Originally broadcast on: Tuesday 30th March 2021, 16:00 (BST)

Making your people the CISO of their own homes

In this episode of teissTalk we discussed:

  • Aligning home-life security and company security in the “new normal”
  • Focusing on awareness for remote workers
  • Rewarding and recognising colleagues who do the right thing for security


Transcript

Jenny Radcliffe
Good afternoon, everybody, and welcome to another episode of teissTalk with me, your host, Jenny Radcliffe. We have got a great show for you today. Later, I'm going to be talking about aligning home life security and company security and making your people the CISO of their own home. Are they ready for it? Do they want the job and can we help prepare them for the challenges that they will face?

Later we have a great panel, I'm joined by Jitender Arora who is CISO at Deloitte, Sudeep Venkatesh, who is the CPO at Egress and the Global Deputy CIO of Zoom Gary Sorrentino. But first, I'm going to speak with a remarkable lady who's had a great career in information security. I'm joined by Gaynor Rich, who is the Global Director of Cyber Security Strategy at Unilever.

Gaynor Rich
Hello.

Jenny Radcliffe
There you go. Hi Gaynor, welcome to the show.

Gaynor Rich
Hi, thanks. Looking forward to it.

Jenny Radcliffe
It's so lovely to have you joining us. I want to ask you, there are so many questions. I have so many questions for you. Firstly, I mean, the last year. We always ask all the guests, what was it like? We're a year in now to lockdown, remote working, but what was it like when the pandemic first hit? I can't imagine that a company that makes, well, soap wasn't incredibly busy? Ha ha.

Gaynor Rich
Yeah, yeah, it was. I mean, like everyone, it was quite a shock to the system. Although I think from a working perspective we were already operating in an agile way, so the shift to homeworking wasn't that big shift that some organisations had. We were able to sort of revert to that quite quickly from, or immediately, really, from an operating perspective in the offices. Slightly different, obviously, in a factory setup but a big transition and, as the responsible organisation that we are, we turned a lot of our capability over to support the drive to support covid. Printing components for PPE and actually turning over to making hand sanitiser, which actually we've started doing. A lot of our well known brands are in the sanitiser space now.

Jenny Radcliffe
I know. I mean, you did make them before and now we can get all those nice smellies. I suppose, that must have been strange, though, in a way, to suddenly go, "Oh, wow, we missed a trick. Didn't expect that to happen", and then just be able to switch.

Gaynor Rich
Yeah, just being able to switch over. But I suppose it's the wonders of modern technology really been such a factory for producing one type of soap to adding in the hand sanitiser.

Jenny Radcliffe
So, I mean, let's talk a little bit about, you've been many, many years overseeing sort of strategy initiatives, cross-functional projects. I mean, a year and now what should people be focussing on in terms of strategy, in terms of going forward and looking to the next year or two now that we're hoping to come out of it all? What do you think the sort of security team should be looking at?

Gaynor Rich
I think 2020 was a pivotal year, I think, for cybersecurity. For any organisation, really. We have the rapid move to remote workforce, but it's also accelerated the digital transformation across most industries and that's put a strain on the cybersecurity team. It's stretching those resources very thinly across the organisation, but it's also expanded the attack surface and the vulnerability for an organisation. So it is about being able to adapt. I think we've adapted quite well. Most organisations have adapted well to the homeworking scenario and got up to speed with that over time. But as we go forward, we're probably going to move into a more blended environment with people, some people shifting back into the office and some people continuing to work from home and we may have to flex that on an ongoing basis, depending on how we control the virus and deal with those sorts of things.

So I think it's very much about, for me, focusing the clarity of communication, making sure that we're clear about what we're saying to people in terms of security that reflects the types of audiences that we're dealing with. It won't be a one size fits all in terms of messaging, and we need to make sure that we're doing that in a way that we can effectively explain complex issues in a very simple way and that's easy for people to digest because there's a lot of noise out there. There's a lot of messages coming around, all sorts of things, not least of which covid at the moment. So it's about being able to hit people at the right time with the right message that that works effectively because they've got a lot of things to digest at the moment.

Jenny Radcliffe
I mean, absolutely. We're going to look at that in the panel as well. I mean, not that that's part of today's theme really, is the fact that everyone's taken off the mantle.

Gaynor Rich
Yeah. Yeah. No, I think it is really important. But as we, we're only going to achieve that by working collaboratively with the business partners, working with the individual functions and educating them about the changes that are needed and understanding the different nuances of maybe those different functions, what they might need. So, for example, our Research and Development department might need a completely different approach to our office workers or those within particular markets, depending on what's going on. I see us moving to a more integrated approach, more integrated cyber approach across I.T., within I.T., rather than a separate function. The rapid pace of change, we've got to be able to keep pace with that and to keep operating as a separate function, I think is just going to slow that pace down. We can't scale if we don't actually have a more integrated approach and share the responsibility for cybersecurity more broadly across the organisation.

Jenny Radcliffe
That's really interesting that you say that. I don't think I've heard that, you know, that applied really to the function before, that we couldn't scale unless we do communicate properly. That's really interesting to me. Can you expand a bit on what you mean? Do you mean because we're all taking on the role or?

