The Future of Ransomware Protection

An increasing number of ransomware attacks are coming through emails. It’s clear that the ease of this attack vector is changing, and not for the better. On Episode 13 of The Cyber Security Matters Podcast we spoke to Ronnen Brunner, an SVP at Ironscales, about his work in selling the future of phishing protection. He shared his insights on the increase of ransomware attacks in emails and told us how we can identify and protect against these attacks.

You don’t need to be an expert in order to send a successful ransomware attack, because there are services you can just download on the dark web that will do all the hard work for you as a hacker. You can spam attacks directly to customers – you don’t need to be the sophisticated hacker sitting down and programming a credential theft or phishing attempt. You can use existing engines to attack people, and because of the ease of it, it’s become a lot more common. 

There’s a lot of variety when it comes to scammers who will spam hundreds or thousands of people and those who target specific individuals. A lot of hackers are just hoping that some of their attempts at phishing will be successful, and they’re the ones focussing on quantity. Especially when you’re looking at credential safe, or spear phishing, they are targeting specific people by sitting in their mailbox, getting to know the regular interactions that they have and then designing a targeted attack that they won’t see coming.

These scammers can learn your pattern of behaviour, your invoices, forms, vendors etc., and create a legitimate invoice with different bank details on it. Once a payment has been made it’s often incredibly difficult to get back. Lots of these scammers are posing as big companies, because it’s easy to make an email look like it’s coming from a reliable source. You can emulate the domain name or make it look like it’s coming from a person in the company whose information you found on LinkedIn. From speaking to these companies we know that 60-70% of attacks are coming in through their emails. They’re being targeted because of the information they put online.

We’ve seen customers trying to stop it. It’s incredibly hard because of the quantities of emails that go in and out. Some of these attacks look very sophisticated. It’s all about training people to identify what’s a ‘known dead’ and what’s a potential red flag. People need to understand malicious content and intent, then utilise machine learning or AI to sift through the information and flag any anomalies that could point to an attack. In the business we have something called ‘zero day attacks’, where there is no other indication that this email isn’t genuine. There are no markers from our list of ‘known dead’ elements to tip you off, and that’s when these attacks are at their most dangerous.

Some things to look out for are language like ‘buy these amazon vouchers’ or requests to change bank details on an invoice. These could be very simple emails that look like legitimate communications from known senders. You should always question changes to your payments. Once bank details are changed and you make a payment, you’ll notice a massive increase in emails that ask you to change the bank details for other vendors, because these hackers have figured out how to effectively steal from you. 

Everybody’s seen an increasing number of attacks since the COVID pandemic, because hackers had the time to fine-tune these attacks. They’re becoming incredibly successful and sophisticated, which is why we need next generation solutions. Everybody we’ve spoken to has a phishing problem, because they’re not preparing for these attacks in their systems. Even though sometimes these attacks are stopped by our email providers, there are still several getting through. People need to report phishing attempts if we’re going to get an accurate idea of the problem, and sadly that’s not happening either. We should be crowdsourcing suspicious behaviour and building a safer world together.

To find out more about keeping yourself safe online, tune into The Cyber Security Matters Podcast here.

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

The Dangers of Unsecured Data

On Episode 11 of The Cyber Security Matters Podcast we spoke to the incredible Dr. Rebecca Wynn about how we can all manage our privacy online. Dr. Wynn is an experienced global CISO and privacy expert, often named as one of the top women in Cyber Security. She has led large security teams in the investment and medical sectors and is currently consulting enterprise clients on their security strategies. 

Can you tell us about the challenges COVID posed for the healthcare sector from a security perspective?

Before COVID we had a centralised workforce that was covered by certain policies and protocols within the business. Once people started working remotely, and in some cases in other countries, that situation changed. We were outsourcing our data protection and people didn’t have the same protections at home. People started working in shared spaces with people outside of the organisation. With these new conditions, companies need to look at how they are protecting their sensitive information, as well as that of their clients.

One thing I did is look at cyber liability insurance. I met with external certification organisations, and we identified the safeguards I could put in place. I took our top 15-20 clients and walked them through our findings, and the majority of them asked me to quickly rebuild their security with a strategic plan, technical plan, and operational plan. It was a long process, and it cost me a lot of sleep, but we’ve helped protect people now. 

