Tuesday 25th May 2021, 16:00 (BST)

Securing your organisation’s hybrid working environment

  • Secure remote and hybrid workforces: Identifying and overcoming legacy security issues
  • Meeting the challenge of cyber security risks posed by the return to the office environment and managing the risks faced by your remote workers
  • How are the roles of the CISO and security teams changing through 2021/2 as they meet the security needs of their hybrid workforces

Hi there and welcome back to another edition of teissTalk with me, your host, Jenny Radcliffe. We've got a great show for you today. Later, we'll be talking about securing your organisation's hybrid working environments. And what does that mean for the security staff and for the CISO role? I'll be joined by a fantastic panel, including Marios Clark, the CISO at Zava, and Paul Baird, the chief technology security officer at Qualys. In a moment, I'll be joined by Gary Sorrentino from Zoom but before I bring Gary to the stage, I just want to say hello to all of our audience tonight. Hello, everybody. Welcome back to the show. It's going to be a special one tonight in terms of how you can win that mug. So stay tuned and at the end of me interviewing Gary in a minute, we're going to tell you the special way that you might be able to win one of our very famous, very sought after teissTalk mugs.

Remember that you can put questions or comments in the questions and chat on the right hand side and we'll try and get through as many of them as possible tonight as we can. But for now, I would like to welcome my lead guest tonight: Gary Sorrentino is the global deputy CIO at Zoom and has already been on our show and is a friend of the show. Welcome back, Gary.

Jenny, how are you? Great to see you.

Great to see you. How are you?

Can't complain. Getting ready for the holiday weekend here in the States.

Yes. Yes. We have one coming up here, although you wouldn't think it was a summer holiday. It's more like October, the weather here.

But with all the changes, right, it's more like a freedom holiday, right? Now that we're allowed to do much more. I'm in New York, so New York has changed completely with the mask rules and things like that. It's re-opening up, so.

Oh, well, listen, it's so lovely to have you back on. And it was great that you can come on as the guest for you to interview, because so many questions to ask you, because for you over this last kind of sixteen months, just over were sort of into the second half of this year, almost. I wanted to know last time when you were on the show, what what on earth was that like for you to go to be working for Zoom of all people in the middle of the year when the pandemic hit? Because suddenly I mean, I don't say videocall. A lot of people don't even videocall. They say do you want to Zoom? What must it have been like to just absolutely balloon like that and just take off the way it did?

Well, I think the first thing to say was crazy, but naturally. But, you know, video became the new voice. Zoom became the new verb. But I think the real thing in companies like that is Eric's passion for this kept it together. We made sure that the management team and the employees at Zoom, cause Zoom was a lot smaller company, maybe almost double through the pandemic. It was, marching orders were clear and I think that's really how we got through it. It was help people. That was our marching orders, help people. So how do we help people? One, enterprises need to be connected. So we need to work with enterprises. Children need to still continue to learn. And so then we focussed on schools. And I think in 2020 we supported one hundred and twenty five thousand K-12 schools and ninety five billion minutes of learning. Which was free, Zoom gave it away. And then the second part was people still need to go to doctors. So let's focus on telehealth. But then most important, families need it to stay connected. And so the goal, the marching orders were clear, help people. And that's what we did.

I mean, how did it, you know, take in the pandemic aside if you just sort of step back a bit. The growth, you must have known this was coming, because when I think of a videocall, the first time I think I ever saw one was in Aliens. Remember, in Aliens, and they had like a card? And I remember saying, oh, that's just so cool when we'll be able to do the video things. What was the plan before the pandemic? Did you think that, like, within a few years you were going to get to this stage or?

We went from ten million daily participants. That's when I started Zoom, because I started at Zoom very little, months before pre-pandemic, to three hundred million. Right. That's unbelievable. Right. At the end of the day, the need was there. To tell you the truth, we have Zoom Phone also, my Zoom phone rang the other day. I think it's the first time in eighteen months that I got a phone call. Everything turned to video overnight. But then, you know, but then comes with it is then there was a learning curve. So first there was how do you get people, how do you get people on board. How do you get people connected. That was the most important thing. People seeing each other. Companies needed large webinars.

It felt so weird, Gary. Because I remember even not that long ago, I had a friend of mine go, we need to Zoom and me going, what do I do? Like, I mean, just tell me what I need to.

Quick little story. So I came to Zoom because of somebody I work for, our CIO, Harry Moseley, and in 2017 when he retired, he called me up and said, I'm retired from KPMG. I go, Great, I owe you dinner. Where are you going? What are you doing? Because I'm retiring. Four days later he called me up and said I decided to take a job. I go where? This is 2017, he said Zoom. I said, what the hell is Zoom? In 2017, right? In 2019 I retire from JP Morgan. I call Harry, the same person. I said I'm retiring. You owe me dinner. He goes, why don't you meet Eric? And four days later retirement ended and I'm with Zoom.

But you're such an evangelist for them as well. I mean, we've spoken before. You're like you've got to get on Zoom, we could do that. And I love that you're so passionate about it. Let me ask you, and this is not meant to be a difficult question, but in the middle of it all, as Zoom just grew and grew and ballooned, did it ever feel a little bit strange in as much as I know you've been helping people, I mean, you couldn't help grow in the middle of it was sort of almost I don't want to say benefiting from it, but did you have to think, if it hadn't been for the pandemic, this wouldn't have happened. How did you kind of feel about that?

