Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

Live Webinar | Ready to Supercharge Your Microsoft Environment? Yes, sign me up!

Interviews With CISOs

Learn how to navigate the threat landscape, how to get buy-in, and how to break into the industry from these cybersecurity leaders from Shell, Penn State, and more.

Interviews With CISOs
Q&A with Karl Knowles, Global Head of Cyber at international law firm HFW
21 December 2021
Karl Knowles is Global Head of Cyber at international law firm HFW. Tessian’s Customer Success Manager, Amelia Dunton, spoke to Karl about building defense and depth to combat advanced inbound attacks.   Tell us a bit about your role as Head of Cyber at HFW—What do you think companies should be most aware of when it comes to email security, specifically inbound email attacks?    One of the first things we need to consider is that email isn’t going anywhere—despite the fact that everybody wants it to go somewhere. It does seem to be the main preference of communication, and for all different businesses and industries—not just in legal.    But since the pandemic, there’s been a huge spike in email threats, as we all know. In fact, Mimecast pushed out a report where they had detected a 64% increase in email attacks as people move towards more hybrid environments.   And what we’ve seen, and what we continue to see, are increased impersonation attacks… You have to see Microsoft, Google, Dropbox—they’re all being impersonated on a daily basis. In fact, impersonation attacks account for nearly half of our email attacks that we receive. And then, of course, we’ve got the issues around domain spoofing and account takeovers all becoming more sophisticated—more difficult to see.   And certainly, you need to be conscious at all times when you receive an email. You need to take a breath—you need to take a bit of time, and you have to look at it. But that’s not always the case, and it’s never as easy as just having that taking that time, taking that moment. Because, as you know, the domain impersonations are very realistic. Some of the emails have been crafted better, so you need something else to help you with that.    Regarding inbound attacks specifically, is there a vulnerability gap when relying solely on a secure email gateway (SEG)?   Well firstly, it’s about evolving threats. And as we evolve our defenses, we’ve got to remember our adversaries are doing the same. Their TTPs are changing all the time, so we need to be on our toes.  And we’ve seen the examples of this, as I mentioned before, with the amount of impersonation attacks—where people email from other locations purporting to be from areas where they are registered. And this is where we need to be warning our users.    But we’ve also seen new domains being spun up. Why shouldn’t you be allowed to create a domain if you know how? It doesn’t mean to say that just because you’re creating an email domain, you’re going to use it for nefarious reasons. But the secure email gateway itself won’t just put that domain on a blacklist—and nor should it. Because, just because a domain’s been spun up, it doesn’t mean to say it’s malicious.    So that’s where you need something like Tessian Defender to kick in—because the SEG isn’t going to block it. It’s going to say, “Well, actually, just because you’re new, doesn’t mean to say you’re malicious.” But then what Defender will do is, it will just prompt you as you receive that email to say: “Hey, you know this is the first time your organization has seen this new domain?” So it just acts as a bit of a pause.    But this will also pick up when your normal sender’s domains come from a different location. As I said before with account takeovers, you can be communicating with an organization from Hong Kong, and you can have regular emails—maybe a dozen a day—and all of a sudden, an email comes from that domain—but it’s not in Hong Kong, it’s in The Netherlands.    So you need something to do that—because the secure email gateway isn’t always going to pick that up. So you need a bit of a: “Hey, do you realize that this email has come from a completely different location to where that domain normally sends its emails from?” 
What do you think security leaders need to rethink? What’s your advice to them?    Well firstly, we need to say that malicious emails aren’t going anywhere. They’re getting more and more sophisticated by the day—so we can’t think that you know one tool is going to fix everything. Maybe one day, but as it is at the moment—we’ve got to make sure that we have the technology just to protect our people. But we also need to make sure that our users — as the goalkeepers, as we refer to, the “last line of defense”— know what their responsibilities are, as well.    Because for me, as a security leader—it’s all well and good, me showing them a warning. Tessian will show a warning if an account takeover is triggered, or it’s an official email, or it’s a newly-observed domain—which is really good, but unless the user actually does something with that. and reports that, or blocks it, then it doesn’t actually mean too much.    Because if they can continue to communicate with that malicious domain, then you’ve got yourself a problem—it doesn’t matter about the technology. So, the first thing is: it’s getting more sophisticated but we need to work with our staff, our users, to make sure that they understand the important role that they play. and that they can’t just rely on technology. The technology’s there to support them, but it’s not the be-all-and-end-all   We also can’t expect our users to spot these emails just with the naked eye. We’ve got to appreciate that they’re working now in more hybrid environments, using devices such as mobile telephones, iPads, laptops, computers. And each one of those will display things differently.    And depending on where they’re working, whether they’re working in a train, a cafe, at home, or in the office. what we’ve got to consider is the factors that are going on around them at that time: what their mood is, what stresses are going on at the time…   The people that want to gain something from them know this, and they will prey on our weaknesses, by using a sense of urgency, by crafting words correctly. And when you’re operating in such an environment, where you’re got multiple things to consider and you’re doing a lot of things at the same time, this is when you need to take a step back and briefly just make sure you think before you click that link.    If you haven’t got that secure email gateway… if you haven’t got that machine learning at the top end of that, and then right the way back to the human layer—which is the goalkeeper—making it as easy as possible for them to make the right decision at the right time.
