The Biggest Attack Surface Is Human | Andrew Rose, Field CISO @ SoSafe

Jun 15, 2024

Episode Description

Andrew Rose, CISO of SoSafe, shares his unconventional role as a field CISO and his journey to becoming a CISO. He emphasizes the importance of the human side of cybersecurity and the need for organizations to focus more on human risk management. Andrew discusses the stress and challenges faced by CISOs, the imbalance between technology and human resources, and the need for resilience in the face of cyber threats. He also highlights the need for CISOs to stay updated on the evolving threat landscape and to prioritize the security of their people. In this part of the conversation, Tamir discusses the importance of having backup systems and paper-based processes in case of a cyber attack. He emphasizes that every organization, regardless of its industry, is vulnerable to cyber attacks and should prioritize security. Tamir also talks about the role of the CISO and the need for them to have a strategic mindset and strong communication skills. He predicts that the future of cybersecurity will involve more automation and AI, as well as a greater focus on professionalizing the user awareness role. Tamir advises individuals looking to enter the cybersecurity field to gain experience in different industries, take on challenging roles, and bring their passion to the job.

Episode Transcript

[00:00:00] Adi: Hi everyone! Today we're going to chat with Andrew Rose, who's been in the security field for over 25 years and is currently the CISO of SoSafe, or he'll explain exactly what he does. Andrew has earned many different titles, including European CISO of the Year, and has been speaking at many different conferences and private events as a keynote speaker.

[00:00:19] Adi: With a diverse background in security, we're excited to have Andrew share his expertise with us today. How are you, Andrew?

[00:00:28] Andrew: I'm very good. Thanks. Thanks for inviting me on. I'm really pleased to be here.

[00:00:32] Adi: Amazing. So we just started talking and you told me that you're not exactly the conventional CISO.

[00:00:37] Adi: What does that mean?

[00:00:39] Andrew: So, so my current role is I'm effectively a field CISO. So a field CISO is very different from a normal CISO. So I'm much more external facing. So, so my day to day job really involves me doing a lot of keynote speaking presentations, working with a marketing team, creating thought leadership.

[00:01:00] Andrew: Helping customers, um, speaking to prospects, um, creating communities, inputting into the product roadmap of our product development and helping internal teams really understand what the security professional, um, has as challenges in their day to day life and how we can best help them and support them in achieving the goals that they have.

[00:01:22] Andrew: So. So my, my role is, is not all about the security of the organization. We actually have an internal CISO who looks after all that. I'm much more external facing and looking to help the brand, um, really understand the role of CISOs and deliver, deliver what CISOs really need. That's sort of my, my role as a field CISO.

[00:01:43] Adi: Amazing. And how did you get to this position? I'm assuming that in the past you were a CISO?

[00:01:49] Andrew: I was, yes, for many years. So I've, uh, my journey to becoming a CISO was, uh, started many, many years ago. I was actually working for a large insurance company in the fraud investigation department. Um, and I did that for quite a while, and then I decided that I

[00:02:05] Andrew: Wanted to do something a bit more technology based. So I applied for a job in the IT department and moved into their user administration team. And it was their user administration team that really made me start to work with the security team. And this is back in the day, many years ago, when no one cared about security.

[00:02:21] Andrew: It wasn't a priority at all. So me showing some interest in the security team, they just loved it. My God, somebody else is interested in security. This is awesome. So I went to them after a couple of months and said, I don't think I'd really like to work in this team. And they were like, fuck my God, yeah, come and join us.

[00:02:37] Andrew: So, so I moved into the security team there. Uh, and unfortunately, quite rapidly found out that they were doing security pretty poorly. The whole attitude they had was very much about security says no. Um, and so I didn't stay in that security team all that long. And then I moved on to other organizations and, uh, became a security analyst, then head of security operations, and then in charge of, uh, the whole security piece.

[00:03:01] Andrew: Uh, and I did that sort of transformation within the legal sector. And then, so I was CSO in one law firm, then moved to the largest law firm in the world, and was CSO there. And then at that point, I was like, well, what do we do next? I've just finished the largest law firm in the world. Where do I go next as a career point?

[00:03:18] Andrew: So I actually sort of took a step aside and became an analyst for Forrester Research, uh, doing investigation into the role of the CISO, uh, but also into security awareness and culture change. Um, and that's when I started to redevelop my passion for the human side of cybersecurity. Um, I was then tempted away from Forrester after about four or five years, um, to become the CISO of UK air traffic control.

[00:03:40] Andrew: Um, which was a role you just couldn't turn down. It was so exciting, such, such an incredible role. So security means so much to them in terms of safety. Um, so that was really fun to, to work there for about five years. Then I moved on from there and actually became CISO of MasterCard in the UK.

[00:03:59] Andrew: I was there for about two or three years, then moved on to my first field CISO role, which was at Proofpoint, and then just about five months ago, I moved to a field CISO role for SoSafe, which is a German human risk management company, so it's the next evolution of security awareness and culture change.

[00:04:18] Andrew: And it's all sort of crucible was in Germany, but privacy is really important. So we're helping develop a product that really changes people's behavior and helps, uh, manage that human risk that organizations have.

[00:04:30] Adi: Wow. That's so interesting. It seems like since you've been in so many companies, you've probably seen so many different approaches to the way people as a whole, like as a, as a company or even a community see the role of like, what is your responsibility and what is their responsibility?

[00:04:48] Andrew: Yeah, absolutely. It's, it's, it's really interesting to see because every role you go to, it's sliced differently. Um, and you know, in one organization, the, the firewalls will belong to me as the CISO, you go to another organization and no, no, no firewalls are the IT departments. It's just a network device.

[00:05:04] Andrew: They look after that. But here you've got to look after business continuity for us. Yeah. And then he goes to another firm and said, well, no business continuity that belongs to resilience team. You've got to look after DevSecOps, or you've got to look after physical security. And so there's, there's all these different, um, sort of parts of cyber security and security as a whole.