I mean, like all companies that were doing the pandemic. Right? Even some of the telehealth stuff that was going on, this conversion was going to happen, right? People were going to work from home was going up. Was only three percent before pandemic it's, who knows what the number is going to be after the pandemic. I think it accelerated plans for everybody. And so, like, I don't know what Zoom plan was to get the three hundred million daily participants, but I'm sure it wasn't twelve months. Not in our wildest dream. But I think it was keep everybody informed inside our own company. Make sure we're all pointed in the right direction. Right. It was very important for leadership to be vocal. It was very important to make sure that, hey, not only us, but our clients understand what's going on and where we're going and that took work.

I can imagine, when everyone else was like stepping back a bit and you guys must have been insane recruiting and then everything as well.

At the same time. Right. So now we're onboarding people who have never actually been to a Zoom office, ever. Have never met. We are onboarding people now in the last year and a half who have said I've only met people through glass.

We've had so many CISOs on the show and in our audience saying the same thing, just saying we've not met in person so many people we work with. Gary. I just need to say there's some funny comments coming through here. We've got Dave saying the least convincing movie videocall was in Jurassic Park. Nedry has a phone call which is clearly just a QuickTime movie. And the call ends just as the progress indicator reaches the end. John saying, what the hell is Zoom? We're going to hear that again. And then Danny saying, we were all brought up with expectations of a future of leisure through automation and video calls. It does, it felt like the future kind of met us. I wanted to ask a little bit about your role in amongst it, because obviously Zoom was widely praised in the community because obviously with that level of adoption and it's a business to consumer service as well as B2B. There were people trying to get used to doing things like posting the passwords and things online before people got used to it. How stressful, how did you and your team cope with that? Because the transparency and the way that you guys got through it was really held up to be best practice in the industry. So I want to commend you for that, because I hear that all the time. But how does it feel to know that these things are going to happen? I guess.

So, when we sat down with Eric and we had some of those issues at the beginning, the right thing to do was publicly announce we're going to stop development of features for 90 days and put the right things in place and the right things in place were, Zoom was working with enterprises and enterprises do you think, we've all talked to enterprises. They take applications, they review them, they set them up for their security posture. They train their employees. Great, great model. What happens when you don't have an enterprise? I think what we learnt is when we got into education, almost every classroom is its own company.

Yes.

I was working with teachers and I said they were like, well, we don't get the security. I said, well, what don't you get? And they said, well, you know, all these different controls. I said, well, let's talk about your day. And she said, well, I teach fourth grade? I said, so how's your day? She goes, I stand outside the classroom and I wait for the kids to come in. I go, OK, and what if some six-foot-five guy tries to get into your fourth grade class? She tells them this is not your class. I said, we call that waiting room. I said, now what happens after the 30 kids come in? She goes, I say, good morning. I go, what do you do before that? She said, I close the door. We call that lock meeting. She says, why don't you just call that close the door? She's probably right, so we looked at the changes and said, look, there are things that we need to put on. I think it's we had to become and I don't know if this is the right way to look at it, but we had to be the CISO for a lot of these.

For, like, everyone who was using it. All of a sudden.

And unfortunately, everybody treated it like consumer products. Just turn it on and you don't look at the switch settings. So maybe it's better that we turn things on. So while we did about one hundred feature changes during that 90 days, a lot of it was enforcing passcodes, enforcing waiting room, turning stuff on and then saying you have to look for it to turn it off. And I think you said it great. So many senior people in the world were figuring out Twitter and things like that, so they were taking pictures of their Zoom meetings with all their new content and then they were posting in probably the first time they were even on Twitter on it.

Exactly.

And they didn't realise, you know, what that 10 digit number is? That's the phone number of the meeting. And then you get a call and they go, the world tried to join my meeting.

Well, we had that in the UK because I think our Prime Minister did it.

I wasn't going to say that, I was going to let you say that.

Literally anyone can do it.

And so we decided, let's move it under a button. And when you want to see that, the other thing we came out with recently is we do mine out there. If we find your Zoom ID out in public media, we let the admins know, hey, by the way, your digits are found here. Someone posted something you might want to at least change that meeting. So it's constantly keeping up with the user.

I was going to say it's a pretty unique situation that you're in because you really are sort of CISO for, well, CIO, but like all of you sort of. Almost like even in a massive organisation that's educating their own team, there's some kind of like security teams can get across security awareness but you've got the world to deal with and everything that that entails, the culture and everything else. I mean, what advice? Well, just a couple of tips might you give to our lovely audience. You know, a lot of whom are responsible for their own team security and awareness amongst the teams. What sort of things would you say have sort of risen to that challenge over the last year or so?

