Creating A Safe Space To Operate | Chris Denbigh-White, CISO @ NextDLP

Jun 30, 2024

Episode Description

Chris Denbigh-White, CISO of NextDLP, shares his non-standard path into information security and how he ended up in his current role. He discusses the importance of understanding the business and providing a safe space for employees to work in. He emphasizes the need for companies to focus on addressing the basics of information security, such as asset inventory, application inventory, and network protections, rather than solely focusing on advanced threats. He also highlights the challenges and complexities involved in implementing these basic security measures. Chris Denbigh-White, Next DLP CISO, discusses the challenges of presenting information security in a way that engages the wider business. He emphasizes the importance of explaining security in business language and reducing business risk. Chris also shares his strategies for staying up-to-date in the rapidly changing field of cybersecurity, including using resources like the SANS Internet Storm Center and participating in information security meetups. He highlights the benefits of having a small security team and involving the wider company in security efforts. Chris discusses the different roles and responsibilities of a CISO in small and large companies and the need for both technical and business knowledge. He predicts that the cybersecurity field will continue to evolve with the adoption of AI and large language models, but emphasizes the importance of understanding the business problems that these technologies can solve. Chris offers advice for those interested in cybersecurity, encouraging continuous learning and not letting personal characteristics or self-doubt hold them back.

Episode Transcript

Adi (00:01.104)

Hi everyone. Welcome to the Hands-on CISO podcast. My name is Adi and today we're going to chat with Chris Denbigh-White, who's been in the security field for over a decade and is currently the CISO of NextDLP. Perfect. So Chris, before we even get into anything about what you're doing now, I'd love to hear how you got into security.

Chris Denbigh-White - Next DLP CISO (00:14.746)

Hi Adi, great to be here.

Chris Denbigh-White - Next DLP CISO (00:27.77)

No problem at all. I have what they call a non-standard path into information security and it's kind of odd. So, roll back many, many years and my university degree is in applied theology. So I was trained and I'm trained to be a minister of the church, which is, you know, you don't necessarily find a lot of CISOs who are, you know, trained to be church leaders. So my aim was to work in outreach and to work, you know,

doing aid work abroad and I met my wife on that course there. Some things in my family meant that my father passed away and my wife's mother did so we decided to spend some time putting down roots in the UK first. So I got a job, I joined the police and prior to that worked abroad, I speak a number of different languages and I got moved into kind of working in the town, working in the camera, to extremism.

which was an interesting field, then ended up working in cyber in that area and then building the computers and building the infrastructure that we would do our work, then ended up working outside in Transport for London, then worked in consultancy and then banking and then now it's, that's kind of how I got into it by, I've always been a massive geek and I've kind of pushed my career into...

doing the things I genuinely enjoy and it just so happens I genuinely enjoy being a CISO and running a security program. So that's the last 10 years-ish. So yeah.

Adi (02:07.024)

So you've been doing security in many different areas and before that you were something completely different, like what you thought you were going to do.

Chris Denbigh-White - Next DLP CISO (02:11.194)

Hmm.

Chris Denbigh-White - Next DLP CISO (02:17.082)

Exactly. I thought I was going to be working with homeless children in Mexico. But actually, I found myself, like I say, working kind of counter extremism for a while and then building the infrastructure that they would do the counter extremism work on in the UK and then building this properly. And back then, building infrastructure properly kind of was cyber security in a way, because I came in, I got brought in.

after somebody unexpectedly quit, because I was working at Intel and they were basically the parents that at the time were, Chris, you're a massive geek. You can run the database. And I said, yes, absolutely. I can do that. I know how to do this, but I'm not touching this very sensitive national security stuff until you put me through this course, this course, this course, and this course, the Microsoft stuff, the databases and security. So I kind of...

That's what I did. You know, they liked what I did. I could do it. And I kind of did the training and iterated from there. So I would be okay. So this needs securing now. I kind of know how to secure it because I've been playing and breaking stuff for years. Okay. This is, these are the courses that I'd like to do a pen testing course, a network forensics course, and then implementing those functionalities into the infrastructure that I was building for the unit I worked for. And then.

people liked what I did, so they asked me to third eye the designs of other people's work. And I'd say, well, actually, this makes sense. This doesn't make sense. And then kind of got into that line of work. So it was very much deciding what I wanted to do. And I was lucky enough to be able to push the boundaries to be able to almost make my job description what I wanted to do. So I was doing kind of my day job at the time, but also slowly but surely.

diverted what my day job was moreover to a cyber security designing defensible infrastructure if you see what I mean.