[00:05:22] Andrew: And in each organization you go to, you sort of get given different bits of them. So over my whole career, I've had all of them, uh, and they're all fun to deal with, but it's, it's just interesting how they're just sliced up differently in different organizations. Uh, it's, it's not quite the same.

[00:05:39] Adi: Every time.

[00:05:40] Andrew: Oh, absolutely. Yeah. I mean, when I got physical security, um, that was, that was a learning path, physical security. What's that mean? So guards and gates. So, you know, the gates and the fences around your buildings, the security guards who patrol the grounds and let people into the building. Um, that became my responsibility in one of my organizations and it's amazing how that brings you to really weird places.

[00:06:05] Andrew: So we had subsidence under one of our gates and it was the gate that allowed you into the main office. Um, and it was, you know, open to the cars in and actually there was subsidence under the gate and because the gate was a security control, subsidence under the gate became my problem. And so here's me as a CISO of an organization, suddenly having to figure out how the hell we deal with, you know, a slopey gate.

[00:06:30] Andrew: Really? Is this my problem? Do we not have other people who could deal with this? So it's, uh, yeah, it's, it's weird where it takes you. Um, but it's, it's fun. You know, you, you're always got challenges, you know, how high should the fence be? I don't know. Let's figure it out. So, uh, you've got all these sort of things to think about.

[00:06:47] Andrew: And you go all the way from that extreme about, you know, fixing a gate all the way through to dealing with encryption certification, and how do you refresh your encryption certificates or how do you deal with DevSecOps and application development? Um, so there's, there's so many different aspects into being a full on CISO.

[00:07:05] Andrew: It's, it can be overwhelming and that's possibly something we'll come back to, but it's, uh, it really is, um, a different day every day. The amount of challenges you can have, the amount of different types of topics you get drawn into is, is almost, you know, without, without limits. It's quite an incredible role.

[00:07:24] Adi: Amazing, and it seems like today you're much more focused in your current CISO role that is not exactly CISO, but you're more focused on really getting the mindset, like, the human part of it. So what does your day to day look like? What is it like?

[00:07:43] Andrew: Uh, well, again, these aren't really very similar. So as my, uh, as my wife pointed out recently from the past 12 weeks, I've been traveling for 10 of them.

[00:07:53] Andrew: Um, so going all around Europe and the States, doing presentations, appearing at events, doing keynote speeches. Um, working with customers, um, having roundtables with customers and prospects and having discussions about certain aspects. Um, you know, I've been doing presentations on stress management in the CISO role.

[00:08:13] Andrew: I've been doing presentations on the different maturity stages of how you build a security culture and the different, how you move from just building basic awareness all the way through to doing proper human risk management. Um, I've been talking about the cybercrime trends and what we're seeing at the marketplace now, where things are going next in terms of deepfakes and hyper personalization of attacks.

[00:08:35] Andrew: I've been working with our product development team to enhance the roadmap for what comes next and, um, work on the right way to create the, the narrative and how we get that across to customers so they can understand the value our product offers. Uh, working to build a webinar, uh, which is happening next week with, um, about 140 different CISOs, um, about change control and change management.

[00:09:00] Andrew: Um, so just doing that, putting that for our community. So lots and lots of different stuff. Um, it's all about sort of the external facing perception of, of the problem space that we perceive and the brand that we have. But it's, it's always different stuff. But one of the good things is that I can be a lot more, um, a lot more selfish really in what I cover now, because this is my interesting area.

[00:09:25] Andrew: So if I find a topic that I'm really interested in, I can drill down into it and actually start to do some real good research on that topic. And then I can share it with multiple people. When, um, when you're actually a CISO, you figure out a problem for your organization and you implement it quickly.

[00:09:41] Andrew: Then you get onto the next problem. When you get into a role like this, you can actually have a little more time to think through, okay, well, how should I address this problem? What's the right way of dealing with it? And then once you figure out what the right way of dealing with it is, you can share that with loads of people.

[00:09:54] Andrew: And so I can, I'm not just helping my company be more secure. I'm helping hundreds of companies be more secure. And that's, that's really fulfilling for me. It's not just the person who pays my wages who's improving because of the work I do. There's loads of companies who are getting better because of the work I do.

[00:10:10] Andrew: So it's, I, I, I love that. I love that. And I, I learned that when I was at Forrester Research, um, having the ability to take a step back and having the ability to help lots of organizations is really fun. So I get that a lot in this current role too.

[00:10:24] Adi: Amazing. And what do you find are the current most, um, like the issues that you deal with most or the biggest problems right now in the cybersecurity field, whether it be human or even technological?

[00:10:39] Andrew: Gosh, biggest problems right now. Um, I mean, I guess I focus a lot now on the human side and I think that's still a very, absolutely, very great area for organizations to focus on themselves. You see statistics from the World Economic Forum, which say that 95 percent of security events have, you know, a human, uh, a human cause.

[00:11:02] Andrew: Uh, Forrester suggested that this year, 90 percent of events will have a human cause. I think the Verizon Data Breach Report puts that in the sort of 70s or 80s percent. It doesn't really matter what the percentage is. We just know that it's, it's high. A lot of security events are caused by people. Um, and, and why is that happening?

[00:11:21] Andrew: I think it's because there's a lack of focus on the problem. I don't think many people really spend as much time and as much resource dealing with the human side of security risk as they do with the technology side. They'll be quite happy to go and spend a hundred thousand pounds to buy a brand new shiny firewall, but actually they won't spend anywhere near that amount on, on improving the, the human firewall, improving the, the people.

[00:11:42] Andrew: Um, and yet that's where most of the problems come from. So I do see that real big imbalance between the threat and the, the spend, you know, you get 90 percent of your threat comes from people and yet 90 percent of your spend goes on technology. So there's a real opportunity to, to balance that resource problem space up, uh, and, and help.