Gaynor Rich
I think because we're moving into an increasingly digital world, people are having to make decisions about cybersecurity on a daily basis. Almost every day, all day, people are making these decisions. It's not a point in time decision. It's not just around a solution or a particular process. It's literally everything they're doing on a day to day basis. So it's important that people are educated and understand that. We need to break down the mystique. It's a bit, it's seen as a bit of a magic art. As if only people in cybersecurity and can do cybersecurity and it's like, "Oooh."

Jenny Radcliffe
Did you call it a black box?

Gaynor Rich
It's a bit of a black box in the corner of I.T.

Jenny Radcliffe
In the corner of IT.

Gaynor Rich
It's like smoke comes out now and again and that, yeah, it is a bit hidden away, and I think it's actually it's not you know, it's not a dark art. It's just part of managing your I.T. infrastructure and it doesn't matter what the organisation is making or doing or, you know, we're all very dependent on I.T. today. So we need to make sure that that knowledge and capability is within the DNA of the organisation and that we need to really drive that, because if we're going to be agile and we want to grow with ambitions, we're going to have to enable everybody to be able to do it, not just.

Jenny Radcliffe
That's what the rest of the business is doing. We shouldn't see ourselves as separate, and this is a theme that comes up over and over again on this show, is that we are, it's a business function. It's not a separate function.

I'm going to ask you a question in a second, but I just want to say welcome to all of our audience who I can see are already chatting away there in the chat tab. If you have questions or comments for me or the guests, you can put it over in the chat tab and do remember that the best question or comment string will win the very coveted teissTalk mug, which even the guests do not have automatically. So please don't forget. Our Teiss elf there at the bottom. Still doesn't have a mug and isn't getting one either, I'm afraid, but yes. So do ask questions, do comments in the chat. We love to hear from you all.

You know, we're going to pick up on a little bit of what you said Gaynor there a little bit later on when we talk with both the article with the panel in just a moment. But I want to speak to you because obviously I researched the guests and I look at some of the sort of strengths and the passions that they have and I know you kind of touched on it there, but how do we go about making staff comfortable raising these issues when they make, they're bound to make these mistakes? We're going to talk about those in a minute with our panel and the article, but I know that you're very much about making people comfortable raising these issues. You've mentioned inclusivity and bringing everybody sort of on board to the function. Do you have tips for people? There's a lot of people who are doing CISO jobs or similar in our audience. What kind of things do you find to be best practice there?

Gaynor Rich
I think it's, it's got to be within the context of the organisation. So the population within an organisation will operate and communicate in a certain way. So, for example, at Unilever, very much in that marketing arena. So I chose to use the approach of marketing cybersecurity to marketers, but it's about finding that context so that it resonates in the right way. I think it needs to connect with people on a human level. It needs to be more about protecting the people and the data and something they can share with their friends and family as much as it is about the organisation. I don't want people having to think differently when they come to work. I want them to be able to think naturally and to behave naturally in what they're doing because they don't trip up in that way because it's something they do naturally and it's equally something they can take in and protect their own homes and families with the same messages because the same sort of attacks are coming to people.

Gaynor Rich
But yeah, it's also about being open, having an open door. I always run a sort of non-penalty based approach. It's about encouraging people and being able to respond as an organisation quickly to that, because if nobody tells you anything, there's lots of things hidden, hidden away, and you never know when that's going to come back to bite, and especially in today's social media driven world.

Jenny Radcliffe
Everyone will just get round it. If they can't come and talk to you, they'll just get around it their own way.

Gaynor Rich
They need to be, yeah, they need to be open and get people to come and tell you because, yeah, it might make your hair stand on end but you have to sort of do that the same way you do when your kids talk to you, you have to pretend all calm and normal when sorting it out.

Jenny Radcliffe
But not really, ha ha. No, I'm sure you are, I can't imagine you being anything other than calm.

Gaynor Rich
But yeah, and what we found is if we sort of combine that sort of education and regular cadence of communication so that they're getting. It's not just a once a year thing, it's something that's happening on a regular natural cadence that there's a communication channel that's open and people know where to find information and they get acknowledgement when they actually come forward. So it doesn't just go into the black hole that is cyber security at times. So it is responsiveness and we found that engagement has really driven a huge increase in reporting and it's enabled us to be much more proactive on the defence side of things.

Jenny Radcliffe
That's, I mean, I think that's great advice and I'm sure no one would argue with trying to open up more, I think it's difficult to do it. I think what we're going to do is have a look and see what this article says about that, because this is, like an expert Gaynor led me naturally into our article. So I'd like to welcome up onto the stage Jitender Arora from Deloitte, Gary Sorrentino from Zoom, and Sudeep Venkatesh, who is from our lovely sponsors today, Egress. So welcome, gentlemen, to the stage and let's have a little look at this article in just a minute.

There we go, there's Sudeep and Gary. Hi, gentlemen, and I guess we will have Jitender any second. First of all, just another reminder, we do have some questions and some comments coming in and I will award a mug at the end of this show. OK, a little bit of background noise there. We're going to carry on like pros, ladies and gentlemen. Just to know that despite what Pendle says, the Teiss elves are not getting a mug. I vote 'no', and it's my decision.

