Jul 1, 2024
Episode Description
Don Gibson, CISO of Kinley, shares his journey into the security field and discusses various aspects of cybersecurity. He emphasizes the importance of the desire to protect and help others in the role of a CISO. Don also talks about the evolving approach to security in different companies and sectors, highlighting the common foundation of the CIA (Confidentiality, Integrity, Availability) triad. He discusses the role of a CISO in a small team and the need to balance the big picture with attention to detail. Don also addresses the challenges of managing stress and mental health in the cybersecurity field. In this conversation, Don Gibson discusses the mental side of being a CISO and the ability to unwind. He emphasizes the importance of management support and the freedom to make decisions. Don also talks about the challenges of being a solo CISO and the need for a team. He highlights the need for continuous learning in cybersecurity and shares his methods of staying updated. Don also discusses the future of cybersecurity, including the impact of quantum computing and the potential irrelevance of personal data. He advises aspiring cybersecurity professionals to have a genuine passion for the field and to prioritize self-care.
Adi (00:12.894)
Hi everyone. Welcome to the Hands-On CISO Podcast. My name is Eti and today we're going to talk to Don Gibson. Don's been in the security field for over two decades and is currently the CISO of Kinley. Don, how are you doing today?
Don Gibson (00:37.81)
Hey, I'm doing okay. How's yourself?
Adi (00:40.158)
Perfect. I'm so excited to have you here. And before we even get into anything else, I'd love to hear how did you even find yourself a CISO? How did you get into security?
Don Gibson (00:52.178)
Okay, it's a bit of a funny story. Back in the early 2000s, there was something going on. I was working in investment banks and technology. And there was something that I called a boardroom recession, where the economy was fine. Everything was fine. But the bank in question point blank refused to give any training or do anything. And just basically said, well, you're here working, get on with working, which is
traditional for an investment bank, one would imagine. So I was looking at the internal job board idly and for the first time ever a light bulb went on above my head when reading a job advert. And I just sat there and just went, I want that. I want that job. And I was lucky enough to get a junior role in the
brand new team that was being set up to bring in Sarbanes-Oxley. So it really dates me on that one. And yeah, so that's where I started. I had the privilege of having an amazing female CISO to start off with. A shout out to Vic Handavit, the Dr. Vic Handavit. And she was so inspiring that I just sat there and went, I've got to get there.
Don Gibson (02:17.362)
I've got to be a CISO. So I worked through various BISO, Business Information Security Officer roles, then did contracting for a bit, then went into architecture, global architect across several firms, then one of the heads of cyber in the British government, and now the full CISO.
Adi (02:40.478)
Interesting. What was in that first ad that got you so excited?
Don Gibson (02:45.906)
You know what, I don't really know. Looking back, I think it may have been part of the headline, which was talking about protection and how to protect. And that's a big part of my makeup. And an awful lot of CISOs will also have that desire to protect and help, et cetera.
There's a kind of old adage that everyone is under our aegis. It doesn't matter whether it's the CEO, the board or someone on the factory floor. We look after everyone. And that's something that really struck with me. So yeah, it was literally so going through school, etc. I had no idea what I was going to do. Nothing interested me to that degree. And I fell into investment banks by
luck and hard work. And, and then this came about. And since that, I've not had a boring day. I've got to say it's it's been I've had some horrific days. But none of them have been boring. Yeah.
Adi (04:04.106)
wow, okay, I'll ask you about that later.
Don Gibson (04:06.866)
Whatever I can say under NDA, I will.
Adi (04:11.71)
So would you say that your job as in the security at first, not as the CISO, but later on, like in different roles, was it quite similar? Was it very different between different companies? Like how did it look?
Don Gibson (04:28.178)
Well, so I deliberately jumped around every couple of years to go to different sectors, to experience different sectors, to learn what there is. And it was only about, must have been 2013 or 2014, I started realizing that an awful lot of cyber is cyber. It literally does not matter where you are. It all goes back to the three little letters of CIA and that's what we base everything on.
The rest of it, it's the nuance that makes it interesting for the sector. For example, if you're looking at a highly automated manufacturing line, you need something that's low latency and high availability because if a robot arm arrives a quarter of a second late, that's the end of that arm or the entire line shuts down or whatever else.
But then you put that against say gaming or gambling, which I've also worked in, they need low latency, high availability systems. So it's kind of, hold on. And suddenly all the architecture is just going to be exactly the same. You just need to put in different concepts for it, such as the industrial control systems or SCADA for that. Or you need to make sure that everything's aligned up with the financial authorities requirements.
Et cetera. So there's a lot of things very similar, but in places that you really would not expect it to be.
Adi (06:07.486)
interesting. What does your day today look like now?