[00:12:03] Andrew: Professionalize and raise up the role of the security awareness professional. And I think that could make the biggest difference to organizations right now, if they just focused more on that human side and worried less about the technology piece.

[00:12:15] Adi: I remember, I think I saw maybe even yesterday that there was an article published about something like 700 billion are wasted in cybersecurity because of like cybersecurity professional burnout.

[00:12:30] Adi: And it was super interesting to like see. At the end of the day, it's all about people, like people who can't be as sharp because they're under a lot of stress, which seems like it kind of characterizes the whole thing.

[00:12:45] Andrew: It does. The, the stress bit is a big topic. I've been talking about that a lot recently because I, I suffered that myself in one of my organizations.

[00:12:52] Andrew: I got to the stage where I was having chest pains in the office because of the stress I was under.

[00:12:55] Adi: Wow.

[00:12:56] Andrew: Um, so it's a topic I talk quite honestly about and I think lots of people in security need to do that because every year the role gets bigger and bigger and bigger and also it becomes more important.

[00:13:09] Andrew: You know, you, you think about security 20 years ago and it was just, it was just an annoyance. It was just something that we had to do just to, no one really knew why we just have to do it. We just have to stop getting those little viruses on the machines that are annoying. Now it's way, way past that. Now society is completely dependent on technology.

[00:13:28] Andrew: And if technology fails, companies can fail, supply chains can fail, um, and that could have a massive implication on, on society as a whole. So, you know, just imagine if, if there was some sort of ransomware outbreak that took down all the supermarkets abilities to deliver food because they just couldn't get the logistics working.

[00:13:48] Andrew: How long would it be before there was anarchy in the streets and people breaking into supermarkets to steal food? You know, it wouldn't take long before the system started to break down. And you have to think about that for power, for water, for everything, all these critical national infrastructure pieces, they're all completely dependent on technology.

[00:14:06] Andrew: And yet, you know, society is completely dependent on them. So actually everything that we do now is technology. It's a technology risk. So CISOs have, carry that burden and have the responsibility for making sure that they're building resilience into those supply chains and those, uh, service products to make sure that our services can't fail and that society can be resilient.

[00:14:28] Andrew: And that's a big burden to carry. And that can actually start to result in some of the burnouts, especially as the threat keeps on evolving and evolving and growing. And we need to keep on racing to try and keep up with it.

[00:14:39] Adi: Do you think there's a difference in terms of, well, stress between being a CISO of a smaller company and that doesn't necessarily have a team or being a CISO of a big company with a few employees and like, how do the two compare?

[00:14:56] Andrew: Um, I guess it depends on the scale, the scale of the team. Um, so a CISO, I've seen sort of solo CISOs who work on their own. They, they can have different types of roles. Some of them can be quite hands-on and technological, so they're actually getting in the, you know, changing the firewalls and configuring the systems and that's fine.

[00:15:19] Andrew: Uh, and some of them can actually be very sort of second line control. So they're actually doing audits and they're making sure that the policies are written and they're delivering to the firewall guys. This is how you set up a firewall. And again, that works fine too for those smaller organizations.

[00:15:33] Andrew: Once you start to build up a larger team, then it can get more complicated. And actually, once you get into the actual quite large teams, you tend to spend all of your time not doing security. So, as a CISO, you'll spend more of your time in budget meetings, um, in project planning meetings, um, working with the HR team to make sure your people are getting the right support and they're in the right packages and bringing people into the team.

[00:16:01] Andrew: So you end up just becoming a standard manager. But with, with parts of actual real hard work where they'll, your team will drag you in for, we've got a crisis, we've got a big problem that none of us can solve. Can you solve it? And so you, you get snippets of security. And it's mainly when those are sort of complicated, difficult, political problems or priorities, then you have to sort those out.

[00:16:25] Andrew: But actually, um, for large corporate CISOs, you spend a lot more time just on those finance and HR type issues. That's where your attention is taken. But it's still stressful, you know, because when you're dragged into security, it's still, it's the, this is on fire. Can you solve it, please? And so, there's, there's no lack of stress when you get to those bigger, bigger teams, in fact, probably more because, you know, you've probably got bigger enterprises depending on you to deliver on the, the multi-million-pound strategy and this, you know, if you fail and the system goes down, then that organization

[00:16:59] Andrew: will have reputational issues. You know, the, the customers will, will complain. It'll get you to the press, whatever, you know, different organizations have different sort of threat scenarios, but actually, you know, the CISO is carrying a lot of that. So there's a lot of stress with it. Um, you have to sort of end up, you have to figure out how to cope with it because it's, it's not going to go away, it's always going to be a stressful role.

[00:17:21] Andrew: You just have to learn how to cope with that. And, you know, there are techniques that you can employ to, you know, to manage that. Just do it mindfully. Don't be destructive. That's one of the problems that we saw. I think when this started to happen as a problem, we saw people, um, start to employ self-destructive methods for managing, um, stress.

[00:17:38] Andrew: So, you know, self medication with drink, you know, gambling issues, stuff like that. All the negative side. I think now the topic is becoming more, uh, open to be talked about. I think people can adopt, uh, better ways of dealing with this. And start to be more mindful that, yes, I am under stress. How am I going to manage this?

[00:17:55] Andrew: Rather than just falling into it by mistake, like perhaps I did.

[00:17:58] Adi: Just. And do you think that, um, in this field that you're constantly either A, if you have a team, then you're managing it. And if you don't, then you're always kind of like, whenever an event happens, you have to be on it and everything is constantly changing.

[00:18:16] Adi: How do you have time to also learn new things? Because it's also a field that is moving so fast. Like that's one of the things that is so interesting because the way it is today is not the way it was two years ago, five or 10, and it seems to be speeding up.

[00:18:35] Andrew: Absolutely. Um, it's interesting because that's one of, I looked at some research recently from ISC2 who do the CISSP certification and they came up with, I think it was the top six reasons why the roles, uh, security roles are stressed, and one of those reasons was trying to keep up.

