Our speakers are top experts in their fields. Expert guests in January include:
John is an established Information Technology trainer, with many years’ experience in Further and Higher Education and training in both the private and the public sector. He has been integral in the implementation of the Bank of England’s current security training programme, and is focused on the transition from passive compliance to active security. John has been a software trainer for most of his career, meaning he has a strongly honed sense of the frustrations normal people feel when faced with new technology. Training is, after all, mostly watching people make mistakes because of unfamiliarity. (And then helping them!)
Dr Mary Aiken is one of the world’s leading experts in Cyberpsychology – the study of the impact of technology on human behaviour. She is an Adjunct Professor at the Geary Institute for Public Policy, University College Dublin, an Associate Professor in the Department of Law & Criminology at the University of East London, an Academic Advisor to the European Cyber Crime Centre (EC3) at Europol and a member of the EC3 Academic Advisory Board.
She is a Fellow of The Royal Society of Medicine, Global Fellow at the Wilson Center, a leading US think tank, a member of the Medico-Legal Society of Ireland, an International Affiliate Member of the American Psychological Association (APA) and a Fellow of the Society for Chartered IT Professionals.
Her numerous research interests include: AI, Fintech, human factors in cybersecurity, organised cybercrime, online behavioural profiling, Internet psychology, personal cyber security and safety, online harms and youth protection online.
Sarah is an energetic and tenacious Director with over 20 years’ experience delivering, and advising the C-suite on, large-scale Business & ICT Continuity, cybersecurity, data protection and resilience programmes.
Sarah has been voted one of the ‘most influential women in UK tech’ and ‘top 50 most influential women in cybersecurity’ by her peers.
Glen has spent his working life involved in Policing and Security, falling into policing after a fashion by joining the RAF Police in 1998 when he discovered that university was expensive. During his time in the RAFP Glen carried out all aspects of policing, finally settling into Counter Intelligence, responsible for carrying out Counter Espionage and Counter Terrorism duties for the RAF at home and abroad in some notable locations, some you’d want to go on holiday to but most you wouldn’t. Leaving the RAF as a regular in 2012, as part of the Strategic Defence Review of that year, he began his journey into the private sector, first at Fujitsu Defence and National Security as their Head of Operational Security & Risk Management, before moving to Sopra Steria as Head of Operational Security for Government accounts. In 2016 he moved to the 3rd Sector, taking up the role of Chief Security Officer at The Prince’s Trust, as well as being appointed as the DPO in 2017 after opening his big mouth around GDPR. Glen moved to Save The Children International in November 2019, where he took up the role of Global CISO and Head of Data Protection for this prestigious charity.
Don't miss future guests including:
With twenty years as an information security professional, Deborah has been at the sharp end of changing attitudes to this discipline. With experience across multiple industries, and a gift for telling it how it is, Deborah celebrates the highs, revels in lessons learned and is not afraid to face the pain points of 2020/21 to date.
Deborah is an ISACA Certified Information Security Manager, Fellow of the British Computer Society and Chartered IT Professional specialising in Information Security Management; Security Governance; Risk Management; Policy and Compliance; Cyber Defence and Response; Crisis Management; Operational Effectiveness; Complex Problem Solving; Motivation and Leadership.
As Global Chief Security Officer of ByteDance & TikTok, Roland Cloutier brings an unprecedented understanding and knowledge of global protection and security leadership to one of the world's largest leading media, social, and online technology companies.
Originally Aired: 23rd February 2021
This episode is now available to view on-demand
What is wrong with recruitment and training in the cyber security industry?
There is a real need to attract new talent. But we are doing the same old things and things are still not working. It’s the people issue at heart. CISOs say “we don’t have budget” – but getting budget should be part of their job – we need to get the CEO’s attention. And we need to work more closely with HR, IT and operations to ensure that they do what we need. Understanding and helping to guide the whole organisation is the most interesting part of the job, and it is also essential. And to make this happen you need to humanise technology roles.
