Tuesday 18th May 2021, 16:00 (BST)

The future role of the CISO

  • Understand various reporting structures and scopes of responsibility for Information Security Leaders
  • Examine the new “types” of CISOs
  • Discuss the CISO of 2022 and beyond


Good afternoon, everybody, and welcome to another edition of teissTalk with me, your host, Jenny Radcliffe. We have got a cracking show for you today. Later, I will be talking all about these ransomware attacks, including all the high profile ones that would seem to be hitting us relentlessly this last week. AXA, HSC, and again, Colonial Pipeline.

I'll be joined by a cracking panel to talk about that, including we have Paul Raines, who's the CISO at the U.N. Development Programme. We have Ian Hill, who is the global director of cyber security at the Royal BAM Group, and we have Steven Moore, who is the vice president and chief security strategist of Exabeam. In a moment, I'll be joined by my special guest, Kathleen Mullin, who was the CISO at Healthmap Solutions.

But before we start, just to let you know that you can take part in this discussion, you can join us in the chat panel, ask me, myself and the panel, as many questions as you like. The best questions and most interactive participants do win the exclusive and sought after teissTalk mug. But for now, before we get onto all of that, I want to welcome to the show, Kathleen Mullin. Hi, Kate. How are you?

I am wonderful, Jenny, and I'm reaching out to you from lovely Tampa, Florida.

Well, it is lovely to have you with us, Kate. And, you know, I mean, given that where you are and where we are in terms of a year into and just over a year after the lockdowns, how are you? How have you and your team been coping over this last year or so?

Well, it's really interesting for my group. We're in health care, so it really hasn't slowed down that much. We initiated our pandemic plan. It was a little rough for the first week, but we've just been adjusting and adapting. As a matter of fact, my company has expanded greatly. Unfortunately, we specialise in chronic kidney disease and we've gotten a lot more patients because of covid. So it's actually, it's been sad on a lot of levels. And the one big thing that we've had to deal with is our team members who had family members that they lost.

I know because I've spoken to you before and during the pandemic that this wasn't something that was a surprise to you personally and to the group, I think, as well, because you had some experience looking at the Ebola and the swine flu pandemics, I think, as well? Can you tell us a little about that?

Yeah, sure. So in terms of the swine flu, I was CISO at Tampa Airport when the swine flu hit and I had a daughter who was in middle school at the time and was away at a summer camp. And I got a phone call saying, you need to come get her or we'll put her on a plane. And it's like, no, no, no, no. You cannot put somebody on a plane to come into my airport with a contagious disease. So I was quarantined with a middle schooler, which was exciting. And then later on in my career, because this keeps happening, as a CISO. So I was working for Adventist Health and unfortunately, there were folks that were associated at Adventist Health that were treating Ebola victims and some caught it. So we had all kinds of pandemic protocols that we put in place. I mean, the reality is Ebola was and is scary and a nasty disease and should have been a lesson that we learnt and followed before covid hit and spread. So we had pandemic plans in place because of my own. So we can either say paranoia or preparedness. I prefer preparedness.

I think preparedness sounds more on the money.

But it's really interesting because here in the States there's all kinds of governmental plans that exist. And there was a great resistance within my organisations over and over again to do a pandemic plan. And the way that I got them to do it is there are actually zombie apocalypse plans. So I would let my team members adopt a zombie apocalypse plan as long as they also built a pandemic plan. And, you know, that's a great way to do buy in.

See this, ladies and gentlemen. I just want to say one of the main reasons I was so excited about having Kate on the show was exactly comments like that. You know, you get yourself a zombie apocalypse plan, everybody loves doing that. Gets everybody engaged but they can only do it if they plan for the pandemic as well. Kate, you deserve a medal. That's a brilliant, brilliant strategy. You mentioned there a little bit about the sort of like response to the government and everything. Obviously, we've got a new administration in at the moment and I wanted to say, I mean, there's so much I wanted to talk to you about. But obviously, President Biden's new executive order is about cyber security and follows hot on the heels of the Colonial Pipeline ransomware event, we're supposed to call it now, I believe. I mean, just a broad overview. Is this a good start removing those barriers to collaboration within the industry, do you think? It couldn't be worse than nothing, could it?