Don Gibson (06:11.826)
And currently, I've got a very small team here at Kinley. And Kinley themselves are going through a massive transformation, digital transformation. So it's a case of getting the requirements into the transformation teams and then building out processes that could be used with the small team. So instead of going belt and braces, going for the 80/20 rule, what's the biggest impact,
the shortest amount of work in the nicest possible way. So it's a case of making sure that that means talking to the board top down as to what risks we're seeing, what impacts we're seeing, what threats are on the horizon. I've been deeply involved with a lot of the compliance returns to our customers because for the first time ever I'm customer facing.
I've always been end user before I deliberately chose something on the other side to see what that was like. And I found it interesting the, because I've now been there over a period of, I'm seeing second and third generations of these forms come through to me. And it's interesting to see the difference in the forms and thereby taking the temperature of the maturity of the team that are sending it.
but also in the fact that you can actually start seeing intelligence in there, such as they've got threat intelligence. They're asking things about, say, supply chain and dot, dot, dot. And you can see by the tone of the questions and how the questions are changing what that threat intelligence is. So thereby, we kind of reverse engineering that and using that as free threat intelligence for us to be able to continue to.
on our evolution and making sure that our product is good and our supply chain is good so they don't need to be quite so concerned on their side. So interesting things like that that you can kind of pick out in the nuance. But that's one of the big issues with CISO in a small team. And it's something that I had to learn in my in the previous role is that as an architect, it was all about the detail. It was all about the nuance.
Don Gibson (08:36.882)
And then occasionally you had to kind of pan back out, zoom back up to see the 10,000 foot view. What does the entire thing look like, et cetera. The CISO, some CISOs will be able to, with a big T, be able to zoom in and out easily because they've got people giving them the details and they can look at it. Others won't need to do quite so much because they've got the team in place that can do X, Y, Z.
People like myself with small teams, occasionally you will feel like a yo-yo. You'll be going up and down, up and down, up and down. And that's fine. You just need to make sure you've got the internal thread and ability to actually understand that this is what you're doing and this is how it's gonna approach. So different strokes for different folks, but that's what I'm seeing at the moment.
Adi (09:34.974)
Interesting. Would you say that the way security is approached nowadays is very different than what you saw in the past in companies in general?
Don Gibson (09:50.45)
Generally, yes. And I think for that there are a couple of reasons. One, we've been around 20 odd years officially. As such, it is not exactly news. Two, the news, the media. Whenever there's something inside our arena that either looks like it could impact us or
Adi (09:53.342)
Mm-hmm.
Don Gibson (10:18.93)
We could learn lessons from it. I'm messaging the board and showing them this is this is being reported here. BBC News is saying this, this, that and the other. And therefore by using the media to educate on the board on that. And finally, I think there's been a lot of good work by our suppliers, by people like Microsoft, like Google, like Cisco, et cetera, et cetera, et cetera.
who themselves are driving security forward. Yes, they're doing it for the bottom line. And yes, they're doing it to earn more money and this, that and the other. Of course they are. We're a business, they're a business. This is what the world runs on, unfortunately. But the rest of it, they are improving themselves and thereby we are being lifted up with that improvement as well.
Overall, it's an easy conversation to have with the board as to security and security matters and requirements. And by that, things are improving. I think the board's also becoming a lot more cognizant, a lot more comfortable with the fact of things like zero days, where the brown stuff could hit the revolving object at any moment. We know this.
What process have we got in place? What tools have we got in place? What kind of sticking plasters do we have to put over the wound? ASAP. How do we look after ourselves? What tests are done on it? Et cetera, et cetera, et cetera. So I can remember for the first 15 years of my career, the CISO was often seen as it was a poison chalice. If something went wrong, it was the CISO's fault. And that was it. Done.
Now it's far more a case of if something has gone wrong, who has allowed it to go wrong? And the CSO is far less in the firing line. Now, obviously there's issues or concerns such as there have been court cases in the US of CSOs being put up and tried in a criminal case. We've seen that.
Don Gibson (12:43.762)
Which is why you should always make sure that the numbers are 100% correct. And it doesn't matter who or where you're reporting them to, make sure the numbers are correct.
Adi (12:57.054)
Interesting. In your different roles, have you felt like the part of the people, the employees of the companies? How much was it about educating them, helping them not make, let's say, security-problematic decisions and actions, versus how much do you actually put actions into stopping it?
Don Gibson (13:13.458)
Yes is the answer. A little bit of column A, a little bit of column B. It's, yeah, of course. So for me, your cyber security program lives and dies on the person, on the staff. Paradoxically, the human is the strongest and the weakest link. And if they're the weakest link, then I failed in making them the stronger link.
Adi (13:29.982)
Expand, please.