Email DLP Interviews With CISOs
Q&A with Punit Rajpara, Head of IT and Business Systems at GoCardless
21 December 2021
Punit Rajpara is Head of IT and Business Systems at GoCardless. In this Q&A he tells us how GoCardless won over the entire organization—from employees to board members—with their forward-thinking data loss prevention (DLP) program. Dig deep into the intuitive and effective user warnings, powerful analytics, and reporting tools that helped prove their business case.   Could you please give us a quick introduction to yourself and your role at GoCardless?   I’m the Head of Business Systems at GoCardless. I’ve been here just over a year—joined at the crazy pandemic time so it’s been an interesting year. Plus, prior to GoCardless, I was at WeWork and Uber, so I clearly love the hot startup journey and putting in core tools. GoCardless is in the space solving for payments—so whether that’s recurring or one-time payments.   We’ve just really done some really cool stuff at the Urban Bank and you should check it out. We service payments across 30 different countries and we process about 20 billion in revenue for other merchants every year. DLP can be a really daunting project, for many. At GoCardless, was your starting point in DLP?   Yeah, I think I’d say boring and daunting. It’s one of those things that just kind of there, and it can be disruptive to users. So, I guess our starting point was we… like I said, it was kind of just there. We used Google DLP to kick off, and the inbuilt DLP tools, and we found those a little bit complex to configure.   So we’re coming to this realization—just when everything just happened and we went to market—to look for somebody better. We realized it needs an admin of its own—it’s just configured a bunch of policies that just block stuff for our users all the time. And it didn’t seem very “user-in-mind.” So that’s our starting point: Google-based DLP tools. A bit boring, a bit daunting, like you said, and just… there. What was it that instigated you to start thinking: “OK, we need a new approach”?   We had an incident where somebody sent a file to a friend, instead of to the right recipient. And we got a bit lucky, where the friend said: “Oh, did you really mean to send me this file?” and it was an important file that probably shouldn’t have gone to the friend. And the person that caught that and came straight to us and said, “Hey—do we have a way of stopping me from sending things I shouldn’t to the wrong people?” And we’re like: “Maybe… Let’s go and have a look at it.”    So, we weren’t intentionally looking at DLP, but it’s one of these things where it allows us to be used a little as well, so users will come and talk to the problem, and go: “Hey, I’ve made this stupid mistake—what should I do?” and “Can you do anything to help me not make that mistake again?”   So, that’s what really led us down the road of going: “We should look at this problem. We should look at inbound and outbound DLP and see if we can make it easy for our users not to do things that are going to be harmful to them and the business.” How have you got your employees to that state, where they’re actually coming forward and saying “Hey, how can we stop it going forward?” I think it’s part of that kind of scale-up workforce culture, where people are expecting not to do things by themselves constantly. If you look at all aspects of… mostly business systems and IT, there’s a huge focus today on ultimate automation and self-service. So people are used to working in organizations where you’re not having to report things, you’re not being blocked by things, you’re really being enabled to just go on with your work. And the expectation is that IT teams and business teams and security teams are becoming more and more “self-service,” and putting the control in the hands of the users. And that just really allows people to not worry about these things, and just get on and just be productive and work. What were you looking for when you set out to try to find a security partner? When we went looking for the right partner, the things that were front-of-mind were: whatever we chose had to be easy to use, it had to be easy to implement, and it had to be easy to administer. I was managing a small team last year, so it couldn’t be anything that required tons and tons of work for my team to implement. It couldn’t be something that required tons and tons of documentation to be written. It couldn’t be something that required using huge amounts of user training.  It had to be quick, easy to use, quick to deploy, easy to deploy, with a lot of support from the vendor will be required to get it out if we need that support, and it had to be self-service. It will have to be really really intuitive. So that’s our approach to how we were looking for the right partner. I think it actually hit the nail on the head with Tessian…  How was the feedback when you implemented Tessian? How did you garner that feedback and how did it change their perception of what security controls can be like? I’d say overwhelmingly, there was a positive response to our deployment of Tessian at the business. People—especially the exec team—would come into us quite quickly and say: “Hey, this is really cool. We’re going to stop data leakage.”  We were able to catch a couple of incidents that we maybe wouldn’t have otherwise, so overwhelmingly there was this really really positive response: “Hey, this tool is really awesome, didn’t know we could do this kind of stuff.”  
Interviews With CISOs
Q&A with Tim Fitzgerald, Chief Information Security Officer at ARM
By Andrew Webb
13 December 2021
Tim Fitzgerald is the Chief Information Security Officer (CISO) at ARM, and former CISO at Symantec.   What are some of the biggest challenges that you face, and how does that make you think about your security strategy? Our challenges are—not to be trite, but they’re sort of opportunities as well. By far the biggest single challenge we have it ARM’s defaults around information sharing. We have a belief—and I think it has proven to be true over the 30 plus years that ARM has been in business—that the level of information sharing has allowed ARM to be extraordinarily successful and innovative. There’s no backing up from that, as an ethos of the company.    But that represents a huge amount of challenge, because we give a tremendous amount of personal freedom for how people can access our information and our systems, as well as how they use our data internally—with our peers—but also externally, with our customers, who we’re very deeply embedded with.   We don’t sell a traditional product where they buy it, then we deliver it to them, and then we’re done. The vast majority of our customers spend years with us developing their own product, based on their own intellectual property.   So the level of information sharing that happens in a relationship like that is quite difficult to manage, to be candid.