When you talk about the changes we’re seeing from COVID, we’re still seeing fallout from leaders who didn’t realise the additional residual risks that they were accepting. One thing I do notice consistently is people not sharing the information that you need to know or telling colleagues what their blast radius is in the organisation. It’s all about managing risk. That’s the one thing I still see from a younger generation; they don’t know how to communicate that risk and things along those lines. CISOs don’t want to be the scapegoat officer, so we need to be more watchful than we were before.

How do you see the concept and the practical application of privacy evolving in this data-driven society?

One of the biggest problems with data privacy is developing a global set of privacy regulations. There’s so much red tape that you have to get through at the moment because everywhere has different legislation. 

Another challenge is that data is being created but it’s not tagged. Does it have sensitive information in it? We wouldn’t know. If we could tag information with expiration dates and a level of privacy, we could handle it better. If you’re talking about healthcare, you should be able to say ‘it’s printed on this day, and it will absolutely expire in seven years’. The other thing is that once that data is created somewhere, it’s in your environment. Data gets shared through companies’ internal systems, which is a massive problem unless you can embed some sort of privacy key. If you could do that it would act like a GPS signal in your database. You could follow that, expire it or see if the data went to someone who’s not supposed to get it. That’s the kind of thing you need to do if you want to get a handle on privacy. 

One of the scariest things right now is when people are creating avatars and stuff like that. To do that you upload 23 of your pictures, and then your biometrics are out there. People aren’t thinking about where their data goes when they do that. 

It’s really hard to be invisible in the world today. Even if I’m not personally on social media, if someone takes my picture and tags me in it, I’m there anyway. They’re commingling their data with mine, and so on. It’s scary how much of our data is out of our control. 

To hear more about how our data is being used, tune into The Cyber Security Matters Podcast here. 

The Impact of Distributed Ledger Technology on the Cyber Security Industry

On The Cyber Security Matters Podcast we were delighted to be joined today by Marco Pineda, an international CISO with a particular specialism in the finance industry. Episode 10 saw us unpacking Marco’s 20 years of experience in information security and talking about the security impact of DLTs. Read on for his insights into the changes coming to the industry following recent concerns around blockchain and crypto. 

What does distributed ledger technology (or DLT) and its applications mean for the future of the global financial industry?

As far as DLT is concerned, you need to understand what the application is. They’re great technologies for environments with a low trust atmosphere, such as cross-border cooperation or between companies where you need an intermediary to provide that trust. It’s a very interesting kind of technology. One of the best uses of DLTs is cross-border customs and documentation for bills of trading. Each government has their own systems, and people need to know how to get documents across that each government will trust. 

What are the security challenges that these technologies present?

It’s mostly the distribution, but understanding it, and the maths behind it, is certainly a challenge too. There’s the additional concern that your system might be sitting on top of other systems that you don’t control at all. That’s an interesting risk facet that might be unique to the DLT area, because if I put a ledger out there, by definition, somebody else is managing that ledger. They’ve got their own machine. They’re taking care of it themselves. It’s their copy of it. I haven’t yet heard a good risk analysis on what that actually means for a company.

How can security frame itself more positively to help enterprises reach their financial goals, instead of being viewed as a cost centre?

We can take a cue from our colleagues who are trying to see how they fit in with the overall business strategy. You need to show your value to the company, which comes from looking at your portfolio of services/products, and seeing how they can support the business’ strategy. Take some initiatives here and there, offer people proposals. At the end of the day, you need to prove your direct business impact. That means doing things like protecting documents so that your business can ship information and do secure collaboration. Those are the things that security professionals can do that help a business directly. Get creative, take a look at what your skill sets are, what your services have, and see how they might be able to support the business in its goals.

To hear more about the impact of Cyber Security in your business, tune into the full episode of The Cyber Security Matters Podcast here.

Unpacking Vulnerability Management 

On Episode 9 of The Cyber Security Matters Podcast we spoke to Jennifer Cox, the Head of Communications at Cyber Women Ireland, about her work with vulnerability management in the sector. Jennifer is a multi-award winning advocate for women in tech, using her knowledge to mentor women as they join the workforce. She also speaks at global events, bringing her expertise to a wider audience. 