Don Gibson (13:56.85)
So it's a case of making sure that training awareness and it's quite often a change of culture around it as well. So that's something that you need to chip away at. The only thing that would make something change very quickly is a big incident. And that suddenly people go, my God, blah, blah, blah.
So that's the one thing that will change a culture overnight. As for the rest of it, I say that cybersecurity should be a bit like a force field in Star Trek. Odourless, tasteless, invisible. But if you run up against it, you know about it. So that's the sort of thing. Also to say that cybersecurity should be enabling the business.
So by that, I mean, we should and the architects, etc. should be working with our suppliers, such as Microsoft, AWS, whomever, to understand what's on the horizon, what's coming over, what's coming in beta, what can we possibly use to enhance our service and thereby give the business a bigger chance of doing something. This was something that I came about.
probably about a decade ago. And it was something the business learned to understand was, was if I said no, it's for a dang good reason. Because it's normally followed up with what about a suggestion of a different thing and they'd go, they realized that they could come to me with a question, a problem, and generally a solution would come out of it. If no solution was coming out of it.
then it was for a very good reason. And that needed to stop right there at that point. So for me, that's, that's, yeah, it's how to change the culture in the company in the nicest way to enable yourself and get them, the employees, the staff to act responsibly and to drive security forward.
Don Gibson (16:21.746)
that way altogether as kind of an all in approach.
Adi (16:26.686)
Obviously without any names, but have you experienced working with leadership that was more understanding to security versus the leadership that kind of saw it as something that kind of needs to be done, but didn't really see it as importantly?
Don Gibson (16:47.442)
Yeah, I have. I mean, I've worked in highly regulated industries. They've now lost the contract. So I'll mention the name. It was Camelot, the UK national lottery. And so therefore, if you turn around to the CEO and went, we have a problem with X, they can listen to you very closely. So there's that versus, I say other companies that
technology doesn't need to be invested in cyber, what's that? That changed very quickly when items were found, shall we say. So that was an education piece. The beautiful thing about that was getting a red team test in. When I have red teams in, I refuse to give them scopes.
I give them targets. And so I don't care how you get there, get there. And so that everything basically literally everything in anything. This team were taking selfies beside the target and then smuggling out the the the pictures. So literally it was impossible to defend. So it's like, right, this is where you are. This is where it is. What are we going to do about it? So
It was that kind of conversation that was needed.
Adi (18:19.678)
Interesting. Did you ever feel like a bad col -
Don Gibson (18:25.714)
Not often, not often. I mean, I obviously clothe myself in righteousness because I'm doing the right thing. No, no, there's there's some that sometimes that I've seen, I've had to get involved with, say investigations or the like. And I've seen people have been trying to do the right thing, but doing it the wrong way and getting getting in trouble with that, which is
Don Gibson (18:56.338)
is a shame, but there's not a lot you can do about it. But then there are others that I just sit there and still shake my head and just go, that's abhorrent. I can't believe you were trying to do that, which fine. I mean, when you have to go to...
British police to understand how to get or how to protect your team from imaging, then that was a different one.
Adi (19:37.753)
Interesting. What's the worst security situation that you were involved in or that you heard about personally?
Don Gibson (19:50.417)
heard about.
Adi (19:52.414)
Okay, maybe not heard about in big, but like someone that you know or in one of the companies that you worked at.
Don Gibson (20:02.77)
The one I've talked about and I can vaguely talk about, is Travelex. So I was at Travelex when it went pop, a global ransomware. That was not pretty. It was, it was, yeah, that was a real wake up. So I talk on podcasts and at conferences and the like about the
output of that, not the actual incident itself, because I am actually covered under NDA with that, but the output. So how to protect your team during high impact events, how to make sure the business is ready for such things, and how to look after the CISO's mental health, and how to stop burnout and adaptability,
things like that which have, which has grown from that. So yeah, to give you an idea, January 2020, I lost count at over 275 hours worked. That's three months' work. And then a few months later, at age 44, I had heart surgery, which I directly attribute to that. So I'm eternally grateful to my boss
Adi (21:15.262)
I'm sorry.
Don Gibson (21:28.882)
at that time and his boss who looked after me and is one of the things it's like you basically you look after the people you've been in the trenches of people you look after them and so that that's something that I try to instill across every team I've been part of.
Adi (21:48.478)
It seems like the whole subject of mental health and stress is so prevalent within CISOs. There's a lot of understanding that it's a very stressful job. Every day things can happen. What are some ways that you see people handling it for the better?
Don Gibson (22:05.714)
Mm-hmm.
Adi (22:17.502)
not just letting it burn them out completely.
