CISO of the year interview with Beecher Madden

I recently did an interview with Beecher Madden on winning the CISO of the year award:

https://www.beechermadden.co.uk/tablet/cm/news/2017/jul/awards

What does winning the award mean to you?

On a general level, I think the Cyber Security Awards provide the rubber stamp that cyber security is an important issue. Whereas in the past it’s always been an afterthought; you had to work hard to get someone senior to look at it, and now it’s such an important issue. The awards show the amount of recognition that security has these days. I think it’s a good way to promote security across sectors and the industry. We are seeing a lot of real action where security has been elevated to the board of companies and in government, whereas before it was the IT tool. I think it’s exciting, although to me it’s not a recent thing; I’ve been in security for 20 years and it’s been a long journey to get here.

Since winning, I’ve been getting queries saying how did you get into security? And how did you become a CISO? I wrote a blog to show the journey and the path. It’s hard work but the effort does pay off. It’s not just a personal thing for me. Why I do security is to use the skills and the experience that I have to help people. That’s what it’s all about for me. I’m doing whatever I can, in a physical and digital sense, to help people.

What are you most proud of in your career?

It’s really making a difference. I’ve worked on some really interesting projects. It’s a combination of being in the right position and the right organization in order to make a real difference to citizens and to people. I’ve done some cool things and some fun things as well. I did the security for Arsenal stadium for 3 years and I was asked to break into the stadium during a match; that was a fun highlight that I really enjoyed. I got into the stadium. We found a weakness in a system within the stadium and how it works. That was a highlight. I have made a lot of impact in government, just having that impact to change the way a country operates. I worked in the treasury department and a lot of the changes I made impact the whole country to protect them better from threats. There is a lot of recognition that doing security at that government level has that dramatic change in people’s lives. When I was in the Australian government, 2 years ago, I managed to change the privacy laws. I made the case that we need this and it’s needed to protect citizens and give them better rights to privacy. I had a lot of resistance but I kept it up and I got 2 sections in the privacy laws.

I also like mentoring. I really enjoy talking to people and companies that are doing things in security to guide them, or to help them help the industry, because they are making things or doing things that will put them on a new path. Helping people or companies to become more effective and better at what they do.

For others looking to follow in your footsteps, what would you recommend?

To be effective in security you have to start at a technical level and understand everything, due to the scale of what security covers. If you are a network person or a database person or a developer, you are only looking at one thing. Security is across every single thing out there within IT. I think that it is a key thing to understand the building blocks, even better than the subject experts in that area. As a security practitioner, you need to be better than the network guys, better than the database guys, better than the developers, because you have to constantly help them and challenge them to do things better. That’s a good start for a good security practice. You need that technical skill to get the respect. If you are just quoting policy but not putting forward solutions, you lose respect very quickly.

Eventually, you leverage that technical skill. What you do next is get into the business, on the people side. It’s even more important to be people focussed and to have the soft skills. Security is a very complex technical field. It is extremely important to translate something that’s highly complex and highly technical into something that normal business people and board members can understand. Putting yourself in their shoes. Understanding, what does it mean to them? What are they responsible for? The Head of HR doesn’t care about the security of the internal room booking system, but they care if people are safe from the threats that are out there. Do they understand the risk around the way they operate or the way they use social media? So you need to understand the people you’re accountable to. Get out there and contribute, give back to the community and to the industry. It’s a very special area and skill; don’t just help one organization or one team or company. Go out there and try and help an industry, get involved in external bodies.

Is there anything you would go back and change?

I think it would have been good if we had the focus we now have on security many years ago rather than in 2016/2017. It has taken a long time for people to recognise the importance of it, and the dependence we have on technology has changed a lot in 10 years. With wireless internet and all the other digital things that have come out, it would have been good if all this had happened in 2007. We are only at the beginning; the risks and threats that we are facing are right at the beginning of the chapter of the internet. We are just going into an era of everything being connected. We are going to have autonomous cars, autonomous ships. Our transport is going to be driven by machines and AI. We are connecting everything at home to the internet. TVs, kettles, fridges, they are already on the internet. We are expanding the reach of people, of organizations and the way we trust each other. We are fundamentally changing how we operate as a society. Security is going to be more important for the next 20 years.

What is it like to work for your current company?

It is great! I was working in the government out in Australia. I was at the beach and I thought, wow, this is a cool opportunity. I joined just under a year ago and VocaLink have been supportive and given me all the things that I needed. Things we have needed to do have been done and accepted; there hasn’t been much resistance. They are quite open to changing the team and the security approach and how we are doing things. I’m constantly in the process of improving and delivering better security. We are part of MasterCard now, so we are taking a similar approach to them. We are trying to shape the thinking to be more global. It’s been good and exciting; there’s a lot of new things we can do.

What do you think we will see from the cyber market in the next 12 months?

We need to see an improvement in the security around machine learning and AI. We can leverage machine learning and AI to become more effective security practitioners. What we really need is the foundation of AI to help complement and increase the security effectiveness of what we already have. I’m seeing a lot of activity in that space and we will see a lot more.

The bad guys are getting even more creative than they used to be. They are taking highly weaponised exploits that have been leaked from governments. We are going to see more of the recent WannaCry ransomware happening, which is unfortunate. It is unnecessarily effective, because the industry hasn’t yet found or patched the vulnerabilities they use, so we have to respond each time.

The final thing is the human impact of these security threats. You are going to start seeing ransomware on your kettle and you can’t turn it on until you pay. Not being able to make tea is annoying, but eventually it will be something bigger. Maybe you can’t leave the house because all the digital doors have locked, or you can’t start your car in the morning because someone has taken control of it. It is the human side of security which is not nice to experience. We are going to see something like that, probably in the next 12 months. My previous role was in healthcare and I did see the first incidents of security attacks impacting human life. I fixed some vulnerabilities where, potentially, you could end someone’s life from a security attack, and possibly, no one would know. We have connected pacemakers, so the option is there to break into these devices. What we could see is someone being killed from this, and that is really scary. IT systems and networks not working are annoying but they don’t impact life. For IoT, we need to step up our security game. The market is changing but the risks exist already.