Has human layer security been part of your strategy at ARM, or even your career before ARM? My career before ARM was at Symantec. Symantec was a very different company—you know, more of a traditional software company. It also had 25,000 people who thought they knew more about security than I did. So that presented a unique challenge in terms of how we worked with that community.   But even at Symantec, I was thinking quite hard about how we influence behavior. And ultimately, what it comes down to for me, is that I view my job in information security as something between a sociologist and a marketing expert. We’re really trying to change people’s behavior in a moment. Not universally, not their personal ethos, but will they make the right decision in this moment, to do something that won’t create a security risk for us.   I label that “microtransactions.” We get these small moments in time where we have an opportunity to interact with and to influence behavior.    And I’ve been evolving that strategy with ARM in a very different place, in some respects—but trying to think about not just how we influence their behavior in that moment in time, but actually—can we change their ethos? Can we make responsible security decision-making part of everyone’s job?   That turns out to be a very hard problem. And the way we think about that at ARM—we have a centralized security team, ultimately security is my responsibility at ARM, but we very much rely on what we very much consider to be our “extended” security team, which is all of our employees.   Essentially, our view is that they can undo all of the good that we do behind them to try and compensate for all the risk that a normal human being creates.    But I think that one of the ways we look at this that is unique at ARM is that we very much take the “people are people” view on this. Not that they’re the weakest link, not that they don’t come with good intent, or they don’t want to be good at their job, or that they’re going to take that shortcut just to get that extra moment of productivity.    But actually, that everyone wants to do a good job, and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.  
At Tessian, we think that technology should not only keep people safe, but it should do it in a way that empowers them to do their best work. What did Tessian address for you that you couldn’t quite address with other platforms? Coming from Symantec, I used all their technology extensively, and one of the best products Symantec has to offer is their DLP solution. I’m very familiar with that, and I would argue we had one of the more advanced installations in the world running internally at Symantec. So, I’m extremely familiar with the capability of those technologies.    What I learned in my time doing that, is that when used correctly in a finite environment, on a finite data set, that sort of solution can be very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem.   When you try to apply that broadly, it has all the same problems as everything else. You start to run into the inability of the DLP system to understand where that data is supposed to be—is this person supposed to have it, based on their role and their function? It’s not a smart technology like that, so you end up having to write these very complex rules that are hard to manage.   What I liked about Tessian is that it gave us an opportunity to use the machine learning in the background, to try and develop context about whether something that somebody was doing was either atypical—or maybe it’s not atypical, it’s part of a bad process, but by the very nature of the type of information they’re sending around and the characteristics of that information—we can get a sense of what they’re doing at whether it’s causing us risk.   So, it doesn’t require us to be completely prescriptive about what we’re doing. It allows us to learn, with the technology and with the people, about what normal patterns of behavior look like—and, therefore, intervene when it matters, and not every time another bell goes off.
Interviews With CISOs Podcast
Q&A with Ben Aung, Chief Risk Officer at SAGE
29 November 2021
Ben Aung is the Chief Risk Officer at SAGE, formerly served as a Deputy Government Chief Security Officer in the UK government, and is a Tessian customer. He discussed insider threats, fear uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder, Tim Sadler, on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.   Tessian: How has this year been for you and your team at SAGE?   Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances.    We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.   Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career? Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, my first gig I got there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.
Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context.   That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.    My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.   Tessian: According to stats, insider threats have risen almost about 50% in the past two years. Why do you think it’s such a challenging problem to solve?   Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact.   We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them.    We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.   The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data. And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.    Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?   Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.”
The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations.   Effect line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.    I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do.   The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”
Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?   Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant.   There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective.   But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.
And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world.   The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would. 
If you just look, in more of a social context, about how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same.   I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.   This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here,
Interviews With CISOs
Q&A with Jerry Perullo, CISO at ICE
By Andrew Webb
22 November 2021
Jerry Perullo has served as the CISO of Intercontinental Exchange, Inc. (NYSE: ICE) since 2001 and in that time has seen how security has moved from the ‘blame game’ to securing the human layer. In this interview, he explains how InfoSec teams can work together with employees, for a stronger security culture.   You’ve been the CISO at Intercontinental Exchange for over 20 years. How has the narrative changed on the “human factor” over that time?   Jerry: I’ve always worked closely with customers and peers, so I’ve gotten a lot of insight into the financial services landscape. It wasn’t top-of-mind in the early days—mainly because it was such a small company. It was a bit later that phishing became the number one threat vector. Because of that, the human element really came up.   Unfortunately though—as technology professionals are wont to do—the initial reaction was full-on victim-shaming. In traditional IT, there’s a lot of: “I can’t believe this person didn’t know how to plug their keyboard in,” or whatever it’s going to be. And in security, it was immediately: “I can’t believe this person clicked that…” or “…plugged in this USB,” or whatever it may have been.   And then a bit later, I think that a lot of people came around to realizing that the people they were shaming were generating their revenues and paychecks, at the end of the day, and so it wasn’t a good idea to just mock them.   So things really did start to pivot to more of an era of collaboration, and that was great. And we see some evidence of that in a lot of the training material now, which came to be more entertaining—the gamification, trying to get people involved.   And then lately I’ve seen some questioning of where that line needs to be. Some people saying, “If anything goes wrong, it’s never the person’s fault,” so to speak—it’s always on information security, and we should know that people are humans and that they should be permitted to click things if they are available to them, and it should be on cyber to get in the way of problems.    
Do you think security teams are taking the attitude of: “It’s not because users are stupid, it’s because they’re human, and humans are going to make mistakes”?   Jerry: Yes. I do see a lot of that. And in different environments—some environments don’t have the ability to impose many controls at all. So in those cases, they’re playing “clean up” all the time.   And there’s other organizations that do have the ability to impose some pretty heavy controls. And there, it is a little bit different. There, you do have individuals who have a little more time so they can work with individuals and hold them to a higher standard.  