So here's the thing. It's a good start for the federal government and there will be some flow down that people can take advantage of. But the reality is, as evidenced by our pandemic and how America reacted to it, we are 50 separate states plus territories and local governments as well. And then you take in private business. The reality is that executive order really addresses the federal government and their contracting, which is big and has big weight, but it leaves almost everybody else out in the cold. And that actually kind of made me sad. So when I was a CISO in an organisation in California, when Kamala Harris was auditor general and back in 2016, she actually put out a report of the auditor general that said, if you don't implement the CIS, the Centre for Internet Security's, critical security controls, it constitutes a lack of reasonable security. I mean, this is back in 2016. And so I was actually sad that Biden didn't use the information from Kamala and that we all know and if we can't start talking about this is reasonable security for everyone, because here's the thing, Colonial Pipeline, not a federal entity. So all of those rules really don't even impact them.

I mean, he said that the federal government must lead the way. Just for those of you not across this order, it's removing barriers to sharing the threat of breached information, modernising and implementing strong cyber security standards in federal government, as Kate said, and the government must lead the way. I thought this would be interesting for you. The cyber security review board, who I can't imagine being anything other than rather busy, modelled after the National Transportation Safety Board, used after aeroplane crashes. I mean, what's your view on that? I mean, they're going to be full time, surely, at the moment?

Well, here's the thing. Actually, having that type of an incident response is great. But the problem with that, again, is the National Transportation, they regulate everything related to airline flights. OK, so basically they have the power to say your plane is not flying today or at all. They have the power to shut down airports. The federal government really can't do that. And the thing is that, I mean, they can shut down the federal government, but they can't shut down the rest of business and they can't make people do things. I mean, don't get me wrong, there is stuff in there that I really like. The fact that they're even talking about IoT, the fact that they're talking about standards. So here in America, whenever you buy anything that plugs into the wall, there's actually a little tag that is on it that says that it's authorised. The fact that they're talking about doing something similar for IoT. Awesome. I mean, it's actually something that I've been talking about for years now, that there should be some minimum security standard for IoT, the same way we have a minimum security standard for electricity. So, I mean, there are some good pieces. It just really I was just disappointed, that's all.

You know, it's interesting. We've got some comments in the chat here, one's from Tony saying we share every single piece of information about any problem in air transport, but in infosec we do the opposite. There's a phrase that's becoming something that comes out on a lot of our shows that, Steve from MasterCard coined, I think, which is the cloak of complexity. When I read Biden's executive order, I thought really what it was trying to get at was transparency, really, you know, that seemed to me what he was trying to get the ball rolling on.

But it's transparency at the federal level. So I'm in health care and in health care, we have to disclose everything. I mean, it is one of the requirements. So even if we reasonably suspect that there might be an incident, we have to disclose it. But those regulations in America are only applicable for things related to health care. And we have some more regulations that are EU GDPR light in terms of disclosure requirements. But the EU actually, because of GDPR, has more transparency in terms of letting people whose data is held know that there's a problem than we do here. So, I mean, there's a lot of services that, you know, if my auto mechanic is hacked, I'll never know it. And, oh, by the way, my auto mechanic, because I'm sure at some point I had unprotected energy charging with my car and my phone. My car probably has contact information in it that could be. I mean, it's one of those it's just this kind of slippery slope that we flow down. So, I mean, yes, it is better, but it's and look, perfect is the enemy of good. But really, it's small individuals, it's people. It's, you know, going around and looking at the fact that if we review firewalls and we have firewalls that we can review, and in every organisation I've worked, we have had to specifically block traffic from China, traffic from Russia, traffic from Iran. It's one of those you look at all of these locations that we're not doing business with that are sending us traffic. And my question is, wouldn't it have been great if this order also addressed having Internet service providers block known bad senders so that they can't attack small businesses that don't have information security teams?

I mean, maybe it's coming, Kate, maybe it's coming. I mean, maybe it's the start of a programme that's going to start taking advice from industry and then encompassing it all. I mean, I really hope so. I mean, when I talk to you, I always think about you've got long and wide experience in the sector and before I sort of finish up with you and bring you in with the rest of the panel today. I guess after what happened with the executive orders and with what happens after, you know, we're over a year through covid, although by no means are we out of the woods yet. I always wonder with yourself, I've seen you over the years have your eye on the future and predicting things very accurately. Are you optimistic about the industry and I guess about seeing the back of the pandemic any time soon? What's your mood and advice right now?