So one of the things is I actually run the Zoom CISO council and during that 90 days, we brought in thirty five CISOs of some of our most prestigious companies to talk to them because we learn from each other. And I think that never stops. Learn from each other. Don't think you have it correct, because as you know, for what you do for a living, people set up things and you just figure a way right around it. So if you think that it's set up correctly, it's probably not. And one factor I think we learnt about is the human factor. You just can't look, we have to change a lot of things. I know we'll talk about things later, but we have to figure out the right way to make the humans work the way we need them to work and how do we put controls in place for them. And I think you've said it a couple of times here. We do need to think about security. Security is foreign to people. Right. They just decide to get in the car and drive. OK, now we have rules and everything. But in security, there are no rules. There's a comedian who talks about passwords and he talks about how we started out with the dog's name. And then we put the capital and then we put one on it and you listen to it and you laugh and then you go. Most senior people in the world, that's how they created their password. It's the dog's name, capital letter, one at the end. And when you wanted that special character, it was an exclamation point.

It's a nightmare.

And you laugh about it, but you say we have to do the thinking for them. And I think that was an excellent way to put it. We had to do the thinking for them. We actually trained thirty five thousand teachers over the summer on how to teach on the video platform, but also to make sure they identified some of the rules they need to do.

Well, you know, Gary, I want to say thanks because you're a great guest. It's always exciting and fun to talk to you and it's always exciting, fun to hear what happened at Zoom and the way you guys keep it going, because there's nothing more to immediate for me. There's an awful lot of comments coming up of people there's Mike who saw the traffic to the site rocket, many people still waiting for the most important privacy protection. Make disconnect camera and mute buttons bigger. I mean you're going to get all this always, Gary.

I'm looking at it now, they put Michael on. You laugh at it and then you sit back as a CISO and you go, yeah, but every senior in my company does that.

And another one for large mute buttons. I have to say, you know, for me now it's in my lexicon. I don't really do, everyone will tell you I don't do calls, I do Zoom. I want to say thanks for that and I want to say thanks for being a brilliant guest and stay with us for the panel and everything. And I am going to say, because you are all demanding to know. So we have a little thing tonight in terms of winning your fabulous teissTalk exclusive mug, which is, I asked our lead guest, Gary, earlier if he could have a Zoom with anyone alive or dead. Hi Paul. I asked Gary, anyone alive or dead, one person who you could have a Zoom with and Gary gave me his answer. So the first person to guess that answer can win the teissTalk mug. And if you don't guess it, I will give some hints as to what it is a little bit later in the show. Paul's already joined us. I'm going to ask for our second guest, which is Marios. Marios is the CISO at Zava and Paul Baird is the chief technology security officer at Qualys. Welcome to the show, gentlemen. It's lovely to see you. Welcome back, Paul.

Thank you, Jenny. Nice to be back.

Great for you to be here. Today's show is all about securing the hybrid working environments, and I think more from the point of view, really, of what we do as CISOs and security people in doing that, as opposed to like the general discussion that we've had before. And I'm going to get on that a little bit later. But one of the things that I have noticed is today's news article that we are not practising what we are preaching, gentlemen. According to this article all about Constella Intelligence, one of our teissTalk elves will put this up shortly, Constella Intelligence did a survey and it's all about the fact that in a poll, a lot of CISOs were saying that they did not practise what they preach and they had poor cyber security practices and risky behaviour online. Now, I will get to some of these suggestions coming up in the chat a little bit later in terms of who Gary wants to have his Zoom with, but I also know that we've got a lot of CISOs and senior security people in our audience, and you might be surprised here. So let me throw a few statistics at you. Of the CISOs that they put their poll to, 24 percent said that they reuse their passwords on both their work and personal devices. Should we start with that one, Paul? Does this surprise you? That your chief information security officers are reusing their passwords. Isn't this what we tell our people not to do?

It doesn't surprise me in the slightest. Over my years, I've met two distinct CISOs. Ones that come up through the ranks and ones that have been born into the role. And I think you'll find their working habits distinctly different. If you've been there at three o'clock in the morning dealing with a security threat, you will always make sure your password is three hundred characters long. And 2FA, and biometric. Whereas the other CISO is a little bit more lax, I think they spend a lot more time with the board and forget some of the principles that they are preaching to the rest of the company.

I think you were quoted in our marketing today where we put on our LinkedIn saying this is the ivory tower CISO. So is that what you meant? The ones who are not really being at the coalface as much as perhaps those.

Absolutely. Although they're certainly so separated from those security teams now that they don't understand, you know, what's going on at the coalface.

Oh, well, I think you said yesterday that you might expect that to be quite controversial. I wondered if it is. I wonder if our audience agree with Paul that there is such a thing as ivory tower CISOs who've not spent the time at the coalface. Let's have a look at this next or maybe Marios could look at this next one. Forty five percent of the CISOs that were interviewed said that they connect regularly, not regularly, but they connect to public Wi-Fi without a VPN.

So I've personally found this a bit shocking because we in security advocate security top down. I did find them shocking, but then when you look at how they are going to fall, we need to look at what kind of CISOs got interviewed and separate them into two categories. The ones that come from the ranks have been technical. And they went through dealing with those incidents and the ones that compliance checkers, a quick exercise, and they have been through those incidents. So when you look at public Wi-Fi, again, if you've been through an incident, you understand why you need a VPN to connect. And it's quite controversial but I can see why this makes sense.