Everything you do as a security team is having some impact on the employee. How do you consider the trade-off of better security versus impacting the productivity of the employee that you’re trying to secure?   Jerry: There has historically been this notion of an inverse relationship between security and user experience.    I think that controls that have that attribute—when you impose it, people’s lives get a little bit less fun, and the more that you do the less fun it is—are generally bad controls. They’re really the “control of last resort.”   There are other things that can actually be quite helpful, and enhance productivity, visibility and awareness.    To that end, any tools that really empower the user and give them the means to protect themselves—so for example, enriching emails and giving them the idea of the threat of it, rather than just blocking it, and giving them advice, informing them and allowing them to make those calls, or phish report buttons that a lot of products have been delivering, so they can make their own claims about what they think is good or bad.   And then giving a feedback loop on that, so they know whether they’re right or wrong, just for their education. But also, where they can gamify it a bit, and really be incentivized to spot security issues—I think that’s been really effective overall.   How has the shift to remote work impacted organizations’ security strategies and the way they’re thinking about protecting their people in 2021?   Jerry: Having a unified security strategy—I’ll be the first to admit that that’s not a given, and it’s not universally agreed what that even means. I’m fortunate that we have gone through the process of doing that, and putting pen to paper.    For us, the strategy has really been about paying attention to the threat landscape, learning from our peers or others who may have had cybersecurity issues in the world, internalizing and seeing if those same issues could manifest, and—when we identify that they could—identifying the new controls that we need to adjust, making those adjustments, then repeating the whole cycle again.   That’s certainly not changed. So we’re going to look at what’s manifesting externally, and if that happens to lever the remote-work environment more, in the threat intelligence, then that would utilize the exact same strategy, but the operationalization of it would be a little bit different.   So strategy is unchanged—but the manifestation of it may.
I know you have a lot of thinking about this concept of adversarial risk management. Could you please outline your thoughts on that?   Jerry: Your controls that are good enough today will not be tomorrow. Because you have an adaptation of the problem.    As computing professionals, we want to have an algorithmic solution to something like phishing, And in many ways, we have.    We have a lot of platforms that are, for example, looking through attachments that are in email. And the ones that are either short-sighted or in a really unforgiving environment are trying to disassemble and sandbox attachments in real time—that sort of thing. The ones that are more effective are just blocking all attachments of certain natures.   But as that technology has evolved, the adversarial side has turned to what I call “narrative phish.” So, instead of a link or an attachment, it’s: “Hey Bob, do you have a minute?” And there’s not an algorithmic solution to that one.    I think you guys at Tessian are really fast on it. Because it’s great that the advances in machine learning have really matched that.    Because that’s what you need it for, isn’t it? Real-time, behavioral, statistical monitoring. To figure out that no-one calls you “Bob,” that this customer doesn’t really care how you’re doing. That’s how deep you’re going to have to get to really be able to have an adversarial management approach.   Listen to the full interview on our podcast, and follow us on your Spotify and Apple Music.  
Interviews With CISOs
Almost Half of Chief Information Security Officers (CISOs) Have Missed Thanksgiving Because of Work
By Andrew Webb
18 November 2021
Being a CISO or Security Leader in today’s InfoSec world is not for the faint hearted. CISOs are some of the hardest working people in any company, regularly working extra hours and overtime to keep the company secure from threats.    But this constant vigilance for threats can mean that CISOs miss out on everything from time with the family to getting enough down time to recharge.    We recently undertook research to see just how much time CISOs “lose” investigating potential breaches and threats and the headline is: security leaders don’t work hard, play hard. They work hard…then work harder.   In fact, 42% say they’ve missed out on a federal or national holiday like Thanksgiving or Christmas because of work.   You can see the full details here. But here’s some highlights.
CISOs hard work isn’t going unnoticed   While no one wants to miss out on family time, it’s not all bad news. 89% of CISOs we surveyed believe the work they do is appreciated by employees outside their team. Furthermore 66% of employees say they understand the role of the CISO. That’s a ringing endorsement of how valuable and visible the relatively new role of CISO has become in just a few short years.   However, just because the rest of the organization knows who you are and what you do, doesn’t mean it’s plane sailing.  As a result of their demanding roles, CISOs are struggling to keep up with developments that further strengthen the business like training, hiring talent, and staying on top of the latest threat intel. They’re also missing out on important personal and social things outside of work, like public holidays and family vacations. Most concerning is the fact that some CISOs are even putting their health at risk by skipping workouts or missing doctor’s appointments.
What are CISOs busy doing? So where is all the time going? What is it that’s causing CISOs to lose, on average, 11 hours a week in overtime?    According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents.    And a quarter of CISOs say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day investigating and remediating each threat caused by human error.   On top of this, 38% believe they’re spending too much time in meetings and reporting to the board, and 33% also feel as though they’re being drained of time because of other administrative tasks. Looking for more detail on the things that are taking up CISOs time? We’ve got you covered here, but it’s clear that investigating breaches and dealing with the fallout from them is a major drain on time, resources, and mental health.