[00:18:51] Andrew: Trying to keep up with the evolving, uh, threat landscape. It's, it's not a simple thing to do. And honestly, as a CISO, you, you can't keep up with everything. Because there are so many different layers that you have to know about in terms of technology, things that are changing, and uh, threat attack vectors that are changing and.

[00:19:10] Andrew: Um, compliance and legislation, things that are changing, you can't keep up with everything. So you have to delegate that down to the right people and ask them to keep up to date with the news and come to you with anything that is important. But there's certainly news stories out there. There's, there's different places that you can keep up with the, the relative news about different breaches and incidents.

[00:19:29] Andrew: Because as a CISO, that's probably what will happen. Your, your need to stay up to date is largely driven by the fact that you get in the lift to go to your desk and the CEO or a board member gets into the same lift as you and they go, I was reading in the Financial Times this morning about this breach of this organization.

[00:19:48] Andrew: Are we vulnerable to that one? And you need to know an answer. You need to have an answer. You can't go, Oh, I didn't hear about that. Sorry. You need to have an answer. So you need to keep up to date with the news and what's going on in the, in the world about security and the biggest threats and the biggest incidents.

[00:20:02] Andrew: And you can do that from, honestly, just general mainstream media. Uh, there's websites out there like Bleeping Computer, Dark Reading and the Hacker News, they're all really good websites to keep up with. And then there's sort of blogs like Troy Hunt and this, you know, this, uh, there's a certain, there's a load of Twitter people they follow as well.

[00:20:21] Andrew: So there's always ways to get some of that news back into you, so you can actually stay up to date. But also reach out to your suppliers and your security vendors. You know, if you've got a company who's providing a SOC service to you, get them to brief you on the threats of the week, or if you've got a company that's providing, I don't know, email, secure email gateway services to you, ask to get regular reports on their threats, threat intel teams about what they're seeing and what the marketplace is looking like, because they can give you insight and threat intel and good, good industry vision, um, from people you're already paying for these services.

[00:20:59] Andrew: So reach out to them and just say, when you get to Sintel, tell me what I need to know, tell me what I should be aware of right now, and get them to brief you, that will help too. But, delegate. Get your security operations guys to, you know, get into the detail, the weeds and get them to tell you what's going on, get your security architecture team to brief you about what they're seeing every so often in the, in the market space, everybody can bring the, the value to the table.

[00:21:23] Andrew: So just delegate it out to your team, get them to figure stuff out. Have a team meeting once every three months where everybody shares about what's going on. That'd be useful.

[00:21:32] Adi: Well, do you think what is one thing that CISOs don't really think about but they should?

[00:21:40] Andrew: Um, uh, it's a difficult one because CISOs think about everything all the time constantly.

[00:21:47] Andrew: Um, that's, that's what we do. Uh, I guess, I guess I could go back to the blind spot of human risk again. I think I've already mentioned about the kind of the imbalance in terms of resource and risk. So I think that's possibly something that, so we don't spend enough time thinking about, there was a, there was a slide, which I found really impactful that I saw several years ago.

[00:22:11] Andrew: And I still sort of, I still bring it out in some decks occasionally, but it was about the attacker versus the defender perspective on organizations. And I think what you see is you see that as a defender, you spend all of your time thinking about, okay, let's keep the firewall up to date. Let's keep the intrusion detection system going.

[00:22:28] Andrew: Let's, let's look at the endpoint detection recovery systems. And you're constantly looking at the technology. It takes all of your time and all of your focus and all of your money. And then you say, okay, well, what's the attacker looking at? And the attacker does not care about any of that. They don't care what firewall you've got.

[00:22:44] Andrew: They don't care about what endpoint detection response system you've got. They care about who works there. Who is going to have access to the data I want? Who's going to have credibility? Who can I target with some, um, some spear phishing, which means they'll actually engage with my content and I'll be able to steal their credentials and log on as them, and then, you know, my job is half done.

[00:23:04] Andrew: So they, they look at your, at your organization entirely differently than you do. You worry about your technology, they worry about your people. And so I think there's a, something we need to learn from that. And that is that I think people are your primary attack surface. When you, you know, people talk about users being, you know, the weakest link or your first line of defense or strongest line of defense, whatever they call them.

[00:23:28] Andrew: I don't think any of those are relevant. So I think you need to think about people as your primary attack surface. That's what people, that's what the attackers are trying to subvert to trying to get in and exploit your people. So, and I don't think that CISOs really spend enough time thinking about that perspective.

[00:23:45] Andrew: And that, that's, that's obviously my job now is to try and change people's minds and make them think in that way. Um, but, uh, that's something that I think CISOs could, could step back and have a think about. Am I really putting enough time and effort into, into that? Into the, uh, into the people side? If I could have a second one as well, in terms of blind spots, I'd probably say it's, um, have a think about resilience as well, because so many organizations think about, okay, resilience is we get hit by malware, we're taken down, but we can rebuild from backups, and then we get going again.

[00:24:19] Andrew: I think that's sort of an outdated view of resilience. I think resilience in these days needs to be, how can we continue to operate, even though we've been compromised? You know, how can we, how can we still pump oil? How can we still, um, create widgets? How can we do that? Even though we know that part of our network has got a hacker on it, or some of our data has been leaked, but it's about the continuity of service.

[00:24:44] Andrew: So I think that's another thing that CISOs should start to think about. Don't think about fail and recover. Think about service continuity, despite the fact that you've been compromised. I think that's another thing that they need to think about going forward.

[00:24:58] Adi: That sounds very, like a very modern problem.

[00:25:00] Adi: Like everyone is expecting everything to work all the time. So we've come to an age where you have to kind of be able to.

[00:25:07] Andrew: You do. And there's, there's lots of different industries I've spoken to where it becomes really interesting to discuss that. So, you know, I've spoken to, um, a factory, you know, organization, they've got a factory going and they said it's.