So let's have a little look at the article that we have today, which was in Information Security magazine and it was from, it's some statistics from a poll done by the company First Point. It polled a thousand UK adults who best understand how life under the lockdown was affecting corporate cybersecurity posture. There were some interesting fads and fancies in this, folks. I mean, some of it was fairly obvious, I think. You know, over half of people reported increased personal pressure due to covid and younger respondents said that they suffered more than older respondents. That was younger, I think they were under thirty three or something like that. So that's kind of obvious and then it said that the main thing that they were worried about or that they felt pressure was to be available for work outside of normal hours. If I come to perhaps Gary, first of all, welcome to the show, Gary.

Gary Sorrentino
Thank you.

Jenny Radcliffe
Pressure to be always available to talk about work no matter what. You know, this technology, you know better than anyone, is fantastic, but people are saying they feel pressure from their firm to be available all the time. Any thoughts?

Gary Sorrentino
Well, I think that's true. I think especially today. Think about it. We all work in a, in a global community, a lot of us. And even if you don't work in a global community, I work for a West Coast company. And so today, asynchronous working is something that's new to us. In other words, before it was you usually work around the people that are close to you. You come in at a certain time, you probably take the same train every day. You work your same schedule. We all go to lunch for that same hour, if we get lunch. We all leave around the same time, especially if you live in the Manhattan area, it's very regimented. All of a sudden now you're hearing those bings because you are living at work and you're hearing that bing at eight o'clock at night from your superior, your boss, he's sending you an email eight o'clock at night. It probably says something like, "It's OK if you don't answer this tonight." You're a young employee. You're trying to move up in the company, right? Of course, you're going to answer that. So I think today there's a lot more pressure from people to extend their hours into what we're calling asynchronous working.

Jenny Radcliffe
I mean, I'd agree and I don't think it's necessarily the lockdown or anything else that brought that on, I think we were going that way anyway if we weren't careful. I mean, Sudeep, what about your thoughts on that? Do you think we were going that way anyway? It's just been exacerbated, if you like, by this remote working culture we were all plunged into immediately.

Sudeep Venkatesh
Yeah, absolutely. I mean even before, you know, covid and the lockdown had, we saw that people were under more pressure, you know, we felt with mobile devices now you're always forced to be always on. I'm embarrassed to say that, you know, the sort of the last thing that I look at before going tonight is my cell phone and the first thing in the morning as well. So those pressures, the blurring of home and life, plus the increased attacks that we're seeing now in the cyber security space, both in the home and office environment, I think that leads to more pressure and stress with employees, definitely. So while, you know, to answer your question, while we're seeing this escalated post covid, we were certainly moving in that direction even a couple of years before that.

Jenny Radcliffe
Mm hmm. I mean, Jitender, it's work-life balance we're trying to achieve, I'd imagine. I'm not sure that work from home has helped with that.

Jitender Arora
Yeah, I think the work life balance personally, I think it's the balance is completely gone. At least when the covid started, because I think it's all about being human. When everybody started working remotely, I think everybody started feeling anxious. We started missing the touch. So we wanted to be part of the conversations because you're not in the hallway anymore. You're not meeting people in the coffee shops. And also this uncertainty, it also came about the job security and everything else, so people wanted to be out there and nobody said no, that we should not be doing so many meetings. So I think it's so all of that uncertainty and insecurity and everything else combined together, I think created the culture where you are just chained to your desk, back to back meetings. And when your day starts and finishes, all those kind of boundaries kind of slowly and eventually at some point, I think the work life balance of that boundary completely diminished. The people didn't realise what time they actually can. Sometimes I was a bit guilty, you know, making a sandwich while on the phone, you know, moving away from my desk and taking it on my handheld device and then trying to make something to eat. There, I'm not even paying attention to what I'm eating. I can't even remember what it tasted like, and at the same time I'm doing the meetings. So I think it's been, I think all of us have suffered from that kind of change that happened very rapidly before we could get our head around it.

Jenny Radcliffe
I think that's a great point and I think it's a good point for a poll. Let's ask our audience whether or not you feel more pressure post covid to be continually available the entire time. Yes or no? So let's see if our elves can get that posted up for us. You can answer the poll question in the tab should be on the right of your screen.

Jenny Radcliffe
I mean, I think there were great things as well. You know, we've spoken on the show before about flexibility. It gave people, in terms of people with disabilities, maybe it was proven it can work from home. People who have family responsibilities, who found it difficult to commute suddenly could work from home. There were great things. I wonder if some of the pressure we put on ourselves and I guess, like you all said, you were sort of going there anyway. But what's worrying and I'm going to come to Gaynor Rich on this one first, but what is worrying is what happened next, if you like, in the poll because, yes, the work life balance thing and the mental health thing is an issue. But it's what the polls seem to suggest was it was also translating into risky behaviour from a cyber security perspective from our colleagues at home. For example, increased use of shadow I.T., negative impact on decision making, people making decisions, grabbing emails like Sudeep at quarter to midnight at night. Last thing you do before you go to sleep, it comes in, do I answer? Things like, Gaynor, citing things like instead of BCC'ing the entire organisation, CC'ing the entire organisation. Obviously security risk, but they're stressed they're burnt out. Any comments on that?