What would you do if your schedule was cleared? We asked CISOs what they would do if they were able to claw back those Lost Hours, and it turns out their three primary objectives are:    Spending time with family/friends  Further strengthening the business   Resting
Did you know that organizations with over 1,000 employees could save as many as 26,357 hours a year by automating security with Tessian?   While Tessian’s Human Layer Security platform can help you automate your security, which would help you strengthen your email security defenses and save you time, we’d rather use this opportunity to share some mindfulness and productivity tips to help you switch off.   Share the load: While – yes – CISOs are the Head Honcho within IT and security teams, that doesn’t mean you have to do everything. Remember that delegation is validation, it’s okay to ask for help, and your best bet is to prioritize, then divide and conquer. Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Likewise, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge.  Unplug (like, actually…): This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.  
Ready to learn more?    Want to find out how your security teams and employees can reclaim their Lost Hours? Get in touch with the Tessian team today to learn how Human Layer Security can help stop “Oh Sh*t!” moments from clogging up your schedule. 
ATO/BEC Human Layer Security Interviews With CISOs
All Cybersecurity 2022 Trend Articles Are BS, Here’s Why
By Josh Yavor
16 November 2021
Ah, the holidays. As we roll up to the end of the year, one thing’s certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.    And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.    Well this year, we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.
And on Twitter, the feeling is similar… My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x — Rik Fërgüson (@rik_ferguson) November 1, 2021 My 2022 Cybersecurity Predictions: — c🎃e (@caseyjohnellis) November 2, 2021
So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.    We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.   Infinity Trend One: People are (still ) gonna fall for the same ol’ sh*t Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why. You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec — Khalil (@sehnaoui) June 21, 2017 You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.   Infinity Trend Two: You’ll (still ) have to explain why cybersecurity matters to the CEO An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this! — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021 Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue, to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.) Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey, revealing chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here’s the only three metrics they care about.  
Infinity Trend Three: Attacks will (still ) come after lunch or at the end of the day (on a Tuesday) Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious, and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.
Interestingly, Tuesday – not Friday – was the time employees sent and received the most emails, and that’s also the preferred time for spear phishing. One particular Friday does rank the very highest however, Black Friday. So if you’re reading this….  incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions? Infinity Trend Four: Your biggest risks will (still ) come from ‘inside the house’ The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over a 1,000 security professionals found that 61% think an employee will cause their next data breach.
  Infinity Trend Five: Hiring a diverse team will (still ) be one of your biggest priorities… and challenges Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.    Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it-CEO), and you can see why it can be hard to foster a solid security culture.    InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.    So despite a decade passing, the problems most InfoSec, SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.    So our number one cybersecurity trend’ for 2022?    Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?   Until then, Happy Holidays!
Life at Tessian Cyber Skills Gap
Tessian Officially Named a 2021 UK’s Best Workplaces™ for Women
By Laura Brooks
01 July 2021
We’re excited to announce that Tessian has been recognized as one of the top three medium-sized companies in the UK’s Best Workplaces™ for Women for 2021.  Our Human First value, its commitment to Diversity, Equity and Inclusion (DEI), and its Employee Resource Group (ERG) for women – Tes-She-An – are just some of the reasons why people love working at the company. This recognition confirms that:  Tessian is a great workplace for all employees, including women. Tessian recognizes that women represent a valuable talent pool in increasingly talent–constrained industries such as cybersecurity and technology.  Tessian lives up to its company values of ‘Human First’ and ‘We Do the Right Thing’, as its leaders make meaningful changes to improve their ability to recruit, retain and nurture top female employees.
Education and training have been foundational first steps in Tessian’s DEI strategy. We partnered with Jeff Turner, former International Learning and Development Director for Facebook, to deliver company-wide training around diversity, unconscious bias and inclusion. We’ve also taken the time to establish our long-term DEI roadmap – which includes a diversity recruitment strategy across all hiring levels, expanding the entry-level talent pool by creating junior jobs for people entering the tech industry, and prioritizing the development of future leaders through well-defined growth frameworks across the company. 
In addition, Tessian’s ERG group – Tes-She-An – provides a space to support all employees who identify as women, celebrate their achievements, and help each other “shine even brighter” by focusing on career progression. The group runs monthly workshops for women, and invites inspiring external guests who are leading the charge in creating equal opportunities in the tech industry, to speak to employees. Importantly, these events do not operate in a closed network. They’re open to the entire company – not just women.  As a result of these initiatives and programs, 99% of Tessian employees surveyed by Great Place to Work® agreed that people at the company are treated fairly regardless of their gender.  Paige Rinke, Head of People at Tessian, says: “We are so proud to be recognized as a Best Workplace for Women and hear first-hand from our employees that our initiatives to create an inclusive workplace are resonating. One of our core values is Human First, and we’re committed to ensuring every employee feels supported and valued, and to improving gender and ethnicity representation across all levels of seniority at Tessian through our DEI efforts. “Why? Because empowering our people to thrive in an inclusive environment and challenging the status quo to create more equal opportunities in the tech industry is, ultimately, the right thing to do.”  Benedict Gautrey, Managing Director of Great Place to Work® UK, explains: “We’re delighted to recognize so many great organizations in this fourth year of the UK’s Best Workplaces™ for Women list. The issues affecting women in the workplace, particularly what we’ve witnessed in the face of the pandemic including parity of pay and advancement opportunities, continue to be important topics. “What our 2021 UK’s Best Workplaces™ for Women clearly show is the positive impact their practices have on business. As a result, they are better able to attract and retain women of talent, encouraging them to develop professionally and personally, and in turn, contribute exponentially to the success of the organizations they work for.” Want to work at Tessian? See if we have a role that interests you today.