[00:25:19] Andrew: It's unsafe to switch the factory off in a rapid way. So you've got to keep it going. You've got to be able to sort of spin it down if you want to turn it off. And if you want to turn it back on again, it then takes a long time to turn it back on again. So they, they need continuity. Um, there's another one, which is really interesting case study, which is chicken manufacturer.

[00:25:40] Andrew: So basically they breed hundreds and thousands, probably millions of chickens every month. And then they process them and sell them to supermarkets. And so the whole, the whole chain of creating chickens, rearing them, and then slaughtering them and packaging them, that can't stop. And it can't stop because your systems are down because otherwise it gets really horrible.

[00:26:02] Andrew: You can't just leave chickens in a, in a, in a, you know, a barn for a couple of extra weeks while you get your backups going. That's just not going to work. So talking to those guys and they've, they've come up with paper based systems. So they know that even if all of the computers go, they can still run their business, they can still keep things going and keep things moving.

[00:26:23] Andrew: And I think organizations need to think about that. You know, what, what, in worst case scenario, how do we keep producing widgets? How do we keep pumping oil? How do we keep providing our services? Even if all of these computers are gone. Um, and some organizations, it might be quite relatively easy to do for some, it'll be incredibly difficult, but you need to think through that scenario that, uh, what can we do to keep our service, you know, to keep continuity of our, of our service.

[00:26:50] Adi: Do, are those companies that are, you would think are not as affected by security? Like, if you would have asked me. If a company like that is affected by it, I would have said not really, but now I understand that it is. Are these companies being targeted by attackers?

[00:27:11] Andrew: Um, I think every company is being targeted by attackers.

[00:27:15] Andrew: I used to use the, uh, the analogy many years ago. It's like, okay, if you're a bank, you care about security, but if you're making socks in Manchester, you probably don't give two hoots about security. And actually, probably 20 years ago, that story was right. Now, that story is entirely wrong because if you're making socks in Manchester, you absolutely depend on technology because your systems probably make the designs in the socks using a computer system.

[00:27:38] Andrew: You probably have a logistic system, which is all based in technology and a routing system and a customer database and people pay for your socks online. Suddenly you're, even though you make socks, you're a hundred percent dependent on technology. So if technology goes, you can't make socks. You can't ship socks.

[00:27:53] Andrew: You can't sell socks. You're done. So every organization will feel differently about whether they're a target or not, like every individual does. Um, they'll think, oh, no, one's going to bother with me. I just make socks. Who's going to care about me? Well, they care about you because if you've got a vulnerability, they can exploit.

[00:28:12] Andrew: They can get in there and they can take away your service and they can charge you money for bringing that service back. Okay. And people will pay, you know, we see that the percentages of people paying ransomware is, is remarkably high. So they don't really care where they're attacking. They will attack anybody who's got a vulnerability, anybody who they can breach.

[00:28:30] Andrew: And sometimes that will be a small organization like a sock manufacturer. Sometimes that will be a healthcare, um, organization, which we just saw today about, um, hackers releasing, uh, data onto the dark web regarding, uh, people and their blood test result or the blood test, um, blood test they've been going through.

[00:28:49] Andrew: So, they will attack anybody they can. And it used to be, there were, there were sort of rules that they wouldn't attack critical infrastructure. They wouldn't do sort of really bad things for society. But those, those rules have gone. You know, they will attack universities. They will attack healthcare. They will attack government, you know, other pieces.

[00:29:08] Andrew: Anyone who's exploitable, they will attack because they know that they, they can monetize that. So everybody is vulnerable.

[00:29:16] Adi: Interesting. I was talking to a CISO last week, and he told me about when he started working for a relatively small financial services company. The CEO told him we're not going to be attacked, and he was just sitting there being like, I'm sorry.

[00:29:33] Adi: It's not really a question of whether it's going to

[00:29:36] Andrew: get attacked. I mean, the whole thing is, is that the question to that, if the CEO said we're not going to get attacked, you could probably say, well, we're probably being attacked right now because it

[00:29:50] Adi: really

[00:29:51] Andrew: is, because if you think about most organizations throw away 70 percent of the, of the incoming email.

[00:29:59] Andrew: Because it's nonsense. It's spam and it's malware and it's just opportunistic crap that they will throw out everywhere on the basis that some, some of it may get through and some of it may get clicked. Um, and so if you count that as an attack then absolutely you're being attacked all the time. You know, or if you see people scanning your perimeter, looking for a vulnerability on your firewall system, um, then that happens, you know, multiple times a day.

[00:30:26] Andrew: So saying you're not going to get attacked is a naive perspective because they're just looking for any vulnerability. And if they spot a vulnerability in your organization, because your, your VPN gateway is not patched up to date, or, you know, your secure email gateway is vulnerable and will let some crap through, then they will absolutely exploit it.

[00:30:47] Andrew: They don't care who you are. And actually, if you're in financial services, then they'll probably talk to you anyway, because hey, you're financial services, you've got money. So it's, um, it's not, it's not a case of it will be attacked. It's a case of you, you're being attacked. You're being attacked right now.

[00:31:01] Andrew: Um, it's just the fact that you're, you know, you're doing okay at holding them at arm's length. You might not always be that lucky.

[00:31:07] Adi: Interesting. Have you ever been in a company where you had a, of course you don't have to say the company, but like that you've had a pretty serious attack. Um, and how did that roll out?

[00:31:19] Andrew: So I have been lucky in my career and, uh, no, I've never had a serious attack. Um, I've seen, I've had a couple of attacks and a couple of breaches, but they've never been really, um, really bad. So I've just been fortunate, frankly, but we've had, certainly, one organization, we were notified about a part of the organization that had been compromised.

[00:31:45] Andrew: And, uh, we went through and we dealt with that and we sorted it all out and we cut that piece of the organization off, cleaned it up and put it back in again, it all went okay. So I've just been very fortunate not to be there when it's all gone to hell in a handcart. Some of my colleagues have not been that lucky, some of my friends in the industries have not been that lucky.