Gaynor Rich
I don't think I've seen anything quite like that. I think definitely there were people sort of feeling compelled to be in back to back meetings, whereas you might have had a meeting standing up by the coffee machine talking to somebody just because you bumped into them. You weren't having that, so that sort of 10 minute coffee chat turned into a 30 minute Teams meeting, or Zoom meeting in what you were doing and certainly there's been a significant upswing in sort of phishing activity that we've seen and really, from my perspective, it's about sort of trying to communicate with people in a subtle way, not bombarding them with messages, but trying to keep it on a regular cadence, but at a subtle level and not trying to communicate or scare them with, like phishing exercises around covid and things like that, because there were a lot of messages and when we saw those messages coming through, we would actually start to generate some communications with the teams and the local teams to make people aware of it. So it's more of a, "watch out for this type of thing" rather than a long lecture or a long piece of training or anything like that. And really and now we're looking at sort of nudge theory and technology to sort of help just give subtle nudges on a limited basis, not sort of bombarding people, but with those sort of reminders at the point of action so that it sort of learns what the user is doing and then gives them the right message at an appropriate time based on their behaviour. They're trying to sort of keep it subtle, I think, but keep it focussed and remind people.

Jenny Radcliffe
Yeah, I mean, I think, we had a question for you that came in from one of our regular audience members, Lee, who was saying there must have been different cultural differences. You know, you're talking about change and making people aware. The article actually says we should make them comfortable, raise awareness and model positive behaviours. But specifically to yourself, Gaynor, I'm going to come to the gentlemen in a minute about those three points, but there must have been cultural differences in training and then on top of that, there was the distance thing and the fact that, as you said, people can only absorb small amounts during a crisis. Do you want to comment on that question for us, how did you do it?

Gaynor Rich
Yeah, sure. So through the culture and education programme I've built up over the years, anyway, we established that local presence in our key markets so geographically and for exactly that reason, so that we could communicate in a way that's culturally appropriate, both business culturally in that particular geography, but also within the country culture and that network of champions, one hundred and thirty strong now, have been a great help in driving the culture change and communication before covid and really came into play in that and we also learnt an awful lot about the different ways of communicating in the different regions. So it's a much more tailored approach, so we're able to communicate a similar message but in a way that lands appropriately within each of those geographies by leveraging that skill and knowledge on the ground and we do a lot of communication in local language as well. So I think all of our training is now in about twenty six languages so we try to make it as personal as we can. You have to build from a base of very little, but we're fortunate that we've done that work before we got to the covid situation so I've been able to leverage that in this environment.

Jenny Radcliffe
Excellent. I think these are great tips. Coming to the gentlemen for a minute. I mean, I am building on what Gaynor said, they've said that the research that companies need to take into account the unique psychological and physical situation of home workers when it came to awareness in I.T. training to make them comfortable, to raise awareness and to model positive behaviours. I mean, Sudeep Venkatesh, easier said than done in a crisis?

Sudeep Venkatesh
Yeah, definitely. While we were seeing an uptick in people working under more pressure, we're seeing more data breaches, especially in the email space with what we're calling human activity breaches. So this is where, under pressure, people make mistakes. I.e., you typed the wrong Jenny and autocomplete and that could be a big data breach. Second, people intentionally commit breaches. Now this sounds a lot more nefarious than it is. It could be you sending a sensitive document to your home printer, for example. You intentionally know that that's breaking I.T. security policy. And number three, people get fooled or they fall victim to phishing attacks and there was a statistic somewhere that said there are 60 more attacks every month created because of covid. People pretending to be the government, giving you refund checks, etc., as well, asking for your bank account details. So, you know, people making mistakes, people on purpose exfiltrating data and falling victim to phishing attacks. So these are sort of human activity breaches that we see, especially in the email security space because of additional added pressures of covid and working from home.

Jenny Radcliffe
I mean, we would say that socially engineered all the time, this is a perfect storm because people thought the information was terrible or at least varied coming from all governments because nobody knew what was happening and then we had the fear and everything else coming from it. I suppose there was one bit that I didn't like, which they did say that people should know the rules written and implied. I mean, to Gary, written and implied, Gary? Can we rely on people to know the implied rules in a situation like this?

Gary Sorrentino
I don't think we can about the implied rules, but there's something you said at the beginning here about the whole physical and psychological part. There's been a lot of studies about how we when we commuted to work, we used to change from our personal life to our professional life, and we all had two personas. Yeah, well, now that we're home, we're living a very casual, personal persona. And so we kind of forget those guardrails that were reinstalled in us every morning when we walked in. Like, I worked in banks most of my life. There were, no one would pick up a camera and take a picture of a screen on a floor in a bank. But at home, if I wasn't able to print and I needed what was on the screen, I'd pick up my iPhone or my iPad, take a quick picture. So I think those rules being implied, the self-governing, the good behaviour we kind of lost because we never put on our professional life anymore and now what's happening is things that weren't used in the corporation. Shadow technology, like you said, right, using your iPad a little more, that's not approved by work and things like that. They will come back into our lives. Look, I'm sure I have texted someone when I probably should have sent them an email that would have gone through the corporate firewall at the end of the day, or I've received a text from a client who said, "hey, aren't we supposed to meet in 15 minutes?" Now, maybe that's benign, but at the end of the day, I'm still dropping my version of implied rules in benefit of I'm working from home and my personal persona is being more strong than my business persona.

