Interviews With CISOs

Learn how to navigate the threat landscape, how to get buy-in, and how to break into the industry from these cybersecurity leaders from Shell, Penn State, and more.

Tessian Spotlight: Bridget Kenyon, Global Chief Information Security Officer at Thales eSecurity
05 November 2019
Bridget Kenyon is the Global CISO for Thales eSecurity, where she manages operational information security across the organization. Previously, Bridget served as the Head of Information Security at University College London, where she built and matured the information security governance function for the university. Bridget is a member and editor for the International Organization for Standardization, where she has edited and developed the management standards in the 27001 series. Additionally, Bridget has published a book on ISO 27001, which serves as an ideal guide for organizations preparing for the certification.

What are the greatest challenges you’ve faced while being in the role? Have these changed over time?
One of the greatest challenges that I have faced at Thales eSecurity has been the ongoing divestment, acquisition and merger activity that is currently taking place across the organization. With this occurring, it is important that we are appropriately transitioning all of the systems as well as spinning up new IT environments as required. With the merger, we have two separate environments that need to merge, and we need to ensure that they become aligned. For example, our organizations had two separate classification schemes for data. We had to work out how the schemes would fit together, considering things such as how policies and processes were being used in practice. One of the most exciting things with this merger, though, is that it has unblocked some of the security initiatives that I was trying to get started. Finally, with the merger it is a good chance to re-assess who has access to what, such as elevated privilege on certain systems.

Are there any core security principles you are guided by in your approach?
First, clear and simple communication. With the changes that are currently taking place across the organization, it’s important that clear communication is maintained at each level. One of the great things about this organizational change is that it has given us the opportunity to re-define aspects of our reporting and ultimately fine tune and simplify it so that it can become more effective. A second principle is to make sure that ideas are actionable. There is a tendency in information security to provide a lot of technical details dressed up as KPIs. Ultimately this heap of data becomes more of a talking point rather than an actionable item. Third, as security professionals we should be coming up with strategies and solutions to support the business. In the end the business is our customer, and everything that we do has to help it become better, not get in the way.

How important is the human factor when it comes to your role, and what impact does human error have on your cybersecurity planning?
I think of human error not as a fault in our make-up, but as an intrinsic part of human behavior; we have evolved to find and use the most efficient and energy-efficient solutions, so it’s totally normal to want to write a password down if it’s hard to remember, for example. Making security work for us is about understanding how people operate, and the decisions they make in real life situations. It’s also vital to equip people with a better understanding of the risks. Giving staff a to-do list without any context, for example, is not a reliable approach: while half of your audience may indeed just want to know what to do in what order, the other half will ask “why” something is being required, and balk at adopting a seemingly arbitrary set of rules. The other side of this is the idea of changing business processes and technology to better support employees. I believe that the purpose of IT is to support people performing business operations. If the IT processes are fit for the business purpose, then employees are not expected to stretch and bend their essential behaviors to fit the technology, and security issues are prevented. To avoid people writing passwords down as in my previous example, you could provide a password manager, or use fingerprints instead of a password for logging in.

Within your role, have you led any projects to make IT fit people’s needs?
At UCL, we had a password management system where students and employees had to change their password every 150 days. The worst problem with this system manifested when students had been away from UCL during the summer months; when they came back to UCL in the autumn term they had either forgotten their password or it had expired. This resulted in massive queues of students at the Service Desk during the first few weeks of term, as passwords had to be reset in person. We realized that we needed a way to improve this system and, due to our set-up, it had to be an in-house solution. After much thought, I invented a password reset system where, when the end user typed in their new password, there would be a colored bar underneath, indicating the strength of the password (nothing new here, but bear with me). Next to the bar was a number, and that number increased when you created a stronger password. The truly novel part was that the number represented the number of days that you got to keep that password! We had this system implemented, coupled with a system that would help you reset your password with SMS, and it helped solve the problem.

Trends show a gap in women leadership within the security landscape. What do you think it will take to get more women involved in the industry?
I believe that there are two elements. First, there are a lot of role models out there, but they’re unreachable. Somebody who is considering coming into cybersecurity may look at these role models and feel like they represent an unattainable ideal. A woman may work as a CISO; however, how many other women fell by the wayside? I would like to see more stories of women in reachable security positions. The second point is to encourage recruiters to suppress their bias when hiring and be less surprised when they are faced with a woman applying for a technical or leadership role in information security.

Looking forward, what kind of security culture are you working towards at Thales eSecurity?
I strive for a culture where the different parts of the organization are aware of how they can have an impact and contribute to security. I want people to feel a sense of agency and have the ability to propose change within the organization. We need a collaborative approach to security. The board, for example, could prescribe an outcome, and then it is up to the employees throughout the organization to work towards fulfilling it. I believe that it’s important for people to play a part in designing the policies that they themselves must comply with.
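The strength-scaled expiry scheme Bridget describes for UCL (a strength bar plus a number of days the new password may be kept), written up here as an added illustration rather than UCL's own code: the entropy estimate, the deny-list, and the mapping from strength to retention days are all assumptions, since the interview gives no scoring details.

```python
import math
from datetime import date, timedelta
from typing import Optional

# Constructed deny-list standing in for a real breached-password feed (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Hypothetical tiers: (minimum entropy bits, days the password may be kept).
# A password below the first tier is rejected (0 days).
RETENTION_TIERS = [(28, 30), (45, 90), (60, 180), (80, 365)]


def estimate_entropy_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def retention_days(password: str) -> int:
    """The number shown next to the bar: days the password may be kept (0 = rejected)."""
    if password.lower() in COMMON_PASSWORDS:
        return 0  # strength alone does not rescue a known-bad password
    bits = estimate_entropy_bits(password)
    days = 0
    for min_bits, tier_days in RETENTION_TIERS:
        if bits >= min_bits:
            days = tier_days  # tiers are ascending, so the last hit wins
    return days


def strength_bar(password: str) -> str:
    """The coloured bar rendered as text: one filled segment per tier reached."""
    bits = estimate_entropy_bits(password)
    reached = sum(1 for min_bits, _ in RETENTION_TIERS if bits >= min_bits)
    return "#" * reached + "-" * (len(RETENTION_TIERS) - reached)


def expiry_date(password: str, set_on: date) -> Optional[date]:
    """When the password must be changed again, or None if it was rejected."""
    days = retention_days(password)
    return None if days == 0 else set_on + timedelta(days=days)


if __name__ == "__main__":
    for candidate in ["password", "hunter2", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{candidate:28} {strength_bar(candidate)} {retention_days(candidate):4d} days")
```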
Tessian Spotlight: Helen Rabe, Global Chief Security Officer of Abcam
09 October 2019
Can you give an overview of your career history prior to joining Abcam?
I’ve had a fairly linear career journey in IT in general where security has always been a feature, given that I’ve worked across the full systems lifecycle from project management to service delivery. A lot of my earlier career focus was on reactive remediation projects for organizations that had been compromised. More recently, I made a conscious decision to specialize and moved into a dedicated security role at Costa. It proved a successful decision and it’s led me onto CBRE and more recently Abcam, where I am the Global Chief Security Officer (CSO).

Can you give an outline of your responsibilities as Global Chief Security Officer of Abcam?
It’s a wonderfully diverse role with many fascinating security considerations and unique challenges. Physical building management systems and specialized laboratory equipment are within my remit and they are an important part of our holistic security strategy. Abcam is a life-science company with a strong e-commerce element which facilitates external feedback on products using reviews and ratings submitted by customers. Abcam has a corporate culture driven by altruistic and humanitarian values, which creates a unique security and risk profile that’s different from industries like banking and telecoms that I’ve been in previously.

What are some of the challenges you’ve faced since being in the role?
Abcam is undergoing a major digital transformation as part of its growth strategy. Trying to establish a security program in an organization already impacted by a large change initiative is not easy. I need to ensure the security program does not contribute to ‘change fatigue’ and lose its effectiveness. I’m attempting to deliver security across an organization in a way that emphasizes helping people to understand that security adds value rather than being a process blocker; it requires a major communication initiative. I’ve had success with this by positioning security more as a lifestyle choice; this involves helping employees understand how security behaviors can benefit their personal lives as much as it can in the business world. It’s about embedding a security message in a relatable context; that’s how I believe you create positive security behaviors.

How important is the human factor when it comes to your security considerations?
To me personally, it’s a key factor in the success of my strategy. The human element in cybersecurity is complicated and it shouldn’t be treated as mutually exclusive from the technology enabling solutions we implement. One of the things that technology cannot fix outright is the insider threat, whether malicious or unintentionally negligent. Training employees in order to mitigate the insider threat can’t be a one-off, and training only goes so far in mitigating this risk. There needs to be a balanced approach in providing human intervention through validation processes alongside automated technology solutions; one should not be relied on over the other. I also support the notion that any security initiative or new policy requires a proportional internal ‘PR’ campaign around it to be effective. For example, if we’re taking something away from users like USBs and pulling away norms, you’re going to get the inevitable backlash, so we have to communicate what value the users are getting out of the situation to sell it internally prior to it being implemented and impacting them. I don’t think we can easily solve the human problem; human behavior is too variable for us to nail down entirely, and we shouldn’t rely on AI technology as the panacea, but what we can do is prepare for the known threats coming at us. Security needs to be more front line and supporting users for things like phishing and whaling BEC that we know are growing more sophisticated and involve critical human decision making.

When cybersecurity technology is at its best, what can it bring to an organization?
Value creation… if the technology offers users an intuitive, seamless experience and ensures security, it adds immediate value. This doesn’t necessarily have to be a tangible thing; if your users embrace the solution, by extension security benefits from the success and longer-term support for its initiatives. End users ultimately want to have a symbiotic relationship with technology. The best solutions have to be a meshing of technology and the soft line of people; understanding how each of these couples into the other and adds value is crucial.

What are the common misconceptions about the role of cybersecurity?
There is a belief that security owns everything, that it provides oversight for all risks, but this is a huge misconception. Most of the time we’re responsible but not accountable; security awareness programs should also include a basic overview of who security is and what it is accountable for. An example would be an introduction to the classic 3 lines of defence model to help business users understand the engagement model between business risk and security. This is why it’s important to have an understanding of the softer elements of security in order to make sure it works for end users; that’s the sign of a successful security program. To achieve this, my advice is to step outside the line of what’s considered the CSO role and to be creative.
Tessian Spotlight: Craig Hopkins, Chief Information Officer for the City of San Antonio
25 September 2019
Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years, after spending more than 20 years in financial services. San Antonio is the seventh-most populous city in the United States, and as CIO Craig manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes its mission, takes care of its employees, and remains secure.

What are the greatest challenges that you’ve faced being in the role?
Originally, when I came into the role, my primary responsibility was to build new technology relationships across the 42 departments that make up the city. This included looking at different departments’ business strategies and helping them leverage technology to support them. The second area of focus was to set and strengthen the culture inside of the IT organization and to work with our municipal partners across San Antonio as well. I think we’ve done a great job over the past two years on these focus areas. Now the team is integrating systems and processes across departments with a focus on common platforms and prioritizing the user experience. We’re utilizing design thinking techniques and are becoming more of a consultant to the departments rather than building individual technology silos. We’re also having the departments work together on a common set of platforms that help with user problems, not just individual problems that are department specific.

As the CIO of San Antonio, are there any core security principles that help guide your approach to security?
In the first year we were really focusing on the information security foundation and making sure that we were as strong as we could be with our policies and tools. However, we wanted to make sure that information security was not the only component. It’s really about understanding your overall security posture, which is a combination of physical, data and cyber. In the past year we’ve improved our principles based on the NIST framework with a focus on comprehensive training programs for our employees, network hardening, updating obsolete systems, threat profiling and vulnerability analysis. This has helped with communicating our policies and procedures and raising the cultural awareness within our organization. Security is everyone’s responsibility.

What unique pressures and dynamics do you face when it comes to cybersecurity decisions in the public sector?
Typically, people that work in tech will tell you that technology is the most important factor when it comes to making decisions about cybersecurity. What I’ve learned is that in reality, it’s about people. The human factor is incredibly important because people can be great at detecting threats and abnormalities in the system, more so than any tool, but they can also be your greatest internal threat, either intentionally or unintentionally. What we try to do here is to teach behaviors and have protocols that can minimize the risk of intentional and unintentional issues, such as only giving systems access to those who need it and constantly refreshing and validating the user rights. This sounds basic, but it’s the foundational practices and business processes that solidify your position. We also provide peer oversight, technical training, and teach how to combat social engineering. Ultimately, we want people to understand these threats to make sure that we are always leveraging our people first and our technology second.

What are the common misconceptions about the role of information security?
One of the common misconceptions that I hear is that an organization’s best defense is their technology tools. My response to that is actually that the best defense is a workplace culture that prioritizes cyber and physical security and creates aware and engaged employees and leaders. A second common misconception is that cybersecurity is for the IT team to solve. I believe that cybersecurity isn’t just an IT problem; it’s for leadership to solve across the organization. It’s the job of all leaders to support and protect the employees on our teams.

Looking forward, what type of security culture do you want to create within the City of San Antonio a few years from now?
A security-conscious culture where cyber, data, and physical security are naturally integrated into everything we do and every design decision that we make. It can’t be the only thing that we think about, because you can’t run a business that way, but it must be embedded in our thinking and our architecture, as we seek to improve the lives of our citizens and our employees in San Antonio. That is the culture that we want to build into our organization.
Tessian Spotlight: Don Welch, Chief Information Security Officer at Penn State University
04 July 2019
Can you give a brief overview of your background and responsibilities at Penn State?
As Chief Information Security Officer for Penn State University, I am in charge of a range of things including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.

What are your core objectives in the role?
One of the main objectives I work to is to understand who is on the network and who has access to what. This is what our privacy and security is all about: stopping people getting access to critical information that they shouldn’t. Compliance is another large objective that has a lot of overlap with security. Compliance is necessary, and often the fines and other sanctions are a serious risk to Penn State. However, while the standards do support security initiatives, they’re not sufficient in themselves. That makes the distinction between what policies and programmes are compliance-led versus security-led very important for us.

Have you observed any dynamics that are unique to university environments when it comes to information security?
The interesting thing for large research universities is that we are affected by almost every area of compliance and information threat that exists. We have healthcare data, valuable research, financial information, student PII as well as a nuclear reactor, an airport and all the utilities cities have. This means we are subject to a range of threats like nation state actors trying to steal IP or gather information for their country, and criminals targeting us for fraudulent payments.

Do you think universities are well equipped to deal with these threats?
No, it’s a real challenge. Universities do great things as faculties are very entrepreneurial, working on cutting edge innovations with relative autonomy. While autonomy is an important value of the institution, it makes cybersecurity more challenging. The university has so many faculties and operations which create a diverse range of activities within the one system. Creating security alignment that works effectively across the board is therefore a big undertaking.

How do you instil a cybersecurity culture in such a diverse environment?
We have 17,000 regular staff members and 100,000 students who all fall prey to different kinds of attacks. We tailor our education and training approach to each different group, ensuring that people understand both the threat to them personally and to the institution.

How does human error play a role in cyber vulnerabilities?
Phishing and social engineering attacks are getting more sophisticated, meaning that even very intelligent people can be deceived. We know people make mistakes, so it’s important to maintain a combination of approaches to mitigate human error. We implement layered security strategies because you can’t depend on a single defence approach. We build security that considers everything together: people, technology and processes. With a phishing campaign, for example, when a normal user has fallen victim and an attacker takes over that account, we have several ways of identifying the attack and stopping it before the attacker does damage. We look for strange account activity that indicates a compromised account. We mandate protections on privileged accounts, changing the password every time it is used. We separate our sensitive systems from the rest of the network. These are some of the controls we use to protect our system in a layered and integrated manner.

Where do you see the biggest risks being in future?
Attackers are always innovating, so we have to continually evolve our defences to keep up. This will become more challenging when adversaries begin to use AI and automated techniques to attack systems much more rapidly. We’ll have to act more quickly to match their speed. But we still have the basic challenges that we need to address: simple attacks still succeed because people continue to fall for spear phishing attacks. We cannot forget about the basics and get distracted by shiny new toys.

What are the common misconceptions about the role of cybersecurity?
A lot of cybersecurity professionals look at security from a risk-based approach: they’ll assess what the individual risks to the organization are. That’s important, but it has to be incorporated into a larger strategy that looks at the bigger picture of potential damage and allocates our cybersecurity resources in an efficient and effective way. We have to think how our attackers are thinking in order to understand how they will attack us.
Tessian Spotlight: Graham Thomson, CISO at Irwin Mitchell
04 July 2019
Tessian spoke to Graham Thomson, CISO at leading law firm Irwin Mitchell, about his career and why he uses Tessian to keep Irwin Mitchell’s employees safe on email.

To get started, can you take us through how you first got into security?
I got my degree in genetics and then worked in military intelligence, where I received a grounding in computer security. After a few years, I left the military and got a job as an investigator for a global retailer. Initially this was to investigate fraud and corruption, but it evolved to cover issues relating to information security, such as insider breaches and hacking. Having decided that a career in information security was for me, I then obtained my CISSP qualification. I’ve since been lucky to experience many different industries, including insurance, online banking and e-commerce, and now the legal sector. I’ve been focused purely on information security for around 12 years now.

How has the industry changed since you began your career, and what has the impact of technology on security been?
Information security has changed hugely over time, probably because the threats themselves have changed. When I started out, I think it’s fair to say the work we were doing probably wasn’t that well understood. When I was being trained initially, I remember learning about a KGB-initiated infiltration of systems that was discovered pretty much by chance: this was a real eye-opener that brought home just how important computer security was going to be in the modern economy. One of the biggest changes is the focus on people. Previously, security professionals would be technical IT specialists, but today many different career paths, the military and law enforcement being just a couple of examples, can lead towards information security. The ability to understand an issue from the attacker’s point of view is very useful. You can spend as much money as you want on technology, but at the end of the day there are humans with legitimate access to your systems; if they are negligent or abuse their positions, then there’s very little that tech can do to stop that.

What are your core responsibilities at Irwin Mitchell? And what are your ambitions for your department and the team over the coming years?
My core responsibility is setting the strategic security vision for the company and making sure we successfully deliver on our objectives. I refer back to this regularly to work out whether there are gaps in our present strategic framework, or whether we need to readjust priorities on particular technical projects. It’s all well and good sitting and thinking about high-level problems, but real-world feedback really helps to crystallize the impact of what we’re doing. It’s my security policy, but I want to know how it translates across the business. The key thing is that many people within law firms deal with very sensitive personal and company data. Our bread and butter is keeping this safe. Firms in other sectors may only have a few people dealing with sensitive data, but in law firms the proportion of people in the business who have this responsibility is far higher. This information isn’t just internal; it comes from external parties too. For example, we might have sensitive medical records or information relating to military matters as part of the work our solicitors do. The legal space is a fairly unusual sector in that we have to think about security in a very broad sense. The very term ‘cybersecurity’ reflects the fact that more and more of the information people consume is digital. But working at a law firm, there are paper records that have to be dealt with too. So my role depends on understanding and managing all the implications of information security, not just the technical aspects. It’s important to remember that our people could be very experienced lawyers or new graduates: we have to make sure that everyone understands what their security responsibilities are. People have to know how to handle information from when it comes into our orbit right through to when we dispose of it. Security can’t just be a case of asking people to read a lengthy, technical policy document. I have to ensure the information is relayed in a way that’s meaningful, interesting and relevant, and I need to make sure the technical tools we use are easy to understand.

How can new security technology help the legal sector really make strides in the years to come?
The first thing to say is that the legal sector has probably not moved as fast as some other sectors when it comes to adopting technological solutions. Although there are some startups making strides in ‘legal tech’, fintech, for instance, has a higher profile and potentially more innovation happening in that space right now. Things are improving, but the sector as a whole has possibly been slightly behind the times. For me, where the sector could really benefit is access to justice: I think tech will help ordinary people engage more meaningfully with the legal system. Law is complex, and there are so many gray areas, but I’m hopeful that developments in artificial intelligence (AI) hold a lot of promise. It’s never a good thing when someone decides not to approach a lawyer or a law firm because they’re not sure whether it’s worth it or because they think the process will be particularly laborious. Tech that allows people to ask initial questions without having to directly engage the services of a human lawyer could mean that people find it less intimidating to approach law firms. I think we’re now moving past the point where people expect to have to walk into a physical office to have a meaningful conversation with a legal professional. You could easily get the same result from your own home, or on your phone, and that kind of relationship is what we need to be thinking about. I also think there could be major benefits to research. When paralegals need to sift through thousands of pages, AI could help surface the relevant information more quickly. Bots that do more labor-intensive work like reviewing long contracts could also save significant chunks of time. Next-generation technologies like AI could definitely help the legal sector move forward. The danger with AI, though, is that biases may still come into play, as is often the case when dealing with complex algorithms.

Can you tell us about your experience bringing new technologies into a law firm?
I’m fortunate that today, cybersecurity is taken very seriously at board level. If I can show that there’s a requirement and a potential benefit with a new piece of technology, the appetite to mitigate that risk is usually there. When it comes to end users, we have to think carefully about altering processes they might be used to, or telling them to stop doing something that seems innocuous. I’ve found that as long as the training and awareness is communicated well, it’s usually accepted without too many hiccups. Interestingly, when we implemented Tessian Guardian, which helps us combat misdirected emails within the organization, it was one of the few security products where we had no complaints about it. In fact, people sent us screenshots thanking us for preventing emails potentially going to the wrong destination! It’s great for the team to feel like we’re making positive changes within the organization.

Could you describe Irwin Mitchell’s attitude to information security in a couple of sentences?
Our people see information security as an absolute necessity when it comes to doing business. Everyone acknowledges that they share responsibility for the firm’s success or failure here.

So how important is Tessian to your overall security stack?
Tessian is critical for us. Misdirecting an email is very easily done: people want to be productive, and they don’t always notice when autocomplete gives them an incorrect email address. Tessian also gives us great analytics and reports which help us actually analyze the data, over and above the solution itself. We’re soon going to be implementing Tessian Defender, which will help us address inbound spear phishing threats and make Irwin Mitchell’s security structure even more secure. Tessian is just a very clear way for us to communicate potential risks and give our colleagues additional protection.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Sarat Muddu, IT Security Director at Kelley Drye
04 July 2019
Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change, and how his firm wards off threats by embracing innovation.

As an IT professional, what attracted you to a career in the legal sector?
I’ve had experience in a wide variety of sectors, but I was fascinated by the security challenges of the legal space. Although I wasn’t a legal expert when I joined Kelley Drye, I moved across from health care, which is another industry that is extremely sensitive to cybersecurity risks, so I understood the importance of the problem.

How important is it that the top level of a firm is alert to the dangers of cybersecurity?
Even at board level, there should be people who understand the more nuanced technical details of a security project. At Kelley Drye we’ve been lucky to get great buy-in from our managing partner and CIO. They see a direct connection between a well-constructed security policy and the broader success of the business. I can’t speak for other law firms, but ever since I’ve been working in the legal sector, I’ve seen significant positive movement in how people approach and value security. This is one really refreshing change. We regularly get inquiries from partners asking whether we are protecting ourselves against this or that new threat – they pay attention and want to ensure firm and client safety. If we can continue developing this kind of curious mindset, I’ll be happy. It’s important to remember that a main driver of this new focus comes from partners being keenly aware of potential damage to a firm’s reputation. You don’t want to be the firm in the headlines because of a security breach, and you have to preserve client relationships, which are the bedrock of any firm.

Why is email a particularly high-risk activity at law firms?
I think all industries are susceptible to engaging in risky behaviors, but the kinds of data held in law firms means any unauthorized email that goes to a personal address is potentially more dangerous because of the content of that email. We all want to take the convenient path, but it’s the responsibility of a security team to manage and, if necessary, plug holes in those workflows that increase risk. Email is one of the most heavily used tools in any law firm, alongside document management systems. Human error is always one of the big factors in any data breach report. Lawyers send and receive a lot of email, so in a sense it’s natural that they may be more likely to misdirect an email, for instance. Even IT teams are not immune to these pressures!

Is it the case that email is just an inherently risky mode of communication?
At Kelley Drye, our ‘Defense in Depth’ strategy tackles security concerns at every layer of the stack, from our perimeter down to individual devices, and people too. As a security team, we have established a number of risk management and training programs to help us avoid any sleepless nights. Email security is a critically important part of this mix. As technologists, we have to make sure that all our communications channels allow business to function without any hindrance. If people don’t have a seamless experience in an enterprise, that actually raises the likelihood of people trying to evade those systems by, for instance, sending an email to their personal address so they can work on something at home. They’re not trying to be malicious, but they are putting data at risk. That’s why when we’re thinking about bringing in a new security tool, we take into account not only how robust the product is but how it impacts the team’s work. Ease of use is incredibly important to us, and that’s actually what Tessian does very well.

How does Tessian make it easier for you to learn about and act on potentially risky behaviors?
It was really important to us that Tessian would improve our knowledge as a security team. The market for security products is incredibly saturated, and not every product is able to offer a rich level of detail to its administrators. Not only did Tessian give us valuable historical analysis, working retroactively, it was very easy to start using it. Out of all the security products we’ve invested in, Tessian has had the lowest amount of up-front work to do to get set up. This meant we could get started analyzing the results straight away. We are now able to have a better dialogue with legal professionals and other end users, because rather than just being blocked from doing certain things, people know why an action could be problematic thanks to the insights Tessian displays within the email client.

So do tech products like Tessian help you drive cultural change within the firm?
Implementing change is only easy when it’s a team effort. When I’m making a business case for why a tool will help the firm, having productive discussions around the business – not just with the management team – is paramount. You can’t drive real cultural change with just a couple of people: it doesn’t happen overnight. In general, when we’re implementing a new piece of technology, the fewer complaints we get the better, and we haven’t had a single complaint or unhappy query about Tessian. In the long run, this makes it easier for me to bring the next security project to the board and justify investment, which makes my job easier.

Finally, looking a few years ahead, where would you like to see the legal sector progress?
I think the legal sector is in a really interesting period as far as technology is concerned. Every time I go to a conference there are new and innovative solutions targeted at helping law firms succeed. At the same time, the business of law firms is changing. We have to evolve at the same pace as other industries, moving with the times. We’re seeing big shifts towards agile and remote working, for instance. How are legal security teams going to deal with this new dynamic, securing client data while giving professionals more flexible ways to get work done? For us, investments in products like Tessian are a great example of how much the firm values technological innovation.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Duncan Eadie, IT Director at Charles Russell Speechlys
04 July 2019
Duncan Eadie, IT Director at Charles Russell Speechlys, speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.

What were some of the main threats in cybersecurity when you first moved into the sector?
The first computer virus I was aware of was distributed in 1988, and in my first job we had a lunchtime session discussing it! We then had to contend with viruses distributed via floppy disk, which demonstrates just how far the industry has come. At that time, people breaking into computer systems was almost done for fun; now, cyber crime is a major global industry in its own right. Lawyers and clients alike are now all aware of the consequences of handling data inappropriately. Today, we expect security from every organisation we deal with, not only as professionals but also in our personal lives.

Does security permeate all aspects of your role, or is it effectively treated almost as its own business unit?
My role is essentially to design and deliver Charles Russell Speechlys’ IT strategy. That means overseeing the development of products and services, and then successfully introducing these across the business. Within the IT department, I’d say that security has had to become more of a specialist requirement in recent years, partly because criminals and tactics are becoming more sophisticated. This vertical knowledge has to be supported by core tools that help us do this more specialized work.

What are some of the challenges around driving change in a business like Charles Russell Speechlys?
In some ways it depends on the change you’re introducing. When we introduce products like Tessian, which doesn’t necessitate huge change to working practices and which doesn’t require lots of training, you can feel people embracing the change in a different way. From a people perspective, the principal security challenge is really to make sure that everyone around the organization is vigilant, whether you’re a lawyer, a secretary, a software engineer or a marketing professional. In a broader sense, the entire legal industry is feeling that there’s a significant shift happening right now. This isn’t at the individual or firm level, it’s impacting the whole sector. Firms have to decide at what point they want to catch that wave of change. For forward-thinking law firms, this is a fantastic opportunity to build on the heritage of the past and embrace the opportunities of the future, something that’s in the DNA of Charles Russell Speechlys.

So why is this technological shift happening now, and what are the knock-on effects for security?
I think there is some frustration on the part of clients that the legal sector isn’t changing and evolving at the same speed as other industries. Changing customer demographics are beginning to disrupt the legal market in the same way as many other industries. In general, customers are more willing to challenge the professions and really engage with their service providers, and that means law firms need to offer a modern experience for clients. Regulatory changes are also impacting these strategic decisions. We’re now seeing more punitive penalties for breaches of regulation, and that affects the way firms might think about the risks of expanding into a new practice area, for instance. All of this has consequences for security.

What do you wish the average lawyer knew about cybersecurity?
That if their cybersecurity knowledge is not up to scratch, their firm’s reputation could be damaged very quickly. We’re talking about a relatively small investment in time to focus on cybersecurity best practices. In the long run, this could protect a reputation which has been built up over decades. It only takes a moment to potentially destroy all that.

And what would you say to a technologist or security professional thinking about a career in the legal sector? What advice do you have that would help them make an impact?
Too often in the industry, making something more ‘secure’ results in making it harder to interact with. Technologists coming into the sector should empathise with legal professionals and realise that people don’t want barriers, however difficult that might be to incorporate into products. If people build products that combine security with ease of use, you’re onto a winner, and that’s actually what Tessian has done. The other thing for IT specialists to remember is that much of a law firm’s business still stems from its reputation. Reputation can be a very fragile entity, but it’s also why law firms will survive over the long term. Protecting reputation is absolutely key. So much important work carried out by lawyers is based on their firm’s and their own reputation. When people or businesses are in extremely sensitive situations, facing very difficult decisions, they don’t want an app, they want to talk to someone whose advice they trust. In this environment, our duty is to preserve and enable this intimate communication as best as we can with the support of technology, while balancing this need with best-in-class security practices.

How is Tessian helping Charles Russell Speechlys tackle threats and manage email security?
Well, the channel that generates the highest number of complaints to the ICO every year is email. Firms can easily send hundreds of thousands of emails every month: when businesses have that volume of communication, you don’t have to be wrong very often for it to really matter. Misdirecting an email isn’t something someone does intentionally, and I’m sure that your readers have all experienced sending an email to the wrong person at some point. With Tessian, we don’t encounter pushback from within the organisation, so it’s a great way to deliver meaningful change in the firm. Tessian proves that modern technology can support our lawyers and help protect their relationships with clients.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Mark Ramsey, Chief Information Security Officer of Americas Division at ASSA ABLOY Group
30 April 2019
Mark Ramsey has over 30 years’ experience in software engineering and security. He initially trained as a software engineer and transitioned into the security side of Information Technology, as it became a growing area within enterprises. He has set up security teams from scratch in a handful of businesses including Assa Abloy, where he is currently Chief Information Security Officer. Alongside this, he is committed to knowledge and education around cybersecurity, and teaches masters-level students at Fairfield University where he has been a Professor for the past 33 years.

What can you share from your experience creating a security function from scratch?
I’ve done this for three companies now. I find most people are cooperative because there is a growing understanding that security is crucial for the successful running of a company. Most people want to be secure and to do things right, but it’s important to strike a balance. You must be sure to make things secure, but flexible enough so people are able to do their jobs and do them well. For Assa Abloy, security has always been a priority; it is in our DNA given we are a security lock company. We have been building up our security profile but it is an on-going process with new challenges. We are preparing for the expansion to the Internet of Things.

What are the greatest challenges you have overcome since you have been CISO of Assa Abloy – Americas?
My biggest fear is the employees. You can put in all the technology in the world, but sometimes people will not be thinking; that is human nature. The risk is not just malicious in nature; mistakes can be unintentional. It is not just on email where this can happen, it can happen in file sharing environments. All it takes is one click. We have set up many training sessions to help combat this, with training on secure business processes, and security awareness. I am lucky to have many years’ experience in university lecturing, so I know how to translate technical aspects into easy-to-learn steps. We do know people are getting better. What is making it tougher is that there are two things accelerating. Everything is increasingly global and accessible, and everything relies on cyber. You need to know where your data is stored, who the owners are and how it is classified. We can put protection in one area, but if we find a breach in another then you have wasted time and money. It’s not a security project, it’s a programme – a case of on-going management.

How should senior cybersecurity executives ideally work with the board?
I’ve been fortunate to work with security conscious boards, but I would advise people not to scaremonger. It’s best to communicate honestly, to make them aware of risk levels and explain what can be done. Security teams ultimately don’t make the company money, but they certainly can generate value in the long run. Security is a wise expense that can keep boards out of the news if they’re provided with the right information to make an educated decision. We’re lucky now with GDPR and CCPA providing external standards and pressure. Most boards now know they will be held responsible; this means they are actually seeking out help from security leaders.

Do you have any advice for new CISOs to set them up for success?
Communicate, communicate, and communicate. Keep the business leaders and employees informed of the risks and what needs to be done to mitigate them. Be willing to compromise; there are some areas that might not have all the policies we want in place, but we have to find what will realistically be adopted. Security practices must still allow people to do their jobs properly and securely.
Tessian Spotlight: Giampiero Astuti, Group CIO at Astaldi
24 April 2019
Giampiero Astuti has served as Group Chief Information Officer at global construction company Astaldi since 2003. Before joining Astaldi, he worked as CIO in different industries (financial services, IT, and pharma / biotech) both in Italy and abroad.

What are your principal responsibilities at Astaldi?
My role is to define Astaldi’s information and digital strategy and, consequently, plan the evolution of the Group’s information systems. I am supported by a team of around 50 people, spread across different functions and countries. A vital part of my job is to enable better information management and communication across the business: Astaldi operates more than 250 sites in 20+ different countries, so our information requirements are quite complex.

How do you manage security risks in such a complicated global business?
Astaldi has more than 50,000 different active suppliers worldwide: we have a very varied range of product and service partners. This creates inevitable security risks. We also need to be careful when working with other construction companies on joint venture projects, which is a very common occurrence in our industry. We could be working together with a company on one project, but simultaneously competing with that same company for another separate tender. This makes information governance extremely important.

What are some of the most interesting problems CIOs in the construction sector have to tackle?
It’s worth stating that every sector has its own particular opportunities and threats, of course. But considering the fact that the construction sector can be quite traditional and conservative, CIOs have to maximize innovation by focusing on great change management and creating value from relatively limited IT budgets.

So how has the sector changed since you started working at Astaldi?
When I joined Astaldi there were no web apps or content management solutions: some information was still being shared by fax. Inevitably, much more of our activity is digital these days. There are so many fascinating new paradigms becoming more and more popular in the sector, such as BIM (Building Information Modelling) and Industry 4.0. These are great opportunities for us, but they are also significant security threats. As more and more devices and machines are connected to networks, the potential risks increase dramatically. In construction, we must also think of physical safety as well as data loss, so the risks are magnified even more if systems are corrupted or hijacked. There are also challenges bringing these new ideas into our work. We are experimenting with the possibilities of machine learning and other next-generation technologies, but when competing to win contracts it can be tricky to persuade a customer that a newer technology is going to be practical and cost-effective. Our projects range from hundreds of millions of euros up to multiple billions of euros: this scale can make the implementation of new technologies very expensive and complex.

Lastly, what are the key qualities of the best CIOs?
Firstly, I think it’s very important that CIOs are much more than just technical experts. I studied economics, for instance, and I think a broad understanding of business and project management is very important in this role. Technology knowledge will always be important, but CIOs must also have good soft skills like motivation and leadership. In my view, these are just as important as IT expertise.
Tessian Spotlight: Jaya Baloo, Chief Information Security Officer at KPN Telecom
09 April 2019
Jaya Baloo joined KPN Telecom 6 years ago, as the Chief Information Security Officer, to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

What are the greatest challenges you have overcome since you became CISO?
The one thing I keep telling my team that I can guarantee is we are going to get hacked. It’s because we are such a big network and also because we are an intermediate target to get to other targets. Obviously, we try to prevent as much as we can, respond as quickly as possible and verify as many actions as possible. The main challenge is to always keep thinking of new ways that we could improve our existing security measures in novel ways. We recently set up a new unit that invents new security solutions which we cannot find in the market, for example a post-quantum VPN tool.

How should CISOs work with the rest of the board?
People need to realize that security is actually sticky in that it is something very relatable to each and every role. You inherently realise that if you do not address a security issue then you will be exposing yourself to a risk. As a CISO, you should use this to your advantage, relate your cybersecurity objectives to the motives of the board and make it as relevant to them as possible. I also don’t believe that support for cybersecurity ends with the board; effective storytelling might work for senior leadership but you ultimately need every employee on your side to realise how they can best defend the company within their role in order for this to work.

What needs to change about how most organizations are handling their information security?
A lot of companies are quite relaxed about their cybersecurity, almost too relaxed. This is usually because they are not measuring what is actually going on in their company. They tend to generally want to trust their employees, partners and vendors. The issue is that trust is ultimately just a social contract and the health of this contract needs to be checked. So only if you monitor the behavior of your employees, partners and vendors can you give your trust to them freely. This is not a well-known threat for many of the larger companies.

How much of a role does human error play in data breaches?
Human error plays a huge role in data breaches. Whenever I talk about employees being a threat, I don’t simply mean the malicious ones who want to wreak havoc across your organization. A lot of accidental actions create many of these problems. That’s why creating cybersecurity awareness across a company is so difficult to scale. All forms of attacks tend to begin with some form of targeted phishing which is very challenging because of the social engineering aspect. That’s why you need a system in place that takes these issues into account and why the best solution a company can have is a mix of technology and user awareness.

Do you have any advice for new CISOs to help set them up for success?
CISOs typically come from a very technical background and tend to think that they need to develop their metaskills such as presentation or storytelling. Obviously this is not a bad thing but it does become an issue when they invest in these new skills at the detriment of those core technical skills that got them there in the first place. So I would recommend obviously investing in those metaskills but also doing a technical training session once a year with your team. Try to stay abreast of the newest technical trends as well by networking and speaking to other CISOs.
Tessian Spotlight: Kevin Delange, Chief Information Security Officer at International Game Technology
05 April 2019
Kevin has an extensive background in information security, systems architecture and communications. As Chief Information Security Officer at International Game Technology, he holds global responsibility for information security as well as governance, compliance and threat intelligence.

What are the greatest challenges you have overcome since you became CISO?
Most of the challenges you tend to face as CISO are people challenges like understanding how different areas work and what their state of security is. This is critical, but can be difficult especially when you are trying to integrate all the different operations into a single security unit.

What are specific tactics you use to engage the board?
The two main functions of my job are to communicate updates to the board and keep a finger on the pulse of the business. This means that I need to translate tech speak into business speak for the board, because if I can’t communicate it well, then nobody will listen. Therefore, the art of presentation is key and you should avoid communicating anything too technical. Ultimately, when speaking to the CISO, the board is interested in understanding our risk profile. If the profile is acceptable and you can communicate that clearly, they will be happy.

What are the most important KPIs or security indicators that gaming companies should care about?
From a high level, the two most important security aspects that every company should care about — not just gaming companies — are knowing what your attack surface is (i.e., the different attack points) and what your defences are. Based on those two, you can then determine what your KPIs should be. Other than that, understanding how well you are implementing governance, risk and compliance requirements and meeting your regulatory obligations should be on every company’s mind. You need to make sure you are operating in line with the regulatory requirements. If you are compliant and you understand what your attack profile and defences are, you can solve a huge portion of what the board is concerned about.

What needs to change about how most organizations are handling their information security?
Companies should accept that it is just a matter of time before something happens, and they need to be prepared for attacks to get through their defences. I’ve been exposed to a lot of organizations that focus entirely on preventing attacks and do not have a plan for dealing with successful attacks. It is important to be prepared for every scenario, and this is not something that many companies are doing. The key is understanding that technology is ultimately a means to achieving an acceptable risk profile.

What are the greatest information security threats to the gaming industry and how would you address these?
The biggest threat is phishing, and this is not unique to the gaming industry. Being able to deal with phishing attacks and reacting to successful ones should be at the top of everyone’s mind. Phishing attacks are basically 90% of the way people are attacking you; all other attack vectors are significantly smaller. Many threats can be dealt with quite well, but addressing the social engineering aspect that makes phishing attacks hyper-targeted is extremely difficult.

What do you read/listen to stay on top of advancements in information security?
Information security is all about being up-to-date. The joke used to be that technology changes in dog years; now it’s more in the mayfly territory, where every single day something new comes up. I take advantage of any article that highlights new possible attack vectors, or helps me understand how I could deal with these attacks. If you don’t know what you are dealing with, then you will simply not be able to deal with it. Another option is to go to tradeshows or networking events that involve a lot of knowledge sharing.
Tessian Spotlight: Richard Wakefield, Chief Technical Officer at Salford Royal NHS Foundation Trust
05 April 2019
Richard is the Chief Technical Officer at Salford Royal NHS Foundation Trust, which he joined in 1998. His responsibilities range from infrastructure provision and digital equipment to cybersecurity.

What are the greatest challenges you have overcome since you became Chief Technical Officer?
The most difficult challenge was initially dealing with cybersecurity, but there has been a huge transition in how we view it. It used to be seen as something we did alongside the ‘day job’, but now it has taken a much more central role. The main challenge is embedding cybersecurity culture and awareness into teams, and ensuring that security is dealt with in the right way at all levels. Part of my role is to introduce cybersecurity topics to the board, to make sure leadership are aware of the risks that the organization is presented with. How these risks are perceived will then influence our strategic direction when it comes to cybersecurity.

How should security executives ideally work with the rest of the board?
Security executives should first become aware of the language they are using, and change it if necessary to suit their audience. Many of them come from a technical background and speak in highly technical terms. People from other backgrounds will struggle to understand cybersecurity if it is presented in a highly technical manner, and they may consequently fail to realize its importance. Analogies are powerful ways to help translate to a non-technical audience. It comes down to understanding your audience, including their backgrounds and motivations. This has been one of the most important things I have understood in the last couple of years.

How are most organizations handling their information security, and what should ideally change?
I think a lot of people don’t understand cybersecurity and how it could impact on them personally or on the organization they work in. People tend to view it as something that restricts people, rather than being an area that protects them. Most organizations need to do a better job of embedding their security team into the wider business culture. Security measures should be viewed as coming from within the organization, rather than as something alien. Another important aspect is to foster a transparent culture between employees about cyber risks, and have everyone be willing to report their mistakes.

What are the greatest information security threats to the healthcare industry?
Medical devices now have far more digital capabilities than ever before, but with this comes a higher risk of these capabilities being exploited. Hacking groups are aware of the value of the information held in these devices. Unfortunately, I see this risk increasing over the coming years as everything becomes far more digitally integrated. Another risk unique to the public healthcare sector is that funding tends to be very tight. Usually, cybersecurity is viewed as a cost-avoidance tool by decision-makers and is not prioritized enough as a result. This makes attracting and retaining cybersecurity talent, as well as having the right level of security in place, important challenges. The Salford Royal NHS Foundation Trust is fortunate enough to have a great team, but many other organizations struggle to retain talent.

Do you have any advice for new cybersecurity executives to help set them up for success?
It’s all about the relationships you have with the key influencers in your organization. You could be doing all of the right things but if you don’t have the right support at the right level then you won’t achieve anything. It is also extremely important that you establish a cybersecurity performance baseline when you are just starting out. A lot of people start changing things as soon as they start, but if you can’t compare your changes to anything, then you won’t know if you’re improving. Therefore, the first thing you should do is simply observe and establish a baseline for yourself of what is going on.