Don Gibson (22:20.946)
Well, so this is let's rewind it slightly and go to why. So if you think about evolution, evolution in nature, I think the fastest evolution we've seen due to the very nasty issues in Chernobyl is within about 40, 50 years, we're starting to see evolution in nature. So that's the fastest.
evolutionary response we've seen as inside the human race. So we're talking like a third half a year, half a century to change. Inside our world, you can go to sleep, wake up and your entire world's changed. Congratulations, you got a zero day as being open on your network and
data is going out and you've got to respond. How do you evolve to that that quickly? In addition to that, obviously that's the worst you can see. But all the time we're looking for threat, we're looking for risk, we're thinking about how the worst that could happen. And with that, all the time with that,
our brain is constantly drip releasing hormones, chemicals, et cetera, that put us on the kind of the pre adrenaline. It's fight or flight. And so you're constantly on edge and you're constantly kind of ready to go, et cetera. And that is what causes burnout. So how would you therefore stop that?
couple of ways. You need to be adult enough to recognize it. And by adult enough, I'm talking to myself here, because up until 44, I just about thought I was immortal. No, I'm not. And that came as a shock. So you need to listen to your body. You need to you can't just push through. I say in my talks that alcohol is not a solution.
Don Gibson (24:45.362)
Technically it's a solvent, but it's not a solution. Our world is changing. We are having far more underrepresented people in there, ladies included, but currently we're a male dominated environment. Toxic masculinity is a thing and it needs to be recognized as such. It is toxic by standing up there and going, I'm doing this on four hours sleep. I'm doing this, I'm doing that. Rubbish.
If you can get by in four hours sleep and that's what your body needs, brilliant. I need eight. A lot of people need eight or less, slightly less or slightly more. The whole beating your chest is complete rubbish. What else is there? Pragmatic things you can do to fix it. Exercise is a really big one. It will help so much. Even if it's a case of getting up and walking around your garden.
or walking to the shops for lunch or something, getting up and moving, getting away from your desk. Really, really important. Another one is holidays and actually being able to switch off. How do you actually switch off? The trick is to have a team that you trust and that are empowered. The fact that if somebody sees something and they think they need to shut down a server, they go and do it.
They don't need to ask. They don't need to fire it up the chain. It happens. And there's a playbook and that playbook is tested and run and attested to. And that means that if something is going wrong, your team is able to go and sort it and you can hear about it. You don't need to be hands on. And that means when you go off a holiday, your phone can go off. You don't need to be bothered.
You can actually recover. And that's what, that's really, really important. I've heard that some places, especially in the US, expect the CISO, expect the senior staff to be able to be on call 24/7/365. Why? Seriously, why? Boiling that down, apparently the average length of tenure for a CISO
Don Gibson (27:11.058)
in the US is about two years, two, two and a half years. Why? Why do they need to be that short? If they're choosing to be that short, fine. If it's too much, too much effort, too much stress, and you then start looking at the knock-on effects of that, both to the company of the cost of recruitment, cost of hire, onboarding, offboarding, bringing up to time.
No CISO, no CISO's truly got their feet under the desk inside three months. Therefore, what's going on? There needs to be a different approach to it. And I'm not going all soft or cotton wool wrap or whatever else. I'm saying there just needs to be a sensible conversation about it.
Adi (28:03.582)
Amazing. Well, I think it's so interesting because I do see that it is a very male dominated field. And as such, even when you hear people talk about these things, often there is like a hint of like, but it's not a big deal or or something like that or saying, yeah, I really struggled and I got help.
Adi (28:33.694)
But everything's okay. Like there's a bit of that. Do you have any idea of anything that could be changed to open that up more? I guess it's a society in general problem, but like, what do you think?
Don Gibson (28:53.346)
It's the society in general thing. It's also the fact that the, the CISO needs to be the kind of the stalwart, the base of the pillar, et cetera, that everything, everything sits on.
I think that the previous answer of A, the team of that, but B, you've also got to walk the walk as well as talk the talk. So I had previous teams. I can remember it was literally the first nice day after winter. And it was, it's not going to mean much, but it's like kind of 15, 16 degrees and warm sunshine in the UK. I mean, that's just about summer anyway for us, but.
But, but it was that, and I was on my, my, my team call and just went, look, team call, not going to happen. Everyone go outside and get some fresh air, get some sun on the face. If you need to talk to me, my messenger's on and we'll talk in half an hour or whatever else, but go outside. Actually just do, and it's little things like that, that the team will go, okay.
And the team see me talking on stage and whatever else and it's like, well, if he can, if that big lump can do it, then surely we can. I mean, yes, there is a slight privilege, I guess, of being this person and standing up there and doing that and blah, blah, blah. But hopefully that means that other people can and they feel empowered to be able to do it.