Gary Sorrentino
So I think that there's a lot there that we have to consider and I know Gaynor talked about at the beginning is when we do these type of trainings and we talk to our staff, we have to take into account where they are and where they've been for 12 months. Then we need to take into account where they're going and I think the going is going to be a lot slower than any of us think right now, especially from a cyber training perspective.

Jenny Radcliffe
I mean, I think you're right and I just want to pick up on a couple of the comments about sort of the risk appetite and the changing risk landscape that are coming up in our comments from some of our attendees like Gary and John. Jitender, you've answered this sort of in the chat a little bit saying, can we expect colleagues to check patch certificates for home uses? Knowledge is a dangerous thing, do we have to change our risk appetite? You said it had to be reviewed and refreshed, do you want to just explain whether you think that's happening?

Jitender Arora
The thing is, the norms have changed because earlier you always used to think of the home network perimeter as something. Now everyone's home is in a perimeter and now you are connected to a home network where you have got smart devices connected. I was speaking to one of the colleagues and they said, "Oh, I don't have a lot of home devices." So I told the person, let's just log on to your router and basically see, and there were around 15 devices. The person didn't even realise that 15 devices were connected. So who's keeping those devices up to date, and your corporate asset, your corporate laptop, is the only one device out of those 15 connected to the network. So the concept of the perimeter, right, is changing. And that's where I think everybody needs to be and I say this interestingly to quite a lot of people, that everybody needs to be a CISO at home, even though it may sound daunting but some basic, fundamental things to do.

So risk appetite can change because very rapidly, a lot of organisations who are not used to at home working and flexible working, they had to pivot very, very rapidly and that to finding different ways. Example, if you didn't have enough laptops in stock, what do you do? You have to allow some of your people to connect to remotely into the network using your personal devices. People had to spin up the remote capability in aid of duress or to avoid that. All of this was happening very, very rapidly. In normal course, you will take months to kind of look at everything else and come up with the risk assessment for the right controls and right design. That luxury wasn't there because the demand was such that you had to adopt new technologies, new collaboration technologies very, very rapidly. I think Gary has been part of all the Zoom, the noise that happened in the market, a lot of which was basically the ignorance, lack of knowledge, but not be able to understand anything, even enabling some of these technologies.

So the risk appetite had to change at the spirit for the better good in terms of enabling the workforce not just to work, but to connect, to be able to interact with each other. You have to find new ways of working and at the same time go back and look at making sure when something has been adopted rapidly, the risk appetite has to change to say, OK, some things which were not acceptable in the previous norms then become more acceptable today in terms of facilities, in terms of the way you're going to do things and what also that meant retrospectively you have to go back and put some controls in place to be able to make sure that some of the risk that may not have been considered, you have been able to consider that properly.

Jenny Radcliffe
Yeah, I mean, I think it's interesting that there are practical elements, but like I said, there's also sort of that psychological element that's going on. And I think that sounds quite nice with this idea of of what you've just mentioned, Jitender, which is that CISO of home thing. I'm not sure people, I mean, that's a poisoned chalice at the best of times. I'm not sure people are ready for that.

Jitender Arora
I think people are ready. I think the problem that we have today, I got a phone call and in fact, I put it on speaker to kind of make sure my wife and my elder son, who were home, could listen to them and that phone call was very professional. Automated voice, a very, very professional voice coming in saying "This is a call from National Crime Agency. Do not ignore this call. We have seen your Social Security number" and the number being used for fraud and everything else, and that would be cancelled within 24 hours, you must speak and then actually really emphasising you must speak to the agent and press one. Only one option was given on the call to press one. Now, if you think about it, attackers, all the people who are committing the fraud, they don't care what kind of level of diligence you have. So everybody has to uplift their knowledge about some of the basic fundamental principles. I think that's where for me cyber is becoming a mainstream topic rather than a corporate topic. It's a topic that applies to our daily lives, not just the corporate world anymore.

Jenny Radcliffe
And that goes back to Gaynor's point earlier, about integration, a move in the function laterally, if you like. I wonder if you're asking too much of people, Gaynor, you know, we're just about trying to get people to know what phishing and spear-phishing are and now we're asking them to be a CISO.

Gaynor Rich
I think it's probably a bit daunting to use that title, really. I think in my experience it's about keeping it simple and making it cover the basics as much as anything. It depends on the industry that you're in and what you're trying to protect, but I think it's just about sustaining that communication and giving people the right tools and information, but keeping it simple, because there's a tendency from a technology perspective to overcomplicate things and speak in a technical way, which we all understand. We will get it, and we totally understand all the risks. But it doesn't necessarily land in the same way, because people's focus is in a different place, their attention is directed in a different direction, so they don't hear it in the way that it may be communicated. So it's about really trying to tune into that. I've found it works if you can catch them at the point that it happens, like we're seeing. I just look at even my friends and family, the amount of post office messages. They're trying to tap into the fact that everybody's ordering online and there's loads of deliveries. My husband's had about three messages saying there's a package waiting at the post office and you've got to pay some money, and UPS packages. So it is about being able to tap into that and recognise those.