So I am optimistic, although I am still wearing masks when I am not alone. I am fully vaccinated, but the reality is I am trying to set a good example to others. I am planning, I'm hoping the EU opens up its doors and the UK opens up its doors. I am planning some speaking engagements in the fall in Europe and I'm hoping that I'll be able to attend. So I am cautiously optimistic about those things. The words of caution are, though, this has been very traumatic for people. So having some patience with people as they start venturing out, it is going to be difficult and it's going to be difficult for people that weren't good with meeting with people on the outside anyway. And the other thing that we really have to keep our eyes on the ball is at least in the states, there is this enormous group of individuals that are saying once the pandemic is over, I'm leaving my job and going someplace else. So how we treated our employees in different companies, there may be this enormous movement of people. If there's an enormous movement, people usually ask for more money, which is inflationary. So, I mean, we just need to have this kind of wide open, things are likely to change and we're in security. Things change all the time. The other thing is that there is a greater need for people in security because of what happened last year with those hacks. I mean, people are getting hired away, left, right and sideways because people are realising they can't trust their own environments and they're replacing everything.

Absolutely. Well, listen, you know Kate, we could talk for a long time just to yourself about all your angles on this, but I'm going to look to you to join the panel now and I'm going to welcome to the stage my other three guests. Thank you so much, Kathleen Mullin, for a great interview and your insights on this. Do remember, our audience, that you can ask questions of all of our panel today. Put your comments in the chat. We are going to talk now about those ransomware issues. Thank you, Kate, and welcome to the stage, Paul Raines, who's the CISO with the United Nations Development Programme. Ian Hill is the global director of cyber security at the Royal BAM Group. And Steven Moore, vice president and chief security strategist from Exabeam. Welcome, all of you. I couldn't avoid it this week, three days after a different news item was planned, but there was no way that we could ignore these high profile ransomware attacks in the news from Colonial Pipeline to Ireland's Health Service and today AXA. Ian, if I can come to you first, you've previously said we are entering, I mean, you said this prior to the couple I've mentioned, we are entering a dark and dangerous era. Is it safe to say that we're in it and the exit's closed? I mean, what's your take, top level, on all these attacks?

I think where I'm coming from, from that perspective, is that we are seeing a huge escalation in the state sponsored or state enacted via the proxies. If you look back at last year with the SolarWinds attack and now you've got the Colonial Pipeline, you've got the NHS in Ireland. We're seeing a big escalation in the attacks. And these attacks are now affecting infrastructure, in the case of the Irish Health Service are impacting people's lives. So, you know, what I'm seeing here is you see a drift from cyber crime for money, which a lot of it is anyway still, but we're seeing a drift, which now cyber terrorism and where does it go? Cyber war. As you know, last year, the government had a review, a strategic review, and as part of that review it was stated that the UK would consider using nuclear weapons.

Trident, in fact.

In response to a catastrophic cyber attack. So what we're seeing then is if cyber attacks are getting to the point, the technological point that a well coordinated, multifaceted cyberattack could cause devastating impact on a country to the point our response is something like that. Which is quite terrifying really but I think this is just the inevitability of, like in all wars, technology plays a massive part and in most cases, technology has been a winner. The way technology has been used now, this is my concern for the future.

Absolutely. I mean, Paul Raines, CISO of the U.N. Development Programme and a man who has more experience than most of us and around the nuclear sort of capabilities. Perhaps you want to explain that comment in a moment, but what's your take on what Ian said? Cyber terrorism leading to cyber war, these attacks are getting geopolitical in nature?

I started out my career in the Air Force as an ICBM nuclear missile launch commander and then went on as a nuclear war planner, as if you can plan a nuclear war. But, you know, there's something called mutually assured destruction. And the idea was to leave some doubt in your opponent's mind as to what your reaction would be to some aggressive act on their part. And so while the US government, to my knowledge, hasn't said that they're going to use nuclear weapons, they say that they don't rule out a kinetic response to a cyber attack, which simply means dropping bombs on target. So I see that scenario as a possibility that's out there. And whenever you start talking about kinetic responses, then you always have the risk of escalation to a larger conflict and a more destructive conflict. So it is troubling. And I'll tell you the main thing that's different between, you know, planning a nuclear war and this situation is that back in the days when we were worried about ICBMs, we had sensors so that when the rockets took off, we had satellites, sensors that we could say, oh, yeah, they took off from this particular coordinates in this country. So we could attribute it to the country that's attacking us. Today, attribution is so very difficult in the cyber world that I wouldn't risk going to war or escalating a conflict with any certainty about trying to attribute it to a particular actor.

Let's go to Steven Moore from Exabeam. Steven, I mean, what's your view from across your desk? What's Exabeam seen at the moment? Would you agree with what Paul and Ian have said so far?