Spotting new talent and building relationships is the interesting part of the industry. But it is where we are dropping the ball. We are having major problems recruiting and retaining people. We demand crazy job requirements – looking for people with certifications rather than people who can do the job. Certifications can be important, of course, but we shouldn’t rely on acronyms. We need to hire people with potential and not just qualifications.
And we need to spend a lot of time engaging with the business. A BT study recently found that more than 50% of CEOs didn’t even know the name of their CISO.
People that know things are great. But more important is people who can think! These are not mutually exclusive, but you do need to encourage thinking. We are standardising the thinking out of things. Security frameworks say “this is how you do it”. But no plan survives contact with the enemy. That’s why so many security programmes are poor fits: organisations get breached because we are applying a cookie-cutter approach.
What is the best approach for recruitment?
Don’t go for one sort of person. You need to figure out people’s interests. Some might like risk management, others might like offensive or defensive actions. You need to attract people because they are passionate and then develop them. The army doesn’t look for snipers or tank drivers. It takes people who want to sign up and then measures their expertise. Some become regular foot soldiers and others become specialists. We need to inspire people rather than looking for people who exactly fit the holes we have. At the moment we look for certification rather than considering a candidate’s passions and their cultural fit. And so we end up with a homogenous team where everyone is a reflection of how we see ourselves.
Most people in the industry blundered in from other walks of life. Yet we are now obsessed with specific qualifications. And leaders who are short on time are just outsourcing team building to HR and recruitment – people who don’t understand the role. Leaders make this worse by failing to communicate that we need soft skills as well as easy-to-define hard skills. So leaders should be getting involved with the entire recruitment process, for instance by engaging with infosec communities and universities. Most JDs are 50% regular skill requirements and 50% culture and soft skills. Leaders need to spend time on this. It takes time, but it is short-term pain for long-term gain. And as part of this it helps to demystify the roles as far as possible. Technical JDs are not always the best descriptor.
Are apprenticeships a good way forward?
Apprentices may be one way forward. When you are 16 anything you learn will add value. You don’t need to know much when you go into an organisation at that age, as long as you have the willingness to learn. But apprentices are often treated as free labour and the training is not well structured. Unfortunately the execution of apprenticeship schemes often has to be done by the very people who put us into this situation, where we have skills gaps and homogenous teams. Apprentices don’t get paid much – but it is a lot cheaper than paying for an IT course. However, genuine opportunities to learn must be given for apprenticeships to be credible.
How important is training?
Training is essential and needs to be built into any programme’s budget. It needs to be specific to individuals – basic knowledge, practical skills, a particular project perhaps, and alignment with a particular role. That way we can create a customised, bespoke career path for everyone. And we can enhance people’s happiness and satisfaction with their role.
But we don’t do that. So people leave their jobs, often for more money because of the skills shortage. But money is never the No. 1 reason that people leave. If you treat people badly, fail to train them and give them a career path, and at the same time fail to care for them and inspire them, then they will leave. People don’t quit jobs, they quit people.
How much has culture at senior level got to do with it?
Security culture is often very bad. IT is often very stressful, for instance. HR departments recognise this. But often they make requirements, such as regular 30-minute sessions with individual team members, that simply are not appropriate. In security it may be more appropriate to adopt a collegiate approach where the whole team gets together to explore issues.
Managers are not always good at that. In fact there is a need for management and leadership apprenticeships within organisations. That’s a way of avoiding the Peter Principle, where people are promoted to their level of incompetence. So we need continuous training at all levels of an organisation. An individual who is shining as a technologist is made a boss and then can’t shine as a manager. Their team is unhappy and they are unhappy. We need to think much more about these soft skills and increase their importance. Leadership is rarely stated as an important hiring criterion: it should be.
Cybersecurity agencies and companies have the technologies and products to beat hackers – but what they don’t have enough of is cybersecurity experts. Experts who can utilise these technologies and products effectively, to protect the world from cybercriminals.
For both technological and geopolitical reasons, the global cyberspace is becoming increasingly lawless – like a virtual Wild West – which poses a stark threat to the public, governments and enterprises. Consequently, the number of active cybercriminals is rising drastically too, which is becoming more costly for nation states and enterprises.