Adi (04:17.776)

Amazing. And what does your day to day look like now versus what it looked like when you were just starting out as a CISO?

Chris Denbigh-White - Next DLP CISO (04:26.042)

Day to day now is I run the security team for a security software company now. So it's kind of odd in a sense in that it's the day to day stuff you'd expect of a CISO. So I, we look at the things like our product security. So we have a piece of team that makes sure that as a security company, we build software that is in itself secure.

So that's all the things, all the good things, you know, like pipeline security, shifting lefts, static analysis, dynamic analysis, and teams to remediate the stuff. And that's all I oversee and look after that on one side. And on the other side, kind of your classic information security role of the business security. So things like ensuring that our email system is secure, people are adequately trained in cyber security, we're meeting and.

passing the right kind of compliance requirements, in our case ISO 27001, and ensuring that that program runs and is consistently improving. So that's my day now. My day back, if we kind of go back to kind of when I was working in building and looking at infrastructure, was 50% of the day would have been

tracking the movement of ISIS material. That's what the unit I worked for did. It was, you know, kind of a big video or some stuff would be brought out and we'd try and figure out where it was going, where it originated from and to be able to real world house those people, kind of big, OSINT type work. And then the other 50% of the time was looking to improve the infrastructure that that work was taking place on, you know, because it was very much 20 year old thinking of how that

should be done. So I was implementing a, an enterprise grade thing, which basically brought in kind of a lot of elements of logging and model monitoring, both for external attacks, but also for ensuring the safety of the users who we do using kind of the infrastructure as well. So back then it was really interesting challenge to have because normal business, normal companies would have

Chris Denbigh-White - Next DLP CISO (06:35.002)

you know, this is a business relevant website or business relevant activity to do. And that will be, you know, you allow a certain degree of shopping or you allow it to go into new sites and things like that or travel sites, you know, plan a trip on kind of the underground from here to here. Whereas that use case where I was working before be flipped entirely on its head. You know, we would want people, it would be expected for people to go to the darkest dirtiest parts of the internet. You know, the places would usually be banned out of hand.

yet because it was a quasi covert unit we wouldn't want them journey planning or doing anything to do with their real lives on the internet and leaving a trace that way. So there was a lot of reprogramming the behavior rules to allow what normal people would perceive as the horrific and ban relatively normal stuff. So it was really interesting in that sense and quite different to what I do now.

Adi (07:27.568)

It sounds like they're both security, but they're completely different like focuses.

Chris Denbigh-White - Next DLP CISO (07:34.682)

Yes, absolutely. Well, the focus is the same. You know, the outcomes are the same. That's to ensure what the business needs to do is done in a secure way without compromising business security or compromising the staff and providing a safe environment for people who work for a company to work in. You know, almost like a health and safety thing. You know, in the physical security world, you know, we provide safe spaces for people to work off the system desks, you know, so people don't get

a sore back or electrocuted by their plugs. In the same way I see being a CISO, information security is providing companies and providing the staff that work for my company a safe space to operate in the world of computers and data where, you know, for the most part, they have guardrails and safety around them so they can do their jobs in a safe way without risking leaking or losing data. That's kind of essentially whether it was back then or now that's,

always been my aim.

Adi (08:34.224)

So it's interesting for me to hear your perspective on how different companies, obviously they relate to security in different ways, but specifically in the field of how much is the responsibility of the employee versus the CISO in terms of are the employees very educated? Like everyone's making sure that everyone is okay.

or are there actual systems that make sure no one makes mistakes in a way?

Chris Denbigh-White - Next DLP CISO (09:10.394)

That's a really great question. I think it's down to wider company culture and company size as well. For example, the company I work for now, in comparison to some of the companies I've worked for in the past, is relatively small. So it is possible to have, although I don't know everybody deep down personally inside the company I work for.

I know everybody by name, I have an understanding of the work that they do and you know, they're not a name on a spreadsheet or a name outside. Whereas if you worked for a large company like the finance company I worked for previously with a hundred thousand dollars workforce globally, there's no way you could get to know everybody. So I think the approach is different based on the budget and the size of the company. However, the ethos I've seen is a lot like

Again, I spoke of guardrails a moment ago and providing a safe space in which for people to work. I think that that should be true regardless of where you work and what size of company you are. And it's a difficult problem with larger companies. It involves understanding business flows, what the business does and what the business needs to do first and then seeing security as a facilitator to that rather than coming at the problem with

this is a framework like ISO or NIST or something with a whole load of controls that we will switch on and block stuff essentially. And I think that's where a lot of my colleagues and I in the past as well have come and stuck a little bit by saying, okay, so this, we need to stop this happening and blah, blah, blah. It needs to not happen because it's bad universally without necessarily taking the time to understand what the business does. So I think.