I mean, Lee, in our audience is saying, surely you have to connect with a VPN to start with and then Danny's saying, well, do they even know what VPN stands for? Which is funny. What I think about is I wondered when I saw that, Gary, whether it was semantics a little bit and let we were playing with some managers saying, well, yes, I connect to the WiFi and then I put my VPN. What do you think of these stats, Gary?

So I agree with my colleagues here. Think about this. The people on the security side that actually help people. Well, I came up through banking, so I haven't been on a vendor by trade. I did twenty five years with some of the larger banks. When you work with people who have had material loss, material loss due to bad security practices, you automatically learn, one, teach it as much as you can to as many people that will listen, and two, follow the rules yourself. Right. And I think it's really about that. It's the practitioners who are really working with people to figure out how did I lose X dollars or my identity or my privacy. And to tell you the truth, it scares you to see how normal people, the amount of normal people who are suffering loss. And so I really do agree that it depends on where you are. And I think Paul said it right. It's really the ones who are connected with the people who are having issues that figure out I need to do this. But isn't it the shoemaker's shoes, at the end of the day?

See, that was what I was wondering about. One of the things I wondered was whether this was sort of a Spartacus moment where they were kind of because, you know, I work with a lot of CISOs and obviously we have a lot of security people on this call and on this on the show. And I think one of the things that they always talk about is admitting that they're not perfect. I wondered whether it was perhaps, I'm Spartacus, Paul. Let's go back to Paul. What do you, maybe they were trying to be honest?

Can you hear me OK? I'm back again.

Yeah,

You can make a mistake once, you can make a mistake twice, but how many times are they repeating that mistake? What the statistic doesn't show is they you know, they use LinkedIn, they use Facebook, they use, you know, an unprotected Wi-Fi. But how many times are they doing this? Was it a one off. Still not good. But, you know, they may be you know, the CIO or the COO was demanding a report they had to connect and they openly admitted to that. But are they going off to Costa Coffee and regularly connecting to their Wi-Fi every single day of the week and finding out it's actually a pineapple or something like that. They're giving away their worldly secrets.

Maybe they were packet sniffing? Who knows?

You never know.

Maybe that's what they mean. There were a couple of others that, you know, I mean, like this one. We often watch sometimes in the news article, sometimes the sort of hysteria and this one says seventy seven percent accept a friend request from people they don't know, and particularly on LinkedIn. But I mean, isn't that how everybody grows the network? Marios is nodding there. I mean, you know, that's how we grow our networks these days, isn't it, Marios? You can't know everyone in person.

When it comes to security, we like to go and have a community. The more people we connect, the more we learn, the more we stay connected with the industry. So that's an interesting one. And I agree with it. And people will connect with people they don't know. I've actually connected with two individuals that I've never met. And they are on this call with me. So we were connected with them before I met them and we don't really know who they're representing. I'm fine with connecting but why are you sharing on these social medias? You're sharing a lot of sensitive information? Are you sharing company secrets? For me, the way I treat LinkedIn is it's a public forum. I wouldn't put anything on there that I wouldn't want anyone knowing.

I think that's the thing. I had people email me and say, you're connected to the. Apparently, MI5 said that there were ten thousand people connected to some Chinese spies on LinkedIn, and that was one of them. And I was like, well, just because it connected doesn't mean I told them everything. I mean, Gary, you know, in your job, you must be inundated.

You do an event like you. You do an event. Right. Then all of a sudden you get five hundred LinkedIns. Right. But it's about what you do with it. I think what Marios said about it is that it's about I look at it as a public forum, like a phone book. But here's what happens. I'm OK linking into people. That's great. But when you send me an IM and then ask me for something, that's where the value comes in of thinking about, I don't know this person. And just because someone said, hey, I've seen you on teissTalk today and then ask something else, I probably will ignore that. But I might accept the LinkedIn. The other thing is, you know, I'm probably a little bit more careful, right. I've been in the security business for a long time also in and I look and find out that they're not linked in to anybody I know, which is quite impossible sometimes. Right. So I do my fair share of ignores and I apologise right now if I ignore someone. Right. Because better to be safe than sorry.

Last call because I've just got to say this. I mean, Paul, 74 percent said they'd been phished or vished in the last thirty days. That doesn't mean they got called out. That means they recognise a phish or vish. I always wonder what the percentage of phishing versus vishing, because as an SE I see a kind of hate the vishing calls but it's necessary. I mean, that's surely just the most common attack act of phishing, isn't it?

I'm surprised it's not 100 percent, to be realistic about it. You know, it's like the old days of receiving junk mail through your door. You always got it every single day of the week. And now you expect, you know, those phishing and vishing to come through. It's what we get every day now.

It's just I mean, I just think that's a fact of life, Marios. You know, it's so I think they might have been being honest and trying to make a point that it happens to everyone. That was my conclusion. Maybe not. My three distinguished guests go, Mhm. Yes. Well, they should be more careful. Let's have a look at some of the suggestions, Gary, for your Zoom guest of choice. If you could choose anyone. We've had an Elon Musk, we've had a Steve Jobs, Jerry Seinfeld, DaVinci, Barack Obama. None of these quite right yet. Some of them getting a little bit close and we'll talk about it at the end. but nobody is quite right yet. Now to Charlie Chaplin from John there. So these are all great comments. Don't forget that you can ask questions. We do have a question that's come up for Gary from Dave. Just very quickly, before we go into a general topic, he said early in lockdown, the press went wild about the lack of end to end encryption. Did this turn out to be a big impediment to growth of Zoom users or were you able to brush that off?