Jenny Radcliffe
What Jitender said, putting it on the speakerphone: let's make sure you all hear this, this isn't real. I mean, I suppose I'm going to go to Gary, just because I couldn't let you on without asking. Zoom was really one of the heroes of lockdown, in a way. I mean, it was certainly a success story and you've been praised for lots of things, and also for how you handled the transparency and the clear communication, even after security issues that you fixed yourselves in the early days of it. It sort of emerged, I mean, nobody says "a video call", I don't say "a Teams call" or "a video call", I say "a Zoom". I think it's become part of the lexicon after covid. I mean, what sort of lessons would you give on those comms and being clear and adapting to all of this, Gary?

Gary Sorrentino
Open and clear communication is number one. People will trust you then, right? I think that, even taking off from your last topic, sorry, we've all had a CISO title in our background, right? And we were all Dr. No's along the way, right? And so when you say "CISO of your own home", that's a negative connotation for most people. So I think open and clear transparency is there and, two, really sitting in where the users are. What you saw with Zoom as we went through it, a lot of it was just that we used to sell to enterprises, and enterprises would take our package and they would go through all the settings and they would set them up for their security posture. Great. When schools started to use it, there wasn't an enterprise CISO to do that. So now they have to figure it out. And one of the things that we looked at was, we had to change the product to say, let's turn certain functionality off. You need to figure out how to shut off the password and the waiting room now, rather than leaving them off, and then you heard about those meeting interruptions. Please don't use that other word. But at the end of the day, what we had to do was be very clear about the tools and controls that we already had in the product and amplify them a little bit, so that people would learn how to use them. I think one of the things we did is we said, how do we show people how to use our product in the world they're living in today? Not the world we were living in pre-covid. And I think that's been some of the problem along the way: too many people are doing things in this cyber world, from a security standpoint, based on what we knew. And those guardrails don't work anymore. It's more about, here you are. You are going to use shuttle technology. You are going to have your iPhone and your iPad right next to you because you're home. But if you are going to use those products, here's how we recommend it. And I think that's what we missed a lot of times when we first went through this.
Look, we were all caught with, hey, everybody, go home. In the United States it was basically March 13th: go home, grab as much stuff off the desk as possible. People were driving home with monitors that didn't work at home, and they were grabbing printers that they couldn't get to work at home, but they grabbed as much stuff as possible and we went home unprepared. And then I think for the next three months we tried to keep teaching and training people in a legacy manner. Because we didn't even get up to date, because here's the problem: we're trying to teach people how to work in a virtual environment while we're still in a virtual environment ourselves. So you sent home all the employees and you sent home all the clients, right? And everybody's trying to learn at the same time. So I think one of the things we did was the weekly message out to everybody. It was clear and transparent. We came out with a roadmap of what we're doing. I think we did a really good job of explaining why we would do things. I'm not just saying, hey, you can no longer use your iPhone for work purposes. No, that's not good enough anymore.

Jenny Radcliffe
And it's not realistic.

Gary Sorrentino
No, it's not realistic, because first of all, at home, there's no one looking at me. There's no camera here. I can do what I want.

Jenny Radcliffe
And there's no one to check. There's no one to look at and say "Am I supposed to do this?" I think that's a brilliant summary, Gary, of what I thought was an excellent way of handling some of the issues at the beginning. I mean, Sudeep, I wonder whether you'd agree that context and transparency are very key here, both for the enterprise and for all employees?

Sudeep Venkatesh
Absolutely, and I think, you know, my fellow panellists all work for absolutely amazing brands that you would instinctively know would have business continuity plans in place and security policies in place. But in the first three or four months of covid last year, we talked to thousands of customers, many of them local authorities in remote parts of the UK, small hospitals in the Midwest of the US, as well as large investment banks on Wall Street, with different levels of funding and different levels of planning, which all, as Gary said, had to start working from home on day one. And the concerns were very different. You know, some of the poorer charities or organisations were like, "Hey, we don't even have laptops to give to our employees to take home. What are you talking about, security software?" So the pain and the readiness, and what people had to do to hustle and get through those first few months, was very, very different, depending on where they were based and what sort of a business they worked for.

Jenny Radcliffe
Yeah, absolutely. Well, I mean, I think, you know, I'm really enjoying this discussion and I'm glad of the chat and the questions. Don't forget to answer our poll, folks, we are looking at an award of this nice mug. I have an idea who might get it this week already. So get a question in if you want to be in the running.

We're a year in now, and we're a year into this idea of, I had a conversation with someone last week who said, we're a year in and still it's "because of the covid thing" when something didn't work. And my patience is running out with them. Like, we're a year in. You've had a year to adapt. What's the plan? And we've got a partial return to work looming. What do you think people's plan should be, where should they start planning on this? Maybe if we go to Jitender first, what do you think organisations and security departments should be looking at for this hybrid return that's coming up, certainly in the UK, in the next week or next month or two?