In answer to your question, to achieve this across the board, I think it's about understanding what the business does and employing adequate communications strategy to be able to engage the wider business, if you see what I mean.

Adi (11:06.384)

Thank you.

Adi (11:12.464)

Interesting. Have you ever in any of your companies, the companies that you worked at or even now, although I guess in a cybersecurity company, there is more of an awareness, but did you ever feel like a bad cop? Like you were the one who's in charge that nobody's doing anything.

Chris Denbigh-White - Next DLP CISO (11:31.162)

I always try not to be the bad cop, but sometimes you have to be, you know, because it's always the interplay between what the business needs to do and making things have a lack of friction, you know, for the business and also having defensible security as well, you know. And if we take things to extremes, you know, if we want the business to be like ultra fast and be able to do everything, you know, then like

have no passwords for anything, just have somebody log on to a resource and they're in instantly with no authentication whatsoever. But that's not great for business because very, very quickly the business would lose all its data, be fined by everyone, and probably go out of business. So it's finding that sweet spot of being able to say no sometimes, but always provide reasons and alternatives.

Again, not wanting to consistently talk about guardrails, but I always try and be rather than a roadblock in the path of business. I always try and be kind of the bumpers on the side, you know, like in a bowling alley, you know, when you take your kids to bowling, you know, that's kind of the aim really is that if I do have to implement a block of stopping something specifically happening, then I need to also understand what the alternative is to achieve the business outcome.

And to do that, I need to understand what the business outcome is. And to do that, I need to engage with the business and ask them, what is your business outcome? What are you trying to achieve here? And if it is, you know, I want to watch Netflix during the working day, then, and if that's not something we allow our staff to do, then yes, of course, it's going to be a no and I have to be bad cop. But at least I've understood what the aim is, if you see what I mean.

Adi (13:12.304)

Yeah. Interesting. Have you ever encountered, obviously you don't have to say companies or anything, but a really bad security mess up that you had to sort of deal with real time?

Chris Denbigh-White - Next DLP CISO (13:27.482)

There's been a few and it would be really easy for me to start throwing mud, but you know, everybody has done, anybody that's worked in information security or IT for long enough has made mistakes. You know, anybody that's worked in networking has at one point in their career, I can guarantee you, switched something off remotely in a data center that they shouldn't have done and had to jump in a car and drive very, very fast, numerous miles to then manually go and switch it on. Anybody that says that they haven't...

been in that position and has worked in networking over a certain amount of time, I would probably say is lying, absolutely. But just a couple of things I've seen that have been like really quite bad is I worked in an environment that had fiber optic networks to the computers at the end point. They had that for security because they were very nervous about radio based attacks against normal network cables. Again,

Whether or not that was an actual risk is another thing, but the kind of the rules were there fiber optic cables for everything. They were quite the data that they processed was quite sensitive. And when I came in and took over and we're doing a security review, we saw a printer at the end of the office and we're like, huh, that isn't a, from what we know from the floor plans, there isn't a network, a fiber network pulled by that printer. How is this printer working? So we pulled it out and we had a look and we saw that.

what the person who had configured this old office had done was they've got a thing called a media converter, which is where you get one type of networking, you plug it in and it changes it to another. Now this media converter converted the very secure fiber network into a very insecure Wi-Fi network to beam the printer traffic across the office to where the actual port was and then back into the fiber network. Hideously horrible security failing and you know, we're glad we found it. So we've seen stuff like that. And again, it's...

The person that did that was, you know, it was foolhardy. But you can understand why they do that. They were trying to get the job done and under difficult circumstances, but that was something quite horrific. Things I see relatively...

Adi (15:37.456)

How do you deal with a situation like that? What are the, like, what do you do?