I don't like to use brush off, but it was something that we did focus on and we did come out with AES-256 GCM with version five. And then right after that we acquired Keybase and came out with true end-to-end encryption. I think it was something we needed to fix and we did.

Thank you, Gary. I hope that answered your question. Well, I suspect it really does. And Neil King is saying Sir Francis Walsingham for Zoom. Might be one I would like to have met Walsingham for various reasons. He'd have been on LinkedIn Neil, rather than Zoom as well, I would have said. OK, so let's talk a little bit more about let's get onto our topic of the day, gentlemen, while these suggestions keep coming in to you. Dave says that was spot on, Gary. Thank you. So just getting onto our chat and this is secured in this hybrid working environment. Now, what we've got at the moment with the UK, certainly, hopefully and tentatively, there are 26 days before the UK is expected to loosen nearly all of its lockdown measures. Now, depending on variants, that remains to be seen. For many of us, the next chapter in this pandemic is going to be something hybrid, isn't it? I mean, people hate that. And if I can come to Paul Baird first. What do you think that's going to look like for security teams in terms of protecting sort of people who have, you know, some go back home somewhere between what's the challenge going to be for security teams?

I think what's the challenge going to be for the CISO? You know, a lot of CISOs should be looking at a three to five year strategy and that's been thrown out of the water last year. You know, all of a sudden they were looking to you know, they knew where the perimeters were. They knew where the defences needed to go and that which is broken down overnight when, you know, people were walking out the door, not only with laptops, with desktops underneath their arms, you know, these things should have stayed, you know, in the office.

We've spoken about that before, we said there's just this migration.

What's it going to be? Because, you know, budget is limited and it always has been limited. Now you're having to potentially pay for more VPN licences, bigger VPN concentrators to allow that traffic through. New technology to allow patching on the endpoint, as well as keeping your traditional, you know, security going as well as, you know, your perimeter firewalls. Do you keep those licences? Do you keep those VPNs up to full strength knowing that this could happen again? You know, we could get another round of covid, something else could happen. So budgets are.

Don't say something else could happen. What's going to happen? Remember when we all thought 2021 was going to be a bit easier?

Yeah. Yeah, life is going to be easier. So I think it starts at the CISO. First of all, they've got to get their strategy right. They've got to listen to their board. The board have got to get a clear message on what they're going to do with their workforces. There is a lot of organisations still haven't been very clear about allowing, you know, three days, five days. You know, some people have shut their offices completely to start at the board, get down to CISO then they can then redefine the strategy.

I mean, Marios, it's down to the CISO to re-think the strategy. What's keeping you awake at night about this?

So for me, I agree with everything Paul said there that when I looked at the scenario, it was very risk based and tolerance had to increase. Because we couldn't afford to have the same security measures across the board for a fully remote workforce, so we had to increase our risk tolerance and accept a bit more risk. Now, the issue is now when we're going into hybrid, how do we adjust for that risk tolerance? Acknowledges in the office over high level of controls, our risk profile was defined, but now is a bit more vague and we accepted that because it was forced for us to be remote. But in a hybrid environment how do you get the balance between the two in the culture, between the two? You have a workforce now that is used to working in the same way, going back to the office. The technical controls could be different. What they have to be doing is different or the policies that are applied remotely are different now. One of the things that you just mentioned, we have individuals that were walking out with screens. I just went for a nicer compliance. And one of the things that I was looking at and laughing was the policies that you have to sign everything out if it leaves the premises. We migrated our whole office into people's homes.

I mean, this is the thing, I mean, just coming to you, Gary. I mean, I think what Marios says there is your tolerance has to go up and our understanding needs to stay up, doesn't it? Because if we force people back to work when they don't want to go, aren't we going to create an army of insider threats apart from anything else? People who are disgruntled, right?

Yeah, I agree with everything that everybody said. But at the end of the day, the tolerance has to go up. But remember, we've had 14 months to think about this. And I think that what's happened is, I hope that a lot of the companies have, we always know the weakest link in security is probably the human. And I hope that we've spent the last 14 months upskilling them. Making sure they're more aware of what the problems are. Remember, if we can really train our full remote workforce on some level of security, right, when they do come back into the four walls, we have provided a little bit of a more secure centre there. Right. And at the end of the day, I think we have to get away from what I've worked for at a lot of companies. We have to get away from training that's about passing eight of 10 at the end. Right, because we don't teach cyber, we teach how to pass eight of 10. OK, and if you ask them three days later one of the questions, they'd probably get it wrong. Right. So at the end of the day, I think we need to get to real-life training. We need to get to story-based. We need to take advantage of the time now when people are working from home and upskill them. Look, we need to make our users our security partners. Not just end users, and I think that we need to change that a little bit, and as we go forward in that hybrid, we can't have two security policies, right? It's bad enough for them to remember one. Right. But how do we teach them how to be that full employee that some days you're going to be working here and there are some controls that are here, and you've got to stop walking out with stuff because, that's right, there's going to be a person in the lobby now. Because I can imagine it was March 13th in the United States, right. March 13th, that Friday afternoon. You got that email. I agree with Paul. You grab a desktop that's not going to work at home. But they still grab them. Now, we had to learn. 14 months later, hopefully we got better, we got smarter, they got better, they got smarter.