[00:32:06] Andrew: And you see some organizations that go through some really painful stages. You know, you look at Maersk, the, the shipping company who updated the tech software and found out that the tech software had malware in it and that it devastated the whole network. And they only were able to come back because one of their offices was offline due to a network connectivity issue.

[00:32:27] Andrew: And therefore that didn't get completely flattened. And they had to rebuild the whole network from what was left in that tiny little, um, that little tiny island that had been just disconnected at the right time. So it can happen. Absolutely. Your organization could be completely devastated by an attack.

[00:32:43] Andrew: Fortunately, I've not been on the end of that, but I kept that as luck rather than judgment.

[00:32:48] Adi: Wow. And when something like that does happen, how much of it, from what you've seen now from working with so many CISOs, how much of it seems or is, um, what's the word? Is it seen usually as the CISO's fault? Or is it?

[00:33:09] Adi: No.

[00:33:11] Andrew: Oh, gosh. Um, the answer to every security question ever is, it depends. And, uh, for this one too, it depends. Um, it depends on lots of things. I don't think, I don't think that a lot of the time the CISO will be blamed for the, for the attack. But what they will be blamed for is if they haven't got a strategy sorted for how to deal with that attack.

[00:33:40] Andrew: That's when you sort of, that's when you earn your reputation or lose your reputation. If you have a ransomware attack in your organization, then okay, look, it could happen. It could happen to anybody. There is zero day exploits out there. There's all sorts of different things that can happen. But if you have no plan on what to do next, that's when your reputation is going to suffer.

[00:33:59] Andrew: That's when the board is going to go, okay, well, what do we do now? So you say, well, you're like, I don't know. Let's try and figure it out. It's like, this is not the time to figure it out. You should have figured this out months ago, years ago. So, and you should have been rehearsing this and practicing this.

[00:34:12] Andrew: So, the CISO can get blamed, definitely. In some organizations, they'll have a naive perspective that, hang on, the CISO's responsibility is to keep us secure, and therefore, they failed, therefore we need to have a scapegoat for this event, therefore we're going to fire them. That absolutely does happen, but, um, I think a lot of the time in the more mature organizations, they don't have that perspective.

[00:34:34] Andrew: They see that this is all about risk management and these risks can happen, uh, these events can happen, even though we try to manage the risks as best we could. It's just, it's about that next stage. Okay. So now what, how do we recover? How do we, you know, live on that resilience thing I was mentioning earlier?

[00:34:50] Andrew: How do we deliver on service continuity? How do we recover, get ourselves back up? How do we manage the situation so our reputation isn't damaged? What do we need to do next? That's where the, the CISO's reputation can be, can become hero or zero.

[00:35:04] Adi: Amazing. So it's really, you're saying that everyone can get attacked in some way, but the, what makes you a so called good CISO is having a plan for dealing with what happens next.

[00:35:16] Andrew: I think you, there's loads of things that make you a good CISO, loads of different aspects, but, um, you need to build your organization to minimize that risk. But you need to do that pragmatically, you know, so, because you could bankrupt a company trying to make it secure, or you could make it so secure that they can't do business anymore.

[00:35:36] Andrew: I remember paying a sizable amount of money to a big four consultancy to give me a secure server build. Um, and they gave me this secure server build and we implemented it and it wouldn't work because it was so secure it just wouldn't connect to anything, it wouldn't do anything. Um, it was secure, fine, completely useless.

[00:35:55] Andrew: Couldn't use it at all. So, as a CISO, you could do that. I could, I could get your company to be secure by turning off all the computers and building a big wall around your building. Ta da! Secure. But hey, no one can get into work anymore and the systems don't work even if they could, so. Your business is not going to work.

[00:36:11] Andrew: So it's all about finding that pragmatic route through and finding, okay, so we've got to accept the risk of connectivity internet or having online, I know, uh, mail systems or online marketing and, uh, uh, electronic transaction systems. So we've got to have those. It could be attacked, it could be vulnerable, there could be a zero day, there could be an exploit in there that the, even the manufacturer doesn't know about.

[00:36:36] Andrew: There's always a risk. So, yeah, you manage that as best you can. You put defense in depth, so you've got layers and layers of control, so if one control fails, hopefully another one will pick it up. You then put in place a whole strategy regarding, okay, so if it does fail, how am I going to know, how am I going to detect that we've got a compromise?

[00:36:54] Andrew: I'm going to detect that information is leaving our organization that shouldn't be. How am I going to detect we've got a ransomware breach? How can I really minimize that time to detect the exploit? And then it's going, okay, so if we have got exploits that got through now, how do I recover? How do I recover this organization?

[00:37:10] Andrew: How do we clean up the infection or the breach? How do I get us back? So we're rapidly delivering back on our value proposition again. It's all of those pieces that come together to, to actually make you a good CISO. It's being able to manage all that within a, you know, a budget and within a resource limitation that you've been given in terms of staff and money, et cetera.

[00:37:31] Andrew: How can you manage all that to the risk appetite of the organization? That, that's Sounds

[00:37:36] Adi: very hard. Sounds like a game of chess, you, yeah, something.

[00:37:43] Andrew: And every day the attackers will make their move and then you have to make a counter move or you just got to look back and go, no, happy with my position.

[00:37:49] Andrew: This is where we need to be. We're good, but let's keep on testing it. Let's keep on making sure let's keep on refining. Let's see about how we build for the future because the attackers are building for the future. They're doing research into what they can do. So you're seeing technology like deepfake technology coming out.

[00:38:04] Andrew: Um, the attackers using AI. So, okay, so they're about to make a move. How can we make a move to counter that? How can we improve our position as well? So it is, it's, it's a game of tactics and strategy, short term tactical moves to shore up events and threats that just pop up on the, on the day. And then strategy to go, okay, where's this all going?