Chris Denbigh-White - Next DLP CISO (15:42.618)

Well, in that case, you have to kind of understand, you need to figure out how long the printer has been in that state, what has been transmitted down, a lot of reporting upwards and acrosswards in relation to calculating the risk exposure. OK, so if this has been the case and the printer and or the network has not been used, then that's quite small and limited. But then, you know, when you encounter those things, it's understanding, you know, some people call it blast radius, some people call it

scope of impact, of understanding worst case scenario of this happening, understanding most likely worst case scenario and then having a plan to do the various things that need to be done, either informing people or lessons learned. Obviously the lessons learned for this one's quite obvious, don't do it in the first place, but more regular inspections of networking equipment was one of the learning outcomes from that.

but no, it was interesting.

Adi (16:43.6)

Well, sounds like it's like what you were trained for has happened, which is terrible. But also now like things are being tested, like all the plans.

Chris Denbigh-White - Next DLP CISO (16:57.274)

Exactly. And I think you have to test these plans, tabletop exercises, although some people think, you know, let's do the yearly tabletop exercise. It's a bit of a drama. These things can actually be quite fun if you have a situation where people are safe to fail. I think it's important again, when we speak of good cop, bad cop, that if people make mistakes, if people, you know, click a link in a phishing email or if people do the wrong thing for whatever reasons they need to be.

confident to come forward. Because the worst thing that you can have in these situations in data security is a big gaping hole that people are afraid to report and afraid to report to the right people so remediation can take place. I'd much rather hear that something bad has happened from an internal member of staff very quickly after it's happened than to hear it three, four months down the line from an attacker who's either ransomware the entire infrastructure or from

customer or from a third party that's asking why my infrastructure is attacking their infrastructure. You know, those are conversations CISOs never really want to have. So I think again, back to my role now, breeding that openness of staff to be able to report and have that two-way communication with the CISO's office is really, really important.

Adi (18:16.592)

Interesting. What would you say that in today's current security scene is the biggest threat for companies?

Chris Denbigh-White - Next DLP CISO (18:29.53)

I'm going to turn it on its head here and kind of say, I think the biggest threat for companies at the moment is underestimating the benefits of addressing the basics of information security first. I see a rather worrying trend propagated by vendors mostly, but also some CISOs as well, is to have

a very, very laser focused on the latest APT threats or zero day vulnerabilities and are we, you know, are we implementing AI to detect our zero days attacks from China, Russia, United States, Britain, you know, everybody attacked everybody else, you know, I'm not going to throw mud at one specific country, you know, because I think we're all grown up enough to know that, you know, everybody attacks everybody else. But the real risk isn't, you know,

APTs or nation state attacks, or even if it were, the majority of nation state attacks or large criminal gang attacks aren't going to use zero days because the sad fact remains that they don't need to because companies time and time again fail to do the basics of assets inventory, application inventory, network protections, properly configuring network, properly configuring user accounts. These are the really boring

quite hard basic things to do, but time and time again, you look at all the breaches that happen and ransomwares and you look, it's really simple thing like multifactor authentication not switched on, you know, so those are the risks. I think that companies don't do these really basic, really boring, quite tedious things and they tend to just purchase a box which will protect against something potentially, but there's a whole lot of basic initial work that needs to be done that I just.

time and time again I don't see being done in general.

Adi (20:24.432)

And just think, do you think they don't do it because they don't think it's a threat? Or do you think they just don't do it because they're not thinking about it?

Chris Denbigh-White - Next DLP CISO (20:36.89)

I think they don't do it because it's hard and it is hard. You know, it's say, you know, say, I'll do the basics. It seems quite simple, but when you think of something like, for example, an asset to inventory, you know, keeping track of all the laptops and computers that you have in a company, you know, our company is relatively small, but that's quite hard. But then you take it to things like cloud resources. Okay. So you have an asset inventory of every computer that you have, but okay. So does that include the VMs that exist in AWS or GCP or

How about these VMs that only exist for half an hour or these microservices or containers that get thrown up? How do we manage asset inventory with something that only exists for half an hour when it's in use and then ceases to exist? Is that then code security? So these are wider, larger problems that require design thought from the start. And the problem is that many companies haven't done that first. So they're almost trying to play catch up.

with things like identity, asset management, patching and stuff. So it is really hard. And some of these things are business-impacting as well. Even something as simple as patching, you know, a security professional or somebody who's ticking an audit box will say, a critical patch is released. You know, you need to have that patched within the shortest period of time whatsoever. You know, you need to patch it immediately within four hours, within 24 hours, certainly no longer than a month. But you speak to any IT person.