No nation in the world currently has the resources required to implement requisite technologies and systems effectively, and this is the crux of a wider set of challenges that are leaving the world vulnerable to cybercrime. Governments especially need to commit real investment in expertise, training and skill development to start tackling the problem, while businesses need to recruit and develop enough cyber-defenders to protect our increasingly digital world.
Rises in cybercrime are nothing new. The general curve has been pointed upwards for the best part of 30 years now. It’s a less savoury staple of the global digital infrastructure that has evolved. However, this trend has traditionally increased on a steady curve according to the general progress of digitisation.
This year has seen a much more pronounced leap in crime figures, though. The reason: COVID-19. A recent Teiss report revealed that, between February and March, a private sector partner of Interpol saw a 569% growth in malicious registrations, including malware and phishing, as well as a 788% growth in high-risk domain registrations.
It’s quite logical, and it was predicted early on in the pandemic, but the figures are still alarming. More people are at home using devices that may not be protected. There’s been an even greater rise in people working from home, exposing any gaps in corporate infrastructures as workers move to siloed networks.
Achieving the same levels of security in these new environments, at a moment’s notice, inevitably presented a large security gap. And opportunist cybercriminals pounced. In April, there was around a 23% rise in brute force attacks on database servers, while our virus lab reported around an 8% increase of new malicious applications and code. By July, that latter figure had also risen to 25%, meaning that Kaspersky’s everyday catch of new malicious applications was topping 400,000, as opposed to 300,000 pre-pandemic.
The fact that COVID-19 has had a global impact isn’t detached from those statistics. While cyberthreats have certainly increased over the course of this year, collaborative defences certainly haven’t. Cybercrime doesn’t have borders, and criminals often hack victims in other nations.
Conversely, cyber police are often limited by national borders, and there’s very little cooperation between respective law enforcement right now as nations try to get a handle on their own state security. The result? Criminals have been afforded a global opportunity and a global pathway at the same time.
The answer in part is heightened collaboration and a more cohesive defence plan, and this is already being addressed at the highest level by virtue of the World Economic Forum’s Partnership Against Cybercrime initiative.
“To truly solve the problems that are not only happening out 'in the wild', but are escalating and intensifying, we must partner with law enforcement. This includes organizations like the FBI and INTERPOL, as well as local agencies and departments, and the lawyers and prosecutors that make up the criminal justice systems of countries around the world,” the Association stated in early October.
However, in addition to the collaboration issue, what events of this year have more immediately exposed is the mismatch between those who would attack, and those available to defend.
We anticipate there are hundreds of thousands of active cybercriminals in the world today, most of them only junior actors who may well be caught. But many will evolve, become smarter and more experienced, and eventually carry out highly complicated attacks. To add to the aforementioned perfect storm of 2020, this wouldn’t have been seen even five years ago. But now we see several independent, ‘mercenary’ hacker groups who are able to make big impacts on a global scale. Junior hackers are just the bottom of a pyramid that continues to rise. Individuals, corporations and critical infrastructure are all under threat from this pyramid, even before you get to the state-sponsored assortment.
The mismatch derives from the fact that we do actually have the technologies and products to overcome the threat. We just don’t have the manpower. In order to implement all required systems in the right way, we need engineers and cybersecurity experts. And there is no nation in the world that currently has enough resources to cater for that need.
The global problem of not finding enough security experts and engineers, at face value, is not having a strong team of blockers – of those who can protect mere civilians. It goes deeper than that, though. What an increase in manpower could really fulfil is a dire need for education. More widespread promotion of IT security education would facilitate a more population-driven defence to cybercriminal activity, but most countries don’t have the resources or the infrastructure to enable such a response.
Of course, education and the sharing of information would ease the challenge to an extent, but this once again sheds light on the geopolitical side of the situation. Despite each individual nation not having the requisite manpower to offset criminal threats, and those criminals taking a very international approach to attacks, the collective response is still far from united.
National data generated through everyday products and digital use manifests as information about you – about transportation, urban facilities, infrastructure, production. And all of this data becomes critical if misused. Critical for the individual implicated, for businesses, and ultimately for national security and its core structures.