Cyber Skills Gap
3 Reasons Hackers Could Help Bridge the Cybersecurity Skills Gap
By Maddie Rosenthal
28 April 2020
There are currently over 4 million unfilled positions in cybersecurity. The question is: Why? To find out, Tessian released the Opportunity in Cybersecurity Report 2020. Based on interviews with over a dozen practitioners from some of the world’s biggest and most innovative organizations (including Google, KPMG, and IBM), survey results from hundreds of female cybersecurity professionals, and quantitative research from the Centre for Economics and Business Research, we revealed that: There’d be a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK if the number of women working in cybersecurity rose to equal that of men A lack of awareness/knowledge about the industry is the biggest challenge female cybersecurity professionals face at the start of their career The industry has a major image problem. Women working in cybersecurity believe a more accurate perception of the industry in the media would be the biggest driver of new entrants  A different perspective of the same problem While we examined the growing skills gap in cybersecurity through the lens of the disproportionately low percentage of women currently working in the field, we were recently introduced to a different perspective. Hackers’.  HackerOne released The 2020 Hacker Report earlier this year and, on April 21, Tessian welcomed Ben Sadeghipour, the platform’s Head of Hacker Education, to present the key findings from the report during one of our Human Layer Security Virtual Roundtables. The message was simple: Hackers can (and do) help bridge the cybersecurity skills gap.  Now, by combining highlights from The 2020 Hacker Report with our own Opportunity in Cybersecurity Report 2020, we’ve identified 3 key reasons why hackers have the potential to make a positive impact on the industry. 
1. Hackers have the skills the cybersecurity industry needs When asked why there’s a skills gap in the industry, 47% of those women surveyed said it’s because there’s a lack of qualified talent. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//"); Likewise, 33% of women currently working in cybersecurity say that a lack of requisite skills was the biggest challenge they faced at the start of their career. This came behind a lack of clear career development paths (43%) and a lack of awareness/knowledge of the industry (43%). !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//"); While a greater emphasis on STEM subjects in primary/high school, more apprenticeship programs, and cybersecurity-specific curriculums at universities would certainly help, we need to look beyond formal education. According to HackerOne’s report, “Most [43%] hackers consider themselves self-taught… since formalized cybersecurity engineering educations have yet to become common, bug bounty programs and public VDPs give promising hackers the ability to quickly learn, grow, and contribute to everyone’s increased security.” What’s more, hackers are putting these self-taught skills to use, with 78% of hackers saying they’ve used or plan to use their hacking experience to help them land a job. On top of that, the majority of hackers (59%) say they hack as a hobby or in their free time and 27% describe themselves as students.  That means a large percentage of hackers could, in theory, transition into cybersecurity. It’s important to note, too, that different cybersecurity roles attract different types of talent. We asked our survey respondents to identify the skills needed to thrive in different roles, and the results demonstrate how diverse the opportunities are. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//");  
2. All hackers aren’t “bad” While a lack of requisite skills is perpetuating the skills gap, 51% of the women surveyed in Tessian’s Opportunity in Cybersecurity Report 2020 said that a more accurate perception of the industry in the media would encourage more women into cybersecurity roles. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//"); Hillary Benson, Director, Product at StackRox and one of the contributors to our report summed it up nicely when she said, “People hear ‘cybersecurity’ and think of hackers in hoodies. That’s a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that’s not all there is.” Unfortunately, this “caricature” of hackers tends to be negative as pop culture and headlines about nation-state hacking groups have conditioned us to associate hackers with criminal or solitary activity. HackerOne even commissioned a survey of over 2,000 US adults to gauge their perception of hackers.  The survey found that 82% of Americans believe hackers can help expose system weaknesses to improve security in future versions. However, a nearly identical share said they believe hacking to be an illegal activity.  But, hackers feel confident this perception is changing for the better, with:  55% saying they see a more positive perception from friends and family 47% saying they see a more positive perception from the general public 38% saying they see a more positive perception from businesses 35% saying they see a more positive perception from the media
3. Hackers already have a strong community 23% of Tessian’s respondents said that a lack of role models was a challenge they faced at the start of their career, and a further 26% said that more diverse role models would encourage more women to enter cybersecurity roles. The impact of role models is even more important for the younger generations. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//"); Hackers already have a strong community. Katie (@Insider_PHD) was quoted in HackerOne’s report saying “The community is super encouraging. The community is super willing to help out. It’s, as far as I’m concerned, my home.”  Likewise, Corben (@CDL) was quoted as saying “Being part of the hacker community means the world to me. I’ve met a ton of people. I’ve made a ton of friends through it. It’s really become a big part of my identity. Everyone who is a part of the community is bringing something important.” Beyond that, 15% of those surveyed got interested in ethical hacking because of online forums or chatrooms.  The bottom line is: Mentorship is important. Role models are important. Community is important. Unlike cybersecurity professionals – specifically female cybersecurity professionals – hackers have these things in abundance. Cybersecurity is more important now than ever Data has become valuable currency and ransomware attacks, phishing scams, and network breaches are costing businesses and governments billions every year. And now, with new security challenges around remote-working and a marked spike in COVID-19-related phishing attacks, cybersecurity is more business-critical than ever before. While we should continue encouraging gender diversity in cybersecurity, we should also encourage other types of diversity as well. The field is wide open for a range of educational and professional backgrounds…including hackers.  Challenge perceptions, make an impact.  Learn how cybersecurity professionals kick-started their career   So, what is cybersecurity actually like? It depends on your role within the field. And contrary to popular belief, the opportunities available are incredibly diverse.  To learn more about how the 12 women we interviewed broke into the industry, read their profiles. #TheFutureIsCyber
Cyber Skills Gap
Key Takeaways from Tessian’s Cybersecurity Skills Gap Webinar
By Maddie Rosenthal
31 March 2020
In case you missed it, Tessian released the Opportunity in Cybersecurity Report 2020 earlier this month. In it, we examine the growing skills gap in cybersecurity through the lens of the disproportionately low percentage of women currently working in the field.  While the report was released in time for Women’s History Month and addresses the issue of gender bias in the industry, we found that it’s actually inaccurate perceptions of cybersecurity that are preventing people from considering the opportunities available. So, how can organizations tailor recruitment efforts to help candidates overcome this barrier to entry? To find out, we invited three of the contributors to the report to join Kelli Hogan, Tessian’s Head of Marketing Communications, for a webinar: “Cybersecurity skills gap: talent shortage or image problem?” You can view the full webinar here, and we’ve compiled the key takeaways for you in this blog. Cybersecurity is an incredibly diverse field Cybersecurity isn’t limited to hackers, developers, and engineers.