I'm hopeful that able to make a small difference, that people can do this and etc. As for the male domination, yeah, we need more underrepresented people in this great world. I've got a number of female CISO peers and they are absolutely brilliant and we need more. We need more people.
Adi (31:10.11)
Amazing. Okay. Let's transition. Actually, well, you'll tell me if maybe you're staying in the same subject, but what do you think is the biggest problem right now in cybersecurity?
Don Gibson (31:26.546)
Russians. Russians. No, I think slightly flippant. The biggest issue we've got with cybersecurity, I think, honestly, a geopolitical because I'll expand on that. The world's in flux at the moment. There's a number of active war zones.
Adi (31:28.67)
Again.
Don Gibson (31:55.186)
There's a number of issues like that. There's political strife going on. I mean, you've seen the...
thing about Trump, the far right rise in France, Brexit, the absolute mess the UK political system is in, etc, etc, etc. All of that means there's more threats out there. People are more concerned. There's a cost of living crisis across a number of countries.
people are having to do more with less. Therefore, there are more scams out there that people getting desperate. All of that, it just kind of ratchets the pressure up as to as to what's going on. And so with that, I honestly think that there's even there needs to be some cold water poured on a few people. Or there's something
going to go badly wrong. And so therefore, it's a case of
How do we make sure that the people we're trying to look after, once again, the protection thing, are safe, the business is safe? And how do we make sure that that is, the board understands the threat landscape of what we're looking at? Obviously the board aren't stupid. They know that stuff's going on, but how is this potentially going to impact us? Occasionally they'll need to be shown a few items.
Adi (33:45.654)
Interesting. What keeps you up at night in terms of the CISO work?
Don Gibson (33:53.938)
I try to not let things keep me up at night. I try to deal with stuff during the day and put most things off my plate and onto other people's before the end of the workday. If not, then I'll sit there and turn around and give people clear expectations of when they'll be hearing from me. If they've got an expected deliverable, am I going to slip on that and start to manage things that way?
I found that towards the end, I always shower before going to bed. I can't stand going to bed dirty. And I find that I've been ranting in all this couple of years ago, I was ranting in my head in the shower, going, this isn't right. That's not right. This isn't happening. Blah, blah, blah, blah, blah. And I realized that I was then carrying that into bed stressed. So what I do is I have a pen and paper outside the bathroom.
When I finish the shower, I'll go, right, OK, I've identified this now. Dry myself off, go out, write down the problem. And that's a problem for tomorrow's Don, which means I can go to sleep and I'm not going to sleep stressed. And that's, it's sort of little things like that, that are able to add up. And yeah, it's not going to work for everyone, but it works. It works for me. The trick is finding,
finding the items that work for you and how you can improve yourself or understand yourself better and then how do you then therefore turn the wheel on that.
Adi (35:37.214)
Amazing.
I'm thinking, how do you...
You talk a lot about the mental side of you constantly thinking about risk. You're constantly evaluating things and that puts a lot of stress on you. And as the CISO, you have some sort of, by the way, do you hear me, Debil? Cause I hear myself sometimes when I talk.
Don Gibson (35:56.53)
Mm.
Don Gibson (36:08.05)
No, I'm hearing you fine. There's no echo on my side.
Adi (36:11.358)
Perfect. But nevermind. I'll just mark this moment so I know how to cut it out. So you talk about the mental side and as a CISO you're a bit higher up. So you have more of the freedom to decide how you manage it. But when you were in more early stage security positions, do you feel like you had the same ability to allow yourself to
Don Gibson (36:16.786)
Yeah
Adi (36:40.926)
unwind, or is that something that really depends on which CISO you're working for?
Don Gibson (36:44.978)
I
Don Gibson (36:49.906)
Yeah, something's frozen.
Adi (36:57.117)
I think I lost you.
Don Gibson (37:20.658)
It's okay, buddy.
Don Gibson (37:52.254)
Sorry, that was this end.
Adi (37:54.878)
That was okay. What was it?
Don Gibson (37:57.342)
It was something went wrong this end. My router was fine. My PC's fine. I think it must be the cabinet. Something up that end went. So, sorry.
Adi (38:09.342)
well, I missed you, but I got through it.
Okay, so I was... Yes, I was...
Don Gibson (38:17.854)
So you were asking about, so if you want to just mic, I can just start.
Adi (38:27.966)
if I want to what?
Don Gibson (38:30.334)
do it to markets and I'll try to get like that. Okay, so the entirely depends on the boss. If you're just a small cog and whatever else, then it depends on the structure that the management have put in. So if you're seeing something and raising it, then that should
Adi (38:33.118)
yeah, yeah, yeah, no, I marked it. It's good.