First off, Paul made an excellent point on attribution. I think many times the individual, the CISO in charge of a security programme of a non-government, people without satellites and guns and things, it's a bit of a distraction. And attribution is very difficult even for people who are well versed in the space. So that's an excellent point made. I think, taking it back home to the individual that's not in government, that doesn't have the big resources, the reality is that the CISO in the security programme today are forced to sort of fight against foreign adversaries, nation states. So a private corporation or an entity, the reality is and this has been going on a while and it sounds silly, in fact, even five or 10 years ago, you would have sounded like a conspiracy theorist, but our entire notion of our security programme was never thought of, well, we're going to have to defend our programme against the Russians or the Chinese and we've seen this, whether you're looking at the host of breaches that happened around OPM and others, some direct involvement with that on the defensive side or SolarWinds and other groups. And so you have these catastrophic events. Where else do we have an example where private industry has to defend against the nation state? And that I think is interesting. I think it lends to the discussion into ransomware and specifically what that really is and the insurance that people are trying to buy to help offset that risk. And what the insurers are doing to say, well, it's a nation state, so it's an act of war. It violates policy. So we have this house of cards that has been created, kind of this no win scenario. And so the reality is, when do we need to match and how do we match the adversary, something that will help disrupt the cycle of compromise. That's what we all need to be marching toward as the individual beyond what our government talking presidential decrees say or what we read in the news.

I mean, I think you're right and I think our audience are agreeing with you guys emphatically here. We've got Lee Moore, and he's one of our regulars saying, life's starting to feel like a Die Hard movie over the past week, with Tony saying hopefully not Die Hard 4, that was a waste of time. It is starting to feel more and more dramatic, Kate, isn't it? I mean, you know, I want to point out to you that the ransomware groups did say that they weren't, they didn't do anything that was a threat to life. So that was good of them. That's what they said.

So first of all, I will admit that there are some hackers, malicious hackers, that know more about environments than the people that run them. But in general, they don't know our systems. They don't know their integrations, so they don't know what the impacts are. And if you're attacking a critical industry, sorry, you should assume that it will have a life and safety impact. And the thing is that, to kind of tie back a little bit to what Steven was saying, there used to be a time when governments would protect private industries who were shipping across the Mediterranean and the Atlantic. So it is not unprecedented for governments to protect private industry. So it has happened before and it would be great if we could step up. But yes, I am fighting targeted attacks against foreign adversaries and I am still fighting the, oh, this is FUD. And it's like, no, it's not FUD.

Way beyond, way beyond FUD at this point. Everybody, can I just remind you that we've got a cracking panel. Sorry.

Where's Jenny gone?

We lost her.

We need to get her back. Hold on, just a minute. I really shouldn't be on stage.

Kathleen, congratulations, it's now your show.

Oh, wonderful. So, I mean, here in the States, we're still very compliant and task focussed. In terms of doing full security, attribution of the attackers, I mean, it has always been two things that are kind of best practise. You should not do retaliation attacks, which the American government is now talking about doing, and they can do attribution better. And the other big piece of advice is don't pay ransom. And I don't know how you guys feel about it. Personally, in my organisation, we've always recommended against paying ransomware and being able to back up critical systems. So, Paul. You want to take that one?

I'm back, everybody, sorry about this. I think it's whenever you mentioned these Chinese and Russian ransom gangs, they just seem to be zapped clean off the stage. Kate, thanks very much. Paul, maybe you want to take that question from Kate?

Well, you know I work for the United Nations, so we couldn't pay ransom even if we wanted to. So that's completely off the table. But, you know, in general, I wouldn't recommend paying ransom anyway. It's like, you know, I've got problems with raccoons in my backyard getting my trash can. So I go to great lengths to make sure I secure the top of my trash cans with bungee cords, because I don't want my yard to be viewed as a source of food for these guys. And it's the same way for a company. If you pay ransomware to hackers now, you're going to be seen as a source of income for them and they'll just keep coming after you.

Ian and Stephen, do you guys agree with that?

I completely agree that, you know, you can't pay ransoms because you're funding it. You're just going to make the whole situation worse. But if I could, I'd just like to take up a very important point that Steven made actually and I'd really like to bring up Steve, made a very good point, that businesses can't be expected all the time to be defending off a nation state attack. I did my degree in history and if you compare things like the Second World War, it's like saying to London during the Blitz, we got nothing to defend against the bombers, all you've got to do is build a bigger Anderson shelter and hide on the ground. I mean, I think it's getting to a point, and I think Steven made a very valid point here, it's getting to a point where governments have got to start doing something more proactive. Looking more to an offensive, rather than just telling us what to do from the defensive capability. So I think that's a very valid point Steven brought up.