[00:38:25] Andrew: How can I improve my situation? How can I make sure this is the best, most resilient organization I can possibly make with the limitations of money and resource I have? And it's fun. It's a really fun job. Uh, we, I've talked a lot so far in this about, you know, the stresses and the strains. Absolutely.

[00:38:41] Andrew: They're real, but gosh, it's a rewarding job, especially when it really matters. Um, looking after, looking after air traffic control, God, that mattered, you know, security that was keeping people alive. It was keeping the, uh, keeping the UK infrastructure and economy moving by enabling flights to go in and out of our country.

[00:39:01] Andrew: Great. Thanks. It was so important. Safety of your population and the air travel industry was so important. It really mattered. And so you've got a great deal of fulfillment from working in that sort of industry and making sure that I was keeping people safe. That's what I was doing. It was a job, um, delivery that I could be proud of.

[00:39:23] Andrew: It was something that really mattered to society and really mattered to the, you know, the normal people on the streets, rather than just working perhaps in the, in the legal sector where the customers were one massive big bank and the other customer was another massive big bank, you know, where people wouldn't really see the difference that came from that.

[00:39:40] Andrew: So some of these jobs can be incredibly fulfilling, um, and it's, and it can be really fun. So although it's a stressful job, I know I wouldn't swap it for the world. I wouldn't swap this career for the world. I loved every moment of it.

[00:39:53] Adi: Do you think most security specialists, people working security CSOs, do you think they focus or they realize how much their job is impactful?

[00:40:06] Adi: Is it something that is very on the table or is it something you think you kind of need to realize?

[00:40:12] Andrew: Um, I think they lose sight of it a lot of the time because they're dragged into the minutiae of the day. Um, but every so often they step away and realize the importance of what they're doing. I did, when I was at Forrester, I did a study into CISO and their career aspirations, and I said, you know, what do you want to do next?

[00:40:31] Andrew: What do you want to be when you grow up from being a CISO? And actually the vast majority of them wanted to be a CISO again. They didn't want to go into a different role, didn't want to become a chief risk officer or a COO or anything like that. They just wanted to do security because they loved it. And so I also asked a question as a.

[00:40:49] Andrew: What reward do you get from this? Is it just about the money or is it something else? And a lot of the answers came back saying, I feel I'm making a difference. I feel I'm helping society, I'm helping my organization and that's part of society. I'm helping them stay safe, I'm helping them stay resilient, I'm helping them stay in business and profitable.

[00:41:07] Andrew: So, there was a lot of that personal fulfillment that comes from the role. But you can lose sight of that because the job is so busy and so full on that you can just end up sort of thinking you're just a little, you know, hamster in a hamster wheel running around trying to fix stuff. But every so often, perhaps when you go on vacation, if you get a vacation, then you can go away and you can think about this and go, actually, you know what, I'm doing a good thing.

[00:41:32] Andrew: I'm keeping the world safer, I'm minimizing cybercrime, and therefore I'm giving people, I'm giving society trust in the technology that they depend on every day, and you know, depending on the industry you're in, you know, you're, you're adding value to people's lives and you're keeping that safe and ensuring that value can be added every day and people can trust in the things around them.

[00:41:53] Andrew: And that's, that's definitely a good thing.

[00:41:55] Adi: Amazing. So, in a small transition. What do you think the security field will look like in a few years? What would be different? What would be the same?

[00:42:07] Andrew: Oh, gosh. Um, so I guess we're going to see a lot more automation coming in. AI is the topic of the moment and it can definitely be helpful.

[00:42:18] Andrew: So we've got a lot of, uh, security vacancies, you know, staff, you know, staff opportunities that are missing, but you can't replace, we can't get people in. Um, so I think AI is going to come in and start to help us out. It'll start to help the security operations center. It'll start to help the DevSecOps guys.

[00:42:35] Andrew: It'll start to help threat intel people. There's loads of different roles that will help. And it will enable us to be more effective and more efficient with some of the limitations that we've got, which will be great. So we'll be able to be better at our jobs and faster at sort of detecting things, which is all great.

[00:42:52] Andrew: Um, I, I want to see from the human side again, I want to see more professionalization of the human, of the user awareness role. Because one of the things that I find disappointing is the fact that actually the CISO will constantly have a right hand person and that right hand person will be the head of security architecture or the head of security operations.

[00:43:14] Andrew: But it's so rare that they have a left handed person who looks after policy and communications and the human side. That person tends to be a lot further down the tree, like further down that sort of career ladder. And often, a lot of the people I see who look after user awareness are people who just do it part time.

[00:43:32] Andrew: You know, they'll, so they'll do it one day a week and the other four days a week, they're doing governance, risk and compliance or doing audits or doing something else. So I think there's a huge opportunity for professionalization of that role for it to become really up to be an equivalent of the security head of security ops.

[00:43:49] Andrew: So they will look after awareness, policy, communication, all of those aspects which are equally vital in driving change and driving secure behavior in your organizations. So I think, so that's the second thing. So AI, professionalization of the user awareness role. And I think the third one probably would be, I think the CISO role has gotten more scope to be elevated further.

[00:44:14] Andrew: Because although it starts with a C, it's not, it's not the same size C as a COO or a CEO, or a CFO, um, or even a CIO. All of those tend to sit on that board level and the CSO doesn't. The CSO tends to sit a layer below. I think there's opportunity in the next to the five to 10 years for that, for the CSO role to be elevated further, but because that will stretch it even thinner.

[00:44:40] Andrew: I think what we'll see is, we'll see, effectively, you know, there'll be like a board level CISO who looks at strategy for your organization, and then there'll be an operational CISO who reports into them. So I think we'll start to see, um, you know, effectively some of the current CISOs taking that step up to become more strategic, uh, on board, board facing, and actually more CISO roles coming in underneath to look after the operational side of it.

[00:45:06] Andrew: So, uh, it'll be a challenge, but I think we'll see the continuing escalation of the CSO role as well.