Jitender Arora
One thing is, I think we have been doing a lot of work, and leading the work in the industry, on the future of the workplace. So I think it's going to change. I think a lot of people have realised, I can tell you some examples within my team where people are now talking and they're coming and saying, you know, having kids and wanting to be closer to their families, and now seeing for the one year how remote working is so effective, coming back to the work-life balance question, that they can have a much better life if they are not confined to one specific location they can work from. And that is basically not just coming from the corporate strategy perspective, but that's coming from the employee perspective. That's also opening up a completely different dimension in terms of the talent pool available, to be able to get the right people. So I think the future workplace is going to be very different. I don't think we're going to go back to the old normal. It's going to be a completely new normal, and what that would mean is, I think, the same principles still apply. What does it mean, working remote? How do you conduct those meetings safely and securely? How do you exchange the information? So it's about different rules. I think the digital adoption happened very rapidly. I think digitisation was happening. But if you look at the digital adoption that happened, at a scale and at a pace, over the last 12 months, I think that's phenomenal. And what that means is now there are different rules to operate in a true digital hybrid environment, and what it means from the security point of view is about educating our people in terms of what security means in this new world, in their personal lives, just like cybersecurity-savvy behaviour in the digital world, and we have to start kind of debunking that a bit more, or talk to the community in a way they understand, and that's what I think about sometimes.
I think I was making the analogy from our Neighbourhood Watch email list that we have in the area. We have seen more issues actually in the neighbourhood than ever before, but the advantage we get is that every time the Neighbourhood Watch contacts the Police Department, they share with us what's happening in the neighbourhood, where something has been taken from, and some simple tips, so everybody's learning very rapidly. So we need to talk about those stories. I think we need to explain what can go wrong, why some small action that may have happened matters, so people can start opening up their minds about the real threat environment that we live in. And once we start being a bit more open about it and sharing simple tips, I think people start connecting a lot more to this topic.

Jenny Radcliffe
Yeah, I mean, I can't help thinking that Gaynor, you'd agree with the idea of, we've got Gary here on the chat saying "I'm not going back to commuting by ScotRail." I mean, there are going to be advantages of people being able to do different hours and focus on different things in the kind of hybrid model that's going to come, before whatever it looks like in a year or two. Isn't there? I'm sure you applaud that.

Gaynor Rich
Yeah, yeah, I think it will be a more blended approach. We're not going to lose offices altogether. People want to collaborate, they do want to meet face to face, and I think we're all desperate for that sort of physically meeting people and being able to have a more flexible way of working. I mean, I've been working in that environment for 20-odd years now, so it is not strange to me to be mixing between office and home, so I'm quite good. But I agree with Jitender, it is about making it, you know, helping people understand in a much more simple way, making it relevant by sharing those stories. I think organisations have historically kept things very close to their chest. It was almost like a shameful or embarrassing thing to share, whereas actually it is a bit more like the community security programme. The more we share about what's going on, the more we let people know what's going on in their immediate environment, the more you know it's not something that happens to other organisations. It's something that's happening to every organisation and everybody, and can happen to anybody. I hesitate to use the term 'normalise' it, but it is a normal thing. So we need people to be alert to that and be open to sharing those experiences, but also reporting those experiences so that they get the help they need when they need it as well.

Jenny Radcliffe
Absolutely. Sudeep, a few final words on maybe this hybrid going back a little bit and what we've learnt maybe from the last year?

Sudeep Venkatesh
Yeah, absolutely, and we actually conducted a poll in our business about what people would want to get back to, and 98 percent said that they would like a hybrid working environment. So I think it's going to be more of, you know, having a strategy towards that which everyone can agree to. Some of our teams, like development teams, are saying that they would like to be remote more of the time. Some of our sales teams obviously want to be in three or four days a week so they can collaborate and learn from each other. I don't think there's going to be one policy that works for every employee of your business. I think different teams will have different needs and demands for hybrid working that we'll all have to cater to.

Jenny Radcliffe
I have to leave the final words from the panel to Gary, because if one thing's for sure in this uncertain world, it's that we're certainly going to be on video calls a little bit more. So any thoughts for the next couple of years going forward?

Gary Sorrentino
I think we all have to have a realisation that the past is gone and it's not coming back. OK, we need to just put that down in writing and say that, because there's still a lot of very senior leaders out there who think that we're going to return to a greater than what it was before, and I agree with Sudeep when he said 98 percent, everybody's going to want some sort of hybrid work environment. And to tell you the truth, I think that scares us the most, because companies know how to handle people who come to work and they know how to handle people that work 100 percent from home. And that middle ground, especially from a security perspective, is: how do we treat those people? Because they're really two people. Sometimes in a company they're an at-work worker and they're an at-home worker. And we have enough trouble teaching them one security policy. It's going to be a little difficult to teach them two. Now, there shouldn't be two security policies, but how do we blend it together so they understand that there are professional guardrails that apply, whether you're here or here, because as someone said, we've extended the four walls to be our homes now. We always talk about protecting the four walls. You have a thousand employees and you have a thousand four walls. And we have to make people understand what the new age of work is going to look like. And I think if we can get the balance of what the new age is going to look like, what are the tools? Look, video's the new voice, so what are the tools you're going to use going forward, and how do you balance that?