Steven, do you want to kind of close this part out for me?

I think the point I would add to that is in many cases, at least in the States, the private industry is sort of being attacked from all sides. And what I mean by that is there's the adversary, there's the belief that they may be protected with their existing sort of legacy controls and their insurance policy. And then there's our own government that will often penalise a failure. So you have, and meanwhile, the government has an open door to fail all at once. And its contractors with no sort of transparency and clarity back into the source of the failure, which I know we're heading into some of the other examples but there's no transparency or very little there. There's no lessons learnt there because it's all classified and many times government licencing organisations and stuff will come at you if we win and if you do fail. And so it is an issue. Now, I think there's a minimum amount of things we need to do. We need to start thinking more of what are we creating and does that match the speed and velocity of the adversary. What is our definition of good? Which as a security programme leader, CISO, we need to get better at defining that because I think we do a very poor job of what is good. There's too many distractions and not enough clarity of what are the things. And moreover, what does the CISO agree to own going into the job? I'm even talking to CISOs about how they're interviewing differently based on all of what we've just discussed.

This is a great point, Steven. To get onto that the discussion of our topics today which we are going to move on to very shortly, which is the CISO of the future. I was wondering if our teiss elves, who were very, you know, willing to step into the breach when my connection went again, can just check as we got reports, live, as we speak from Reg, saying that Graham Cluley is reporting that the gang are claiming they have hit Moss Bros, which is a large sort of menswear retailer in the UK. Thanks for posting that, Reg. We're trying to see if we can find whether that's true before the end of the show. We've got some comments here from Chris Bacon saying active defence seems to be gathering a lot of traction. Attackers will get in regardless of how much you spent on prevention. So what next? What do you do once they're in? Create the illusion of an expanded attack surface? We've got some great comments coming through, some news, hopefully, the teiss elves are looking at it for me and seeing if that's true. If we can confirm that Moss Bros are now the subject of ransomware. I think for me just to close this out. I am a professional negotiator. I've been negotiating for years. I have helped clients negotiate when their insurance company and their lawyers and law enforcement have advised them to pay and to avoid things like GDPR fines and other things. Sometimes it's a business decision. I think it's of course, it's not plan A, B or C to pay cyber terrorists, in the words of Ian. It isn't. But I think when you're calm, you're asking effectively with a gun to their head to see the wider picture. And sometimes in an individual case by case basis, that isn't always the case. And unfortunately, I think this is going to carry on. So I want to close out that section and say thank you to all of you on that. And just before we close this on ransomware, I've got such a fantastic panel today with such years of experience. What would your advice be to CISOs and to your colleagues, who are listening to the show now and will listen to it on record later on demand, to prepare for these huge ransomware attacks? What should they be doing if they haven't done already? Who wants to take that first? If anyone's got the answer on the tip of their tongue. Just do this, it'll be fine.

I can only speak from the world I live in, construction, and we're not a big industry is not IT literate to a great extent. You don't have the money so very much looking at more automation and orchestration, security tools and capability, because we don't have the people or the wide area of expertise to deal with these sort of things. We looked more to the technology to take the initiative for us. So very much automation and orchestration is very much where we're going within the construction industry.

Thank you. Maybe, Steven. What would your recommendation be? What would your piece of advice be to people about on this topic?

You have to approach it from two angles, I believe. First is that at an executive level, replace ransomware with what if we couldn't sign in? What if we couldn't get into the building for a week? And it's just plain language as that. And moreover, what if we couldn't get into the building and all the stuff that was within the building, a copy was made and put down the street with someone that we don't like. So that's the gravity, right? So in somebody's risk profile of hurricanes or whatever it is, it needs to be very close to the top. We know from the Verizon DBIR that ransomware instances doubled this year. But at the flip side, eighty five percent of all breaches started with a human. Meaning, some sort of compromised credential or compromised endpoint. And so, again, we need to intentionally replace ransomware with infected endpoint, you know, some sort of cycle of compromise, either to a lesser degree, it's a vulnerability, but generally we have an infected endpoint. Ransomware is a product of an upstream failure. So that is if we're not doing things to look at that and say, are we actually getting better? Also, more breaches happen in the cloud than on premise for the first time ever. So if we're not paying attention here, we're going to miss things yet again. And so I think it's a communications thing and an honesty thing. Be honest with ourselves to say, is my security programme, what actually is it? And what is it not? How well can we actually defend against a relevant attack?