Don Gibson (39:00.254)
automatically be the process that's in there. If you're seeing something raising it and raising it to nothing, to silence, then is it going to the right person? Is it going to the, do you need to escalate it? What will happen if you escalate it? Things like that. It's, so for me, that's entirely down to a management thing.
Have I ever worked in a place where that was like that? Yes, I have. Did I work there very long? No, I didn't. And that just about sums it up. So yeah, if the management are putting in the right processes, then I don't care if you are day two on your job, brand new in at the lowest of low and you find something and
turn around to your boss and go, I found this and the boss goes, yeah, you have. Let's ship that up the line. Brilliant. My team's made the right decision. You've just about passed your probation on that one thing. Congratulations. So yeah, it's that kind of level for me or that kind of thought process.
Adi (40:22.206)
how would you say, is it different to be a CISO when you don't have a team versus when you have a team? Because I've talked to a lot of CISOs who also are just like the solo CISO or maybe one more person.
Don Gibson (40:36.67)
Yeah.
I personally don't like it. I understand the need for it in my current role. And it's not a, it's not a, I'm not slamming my company or their approach. I knew what it was when I accepted the role. But you need to be a jack of all trades to do that. And for me, that's not really what a CISO is and does. The CISO should be caring about strategy.
helping build the company, helping enable the company again, et cetera. They shouldn't be needing to be hands-on in investigations or this, that, and the other. There should be, that there are so many different facets of cybersecurity that if you're expecting one person or two people to cover
everything, then you're on a hiding to nothing. You're going to have to just do a very, very skim over the top of everything and just cover as much as possible. It's like the old adage of if you're able to put a drop of olive oil on a swimming pool, an Olympic-sized swimming pool, that olive oil will slowly go across the entire top. It's like one molecule thick, but it's across the entire pool. And that's what it feels like sometimes. There's the...
Yes, you've got coverage, you've got to see so this, that and the other. Are you actually truly delivering what the company needs? That's going to be up to the processes again. Have you been able to outsource? How good is the outsourcing? What have you been able to put in line? The advent of AI, quote unquote, machine learning to everyone else that's not working in marketing.
Don Gibson (42:38.59)
The use of automated systems to give automated responses and therefore reduce the amount of people that need to be sitting on seats. Very important. Very, very important. We're seeing more and more attacks come in from machine-based attacks. The only thing that can stop machines is machines. And so therefore everything's got to be in there. But once again, you're looking at the strategy.
And once again, we're talking about strategy and the entire overlay piece and how to use ML, AI, how to use this, how to use that. All of those items require thought process. How are you going to be doing the hands-on stuff when you're supposed to be doing that? It's, once again, it's the balance. And to follow on from that, how do you get that across the board?
You need to educate the board. You have to lead them through what's going on. And then the final thing is you have to have risk. You have to have a risk saying that the board, this is what the board wants. This is how they're approaching cybersecurity. This is what we're leaving ourselves open to. Not a lot I can do about that. There's literally what can I do? I'm a person. So approaching it with education, letting the board understand.
truly what's going on without resorting to fear, uncertainty and doom. Always a good thing.
Adi (44:14.526)
Nice. Okay. How do you keep updated with, I see cybersecurity, it's like a field that keeps changing, keeps updating every day. There's new stuff. There's everything's going on at the same time. And I loved, I don't remember who told me this, but recently someone told me like, you're always, you always need to be like one step ahead from like the, anyone from like the leadership asking you.
Don Gibson (44:26.814)
Yeah.
Adi (44:42.782)
Did you read about that thing that, and you're like always on. How do you have time to both really keep learning about what the new threats are, what is going on in this field and actually doing your job?
Don Gibson (44:46.494)
Yeah.
Thank you.
Don Gibson (44:58.046)
I listen to podcasts occasionally when I have time. I am a member of a number of mailing lists that I actually trust. And it's curated stuff for the CISO. So I can sit there and go, OK, I've seen this, I've seen this, I've seen this. And I'm a member of a number of CISO WhatsApp groups where we
literally will, if we see something like, okay, that's interesting, and put it up there. And so I call it a cabal. But we have this self-help group would be another way of putting it where we, yeah, we literally will sit there and see things and go, okay, what's this? What's that? How's this? How's that? For example, the Snowflake items that have been hitting in the data losses.
that have been around that. We've been sitting, we were sitting there last month going, hold on, hold on a second. I know we know what's being said, but this is a bit strange. And so we kind of think, percolate through things like that.
Adi (46:18.686)
Interesting. How do you know? I'm thinking the WhatsApp group is like genius. I guess, I guess it's like, it's the same way in many different industries, but you, it's interesting in security because do people feel comfortable like sharing things or is it more, you don't really talk about what's going on at your house and everybody's looking around.