You know what? You're right and, you know, I have to bring up Daniela's point here, because this is honestly, Daniella, a great point, because what they've said is exactly what my next question was. And it's this. What about physical security controls and checks during reduced use of the office, whilst returning to the office? Nobody knows anybody anymore. And you said it yourself. There's people that all of you work with, I'm sure, that you've never met in person. Habits at home won't be easy to quit. And I'm what I'm going to succeed is, you know, I've already done physical penetration tests. I can say anything. People do not know which way is up. I mean, you know, there's got to be, and I think someone else has said it as well, we have got to be at the point where we're looking at refresher training, particularly on hybrid and physical. Right, Paul? I mean, don't you think that, like, in between everything else everyone's got to cope with now, we've got to tell them what to expect when they head back into work carrying that desktop and little trolley behind?

I mean, does anybody know what they're going to expect when they walk through the door? You know, how many of their colleagues are going to be coming? Is there still the two metre rule? Is your team going to be spread across three quarters of the office now? And you're absolutely right. You know, we were always, you know, visually aware of our surroundings and the people. You know, I joined Qualys in February this year in the middle of the pandemic and I have never met any of my colleagues in person yet. You know, coming into the office, I wouldn't be able to challenge anybody. I wouldn't know who anybody was.

It's exactly what's going on. It's exactly I mean, you can literally just say this is a covid rule, I'm a covid inspector. And I know I've stated before on this show, and I know those people just go, OK, because they're not sure. I mean, I think it's a great opportunity, Danny said it's a great opportunity. Let's stop the complacency of the physical and the office being a physical DMZ. I mean, Marios, in terms of do you think helping them at home while we just help people at home, that's going to help them when, you know, fingers crossed, we do start coming back to the office, what the security teams do to help them from that home environment?

I've always been advocating teaching security across to the home life and bringing those skills back into the workforce. But now we have home Wi-Fi and we have confidentiality around home living: documents, confidential, personally identifiable data on there. So we don't have big enough things to teach and educate those. So it has to be some kind of a learning, but I think we need to slowly start educating what security looks like at home versus what it looks like in a corporate environment. Having devices connected to the home networks. We can protect using VPNs, but without devices that could be listening in and recording. I work in the medical field, and we have potentially customer service agents with patient records that could be talking to a patient. We have doctors whose conversations need to remain confidential, and at home with IoT devices. It's something that we need to train the end users on.

We're back to packet sniffing again, I'm obsessed. I mean, you're right, it's so, so difficult. We just got a few more suggestions. Danny saying the calendar is still on Jon Pertwee, everyone's saying, wasn't 2020 just yesterday? This is a good point, everyone's timezones are just. Your calendar's up the wall. This is the way it goes, I wonder whether this will affect the way we recruit, the people we recruit. Because I think what's been mentioned a little bit here, you know, Gary mentions it, Marios and Paul, the idea of it's still going to come down to the humans, the people sometimes in their own environment, sort of constantly being made aware of the dangers, constantly sort of, you know, being educated, and in small doses, because cognitive load, I think, is so high. Will this affect the way we recruit security professionals, do you think, Gary? Do we need people with a different skill set in the hybrid model, do you think?

Oh, yeah, for sure, I think we need people who can relate to people, and it's always been, look, come on, we've all been in some security role. We were all called Dr. No at one time. Right. We were the guy that you went to to get a no. And now we have to be the person that goes to that and says, how do we work that out? Right. There is a balance. And I know Paul said at the beginning that there is a balance between security professionals, also business professionals. They have to have that balance right. Here's the problem. If we push people to rules that they can't work with because they went home. Right. Consumer technology. Right. They're using probably stuff on their desk that we wouldn't allow when they come back to the office. And so I think now we have to actually find people that ride that balance. OK, don't be Dr. No, don't be Dr. Give-Away, but you've got to find what is the right business balance for what you need and how can we work together to put controls in place where you can effectively do your job securely? And I think we need to interview people in a much different way.

I mean, Paul, it was going this way, wasn't it, anyway? Like we're already expanding the skill set and the people skills required to do this job, I think.

I think security roles have changed. And that is, you know, very, you know, gone are the days where you're in a locked room. You never see anybody else in the office, or never see anybody else. It's an up-front-and-centre role now. And that's not just the CISO, that's all of the security team. And they need to learn those personal skills. Gary's absolutely right on that aspect. They have to relate to, you know, the challenges that people have gone through working from home. You know, if you're a parent, you know, you've got kids screaming around you. You know, you're looking after your family while doing your day job in the same place. So it's challenging. And you can't just apply those hard-and-fast rules that you did in the office. You've got to be more flexible, but not to a point of allowing holes within your environment. But there is a very fine balance.