This has resulted in an instinct to store data within national borders in a bid to limit overall impacts on the state – to localise hackers’ impacts. While that is understandable from a civilian perspective, it then leads to localised protection efforts, too.
Compounding the manpower issue that we already know is there, domestically, we then have more of an international transparency issue; something which Kaspersky has looked to rectify and assist since 2017 via our Global Transparency Initiative. Created to provide risk-minimisation measures for citizens, businesses and – as a result – states, it’s an initiative that promotes more open and visible adherence to security and protection standards. Our Transparency Center and Data Processing Center in Zurich epitomise these efforts and hopefully represent a step in the right direction.
While countries and companies need to invest more seriously into the manpower side of the equation, enhanced transparency and collaboration across borders can at least stem the tide of international hacking trends that have sky-rocketed this year. The hope in the future is that these two facets come together to mitigate cyber-vulnerabilities at any time.
Originally Aired: 25th February 2021
This episode is now available to view on-demand
How important is psychology as a skill for cyber security?
Most companies get hacked because of human factors. Technology plays a role but it is less important than humans. That’s good because it means we are doing a good technical job. But we are bad at designing usable security systems and secure business processes. It is social engineering that lets the attackers in most of the time.
AI gives attackers a chance to do social engineering at scale. Text-generating AIs are getting better and better. The most successful model is a hybrid one. Criminals start at scale, using AI, and then sort out the most promising opportunities, where they will invest in manual hacking. Social engineering is about creating trust with people. AI can do this by building a colloquial relationship with targets – a chatbot gets the relationship going by asking a couple of questions or perhaps asking for small favours. In a way this is what has always been done with computers – we automate as much as we can, and why shouldn’t attackers do that as well?
How is AI used in defensive security?
AI is something that helps pen testing. It is particularly useful for cracking passwords. If an environment is being tested to see whether someone can move laterally across a network, some form of credential will be needed to do this. People very often use patterns to set these. And AI is better than humans at detecting these patterns.
However, people tend to want a human element in penetration testing – they don’t necessarily believe whether AI-powered penetration testing really works. There needs to be a balance of efficiency created by a machine and trust created by a human. Penetration testing already uses automation though, and has for decades. It’s certain that there will be a place for more automation. However you will always need humans to understand context and the whole environment of what is being tested, together with a trust model and a risk model.
In addition, AI is only ever as good as the training data that is supplied to it. There will always be the danger of blind spots because the training data is incomplete. People don’t always perform successfully, of course, but there is a danger that they won’t feel confident enough to override a machine. It isn’t just about training data for AIs. End users also need training: experience of what works and what doesn’t is essential.
Pen testers take a lot of time looking for hard-to-find bugs. Automation is used to get most of the way there and then there is a need for a human analyst to pinpoint the exact vulnerability.
How is AI used in security recruitment?
AI can also be used in things like recruitment. Success is about ensuring the right models are used in the AI. The right rules and controls need to be in place, right from the start of the development. Ethics need to be written in from the very start and there must be checks and balances.
AI is still new in the recruitment space. There is still wariness about it: is it doing the same amount of background research, for instance? AI can be effective, but it does need to be programmed properly.
Recruiting often requires diversity. It does happen that diversity is hard to generate when using AI in recruitment. This may require humans to oversee. But there are other techniques. For instance, you could ask the AI to randomly pick some applicants as well as the applicants it “wants” to pick. The results of the random picks, and how successful they are, will then be used to improve the AI’s decision making.
We’re all familiar with the quote “the definition of insanity is doing the same thing over and over and expecting different results”. This is especially true when it comes to cyber security.
Organisations spend millions of pounds trying to keep their networks protected from cyber attack, but more often than not this fails. They assume that if they allocate a substantial pot of money and purchase the right products and services, they will be secure.
Evidence shows this isn’t the case as some of the largest and most expensive data breaches in history occurred at companies with significant investments in cybersecurity tools and platforms.
The key issue here is that organisations can have all the tools and talent at their disposal, but if they don’t understand where the weaknesses are in their infrastructure - and many don’t until a breach occurs - they will always be on the cyber security back foot.