Don Gibson (46:46.846)
Everything is under the Chatham House Rule automatically, but you rarely talk about things that are actually happening unless you need somebody's input on it or the thought of the group on it. But in which case, everybody in those groups, we know, we literally know face to face. We've been around each other for years.
So therefore there's an internal trust. And if somebody is causing one of us trouble, that's outside of the group, then that group will know, etc. So there's, there's with that, there's also there are other ones out there. So there's some professional ones, and some semi-professional ones, shall we say.
But we'll all, yeah, we know each other. We talk to each other. Even for stuff that kind of fun things, things that make us laugh that are cyber-based. For example, there was a picture I saw last week, which was a question on, I think it's Twitter or Reddit, of what screams insecure to you?
And the first response was HTTP. And that was it. And that's perfect. And so that went versus the other things, other things we see. So yeah, there's a good knowledge base people trying to find. So another one is your team. If there's a really good team person who's basically gone as far as they can in
Adi (48:18.238)
fuck.
Don Gibson (48:44.126)
side of your team and the next step is your job, then and you're not looking to go then well, how would you therefore try to help that person take the next step? You need to let them fly, you need to get them that they're good enough. You they're there. How do you get them doing that? I turn around to these groups and go, is anyone aware of dot dot dot? Have we got have we got any?
Are we aware of any openings? Who are good people to talk to? Who are good recruiters or headhunters? Et cetera. So it's all kinds of additional information that's actually going to help you, help your team, help other people, and just melding it all together.
Adi (49:32.83)
What do you think is one thing that most CISOs don't really pay enough attention to?
Don Gibson (49:38.43)
themselves.
Adi (49:41.15)
That's hard.
Don Gibson (49:45.598)
Yeah, that's because it's, it's, yeah. The longevity of a CISO is based around a number of things. But if you're in our role, there is constantly something and you're never going to have the ability to have a perfect day, that something is going to happen at any point. And therefore.
Adi (50:13.63)
Yeah, it's kind of the job definition, like catching all these.
Don Gibson (50:18.974)
Yeah, and therefore, do you have the ability to switch off? Do you have the ability, for example, for me, do I have the ability to sit down and read a comic and just take my brain out and not think about something? Or do I have the ability to go outside? Do I have the ability to turn my decks on, for those people that can't see, those disco lights? And I, yes, enough said.
Do I have the ability to do that? Do I have the ability to go and exercise and listen to a podcast? More often than not, I'm getting to the end of the day and my brains are crawling out of my ears. And it's just a case of, do I really want to do this? So it's a case of making sure that you are looking after yourself and getting the right processes in place, giving yourself enough time, making sure that the team can.
Protecting your team, but your team needs to protect you as well. You can't become the weak link in that. So all those kind of bits and pieces together, you need to do. But yeah, for me, that's the first one. The second one, especially in the UK, if you're a reporting officer, you need to be protected under insurance.
Which is something a bit different.
Adi (51:44.19)
Interesting.
Okay, two more questions. Do you have time by the way? Because we're a bit over time.
Don Gibson (51:53.47)
Yeah, yeah, let's run this.
Adi (51:56.158)
All right, cool. So two more questions. Yeah, I do that.
Don Gibson (51:58.27)
actually. He says that. Let me just check my calendar. I'm fairly sure. Yeah, let's go for it.
Adi (52:07.166)
Okay, cool. So one, what do you think the cybersecurity field is going to look like in two, five, 10 years? What's going to be different?
Don Gibson (52:23.326)
Two years.
Don Gibson (52:32.094)
In two years, I think we're not going to see any change in the geopolitical climate. I think we're still going to have the same issues with the economies. The US will be either...
either trying to come to terms with the output of the election or.
further output.
Don Gibson (53:04.254)
I think Ukraine will still be fighting.
Don Gibson (53:11.486)
Everything else will be about the same. Five years. We've got the potential of quantum coming online with that. I think definitely in 10. And that will be a massive difference to how people perceive data and how they protect it. I mean, from what I understand, two, possibly three algorithms are
quantum resistant and an awful lot of the data because obviously thieves are stealing terabytes of data at the moment. On average ransomware will try to take about 500 terabytes if they can. And they'll just they'll have it. I mean, yeah, all we give them data back. Yeah, sure. You have so yeah. They haven't. It's all that data data theft that's going on from nation state down. It's just sitting there waiting to be
decrypted and therefore what happens? I think one of the huge questions is going to be what happens when personal data becomes completely irrelevant because all personal data is now open or it's out there? What happens at that point? That's going to be a really different approach. Then there'll be, for example, how to use
I know the Chinese a couple of years ago were working at how to use DNA to encrypt. So everyone's got a different DNA stream to that. Therefore, how do you encrypt data with that? What happens when nation states have all your biometrics, including your DNA? How does that work? So there's, yeah, it carries on like that. There's some really, really interesting things going to be occurring.