Read on for Jennifer’s insights on vulnerability management in the Cyber Security industry.

What do you think are the three big takeaways on vulnerability management?

At the core of vulnerability management, you need to be able to identify where you’ve got problems. It’s not just laptops, it’s every device that’s possibly connected to the internet. You need to focus on what’s important to remediate first. Vulnerabilities are growing almost exponentially, but the teams that handle those issues aren’t growing the same way. The challenges are not always exclusive to the products that we sell – many times you’ve only got two people on the team, but 40,000 vulnerabilities that you need to fix. 

How do you think vulnerability management is changing in today’s world? 

What’s changed most dramatically since COVID is this overnight remote workforce. Companies no longer have control over every single device on the network, and more and more people are bringing their own device into the office. Companies still need to make sure that those devices are secure. When people are at home they often have wide open home networks. We’re improving education around vulnerabilities and teaching individuals how to put better practices in place at home. People forget that web applications are also vulnerability risks, so they haven’t included them when they’re doing the assessment of their mobile devices, which is a huge factor. Having a team to do vulnerability management within the team is probably the biggest change. 

What do you think is the biggest obstacle to vulnerability management as a whole?

Hands down it’s budgets and bodies. When you don’t get reports about anything going wrong and being fixed by the cybersecurity team, you often don’t appreciate that the team is doing a really great job. If you’re hearing from your cybersecurity team, then there’s a problem – they’re either understaffed or under-educated so they’re struggling to cope. That silence is a problem, because when companies are trying to strip back budgets, they’ll look at reducing that team because it’s quiet. That’s actually the worst thing that they can do, because that’s the team that’s protecting them the most.

The challenge has been resources all the way along. We don’t have enough people to remediate all these issues. What you’ll do in that case is educate your team on prioritisation using a scoring system called ‘CVSS score’. We also have an algorithm that we use called vulnerability prioritisation rating. It takes the CVSS score and a multitude of other different things into account. Based on all of these things, it tells us what is most likely to become a problem over X number of days. The struggle is that of 40,000 vulnerabilities, 30,000 of those are critical. I can’t remediate 30,000 vulnerabilities in a weekend, but that’s the only time I’m allowed to do it. Add to that things like needing a 99.9% uptime, restarting the server after patches, and that becomes a challenge in itself. 

To hear more about vulnerability management and the work that Jennifer is doing to improve diversity in the industry, listen to The Cyber Security Matters Podcast now. 

The Diversification of the Cyber Security Industry

On Episode 5 of The Cyber Security Matters Podcast we spoke to Sean Blenkhorn about his experiences in the Cyber Security industry. Sean has worked in cyber for over 20 years, and during that time he has held a variety of strategic leadership roles, from heading pre-sales to taking on Chief Product Officer and Chief Experience Officer positions. Sean is currently Worldwide VP of Sales Engineering for Axonius, where he takes a proactive role in encouraging diversity in the sector, both in the upcoming technologies and in his teams. 

Do you see the diversification and expansion of the security market as a trend that is set to continue?

The macroeconomic conditions we’re seeing today will have an impact on that, undoubtedly. We’ll continue to see companies tighten their belts and have to make tough decisions from time to time. There may even be tightening around companies that are getting investment from the VC or private equity firms. However, the industry will continue to grow. Even given all of the macroeconomic conditions, we’re still seeing good growth compared to businesses outside of technology or security. It’s not as fast as what we want to see, but it’s still crazy growth. You have to keep things in perspective. Tech is the future, and people will want to protect that.

There are still so many opportunities and technologies out there to look at and get involved with. Innovation happens in the startup world, which is where you see diversification come in. People from all over are having these ideas and disrupting the market with their new tech. Typically the model is that the smaller companies innovate, then the larger companies acquire that innovation and take it to the broader market, hopefully in a way that doesn’t destroy the innovation. That’s the way the industry evolves.

How can we diversify the people within the cyber security profession?