Not to the point where 74 percent of people or whatever it was who were actually CISOs and use public Wi-Fis without VPNs. I mean, Marios, when you're recruiting into the security team, are you looking for those people skills these days as well to cope with this kind of empathy required for the hybrid model?

So I was recruited remotely for this role and I have since recruited remotely, and one that will be fully remote. So when we're looking for those, yes, we are. It requires a different set of skills and communication skills, because when you're working remotely, and especially in security, we need to be overcommunicating sometimes. So you need to make sure that the individual that you hire has the skills to be able to balance the business and the technical. The technical side can be done offline without interruption, but a lot of the education and a lot of the interactions with the different teams have to have that communication. Yes, we are. It's an interesting time because actually for me it is a benefit, because this has kind of diversified who I can hire.

You know, we've had that right throughout, that actually it's shown that people don't have to be within commuting distance anymore, which seems to be self-evident. I mean, Gary, yes, we would say that, at Zoom. But it's true, right? I mean, it should mean greater diversity. We spoke about this on the prep call yesterday. This should mean that we get all those things that we've been asking for. I mean, is that the answer to the skills shortage, in quotation marks?

Yeah, well, there's always going to be a skills shortage in security, right? I think there's always going to be that right, at least for the next couple of years. But I think right now, you're right, the talent pool is so much larger for us now to take for. Right. I do agree there needs to be people who can communicate and do it remotely. But I also agree that some companies are looking at bringing part of the company back and some of the people that they want to leave home remote are going to be the IT people. Well, the security people should get to the office because at the end of the day, we do need some human factor in the office, talking about security, talking, walking around, talking to people at their deskside, being more of an adviser and not that person that we don't normally talk to him. He sits over there on that floor in that other building. At the end of the day, it's about getting ourselves in front of the users in very creative ways and being an adviser. Right. It's about, OK, tell me what you have at home. How do we help you? How do we make the transition better for you? We have to be leaders in that place. They're not going to come to us, we have to go to them.

I mean, we've seen some brilliant comments here. We've got Lee saying a business need to ask early to remove the nose. Security needs to be an adviser, not a compliance need. You know, we've got John saying this is surely about ensuring cyber risk and awareness. It's an integrated approach. And also, the CEO, Lee CEO last week asked us can we work from another country? Well, yes. As it turns out, we can. Surely that's the answer. We can't continue to be this magic black box in the corner anymore. And I don't think any of the guests that we've had on the show, you know, this show started in 2021. Very proud of the way that our audience can interact like this. And nobody who's been on it has been anything other than, we've adapted. And the innovation has been amazing. So, you know, I think that's the case. I think just before we get all of fabulous panel's final thoughts on all of this, and we haven't yet had the correct answer for Gary's famous historical figure that you'd have on a Zoom call. Everybody immediately starts going, we've had David saying is it Neil Armstrong will give you a little, a little. The teiss elf does not get the mug by default, teiss elf, no you don't. You'd be very lucky if you can get one as a Christmas present. Yeah go on, Gary, can you give a hint.

Not alive.

So that narrows it. So we're talking about someone who isn't alive, we've had a couple of guesses that weren't too far off. Let's just say, Gary, you're coming in from New York, aren't you?

I am.

New York might be a bit of a clue, let's see. So let's just get this final thoughts on this hybrid security model and really, you know, maybe some advice from the three of you to our audience to people. Sorry, it's just going crazy.

Statue of Liberty, I can't even believe that.

Let's just say, Statue of Liberty. There were three words there. That might be a clue. Final thoughts or words of advice maybe for people for the hybrids working model. Paul, can I maybe come from yourself, first?

What we haven't talked about is the leaders of teams, the disconnection with our teams now that they're working from home. You can pick up on emotional issues when you're in the office. Very difficult over technology to try that emotional intelligence, trying to connect back to your teams, trying to understand your teams a little bit more, to pick up on some of the things that are certainly hard, harder now in emails and texts and Zoom calls.

I think that's really, really good advice. Marios, would you add to that would you echo it?

As I say overcommunicate. And again, the human aspect and element, it's something that we need to bridge that human back into play that hasn't been for a bit of time now.

I couldn't argue with that. Gary, final words before we disappoint everyone who hasn't managed to guess yet.

Empathy. Got to have empathy for both your own staff and for your users. You have to really go out of our box. Technology people sometimes aren't very social. Right. Sorry for all my peers who are going to probably write a whole bunch of notes about it, but at the end of the day, they're not. And so at the end of the day, we really have to figure out how do we make them, how do we have empathy? How do we discuss things that probably aren't easy for us to discuss? Right. How do we how do we make sure that we befriend our users so that we're there again? I think someone said it before, adviser. Right. Let's stop being that black box in the corner. Right. Let's get ourselves let's be leaders and let's try to understand our environment and our users. And I think that's the best thing we can do right now.

And you know what? That's the same advice no matter what we're talking about. So, look, guys, I want to say that the right answer has turned up in the chat. It has happened. Can you see it there, Gary? Because maybe you can.

I can. Can I announce the name?