And they say, well, a brand new patch from NS has been released. Are we going to push this to our entire infrastructure blindly within two hours? Certainly not, because some of these patches break systems. So it's a wider risk question between, OK, so is the risk of this critical patch not being put in place higher, lower than the risk of

the estate not being functional for a certain period of time because the patch has broken something or we have to bring the systems down in order to patch first or to test the patches. So, you know, although these things are basic, they're time consuming, somewhat tedious and they're not especially sexy. So I think given a big list of kind of quite boring stuff that, you know, and new stuff, I, you know, I can't speak for other CISOs, but you can ask this question, it's hard.

Chris Denbigh-White - Next DLP CISO (22:55.098)

The basics are hard, but the basics are foundational and without them, you know, the top can't survive as with all foundations.

Adi (23:03.792)

Interesting. What is something that is, as a CISO, keeping you up at night? Like something that you think should be getting more attention.

Chris Denbigh-White - Next DLP CISO (23:15.546)

Well, the basics, that keeps me up at night, but also I think figuring out ways in which to present the quite dry topic of information security to engage the wider business as well. Because when we talk about the need for patching and the need for visibility of what's happening on endpoints and stuff, I always try and always aim to be not that

Adi (23:18.16)

Yeah.

Chris Denbigh-White - Next DLP CISO (23:41.306)

geek in the corner that throws around kind of technical words at board level, you know, because to be honest with you, that's not their job. Their job is to run it. You know, if they're, you know, on the board and they're in charge of finance, their job is to understand finance or, you know, if it's marketing, it's to understand marketing. My job's to understand security and my job's to be able to explain that in a way that is in business language and is about reducing business risk as opposed to just my own little kingdom of cyber security. So

I think that keeps me up at night, you know, trying to figure out ways as different attacks happen and different technologies happen and also keeping my eye on random bits of news that make the mainstream media as well. Because as CISOs we always get asked, you know, 80% of the time it's an irrelevant question from somebody else on the leadership team where they've read something that, you know, is the worst possible thing happening ever. And it's what, and, you know, we spend a reasonable amount of time writing

What I like to refer to as we really need to calm down response documents and PowerPoints. I've done this in my past. It's like, actually, no, we don't have this technology. This attack is only theoretical and quantum computing is not quite there yet for this attack. So let's focus again on the things that matter today as opposed to looking at the future. So those are the kinds of things that keep me up at night is ensuring I maintain being relevant to the company I work for. And I don't fall into that trap of a rabbit hole of

deeply technical stuff, which I find is already interesting as well, but not everybody else does.

Adi (25:16.048)

interesting. How do you keep, like, how do you navigate on the one hand, doing all the tasks that you have to do and working with other people and just like the daily things. And at the same time, learning so much about this field that is changing, it seems every day and every day new things are coming out and you have to like keep on top of it.

Chris Denbigh-White - Next DLP CISO (25:39.002)

It's really hard and I think it's kind of a discipline thing. I'll throw out some resources I use, which I find really useful. And I say this to people I work with in my team as well. There's something called the SANS Internet Storm Center's daily Stormcast. It's a bit of a mouthful, but there's a chap called Dr. Johannes Ullrich, who is a big SANS instructor. And he has a team of threat researchers and he does a daily six minute podcast, which is

This is what's happening in cyber security. These are the vulnerabilities. This is what attackers are generally doing. They've got honeypots and stuff, entirely free. And it's a really great way to kind of have some bite-sized information of what's happening today. You know, what things are in the Microsoft Patch Tuesday notes and a rundown without necessarily having to read all of the documentation. That's super useful. Again, I have threat feeds, largely free ones, and news feeds come in, you know,

to read around stuff that's happening. Taking part in the information security community, I think is really important as well. Something I've always done is go to these meetups. Pre-COVID, it was a lot easier. There were a lot more of them. But these meetups where you're able to discuss information security and discuss CISO and cybersecurity with peers in a friendly environment, you build up those relationships where you can go, I've got this problem with this.

How would you deal with it? And just being able to surround yourself with people you can bounce ideas around with in a safe and fair environment. I think that's vital. I think it's really bad when you get in a situation where you feel quite alone and unable to lean on anyone else for support. Because in most companies, CISOs are quite alone. Very rarely is there the security budget to have a cast of thousands. So those are some of the things that I would prioritize to do

alongside the day-to-day tasks. And I think by doing that, you kind of fulfil two things really. You have the knowledge objectives of being able to keep up to date with things, but you also give yourself that segmentation of the work that you do as well. And I think it makes you feel more supported in an emotional and professional sense as well.