It’s going to happen by continuing to break down the barriers. Organisations need to put a real effort into creating diversity. It’s people like myself who are in managing roles and leadership roles that need to focus on diversity. You need to look at your team and understand what’s going to be valuable, and having that diversity of opinions, views and experiences is really important. It’s not just limited in terms of women getting into the roles, but also enabling them to climb the ladder within an organisation. Diversity thrives when leadership organisations put commitment into diversity in that way too. 

We need to build the future generation and we need to have the teams and resources ready to come up behind us. We’re working with educational institutions and working with our teams to make sure that when we’re working with recruiting firms and internal recruiters we put real emphasis on looking for diversity in our candidates. It starts from the top down, but there’s also the bottom up route of making sure that we’re supporting the next generation of kids. We need to be showing them what those opportunities are in this industry, and that there’s opportunity for everyone. We have to promote diversity at the grassroots level as well.

To hear more news and insights into the cyber security industry, tune into The Cyber Security Matters Podcast from neuco now.

Including Women in the Cyber Security Industry

Diversity is at the forefront of discussions in recruitment, and in Episode 7 of The Cyber Security Matters Podcast we spoke to Karla Reffold about how we can diversify the sector. Karla is the General Manager at Orpheus Cyber, a Board Advisor and American Cyber Award judge. She has also founded and sold two award-winning businesses in the cybersecurity industry, hosted her own podcast, and was one of the top three finalists in the Entrepreneur of the Year category at the Cyber Security Women of the Year awards in 2022. Read on to hear her perspectives on improving representation in the Cyber Security industry.

Do you think you’ve faced barriers in the industry that your male counterparts haven’t?

It’s hard to know when things aren’t explicit. One of the stories that I tell is from a couple of years ago, when I’d sold the business. I worked in the company that bought us and one of my new colleagues said, ‘You leave early every day to pick your kids up, it must be nice being part time.’ I worked every evening and I was in the office earlier than almost everybody else; I worked a lot of hours. That comment really annoyed me, and I called him out on it. I complained about it and he apologised, but the feeling was that it wasn’t a big deal, I should get over it. I definitely felt that from then on I was seen as a little bit difficult, and that’s really unfair. 

I’m glad I spoke out about it, because there are other people that weren’t in a senior position who wouldn’t have felt that they could say anything. I do feel a responsibility, given that I have a platform and some seniority, to call those things out, even when it’s uncomfortable or they seem small. That one stands out to me, maybe not as a barrier but like one of those negative experiences.

Do you think big vendors and individuals within cybersecurity do enough to tackle the lack of diversity in our market?

I’m not sure vendors do, I think teams do when their clients care about it. What’s interesting now is that you’re seeing a lot of the VCs and private equity firms ask about your diversity stats. They see it as a risk, and that’s a really interesting change. Money drives these decisions. It’s relatively easy to stick a load of women in marketing, HR and maybe sales. That’s partly reflective of where the market is, right? You can’t always hire people that don’t exist. I don’t see the drive coming from vendors as much as I see it coming from internal security teams.

How has the representation of women changed since you started your career?

It’s definitely improved. I joke that I don’t want it to improve too much because I don’t want to queue for the bathroom. It’s changed across the board. There’s a lot of young women who are studying something cyber related. I think the biggest change for me in the last couple of years has been how many men support diversity initiatives and how many men talk about things. If you’re a man, particularly if you’re a parent, you can now talk about picking your kids up or dropping them at school and needing some flexibility. That really makes it safe for everybody to do that. I’ve seen some really big positive changes in that way.

What else do you think can be done to encourage minorities into the sector more broadly?

Consider what images you’re using. I haven’t used that image of a man in a hoodie in a dark room for five years, because it’s telling people what we are as an industry. Let’s not have that type of image. That makes a difference. Get rid of degrees as one of your requirements. If you’re getting 300 applicants, you are looking for ways to rule people out rather than rule them in, but white men earn engineering degrees at 11 times the rate of black women here, so if you’re putting degrees into your hiring process, you are just building in economic discrimination. We know that affects different races differently, so get rid of that. Think about your culture too. Stop making this a recruitment problem. It’s not just ‘Hey, recruitment company, go find me a diverse list of candidates’. It’s actually considering what you do with those people once you’ve got them. How inclusive is your culture? And how do you make everybody feel like they can be authentic at work? Those are my three quick takeaways.