Why don't we announce it just at the end and I'll cue you in. But I want to say thank you to an amazing panel. I want to say thank you to Gary Sorrentino from Zoom, to Paul Baird from Qualys, who were our wonderful sponsors today. So thank you very much to Qualys. And to Marios Clark from Zava. You've all been amazing panellists on the show. I want to say thank you to our amazing audience. You guys are awesome. And this is so, so great that you guys can come in and we can laugh and we can joke and all these things. We have many, many answers to our question. And I'm going to cue Gary in because today the mug goes to the person who guessed who it was.

Well, first, Charley had it out there, but he ended up on both sides of the equation, but his right answer was JFK.

So Gary's dream Zoom guest would be JFK. If no one would have got it, it would have gone to Neil for Walsingham because that would have been mine, or even to Chris, you guessed Elon Musk who would have been your living guest, but it was JFK and we did lock that in prior to the show. So well done Charlie, a teissTalk mug will be coming your way. Join Geoff White, my amazing co-host, at 10:00 on Thursday for another edition of teissTalk. But for now from me, Jenny. Thanks a lot for everyone for listening to the show. And goodbye for now. Bye bye.

Featuring:

Jenny Radcliffe, Host, teissTalk

Jenny Radcliffe, also known as “The People Hacker,” is a world-renowned social engineer, hired to bypass security systems through a no-tech mixture of psychology, con-artistry, cunning and guile.

Jenny is a sought-after keynote speaker, panellist and moderator at major conferences and corporate events, both in-person and online, is a TEDx contributor and is host of her own multiple award-winning podcast series.

Gary Sorrentino, Global Deputy CIO, Zoom

Gary Sorrentino currently serves as Global Deputy CIO for Zoom Video Communications. A former Managing Director for J.P. Morgan Asset & Wealth Management, Gary was the Global Head of Client Cyber Awareness and Education. For over 12 years, Gary was the Chief Technology Officer for J.P. Morgan AWM’s global technology infrastructure initiatives, where he managed its Data Privacy program and was responsible for Infrastructure, Application and End User Technology Production Support. In 2014, he assumed a new role as the lead for their Cybersecurity efforts and developed a firm-wide “Protect the Client” Cyber program designed to raise cybersecurity awareness among employees and clients. With almost 40 years of experience in Information Technology, Gary has served in various other IT leadership positions in firms across the financial services industry. Prior to joining J.P. Morgan in 2005, Gary was Head of Global Infrastructure and Head of Technology Efficiencies at Citi Private Bank, where he was responsible for Global Infrastructure Support and strategic technology initiatives. Other roles he has held include Global Technology CFO at Credit Suisse and North America IT Controller at UBS.

James Mckinlay, Chief Information Security Officer, Barbican Insurance Group

Over 20 years in IT, including nine years in roles within financial services. Specialist knowledge of producing working information security policies and procedures from international standards and frameworks such as CIS, NIST, Cyber Essentials and ISO 27000.

A passion for promoting Cyber Defence based on knowledge of offensive techniques – constantly learning and in daily conversation with a global network of internationally recognised red team professionals and blue team defenders.

Ability to set the direction and strategy to achieve immediate bottom-line benefits; proven track record of success in providing solutions that improve the efficiency of IT security and business operations. Strong understanding of the relationship between technology and strategic business objectives.

A gifted technologist with extensive experience in areas of IT Governance, Risk Management, Compliance, Business Continuity, Threat Intelligence Services, Forensic Investigation, Application Security, IT Infrastructure Security, SOC setup, SOC maturity, Vulnerability Management and Penetration Testing engagements.

Experienced at liaising with senior leadership teams to CX and board level to educate key stakeholders on the benefits of good security practice, changing cyber threats and a risk based approach to committing resource. Specialist knowledge of producing working information security documentation from international standards such as CIS, NIST, HMG, SANS, NSA, AusDSD, NESA and “Cyber Essentials”.

Paul Baird, Chief Technology Security Officer, UK, Qualys

Paul moved from Scotland to London in the late ’90s to start his first IT job as a systems administrator for Elonex PLC, at the time one of the biggest UK PC manufacturers. Being exposed to multiple vendor operating systems and enterprise applications early on in his career gave him the opportunity to learn a broad range of skills in a short period of time, which in turn allowed him to shape his career.

Paul has always worked within an IT function, and having the opportunity to wear many hats has helped him progress into the highest levels of systems engineering and architecture. Wanting to make the move into cyber, he seized the opportunity when it came about and has never looked back. After building a security ethos in a UK FTSE 250 company from the ground up, he took on the challenge of building a new SOC function within Jaguar Land Rover before his final move to Qualys.

Joining Qualys in February of 2021 as the UK and North EMEA Chief Technical Security Officer, Paul is helping to drive Qualys’ vision at C-level across the customer and partner base, supporting the Qualys sales teams with his knowledge and experience of delivering cyber security operations to enterprise customers at a global scale. Paul will be representing Qualys at forums and conferences to help support the wider cyber security community.

Paul’s mantra is “Perfection is not a destination; it is a never-ending journey.”

Marios Clark, Chief Information Security Officer, Zava

© 2021, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd • Registered number: 05832927 • VAT registration number: 830519543