[00:45:11] Adi: Interesting. Do you think the CSO role usually is someone who would want to go, like, in my mind, I'm thinking of a CISO as someone who's quite technical, and you are quite unique in the fact that you, you're very aware to the stress factor and the human factor.

[00:45:30] Adi: And do you see a lot of CISOs wanting to advance to a position of looking mainly at the human side, rather than the technological side, or do you think.

[00:45:45] Andrew: I'm not sure. I think I'm, I wouldn't say I'm unique. I'm relatively unique in having such a specialist sort of interest in this area, but I think I'll find that I can find a lot of CISOs in my network who are that strategic visionary CISO.

[00:46:01] Andrew: Who have left the operations side and left the technical side behind a little bit, but are very focused on that, that board level engagement on the aligning the security strategy with their business strategy on becoming business professionals and enabling security to weave its way into the very fabric of the organization.

[00:46:20] Andrew: I think that's pretty much what a CISO is. If you really want to define how the CISO should be operating, they should be that, that conduit, the communication vehicle between the board and the technology department. So they can speak to a, you know, this security operations analyst, and the security operations analyst would tell them all about this technical vulnerability.

[00:46:40] Andrew: The CISO then turns to a board member and says, What he means is that our business operation is, is in peril because there's a new vulnerability out there that we're vulnerable to, that this could take our business operations down and we could lose profits. We wouldn't be able to open this office in this jurisdiction.

[00:46:55] Andrew: And the board member would come back and he would, the CISO would then turn to the security operations analyst and go, what the board member meant was that, yes, you need to implement this control and close this port and change this and update that. You need to be that conduit to be able to talk both languages.

[00:47:10] Andrew: And actually enable the business strategy and the technical strategy can be aligned on that risk based focus. That's what a CISO really is. They need to be able to operate in both of those worlds. If you're still stuck in the technology world, you're not going to get the credibility you need at the board to drive further investment, to drive strategic change, to drive risk adoption and risk identification and treatment.

[00:47:35] Andrew: You're just not. You're just going to be seen as a technology guy. So you need to move out of that space and you need to become a business professional. And you need to communicate at the business level. And that will take you away from the technology. Absolutely, because you can't, you can't really be both.

[00:47:50] Andrew: Although I have to say I've met one or two CISOs who are, and they're incredible. But I couldn't do both. I couldn't be both of those people at the same time. So you have to sort of water down your technical capabilities to build up your business capabilities, but I don't think you'd be a good CISO until you've got both, you've got a good, a good grounding of being a business person and a technical person.

[00:48:12] Andrew: So that's where I think, um, I see most CISO roles going in that direction.

[00:48:17] Adi: So one final question. What advice would you give to anyone who's looking into getting into cybersecurity or anyone who's looking to advance in it to become a CISO?

[00:48:31] Andrew: Um, I think, I guess it's probably two bits. I would say, um, I think it's, I'm just really not sure too.

[00:48:41] Andrew: Uh, I, I think move, move around organizations. Don't stay in one organization and don't stay in one sector either. Uh, move between sectors because you learn an awful lot by moving from different sectors. You, you'll learn about different risks, different risk issues, different risk appetites, different control structures and systems, different priorities.

[00:49:03] Andrew: And they will apply, they will apply to other organizations. You will learn a lot from moving between sectors. So, you know, it was interesting that I moved from air traffic control to MasterCard. And actually, there was a lot of similarities in that. They don't sound like they're very similar, but they really were.

[00:49:20] Andrew: Um, so you can learn a lot from different organizations. So try and move between different industries and see what you can learn. As you're moving between organizations and looking for roles, try and only accept roles that scare you. If you look at the role and go, I can do all of that, then that's not going to stretch you sufficiently.

[00:49:41] Andrew: Try and look at the role and go, Oh, okay. Yeah, I can do most of this and this bit. I can't really do very well. Oh, okay. I'm a bit uncomfortable. I think that's the sort of role you should go for. Because then you know that that role is going to stretch you and develop you. And you're going to come out the other end of that as a better person, with more capability and more confidence.

[00:50:01] Andrew: And, and it's, it's amazing how that can change your whole life. Because I, when I joined Forrester, I looked at the job description. I thought, Oh my God, this is going to have me doing speeches on stage. And I'm not really comfortable with that. That really scares me. And now here I am, you know, I've got those 15 years later and that's what I do for a living.

[00:50:21] Andrew: I do speeches on stage for a living now. So it's amazing how doing that, taking those risks and pushing yourself outside your comfort zone can really develop parts of you and open up your career opportunities way beyond what you expected. So try and take a role that, that, um, scares you. So that's, that's, so it's change industry, take a role that scares you.

[00:50:42] Andrew: And then I think the third one would be bring your passion to security. You know, if whatever you were interested in, whatever you love, whatever you're really gets you interested, bring that to security because there's a place for you in the security family. Now, if you're really interested in coding or hacking or law or storytelling, or even sort of art and drawing, there's a place for you in the security industry.

[00:51:10] Andrew: We can find, you know, a role where that will be embraced and will be useful. So I think try, try and bring your passions to the role and find out where that can fit. Because then the job doesn't become anywhere near as taxing as a job. It becomes something you love doing. And if you love doing your job, then you're going to be much more effective at it.

[00:51:31] Andrew: And you're going to be better at it. And it's not going to feel like hard work. And so there's so many different benefits that come with that. So definitely try and bring your passion to the job as well and look for opportunities to, to leverage what you're interested in within the environment, within the context of cyber security, because there will be an opportunity.

[00:51:49] Andrew: It's just looking for it. So those are sort of, I think those are my three bits of advice.

[00:51:56] Adi: Wow. Andrew, thank you so much. That was so interesting and so informative and just like seeing the way you think about it is amazing. So thanks for joining us.

[00:52:05] Andrew: And my absolute pleasure. Pleasure to be here. Thanks for inviting me on.

[00:52:09] Adi: Amazing. Wait, I'm going to stop the recording.

Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel