

Interviews With CISOs
Almost Half of Chief Information Security Officers (CISOs) Have Missed A National Holiday Due to Work
By Andrew Webb
18 June 2022
Being a CISO or security leader in today’s InfoSec world is not for the faint-hearted. CISOs are some of the hardest working people in any company, regularly working extra hours and overtime to keep the company secure from threats. But this constant vigilance can mean that CISOs miss out on everything from time with the family to getting enough downtime to recharge.

We recently undertook research to see just how much time CISOs “lose” investigating potential breaches and threats, and the headline is: security leaders don’t work hard, play hard. They work hard…then work harder. In fact, 42% say they’ve missed out on a federal or national holiday like Fourth of July, Thanksgiving or Christmas because of work. You can see the full details here. But here are some highlights.

CISOs’ hard work isn’t going unnoticed

While no one wants to miss out on family time, it’s not all bad news. 89% of CISOs we surveyed believe the work they do is appreciated by employees outside their team. Furthermore, 66% of employees say they understand the role of the CISO. That’s a ringing endorsement of how valuable and visible the relatively new role of CISO has become in just a few short years.

However, just because the rest of the organization knows who you are and what you do doesn’t mean it’s plain sailing. As a result of their demanding roles, CISOs are struggling to keep up with developments that further strengthen the business, like training, hiring talent, and staying on top of the latest threat intel. They’re also missing out on important personal and social things outside of work, like public holidays and family vacations. Most concerning is the fact that some CISOs are even putting their health at risk by skipping workouts or missing doctor’s appointments.

What are CISOs busy doing?

So where is all the time going? What is it that’s causing CISOs to lose, on average, 11 hours a week in overtime? According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents. And a quarter of CISOs say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day investigating and remediating each such threat. On top of this, 38% believe they’re spending too much time in meetings and reporting to the board, and 33% also feel as though they’re being drained of time by other administrative tasks.

Looking for more detail on the things that are taking up CISOs’ time? We’ve got you covered here, but it’s clear that investigating breaches and dealing with the fallout from them is a major drain on time, resources, and mental health.

What would you do if your schedule was cleared?

We asked CISOs what they would do if they were able to claw back those Lost Hours, and it turns out their three primary objectives are:

• Spending time with family/friends
• Further strengthening the business
• Resting

Did you know that organizations with over 1,000 employees could save as many as 26,357 hours a year by automating security with Tessian? While Tessian’s Human Layer Security platform can help you automate your security, which would help you strengthen your email security defenses and save you time, we’d rather use this opportunity to share some mindfulness and productivity tips to help you switch off.

• Share the load: While – yes – CISOs are the Head Honcho within IT and security teams, that doesn’t mean you have to do everything. Remember that delegation is validation, it’s okay to ask for help, and your best bet is to prioritize, then divide and conquer.

• Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Likewise, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge.

• Unplug (like, actually…): This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.

Ready to learn more?

Want to find out how your security teams and employees can reclaim their Lost Hours? Get in touch with the Tessian team today to learn how Human Layer Security can help stop “Oh Sh*t!” moments from clogging up your schedule.
Cyber Skills Gap
IT Departments are Looking for New Jobs: Here’s How to Retain Talent
By Andrew Webb
24 March 2022
You can’t stop people from leaving for pastures new; employee turnover is a natural function of any organization. But when that trickle turns into a flood, there’s an issue. Our recent Great Re-evaluation research revealed that 55% of employees are thinking about leaving their jobs this year. What’s more, 39% are currently working their notice period or actively looking for a new role in the next six months. But who’s leaving, and why? According to research by Harvard Business Review, ‘mid-career’ employees between 30 and 45 years old have seen the greatest increase in resignation rates. The research also identified the most at-risk sectors, and alarmingly tech industry resignations came out on top, with an increase of 4.5% (compared to 3.6% in healthcare, for example). If this sounds like the situation in your security or IT team, here’s why they might be leaving, and what you can do about it.

Why are people quitting?

A recent McKinsey report highlighted that it wasn’t always the promise of a higher salary that lures people away. Instead, the things employees were looking for were: feeling valued by either the organization or by their immediate managers, a sense of belonging, and a flexible work schedule. In essence, employees were far more likely to prioritize relational factors, whereas employers were more likely to focus on transactional ones. The past two years have certainly taken their toll on security teams from the CISO down, and people are a little burnt out and stressed. SOC teams are on the front line of a company’s defenses against cyberattacks – alert fatigue is real.

What to do: Work with your people team on an employee support plan, schedule regular check-ins with team members, and explore technological solutions like – full disclosure, it’s what we use here at Tessian.

Highlight team achievements

SOC team members have a thirst for knowledge – they have to respond to an attack quickly in a high-pressure situation. If they feel they haven’t got the support and encouragement they need, both managerially and technologically, they’ll walk. After all, it can be particularly demoralizing to devote eight hours a day to defending an organization when that defense is neither valued and acknowledged nor resourced sufficiently.

What to do: As the company’s security leader, you have to beat the drum for your team’s work and show the value that it brings to the company. Remember, IBM’s ‘Cost of a Data Breach’ report tells us the average cost of a breach is $4.24 million. Communicate that, whether it’s at the all-hands or on a poster in the restrooms.

Automate and augment the mundane

The IBM Pollyanna Principle states ‘machines should work; people should think’. That means you should review your security orchestration, automation and response (SOAR) set-up periodically and see what can be automated. Things that automate well are repeatable manual tasks, threat investigations, triage of false positives, and creating reports. This Microsoft blog has some great tips on what security tasks and objectives you should automate, and why. After all, if attackers are automating many of their processes for increased efficiency, so should you.

What to do: Automating the everyday tasks, from reporting to rooting out false positives, will help you and your team concentrate on the critical issues. Be realistic about what automation is capable of. With that expectation, focus on areas where augmentation can help the team make faster and better decisions. That’s the winning formula.

Reward growth

As Mike Privette said in our podcast, security is the one corporate function that should always be growing. As we explored in this article, one of the key factors in building out a security team is that people must have confidence that they can grow and gain value by staying within the organization. So as well as increasing the team in terms of overall size, prioritize elevating existing team members into more senior roles.

What to do: Have a clear understanding of individuals’ potential career progression within the organization. Work with your People team on highlighting future opportunities and creating growth plans for 6-12 months down the line.

Make time for training, learning and development

As well as promotions and increased responsibilities for some team members, training across the team keeps everyone united and aligned. Training in conjunction with things like automation is most effective when you’re looking to change behaviors, such as decreasing response times or improving triage. For the fifth straight year, the ISSA and ESG cybersecurity survey reveals that 59% of cybersecurity professionals agree that while they try to keep up with cybersecurity skills development, job requirements often get in the way. As the survey notes, ‘This training gap is quietly increasing cyber risks at your organization’.

What to do: Designate a baseline metric to improve upon, and design a training program that is focused, flexible, and able to meet that metric. If training lacks an objective and feels like a chore, people will treat it as a chore.

Finally, if people are dead set on leaving, the only thing you can do is wish them all the best. Infosec is a small world, and chances are your paths might cross again.
Cyber Skills Gap
There Isn’t a Cyber Skills Shortage, You’re Just Not Hiring and Retaining The Right People
By Josh Yavor
18 March 2022
The Cyberseek heatmap shows there are over 500,000 cyber job openings in the US alone, and globally over 3.5 million. With so many unfilled vacancies there must be a skills shortage, right? I’m not so sure. I think our perceived talent and skills shortage is largely self-inflicted because, as an industry, we’re sadly terrible at hiring, growing, and retaining people. Too many organizations are chasing a finite number of senior-level people, which results in two critical problems. The first is self-inflicted: over the past decade, as an industry, we have failed to grow enough people from entry and mid-level positions into senior-level roles. The second is that many organizations believe they can only hire senior talent rather than grow and retain the talent they already have. If we don’t invest in people earlier in their career, we will never have the talent pool our collective job postings demand.

The problem with hiring only senior talent

We tend to spend a lot of time and energy looking for “unicorn hires”. These hires can take months of our energy and attention for each role. In aggregate, we risk incurring opportunity costs that prevent us from growing a person – or several people – into these capabilities. Of course, the security industry is not the only offender. Many technical roles outside of security are subject to the same type of bad behavior. We allow ourselves to create job postings with requirements that are sometimes impossible – like requesting 10+ years’ experience in a technology that has literally only existed for five. So why are situations like this happening? Despite good intentions, a recruitment team supporting a security team without enough investment of time and partnership from the engineering managers is going to get these things wrong. It’s not their fault, but a clear indication that we need to be better together.

I challenge hiring managers to answer this important question: what specific skills and experiences do 5-10 years of experience mean to you? When I ask this, one of two things happens: they either can’t answer it – which is a good indicator that it shouldn’t go in the job description – or they can, and this becomes the start of better job requirements. Chronological time doesn’t tell us all that much about someone’s capabilities, how they grew (or didn’t), or what they’re good at. Instead, we should be focusing on things like core experiences, history of growth, skill sets, and capabilities. That’s what we should switch our requirements and expectation language to. So we should seek people who have specific experiences or capabilities, such as leading specific team sizes, adapting to rapid change in a high-growth organization, or having navigated significant technology migrations. These are more equitable, measurable, and useful capability assessments that don’t rule out qualified candidates by setting minimums for years of work experience.

Reminder: if a team runs itself for six months while you hire a manager, you shouldn't be hiring, you should be promoting. — Matt Wallaert (@mattwallaert) November 18, 2020

The great resignation

We’ve covered the great resignation/re-evaluation/migration previously on this blog. But even before this movement, we were already seeing an average ‘in role’ time of just 18 to 36 months for many security individuals. That’s a high turnover, and The Great Migration has only increased it. Senior decision-makers across the US report an average security staff turnover rate of 20%, according to research from ThreatConnect. Compare that to another study by Michael Booz that found that the global average for all roles was around 11%.

Organizations should be focused on what it takes to keep people longer. To retain people, there are two key factors. First, people must have confidence that they can grow and gain value by staying within the organization. Second, they need to be able to experience recognition, and crucially – rewards, for their increasing value both in the market and in their organization. Too often we prioritize budget for new hires when the best option is to invest in the people we already have on staff and reward them before someone else does. In my experience, not enough is done during the first two years of employment to give employees confidence that there is an ongoing trajectory for them in terms of growth, recognition, and rewards. And by the time we get to that two-year point, the first time that the organization hears about it is when they’re getting the resignation letter. Sadly, that is THE WORST time to attempt a growth and rewards conversation.

Creating a better pipeline

Of course, as people level up and grow into new roles, you need new recruits. But many security leaders are reluctant to have their teams be the first stop in someone’s security career. However, there are plenty of security roles that are great places to get a start in security while applying relevant and overlapping skills from previous non-security roles. There are very few cases where significant skill transfer from non-security to security roles is not possible. Some of the more obvious examples are IT system administrators becoming enterprise security engineers, software developers being successful in product security roles, etc. We need to look beyond these examples and expand our mapping of critical skills and capabilities to additional roles and backgrounds. Some of the most talented security professionals in our industry today come from much more diverse backgrounds. Some went to university to study linguistics, art, or math, and many never pursued higher education.

Your next security hire could come from customer success, marketing, or human resources

One of the things we need to be more conscious of is that security roles don’t just need technical skill sets. In fact, training people up in specific technical skills is relatively easy to do. Instead, we should be optimizing security roles for people who are making a job transition. Security teams can benefit hugely from the things that are NOT easy to train people up on, like emotional intelligence, personal relationship management, and communication skills. I’ve done this myself. I supported hiring someone with a background in customer service for a security operations role. 90% of the job is still based on providing effective customer service and rapidly triaging problems to identify the most appropriate solutions; it’s just a different set of customers and problems. We can train people on how to use our technology and how to think about security. What’s much harder is training people to be effective communicators with empathy and the high emotional intelligence to provide exceptional outcomes while supporting people.

I’ll finish how I started, by saying again that there isn’t necessarily a skills shortage in many cybersecurity roles. We’re just setting the requirements poorly, largely ignoring retention, failing to take advantage of skill transference opportunities from non-security roles, and not giving people the opportunity to grow. Want to join us at Tessian and start or develop your security career? Check out our open roles. What’s it like to work here? Here are 200 reasons why you’ll love it. Want to find out more about diversity and the cyber skills gap? Register for our upcoming LinkedIn Live.
Cyber Skills Gap
New Research: 1 in 3 Employees in IT and Security Teams Are Female
By Maddie Rosenthal
07 March 2022
As the global job market has contracted over the last 18 months, cybersecurity has expanded, putting IT and security professionals in higher demand than ever. But diversity is still a big problem in the industry, and it’s one that security leaders, HR teams, and recruiters are desperately trying to solve. And, while there’s still room for improvement, new research shows that organizations are prioritizing diversity and inclusion (D&I), and it’s paying off: 1 in 3 employees in IT and security teams are female.

Why is diversity so important in cybersecurity?

We know instinctively why D&I matters from an ethical perspective. But, year after year, research from consulting firms like McKinsey shows there’s a strong business case for diversity, too. It helps boost innovation, increase job satisfaction, and helps drive higher profitability, market share, and return. It’d also have a big impact on the global economy. The Center for Economics and Business Research quantified just how much of an impact: if the number of women working in cybersecurity rose to equal that of men, we’d see a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK. And, if women earned as much as their male counterparts, we’d see billions more pour in, with a further $12.7 billion added in the US and £4.4 billion in the UK. So, how diverse is the industry today?

How diverse is the industry today?

A recent survey of 250 IT leaders in the US and UK revealed that:

• On average, one in three (33%) employees in IT and security teams, in UK and US organizations, are female
• IT leaders in US organizations have slightly more diverse teams, with 36% of their team being female, versus 30% of IT teams in UK organizations
• Larger companies are more likely to have greater diversity in their teams. 36% of IT teams in medium-sized businesses (25-499 employees) are female, and 34% of IT teams in large enterprises (1000+ employees) are female. This drops to 29% in small businesses (2-49 employees)

But it’s not just about gender. It’s about geo, professional experience, educational background (or lack thereof), age, religion, and more. According to a 2021 report from (ISC)2, while minority professionals make up a significant portion of the cybersecurity workforce, they’re underrepresented across senior roles within their organizations. Among minority cybersecurity professionals, just 23% hold a role of director or above, 7% below the U.S. average. And, interestingly, minorities who have advanced into leadership roles often hold higher degrees of academic education than their Caucasian peers who occupy similar positions. Of minorities in cybersecurity, 62% have obtained a master’s degree or higher, compared to 50% of professionals who identified as White or Caucasian.

That said, progressive IT leaders do have objectives in place to hire people from a more diverse range of backgrounds:

• 56% of IT leaders in US organizations have objectives around increasing efforts to hire people from a more diverse range of backgrounds in 2022
• 46% of IT leaders in UK firms have objectives around increasing efforts to hire people from a more diverse range of backgrounds in 2022
• 65% of large businesses (1000+ employees) have objectives around increasing efforts to hire people from a more diverse range of backgrounds in 2022

This begs the question: what can organizations do to ensure a more diverse workforce, including diverse leadership?

How can organizations hire (and keep) diverse talent?

Hiring diverse talent

To better understand what would encourage more diversity in cybersecurity, we asked female practitioners what would make the biggest impact. Here’s what they said:

According to Tessian’s CISO, Josh Yavor, job descriptions and requirements are turning people off and away, too. “We have to look at the terrible multi-decade history of awful job descriptions and requirements in cybersecurity. This industry is bad at posting entry-level descriptions that require unreasonable levels of experience and this makes it impossible to hire anyone. The challenge I give to hiring managers is to ask them, what does 5-10 years of experience actually mean to you? What does 5-10 years of experience look like and what value does that actually provide?” Josh explained.

It’s essential that organizations remove barriers to entry like 4-year degrees, cybersecurity certifications, and previous experience. Of course, IT skills and knowledge of computer science and engineering may be prerequisites for some roles in cybersecurity. But all roles require soft skills. For example, data analytics, analytical thinking, creative thinking, and collaboration.

Retaining diverse talent

The Great Resignation of 2021 has continued well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance and even exploring a career in a completely new industry. According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year. The most likely department to be on their way out? IT. That means retaining diverse talent is just as important as hiring diverse talent. How? Prioritize employee wellbeing, promote flexibility, offer good perks (which means more than just snacks, beer, and ping pong), build a good company culture, and invest in career development.

Looking for a new gig?

If you’re looking for your next gig, and want all of the above, explore Tessian’s open roles.
Interviews With CISOs
Q&A with Karl Knowles, Global Head of Cyber at international law firm HFW
21 December 2021
Karl Knowles is Global Head of Cyber at international law firm HFW. Tessian’s Customer Success Manager, Amelia Dunton, spoke to Karl about building defense in depth to combat advanced inbound attacks.

Tell us a bit about your role as Head of Cyber at HFW. What do you think companies should be most aware of when it comes to email security, specifically inbound email attacks?

One of the first things we need to consider is that email isn’t going anywhere—despite the fact that everybody wants it to go somewhere. It does seem to be the main preference of communication, and for all different businesses and industries—not just in legal.

But since the pandemic, there’s been a huge spike in email threats, as we all know. In fact, Mimecast pushed out a report where they had detected a 64% increase in email attacks as people move towards more hybrid environments.

And what we’ve seen, and what we continue to see, are increased impersonation attacks… You have to see Microsoft, Google, Dropbox—they’re all being impersonated on a daily basis. In fact, impersonation attacks account for nearly half of the email attacks that we receive. And then, of course, we’ve got the issues around domain spoofing and account takeovers all becoming more sophisticated—more difficult to see.

And certainly, you need to be conscious at all times when you receive an email. You need to take a breath—you need to take a bit of time, and you have to look at it. But that’s not always the case, and it’s never as easy as just taking that time, taking that moment. Because, as you know, the domain impersonations are very realistic. Some of the emails have been crafted better, so you need something else to help you with that.

Regarding inbound attacks specifically, is there a vulnerability gap when relying solely on a secure email gateway (SEG)?

Well firstly, it’s about evolving threats. And as we evolve our defenses, we’ve got to remember our adversaries are doing the same. Their TTPs are changing all the time, so we need to be on our toes. And we’ve seen the examples of this, as I mentioned before, with the amount of impersonation attacks—where people email from other locations purporting to be from areas where they are registered. And this is where we need to be warning our users.

But we’ve also seen new domains being spun up. Why shouldn’t you be allowed to create a domain if you know how? It doesn’t mean to say that just because you’re creating an email domain, you’re going to use it for nefarious reasons. But the secure email gateway itself won’t just put that domain on a blacklist—and nor should it. Because, just because a domain’s been spun up, it doesn’t mean to say it’s malicious.

So that’s where you need something like Tessian Defender to kick in—because the SEG isn’t going to block it. It’s going to say, “Well, actually, just because you’re new, doesn’t mean to say you’re malicious.” But then what Defender will do is, it will just prompt you as you receive that email to say: “Hey, you know this is the first time your organization has seen this new domain?” So it just acts as a bit of a pause.

But this will also pick up when your normal senders’ domains come from a different location. As I said before with account takeovers, you can be communicating with an organization from Hong Kong, and you can have regular emails—maybe a dozen a day—and all of a sudden, an email comes from that domain—but it’s not in Hong Kong, it’s in The Netherlands.

So you need something to do that—because the secure email gateway isn’t always going to pick that up. So you need a bit of a: “Hey, do you realize that this email has come from a completely different location to where that domain normally sends its emails from?”

What do you think security leaders need to rethink? What’s your advice to them?

Well firstly, we need to say that malicious emails aren’t going anywhere. They’re getting more and more sophisticated by the day—so we can’t think that, you know, one tool is going to fix everything. Maybe one day, but as it is at the moment—we’ve got to make sure that we have the technology just to protect our people. But we also need to make sure that our users—as the goalkeepers, as we refer to them, the “last line of defense”—know what their responsibilities are, as well.

Because for me, as a security leader—it’s all well and good, me showing them a warning. Tessian will show a warning if an account takeover is triggered, or it’s an official email, or it’s a newly-observed domain—which is really good, but unless the user actually does something with that, and reports that, or blocks it, then it doesn’t actually mean too much.

Because if they can continue to communicate with that malicious domain, then you’ve got yourself a problem—it doesn’t matter about the technology. So, the first thing is: it’s getting more sophisticated, but we need to work with our staff, our users, to make sure that they understand the important role that they play, and that they can’t just rely on technology. The technology’s there to support them, but it’s not the be-all-and-end-all.

We also can’t expect our users to spot these emails just with the naked eye. We’ve got to appreciate that they’re working now in more hybrid environments, using devices such as mobile telephones, iPads, laptops, computers. And each one of those will display things differently. And depending on where they’re working, whether they’re working on a train, in a cafe, at home, or in the office, what we’ve got to consider is the factors that are going on around them at that time: what their mood is, what stresses are going on at the time…

The people that want to gain something from them know this, and they will prey on our weaknesses, by using a sense of urgency, by crafting words correctly. And when you’re operating in such an environment, where you’ve got multiple things to consider and you’re doing a lot of things at the same time, this is when you need to take a step back and briefly just make sure you think before you click that link.

If you haven’t got that secure email gateway… if you haven’t got that machine learning at the top end of that, and then right the way back to the human layer—which is the goalkeeper—making it as easy as possible for them to make the right decision at the right time.
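The two inbound checks Karl describes above, a "first time your organization has seen this domain" prompt and a "this domain normally sends from Hong Kong, not the Netherlands" prompt, as an added example that is not HFW's or Tessian's code. It assumes each message has already been reduced to a sender domain and an origin country (for instance from a GeoIP lookup on the connecting host, which is not performed here) and that a small constructed in-memory history stands in for the organization's real mail archive.

```python
"""Defender-side warnings for inbound mail, driven by what the organization has
previously seen from each sender domain. Added illustration, not vendor code."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class InboundMessage:
    sender_domain: str
    origin_country: str  # ISO code of the sending host; assumed pre-computed (e.g. GeoIP)


@dataclass
class SenderHistory:
    """Per-domain tally of the countries messages have arrived from."""
    countries_by_domain: dict = field(default_factory=lambda: defaultdict(Counter))

    def record(self, msg: InboundMessage) -> None:
        self.countries_by_domain[msg.sender_domain.lower()][msg.origin_country] += 1

    def warnings(self, msg: InboundMessage, min_messages: int = 10,
                 rare_share: float = 0.05) -> list[str]:
        """Return user-facing prompts for this message, or [] if nothing stands out.

        min_messages: history needed before a location is judged "unusual"; a
                      domain seen only once or twice has no established pattern.
        rare_share:   a country seen in fewer than this fraction of the domain's
                      messages is treated as a departure from its normal location.
        """
        domain = msg.sender_domain.lower()
        seen = self.countries_by_domain.get(domain)  # .get avoids creating an entry
        if not seen:
            return [f"newly observed domain: this is the first time the organization "
                    f"has received email from {domain}"]
        total = sum(seen.values())
        share = seen[msg.origin_country] / total  # Counter returns 0 for unseen keys
        if total >= min_messages and share < rare_share:
            usual = ", ".join(country for country, _ in seen.most_common(2))
            return [f"unusual sending location: {domain} normally sends from {usual}, "
                    f"but this message came from {msg.origin_country}"]
        return []


def triage(history: SenderHistory, batch: list[InboundMessage]) -> list[tuple[str, list[str]]]:
    """Evaluate each message against history *before* adding it, so a burst of
    messages from a new location cannot quietly become the new baseline."""
    results = []
    for msg in batch:
        results.append((msg.sender_domain, history.warnings(msg)))
        history.record(msg)
    return results


def build_sample_history() -> SenderHistory:
    """Constructed sample history (not real traffic): a dozen messages from a
    Hong Kong partner and two from a seldom-heard-from domain."""
    history = SenderHistory()
    for _ in range(12):
        history.record(InboundMessage("partner.example.hk", "HK"))
    for _ in range(2):
        history.record(InboundMessage("occasional.example", "HK"))
    return history


if __name__ == "__main__":
    sample_batch = [
        InboundMessage("partner.example.hk", "HK"),   # routine, no prompt
        InboundMessage("partner.example.hk", "NL"),   # same domain, new country
        InboundMessage("never-seen.example", "GB"),   # first contact from this domain
        InboundMessage("occasional.example", "NL"),   # too little history to judge
    ]
    for domain, prompts in triage(build_sample_history(), sample_batch):
        print(domain, "->", prompts or "no warning")
```

The thresholds are deliberately conservative: a domain with only a handful of prior messages never triggers the location prompt, which keeps the warning meaningful rather than another alert users learn to click through.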
Email DLP Interviews With CISOs
Q&A with Punit Rajpara, Head of IT and Business Systems at GoCardless
21 December 2021
Punit Rajpara is Head of IT and Business Systems at GoCardless. In this Q&A he tells us how GoCardless won over the entire organization—from employees to board members—with their forward-thinking data loss prevention (DLP) program. Dig deep into the intuitive and effective user warnings, powerful analytics, and reporting tools that helped prove their business case.   Could you please give us a quick introduction to yourself and your role at GoCardless?   I’m the Head of Business Systems at GoCardless. I’ve been here just over a year—joined at the crazy pandemic time so it’s been an interesting year. Plus, prior to GoCardless, I was at WeWork and Uber, so I clearly love the hot startup journey and putting in core tools. GoCardless is in the space solving for payments—so whether that’s recurring or one-time payments.   We’ve just really done some really cool stuff at the Urban Bank and you should check it out. We service payments across 30 different countries and we process about 20 billion in revenue for other merchants every year. DLP can be a really daunting project, for many. At GoCardless, was your starting point in DLP?   Yeah, I think I’d say boring and daunting. It’s one of those things that just kind of there, and it can be disruptive to users. So, I guess our starting point was we… like I said, it was kind of just there. We used Google DLP to kick off, and the inbuilt DLP tools, and we found those a little bit complex to configure.   So we’re coming to this realization—just when everything just happened and we went to market—to look for somebody better. We realized it needs an admin of its own—it’s just configured a bunch of policies that just block stuff for our users all the time. And it didn’t seem very “user-in-mind.” So that’s our starting point: Google-based DLP tools. A bit boring, a bit daunting, like you said, and just… there. What was it that instigated you to start thinking: “OK, we need a new approach”?   
We had an incident where somebody sent a file to a friend, instead of to the right recipient. And we got a bit lucky, where the friend said: “Oh, did you really mean to send me this file?” and it was an important file that probably shouldn’t have gone to the friend. And the person that caught that and came straight to us and said, “Hey—do we have a way of stopping me from sending things I shouldn’t to the wrong people?” And we’re like: “Maybe… Let’s go and have a look at it.”    So, we weren’t intentionally looking at DLP, but it’s one of these things where it allows us to be used a little as well, so users will come and talk to the problem, and go: “Hey, I’ve made this stupid mistake—what should I do?” and “Can you do anything to help me not make that mistake again?”   So, that’s what really led us down the road of going: “We should look at this problem. We should look at inbound and outbound DLP and see if we can make it easy for our users not to do things that are going to be harmful to them and the business.” How have you got your employees to that state, where they’re actually coming forward and saying “Hey, how can we stop it going forward?” I think it’s part of that kind of scale-up workforce culture, where people are expecting not to do things by themselves constantly. If you look at all aspects of… mostly business systems and IT, there’s a huge focus today on ultimate automation and self-service. So people are used to working in organizations where you’re not having to report things, you’re not being blocked by things, you’re really being enabled to just go on with your work. And the expectation is that IT teams and business teams and security teams are becoming more and more “self-service,” and putting the control in the hands of the users. And that just really allows people to not worry about these things, and just get on and just be productive and work. What were you looking for when you set out to try to find a security partner? 
When we went looking for the right partner, the things that were front-of-mind were: whatever we chose had to be easy to use, it had to be easy to implement, and it had to be easy to administer. I was managing a small team last year, so it couldn’t be anything that required tons and tons of work for my team to implement. It couldn’t be something that required tons and tons of documentation to be written. It couldn’t be something that required huge amounts of user training.  It had to be quick, easy to use, quick to deploy, easy to deploy, with a lot of support from the vendor available to get it out if we needed that support, and it had to be self-service. It would have to be really, really intuitive. So that’s our approach to how we were looking for the right partner. I think it actually hit the nail on the head with Tessian…  How was the feedback when you implemented Tessian? How did you garner that feedback and how did it change their perception of what security controls can be like? I’d say overwhelmingly, there was a positive response to our deployment of Tessian at the business. People—especially the exec team—would come into us quite quickly and say: “Hey, this is really cool. We’re going to stop data leakage.”  We were able to catch a couple of incidents that we maybe wouldn’t have otherwise, so overwhelmingly there was this really, really positive response: “Hey, this tool is really awesome, didn’t know we could do this kind of stuff.”
Interviews With CISOs
Q&A with Tim Fitzgerald, Chief Information Security Officer at ARM
By Andrew Webb
13 December 2021
Tim Fitzgerald is the Chief Information Security Officer (CISO) at ARM, and former CISO at Symantec.   What are some of the biggest challenges that you face, and how does that make you think about your security strategy? Our challenges are—not to be trite, but they’re sort of opportunities as well. By far the biggest single challenge we have is ARM’s defaults around information sharing. We have a belief—and I think it has proven to be true over the 30 plus years that ARM has been in business—that the level of information sharing has allowed ARM to be extraordinarily successful and innovative. There’s no backing up from that, as an ethos of the company.    But that represents a huge amount of challenge, because we give a tremendous amount of personal freedom for how people can access our information and our systems, as well as how they use our data internally—with our peers—but also externally, with our customers, who we’re very deeply embedded with.   We don’t sell a traditional product where they buy it, then we deliver it to them, and then we’re done. The vast majority of our customers spend years with us developing their own product, based on their own intellectual property.   So the level of information sharing that happens in a relationship like that is quite difficult to manage, to be candid.
Has human layer security been part of your strategy at ARM, or even your career before ARM? My career before ARM was at Symantec. Symantec was a very different company—you know, more of a traditional software company. It also had 25,000 people who thought they knew more about security than I did. So that presented a unique challenge in terms of how we worked with that community.   But even at Symantec, I was thinking quite hard about how we influence behavior. And ultimately, what it comes down to for me, is that I view my job in information security as something between a sociologist and a marketing expert. We’re really trying to change people’s behavior in a moment. Not universally, not their personal ethos, but will they make the right decision in this moment, to do something that won’t create a security risk for us.   I label that “microtransactions.” We get these small moments in time where we have an opportunity to interact with and to influence behavior.    And I’ve been evolving that strategy with ARM in a very different place, in some respects—but trying to think about not just how we influence their behavior in that moment in time, but actually—can we change their ethos? Can we make responsible security decision-making part of everyone’s job?   That turns out to be a very hard problem. And the way we think about that at ARM—we have a centralized security team, ultimately security is my responsibility at ARM, but we very much rely on what we very much consider to be our “extended” security team, which is all of our employees.   Essentially, our view is that they can undo all of the good that we do behind them to try and compensate for all the risk that a normal human being creates.    But I think that one of the ways we look at this that is unique at ARM is that we very much take the “people are people” view on this. 
Not that they’re the weakest link, not that they don’t come with good intent, or they don’t want to be good at their job, or that they’re going to take that shortcut just to get that extra moment of productivity.    But actually, that everyone wants to do a good job, and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.  
At Tessian, we think that technology should not only keep people safe, but it should do it in a way that empowers them to do their best work. What did Tessian address for you that you couldn’t quite address with other platforms? Coming from Symantec, I used all their technology extensively, and one of the best products Symantec has to offer is their DLP solution. I’m very familiar with that, and I would argue we had one of the more advanced installations in the world running internally at Symantec. So, I’m extremely familiar with the capability of those technologies.    What I learned in my time doing that, is that when used correctly in a finite environment, on a finite data set, that sort of solution can be very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem.   When you try to apply that broadly, it has all the same problems as everything else. You start to run into the inability of the DLP system to understand where that data is supposed to be—is this person supposed to have it, based on their role and their function? It’s not a smart technology like that, so you end up having to write these very complex rules that are hard to manage.   What I liked about Tessian is that it gave us an opportunity to use the machine learning in the background, to try and develop context about whether something that somebody was doing was either atypical—or maybe it’s not atypical, it’s part of a bad process, but by the very nature of the type of information they’re sending around and the characteristics of that information—we can get a sense of what they’re doing and whether it’s causing us risk.   So, it doesn’t require us to be completely prescriptive about what we’re doing. It allows us to learn, with the technology and with the people, about what normal patterns of behavior look like—and, therefore, intervene when it matters, and not every time another bell goes off.
Podcast Interviews With CISOs
Q&A with Ben Aung, Chief Risk Officer at SAGE
29 November 2021
Ben Aung is the Chief Risk Officer at SAGE, formerly served as a Deputy Government Chief Security Officer in the UK government, and is a Tessian customer. He discussed insider threats, fear, uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder, Tim Sadler, on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.   Tessian: How has this year been for you and your team at SAGE?   Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances.    We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.   Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career? Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, the first gig I got there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.
Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context.   That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.    My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.   Tessian: According to stats, insider threats have risen almost about 50% in the past two years. Why do you think it’s such a challenging problem to solve?   Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact.   We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them.    We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.   The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data. 
And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.    Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?   Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.”
The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations.   Effective line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.    I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do.   The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”
Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?   Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant.   There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective.   But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.
And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world.   The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would. 
If you just look, in more of a social context, at how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same.   I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.   This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here.
Interviews With CISOs
Q&A with Jerry Perullo, CISO at ICE
By Andrew Webb
22 November 2021
Jerry Perullo has served as the CISO of Intercontinental Exchange, Inc. (NYSE: ICE) since 2001 and in that time has seen how security has moved from the ‘blame game’ to securing the human layer. In this interview, he explains how InfoSec teams can work together with employees, for a stronger security culture.   You’ve been the CISO at Intercontinental Exchange for over 20 years. How has the narrative changed on the “human factor” over that time?   Jerry: I’ve always worked closely with customers and peers, so I’ve gotten a lot of insight into the financial services landscape. It wasn’t top-of-mind in the early days—mainly because it was such a small company. It was a bit later that phishing became the number one threat vector. Because of that, the human element really came up.   Unfortunately though—as technology professionals are wont to do—the initial reaction was full-on victim-shaming. In traditional IT, there’s a lot of: “I can’t believe this person didn’t know how to plug their keyboard in,” or whatever it’s going to be. And in security, it was immediately: “I can’t believe this person clicked that…” or “…plugged in this USB,” or whatever it may have been.   And then a bit later, I think that a lot of people came around to realizing that the people they were shaming were generating their revenues and paychecks, at the end of the day, and so it wasn’t a good idea to just mock them.   So things really did start to pivot to more of an era of collaboration, and that was great. And we see some evidence of that in a lot of the training material now, which came to be more entertaining—the gamification, trying to get people involved.   And then lately I’ve seen some questioning of where that line needs to be. 
Some people saying, “If anything goes wrong, it’s never the person’s fault,” so to speak—it’s always on information security, and we should know that people are humans and that they should be permitted to click things if they are available to them, and it should be on cyber to get in the way of problems.    
Do you think security teams are taking the attitude of: “It’s not because users are stupid, it’s because they’re human, and humans are going to make mistakes”?   Jerry: Yes. I do see a lot of that. And in different environments—some environments don’t have the ability to impose many controls at all. So in those cases, they’re playing “clean up” all the time.   And there’s other organizations that do have the ability to impose some pretty heavy controls. And there, it is a little bit different. There, you do have individuals who have a little more time so they can work with individuals and hold them to a higher standard.  
Everything you do as a security team is having some impact on the employee. How do you consider the trade-off of better security versus impacting the productivity of the employee that you’re trying to secure?   Jerry: There has historically been this notion of an inverse relationship between security and user experience.    I think that controls that have that attribute—when you impose it, people’s lives get a little bit less fun, and the more that you do the less fun it is—are generally bad controls. They’re really the “control of last resort.”   There are other things that can actually be quite helpful, and enhance productivity, visibility and awareness.    To that end, any tools that really empower the user and give them the means to protect themselves—so for example, enriching emails and giving them the idea of the threat of it, rather than just blocking it, and giving them advice, informing them and allowing them to make those calls, or phish report buttons that a lot of products have been delivering, so they can make their own claims about what they think is good or bad.   And then giving a feedback loop on that, so they know whether they’re right or wrong, just for their education. But also, where they can gamify it a bit, and really be incentivized to spot security issues—I think that’s been really effective overall.   How has the shift to remote work impacted organizations’ security strategies and the way they’re thinking about protecting their people in 2021?   Jerry: Having a unified security strategy—I’ll be the first to admit that that’s not a given, and it’s not universally agreed what that even means. I’m fortunate that we have gone through the process of doing that, and putting pen to paper.    
For us, the strategy has really been about paying attention to the threat landscape, learning from our peers or others who may have had cybersecurity issues in the world, internalizing and seeing if those same issues could manifest, and—when we identify that they could—identifying the new controls that we need to adjust, making those adjustments, then repeating the whole cycle again.   That’s certainly not changed. So we’re going to look at what’s manifesting externally, and if that happens to lever the remote-work environment more, in the threat intelligence, then that would utilize the exact same strategy, but the operationalization of it would be a little bit different.   So strategy is unchanged—but the manifestation of it may.
I know you have a lot of thinking about this concept of adversarial risk management. Could you please outline your thoughts on that?   Jerry: Your controls that are good enough today will not be tomorrow. Because you have an adaptation of the problem.    As computing professionals, we want to have an algorithmic solution to something like phishing. And in many ways, we have.    We have a lot of platforms that are, for example, looking through attachments that are in email. And the ones that are either short-sighted or in a really unforgiving environment are trying to disassemble and sandbox attachments in real time—that sort of thing. The ones that are more effective are just blocking all attachments of certain natures.   But as that technology has evolved, the adversarial side has turned to what I call “narrative phish.” So, instead of a link or an attachment, it’s: “Hey Bob, do you have a minute?” And there’s not an algorithmic solution to that one.    I think you guys at Tessian are really fast on it. Because it’s great that the advances in machine learning have really matched that.    Because that’s what you need it for, isn’t it? Real-time, behavioral, statistical monitoring. To figure out that no-one calls you “Bob,” that this customer doesn’t really care how you’re doing. That’s how deep you’re going to have to get to really be able to have an adversarial management approach.   Listen to the full interview on our podcast, and follow us on Spotify and Apple Music.
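Two of the interviews above describe the same underlying idea from opposite directions: Punit Rajpara’s incident of a file sent to a friend instead of the intended recipient (an outbound misdirection that a static policy did not catch), and Jerry Perullo’s “narrative phish” that carries no link or attachment and can only be spotted by knowing that nobody calls the recipient “Bob.” The following Python is an added illustration written for this page, not code from Tessian, GoCardless or ICE. It builds a per-user baseline from a constructed mail history (all addresses and message bodies are invented), then scores outbound mail for misdirection signals (first-time recipient, look-alike domain of a known contact) and inbound mail for narrative-phish signals (first contact, unfamiliar salutation, urgency language, nothing for a gateway to inspect). The phrase lists, the edit-distance threshold of 2 and the reason strings are this example’s own assumptions; a production system would learn such features rather than hard-code them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str


# Hypothetical signal patterns for this example; a real deployment would learn these
URGENCY = re.compile(
    r"\b(urgent|asap|right away|do you have a minute|wire transfer|gift cards?)\b", re.I)
SALUTATION = re.compile(r"^\s*(?:hi|hey|hello|dear)\s+([A-Za-z]+)", re.I)
LINK_OR_ATTACHMENT = re.compile(r"https?://|\[attachment:", re.I)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains such as acme vs acrne."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Baseline:
    """Per-user model of who they exchange mail with and how those people address them."""

    def __init__(self, history: List[Message]):
        self.contacts = defaultdict(set)   # address -> addresses it has exchanged mail with
        self.names = defaultdict(set)      # (sender, recipient) -> salutation names sender has used
        for m in history:
            self.contacts[m.sender].add(m.recipient)
            self.contacts[m.recipient].add(m.sender)
            hit = SALUTATION.match(m.body)
            if hit:
                self.names[(m.sender, m.recipient)].add(hit.group(1).lower())

    def lookalike(self, user: str, addr: str) -> Optional[str]:
        """Return a known contact domain of `user` that `addr`'s domain closely resembles."""
        d = domain(addr)
        for known in {domain(a) for a in self.contacts[user]}:
            if known != d and edit_distance(known, d) <= 2:   # threshold is an assumption
                return known
        return None

    def check_outbound(self, m: Message) -> List[str]:
        """Misdirection signals for mail an internal user is about to send."""
        reasons = []
        if m.recipient not in self.contacts[m.sender]:
            reasons.append("first-time recipient")
            known = self.lookalike(m.sender, m.recipient)
            if known:
                reasons.append(f"recipient domain {domain(m.recipient)} resembles {known}")
        return reasons

    def check_inbound(self, m: Message) -> List[str]:
        """Narrative-phish signals for mail arriving at an internal user."""
        reasons = []
        if m.sender not in self.contacts[m.recipient]:
            reasons.append("first contact from sender")
            known = self.lookalike(m.recipient, m.sender)
            if known:
                reasons.append(f"sender domain {domain(m.sender)} resembles {known}")
        hit = SALUTATION.match(m.body)
        used = self.names.get((m.sender, m.recipient))
        if hit and used and hit.group(1).lower() not in used:
            reasons.append(f"sender has never addressed recipient as '{hit.group(1)}'")
        if URGENCY.search(m.body):
            reasons.append("urgency or payment language")
        if reasons and not LINK_OR_ATTACHMENT.search(m.body):
            reasons.append("no link or attachment for a gateway to inspect")
        return reasons


# Constructed history for one internal user; addresses and bodies are invented for this example
HISTORY = [
    Message("alice@acme.example", "bob@corp.example",
            "Hi Robert, minutes from Tuesday attached. [attachment: minutes.pdf]"),
    Message("bob@corp.example", "alice@acme.example", "Hi Alice, thanks, looks good."),
    Message("bob@corp.example", "carol@partner.example", "Hello Carol, draft contract below."),
]
BASELINE = Baseline(HISTORY)

if __name__ == "__main__":
    print(BASELINE.check_outbound(Message("bob@corp.example", "alice@acrne.example",
                                          "Hi Alice, board pack attached. [attachment: board.xlsx]")))
    print(BASELINE.check_inbound(Message("alice@acme.example", "bob@corp.example",
                                         "Hey Bob, do you have a minute? Need a wire transfer asap.")))
```

The outbound check fires on the second message in the usage above because `acrne.example` is within two edits of the known `acme.example`; the inbound check fires on a known sender because the only name Alice has ever used for Bob is “Robert,” and the mail carries urgency language with nothing a gateway could sandbox. Neither check needs a prescriptive rule per data type, which is the point both interviewees make.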
ATO/BEC Integrated Cloud Email Security Interviews With CISOs
All Cybersecurity 2022 Trend Articles Are BS, Here’s Why
By Josh Yavor
16 November 2021
Ah, the holidays. As we roll up to the end of the year, one thing’s as certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.    And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.    Well this year, we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.
And on Twitter, the feeling is similar…

“My prediction? The majority of 2022 cybersecurity predictions will again be ‘More of the same, packaged a bit differently’ because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x” — Rik Fërgüson (@rik_ferguson), November 1, 2021

“My 2022 Cybersecurity Predictions:” — c🎃e (@caseyjohnellis), November 2, 2021
So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.    We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.

Infinity Trend One: People are (still) gonna fall for the same ol’ sh*t

Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Game, you can see why.

“You’re only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec” — Khalil (@sehnaoui), June 21, 2017

You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.

Infinity Trend Two: You’ll (still) have to explain why cybersecurity matters to the CEO

“An important ‘soft skill’ as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this!” — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec), October 28, 2021

Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue, to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.)
Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey revealing that chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here are the only three metrics they care about.
Infinity Trend Three: Attacks will (still) come after lunch or at the end of the day (on a Tuesday)

Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.
Interestingly, Tuesday – not Friday – was the day employees sent and received the most emails, and that’s also the preferred day for spear phishing. One particular Friday does rank the very highest however: Black Friday. So if you’re reading this….  incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions?

Infinity Trend Four: Your biggest risks will (still) come from ‘inside the house’

The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over 1,000 security professionals found that 61% think an employee will cause their next data breach.
Infinity Trend Five: Hiring a diverse team will (still) be one of your biggest priorities… and challenges

Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.    Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it CEO), and you can see why it can be hard to foster a solid security culture.    InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.    So despite a decade passing, the problems most InfoSec and SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.    So our number one cybersecurity trend for 2022?    Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?   Until then, Happy Holidays!
Cyber Skills Gap Life at Tessian
Tessian Officially Named a 2021 UK’s Best Workplaces™ for Women
By Laura Brooks
01 July 2021
We’re excited to announce that Tessian has been recognized as one of the top three medium-sized companies in the UK’s Best Workplaces™ for Women for 2021.  Our Human First value, our commitment to Diversity, Equity and Inclusion (DEI), and our Employee Resource Group (ERG) for women – Tes-She-An – are just some of the reasons why people love working at the company. This recognition confirms that:

Tessian is a great workplace for all employees, including women.

Tessian recognizes that women represent a valuable talent pool in increasingly talent-constrained industries such as cybersecurity and technology.

Tessian lives up to its company values of ‘Human First’ and ‘We Do the Right Thing’, as its leaders make meaningful changes to improve their ability to recruit, retain and nurture top female employees.
Education and training have been foundational first steps in Tessian’s DEI strategy. We partnered with Jeff Turner, former International Learning and Development Director for Facebook, to deliver company-wide training around diversity, unconscious bias and inclusion. We’ve also taken the time to establish our long-term DEI roadmap – which includes a diversity recruitment strategy across all hiring levels, expanding the entry-level talent pool by creating junior jobs for people entering the tech industry, and prioritizing the development of future leaders through well-defined growth frameworks across the company. 
In addition, Tessian’s ERG – Tes-She-An – provides a space to support all employees who identify as women, celebrate their achievements, and help each other “shine even brighter” by focusing on career progression. The group runs monthly workshops for women, and invites inspiring external guests who are leading the charge in creating equal opportunities in the tech industry to speak to employees. Importantly, these events do not operate in a closed network. They’re open to the entire company – not just women.  As a result of these initiatives and programs, 99% of Tessian employees surveyed by Great Place to Work® agreed that people at the company are treated fairly regardless of their gender.  Paige Rinke, Head of People at Tessian, says: “We are so proud to be recognized as a Best Workplace for Women and hear first-hand from our employees that our initiatives to create an inclusive workplace are resonating. One of our core values is Human First, and we’re committed to ensuring every employee feels supported and valued, and to improving gender and ethnicity representation across all levels of seniority at Tessian through our DEI efforts. “Why? Because empowering our people to thrive in an inclusive environment and challenging the status quo to create more equal opportunities in the tech industry is, ultimately, the right thing to do.”  Benedict Gautrey, Managing Director of Great Place to Work® UK, explains: “We’re delighted to recognize so many great organizations in this fourth year of the UK’s Best Workplaces™ for Women list. The issues affecting women in the workplace, particularly what we’ve witnessed in the face of the pandemic including parity of pay and advancement opportunities, continue to be important topics. “What our 2021 UK’s Best Workplaces™ for Women clearly show is the positive impact their practices have on business.
As a result, they are better able to attract and retain women of talent, encouraging them to develop professionally and personally, and in turn, contribute exponentially to the success of the organizations they work for.” Want to work at Tessian? See if we have a role that interests you today.
Interviews With CISOs
12 CISOs to Connect With On LinkedIn and Twitter
By Maddie Rosenthal
09 April 2021
While the title “Chief Information Security Officer” (CISO) is highly sought after, the job is tough. On top of preventing threats and avoiding breaches, CISOs are also tasked with communicating risk, aligning with key stakeholders across the business, and, of course, managing a team of IT professionals.

So, how do you keep your head above water and excel in your role?

We can’t offer a prescriptive answer to that question (sorry!), but we can tell you that staying connected with your peers, regardless of industry or company size, can help. After all, they’re right there in the trenches with you.

Here’s a list of 12 CISOs you should connect with on both LinkedIn and Twitter for tips, advice, anecdotes, industry news, open tech roles, and even the occasional joke. “The more you know”, right?

P.S. If you’re looking for tips on how to build better relationships and influence change within your organization, check out this article: Relationship 15: A Framework For Security Leaders.

Name: Bob Lord
Bio: CSO The Democrats, former CISO Yahoo, Rapid7 CISO in Residence, Twitter alum.
Handle: LinkedIn | @BobLord
Follow him for: Bob Lord is the Chief Security Officer at the Democratic National Committee and has held senior executive infosec positions at Twitter and Yahoo (he was Twitter’s first-ever security hire). He’s particularly active on Twitter, where he shares personal security hacks, debunks cybersecurity myths for his followers, and offers great advice for security leaders.

Name: Window Snyder
Bio: A security industry veteran and former Chief Security Officer at Square, Fastly, and Mozilla.
Handle: LinkedIn | @window
Follow her for: Window Snyder has more than 20 years of experience in cybersecurity and has held positions at some of the world’s biggest brands, including Apple, where she led security and privacy features for OS X and iOS. Follow Window for posts about her experiences as a CISO (and a parent!) and details of her favorite cybersecurity events.

Name: Michael Coates
Bio: Co-founder & CEO @Altitude. Past: CISO @Twitter, Head of Security @Mozilla, @OWASP Chairman, Top 30 Security Startup.
Handle: LinkedIn | @_mwc
Follow him for: Michael Coates is the former CISO of Twitter and is the co-founder and CEO of a cloud data protection company. He has made TV appearances and has spoken at the RSA Conference about his experiences as a leading CISO. Follow Michael for tips for CISOs and advice on how to work with security vendors.

Name: Azeem Bashir
Bio: Award-winning Global CISO | CDO | Cyber Security & Cyber Risk Leader | NED | Advisor | Speaker
Handle: LinkedIn
Follow him for: Azeem Bashir has held a number of CISO and CIO positions at companies he keeps confidential. Although his previous employers are a mystery, the long list of awards he’s won and certifications he’s achieved speaks for itself. He’s also a board advisor, CISO mentor, speaker, and government advisor. Follow Azeem for the latest cybersecurity news about data breaches, attacks, and industry research.

Name: Kevin Fielder
Bio: Dad, CISO, Health and resilience coach, Podcaster. Lover of life and learning. Passionate about helping people and building high-performing (security) teams.
Handle: LinkedIn | @kevin_fielder
Follow him for: Kevin has a wide range of CISO experience at companies from Just Eat to WorldPay and FNZ Group. He’s also an active cybersecurity speaker and podcaster, and is particularly active in the LinkedIn cybersecurity community. Follow Kevin for honest posts about life as a CISO (as well as honest posts about life as a dad) and for his perspective on security attacks and breaches.

Name: Troels Oerting
Bio: Chairman, NED, award-winning CSO, passionate cybersecurity leader with a long track record in cybersecurity and privacy.
Handle: LinkedIn
Follow him for: Troels has over 20 years of cybersecurity experience, including intelligence roles within the Danish Police, Group Chief Security Officer at Barclays, cybersecurity lecturing roles, and multiple board positions. Follow Troels for his perspective on the latest cybersecurity attacks and threat actors, as well as his views on best practices and how to stay protected.

Name: Lynwen Connick
Bio: Chief Information Security Officer at Australia and New Zealand Banking Group (ANZ). Loves Travelling, Skiing, Mountain Biking & Orienteering.
Handle: LinkedIn | @LynwenConnick
Follow her for: With 25 years of cybersecurity experience, ranging from Australia’s Department of the Prime Minister and Cabinet to CISO of one of the biggest banks in Australia, Lynwen is a great addition to your social timelines. She is highly active in the women in cybersecurity community and shares cybersecurity events and groups that other women can get involved in. Follow Lynwen to hear about the work she’s done with the Australian Government and for cybersecurity advice for the financial services and banking industry.

Name: Dinis Cruz
Bio: CTO and CISO of @GlasswallCDR, Transformation agent, project leader of OWASP SBot and O2 Platform projects.
Handle: LinkedIn | @DinisCruz
Follow him for: Dinis Cruz has over 20 years of experience in cybersecurity and software development. He has also been nominated for CISO of the Year and is currently writing a book. On social media, Dinis is all about knowledge sharing and contributing to the cybersecurity community. Follow Dinis for cybersecurity and general tech hacks, advice on how to apply for security roles, and details of cybersecurity events (plus you might even come across his TikTok account).

Name: Moty Jacob
Bio: Moty is a long-time CISSP, holds security clearance, and has several industry certifications including Check Point’s CCSE, PCI DSS auditor, CCNA, Certified Ethical Hacker, and many others.
Handle: LinkedIn
Follow him for: Moty Jacob has a long track record in security spanning start-ups, Fortune 500 companies, and national governments. As well as being a top leader in cybersecurity, Moty is also a leader in diversity and inclusion, with almost half of his security team made up of women. Follow Moty for his hilarious and relatable cybersecurity memes and for honest posts about his experiences as the CISO at Dunnhumby.

Name: Christopher Porter
Bio: CISO, student of infosec, manager of risk, Dad, exerciser, and @UVA alum. Former @vzdbir author, @verisframework creator.
Handle: LinkedIn | @cdporter00
Follow him for: Christopher Porter is the CISO at Fannie Mae. He previously worked at Verizon, where he authored the Verizon Data Breach Investigations Report series and co-created the VERIS framework (Vocabulary for Event Recording and Incident Sharing). On social media, Christopher is committed to sharing cybersecurity research and posts about how to help close the diversity gap in the industry. Follow Christopher for the latest phishing intel, information about how the pandemic is affecting cybersecurity, and the occasional cybersecurity joke!

Name: Becky Pinkard
Bio: Cyber security exec, published author & professional speaker. I do security because I love it.
Handle: LinkedIn | @BeckyPinkard
Follow her for: Becky Pinkard has worked in the cybersecurity industry since 1996 at some of the world’s leading brands, from BlackBerry and Vodafone to Aldermore and Barclays. She’s also a published author, a regular commentator on infosec events, and won CISO of the Year at the 2020 SC Awards Europe. Becky is an active advocate for diversity and inclusion in cybersecurity on social media. Follow Becky for posts about open cybersecurity roles, her honest advice to other security leaders, and her incredible sense of humor.

Name: Bobby Ford
Bio: Senior Vice President/Chief Security Officer at Hewlett Packard Enterprise
Handle: LinkedIn
Follow him for: Bobby Ford has held the position of CISO at world-leading organizations from Unilever and Abbott Labs to his current company, Hewlett Packard Enterprise. Bobby has also been an information security analyst on the Pentagon’s incident response team and spent much of his career in the aerospace and defence industry. Bobby is an active member of the cybersecurity community on social media; follow him for posts about improving diversity in cybersecurity, open tech roles, and the occasional throwback picture of his days in the army.

And, if you want to be the first to get your hands on blogs like this and others written just for security leaders like you, subscribe to our newsletter below.