
Interviews With CISOs
Watch Again: Fwd: Thinking – The Intelligent Security Summit
by Andrew Webb Thursday, October 27th, 2022
If you missed Fwd: Thinking – The Intelligent Security Summit, don’t worry. We have every session available on demand right here. You can also watch past sessions of previous Tessian summits over on our knowledge hub.

Five Email Security Stats You Don’t Already Know (But Wish You Did)
The summit kicked off with Tessian’s John Filitz in conversation with Ram Ganeshanathan, VP of Enterprise Security at Arm, and Anuj Tewari, CISO at TMF Group. Together they discussed the findings from our latest State of Email Security Report, comprising global research into email security trends for 2022. The panel then revealed where your focus should be as we head toward 2023.

The Growing Threat of Impersonation and Account Takeover Attacks
Impersonation and Account Takeover (ATO) attacks are the leading threat vectors that result in Business Email Compromise (BEC) and represent among the greatest cybersecurity threats to enterprises. In this session, Tessian’s Paul Laudanski is joined by David Kennedy, CEO and Ethical Hacker at TrustedSec, James Fernley, Head of IT Security at BDO UK, and Jason Thomas, CIO at Cole, Scott and Kissane, for a lively discussion on the growing threat of account takeover attacks, and how to mitigate them.

Making the Case for Cybersecurity Spend? What’s the risk really worth?
We need to talk about risk. And you can’t talk about risk without talking about spending. It’s a fact that as companies think about growing efficiently, security is often bumped down the agenda. Nate Tombs, CISO at Man Group, Marco Garcia, Field CTO at Torq, and Tessian’s Josh Yavor explore how to prioritize cyber risk as a business risk and explain how to demonstrate ROI so that all business leaders can speak the same language and avoid that worst-case scenario.

Isn’t Security Everyone’s Responsibility?
Fact: Your end users don’t really care about cybersecurity. Our recent Security Cultures report found that 1 in 3 workers do not think they play a role in maintaining their company’s cybersecurity posture, while only 36% say they’re paying full attention to security awareness training. Ash Hunt, Group Head of Information Security at Sanne Group, Imraan Dawood, Information Security Officer at Investec, and Tessian’s Kim Burton take a look at why this is and what a better approach to building a stronger security culture looks like.

Lessons Learned on the Journey to a Machine Learning Platform
Tessian is built on machine learning and artificial intelligence. In this session, Daniel Linder, Senior Director of Data Science at Tessian, takes you on the journey of building a machine learning system in the InfoSec world. You’ll also get to peek behind the curtain into building and scaling a team of data scientists and engineers, as well as some practical tips on how to apply machine learning in ways that are most impactful now, and not in 10 years’ time.

How to Survive and Thrive in Cybersecurity
Finally, we were delighted to welcome our keynote speaker and guest, Helen Rabe, CISO at the BBC. Large enterprises like the BBC are high-value targets for attackers. In this wide-ranging talk, Helen explains her approach to cybersecurity and details what it takes to be a successful and savvy security leader.
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Podcast, Compliance, Interviews With CISOs
Lola Obamehinti on What Good Security Awareness Training Looks Like
by Tessian Saturday, August 13th, 2022
With a wealth of experience in developing and leading security and awareness programs at companies including eBay and TIAA, Lola Obamehinti knows what makes a good program. Lola, the founder of Nigerian Techie and former , joined Tim Sadler, Tessian CEO and co-founder, on the RE:Human Layer Security podcast to discuss security and awareness training – why it matters, how to make it effective, and the secret to keeping employees engaged. Tim and Lola also discussed diversity in tech, with Lola reflecting on the work that remains and how to increase inclusivity and diversity in the industry. Listen to the whole episode or read on for some key Q&As from the interview.

Q: Why is security awareness so important in organizations today?

A: Security awareness and training are crucial for every organization because employees need to understand their role in protecting confidential company data and information. When cybercriminals target a company and attempt to gain access to networks and systems, they do not only target IT or tech employees. Each and every employee has the potential to be a target, regardless of their role. So it is really important to equip employees with the proper tools to identify phishing attacks and other methods that cybercriminals may use to infiltrate an organization.

Q: What does a good security awareness program look like?

A: Effective security awareness and training programs require a multifaceted approach. It is not just training, and it is not just security awareness events or communications – it is all of those elements working together. You could even divide security training up further into phishing simulations, which then feed into additional security training, alongside required security training (that could also be role-specific). The communications pieces and events also play a big role because you need to let the employees know where they are missing the mark, and also lead effective security awareness events.

Finally, you need to use data to track the progress of all of those particular programs. This well-tracked, multifaceted approach really helps to keep security at the forefront of employees’ minds, and in my opinion, is what works best.

Q: How do you improve a pre-existing program and engage employees?

A: Additional funding is the best way to improve a pre-existing program. It may seem like the easy answer, but in my experience, I have noticed that security awareness and training is one of the parts of security that is often a bit underfunded. Companies often say that additional funding isn’t necessary, but whenever an incident happens, security awareness and training is one of the first teams that is notified. Now when it comes to the content of the program, context is key. To engage employees and help them retain information, you need to provide context to the lessons you are teaching them. For example, when I was leading security awareness and training at eBay, we were entirely remote, so ensuring employees were well engaged was a key focus. One of the things we did was in January after the popular Coinbase advert that was shown at the Superbowl. The advert featured a QR code bouncing around the screen, similar to a bouncing DVD logo. So, I wrote an article about protecting yourself against QR code phishing, using the advert to provide context. The engagement was huge – a few of our engineers even created their own QR codes! Until then I didn’t think that level of engagement was possible, but it just goes to show what happens when employees are truly interested in a topic. You just need to make it relevant to them.

Q: What diversity and inclusion work is left and how can leaders help?

A: Right now, there is a lot of work left to do in the industry when it comes to diversity and inclusion. The security industry reflects the greater technology industry, where there is not a lot of representation. Even for San Francisco-based companies, the representation of Black, Indigenous, and People of Color (BIPOC) teeters around 2-5%, which is really, really disheartening. Particularly because in 2014 a lot of the major tech companies started releasing diversity reports, but the numbers really haven’t moved since. To change this, I believe that the gatekeepers, from hiring managers to executives, need to give opportunities to individuals who might not have a traditional path. Maybe they just have a passion, maybe they have done a lot of extracurriculars like starting a podcast or YouTube or Discord to educate other individuals on security. They may not have the right certifications, but those individuals should be given more opportunities at entry level or even management. Also, for the individuals who are already in the industry – if they don’t feel included or like there are proper opportunities for advancement, they leave. We have all seen the lawsuits that are being brought against Google and other tech organizations where people have been discriminated against, experienced racial microaggressions, and were not promoted or compensated fairly. So the work doesn’t stop once you have a diverse workforce – you need to make them feel continually included. Finally, I would like to highlight that diversity is not just about BIPOC. It can be gender, background, or socioeconomic status; it can be anything. I think of diversity as diversity of perspective and thought – and it is so important for the overall success of a company.
Integrated Cloud Email Security, Interviews With CISOs
Hot Takes: 8 Ways to Strengthen the CISO and CFO Relationship
by Tessian Thursday, August 11th, 2022
As cyber risk continues to escalate, strategic collaboration between the Chief Information Security Officer (CISO) and Chief Financial Officer (CFO) is becoming more important. In a recent webinar discussion between Tessian’s CFO, Daniel Kim, Jason Thomas, CIO at Cole, Scott and Kissane, and Steve Kinman, CISO at Snyk, we talked about the key elements of addressing cyber risk at a strategic and fundamental level. What did we uncover? Ultimately, the CISO and CFO roles are changing, and collaboration between these two important stakeholders is essential for businesses to mitigate cyber risk while also driving business objectives forward. The panel also outlined some of the key principles necessary for enabling a dynamic risk mitigation and business value-led partnership.
1. Focusing on cybersecurity fundamentals

The risk of a cyber breach and the costs associated with breaches are increasing. In fact, the 2022 Cost of a Data Breach Report from IBM revealed that the cost of a data breach now stands at $4.35 million, up 13% from 2020. According to Jason Thomas, CIO at Cole, Scott and Kissane, security leaders must focus on the security fundamentals as a starting point. This includes understanding your environment, i.e. classifying your assets, knowing what you have from a technology and people standpoint, as well as the degree of cyber risk faced by your organization.

2. Quantifying cyber risk

For Daniel Kim, CFO at Tessian, moving away from a binary quantification of cyber risk is the first and most important step to addressing increasing cyber risk, as is appreciating that “the risk is never going to be zero.” As a next step, he says, it is important that companies also appoint C-suite steering committees that operate in a similar fashion to disaster risk committees. This would move companies from a reactive to a proactive position on cyber risk mitigation.

3. Prioritize cybersecurity spending

Prioritizing cybersecurity investments can often face questions of relevance from other business leaders about the value that these investments would add to the company. For Jason, it is essential that company leaders ask themselves, “how much is one hour of downtime worth to the company?” For Steve Kinman, CISO at Snyk, many companies are still struggling to adequately prioritize cybersecurity program development, stating “what I hear a lot from teams is that they’re doing a lot of ad hoc security planning…and there’s no-rollup of that information to the C-suite or board.” Every cybersecurity initiative, he says, must be aligned with the business and its objectives.

4. Cyber risk as a financial risk

On the growing importance of CFO and CISO relationship building, Tessian’s Dan underscores that it rests on two aspects, namely the frequency and the impact of risk. On frequency of risk, it is imperative that leaders understand what risks exist in their environment; these can range from natural, geopolitical, and financial to cyber risk. On impact, the increasing costs associated with cybersecurity events, from loss of revenue and downtime to the loss of data and IP, have rendered cyber risk a financial risk, says Dan. Combined with regulatory changes that will result in the C-suite being held personally liable for cyber breaches, this is elevating the importance of dealing adequately with cybersecurity risk – with Dan adding, “reacting to a breach after the fact is no longer a good business model.”

5. Healthcheck on the CISO and CFO relationship

Snyk’s CISO Steve noted that for the majority of organizations a disconnect between the CISO and CFO is apparent, noting that many CFOs don’t understand cybersecurity terminology and do not understand the real cyber risk facing their organizations. It’s important to shift the conversation from cyber risk to business risk. Touching on the evolution of the CISO role, Jason states it is critical that security leaders understand the fundamental financial aspects of the business in order to prioritize investments to address these risks.

6. The importance of ROI

Having measurable return on investment (ROI) from your security tools is non-negotiable for every business. For Jason, this entails conducting routine audits of security tool efficacy. Not being able to get the data out of the tools and demonstrate what impact they are having leaves you unable to determine whether the tool is performing as expected and is delivering ROI. For Dan, it is helpful to use a framework that categorizes each investment by the following criteria:

• investments that generate revenue
• investments that cut cost
• investments that manage risk

Every business leader – including CISOs – needs to be able to translate their area of expertise and the programs underway into business outcomes, according to Dan. Learning how to speak the same risk language, being the catalyst for change, and making it a collaborative journey is so important to achieving business outcome success.

7. Become an effective C-suite communicator

It’s only once a breach has happened that cybersecurity programs are prioritized. This, according to Steve, is the well-known mantra of “not wasting a breach” to increase the cybersecurity budget. Although this approach is commonly used in the industry, there is a need for a more proactive approach. Steve cautions, however, that security and risk leaders need to be tactical with their asks for additional cybersecurity investments – you need to have a well-developed and well-communicated cybersecurity strategy in place first. Additionally, overcoming communication obstacles that may exist between the CISO and the C-suite requires developing a set of reporting metrics that conveys the maturity of the program, rollout against timeframes, and how risk is trending. The C-suite and board require a different type of language than most security practitioners are familiar with – don’t go too deep on security jargon.

8. Overcoming the cybersecurity perception problem

In a 2022 Tessian study, we found that only 58% of employees believe that senior executives at their company value cybersecurity. For Steve, most companies recognize that cyber risk is the number 1 risk, but that’s where the acknowledgement stops. Even large corporations don’t demonstrate how essential cybersecurity and cyber risk mitigation are to their overall growth strategies. Cyber risk needs to be intertwined in the business plan and commonly understood by all of the business units. When cybersecurity risk is not referenced in the business plan, that is where the perception of cybersecurity not being valued comes from. Jason and Dan agree that security awareness training needs to be ongoing and doesn’t need to be overly complex. Jason uses a constant messaging approach to drive security awareness of the risks being seen in the industry and the measures his team has in place to safeguard his company.

Building a Long-Term Relationship

The importance of strategic collaboration between CFOs and CISOs is coming into sharper focus, particularly as cyber risk continues its upward trajectory. For organizations that are behind the technology adoption curve, according to Dan, cybersecurity risk can no longer be seen as a standalone, siloed IT project; rather, it needs to be seen as a key business risk facing the enterprise. Sharing information and intelligence, i.e. constant communication on breaches and threat trends in the industry as well as demonstrating what measures are in place, helps Jason and his team build trust with the C-suite. Steve advises: it can be very intimidating to think that the CFO doesn’t care about cyber risk, but get over that fear, go and speak to your CFO, and build that relationship. Building an effective relationship between the CFO and CISO takes collective effort, as well as a shared view on the extent of cyber risk facing the organization. Having a well-oiled partnership between these two important business stakeholders can both mitigate cyber risk and deliver success on business objectives.
Interviews With CISOs
Almost Half of Chief Information Security Officers (CISOs) Have Missed A National Holiday Due to Work
by Andrew Webb Saturday, June 18th, 2022
Being a CISO or Security Leader in today’s InfoSec world is not for the faint-hearted. CISOs are some of the hardest working people in any company, regularly working extra hours and overtime to keep the company secure from threats. But this constant vigilance for threats can mean that CISOs miss out on everything from time with the family to getting enough down time to recharge. We recently undertook research to see just how much time CISOs “lose” investigating potential breaches and threats, and the headline is: security leaders don’t work hard, play hard. They work hard…then work harder. In fact, 42% say they’ve missed out on a federal or national holiday like Fourth of July, Thanksgiving or Christmas because of work. You can see the full details here. But here are some highlights.

CISOs’ hard work isn’t going unnoticed

While no one wants to miss out on family time, it’s not all bad news. 89% of CISOs we surveyed believe the work they do is appreciated by employees outside their team. Furthermore, 66% of employees say they understand the role of the CISO. That’s a ringing endorsement of how valuable and visible the relatively new role of CISO has become in just a few short years. However, just because the rest of the organization knows who you are and what you do doesn’t mean it’s plain sailing. As a result of their demanding roles, CISOs are struggling to keep up with developments that further strengthen the business, like training, hiring talent, and staying on top of the latest threat intel. They’re also missing out on important personal and social things outside of work, like public holidays and family vacations. Most concerning is the fact that some CISOs are even putting their health at risk by skipping workouts or missing doctor’s appointments.

What are CISOs busy doing?

So where is all the time going? What is it that’s causing CISOs to lose, on average, 11 hours a week in overtime? According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents. And a quarter of CISOs say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day investigating and remediating each threat caused by human error. On top of this, 38% believe they’re spending too much time in meetings and reporting to the board, and 33% also feel as though they’re being drained of time because of other administrative tasks. Looking for more detail on the things that are taking up CISOs’ time? We’ve got you covered here, but it’s clear that investigating breaches and dealing with the fallout from them is a major drain on time, resources, and mental health.

What would you do if your schedule was cleared?

We asked CISOs what they would do if they were able to claw back those Lost Hours, and it turns out their three primary objectives are:

• Spending time with family/friends
• Further strengthening the business
• Resting

Did you know that organizations with over 1,000 employees could save as many as 26,357 hours a year by automating security with Tessian? While Tessian’s Human Layer Security platform can help you automate your security, which would help you strengthen your email security defenses and save you time, we’d rather use this opportunity to share some mindfulness and productivity tips to help you switch off.

• Share the load: While – yes – CISOs are the Head Honcho within IT and security teams, that doesn’t mean you have to do everything. Remember that delegation is validation, it’s okay to ask for help, and your best bet is to prioritize, then divide and conquer.

• Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Likewise, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge.

• Unplug (like, actually…): This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.

Ready to learn more?

Want to find out how your security teams and employees can reclaim their Lost Hours? Get in touch with the Tessian team today to learn how Human Layer Security can help stop “Oh Sh*t!” moments from clogging up your schedule.
Cyber Skills Gap
IT Departments are Looking for New Jobs: Here’s How to Retain Talent
by Andrew Webb Thursday, March 24th, 2022
You can’t stop people from leaving for pastures new; employee turnover is a natural function of any organization. But when that trickle turns into a flood, there’s an issue. Our recent Great Re-evaluation research revealed that 55% of employees are thinking about leaving their jobs this year. What’s more, 39% are currently working their notice period or actively looking for a new role in the next six months. But who’s leaving, and why? According to research by Harvard Business Review, ‘mid-career’ employees between 30 and 45 years old have seen the greatest increase in resignation rates. The research also identified the most at-risk sectors, and alarmingly tech industry resignations came out on top, with an increase of 4.5% (compared to 3.6% in healthcare, for example). If this sounds like the situation in your security or IT team, here’s why they might be leaving, and what you can do about it.

Why are people quitting?

A recent McKinsey report highlighted that it wasn’t always the promise of a higher salary that lures people away. Instead, the things employees were looking for were: feeling valued by either the organization or by their immediate managers, a sense of belonging, and a flexible work schedule. In essence, employees were far more likely to prioritize relational factors, whereas employers were more likely to focus on transactional ones. The past two years have certainly taken their toll on security teams from the CISO down, and people are a little burnt out and stressed. SOC teams are on the front line of a company’s defenses against cyberattacks – alert fatigue is real.

What to do: Work with your people team on an employee support plan, schedule regular check-ins with team members, and explore technological solutions like – full disclosure, it’s what we use here at Tessian.

Highlight team achievements

SOC team members have a thirst for knowledge – they have to respond to an attack quickly in a high-pressure situation. If they feel they haven’t got the support and encouragement they need, both managerially and technologically, they’ll walk. After all, it can be particularly demoralizing to devote eight hours a day to defending an organization when that defense is neither valued and acknowledged nor resourced sufficiently.

What to do: As the company’s security leader, you have to beat the drum for your team’s work and show the value that it brings to the company. Remember, IBM’s ‘Cost of a Data Breach’ report tells us the average cost of a breach is $4.24 million. Communicate that, whether it’s at the all-hands or on a poster in the restrooms.

Automate and augment the mundane

The IBM Pollyanna Principle states ‘machines should work; people should think’. That means you should review your security orchestration, automation and response (SOAR) set-up periodically and see what can be automated. Things that automate well are repeatable manual tasks, threat investigations, triage of false positives, and creating reports. This Microsoft blog has some great tips on what security tasks and objectives you should automate, and why. After all, if attackers are automating many of their processes for increased efficiency, so should you.

What to do: Automating the everyday tasks, from reporting to rooting out false positives, will help you and your team concentrate on the critical issues. Be realistic about what automation is capable of. With that expectation, focus on areas where augmentation can help the team make faster and better decisions. That’s the winning formula.

Reward growth

As Mike Privette said in our podcast, security is the one corporate function that should always be growing. As we explored in this article, one of the key factors in building out a security team is that people must have confidence that they can grow and gain value by staying within the organization. So as well as increasing the team in terms of overall size, prioritize elevating existing team members into more senior roles.

What to do: Have a clear understanding of individuals’ potential career progression within the organization. Work with your People team on highlighting future opportunities and creating growth plans for 6-12 months down the line.

Make time for training, learning and development

As well as promotions and increased responsibilities for some team members, training across the team keeps everyone united and aligned. Training in conjunction with things like automation is most effective when you’re looking to change behaviors, such as decreasing response times or improving triage. For the fifth straight year, the ISSA and ESG cybersecurity survey reveals that 59% of cybersecurity professionals agree that while they try to keep up with cybersecurity skills development, job requirements often get in the way. As the survey notes, ‘This training gap is quietly increasing cyber risks at your organization’.

What to do: Designate a baseline metric to improve upon, and design a training program that is focused, flexible, and able to meet that metric. If training lacks an objective and feels like a chore, people will treat it as a chore.

Finally, if people are dead set on leaving, the only thing you can do is wish them all the best. Infosec is a small world and chances are your paths might cross again.
Cyber Skills Gap
There Isn’t a Cyber Skills Shortage, You’re Just Not Hiring and Retaining The Right People
by Josh Yavor Friday, March 18th, 2022
The Cyberseek heatmap shows there are over 500,000 cyber job openings in the US alone, and globally over 3.5 million. With so many unfilled vacancies there must be a skills shortage, right? I’m not so sure. I think our perceived talent and skills shortage is largely self-inflicted because, as an industry, we’re sadly terrible at hiring, growing, and retaining people. Too many organizations are chasing a finite number of senior-level people, which results in two critical problems. The first is self-inflicted: over the past decade, as an industry, we have failed to grow enough people from entry and mid-level positions into senior-level roles. The second is that many organizations believe they can only hire senior talent rather than grow and retain the talent they already have. If we don’t invest in people earlier in their career, we will never have the talent pool our collective job postings demand.

The problem with hiring only senior talent

We tend to spend a lot of time and energy looking for “unicorn hires”. These hires can take months of our energy and attention for each role. In aggregate, we risk incurring opportunity costs that prevent us from growing a person – or several people – into these capabilities. Of course, the security industry is not the only offender. Many technical roles outside of security are subject to the same type of bad behavior. We allow ourselves to create job postings with requirements that are sometimes impossible – like requesting 10+ years’ experience in a technology that has literally only existed for five. So why are situations like this happening? Despite good intentions, a recruitment team supporting a security team without enough investment of time and partnership from the engineering managers is going to get these things wrong. It’s not their fault, but a clear indication that we need to be better together.

I challenge hiring managers to answer this important question: describe the specific skills and experiences that 5-10 years of experience mean to you. When I ask this, one of two things happens: they either can’t answer it – which is a good indicator that it shouldn’t go in the job description – or they can, and this becomes the start of better job requirements. Chronological time doesn’t tell us all that much about someone’s capabilities, how they grew (or didn’t), or what they’re good at. Instead, we should be focusing on things like core experiences, history of growth, skill sets, and capabilities. That’s what we should switch our requirements and expectation language to. So we should seek people who have specific experiences or capabilities, such as leading teams of a specific size, adapting to rapid change in a high-growth organization, or having navigated significant technology migrations. These are more equitable, measurable, and useful capability assessments that don’t rule out qualified candidates by setting minimums for years of work experience.
Reminder: if a team runs itself for six months while you hire a manager, you shouldn't be hiring, you should be promoting. — Matt Wallaert (@mattwallaert) November 18, 2020  
The great resignation   We’ve covered the great resignation/re-evaluation/migration previously on this blog. But even before this movement, we were already seeing an average ‘in role’ time of just 18 to 36 months for many security individuals. That’s a high turnover, and The Great Migration has only increased it. Senior decision-makers across the US report an average security staff turnover rate of 20% according to research from ThreatConnect. Compare that to another study by Michael Booz that found that the global average for all roles was around 11%.
Organizations should be focused on what it takes to keep people longer. To retain people, there are two key factors. First, people must have confidence that they can grow and gain value by staying within the organization. Second, they need to be able to experience recognition, and crucially – rewards, for their increasing value both in the market and in their organization. Too often we prioritize budget for new hires when the best option is to invest in the people we already have on staff and reward them before someone else does.

In my experience, not enough is done during the first two years of employment to give employees confidence that there is an ongoing trajectory for them in terms of growth, recognition, and rewards. And by the time we get to that two-year point, the first time the organization hears about it is when they’re getting the resignation letter.

Sadly that is THE WORST time to attempt a growth and rewards conversation.
Creating a better pipeline

Of course, as people level up and grow into new roles, you need new recruits. But many security leaders are reluctant to have their teams be the first stop in someone’s security career. However, there are plenty of security roles that are great places to get a start in security while applying relevant and overlapping skills from previous non-security roles.

There are very few cases where significant skill transfer from non-security to security roles is not possible. Some of the more obvious examples are IT system administrators becoming enterprise security engineers, software developers being successful in product security roles, etc. We need to look beyond these examples and expand our mapping of critical skills and capabilities to additional roles and backgrounds. Some of the most talented security professionals in our industry today come from much more diverse backgrounds. Some went to university to study linguistics, art, or math, and many never pursued higher education.
Your next security hire could come from customer success, marketing, or human resources

One of the things we need to be more conscious of is that security roles don’t just need technical skill sets. In fact, training people up in specific technical skills is relatively easy to do. Instead, we should be optimizing security roles for people who are making a job transition. Security teams can benefit hugely from the things that are NOT easy to train people up on, like emotional intelligence, personal relationship management, and communication skills.

I’ve done this myself. I supported hiring someone with a background in customer service for a security operations role. 90% of the job is still based on providing effective customer service and rapidly triaging problems to identify the most appropriate solutions; it’s just a different set of customers and problems. We can train people on how to use our technology and how to think about security. What’s much harder is training people to be effective communicators with the empathy and high emotional intelligence needed to provide exceptional outcomes while supporting people.

I’ll finish how I started, by saying again that there isn’t necessarily a skills shortage in many cybersecurity roles. We’re just setting the requirements poorly, largely ignoring retention, failing to take advantage of skill transference opportunities from non-security roles, and not giving people the opportunity to grow.

Want to join us at Tessian and start or develop your security career? Check out our open roles. What’s it like to work here? Here are 200 reasons why you’ll love it. Want to find out more about diversity and the cyber skills gap? Register for our upcoming LinkedIn Live.
Cyber Skills Gap
New Research: 1 in 3 Employees in IT and Security Teams Are Female
by Tessian Monday, March 7th, 2022
As the global job market has contracted over the last 18 months, cybersecurity has expanded, putting IT and security professionals in higher demand than ever. But diversity is still a big problem in the industry, and it’s one that security leaders, HR teams, and recruiters are desperately trying to solve.

And, while there’s still room for improvement, new research shows that organizations are prioritizing diversity and inclusion (D&I), and it’s paying off: 1 in 3 employees in IT and security teams are female.

Why is diversity so important in cybersecurity?

We know instinctively why D&I matters from an ethical perspective. But, year after year, research from consulting firms like McKinsey shows there’s a strong business case for diversity, too. It helps boost innovation, increase job satisfaction, and helps drive higher profitability, market share, and return. It’d also have a big impact on the global economy.

The Center for Economics and Business Research quantified just how much of an impact. If the number of women working in cybersecurity rose to equal that of men, we’d see a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK. And, if women earned as much as their male counterparts, we’d see billions more pour in, with a further $12.7 billion added in the US and £4.4 billion in the UK.

So, how diverse is the industry today?
How diverse is the industry today?

A recent survey of 250 IT leaders in the US and UK revealed that:

- On average, one in three (33%) employees in IT and security teams, in UK and US organizations, are female
- IT leaders in US organizations have slightly more diverse teams, with 36% of their team being female, versus 30% of IT teams in UK organizations
- Larger companies are more likely to have greater diversity in their teams. 36% of IT teams in medium sized businesses (25-499 employees) are female, and 34% of IT teams in large enterprises (1000+ employees) are female. This drops to 29% in small businesses (2-49 employees)

But it’s not just about gender. It’s about geography, professional experience, educational background (or lack thereof), age, religion, and more.

According to a 2021 report from (ISC)2, while minority professionals make up a significant portion of the cybersecurity workforce, they’re underrepresented across senior roles within their organizations. Among minority cybersecurity professionals, just 23% hold a role of director or above, 7% below the U.S. average.

And, interestingly, minorities who have advanced into leadership roles often hold higher degrees of academic education than their Caucasian peers who occupy similar positions. Of minorities in cybersecurity, 62% have obtained a master’s degree or higher, compared to 50% of professionals who identified as White or Caucasian.
That said, progressive IT leaders do have objectives in place to hire people from a more diverse range of backgrounds:

- 56% of IT leaders in US organizations have objectives around increasing efforts to hire people from a more diverse range of backgrounds in 2022
- 46% of IT leaders in UK firms have objectives around increasing efforts to hire people from a more diverse range of backgrounds in 2022
- 65% of large businesses (1000+ employees) have objectives around increasing efforts to hire people from a more diverse range of backgrounds in 2022

This raises the question: what can organizations do to ensure a more diverse workforce, including diverse leadership?

How can organizations hire (and keep) diverse talent?

Hiring diverse talent

To better understand what would encourage more diversity in cybersecurity, we asked female practitioners what would make the biggest impact. Here’s what they said:

According to Tessian’s CISO, Josh Yavor, job descriptions and requirements are turning people off and away, too.

“We have to look at the terrible multi-decade history of awful job descriptions and requirements in cybersecurity. This industry is bad at posting entry-level descriptions that require unreasonable levels of experience, and this makes it impossible to hire anyone. The challenge I give to hiring managers is to ask them, what does 5-10 years of experience actually mean to you? What does 5-10 years of experience look like and what value does that actually provide?” Josh explained.
It’s essential that organizations remove barriers to entry like 4-year degrees, cybersecurity certifications, and previous experience. Of course, IT skills and knowledge of computer science and engineering may be prerequisites for some roles in cybersecurity. But all roles require soft skills, for example data analytics, analytical thinking, creative thinking, and collaboration.

Retaining diverse talent

The Great Resignation of 2021 has continued well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance, and even exploring a career in a completely new industry.

According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year. The most likely department to be on their way out? IT.

That means retaining diverse talent is just as important as hiring diverse talent.

How? Prioritize employee wellbeing, promote flexibility, offer good perks (which means more than just snacks, beer, and ping pong), build a good company culture, and invest in career development.

Looking for a new gig? If you’re looking for your next gig, and want all of the above ☝ explore Tessian’s open roles.
Interviews With CISOs
Q&A with Karl Knowles, Global Head of Cyber at international law firm HFW
Tuesday, December 21st, 2021
Karl Knowles is Global Head of Cyber at international law firm HFW. Tessian’s Customer Success Manager, Amelia Dunton, spoke to Karl about building defense in depth to combat advanced inbound attacks.

Tell us a bit about your role as Head of Cyber at HFW—What do you think companies should be most aware of when it comes to email security, specifically inbound email attacks?

One of the first things we need to consider is that email isn’t going anywhere—despite the fact that everybody wants it to go somewhere. It does seem to be the main preference of communication, and for all different businesses and industries—not just in legal.

But since the pandemic, there’s been a huge spike in email threats, as we all know. In fact, Mimecast pushed out a report where they had detected a 64% increase in email attacks as people move towards more hybrid environments.

And what we’ve seen, and what we continue to see, are increased impersonation attacks… You have to see Microsoft, Google, Dropbox—they’re all being impersonated on a daily basis. In fact, impersonation attacks account for nearly half of the email attacks that we receive. And then, of course, we’ve got the issues around domain spoofing and account takeovers all becoming more sophisticated—more difficult to see.

And certainly, you need to be conscious at all times when you receive an email. You need to take a breath—you need to take a bit of time, and you have to look at it. But that’s not always the case, and it’s never as easy as just taking that time, taking that moment. Because, as you know, the domain impersonations are very realistic. Some of the emails have been crafted better, so you need something else to help you with that.

Regarding inbound attacks specifically, is there a vulnerability gap when relying solely on a secure email gateway (SEG)?

Well firstly, it’s about evolving threats. And as we evolve our defenses, we’ve got to remember our adversaries are doing the same.
Their TTPs are changing all the time, so we need to be on our toes. And we’ve seen the examples of this, as I mentioned before, with the amount of impersonation attacks—where people email from other locations purporting to be from areas where they are registered. And this is where we need to be warning our users.

But we’ve also seen new domains being spun up. Why shouldn’t you be allowed to create a domain if you know how? It doesn’t mean to say that just because you’re creating an email domain, you’re going to use it for nefarious reasons. But the secure email gateway itself won’t just put that domain on a blacklist—and nor should it. Because, just because a domain’s been spun up, it doesn’t mean to say it’s malicious.

So that’s where you need something like Tessian Defender to kick in—because the SEG isn’t going to block it. It’s going to say, “Well, actually, just because you’re new, doesn’t mean to say you’re malicious.” But then what Defender will do is, it will just prompt you as you receive that email to say: “Hey, you know this is the first time your organization has seen this new domain?” So it just acts as a bit of a pause.

But this will also pick up when your normal senders’ domains come from a different location. As I said before with account takeovers, you can be communicating with an organization from Hong Kong, and you can have regular emails—maybe a dozen a day—and all of a sudden, an email comes from that domain—but it’s not in Hong Kong, it’s in The Netherlands.

So you need something to do that—because the secure email gateway isn’t always going to pick that up. So you need a bit of a: “Hey, do you realize that this email has come from a completely different location to where that domain normally sends its emails from?”
What do you think security leaders need to rethink? What’s your advice to them?

Well firstly, we need to say that malicious emails aren’t going anywhere. They’re getting more and more sophisticated by the day—so we can’t think that, you know, one tool is going to fix everything. Maybe one day, but as it is at the moment—we’ve got to make sure that we have the technology just to protect our people. But we also need to make sure that our users—as the goalkeepers, as we refer to, the “last line of defense”—know what their responsibilities are, as well.

Because for me, as a security leader—it’s all well and good, me showing them a warning. Tessian will show a warning if an account takeover is triggered, or it’s an official email, or it’s a newly-observed domain—which is really good, but unless the user actually does something with that, and reports that, or blocks it, then it doesn’t actually mean too much.

Because if they can continue to communicate with that malicious domain, then you’ve got yourself a problem—it doesn’t matter about the technology. So, the first thing is: it’s getting more sophisticated, but we need to work with our staff, our users, to make sure that they understand the important role that they play, and that they can’t just rely on technology. The technology’s there to support them, but it’s not the be-all-and-end-all.

We also can’t expect our users to spot these emails just with the naked eye. We’ve got to appreciate that they’re working now in more hybrid environments, using devices such as mobile telephones, iPads, laptops, computers. And each one of those will display things differently.

And depending on where they’re working, whether they’re working in a train, a cafe, at home, or in the office, what we’ve got to consider is the factors that are going on around them at that time: what their mood is, what stresses are going on at the time…

The people that want to gain something from them know this, and they will prey on our weaknesses, by using a sense of urgency, by crafting words correctly. And when you’re operating in such an environment, where you’ve got multiple things to consider and you’re doing a lot of things at the same time, this is when you need to take a step back and briefly just make sure you think before you click that link.

If you haven’t got that secure email gateway… if you haven’t got that machine learning at the top end of that, and then right the way back to the human layer—which is the goalkeeper—making it as easy as possible for them to make the right decision at the right time.
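The two inbound warnings Karl describes, a sender domain the organization has never seen before and a known domain suddenly sending from a different country, as an added illustration in Python. This is not Tessian’s code; the email records, domains and the assumption that the receiving mail gateway supplies a source country per message are constructed for the example.

```python
"""Minimal model of two inbound-email warnings: newly observed sender domain,
and a known sender domain arriving from a location it has never used before."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class InboundEmail:
    sender: str          # From address as it appears in the header
    source_country: str  # country of the connecting IP; assumed to come from the gateway's geo lookup


@dataclass
class DomainProfile:
    seen: int = 0
    countries: Dict[str, int] = field(default_factory=dict)  # country -> emails accepted from it


class SenderDomainMonitor:
    """Learns, per sender domain, how often the organization has heard from it and from where."""

    def __init__(self, min_history: int = 5):
        self.profiles: Dict[str, DomainProfile] = defaultdict(DomainProfile)
        # Below this many prior emails the location baseline is too thin to call anything unusual.
        self.min_history = min_history

    @staticmethod
    def domain_of(address: str) -> str:
        """Extract the domain, tolerating a display name such as 'Bob <bob@Example.COM>'."""
        addr = address.strip()
        if addr.endswith(">") and "<" in addr:
            addr = addr[addr.rfind("<") + 1:-1]
        return addr.rsplit("@", 1)[-1].strip().lower()

    def assess(self, email: InboundEmail) -> List[str]:
        """Return the warnings a user would be shown for this email, then update the baseline."""
        profile = self.profiles[self.domain_of(email.sender)]
        warnings: List[str] = []
        if profile.seen == 0:
            warnings.append("newly-observed-domain")
        elif profile.seen >= self.min_history and email.source_country not in profile.countries:
            warnings.append("unusual-source-location")
        profile.seen += 1
        # A flagged location is not folded into the baseline: the anomaly should not
        # silently become "normal" just because it happened once.
        if "unusual-source-location" not in warnings:
            profile.countries[email.source_country] = profile.countries.get(email.source_country, 0) + 1
        return warnings

    def confirm_location(self, domain: str, country: str) -> None:
        """Analyst or user confirms the new location is legitimate, so later emails are quiet."""
        self.profiles[domain.lower()].countries.setdefault(country, 1)


# Constructed sample: a dozen routine emails from a partner in Hong Kong, then one from
# the same domain out of the Netherlands, then a first-ever email from an unknown domain.
SAMPLE = (
    [InboundEmail("invoices@shipping-partner.example", "HK") for _ in range(12)]
    + [InboundEmail("invoices@shipping-partner.example", "NL"),
       InboundEmail("hello@new-vendor.example", "NL")]
)


def run_sample() -> List[List[str]]:
    monitor = SenderDomainMonitor()
    results = [monitor.assess(e) for e in SAMPLE]
    # After the Dutch office is confirmed as real, the next email from there is not flagged.
    monitor.confirm_location("shipping-partner.example", "NL")
    results.append(monitor.assess(InboundEmail("invoices@shipping-partner.example", "NL")))
    return results


if __name__ == "__main__":
    for email, warnings in zip(SAMPLE, run_sample()):
        print(f"{email.sender:40} {email.source_country}  {warnings or 'ok'}")
```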
Email DLP, Interviews With CISOs
Q&A with Punit Rajpara, Head of IT and Business Systems at GoCardless
Tuesday, December 21st, 2021
Punit Rajpara is Head of IT and Business Systems at GoCardless. In this Q&A he tells us how GoCardless won over the entire organization—from employees to board members—with their forward-thinking data loss prevention (DLP) program. Dig deep into the intuitive and effective user warnings, powerful analytics, and reporting tools that helped prove their business case.

Could you please give us a quick introduction to yourself and your role at GoCardless?

I’m the Head of Business Systems at GoCardless. I’ve been here just over a year—joined at the crazy pandemic time, so it’s been an interesting year. Plus, prior to GoCardless, I was at WeWork and Uber, so I clearly love the hot startup journey and putting in core tools. GoCardless is in the space solving for payments—so whether that’s recurring or one-time payments.

We’ve just really done some really cool stuff at the Urban Bank and you should check it out. We service payments across 30 different countries and we process about 20 billion in revenue for other merchants every year.

DLP can be a really daunting project, for many. At GoCardless, what was your starting point in DLP?

Yeah, I think I’d say boring and daunting. It’s one of those things that’s just kind of there, and it can be disruptive to users. So, I guess our starting point was we… like I said, it was kind of just there. We used Google DLP to kick off, and the inbuilt DLP tools, and we found those a little bit complex to configure.

So we’re coming to this realization—just when everything just happened and we went to market—to look for somebody better. We realized it needs an admin of its own—it’s just configured a bunch of policies that just block stuff for our users all the time. And it didn’t seem very “user-in-mind.” So that’s our starting point: Google-based DLP tools. A bit boring, a bit daunting, like you said, and just… there.

What was it that instigated you to start thinking: “OK, we need a new approach”?
We had an incident where somebody sent a file to a friend, instead of to the right recipient. And we got a bit lucky, where the friend said: “Oh, did you really mean to send me this file?” and it was an important file that probably shouldn’t have gone to the friend. And the person that caught that came straight to us and said, “Hey—do we have a way of stopping me from sending things I shouldn’t to the wrong people?” And we’re like: “Maybe… Let’s go and have a look at it.”

So, we weren’t intentionally looking at DLP, but it’s one of these things where it allows us to be used a little as well, so users will come and talk to the problem, and go: “Hey, I’ve made this stupid mistake—what should I do?” and “Can you do anything to help me not make that mistake again?”

So, that’s what really led us down the road of going: “We should look at this problem. We should look at inbound and outbound DLP and see if we can make it easy for our users not to do things that are going to be harmful to them and the business.”

How have you got your employees to that state, where they’re actually coming forward and saying “Hey, how can we stop it going forward?”

I think it’s part of that kind of scale-up workforce culture, where people are expecting not to do things by themselves constantly. If you look at all aspects of… mostly business systems and IT, there’s a huge focus today on ultimate automation and self-service. So people are used to working in organizations where you’re not having to report things, you’re not being blocked by things, you’re really being enabled to just go on with your work. And the expectation is that IT teams and business teams and security teams are becoming more and more “self-service,” and putting the control in the hands of the users. And that just really allows people to not worry about these things, and just get on and just be productive and work.

What were you looking for when you set out to try to find a security partner?
When we went looking for the right partner, the things that were front-of-mind were: whatever we chose had to be easy to use, it had to be easy to implement, and it had to be easy to administer. I was managing a small team last year, so it couldn’t be anything that required tons and tons of work for my team to implement. It couldn’t be something that required tons and tons of documentation to be written. It couldn’t be something that required huge amounts of user training. It had to be quick, easy to use, quick to deploy, easy to deploy, with a lot of support from the vendor available if we needed that support, and it had to be self-service. It would have to be really, really intuitive. So that’s our approach to how we were looking for the right partner. I think it actually hit the nail on the head with Tessian…

How was the feedback when you implemented Tessian? How did you garner that feedback and how did it change their perception of what security controls can be like?

I’d say overwhelmingly, there was a positive response to our deployment of Tessian at the business. People—especially the exec team—would come into us quite quickly and say: “Hey, this is really cool. We’re going to stop data leakage.” We were able to catch a couple of incidents that we maybe wouldn’t have otherwise, so overwhelmingly there was this really, really positive response: “Hey, this tool is really awesome, didn’t know we could do this kind of stuff.”
Interviews With CISOs
Q&A with Tim Fitzgerald, Chief Information Security Officer at ARM
by Andrew Webb Monday, December 13th, 2021
Tim Fitzgerald is the Chief Information Security Officer (CISO) at ARM, and former CISO at Symantec.

What are some of the biggest challenges that you face, and how does that make you think about your security strategy?

Our challenges are—not to be trite, but they’re sort of opportunities as well. By far the biggest single challenge we have is ARM’s defaults around information sharing. We have a belief—and I think it has proven to be true over the 30 plus years that ARM has been in business—that the level of information sharing has allowed ARM to be extraordinarily successful and innovative. There’s no backing up from that, as an ethos of the company.

But that represents a huge amount of challenge, because we give a tremendous amount of personal freedom for how people can access our information and our systems, as well as how they use our data internally—with our peers—but also externally, with our customers, who we’re very deeply embedded with.

We don’t sell a traditional product where they buy it, then we deliver it to them, and then we’re done. The vast majority of our customers spend years with us developing their own product, based on their own intellectual property.

So the level of information sharing that happens in a relationship like that is quite difficult to manage, to be candid.
Has human layer security been part of your strategy at ARM, or even your career before ARM?

My career before ARM was at Symantec. Symantec was a very different company—you know, more of a traditional software company. It also had 25,000 people who thought they knew more about security than I did. So that presented a unique challenge in terms of how we worked with that community.

But even at Symantec, I was thinking quite hard about how we influence behavior. And ultimately, what it comes down to for me, is that I view my job in information security as something between a sociologist and a marketing expert. We’re really trying to change people’s behavior in a moment. Not universally, not their personal ethos, but will they make the right decision in this moment, to do something that won’t create a security risk for us.

I label that “microtransactions.” We get these small moments in time where we have an opportunity to interact with and to influence behavior.

And I’ve been evolving that strategy with ARM in a very different place, in some respects—but trying to think about not just how we influence their behavior in that moment in time, but actually—can we change their ethos? Can we make responsible security decision-making part of everyone’s job?

That turns out to be a very hard problem. And the way we think about that at ARM—we have a centralized security team, ultimately security is my responsibility at ARM, but we very much rely on what we very much consider to be our “extended” security team, which is all of our employees.

Essentially, our view is that they can undo all of the good that we do behind them to try and compensate for all the risk that a normal human being creates.

But I think that one of the ways we look at this that is unique at ARM is that we very much take the “people are people” view on this.
Not that they’re the weakest link, not that they don’t come with good intent, or they don’t want to be good at their job, or that they’re going to take that shortcut just to get that extra moment of productivity.    But actually, that everyone wants to do a good job, and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.  
At Tessian, we think that technology should not only keep people safe, but it should do it in a way that empowers them to do their best work. What did Tessian address for you that you couldn’t quite address with other platforms?

Coming from Symantec, I used all their technology extensively, and one of the best products Symantec has to offer is their DLP solution. I’m very familiar with that, and I would argue we had one of the more advanced installations in the world running internally at Symantec. So, I’m extremely familiar with the capability of those technologies.

What I learned in my time doing that, is that when used correctly in a finite environment, on a finite data set, that sort of solution can be very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem.

When you try to apply that broadly, it has all the same problems as everything else. You start to run into the inability of the DLP system to understand where that data is supposed to be—is this person supposed to have it, based on their role and their function? It’s not a smart technology like that, so you end up having to write these very complex rules that are hard to manage.

What I liked about Tessian is that it gave us an opportunity to use the machine learning in the background, to try and develop context about whether something that somebody was doing was either atypical—or maybe it’s not atypical, it’s part of a bad process, but by the very nature of the type of information they’re sending around and the characteristics of that information—we can get a sense of what they’re doing and whether it’s causing us risk.

So, it doesn’t require us to be completely prescriptive about what we’re doing. It allows us to learn, with the technology and with the people, about what normal patterns of behavior look like—and, therefore, intervene when it matters, and not every time another bell goes off.
Podcast, Interviews With CISOs
Q&A with Ben Aung, Chief Risk Officer at SAGE
Monday, November 29th, 2021
Ben Aung is the Chief Risk Officer at SAGE, formerly served as a Deputy Government Chief Security Officer in the UK government, and is a Tessian customer. He discussed insider threats, fear, uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder, Tim Sadler, on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.

Tessian: How has this year been for you and your team at SAGE?

Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances.

We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.

Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career?

Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, my first gig there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.
Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context.

That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.

My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.

Tessian: According to stats, insider threats have risen almost 50% in the past two years. Why do you think it’s such a challenging problem to solve?

Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact.

We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them.

We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.

The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data.
And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.

Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?

Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.”
The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations.

Effective line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.

I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do.

The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”
Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?

Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant.

There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective.

But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.
And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world.

The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would.
If you just look, in more of a social context, at how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same.

I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.

This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here,
Interviews With CISOs
Q&A with Jerry Perullo, CISO at ICE
by Andrew Webb Monday, November 22nd, 2021
Jerry Perullo has served as the CISO of Intercontinental Exchange, Inc. (NYSE: ICE) since 2001 and in that time has seen how security has moved from the ‘blame game’ to securing the human layer. In this interview, he explains how InfoSec teams can work together with employees, for a stronger security culture.

You’ve been the CISO at Intercontinental Exchange for over 20 years. How has the narrative changed on the “human factor” over that time?

Jerry: I’ve always worked closely with customers and peers, so I’ve gotten a lot of insight into the financial services landscape. It wasn’t top-of-mind in the early days—mainly because it was such a small company. It was a bit later that phishing became the number one threat vector. Because of that, the human element really came up.

Unfortunately though—as technology professionals are wont to do—the initial reaction was full-on victim-shaming. In traditional IT, there’s a lot of: “I can’t believe this person didn’t know how to plug their keyboard in,” or whatever it’s going to be. And in security, it was immediately: “I can’t believe this person clicked that…” or “…plugged in this USB,” or whatever it may have been.

And then a bit later, I think that a lot of people came around to realizing that the people they were shaming were generating their revenues and paychecks, at the end of the day, and so it wasn’t a good idea to just mock them.

So things really did start to pivot to more of an era of collaboration, and that was great. And we see some evidence of that in a lot of the training material now, which came to be more entertaining—the gamification, trying to get people involved.

And then lately I’ve seen some questioning of where that line needs to be.
Some people saying, “If anything goes wrong, it’s never the person’s fault,” so to speak—it’s always on information security, and we should know that people are humans and that they should be permitted to click things if they are available to them, and it should be on cyber to get in the way of problems.    
Do you think security teams are taking the attitude of: “It’s not because users are stupid, it’s because they’re human, and humans are going to make mistakes”?

Jerry: Yes. I do see a lot of that. And in different environments—some environments don’t have the ability to impose many controls at all. So in those cases, they’re playing “clean up” all the time.

And there are other organizations that do have the ability to impose some pretty heavy controls. And there, it is a little bit different. There, you do have individuals who have a little more time so they can work with individuals and hold them to a higher standard.
Everything you do as a security team is having some impact on the employee. How do you consider the trade-off of better security versus impacting the productivity of the employee that you’re trying to secure?

Jerry: There has historically been this notion of an inverse relationship between security and user experience.

I think that controls that have that attribute—when you impose it, people’s lives get a little bit less fun, and the more that you do the less fun it is—are generally bad controls. They’re really the “control of last resort.”

There are other things that can actually be quite helpful, and enhance productivity, visibility and awareness.

To that end, any tools that really empower the user and give them the means to protect themselves—so, for example, enriching emails and giving them the idea of the threat of it, rather than just blocking it, and giving them advice, informing them and allowing them to make those calls, or phish report buttons that a lot of products have been delivering, so they can make their own claims about what they think is good or bad.

And then giving a feedback loop on that, so they know whether they’re right or wrong, just for their education. But also, where they can gamify it a bit, and really be incentivized to spot security issues—I think that’s been really effective overall.

How has the shift to remote work impacted organizations’ security strategies and the way they’re thinking about protecting their people in 2021?

Jerry: Having a unified security strategy—I’ll be the first to admit that that’s not a given, and it’s not universally agreed what that even means. I’m fortunate that we have gone through the process of doing that, and putting pen to paper.
For us, the strategy has really been about paying attention to the threat landscape, learning from our peers or others who may have had cybersecurity issues in the world, internalizing and seeing if those same issues could manifest, and—when we identify that they could—identifying the new controls that we need to adjust, making those adjustments, then repeating the whole cycle again.

That’s certainly not changed. So we’re going to look at what’s manifesting externally, and if that happens to lever the remote-work environment more, in the threat intelligence, then that would utilize the exact same strategy, but the operationalization of it would be a little bit different.

So strategy is unchanged—but the manifestation of it may change.
I know you have a lot of thinking about this concept of adversarial risk management. Could you please outline your thoughts on that?

Jerry: Your controls that are good enough today will not be tomorrow. Because you have an adaptation of the problem.

As computing professionals, we want to have an algorithmic solution to something like phishing. And in many ways, we have.

We have a lot of platforms that are, for example, looking through attachments that are in email. And the ones that are either short-sighted or in a really unforgiving environment are trying to disassemble and sandbox attachments in real time—that sort of thing. The ones that are more effective are just blocking all attachments of certain natures.

But as that technology has evolved, the adversarial side has turned to what I call “narrative phish.” So, instead of a link or an attachment, it’s: “Hey Bob, do you have a minute?” And there’s not an algorithmic solution to that one.

I think you guys at Tessian are really fast on it. Because it’s great that the advances in machine learning have really matched that.

Because that’s what you need it for, isn’t it? Real-time, behavioral, statistical monitoring. To figure out that no-one calls you “Bob,” that this customer doesn’t really care how you’re doing. That’s how deep you’re going to have to get to really be able to have an adversarial management approach.

Listen to the full interview on our podcast, and follow us on Spotify and Apple Music.
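The “narrative phish” Jerry describes above carries no link and no attachment, so content filters have nothing to inspect; the only signal is that the message is out of character for the sender/recipient pair. The following is an added example, not Tessian’s product code and not anything Jerry described in detail: a toy per-pair behavioral baseline that records which greeting name a sender uses and whether they open with small talk, then flags a new message that deviates (“no one calls you Bob”). The sender addresses, mailbox history and suspect message are constructed for the example, and the regexes are deliberately simple; a production system would learn far more features than these two.

```python
"""Toy behavioral baseline for "narrative phish" detection (added example).

Not Tessian's code. Builds, per (sender, recipient) pair, a record of how the
sender normally greets the recipient and whether they open with pleasantries,
then reports deviations for a new message. All sample data is constructed.
"""
import re
from collections import Counter, defaultdict

# First line: "Hi Robert," / "Hey Bob" / "Good morning, Robert" -> greeting name.
GREETING_RE = re.compile(
    r"^\s*(?:hi|hello|hey|dear|good (?:morning|afternoon))[,\s]+([A-Za-z][A-Za-z'-]*)",
    re.IGNORECASE,
)
# Rapport-building openers typical of pretext mails; list is illustrative only.
PLEASANTRY_RE = re.compile(
    r"\b(?:how are you|hope you(?:'re| are) (?:well|doing well)|do you have a (?:minute|moment)"
    r"|are you (?:around|available|free)|quick (?:favou?r|question))\b",
    re.IGNORECASE,
)
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def greeting_name(body):
    """Lower-cased name the body opens with, or None if there is no salutation."""
    m = GREETING_RE.match(body)
    return m.group(1).lower() if m else None


def has_pleasantry(body):
    return bool(PLEASANTRY_RE.search(body))


class SenderBaseline:
    """What one sender's mail to one recipient normally looks like."""

    def __init__(self):
        self.messages = 0
        self.names = Counter()      # greeting name -> times seen
        self.pleasantries = 0       # messages opening with small talk

    def observe(self, body):
        self.messages += 1
        name = greeting_name(body)
        if name:
            self.names[name] += 1
        if has_pleasantry(body):
            self.pleasantries += 1


def build_baselines(history):
    """history: iterable of dicts with 'from', 'to', 'body' (and optional 'attachments')."""
    baselines = defaultdict(SenderBaseline)
    for msg in history:
        baselines[(msg["from"].lower(), msg["to"].lower())].observe(msg["body"])
    return baselines


def analyze(message, baselines, min_history=3):
    """Return {'anomalies': [...], 'content_filter_blind': bool} for one message.

    content_filter_blind is True when the mail has no link and no attachment,
    i.e. a link/attachment scanner would have nothing to act on.
    """
    body = message["body"]
    result = {
        "anomalies": [],
        "content_filter_blind": not LINK_RE.search(body) and not message.get("attachments"),
    }
    base = baselines.get((message["from"].lower(), message["to"].lower()))
    if base is None or base.messages < min_history:
        result["anomalies"].append("no usable baseline for this sender/recipient pair")
        return result
    name = greeting_name(body)
    if name and name not in base.names:
        usual = ", ".join(sorted(base.names)) or "no greeting name"
        result["anomalies"].append(f"greeting name '{name}' never used before (usual: {usual})")
    if has_pleasantry(body) and base.pleasantries == 0:
        result["anomalies"].append("opens with small talk; sender never did in prior messages")
    return result


# Constructed sample history: how "the CFO" normally writes to Robert.
HISTORY = [
    {"from": "cfo@acme.example", "to": "robert.smith@acme.example", "attachments": ["q3.xlsx"],
     "body": "Hi Robert,\n\nAttached are the Q3 numbers for the board pack. Please review by Thursday.\n\nLinda"},
    {"from": "cfo@acme.example", "to": "robert.smith@acme.example",
     "body": "Hi Robert,\n\nThe auditors want the fixed-asset register: https://intranet.acme.example/finance/far\n\nLinda"},
    {"from": "cfo@acme.example", "to": "robert.smith@acme.example",
     "body": "Hi Robert,\n\nBoard pack approved. Thanks for turning it around.\n\nLinda"},
    {"from": "cfo@acme.example", "to": "robert.smith@acme.example",
     "body": "Robert,\n\nCan you send the reconciled cash position for Friday's call?\n\nLinda"},
]

# Constructed suspect message: no link, no attachment, wrong name, unusual opener.
SUSPECT = {"from": "cfo@acme.example", "to": "robert.smith@acme.example",
           "body": "Hey Bob, do you have a minute? I need a favour handled discreetly today."}

if __name__ == "__main__":
    verdict = analyze(SUSPECT, build_baselines(HISTORY))
    for reason in verdict["anomalies"]:
        print("ANOMALY:", reason)
    print("content filters blind:", verdict["content_filter_blind"])
```

The baseline is keyed on the pair, not the sender alone, because a sender may legitimately be “Linda” to one colleague and “Ms. Jones” to another; `min_history` stops a brand-new pair from being scored as if silence were a baseline, which is the case a real system has to hand to other signals (domain age, authentication results, reporting buttons) rather than this one.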