To get more in-depth about diversity in the industry, tune in to The Cyber Security Matters Podcast here.

Creating Gender-Diverse Communities in the Cyber Security Industry

On The Cyber Security Matters Podcast we often talk about diversity. On Episode 8 of the podcast we spoke to Alexandra Godoi, the Information Security GRC Lead at Oxfam, about the work she does to actively improve gender diversity in the industry. Alexandra was named as one of the Top 30 Female Cyber Security Leaders of 2022, thanks to her work as a speaker and panellist at conferences and her role in increasing awareness around the need for cybersecurity in the world of NGOs. 

Read on to learn more about reducing the gender imbalance in our industry!

What do you think can be done to increase women’s voices and presence in a company?

Designs should influence a company’s decisions in developing products. It’s not just about listening to the women in your company, because they might not have a full picture. Go through that route of participatory design, which is where you go and ask the community, ‘What do you think about this? How would this impact your life? Do you have any concerns?’ Actually talk to people – that will help everybody move towards having security and privacy by design. We have a lot to learn from each other. 

What do you think it means to be a woman in cyber?

I don’t particularly see myself as a woman in cybersecurity, I’m just somebody that works in cybersecurity who cares about human rights issues. I don’t think we should focus on this disparity between men and women, because I’m not doing anything differently than my male counterparts. We’re all here to do our jobs.

What can be done to help address the digital gender gap and internet access imbalance?

There are different aspects that we can look at when we’re talking about the digital gender gap. One of the points that I’ve seen being made is the fact that there are not enough women in STEM, for example, but it runs deeper than that. It depends on the context and where in the world we’re talking about. A good example is that in India and Pakistan, access to technology like mobile phones is reserved for the man of the house. Because of this, women don’t have access to the digital space in the way that their male counterparts do.

The way technology is designed also puts a lot of pressure on the end user. You are expected to know how a computer works, you’re expected to know what a virus is and how to protect yourself, you’re expected to know that you need to set up strong passwords. Not everybody has access to the same level of education around those topics. Putting that pressure on the end user is not a fair point to start with, because you’re making the assumption that everybody who uses technology has access to equal opportunities.

Diversity is being used as a checkbox by tech giants. How do you think they can better level that diversity playing field?

Creating industry standards for security could be a way to push diversity as a non-political agenda. It is slightly political, because we’re talking about human and digital rights, but it is a way to push for more inclusivity. If we come up with a standard that means security risks are taken into consideration from the get-go, we should push for that, because it removes the pressure from end users and makes the digital space more equitable. 

To hear more about the work that Alexandra and Oxfam are doing to promote human rights in the Cyber Security space, tune into the full episode of The Cyber Security Matters Podcast here.

Securing the API Industry 

On Episode 6 of The Cyber Security Matters Podcast we sat down with Chuck Herrin, the CTO of industry-leading API security business WiB. Chuck has over 15 years of experience in senior and board level IT security roles, and now sits as an advisory board member for multiple organisations in the cyber security space. He’s acted as an attacker, defender, and most recently a builder. With so much knowledge and expertise in the space, we were fascinated to hear his insights into the API industry.

What is your take on the state of the API security space at the moment? 

It’d be great if there was some API security. I’m being flippant, but it’s another example of history repeating. The most recent example of this phenomenon is when we knew for 10 to 15 years that adoption of the cloud was inevitable. There are so many benefits and cost savings, we all knew it was going to happen. For some reason, defenders didn’t try to figure out how to do it safely. They resisted the change. We saw all kinds of issues and eventually had to catch up. People are still really worried about cloud issues. I saw an article that said around 94% of companies anticipate having a cloud breach in the next 12 months.  

APIs are experiencing the same phenomenon. The adaptation is inevitable because the benefits are massive. There’s no way that we aren’t going to rapidly continue to adopt API and microservice based architectures. The point of business isn’t security, the point of business is delivering value. If you aren’t adopting APIs and microservices, you’re gonna be out-competed and you won’t survive, and if you adopt it incorrectly or insecurely, you’re exposing your back end systems, data and business logic. Adoption right now is rapidly outpacing security.