This is perhaps best demonstrated by the women themselves.  Carolann Shields, the former CISO at KPMG, is something of an industry veteran, having driven more than fifteen large-scale company-wide cybersecurity initiatives throughout her career. But, she didn’t study anything related to computer science. Instead, she earned her degree in Business Studies before starting down her path to cybersecurity. On the other hand, Hayley Bly, a Cybersecurity Architect at Nielsen, earned her Bachelor’s Degree in Computer Science almost four years ago and is currently working towards her Master’s of Science in Cybersecurity. Finally, Tess Frieswick, who earned her Bachelor’s Degree in World Politics with a minor in Islamic World Studies, became interested in cybersecurity after learning about Russian bot interference in the 2016 US presidential election. She recently started a new job as a Client Success Manager at Kivu Consulting after spending a year working at Uber as a security analyst. Learn more about their backgrounds by reading their profiles on our blog.  Organizations should enable internal recruitment as well as external recruitment  While most of us think of recruitment outside of our organization when we consider growing our security teams, Carolann has, throughout her career, made a point to look internally first.
Importantly, internal recruitment was only possible because of the environment KPMG created through job shadow programs and other initiatives that encouraged cross-functional movement and communication between teams.  Internal recruitment can do more than just fill vacancies, though. It also gives other individuals and even full departments a chance to better understand the function of cybersecurity teams which, in turn, helps build a stronger, more positive security culture.  Collaborative and open environments attract new talent We know from our research that creativity and collaboration rank in the top five skills needed to thrive in a cybersecurity role, but it’s clear that these are also attractive traits in an organization to applicants. That means if you want new, diverse talent, you have to communicate the scope of the opportunity, the open-mindedness of senior executives, and the organization’s overall propensity to engage with new ideas.  COVID-19 means more for cybersecurity than just a transition from office-to-home Given the current climate, it’s no surprise that the conversation turned to COVID-19.  When asked by an audience member during the live Q&A what the outbreak meant for the future of cybersecurity, all three of the women were steadfast that the impact goes far beyond just the transition from office-to-home, especially as attackers are taking advantage of the situation with opportunistic phishing attacks. 
But, this doesn’t just impact professionals in client services. Organizations are relying more heavily on cybersecurity teams to lock down internal systems and networks. The question is: Are teams going to have to do more with the same resource? Or will teams expand as necessary? Increased remote-working could mean more opportunities in cybersecurity  According to Carolann, it’s inevitable that this sudden transition necessitates a larger security team. 
Now more than ever, organizations have to recruit new and diverse talent in order to not just fill the 4 million vacancies that already exist, but to accommodate the increased reliance on cybersecurity teams to help us all safely transition to remote-working. For more insight on how to improve your recruitment efforts, listen to the webinar. #TheFutureIsCyber
Cyber Skills Gap
Introducing Tessian’s Opportunity in Cybersecurity Report 2020
11 March 2020
Despite higher-than-average salaries, the opportunity to solve real-world problems, and unlimited growth potential, there’s a skills shortage in cybersecurity. In fact, the cybersecurity workforce needs to grow by 145% to meet the current global demand.  That’s over four million unfilled jobs. But, there isn’t just a skills gap. There’s also a gender gap, with women making up less than a quarter of the workforce. The question is: Why? To find out, Tessian: Worked with the Centre for Economics and Business Research to analyze the economic impact if the number of women working in the industry equaled the number of men Surveyed hundreds of female cybersecurity professionals in the US and the UK with Opinion Matters Interviewed over a dozen practitioners from some of the world’s biggest and most innovative organizations – including Google, KPMG, and IBM –  about their own experiences. To download the full report, click here.
An economic boost worth billions Today, the cybersecurity industry contributes $107.7 billion in the US and £28.7 billion in the UK, and that’s in spite of four million job vacancies. So, what would happen if we minimized both the skills gap and the gender gap, and the number of women working in cybersecurity rose to equal that of men? Our research reveals that we’d see an economic boost of $30.4 billion in the US and of £12.6 billion the UK, bringing the total contribution of the cybersecurity industry up to $150.8 billion and £45.7 billion in each respective country.   But, without a clear understanding of the challenges women currently working in the industry faced at the start of their career, organizations and governments will continue to struggle with recruitment.  And the challenges aren’t necessarily what you’d expect… Cybersecurity has an image problem While it’s easy to cite the gender gap as a barrier to entry – especially with 66% of women in cybersecurity agreeing there is a gender bias problem in the industry – it actually isn’t one of the biggest challenges women currently working in the industry have faced.