Adi (28:01.56)

Interesting. Right now in the company that you work in that is not a huge company, are you working as a CISO? Like as I'm assuming from what you said, you're not the only person who's doing security. So you have a team.

Chris Denbigh-White - Next DLP CISO (28:16.89)

Yes, I have quite a small team and we've embraced a, again, it's a buzzword, a shift left scenario with our company as well. And I hate buzzwords usually because sometimes they're masks for not actually doing the thing that buzzword is for, but in our case we have. So I have a small team, but also with product security, we cycle in members of the dev team into the product security team as well, almost like an exchange program. So they will work

with the current security team and where there are bugs or things that need fixing in the product, they're identified throughout the process, they will go and take ownership of that. So they will kind of fix the bug, understand it, write the vulnerability disclosure piece as well, look for similar. So although we have quite a small team, we kind of co-opt the rest of the company to be part of it as well, which is brilliant for the dev team in that example, because they then...

fix one of the bugs so they then identify the type of things when they go on to then write more stuff inside of our product. They essentially will have more of a mind for security. So it trains them in secure coding at the same time as brings the awareness and it works really well. I'd love to take credit for that. I didn't set that up. That was my predecessor prior to me taking on the role. But I've certainly nurtured that further and that seems to be working really well. And that for a smaller company, I think is vital.

to be able to co-opt as many people inside the company to do security without necessarily realising that doing security is a cultural thing in a lot of ways.

Adi (29:53.232)

Is that something that is common in companies?

Chris Denbigh-White - Next DLP CISO (29:55.93)

I don't know. I think a lot of people are trying to do that, but I think there's always going to be a tension, especially in a small software company, between dedicating the resources to do that kind of thing and the wider development side seeing the value in giving up a development resource for the programme periodically. I think a really good way to kind of sell this into the dev side is to show them actually the time saved by building things well, and also to senior management. By having one of these programs, third-party risk management conversations are a lot easier as well. It shows quite a mature security program. The people doing assessments of us as a company really seem to like that. So I'm not sure how common it is, but it is certainly achievable.

Adi (30:47.664)

Cool. How would you say being a CISO in a company of a hundred people, or even really smaller companies, differs from being a CISO in a huge company, like thousands, tens or hundreds of thousands?

Chris Denbigh-White - Next DLP CISO (31:03.93)

That's great. Just to be clear, I wasn't a CISO in a huge company. I was one of the kind of senior security people there. But I think the role differs. At the moment, I have teams and people that do various things, but I'm also still quite hands-on. You know, if something needs all hands to the pump, I'm able to do it. And it's right and proper for me to get in and start configuring stuff. And that's absolutely fine.

I think the larger the company you work for and the more staff you have under you, the more it becomes a management and setting-the-general-direction type role. And I think the skill there is firstly in having the lines of reporting and ensuring efficiency takes place between the different teams, but also having the discipline to not micromanage too much as well. I think there's that phrase, I can't remember where it's from: leadership is having the serenity to let somebody else do a job that you deep down feel you could do better than they could. You know, true or not true, but I think it's important, where I have worked in larger companies and even had teams under me. I think that's where you have to be quite careful to set strategic goals for your teams, especially if you're sitting overseeing a manager three tiers down to the people that actually do the work: set the overarching goals and let your managers manage. Because I think you can burn through a whole load of time as a leader, and invoke a whole load of stress, by not trusting your teams. And I think that you either need to trust your teams, or get some new teams, or develop your teams. You can't fall into that trap of having your hand on too many things, because in larger companies you're not going to have the time, and you're either going to burn yourself out or you're going to thoroughly annoy your teams and they'll either leave or, you know, not perform as well as you hope they would. So yeah, I think it's a different kettle of fish.

Adi (33:09.616)

Interesting. How do you see the cybersecurity field changing within the next two, five, 10 years?

Chris Denbigh-White - Next DLP CISO (33:18.01)

Not wanting to harp on about AI and large language models, but I am going to comment on it because everybody else seems to be commenting on it. People tend to fall into various categories. Either it's the best thing since sliced bread, and AI and large language models are going to mean that I have to do virtually no work whatsoever, I'll just press the "do CISO" button on my computer and the LLM will do the rest for me. Or there's the naysayers that think it's going to be something akin to Terminator 2: Judgment Day and, you know, the robots are going to take over the world. Whereas I think probably what will happen is going to be somewhere in the middle, really. You know, large language models are great tools, but they are tools and they don't solve business problems.

