“As a CISO, you want to be part of the communication mechanism” – Bridget Kenyon, Global CISO, Thales eSecurity
April 9, 2019
Bridget Kenyon has me hooked on her words; she flits from black holes to baking with equal confidence and enthusiasm. But today the topic is cyber security, on which she has some strong opinions and doesn’t hold back in expressing them.
Bridget’s entry into the industry was, to coin her phrase, “rather random”. After a degree in physics with astrophysics which she says was “quite fun”, she fell into an engineering job which led to a position at the former UK government agency, Defence Evaluation and Research Agency (DERA) looking at vulnerabilities in information security.
It was the early days of the internet. “It was new, exciting and different. Everything was changing,” she states spiritedly. With a penchant for future gazing, she had found herself in the right place at the right time.
She likens working in information security to writing a book. “The opportunity to do IT and to be creative at the same time, to find new problems and solutions and do stuff that no one's done before, was irresistible. It was catnip, frankly,” she admits.
Since DERA (now part of QinetiQ), she’s worked in systems’ administration, consulting, forensics and as Head of Information Security at University College London, eventually finding herself in her current position as Global CISO at Thales eSecurity.
For Bridget, the challenge that keeps recurring over the years is “neglecting the basics”.
“If you haven't got the foundations, you shouldn't keep building extra storeys on top of your house. There is a tendency to ignore the foundations and just keep building upwards and then wonder why everything fell over,” she highlights.
“Humans are not good at boring things, that's why the word boring has a negative connotation. If it was something we were good at and enjoyed, it wouldn't sound like a bad thing,” she explains.
Bridget, an ardent proponent of improving cyber security with technology, stresses that one of the things computers are good at is not being bored.
“If you can automate the boring stuff, you should automate it. People are going to make mistakes when doing the boring tasks,” she adds.
The more you push the detailed, boring and complex work to a computer, and keep the interesting, varied, and unpredictable work for the human, you've got the right balance of activities.
“It's ironic, really, because I tend to espouse the notion that technology is not your saviour. Technology is there to help you, but it won't do things for you. However in some cases, the things it will help you with are significant,” she states.
But how concerned is she about the advance of technology and the threat that it’ll take over mankind?
“I quite like watching everything progress. I liked sci-fi when I was a kid and this is starting to be sci-fi for real,” she recalls, inspired by the literature of Robert Silverberg, Isaac Asimov, and Arthur C. Clarke.
However, for now she remains calm. “I suppose ironically, one of the reassuring elements of this is the fact that people are tremendously unreliable and inconsistent.
“Human inefficiencies are impeding the ongoing advance of technology for both good and for bad, because it's slowing us down in a way so that we have a chance for our rules and our ethics to catch up with our capabilities. But it's also getting in our way when we want to make things easier,” she muses.
I ask her how she deals with that as a CISO.
She affirms: “Each organisation has its own special language and you have start by listening to their wording and what they're placing emphasis on, what their culture is like, how they talk about finance. Where does their focus lie? What can you build on? What are their drivers? What are their objectives?”
“I like to think of a CISO as being an enabler, a business enabler, because the business should be driving technology. Technology's there to serve the business, not to direct it,” she advises.
For Bridget, everything comes back to business objectives, which should include compliance with the law and protection of personal data and enabling one's customers and clients to have faith in one's capabilities to protect what they have given to you.
Getting the communication right is important but not always easy. Bridget’s advice is: “Get to know the culture”.
She feels that security messaging has to start with the communication channels which are already in place in the organisation and recommends getting into the weekly newsletter or asking for a slot in the monthly standard meeting presentation.
This method will gain you visibility within existing structures and processes, because in that way the business is giving you airtime and essentially saying that they endorse you.
“If you go independently of the rest of the business by sending out your own emails etc, it can conflict with what the communications team is saying. You want to be part of that communication mechanism,” she adds.
She also encourages monthly or quarterly updates to the executive. “You want to talk upwards as well as downwards,” she says. “Talking sideways is good for networking, but it's not good for encouraging people to change. That should be going from the organisation at the top, because that's where the money comes from,” she advises.
Almost everybody believes themselves to be a good person and that is often where security goes wrong. “You tell someone they've done something wrong and most people, whether they realise it or not, will hear, ‘you're a bad person’. They’ll interpret, “you've chosen a bad password as, “you are a bad person and make bad decisions”.
That hits up against their sense of who they are. So the message gets lost in the reaction to what they see as a personal criticism or insult.
“If you can talk them through that narrative and help them understand what they did that they shouldn't have done - without it being about them being a bad person and relaying that it was just a mistake, or an incorrect understanding - that works really well,” she explains.
If, however, they have consciously chosen to do something which is completely at odds with the organisation, it’ll be one for HR.
With the cyber skills shortage dominating most industry conversations, I ask Bridget what sort of people she’d like to see being recruited into the profession.
“I think the skills that we need desperately in information security are sales and marketing. How else do you liaise with people, negotiate with the business, get people on your side and recruit people to the idea that security is going to help them?” she deliberates.
She feels that people are falling into the trap of thinking that technological capability is all you need, whereas you need people with really well-developed communication skills.
Technology will help you, she explains, but in order to change cultures and to engage with the community that you're supporting, you need to understand their needs. You also need them to understand where you're coming from.
Being the future-gazing person that she is, I couldn’t help but ask what her thoughts are about where it’s all going. She says it’s down to politics and how things pan out on the environment.
“We're going to have to start balancing our enthusiasm for tech against the amount of energy we're using on it and how much we travel,” she states. She’d like to see tech get to the point where we don't need to travel to feel like we're in someone's presence.
“Right now, you can do video conferences, you can do teleconferences, but none of them feel like you're in front of the person and so people will still travel to be in front of each other and talk to each other,” she explains.
“If we could just jump to the point where the technology is good enough that we really feel that we're with someone else (in our heads) and we can talk and interact with them properly, one to one, then a lot of travel stops being necessary - business travel, specifically,” she adds.
When Bridget is not updating her own book - a textbook for people who are interested in applying ISO 27001 to their organisation (out later this year), she’s usually occupied with DIY, gardening or painting.
Baking is another pastime and she often shares her homemade brownies and biscuits around the office, doing her popularity no harm, no doubt.
On a final note, I ask Bridget what’s the best advice she’s ever been given, “If it doesn't work, try something else. Anything else. Just don't keep trying the same thing over and over again.”
And whether it’s cyber security or baking, there’s wisdom in that.