Thank you, Steve. Just very quickly, can I get maybe Paul and then Kate. Just piece of advice on this one before we, because I know we can talk about ransomware for the entire show but we need to get on to our topic. So, Paul.

Ransomware, at the end of the day, it's about one person clicking on an attachment or a link that they shouldn't. So I think you need to focus on technical controls. So, for example, we use Office 365 and we subscribe to advanced threat protection. So that actually scans those malicious attachments and prevents people from going after those malicious websites. And we put in multifactor authentication, which helps defend against these phishing attacks. So I think that's what CISOs need to be out there focussing on is trying to put in technical controls to try to take the human element out of the equation.

I couldn't agree. Emma has said a number of my clients over the last couple of weeks, unbelievably, just that one thing is prevented, really very serious breaches. Kate, would you just want to close this one out with one piece of advice? And then we'll all be fine.

I think one of the big things is having system monitoring and especially endpoint monitoring, and that includes laptops, workstations and servers and firewalls, the whole thing. You really need to have some monitoring. And the thing is, most people can't afford it, which means that you need to look at partnerships with companies that can do that monitoring for you and can actively defend your environment.

Brilliant. Thank you so much, Kate. Well, I can confirm it does seem that UK High Street retailer Moss Bros, they're the people in the UK just for our US guests, Moss Bros is the place where if you're going to get married or you're a groom or a best man or you're part of the wedding where you go and hire your suit. And it does seem to be that Moss Bros are confirming to staff initially that they suffered a data breach exposing employee information. This is, you know, we've got the actual pandemic. There's a pandemic of ransomware at the moment. It's everywhere. It's touching everybody. Thanks to Reg for raising it, for Chris, for Carl, rather. And to Robert Sparks who is right now drinking his tea from his teissTalk mug because he did win in a previous episode. And so I want to say thanks to everyone. We are going to leave the topic of ransomware here. But I can imagine that going forward there'll be more discussions on ransomware on the show. So if you're here now, make sure you look out for that, because I'm sure we're going to roll with the news items. We've not got that long to go but the actual topic of the show today was the CISO of the future. And it kind of makes me laugh. We're doing this because I was doing some research on this for you guys and I did see that Forrester reported in 2020 six different types of CISO, only one of whom was a post breach. There were ones called things like compliance guru, customer facing. I mean, Paul, which one are you? It feels like a horoscope.

Yeah. When I saw that, I had a little chuckle because I was thinking of, I'm a Trekkie, so there's Doctor McCoy, who has a tagline that's, "Dammit, Jim. I'm a surgeon. Not a blah, blah, blah."

You've done it now, you've mentioned sci-fi shows.

That I could tell my boss to go, oh, dammit, Jim, I'm a steady state CISO. Every day you're playing one of those roles but you can't pick which one you are. You know, it's not like you're going out there and playing shortstop or wicket or, you know, it's just you play a lot of different roles as CISO.

Ian, we've got problems with the term even, don't we? We spoke to you in the past and you were saying it's different reporting structures, different scope. It's become a shorthand for a lot of different sorts of takes on the role, hasn't it?

Yeah, I think you're right. I think the term CISO and that has changed over the years. I mean, back when I first heard the term CISO, that was more of that sort of compliance risk guru. But I think as well, there's now a bit of a divergence between what we call a CISO and cyber director. My role, its title is director for cyber security and I see that as slightly different from the traditional aspects of the CISO, which from my experience doesn't all come from the sort of compliance, the governance aspect. But it is different and it's different for different companies and different industries. Previously, where I came from, a highly regulated telecommunications company, again, the role, the profile of the CISO was different within that industry than what I see here in the construction industry. If any of those six, I would put myself down as transformation CISO, because what I'm trying to do here in the construction industry is bring them screaming and kicking into the twenty-first century. When I first got here it was a bit like the Wild West.

You can have that one. You can have compliance guru slash transformation CISO. They're both parts of the little grading that we've got there. Kate, there is a post-breach CISO and I have to say that the one thing that is guaranteed to change after a ransomware attack of the nature we've been discussing is the CISO.

Yes, well, and as I've said before, it is the crisis induced sacrificial officer. So you are frequently seeing CISOs being held accountable for things that they have no control over. Rarely are you seeing CIOs or CEOs replaced because of these types of events, when the CISO probably has been recommending things and the executive leadership has accepted the risk. So I do not know of any CISO that walks around saying, yeah, our environment's fine and we're never going to get hacked.

Doesn't seem to be a popular view.