I think what is going to happen over the next few years, certainly, is that security leaders like myself, business leaders across the board, are going to have to figure out, okay, so we have this tool, we have this hammer or this screwdriver, which is a large language model. We need to figure out the business problems we want to solve with it and figure out whether or not it's the right tool for it. You know, it's not a "let's simply ask the LLM what it thinks it can do". I think that there's going to be that rationalization of kind of adopting this technology in a safe way, understanding the data flows of it from a security perspective. But I've no doubt it will be part of our everyday business world. But I think the companies and the executives that are going to be successful are the ones that understand the questions they would like to answer first, before they implement AI, rather than assume that the technology is going to give them answers. And that's been the case for any technology. It's the same with kind of SIEM five, 10 years ago. You know, everybody purchased Splunk or ArcSight or whatever SIEM they wanted and they piped all of their data into it. And then they asked themselves the question, why am I not more secure? Where are my dashboards? And, you know, the security professionals said, well, what questions do you want to ask of the data? And the security leaders were like, well, we hoped the product would tell us that. And it's actually, well, no, you still need, as a leader in security or in business, to know what you want to do and to have a strategic plan. You know, technology is not going to write that for you.

Chris Denbigh-White - Next DLP CISO (35:41.818)

So I think that's going to be one of the major changes I see over the next five years: looking at how the adoption of AI and LLMs, and the security side of this, evolves based on how well people can figure out what they're good for, what they're not good for and what they want to do.

Adi (36:01.264)

Interesting. Would you say that the job of a CISO is more techie, more business, or does it sit like right in the middle? Because it seems that different CISOs have their different approaches or what they prefer, but how do you see it?

Chris Denbigh-White - Next DLP CISO (36:24.634)

I think the role of CISO is very undefined at the moment as well. Because, for example, I report into the CEO at the moment, and I believe that's the right place for a CISO to report into. I'm on the senior leadership team, I've got a C title and the responsibility that goes with it. But that's not universal. And there are many CISOs that report into CTOs or CIOs, or are actually, by and large, upper middle management as opposed to senior management.

So I think it depends on the role title. You've even got regional CISOs in large financial companies like banks, for example. You've got CISOs for the UK and CISOs for EMEA and CISOs for America who report into somebody who reports into a global CISO. So they have a job title because there are various rules and regulations that require that job title to exist in a specific region. Whether or not that's the same job as a CISO who reports into a CEO and runs an entire security function, I think it's different.

In relation to kind of whether or not they should be technical or whether or not they should be business-focused, my personal opinion is I think they should be both. I think that it is vital for a CISO to know enough of the technology stack to understand when their technical teams, or indeed vendors trying to sell them things, are trying to pull the wool over their eyes. They don't necessarily need to be able to code, but they need to understand the fundamentals of what the technology is trying to achieve. But on the flip side, they also need to be able to speak a business language. They need to understand the strategic imperatives of the business that they serve and be able to speak in those terms. Now, that isn't necessarily always possible in one person. So if the person is more business-inclined, then they need to ensure that they have trusted people reporting into them who are technical advisors into the CISO's office, so the CISO can say, okay, explain this to me, this technology or this problem and this threat, and then, you know, a buffer. And that, I think, depends on the size of the company as to kind of how you can have that. And on the flip side, if somebody's overly technical, then maybe a trusted project manager or a trusted

Chris Denbigh-White - Next DLP CISO (38:46.266)

business architect working into the CISO's office to temper what the CISO says in relation to communicating with the wider business. But in answer to your question, I think both are vital, because I think we need to understand the technology that we're wanting to protect and the technology that looks after the data. But on the other side, we also are serving a wider business. You know, there isn't necessarily cyber security risk or data security risk. There's business risk, of which data security and cyber security feed into that wider business risk. I think distinguishing between the two is almost quite unhelpful, because the business is always going to win an argument between security and the business unless there's something like super illegal. But, you know, so I think being able to understand both those worlds is quite cool.

Adi (39:38.)

Interesting. In companies that you've worked in the past, how much would you say the leadership understood the importance and the necessity of having a strong security team, a strong security position?

Chris Denbigh-White - Next DLP CISO (40:00.986)

Yeah. I've been really lucky with the company I'm at at the moment. They really get it. I suppose we're a security vendor. We make security software. So there isn't a worse look, really, than a security software company that succumbs to a breach. You know, it happens to everyone, but it will be a very, very bad day for me when that happens. And for that reason, you know, the wider company really are supportive.

Adi (40:23.504)

Thank you.

