clients in order to respond to their challenges. We want to transform the industry by making products and services that are secure by design, but there are several clients who need someone to manage those products for them anyway. It’s important to have management in your Cyber Security portfolio in order to meet that need in the market and address the challenges that clients are facing. 

Silicon Valley is seen as leading innovation. How influential are they to Cyber Security?

Research and development are key to innovation, not just in Cyber Security. They give you confidence to innovate and inform how you take a digital solution and rapidly provide insurance to our customers. We’re not just providing security to our customers, we are providing consultancy, technical support services and managed security services too. It’s those three layers where innovation needs to be. Research and development can be applied to intelligent and managed security services to identify and respond to threats, giving us a proactive level of protection. 

There’s a lab in Silicon Valley that is the hub of innovation, not merely for Cyber Security. There are also labs in Israel and Japan, but Silicon Valley is still playing a huge part in global Cyber Security efforts because of the amount of investment that they’re able to attract. Everyone needs to invest in innovation and in hub centres for security. Silicon Valley aren’t the only one doing it, but they are still big players. 

What have the different places you’ve worked taught you in a business and leadership context?

Working internationally has given me the ability and agility to deal with challenges. Being a resilient leader is essential to what we do. The second thing is confidence. Moving from one country to another I’ve learned to build a community and a support system, which plays into that self confidence. The third lesson is humility. I’ve become a continuous learner, because the technology field in Cyber Security is rapidly changing, and I have to accept that I’m not going to stay an expert if I don’t learn from other people. The market is fast and furious, so to be fit for the future I have to learn skills and humility. 

To hear more about global Cyber Security efforts, tune into The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Spring is blossoming in San Francisco, the highly anticipated #RSAC2023 commences attracting leaders and companies from around the world.

Being my first conference, I embarked on this journey with a mix of excitement, nerves, and curiosity.

The big takeaways from the conference were the valuable insights into the cybersecurity industry, the strong sense of community and the hot topics of investments, the impact of AI and talent shortages. Additionally, we had the opportunity to explore the vibrant food scene of San Francisco, which added a cultural touch to the conference experience.

Grand Opening and Impressive Booths

The conference kicked off with great anticipation, as attendees gathered in the entrance hall, the atmosphere was electric, and the buzz of excitement was palpable. As the doors opened, a polite stampede of cybersecurity enthusiasts filled Moscone South Hall. The sight of numerous booths was awe-inspiring, with companies investing substantial resources to impress and display the immense potential of the cyber security world with exhibits highlighting the industry’s advancements and potential.

Networking calls and conversations up to this point had evolved around RSA Conference, emphasising its values as a place to connect and meet face-to-face.

Community – Diversity & Inclusion

The most profound takeaway from my first RSAC was the vibrant and supportive community within the cybersecurity industry.

As a newcomer, the community came across as surprisingly friendly and collaborative.

I had the privilege of attending the Women in CyberSecurity (WiCys) drinks event, where representatives from Microsoft, Amazon and Google gathered to promote diversity, the motto “not done yet” resonated strongly emphasising the importance of the continuous effort needed to enhance diversity in this tech space.

The next morning, I attended the Women’s in Cyber breakfast, featuring a panel discussion with founders, CEOs and CISOs. The conversation revolved around the challenges faced by successful women in maintaining work-life balance. It was inspiring to witness the support within the community, with ideas exchanged freely, fostering growth and empowerment.

Insights and trends

Apart from the community aspect, RSA Conference 2023 offered valuable insights into trends and concerns.

Investments

One notable takeaway was the significant investment in the Cybersecurity sector. Funding for Cybersecurity start-ups increased from $2.4 billion in Q4 2022 to nearly $2.7 billion in Q1 2023, underscoring the industry’s growth and the recognition of its importance in the digital landscape.

AI – Changing the landscape.

Discussions throughout the conference highlighted the transformative role of artificial intelligence in the Cyber security industry. AI technologies are reshaping the landscape, influencing threat detection, incident response, and overall security operations. The integration of AI into cybersecurity practices has become indispensable for organisations to stay ahead of evolving threats.

Talent shortage and calls for solutions.

Addressing the shortage of talent has become a top priority for organisations with discussions focussing on strategies to attract and retain skilled professionals. Collaborative efforts are necessary to bridge the talent gap and nurture a diverse and competent cybersecurity workforce.

Amid networking and business meetings, we took the opportunity to explore San Francisco’s renowned food scene, indulging in the famous Clam Chowder, Oysters, and the Buena Vista Irish coffee.

While RSAC is over, another key takeaway is that the fight is not over, so we look forward to next year to witness the continued growth in the industry and learn new and innovative ways to disrupt cybercrime.

Asset management is a growing area in the Cyber Security industry. On Episode 12 of The Cyber Security Matters Podcast we were joined by Huxley Barbee, a CISSP and CISM. He is currently a Security Evangelist at runZero, which is the latest role in a glowing career in the cyber security industry. We spoke to Huxley about the advancements he’s seeing in the asset management sector, including his predictions for the future.

How do you see Asset Management evolution over the next few years?

There have been a number of technological trends that have caused a divergence of environments. For example, smart speakers like your Alexa are changing our home environments, because this tech used to be simple, non-connected devices. Now they’re connected to the internet, which exposes you to a higher risk. There’s also been a rise of ‘bring your own device’ culture, where people bring their own phones and tablets to the corporate network. There’s also the move to cloud associated with the DevOps revolution. 

A lot of companies will see the cloud as a way of transforming their capabilities to both lower costs and increase speed and agility. Folks are empowered to just spin up new computing devices left and right, but the old devices are not actually decommissioned, so you have a sprawl of this attack surface out in the cloud as well. There are also more and more mergers and acquisitions happening, where a purchasing company has to take on the risks and vulnerabilities in the target company. All these different trends have led to this divergence of environments where companies are not just protecting their corporate IT assets, but also their OT, the factory, their IoT devices, your personal devices, the cloud and whatever else goes on in remote employees homes. 

Because of a need to find talent, organisations have started looking at a wider geographic spectrum, and a rise in this ‘work from home’ culture became compounded by the pandemic. That is now also part of what cyber security needs to protect. Over the last 20 years, this evolution of assets has resulted in a decentralisation of control. Meanwhile, it’s the same security team that’s being expected to protect all that. There are numerous statistics out there about how the number of devices connected to the internet is going to continue to go up. Security teams will be more and more challenged, which is a fundamental problem. If you don’t have this foundational capability of knowing what you have, you are absolutely not protected. We’re going to have to see some change in order to address this growing challenge. 

How can the industry address those issues? 

There are a number of different approaches that have been tried over the last 20 years. There’s the use of agents and authenticated active scans, but they don’t solve the problem of unmanaged devices. If you can put software on a machine, then it probably needs managing. There are other vendors who try and pull data from multiple other sources to try and cobble together some sort of asset inventory. The trouble is, if they’re pulling from limited data sources, they’re not really solving the problem of unmanaged devices either. There’s also a passive network monitor, which theoretically can learn about more devices on the network, but its ability to identify those assets correctly is limited, because it’s only looking at network traffic to make that determination. There’s another approach, which is using an unauthenticated scanner with a security research-based approach for fingerprinting alongside API integrations. We found that this is the winning combination to help you get both breadth and depth of your assets, no matter where they are, no matter what type they are. 

To learn more about asset management, tune into The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.