And the thing is, I look at Forrester's and I'm four out of the six. I dream of steady state. But by the way, because I'm a CISO, I rarely sleep. So those are waking dreams. I think our roles are changing. I think that what I'm seeing is more and more CISOs are reporting to executives and more and more CISOs are reporting on security state to boards. But we're not there yet, it's a really new rule. I mean, new role within organisations. I mean, systems just haven't been there and our roles are changing. And some of us can change and adapt. As I said, I'm 46, I'm not steady state and fortunately have not had to be post-incident, although it's not that any CISO doesn't have an incident a day.

No, I mean the night is young. We need to be careful with that, don't tempt fate. Everybody touch wood. I mean, Steven, thanks Kate for that, but I want to go to Steven. I suppose we've got to get everyone's final thoughts on this, but looking forward into the future, how is that going to change, Steve? Do you think we can even predict anything anymore given the last 18 months?

Predictions are usually worth about as much time as it takes to put them together and even then.

Unless they're from Kate, by the way, who predicts the whole thing.

I think that it's interesting that we have six versions of a CISO, which are not untrue. It's all very true. But I think it goes to show maybe the lack of maturity or mixed expectations of the position, where we have these sort of flavours out there, and until we mature and get better at saying what we are and are not going to do, and until business in general sees the role as a way to influence the making of money and supporting it, we're going to have these sort of flavours, right. You're seeing sort of like, not to get religious, but it's like the splits and the different types of Christianity based on leavened and unleavened bread, right? You've got these things in there, the same way with CISOs. You have these flavours and there's, again, no central definition of good or even great. And one of the greatest experiences I had is post-breach, dealing with a massive problem that cost a sizeable amount of money, leading the response, the view that the business had of security. Specifically, I found that the board cared about two things. How well does your programme attract and now retain logos? And what is the role of convincing a new customer in that and literally your connectivity to that? So I think that was an interesting moment, an eye opener for me to say as a security programme, how many new customers have you helped attract and retain based on the capabilities that you've created? I think that's something worth pondering.

Coming from yourself as chief strategist, I think it's a very valid point to make, actually. Let's just get Ian and Paul's final thoughts on the role in the future. I know that the ransomware has taken up a lot of the show today, but just going forward, Ian, what would you say the role of a CISO is in the future? I mean, would you agree with what Steven and Kate said?

Yeah, I think the role is going to adapt to the future. I like the six terms in that, but I think I'd agree to a certain extent with what Steven was saying, you know, it's a bit of each. I think what will happen is you'll see varying degrees of each one of those in any specific CISO role moving forward, and I think that will change as the threat landscape changes and the world we live in changes.

Thank you, Ian. Paul, are we going to have to start recruiting different types of people to cope with the way the role's going to change going forward? What are your final thoughts on all of this?

No, I think, you know, essentially the job of the CISO is going to remain the same. And that is, it's a job of risk management. It's a job of being able to demonstrate to your superiors that you are exercising due diligence and following best practices. I know a lot of things have changed, especially in technology and the threat landscape. At the end of the day, that's what it's about, managing risk and following best practices.

Well, I want to say thank you to my fantastic panel today. And I just want to comment and just let you know that Colonial are apparently looking for a new CISO. So if anyone's up for a bit of excitement, it does look as if that position is open and might well be, as Lee has pointed out here, might well be something where, you know, we don't know whether their CISO was pushing for patching and everything else. We don't know. I think today that the teissTalk mug has to go to Reg because she broke the story of Moss Bros live on air, which is something that, I don't know if Geoff White, who's also a host, has ever broken a story live on air. But I have now. But we do know that Geoff will be talking on Thursday about cyber career paths with, amongst others, the wonderful Danny Dresner. I want to say thank you to my guests, to Kate Mullin, Ian Hill, Paul Raines, Steven Moore for their brilliant insights into all of this, I really appreciate you being on the show. It's been fantastic. I want to say thank you to our fantastic audience. Tune in and take part. We are an interactive show, and it's lovely to have you all here. Join Geoff on Thursday at 10. And all I would say is I think it was Einstein that said we don't know how the Third World War will be fought, but we know that the following one will be fought with sticks and stones. I've been your host, Jenny Radcliffe, thanks everyone for a great show. We'll see you next time.

Your host:

Jenny Radcliffe

Jenny Radcliffe, also known as “The People Hacker,” is a world-renowned Social Engineer, hired to bypass security systems through a no-tech mixture of psychology, con-artistry, cunning and guile.

Jenny is a sought after keynote speaker, panelist and moderator at major conferences and corporate events, both in-person and online, is a TEDX contributor and is host of her own multiple award winning podcast series.