We’ve been doing threat modelling for 20-25 years, and we know that you need to know your assets, actors, interfaces and actions in any environment or ecosystem. Then you see who’s doing what to what, via what, and the AI and API interface. Lots of APIs are completely unmanaged and unmonitored. APIs and their adoption made it around the world before security teams got their boots on. Now we’re frantically trying to help companies catch up and keep up. It’s like a one-legged man chasing a rabbit: the longer it goes on, the further apart they’re getting. While we’re working really hard to solve these problems at a macro level, it’s only getting worse. We’re not catching up.

Where do you see the API security space in 10 years time? 

I really hope that we can close these blind spots and treat API security the way we should. APIs exist to make developers’ jobs easier, and they do a great job of that, but if you don’t know what’s exposed to the outside world, you can’t monitor it or manage it. We’ll catch up eventually because we have to.

What I’m hoping for in the interim period is that we don’t have massive national crises, critical infrastructure implications or life safety issues. There are safety issues at the individual level where people’s data is exposed. Bad actors could figure out how to abuse these APIs and target API abuse at political figures. We have critical infrastructure issues with water treatment, or the power grid, or nuclear plants where a lot of companies that have been around a while are going to introduce APIs to their systems and there will be a risk. I worry about those attack surfaces more as a citizen than a software vendor, because if something goes wrong there we’re going to have to figure this out as a species. I hope we can address these security risks before that happens.

To hear more about the state of the API industry and Chuck Herrin’s work in protecting it, tune into the full episode of The Cyber Security Matters Podcast.  

The Indian Cyber Start-Up Scene 

On our first episode of The Cyber Security Matters Podcast, we were delighted to be joined by Girish Redekar, Co-Founder of Sprinto.  

His trajectory is incredible – from starting, scaling, and exiting RecruiterBox through to now growing Sprinto, all in less than a decade. 

We hope you enjoy listening to this episode as much as we did recording it.  

Why is India such a major innovation hub for the startup/cybersecurity space? 

“Great question. So, I’m definitely not an expert in the area. But basically, whatever I know just comes from viscerally connecting with other Founders that I see in the ecosystem.

And one of the things that’s really happening in India is that there is a sudden exponential increase in just the sheer number of startups that you see in the space. They’ve entered the mainstream, so to speak. So, you take a national daily and there’s basically a page which is dedicated to startups and the funding rounds that have happened and what’s going on over there.

So, I remember the time when we started our previous company, which was back in 2008. And I didn’t know that what I was doing was a startup; we thought we were just doing a business, and the word startup hadn’t entered our vocabulary yet.

Fast-forward to about 14 years later, and it’s really definitely entered the mainstream. You know, it’s in people’s mindspace: people talk about it, it’s very common – my neighbour next door in my apartment is another startup founder.

Especially in places like Bangalore and Pune and Gurgaon, there are startup hubs, and it’s very common for you to find startups over there. And that sort of brushes over any aspect of startups. So, you have a very thriving consumer startup business. But we have a lot of B2B startups as well.

And that touches on cybersecurity as well. So, I’m seeing a lot of interesting cybersecurity startups coming from within the country, including those who are working in spaces like privacy. Some of them were working in spaces related to password protection, and so on, so forth. Therefore, that sort of grabs on to pretty much all the spaces that you can think of that make sense in a B2B software scenario!”

To listen to the full episode of The Cyber Security Matters Podcast click here.  


The Future of the Cyber Security Industry

On The Cyber Security Matters Podcast we were joined today by Isabel Bardley-Garcia. She is the Director of Information Security at Helion Energy, driving company-wide security strategies, programmes and initiatives. They are currently building the world’s first fusion generators and enabling a future with unlimited clean electricity. Isabel has over 18 years of experience in the cybersecurity sector, including leading and driving the transformation and automation of National Cybersecurity consulting services. With all of that experience, Isabel has some fascinating views on the evolution of the cybersecurity industry, the highlights of which are below.

How have you seen the role of security and risk management within cyber security mature and evolve during your career?