It’s time for organisations to recognise that the technology ecosystem and the threat landscape have evolved, and that a new approach is necessary for more effective cybersecurity.
The combination of a crippling skills shortage, a continuously changing landscape due to digital transformation, and the fact that humans make mistakes has created a perfect storm whereby it’s simply impossible to see the cyber security wood for the trees. Let’s look at each of those in turn:
By relying on manual inspections of systems and data for evidence of unexpected activity and indicators of compromise, cyber security teams will find themselves on the losing side.
A study from Forrester recently warned that IT security professionals are becoming increasingly concerned about the rise in cyber crime powered by artificial intelligence (AI). But it could also be part of the solution.
Businesses of all sizes continually seek ways to increase efficiency and profitability in all areas of their organisation – and cyber security is getting in on the act. Regardless of the industry or application, automating mundane and repeatable tasks that are people-driven allows businesses and individuals to concentrate on more productive problem-solving, network-defending activities.
An added benefit is that it’s these problem-solving activities that foster innovation and can lead to a more resilient cybersecurity organisation. According to a Research and Markets study, the market for cyber security automation is anticipated to grow for the foreseeable future and is projected to exceed $38 billion by 2026.
There are several signs indicating that your organisation needs security automation, including a breach, lagging response times, overwhelming false positives and a need for more efficient and cost-effective operations.
The good news is that cybersecurity products designed to automate much of these processes are already widespread, and the likelihood is that most organisations will have already implemented automation tools somewhere within their organisation. Adoption rates vary, but a recent study predicted that the majority of companies (77 percent) plan to use automation in the next three years.
One of the top benefits of automation is that it gives your team members more time to focus on other security issues. At the same time, it’s an opportunity for your team to map out the very processes that enable successful automation. It enables organisations to be proactive about improving their cyber resilience rather than being target practice for any new malware that’s out there.
Automated penetration testing is a great example. Focused on the inside threat, automated penetration-testing platforms mimic the hacker's attack. These tools "deliver" a pen test by using either an agent or a virtual machine (VM) that simulates the pen tester's laptop and/or attack proxy plugging into your network. The pen testing bot then performs reconnaissance on its environment by doing identical scans as a human would do.
Once the automated tools have established where they sit within the environment, they will filter through what they’ve found. Detailed reports are produced together with proposed remediations, all one step ahead of tomorrow’s malicious hacker.
Automation and integration of cyber-security in business operations is becoming a critical way of saving resources – revenue, data, and reputation. Implementing automation could be vital in order to reliably protect organisations and ensure resilience through robust and repeatable processes.
Dave Henderson has a wealth of cyber security expertise after spending more than two decades helping many of the world’s leading enterprises defend their digital assets. As Co-Founder of BlueFort Security since 2007, David and his partner have been working with household names and central and local government to strengthen, optimise and mature their cyber security solutions.
Air Date: Tuesday 2nd March 2021, 16:00 (GMT)
Allan Alford - CISO/CTO, TrustMAPP
Vicki Gavin - Head of Information Security & Compliance, Kaplan International
Bridget Kenyon - Chief Information Security Officer – EMEA, Thales Digital Identity and Security
Nick Martin - Consulting Director, Iomart
Air Date: Thursday 4th March 2021, 10:00 (GMT)
Deborah Haworth - Chief Information Security Officer, Penguin Random House
Nick Thimianis - Chief Information Security Officer, Caresocius
Ian Brown - Group Cyber Security Director, Spectris Plc
Air Date: Tuesday 9th March 2021, 16:00 (GMT)
James Hamon - Chief Information Security Officer, Financial Ombudsman Service
Christian Toon - Chief Information Security Officer, Pinsent Masons
Nir Chervoni - Head of Data Security, Booking.com
Air Date: Thursday 11th March 2021, 10:00 (GMT)
Cristian Cucu - Chief Information Officer, Societatea Nationala Nuclearelectrica
Russell Favell - Head of Security Operations, Close Brothers
Ste Watts - Head of Security Operations, Aldermore Bank PLC
David Petty - Cyber Specialist, OpenText