Kathleen Mullin, Chief Information Security Officer, Healthmap Solutions

Executive leader and influential information security practitioner with over 15 years of success in information security, audit, risk, governance, and accounting roles. Expert in mitigating risk and meeting the highest standards in security across industries, including Healthcare, Education, Government, and Banking.

Chief Information Security Officer for Healthmap Solutions with experience as a CISO and Executive Security Advisor for publicly traded, private equity, start-ups, not-for-profit, and governmental entities.
Firm believer that Information Security, as a division of the company, can be a powerful partner to Operations and Sales. As a collaborative C-Suite Executive, I have worked closely with executive peers and Boards of Directors to ensure information security strategies support rapid enterprise growth while keeping business and customer data safe.

Respected international speaker and panelist for webinars, seminars, and conferences, delivering presentations on diverse topics related to presenting to the board, cyber-security, data protection, risk, and IT governance, social engineering, ethics, incident response, and more.

Specialties: Board Presentations, Strategic Planning, Information Security Awareness, Cybersecurity, Risk Assessment & Mitigation, Risk-Based Security & Data Protection Programs, Information Security Governance, Social Engineering, High-Performance Team, Enterprise Training, Coaching & Development

Paul Raines, Chief Information Security Officer, United Nations Development Programme

Paul Raines is the Chief Information Security Officer for the United Nations Development Programme. In that capacity he is responsible for the information security and disaster recovery planning for the organization’s 177 locations around the world. His unit is the first and only United Nations unit to be both ISO 9001 and ISO 27001 certified. His information security unit has won international awards for outstanding performance including an Honors Laureate award from Computer World magazine in 2013 and CSO50 awards from CSO magazine for 3 consecutive years, 2014, 2015 and 2016—the first organization in the history of the award to have won 3 consecutive years. The CSO award honors the top cyber security organizations in the world for business value and thought leadership. Recently, Computer World magazine selected him for its Premier 100 award for being among the 100 most influential IT leaders for 2016—the second time Mr. Raines has won this award in his career.

Prior to UNDP, Mr. Raines worked for the Organization for the Prohibition of Chemical Weapons (OPCW) where he and other members of the organization were joint recipients of the 2013 Nobel Peace Prize. Prior to working for the United Nations he was the Chief Information Security Officer for Bloomberg LP, Barclays Capital and the Federal Reserve Bank of New York. He is a graduate of the United States Air Force Academy and Harvard’s Kennedy School of Government. For relaxation he enjoys opera, Shakespeare, French wine and sometimes just sitting in a cafe with an espresso and croissant reading a good book on Roman history.

Ian Hill, Global Director of Cybersecurity, Royal BAM Group

An Information & Cyber Security Professional with over 25 years’ experience at all levels within the IT, Telecommunications, Managed Services and Internet Service Provider industries, across Consumer, SMB, Enterprise and Public/Government sectors, Ian is also an accomplished technical writer, published author, lecturer & international conference speaker in Information & Cyber Security.

In 1996 he founded Drakken Ltd, a successful specialist web application ISP, responsible for designing & implementing highly secure managed hosting environments and real-time applications for Nokia, DS Smith & the London Stock Exchange. Drakken developed the first commercially successful web-based vehicle tracking system for ACIS (now VIX). After selling Drakken, in 2007, Ian moved to KCOM Group PLC, a UK based telco, ISP and UC Managed Services company. There, he created a dedicated security team and was instrumental in defining and implementing the group's Information Security strategies, assessing and reducing risk, defining and guiding the implementation of innovative security processes, leading edge technology & solutions, and owning the end to end security lifecycle & posture.

Ian now heads up and is responsible for the Royal BAM Group’s Cyber Security posture & response capability. Working into the CIO, he has created a dedicated security team, and effected a series of tactical and strategic plans leveraging people, processes & technology to transform and align cyber security across the group as part of a global transformation project. Ian currently holds the CISSP, CISM, CISSP-ISSMP, CCSP, CSTP, & CFIP Information Security certifications as well as being a certified ISO27001 Lead Auditor.

Steve Moore, Vice President and Chief Security Strategist, Exabeam

Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of the “The New CISO Podcast” and a Forbes Tech Council member. Prior to Exabeam, Moore served as Staff VP of Cybersecurity Analytics at Anthem, a Fortune 30 healthcare company. Moore’s experience includes leading the investigation of state sponsored cyberespionage campaigns, breach response, associated legal depositions, and client management. He’s passionate about cybersecurity, teamwork and leadership excellence.