Jenny Radcliffe
Absolutely.

Gary Sorrentino
Not just work life balance. How do you balance that? And I think if we can all go forward with an open mind, we'll be successful.

Jenny Radcliffe
Well, I really hope so, and I know that I've really enjoyed this panel discussion, which in my mind has been incredibly successful. We'll be looking at our poll in just a second, to see if the elves could get us the results. We've had some great comments from our audience, and from people like Gary and Lee talking about a place of collaboration and meeting, and looking forward to going back in the odd day a week. We've had to lose Jitender because he's on another call.

So, our poll results then. I asked the question whether you felt more pressure post covid to be available all the time, and I'm afraid 19 percent said it's about the same, but 50 percent said yes, that they do. So we do all feel more pressure, post covid, to be more available. I'm going to say thank you very much to my lovely panel: to Jitender in his absence, to Gary Sorrentino from Zoom, to Sudeep Venkatesh from the lovely Egress, who have been our sponsor today. Thank you, Sudeep. And to my lead guest today, Gaynor Rich, for fantastic insights into leadership and management through this crisis. I also want to say thank you to all of you for listening to the show. And this week, I think there is no contest. We had a great question and some great comments from him. So this week the teissTalk mug goes to Limor, and thank you for your collaboration. Thanks again to the teissTalk elves and to all of you, and I'll see you not next week, because we have an Easter break, but the following week. But do tune in to Geoff White's show on Thursday, the next edition of teissTalk.

Host

Jenny Radcliffe

Jenny Radcliffe, also known as "The People Hacker", is a world-renowned social engineer, hired to bypass security systems through a no-tech mixture of psychology, con-artistry, cunning and guile.

Jenny is a sought-after keynote speaker, panellist and moderator at major conferences and corporate events, both in-person and online, is a TEDx contributor and is host of her own multiple award-winning podcast series.

Guests

Gaynor Rich

Global Director Cyber Security Strategy
Unilever

As a director of information security (CISO), I am known for my expertise in Cyber Security, Data Protection, Payment Security (PCI DSS), Business Resilience, and Risk Management, leveraging technical acumen to generate solutions for complex issues. I specialize in championing strategic initiatives to deliver effective results, participating in critical decision-making processes while working proactively with cross-functional teams to produce strategic business enabling cybersecurity governance, operational frameworks and regulatory requirements. With a strategic mindset, I am committed to cultivating exceptional stakeholder relationships, meeting their needs and expectations at every step.

Gary Sorrentino

Global Deputy CIO
Zoom

Gary Sorrentino currently serves as Global Deputy CIO for Zoom Video Communications. A former Managing Director for J.P. Morgan Asset & Wealth Management, Gary was the Global Head of Client Cyber Awareness and Education. For over 12 years, Gary was the Chief Technology Officer for J.P. Morgan AWM's global technology infrastructure initiatives, where he managed its Data Privacy program and was responsible for Infrastructure, Application and End User Technology Production Support. In 2014, he assumed a new role as the lead for their Cybersecurity efforts and developed a firm-wide "Protect the Client" Cyber program designed to raise cybersecurity awareness among employees and clients. With almost 40 years of experience in Information Technology, Gary has served in various other IT leadership positions in firms across the financial services industry. Prior to joining J.P. Morgan in 2005, Gary was Head of Global Infrastructure and Head of Technology Efficiencies at Citi Private Bank, where he was responsible for Global Infrastructure Support and strategic technology initiatives. Other roles he has held include Global Technology CFO at Credit Suisse and North America IT Controller at UBS.

Jitender Arora

Chief Information Security Officer
Deloitte

A highly accomplished, innovative and strategic global senior executive with over 19 years of experience in Cybersecurity, Cyber Resilience, Information Security, Technology Risk, Operational Resilience, Operational Risk, and Governance, Risk and Compliance domains. An expert with a proven track record of success in strategy definition and execution, leading business transformation initiatives, managing efficient operations, and building and managing CxO and Board level relationships.

Sudeep Venkatesh

Chief Product Officer
Egress

Sudeep Venkatesh is a noted expert on data protection, bringing two decades of industry and technology experience in this area. His expertise spans the protection of data in both structured and unstructured data ecosystems, with an emphasis on solving real-world business problems through encryption, authentication and key management. He has an in-depth understanding of regulatory compliance standards, including the EU GDPR, PCI and NYDFS. Sudeep has worked on numerous data security projects with Fortune 500 firms in the US, the UK and globally.

At Egress, Sudeep works as Chief Product Officer with responsibility for product strategy, product management and the delivery of pre- and post-sales technical services to customers. Prior to this, he was the Global Head of Pre-sales for the Data Security division of Hewlett Packard Enterprise (HPE), leading a global team of Sales Engineers. Sudeep joined HPE through its acquisition of Voltage Security, where he was part of the executive team.

Copyright 2021, Lyonsdown Limited

23-29 Hendon Lane
London, N3 1RT
020 8349 4363
press@teiss.co.uk
teiss® is a registered
trademark of Lyonsdown Ltd