Hopefully inside 10 years, the geopolitical areas would have calmed down. The world will not be quite so on edge. Hopefully we would have found something to arrest global warming or at least stop it instead of retracting it.
Don Gibson (55:34.814)
Who knows? Aliens come down and peace and love comes out across the world.
Adi (55:38.238)
Yeah. Yeah, interesting. Like you said about the geopolitical situation. I'm like, I hope so. Like, I hope everything comes down. I guess we'll have to.
Don Gibson (55:49.982)
Yeah, I mean, what just touched on aliens, this is a really interesting one. So we're conditioned, we're conditioned if aliens land, if they haven't already, of course, they're going to be small little gray, big eyes, etc. What happens when an alien ship lands and humans walk out?
Adi (55:57.758)
Okay.
Don Gibson (56:14.014)
What happens at that point?
Adi (56:19.486)
Honestly, I have never thought about this question and it's very interesting because I think what we do is probably looking at human history, get into war with them. What happens next? I don't know.
Don Gibson (56:38.974)
Yeah, it's weird because I mean, yeah, everyone's, the entire belief structure or everything is turned on its head at that point. I mean, if you look at traditionally to humankind, if a more technologically advanced tribe, race, country, etc. goes and finds a less technologically advanced race, then that's the answer.
Obviously, these alien humans would be such a dumb thing to say, would be more technologically advanced and therefore we would have trouble.
Adi (57:21.982)
unless the other way around happens and we find a place. Well, that's not going to happen in 10 years, but...
What if we're the ones getting to a planet where there's alien humans?
Don Gibson (57:35.454)
Yeah, it's, yeah, I do, I do find it a really dumb thing from people like Musk or the like was saying, we're gonna spend all our money trying to get off the planet, instead of fixing the planet that we're already on.
Yeah, never mind.
Adi (57:53.534)
Interesting. Okay. Interesting side topic. That was the word I was looking for before. Okay. Last question. What advice do you have to anyone who's getting into cybersecurity or about to become a CISO or is a CISO and
Don Gibson (57:54.685)
No.
Don Gibson (58:00.286)
and tangents.
Don Gibson (58:07.006)
Yeah.
Adi (58:16.286)
and wants to continue to be one.
Don Gibson (58:18.558)
Run! Run away! Don't do it! No!
Adi (58:20.19)
Hahaha
Hahaha
Don Gibson (58:26.845)
Seriously, I think cyber security is the most interesting place you can be. I know people in other jobs that love their job will pooh-pooh that. I'm fair play to them, but I love it. I'm so happy to have got where I've got and done what I've done and hopefully been able to help. I'd say without being all gatekeeping,
approach it for the right reasons. Do it because you want to do it. Don't do it for reasons that could be less than. For example, I've got a number of people who have approached me saying, we want to get into cyber security because of the money. And it's like, yeah, okay, that's a fairly good reason, but that's not going to sustain you.
that's not going to fulfill you. So yeah, if you do that and jump across, fair play, yeah. But if you're looking to be in this long term, I'd suggest that you need to have a real passion for what you're doing and how you're doing it. There's a t-shirt I had in the 90s, which basically said see it as it is, leave it as it was. So always try to make things slightly better,
always try to improve things. And I think that's a really good approach. Try to remember that there's more than this out there. It's more than, yes, your career is important. And yes, your life is important and everything else. There's more to life. There really is more to life. And some perspective on that is really important. Also, the CISO is not a destination.
It's not the end of your career. You haven't got to CISO and gone, right, I've got here.
Don Gibson (01:00:33.182)
What's next? What is next? And so this is one of the questions I've been having with some of my groups is to what is next? Do you go Chief Risk Officer, Chief Security Officer? Do you go to CIO? Do you go to a director of something? What do you do? Do you sit in the company and slowly rise the CISO up onto the board?
How does that work? And so it's all those kind of items that you need to, and thought processes you need to look at. But at the end of the day, the one thing that's gonna make sure that you truly enjoy your job is you. So you need to look after yourself. You need to make sure that you're looking after people as much as they're looking after you. And good luck. It's a great place to be.
Adi (01:01:30.558)
Amazing. Well, thank you so much Don for everything. This has been a really interesting conversation. I loved hearing your different perspectives and how you look at the, you look at the whole industry in a very human way, which I love.
Don Gibson (01:01:47.998)
Thank you.
Adi (01:01:51.294)
Of course. Well, it was great meeting you.
Don Gibson (01:01:54.078)
And you have a good one, Adi. I'll see you later on.