Instead, women cite a lack of awareness or knowledge of the industry and a lack of clear career development paths as the biggest challenges, meaning a general demystification of the industry is required to encourage new entrants. What’s more, 51% of women believe more accurate perceptions of the industry in the media would encourage more women to explore cybersecurity roles. This came first, beating out a more gender-balanced workforce, equal pay, and cybersecurity-specific school curriculums. So, what is the industry actually like? Read the full report to find out the top 5 skills needed for a range of cybersecurity roles, including CISO, network engineer, data scientist, and risk & compliance. You can also read the profiles of each of our contributors which prove there is no “stereotypical” cybersecurity professional.  The industry is future-proof Demystifying the industry truly is essential, especially because the industry is one of the most important today, with over half of those surveyed saying that they joined for exactly that reason. But, it’s not just the opinion of cybersecurity professionals.  In fact, the global cybersecurity market is booming, having grown 30x in the last 13 years. That’s because cybersecurity professionals are solving real-world problems and are making a positive impact doing so. After all, data has become valuable currency and ransomware attacks, phishing scams, and network breaches are costing businesses and governments billions every year.
Perhaps that’s why the vast majority of women surveyed feel so stable in their jobs; 93% saying they feel secure or very secure working in this industry. Unfortunately, though, without encouraging more people to join the industry, professionals will struggle to keep pace with the ever-evolving threat landscape.  The cybersecurity industry – like all other industries – requires diversity to thrive. And we don’t just mean gender diversity. The field is wide open for a range of educational and professional backgrounds, from psychology majors to business analysts and just about everything in between. Read the full report to learn more, including: How opinions of the industry differ based on age, company size, and region The economic impact the industry would have if the number of women working in cybersecurity equaled the number of men and the wage gap was eliminated The five most important developments in the cybersecurity industry today Resources – including cybersecurity groups, female empowerment groups, and industry-specific certifications to help you make a start in the field Challenge perceptions, make an impact.  #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Shamla Naidoo From IBM
By Maddie Rosenthal
10 March 2020
Shamla Naidoo – who has 37 years of industry experience in technology and security – is currently leading C-Suite strategy and integrating security with digital transformation at IBM, where she previously served as the Global Chief Information Officer. Having held Senior Officer roles at Starwood Hotels and Resorts, WellPoint, and Northern Trust, she’s a true veteran in the industry and has used her professional and personal experiences to help mentor and motivate teams and individuals across departments within all the organizations she’s served.  Earlier in her technology career, she earned degrees in Information Systems and Economics (her fail-safe!) and, afterwards, went on to receive her Juris Doctor degree.
Q. Describe your role as a CISO in 300 characters or less. A CISO’s job is to protect an organization’s brand and reputation by managing cybersecurity threats. Protecting a corporation’s digital footprint supports business growth enables the acceleration of innovation. Q. How did you get started in cybersecurity? This is my 38th year working in technology and initially, security wasn’t a separate function, role or organization; it was completely integrated. As a developer, my job was to write code that worked and that included working in a secure way.  As a network engineer, I built networks, in a secure way. I never envisioned security would become a free-standing profession. But, after almost 20 years of integrating security into my technology roles, I realized Security was becoming important and that I was actually knowledgeable on the subject. Not because I had a security title at that stage, but simply because I had done it before. Q. What does this integration of tech and security roles mean for the cybersecurity industry? There’s now an entire ecosystem for security and because of that, you can participate without having technical skills or a hardcore technical background. You can now become a security expert without ever having written a line of code in your life; you can become a security expert without ever having built any kind of technology solution. It’s really expanded the opportunities for career paths in security. Q. Do you think people are aware that technical skills aren’t necessarily required to succeed in cybersecurity? There’s still a lot of mystery surrounding what exactly a profession in cybersecurity entails. The information isn’t that forthcoming. It’s not clear or simple to understand. This requires us to demystify the opportunities and talk about them not just in business terms, but in relatable terms.  Perhaps we’re just missing the mark on how to market jobs in this industry… Q. Do you think that the industry has an image problem? To many people, cybersecurity equates to – and is limited to – someone in a hoodie bent over a keyboard in a dark room. That’s not the case at all. If we don’t expand beyond that, we’ll lose out on even more people in the industry. Q. How did your role as a CISO enable you to champion the industry and the people in it? I believe leaders take ordinary people and enable them to do extraordinary things. I have been able to do that; I’ve been able to mentor and coach people to be better versions of themselves, better professionals, better employees, more productive, more engaged, better community leaders…  My goal is to help people connect hard work and aspiration.  Sure, you could go out and read a book on cybersecurity, but if you don’t understand the vocabulary or the required outcomes, and you don’t understand what impact these types of roles can have, you miss the plot. If you can contextualize it, it becomes real quickly.  When I coach people, I ask them to pick a person who they aspire to be. I ask them to tell me their name. You learn best by observation! If you can pick a person and you can visualize the role you want, it’s more attainable. If it’s a role that you want to have rather than a person you want to be like, then find the role you want, seek out the person doing that role, and try to understand what led them to that position. What do they know? How did they prepare? What do they deliver?  How are they recognized for it? That research will help you to create a roadmap of how to get there. This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, Funding Circle and more. #TheFutureIsCyber