The role of security and risk management has moved on from being just a compliance issue, either with a regulation like SOX or GLBA or with a standard like PCI DSS, due to more companies, and especially the government, taking it seriously. It’s more about protecting the organisation from major losses, crippling interruptions, or even failures of the organisation, and also about helping organisations to grow and to succeed. We’ve gone from doing things because we’re told to do it to doing something because it makes sense to actually do it.

Do you think that cybersecurity is taken more seriously in 2022 than it was in the early 2000s when you were first starting out?

Back in the early 2000s it was very frustrating to be an information security consultant, or just a cybersecurity professional. Like I said, companies didn’t really take it that seriously if they didn’t have a regulation or standard. As professionals, we saw the attacks and we had to protect our companies against them. When we saw that the attackers or the threat actors were getting bolder and more sophisticated, our companies and even the government at that time felt further and further and further behind in this cyber warfare, to the point that many of them denied it was even happening. They were like an ostrich with their head in the sand. They just didn’t believe that they would be targets, because they sold blouses instead of missiles. They didn’t think they had anything that the threat actors wanted, and even the government thought of warfare as a physical thing and not a cyber thing. We were watching it all happen, and it was very frustrating. 

20 years later, after so many breaches and after learning about all the foreign actors from different countries who are trying to cripple other nations, down to their infrastructure, to steal intellectual property, the regular threat actors who are trying to steal intellectual property to sell credit cards, social security numbers and personally identifiable information for identity theft… they’re still there, but having breaches is being taken more seriously. It’s reactive more than proactive, and now more and more companies, as well as the government, have really gotten into beefing up their security. They’re seeing it more as a risk management issue instead of a compliance issue.

We still have a way to go, because there are still a lot of companies that have that old mentality that is still very pervasive. Some companies still think that they can just offshore or push off security, saying ‘we have service providers taking care of that, we have third parties taking care of that, we don’t have to worry about it’. Now we’re getting more and more breaches where the third parties are being breached in order to be able to get to their whole client base. That’s starting to be taken more seriously, and companies are being more proactive, which is a great direction to go in. We’re still a couple of decades behind, so we need to hurry this up.

How do you see the industry developing in 10 years’ time?

I think that with all the different frameworks that we have now, companies don’t really have much of an excuse to not know what they’re supposed to be doing. And a lot more of them are taking those frameworks and implementing them in their own organisations, and they’re using the risk assessment management approach a lot more than just checking the box for whatever compliance, so it’s become more holistic. Companies are becoming more educated as to what cybersecurity is and how it pertains to their company, the C-level are educating themselves about it, and realising that it’s not an IT problem, that it really is a risk management problem. Even boards of directors are bringing on people with security experience to advise them. It’s becoming more mature and more known in companies.

The way that I see this going for the cybersecurity profession is that cybersecurity roles are going to become more focused and better defined. I think that the workforce framework is going to really help with that. We won’t have cybersecurity professionals being asked to perform three or more roles, so the firewall administrator isn’t also expected to be the database administrator, they’re just strictly the firewall administrator. A lot of the burnout we’re having in the profession is that we were expecting our professionals to wear many different hats that are very different from each other. From an education perspective, we’re going to start having more places of education with a wider variety of more mature cybersecurity degrees and training programmes to choose from. I’m hoping that by that time, cybersecurity will be its own separate department with its own head that then reports to like the CEO, or legal or something that makes a bit more sense than like the CIO. 

From a vendor perspective, it’s going to keep growing, we’re going to get more tools and platforms. Because the buyers are going to be a lot more sophisticated in their knowledge of threats, vulnerabilities, control frameworks and how it pertains to their domain’s responsibility, they’re going to be a lot more discerning and selective in their purchasing decisions. They’re going to be looking for products that fix a specific problem, which then will force the vendors to start focusing on the core functions of their products instead of trying to build them all-in-ones. Vendors are going to have a harder time getting people to buy the shiny new thing, because the sophistication of the buyers will be much greater by that time. 

To hear more about the future of the cybersecurity industry and Isabel’s unique perspectives, listen to the full episode of The Cyber Security Matters Podcast here.
