“Human beings have an exaggerated view of their ability to manage risk” – Craig Rice, CSO at BACS and Faster Payments
January 22, 2019
Craig Rice decided, early on in life, that he didn’t want a conventional lifestyle. “I chose an option with a hint of adventure over a steady, conventional lifestyle,” he reveals as we sit drinking tea on London’s South Bank.
That adventure came in the form of the military where he worked as a career intelligence and security officer, including cyber network operations, a background which also lent itself well to a cyber security.
Affable, discerning and a keen observer of human behaviour, Craig says that the military trained him to “unpick a problem and peel back the layers”, as well as not to accept things at face value.
He asserts: “What I did was infinitesimally insignificant compared to the contributions other people have made. But in my own small way, I've seen a little bit of life and I've seen it from other people's perspectives.”
He credits the experience to have expanded his thought processes which has been invaluable throughout his career.
“Human beings generally have an exaggerated view of their ability to manage risk rather than their actual ability to manage risk, myself included,” Craig observes.
“Some of the things we deal with really aren't in our control - the adversary chooses to attack us or a threat network has decided that it will strike a target. Protection arguably is not where our skills are going to be tested, but rather in the response and recovery to that incident,” he explains.
As The Chief Security Officer at BACS and Faster Payments, organisations that play a critical role for the UK economy, Craig tries to help the board make better decisions by presenting complex issues in a way that they can easily assimilate and synthesise down into where they can add value.
When presenting decision-making issues to the board, he tries to frame it as: “This is what I know, this is what I think, and this is what I sense”. He finds it a useful strategy as it lets them know the limit of the knowledge at hand, and they can weigh their decision accordingly.
“They can also test the chain of causation of my analysis back to the data, which I think is important,” he adds.
“Diversity” is a word that’s bandied around so often these days, one might lose sense of its true meaning.
Not so for Craig, who holds the term in high regard. For him, diversity is not necessarily an ethical issue, it's a professional one. “If a person is creating a team that is just an image of themselves, I would suggest that indicates that there is a lack of confidence in their own skill-set and not understanding the value of challenge. Effective cyber resilience requires a culture that encourages and respects challenge from a variety of perspectives," he states.
Challenge, for Craig, is essential in cyber security. He adds, “Cyber is a team sport and that doesn't just mean diversity within the team. That means diversity across the whole company; the audit team, the board, the risk committee and the security committee all have roles to play. There can't be just one impassive vision of the future. Cyber threats originate from across the spectrum from state motivated actors and networks to hobbyists and the curious, cyber is highly dynamic."
When, in jest, I call him an idealist, he doesn’t deny the claim.
“I think if you ever meet a cyber security professional that isn't passionate, then you haven't met a very good one. Cyber security professionals inherently want to do the right thing; they want to protect people and not just make businesses safe but society in general,” he stresses.
I broach the topic of Craig’s own leadership style, however he prefers the term “servant leadership”. “You're not there for your own benefit, you're there for the benefit of the team,” he believes.
“You are, as the leader, responsible and accountable. Your job is to provide the framework for the team to achieve the best possible results they can, usually above their own expectations. You're trying to create an environment where they can grow,” he explains.
He thinks we could learn something from the military which has a high tolerance of failure because that's how the military understands that people develop, unlike a corporate environment which has a more stringent view.
“In the military they say: this is what I want you to achieve, go away and figure out how you're going to do it. Come back and tell me how you're going to do it, and then crack on and let me know if you hit any problems,” he says. The military call it mission command.
He adds, “It's proving your course of action is the right one by selling that analysis and then saying, that sounds great, crack on. Have you thought of this, this, and this? No, I haven't. OK, go back and examine those issues.”
He also says it’s important to vary your communication style. “There isn't a sort of the ‘follow me, charge, off we go’ leadership style. That doesn't even work in the military,” he advises.
“I like to think that there's a bit of humility to the way I lead, and that sometimes I'm the butt of the joke. There's a very Western cultural view of the leader as the hero leader but it's OK for the boss not to have every idea or ‘win’ every discussion.
I wonder how Craig keeps the cyber security message relevant and fresh.
“This is where the networked approach comes in. The value of your network and challenging your thought processes. The adversary gets a vote too. We used to say the enemy gets a vote in the military; he gets the biggest vote because what he does can change everything overnight,” he explains.
He credits the 2017 NotPetya cyber-attack as being a pivotal moment which changed people's assumptions on what we're trying to achieve.
“Now we're getting to the level where a destructive attack can wipe out your complete network. And if you're very lucky, as in Maersk’s case, you'll have a domain controller offline in Ghana that you can then fly to England and rebuild your network. Where was that in anybody's planning assumptions before NotPetya? And where is it now?”
So keeping the message “fresh” isn’t too much of a problem because, for Craig, stale is the last thing that cyber is. “We are racing to keep up and we are not ahead of the power curve on this one,” he points out.
Craig doesn't doubt there is a cyber security shortage, however, he queries the nature of that shortage because industry is starting to document processes and to apply augmented intelligence to commoditised tasks, previously carried by humans.
The question Craig thinks we should be asking is, where do we want our critical thinkers?
“We want them on the novel and complex tasks; interesting and meaningful work that challenges their thought processes and gives them a chance to apply their creativity,” he says.
“If you were to ask people, ‘Do you want interesting, meaningful work that challenges your creativity?’ 90% of people wouldn't say cyber security fits that bill,” he states. However, he argues that that’s exactly what cyber security is, yet many shy away from the industry presuming it to be too technical.
I suggest whether the industry requires a rebranding of sorts. “I think rebranding it is artificial, it will change over time,” Craig responds.
Even though Craig believes we are seeing a change in the industry, he has questions: “Why is personnel management leadership not central to cyber as it is to any other? If we have a talent shortage, why aren't we doing more to grow our own talent? What advice are we putting out there? How are we helping?”
Craig admits to being more tech-connected than he would like to be. Yet, there is downtime and that’s when he’s at home with the family.
Ever the eternal student, with an insatiable appetite to learn, when he is not absorbed in reading about cyber security, you’ll find Craig in the Military History section of the book shop.
Which makes me wonder, with so many of his own stories from his military days, deployed internationally - including Northern Ireland, Bosnia and Afghanistan – whether we’d ever see his own literary contribution to that section of the book shop...One day soon, I hope.
The European Union's new EU Law Enforcement Emergency Response Protocol will allow Europol's European Cybercrime Centre (EC3) to coordinate with EU law enforcement authorities in responding to major cross-border cyber-attacks …