Chris Denbigh-White - Next DLP CISO (40:29.561)

And as well, as we're selling security software, it's good that our sales and marketing team kind of have that as a USP as well. You know, hey, we are also striving to be secure. We understand, because we do the right things ourselves. And again, in banking, you know, I've worked in banking, and again, they're very much, because they have to be, they're regulated. There are rules that if they don't do the right thing, then they're not allowed to trade anymore.

You know, for slightly different reasons, I think most companies I've worked for have been really supportive as far as security is concerned. Although I have friends and colleagues who sometimes struggle to be heard; budgets get cut and cut and cut. And I think that is challenging. And sometimes you either have to, disingenuously, ride the wave of a security incident. You know, if something bad happens there, then you just go and shovel your funding requests in and your support requests in and capitalize on that. But thankfully that's not a position I've been in so far. The companies I've chosen to work for have all taken security quite seriously.

Adi (41:38.8)

Amazing. Okay. So we're at the last question. Thank you, by the way, for everything. I think I learned so much about the way you see things and just the whole field. Yeah, honestly, really interesting. What do you think, what is one piece of unusual advice that you would give to anyone who is thinking about

Chris Denbigh-White - Next DLP CISO (41:53.722)

Thank you.

Adi (42:06.96)

going into security, anyone who's doing something that is maybe like you in the beginning that is doing something that is similar but not exactly, or that is looking to become a CISO.

Chris Denbigh-White - Next DLP CISO (42:18.33)

Yeah, no problem. I've got two, if that's okay. First, don't feel like you need to know everything, because information security and cyber security is a vast, vast subject and you will never know everything. Be comfortable with not knowing stuff, and flip that on its head and ask questions. Be inquisitive.

Adi (42:20.944)

Of course.

Chris Denbigh-White - Next DLP CISO (42:43.194)

Be that kind of annoying person that, midway through a conversation, if there's something you don't know, you need to fact-check: go on Google. Google is your friend in that respect. There are a bunch of resources out there to learn stuff. Have a passion for learning and don't be afraid of not knowing something, because everybody doesn't know something. You know, there's a whole bunch of information security I know absolutely nothing about and I'm constantly trying to learn. You know, when you enter cyber security, realize that you're entering an industry that you will never be finished learning. And that's okay. That is absolutely okay. So don't worry. First piece of advice.

Second piece of advice is, if you feel there's a personal characteristic that you have that will preclude you from being an effective cybersecurity leader, don't let that stop you trying. For example, for me, I have a problem with speech occasionally, as you know; it's been perfectly obvious speaking to you today. And I deliberately do things like public speaking. You saw me speak the other week at InfoSec, and although it is sometimes uncomfortable, I still do it, and I don't let that personal thing with me stop me from doing something I'm deeply passionate about, and that is information security and helping people get into this industry as well. So I say, if there is anybody listening to this that thinks there's no way I could lead a team because I have this unique characteristic that I think would preclude me from doing it: don't let that be an excuse. You know, if you don't want to do it, certainly don't do it. Don't force yourself into a situation that's uncomfortable for you. But don't feel that anything like that should stop you from engaging in what is, and what I find to be, a thoroughly fascinating and deeply rewarding career. So those are my two pieces of advice.

Adi (44:39.472)

So one is always keep learning and feel comfortable about not knowing anything. And then two is you can do it even if you think you can't.

Chris Denbigh-White - Next DLP CISO (44:50.234)

Yeah, absolutely. Well, you could do it even if you think you can't. Try, you know, it might not be for you. I'm not saying that anybody can do it, that literally anyone should and must do this job. You know, there have to be some doctors in the world. You know, we can't all be CISOs. But don't let self-doubt stop you from pushing at that door and trying, you know, and it is worth trying. You know, like I say, cybersecurity isn't for everyone.

Adi (44:54.48)

Yeah.

Hehehe

Chris Denbigh-White - Next DLP CISO (45:18.778)

You know, you may not enjoy it. You know, the lure of, you know, the shining lights of CISO-dom and information security and cyber security may seem really attractive on the outside, but when you actually do the job, you may think, man, this is really tedious and boring. You know, horses for courses. But my point is, don't rule it out without trying it. I think that's a rule for life for anything, really: just, you know, always try and do something that scares you occasionally. You know, it's good. It's good for the soul.

Adi (45:48.944)

Amazing. Thank you so much, Chris.

Chris Denbigh-White - Next DLP CISO (45:51.418)

It's no problem. It's been a pleasure.


Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel
