Spotlight Series
Tessian Spotlight: Bridget Kenyon, Global Chief Information Security Officer at Thales eSecurity
05 November 2019
Bridget Kenyon is the Global CISO for Thales eSecurity where she manages operational information security across the organization. Previously, Bridget has served as the Head of Information Security at University College London where she built and matured the information security governance function for the university. Bridget is a member and editor for the International Organization for Standardization where she has edited and developed the management standards in the 27001 series. Additionally, Bridget has published a book on ISO 27001, which serves as an ideal guide for organizations preparing for the certification.
What are the greatest challenges you’ve faced while being in the role? Have these changed over time?
One of the greatest challenges that I have faced at Thales eSecurity has been the ongoing divestment, acquisition and merger activity that is currently taking place across the organization. With this occurring, it is important that we are appropriately transitioning all of the systems as well as spinning up new IT environments as required. With the merger, we have two separate environments that need to merge, and we need to ensure that they become aligned. For example, our organizations had two separate classification schemes for data. We had to work out how the schemes would fit together, considering things such as how policies and processes were being used in practice. One of the most exciting things with this merger, though, is that it has unblocked some of the security initiatives that I was trying to get started. Finally, with the merger it is a good chance to re-assess who has access to what, such as elevated privilege on certain systems.
Are there any core security principles you are guided by in your approach?
First – clear and simple communication. With the changes that are currently taking place across the organization, it’s important that clear communication is maintained at each level.
One of the great things about this organizational change is that it has given us the opportunity to re-define aspects of our reporting and ultimately fine tune and simplify it so that it can become more effective. A second principle is to make sure that ideas are actionable. There is a tendency in information security to provide a lot of technical details dressed up as KPIs. Ultimately this heap of data becomes more of a talking point rather than an actionable item. Third, as security professionals we should be coming up with strategies and solutions to support the business. In the end the business is our customer, and everything that we do has to help it become better, not get in the way.
How important is the human factor when it comes to your role and what impact does human error have on your cybersecurity planning?
I think of human error not as a fault in our make-up, but as an intrinsic part of human behavior; we have evolved to find and use the most efficient and energy-efficient solutions, so it’s totally normal to want to write a password down if it’s hard to remember, for example. Making security work for us is about understanding how people operate, and the decisions they make in real life situations. It’s also vital to equip people with a better understanding of the risks. Giving staff a to-do list without any context, for example, is not a reliable approach: while half of your audience may indeed just want to know what to do in what order, the other half will ask “why” something is being required, and balk at adopting a seemingly arbitrary set of rules. The other side of this is the idea of changing business processes and technology to better support employees. I believe that the purpose of IT is to support people performing business operations. If the IT processes are fit for the business purpose, then employees are not expected to stretch and bend their essential behaviors to fit the technology, and security issues are prevented.
To avoid people writing passwords down as in my previous example, you could provide a password manager, or use fingerprints instead of a password for logging in.
Within your role, have you led any projects to make IT fit people’s needs?
At UCL, we had a password management system where students and employees had to change their password every 150 days. The worst problem with this system manifested when students had been away from UCL during the summer months; when they came back to UCL in the autumn term they had either forgotten their password or it had expired. This resulted in massive queues of students at the Service Desk during the first few weeks of term, as passwords had to be reset in person. We realized that we needed a way to improve this system and, due to our set-up, it had to be an in-house solution. After much thought, I invented a password reset system where, when the end user typed in their new password, there would be a colored bar underneath, indicating the strength of the password (nothing new here, but bear with me). Next to the bar was a number, and that number increased when you created a stronger password. The truly novel part was that the number represented the number of days that you got to keep that password! We had this system implemented, coupled with a system that would help you reset your password with SMS, and it helped solve the problem.
Trends show a gap in women’s leadership within the security landscape. What do you think it will take to get more women involved in the industry?
I believe that there are two elements. First, there are a lot of role models out there – but they’re unreachable. Somebody who is considering coming into cybersecurity may look at these role models and feel like they represent an unattainable ideal. A woman may work as a CISO; however, how many other women fell by the wayside? I would like to see more stories of women in reachable security positions.
The second point is to encourage recruiters to suppress their bias when hiring and be less surprised when they are faced with a woman applying for a technical or leadership role in information security.
Looking forward – what kind of security culture are you working towards at Thales eSecurity?
I strive for a culture where the different parts of the organization are aware of how they can have an impact and contribute to security. I want people to feel a sense of agency and have the ability to propose change within the organization. We need a collaborative approach to security. The board, for example, could prescribe an outcome, and then it is up to the employees throughout the organization to work towards fulfilling it. I believe that it’s important for people to play a part in designing the policies that they themselves must comply with.
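A small working model of the strength-scaled password lifetime Bridget describes above (a stronger password earns more days before it must be changed), added here as an illustration and not UCL's own reset system. The entropy estimate, the 28 and 80 bit thresholds, the 30 to 365 day range and the blocklist are assumptions chosen to make the mechanism concrete.

```python
"""Strength-scaled password lifetime: the stronger the new password, the more
days the user keeps it. The scoring rule, the band limits and the day values
are assumptions for illustration, not figures from UCL or Thales."""
import math
import string
from datetime import date, timedelta

MIN_BITS = 28.0   # assumed floor: anything weaker is rejected outright
MAX_BITS = 80.0   # assumed ceiling: at or above this the maximum lifetime applies
MIN_DAYS = 30     # assumed lifetime granted at MIN_BITS
MAX_DAYS = 365    # assumed lifetime granted at MAX_BITS

# Constructed stand-in for a real breached-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def charset_size(pw: str) -> int:
    """Size of the character-class mix that could have produced pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return size


def strength_bits(pw: str) -> float:
    """Crude brute-force entropy estimate in bits.

    log2(charset ** length), with each repeated or sequential character
    (aa, ab, ba, 12) counted as half a character, and known-common passwords
    scored as zero. This is an assumed scoring rule, not a reference one."""
    if not pw or pw.lower() in COMMON_PASSWORDS:
        return 0.0
    penalty = sum(1 for a, b in zip(pw, pw[1:]) if abs(ord(b) - ord(a)) <= 1)
    effective_length = len(pw) - 0.5 * penalty
    return max(0.0, effective_length * math.log2(charset_size(pw)))


def lifetime_days(pw: str) -> int:
    """Days the user may keep pw; 0 means the password is not accepted."""
    bits = strength_bits(pw)
    if bits < MIN_BITS:
        return 0
    fraction = min(1.0, (bits - MIN_BITS) / (MAX_BITS - MIN_BITS))
    return MIN_DAYS + int(round(fraction * (MAX_DAYS - MIN_DAYS)))


def strength_label(pw: str) -> str:
    """Label for the coloured bar shown next to the day counter."""
    days = lifetime_days(pw)
    if days == 0:
        return "rejected"
    if days < 90:
        return "weak"
    if days < 240:
        return "fair"
    return "strong"


def expires_on(pw: str, changed_on: date) -> date:
    """Expiry date implied by the strength-scaled lifetime."""
    return changed_on + timedelta(days=lifetime_days(pw))


def is_expired(pw: str, changed_on: date, today: date) -> bool:
    """True once the lifetime has run out (or the password was never accepted)."""
    return today >= expires_on(pw, changed_on)


if __name__ == "__main__":
    for candidate in ("password", "abc123", "troubador", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        print(f"{candidate!r:32} {strength_bits(candidate):6.1f} bits  "
              f"{strength_label(candidate):9} {lifetime_days(candidate):4d} days")
```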
Spotlight Series
Tessian Spotlight: Helen Rabe, Global Chief Security Officer of Abcam
09 October 2019
Can you give an overview of your career history prior to joining Abcam?
I’ve had a fairly linear career journey in IT in general where security has always been a feature given that I’ve worked across the full systems lifecycle from project management to service delivery. A lot of my earlier career focus was on reactive remediation projects for organizations that had been compromised. More recently, I made a conscious decision to specialize and moved into a dedicated security role at Costa. It proved a successful decision and it’s led me onto CBRE and more recently Abcam where I am the Global Chief Security Officer (CSO).
Can you give an outline of your responsibilities as Global Chief Security Officer of Abcam?
It’s a wonderfully diverse role with many fascinating security considerations and unique challenges. Physical building management systems and specialized laboratory equipment are within my remit and they are an important part of our holistic security strategy. Abcam is a life-science company with a strong e-commerce element which facilitates external feedback on products using reviews and ratings submitted by customers. Abcam has a corporate culture driven by altruistic and humanitarian values which creates a unique security and risk profile that’s different from industries like banking and telecoms that I’ve been in previously.
What are some of the challenges you’ve faced since being in the role?
Abcam is undergoing a major digital transformation as part of its growth strategy. Trying to establish a security program in an organization already impacted by a large change initiative is not easy. I need to ensure the security program does not contribute to ‘change fatigue’ and lose its effectiveness. I’m attempting to deliver security across an organization in a way that emphasizes helping people to understand that security adds value rather than being a process blocker; it requires a major communication initiative.
I’ve had success with this by positioning security more as a lifestyle choice; this involves helping employees understand how security behaviors can benefit their personal lives as much as it can in the business world. It’s about embedding a security message in a relatable context, that’s how I believe you create positive security behaviors.
How important is the human factor when it comes to your security considerations?
To me personally, it’s a key factor in the success of my strategy. The human element in cybersecurity is complicated and it shouldn’t be treated as mutually exclusive from the technology enabling solutions we implement. One of the things that technology cannot fix outright is the insider threat, whether malicious or unintentionally negligent. Training employees in order to mitigate the insider threat can’t be a one off and training only goes so far in mitigating this risk. There needs to be a balanced approach in providing human intervention through validation processes alongside automated technology solutions; one should not be relied on over the other. I also support the notion that any security initiative or new policy requires a proportional internal ‘PR’ campaign around it to be effective. For example, if we’re taking something away from users like USBs and pulling away norms you’re going to get the inevitable backlash, so we have to communicate what value the users are getting out of the situation to sell it internally prior to it being implemented and impacting them. I don’t think we can easily solve the human problem; human behavior is too variable for us to nail down entirely, and we shouldn’t rely on AI technology as the panacea, but what we can do is prepare for the known threats coming at us. Security needs to be more front line and supporting users for things like phishing and whaling BEC that we know are growing more sophisticated and involve critical human decision making.
When cybersecurity technology is at its best, what can it bring to an organization?
Value creation: if the technology offers users an intuitive, seamless experience and ensures security, it adds immediate value. This doesn’t necessarily have to be a tangible thing; if your users embrace the solution, by extension security benefits from the success and longer-term support for its initiatives. End users ultimately want to have a symbiotic relationship with technology. The best solutions have to be a meshing of technology and the soft line of people; understanding how each of these couple into each other and add value is crucial.
What are the common misconceptions about the role of cybersecurity?
There is a belief that security owns everything, that it provides oversight for all risks, but this is a huge misconception. Most of the time we’re responsible but not accountable, so security awareness programs should also include a basic overview of who security is and what it is accountable for. An example would be an introduction to the classic 3 lines of defence model to help business users understand the engagement model between business risk and security. This is why it’s important to have an understanding of the softer elements of security in order to make sure it works for end users; that’s the sign of a successful security program. To achieve this, my advice is to step outside the line of what’s considered the CSO role and to be creative.
Spotlight Series
Tessian Spotlight: Craig Hopkins, Chief Information Officer for the City of San Antonio
25 September 2019
Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years after spending more than 20 years in financial services. San Antonio is the seventh-most populous city in the United States, and as CIO Craig manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes their mission, takes care of their employees, and remains secure.
What are the greatest challenges that you’ve faced being in the role?
Originally when I came into the role, my primary responsibility was to build new technology relationships across the 42 departments that make up the city. This included looking at different departments’ business strategies and helping them leverage technology to support it. The second area of focus was to set and strengthen the culture inside of the IT organization and to work with our municipal partners across San Antonio as well. I think we’ve done a great job over the past two years on these focus areas. Now the team is integrating systems and processes across departments with a focus on common platforms and prioritizing the user experience. We’re utilizing design thinking techniques and are becoming more of a consultant to the departments rather than building individual technology silos. We’re also having the departments work together on a common set of platforms that help with user problems, not just individual problems that are department specific.
As the CIO of San Antonio, are there any core security principles that help guide your approach to security?
In the first year we were really focusing on the information security foundation and making sure that we were as strong as we could be with our policies and tools.
However, we wanted to make sure that information security was not the only component. It’s really about understanding your overall security posture, which is a combination of physical, data and cyber. In the past year we’ve improved our principles based on the NIST framework with a focus on a comprehensive training program for our employees, network hardening, updating obsolete systems, threat profiling and vulnerability analysis. This has helped with communicating our policies and procedures and raising the cultural awareness within our organization. Security is everyone’s responsibility.
What unique pressures and dynamics do you face when it comes to cybersecurity decisions in the public sector?
Typically, people that work in tech will tell you that technology is the most important factor when it comes to making decisions about cybersecurity. What I’ve learned is that in reality, it’s about people. The human factor is incredibly important because people can be great at detecting threats and abnormalities in the system – more so than any tool – but they can also be your greatest internal threat, either intentionally or unintentionally. What we try to do here is to teach behaviors and have protocols that can minimize the risk of intentional and unintentional issues, such as only giving systems access to those who need it and constantly refreshing and validating the user rights. This sounds basic, but it’s the foundational practices and business processes that solidify your position. We also provide peer oversight, technical training, and teach how to combat social engineering. Ultimately, we want people to understand these threats to make sure that we are always leveraging our people first and our technology second.
What are the common misconceptions about the role of information security?
One of the common misconceptions that I hear is that an organization’s best defense is their technology tools.
My response to that is actually that the best defense is a workplace culture that prioritizes cyber and physical security and creates aware and engaged employees and leaders. A second common misconception is that cybersecurity is for the IT team to solve. I believe that cybersecurity isn’t just an IT problem; it’s for leadership to solve across the organization. It’s the job of all leaders to support and protect the employees on our teams.
Looking forward, what type of security culture do you want to create within the City of San Antonio a few years from now?
A security-conscious culture where cyber, data, and physical security are naturally integrated into everything we do and every design decision that we make. It can’t be the only thing that we think about, because you can’t run a business that way, but it must be embedded in our thinking and our architecture, as we seek to improve the lives of our citizens and our employees in San Antonio. That is the culture that we want to build into our organization.
Spotlight Series
Tessian Spotlight: Andrew Besford, former Deputy Director, Government Digital Service, UK Government
30 July 2019
Andrew Besford has over 20 years’ experience in technology-enabled business transformation. His early career was in the telecoms industry, in both in-house and consultancy roles in a number of countries, most recently at UK mobile operator O2. Andrew joined the UK Civil Service at the start of 2014, initially to set up business transformation at the Department for Work and Pensions, where he was responsible for developing a compelling vision for the future of the organization. Andrew then joined the Cabinet Office as deputy director of the Government Digital Service, and led the creation of the Government Transformation Strategy, which was published in February 2017. Andrew holds a degree in Computer Science from Cambridge.
As we have a global readership, can you give a brief explanation of your work with the Department for Work and Pensions and UK government?
My first job as a civil servant was in 2014, where I established the business transformation programme to modernize the Department for Work and Pensions (DWP). DWP is the UK’s biggest public service delivery department, and has a long history of administering the state pension and a range of benefits. Its operation distributes around £167bn of benefits per year (£650m per day, in 2.8m separate payments). The business costs around £8bn per year to run, employs 95,000 people, and delivers face-to-face services through 720 Job Centres. The big themes of the transformation were around secure self-service wherever possible, intelligent use of data, and process automation. I later moved to the Government Digital Service to work on the portfolio of digitally-enabled transformation programs across UK government. Across all of these themes of transformation, we were constantly balancing the pace of technological change with the ability of the organization to adapt to new ways of working.
With public services that people depend on, it’s always vital to consider how the organization will continue to serve people reliably whilst it is changing. Sometimes this means you need to make incremental changes, because a major technological overhaul and starting from the ground up would be too high risk, even though it may appear to be a better technology solution.
What pressures and dynamics were unique to digital transformation in the public sector?
Public sector digital transformation programs tend to be driven by a mix of three key drivers – making efficiency improvements, improving the customer/citizen/user experience, and implementing the government’s policy agenda. Sometimes a new government policy can be an opportunity to modernize the way the whole of something works. Other times the policy might stay the same but there is an opportunity to deliver it in a modern and efficient way, which means making the best use of today’s digital delivery approaches and technologies. Eventually it will also mean adopting more internet business models but we are still in the very early stages of governments thinking in this way. Some of the dynamics of this really are unique to the public sector – you have to deal with all service customers/citizens/users, some of whom may be extremely vulnerable or unable to deal with you online. You are spending public money, and the procurement rules are always a factor. A hugely positive aspect is that your colleagues are people who go to work every day to make government work better for the people who need it most. The scale may be vast, but other challenges of transformation are the same as you find anywhere else – making smart use of data, having a plan for legacy systems, getting enough people with the right skills, aligning the organization around a clear vision, establishing the basics like a common language and a focus on user needs.
How does cybersecurity factor into your work?
Although my job title doesn’t say cybersecurity, it is absolutely integral to leading business transformation in this environment. Different parts of the public sector have aspects in common, for example the need to handle sensitive personal data. But different areas naturally have different threat profiles – for example DWP is a unique environment in that it pays out such a big percentage of our GDP directly to citizens. One key factor when you are building new digital services in this environment is that you have to be careful with which parts need an iterative test-and-learn approach, and which parts need a high-volume, stable and auditable approach. Sometimes this experimentation is essential, for example when creating new online services which you hope will change people’s behaviors. Other times this can be risky or impossible, for example if you consider the interface to the banking system. Using appropriate methods can be very hard if there is a context of “agile everywhere”, which has sometimes been dogmatic. There is a fine trade off between making a service useful and making it safe. Often, senior leaders of organizations need help to understand the risks and the choices they face, so it was a big part of my job to clearly communicate the risks associated with projects and the mitigations that can be put in place.
Are there any security principles you are guided by when approaching business transformation?
The vision for business transformation needs to include security at its heart, and not just include it as an afterthought. As ever, this can be a juggle because other themes must also run strongly through the story, especially around people and technology. Of course boards will always want to know “Are we secure, and compliant?” But when you are working on transformation, they probably also want to know “Why are we not more of a ‘digital business’ yet?” So there has to be a security perspective on the organization of the future.
Frequently this means evolving the security focus so that it is not just about securing networks and endpoints, but extends to designing secure services. My view is that transformation leaders always have a role to play in security. This could be helping board members understand what good looks like, and helping them understand options and consequences. Equally it could be helping to raise colleagues’ awareness and understanding as part of a more general digital upskilling.
You often refer to keeping user needs at the heart of your thinking – can you share more on this approach?
The emphasis on user needs has been a real turning point in how UK government thinks about delivering digital services. In 2014 the Government Digital Service mandated the Service Standard, which includes as its first point to “Understand users and their needs”. This helped establish the thinking that without understanding users, you won’t know what problems you’re trying to solve, what to build, or if the service you create will work. From a broader cybersecurity perspective it is important to start with user needs, while acknowledging that the government has needs too, for example to protect taxpayers’ money, reduce fraud and preserve trust.
How important is the human factor when it comes to digital design?
It’s impossible to overstate the human factor. In government terms this applies to the people who use government services, as well as the people working within government agencies. Digital services rely on balancing a low-friction user journey, with the need for proportionate controls to limit business risk. Designing this successfully can only be done by putting the users at the center of the design. For public services this will touch on user identity, data ownership and sharing, minimizing risk and administrative errors that could cause significant damage – all while respecting people’s privacy and rights.
Criminals might impersonate these services without the victim ever contacting the agency in question, so this is in part a national problem, not an organizational one. For example, the UK’s tax, payments and customs authority (HMRC) has experienced significant criminal use of their brand, highlighting the need for a national response to protect citizens and ensure that when people see an email from a .gov.uk email address they can trust it. In 2016, HMRC was the 16th most phished brand globally, but following efforts from HMRC and the UK’s National Cyber Security Centre, by the end of 2018 it was 146th in the world. Within government agencies, for those who advise on policy, build technology solutions, and deliver front-line operations, there are also threats at the human level. These could be from organized criminals, hacktivists or state actors, who may use attacks based on social engineering or spear phishing.
Do you have any advice for cybersecurity practitioners on how to work effectively through digital transformation?
As always this depends on the context, but there are three common themes I would highlight from recent work. Firstly, we need to help senior leaders understand cybersecurity better. Transformation is a leadership problem and sits in the realm of the boardroom; it is made possible by leaders understanding what it means, and setting out a vision for the organization. Those people generally don’t have a deep understanding of cybersecurity, but increasingly recognize how critical it is, because they have heard of WannaCry ransomware, Cambridge Analytica data mining, and British Airways/Marriott fines under GDPR. Secondly, we need to focus on creating the right conditions in the organization for delivering new services. This means enabling people and empowering teams. Someone in your organization is eventually going to end up attempting to do secure service design themselves – with or without any guidance from specialists.
Cybersecurity practitioners need to collaborate across the organization, avoid creating factions, and make sure it gets done right and integrates with your other layers of defence. Finally, we need to embrace digital change and experiment. Any big organization needs to be able to operate while under persistent threats and sophisticated attacks. And you need your teams to be enabled to experiment (safely), test and learn what works, and continuously evolve services to deal with the evolving landscape they operate in. Security leaders can and should be at the heart of safely delivering the transformation ambition.  
Spotlight Series
Tessian Spotlight: Don Welch, Chief Information Security Officer at Penn State University
04 July 2019
Can you give a brief overview of your background and responsibilities at Penn State?
As Chief Information Security Officer for Penn State University, I am in charge of a range of things including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.
What are your core objectives in the role?
One of the main objectives I work to is to understand who is on the network and who has access to what. This is what our privacy and security is all about: stopping people getting access to critical information that they shouldn’t. Compliance is another large objective that has a lot of overlap with security. Compliance is necessary, and often the fines and other sanctions are a serious risk to Penn State. However, while the standards do support security initiatives, they’re not sufficient in themselves. That makes the distinction between what policies and programmes are compliance-led versus security-led very important for us.
Have you observed any dynamics that are unique to university environments when it comes to information security?
The interesting thing for large research universities is that we are affected by almost every area of compliance and information threat that exists. We have healthcare data, valuable research, financial information, student PII as well as a nuclear reactor, an airport and all the utilities cities have. This means we are subject to a range of threats like nation state actors trying to steal IP or gather information for their country, and criminals targeting us for fraudulent payments.
Do you think universities are well equipped to deal with these threats?
No, it’s a real challenge. Universities do great things as faculties are very entrepreneurial, working on cutting edge innovations with relative autonomy. While autonomy is an important value of the institution, it makes cybersecurity more challenging.
The university has so many faculties and operations which create a diverse range of activities within the one system. Creating security alignment that works effectively across the board is therefore a big undertaking.
How do you instil a cybersecurity culture in such a diverse environment?
We have 17,000 regular staff members and 100,000 students who all fall prey to different kinds of attacks. We tailor our education and training approach to each different group, ensuring that people understand both the threat to them personally and to the institution.
How does human error play a role in cyber vulnerabilities?
Phishing and social engineering attacks are getting more sophisticated meaning that even very intelligent people can be deceived. We know people make mistakes so it’s important to maintain a combination of approaches to mitigate human error. We implement layered security strategies because you can’t depend on a single defence approach. We build security that considers everything together: people, technology and processes. With a phishing campaign for example, when a normal user has fallen victim and an attacker takes over that account we have several ways of identifying the attack and stopping it before the attacker does damage. We look for strange account activity that indicates a compromised account. We mandate protections on privileged accounts, changing the password every time it is used. We separate our sensitive systems from the rest of the network. These are some of the controls we use to protect our system in a layered and integrated manner.
Where do you see the biggest risks being in future?
Attackers are always innovating so we have to continually evolve our defences to keep up. This will become more challenging when adversaries begin to use AI and automated techniques to attack systems much more rapidly. We’ll have to act more quickly to match their speed.
But we still have the basic challenges that we need to address – simple attacks still succeed because people continue to fall for spear phishing attacks. We cannot forget about the basics and get distracted by shiny new toys.
What are the common misconceptions about the role of cybersecurity?
A lot of cybersecurity professionals look at security from a risk-based approach; they’ll assess what the individual risks to the organization are. That’s important, but it has to be incorporated into a larger strategy that looks at the bigger picture of potential damage and allocates our cybersecurity resources in an efficient and effective way. We have to think how our attackers are thinking in order to understand how they will attack us.
Tessian Spotlight: Graham Thomson, CISO at Irwin Mitchell
04 July 2019
Tessian spoke to Graham Thomson, CISO at leading law firm Irwin Mitchell, about his career and why he uses Tessian to keep Irwin Mitchell’s employees safe on email.

To get started, can you take us through how you first got into security?

I got my degree in genetics and then worked in military intelligence, where I received a grounding in computer security. After a few years, I left the military and got a job as an investigator for a global retailer. Initially this was to investigate fraud and corruption, but it evolved to cover issues relating to information security, such as insider breaches and hacking. Having decided that a career in information security was for me, I then obtained my CISSP qualification. I’ve since been lucky to experience many different industries, including insurance, online banking and e-commerce, and now the legal sector. I’ve been focused purely on information security for around 12 years now.

How has the industry changed since you began your career, and what has the impact of technology on security been?

Information security has changed hugely over time, probably because the threats themselves have changed. When I started out, I think it’s fair to say the work we were doing probably wasn’t that well understood. When I was being trained initially, I remember learning about a KGB-initiated infiltration of systems that was discovered pretty much by chance: this was a real eye-opener that brought home just how important computer security was going to be in the modern economy. One of the biggest changes is the focus on people. Previously, security professionals would be technical IT specialists, but today many different career paths – the military and law enforcement are just a couple of examples – can lead towards information security. The ability to understand an issue from the attacker’s point of view is very useful.
You can spend as much money as you want on technology, but at the end of the day there are humans with legitimate access to your systems; if they are negligent or abuse their positions, then there’s very little that tech can do to stop that.

What are your core responsibilities at Irwin Mitchell? And what are your ambitions for your department and the team over the coming years?

My core responsibility is setting the strategic security vision for the company and making sure we successfully deliver on our objectives. I refer back to this regularly to work out whether there are gaps in our present strategic framework, or whether we need to readjust priorities on particular technical projects. It’s all well and good sitting and thinking about high-level problems, but real-world feedback really helps to crystallize the impact of what we’re doing. It’s my security policy, but I want to know how it translates across the business. The key thing is that many people within law firms deal with very sensitive personal and company data. Our bread and butter is keeping this safe. Firms in other sectors may only have a few people dealing with sensitive data, but in law firms the proportion of people in the business who have this responsibility is far higher. This information isn’t just internal; it comes from external parties too. For example, we might have sensitive medical records or information relating to military matters as part of the work our solicitors do. The legal space is a fairly unusual sector in that we have to think about security in a very broad sense. The very term ‘cybersecurity’ reflects the fact that more and more of the information people consume is digital. But working at a law firm, there are paper records that have to be dealt with too. So my role depends on understanding and managing all the implications of information security, not just the technical aspects.
It’s important to remember that our people could be very experienced lawyers or new graduates: we have to make sure that everyone understands what their security responsibilities are. People have to know how to handle information from when it comes into our orbit right through to when we dispose of it. Security can’t just be a case of asking people to read a lengthy, technical policy document. I have to ensure the information is relayed in a way that’s meaningful, interesting and relevant, and I need to make sure the technical tools we use are easy to understand.

How can new security technology help the legal sector really make strides in the years to come?

The first thing to say is that the legal sector has probably not moved as fast as some other sectors when it comes to adopting technological solutions. Although there are some startups making strides in ‘legal tech’, fintech, for instance, has a higher profile and potentially more innovation happening in that space right now. Things are improving, but the sector as a whole has possibly been slightly behind the times. For me, where the sector could really benefit is access to justice: I think tech will help ordinary people engage more meaningfully with the legal system. Law is complex, and there are so many gray areas, but I’m hopeful that developments in artificial intelligence (AI) hold a lot of promise. It’s never a good thing when someone decides not to approach a lawyer or a law firm because they’re not sure whether it’s worth it or because they think the process will be particularly laborious. Tech that allows people to ask initial questions without having to directly engage the services of a human lawyer could mean that people find it less intimidating to approach law firms. I think we’re now moving past the point where people expect to have to walk into a physical office to have a meaningful conversation with a legal professional.
You could easily get the same result from your own home, or on your phone, and that kind of relationship is what we need to be thinking about. I also think there could be major benefits to research. When paralegals need to sift through thousands of pages, AI could help surface the relevant information more quickly. Bots that do more labor-intensive work like reviewing long contracts could also save significant chunks of time. Next-generation technologies like AI could definitely help the legal sector move forward. The danger with AI, though, is that biases may still come into play, as is often the case when dealing with complex algorithms.

Can you tell us about your experience bringing new technologies into a law firm?

I’m fortunate that today, cybersecurity is taken very seriously at board level. If I can show that there’s a requirement and a potential benefit with a new piece of technology, the appetite to mitigate that risk is usually there. When it comes to end users, we have to think carefully about altering processes they might be used to, or telling them to stop doing something that seems innocuous. I’ve found that as long as the training and awareness is communicated well, it’s usually accepted without too many hiccups. Interestingly, when we implemented Tessian Guardian, which helps us combat misdirected emails within the organization, it was one of the few security products we had no complaints about. In fact, people sent us screenshots thanking us for preventing emails potentially going to the wrong destination! It’s great for the team to feel like we’re making positive changes within the organization.

Could you describe Irwin Mitchell’s attitude to information security in a couple of sentences?

Our people see information security as an absolute necessity when it comes to doing business. Everyone acknowledges that they share responsibility for the firm’s success or failure here.

So how important is Tessian to your overall security stack?
Tessian is critical for us. Misdirecting an email is very easily done: people want to be productive, and they don’t always notice when autocomplete gives them an incorrect email address. Tessian also gives us great analytics and reports which help us actually analyze the data, over and above the solution itself. We’re soon going to be implementing Tessian Defender, which will help us address inbound spear phishing threats and make Irwin Mitchell’s security structure even more secure. Tessian is just a very clear way for us to communicate potential risks and give our colleagues additional protection.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Sarat Muddu, IT Security Director at Kelley Drye
04 July 2019
Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change, and how his firm wards off threats by embracing innovation.

As an IT professional, what attracted you to a career in the legal sector?

I’ve had experience in a wide variety of sectors, but I was fascinated by the security challenges of the legal space. Although I wasn’t a legal expert when I joined Kelley Drye, I moved across from health care, which is another industry that is extremely sensitive to cybersecurity risks, so I understood the importance of the problem.

How important is it that the top level of a firm is alert to the dangers of cybersecurity?

Even at board level, there should be people who understand the more nuanced technical details of a security project. At Kelley Drye we’ve been lucky to get great buy-in from our managing partner and CIO. They see a direct connection between a well-constructed security policy and the broader success of the business. I can’t speak for other law firms, but ever since I’ve been working in the legal sector, I’ve seen significant positive movement in how people approach and value security. This is one really refreshing change. We regularly get inquiries from partners asking whether we are protecting ourselves against this or that new threat – they pay attention and want to ensure firm and client safety. If we can continue developing this kind of curious mindset, I’ll be happy. It’s important to remember that a main driver of this new focus comes from partners being keenly aware of potential damage to a firm’s reputation. You don’t want to be the firm in the headlines because of a security breach, and you have to preserve client relationships, which are the bedrock of any firm.

Why is email a particularly high-risk activity at law firms?
I think all industries are susceptible to engaging in risky behaviors, but the kinds of data held in law firms mean any unauthorized email that goes to a personal address is potentially more dangerous because of the content of that email. We all want to take the convenient path, but it’s the responsibility of a security team to manage and, if necessary, plug holes in those workflows that increase risk. Email is one of the most heavily used tools in any law firm, alongside document management systems. Human error is always one of the big factors in any data breach report. Lawyers send and receive a lot of email, so in a sense it’s natural that they may be more likely to misdirect an email, for instance. Even IT teams are not immune to these pressures!

Is it the case that email is just an inherently risky mode of communication?

At Kelley Drye, our ‘Defense in Depth’ strategy tackles security concerns at every layer of the stack, from our perimeter down to individual devices, and people too. As a security team, we have established a number of risk management and training programs to help us avoid any sleepless nights. Email security is a critically important part of this mix. As technologists, we have to make sure that all our communications channels allow business to function without any hindrance. If people don’t have a seamless experience in an enterprise, that actually raises the likelihood of people trying to evade those systems by, for instance, sending an email to their personal address so they can work on something at home. They’re not trying to be malicious, but they are putting data at risk. That’s why when we’re thinking about bringing in a new security tool, we take into account not only how robust the product is but how it impacts the team’s work. Ease of use is incredibly important to us, and that’s actually what Tessian does very well.

How does Tessian make it easier for you to learn about and act on potentially risky behaviors?
It was really important to us that Tessian would improve our knowledge as a security team. The market for security products is incredibly saturated, and not every product is able to offer a rich level of detail to its administrators. Not only did Tessian give us valuable historical analysis, working retroactively, it was very easy to start using it. Out of all the security products we’ve invested in, Tessian has had the lowest amount of up-front work to get set up. This meant we could get started analyzing the results straight away. We are now able to have a better dialogue with legal professionals and other end users, because rather than just being blocked from doing certain things, people know why an action could be problematic thanks to the insights Tessian displays within the email client.

So do tech products like Tessian help you drive cultural change within the firm?

Implementing change is only easy when it’s a team effort. When I’m making a business case for why a tool will help the firm, having productive discussions around the business – not just with the management team – is paramount. You can’t drive real cultural change with just a couple of people: it doesn’t happen overnight. In general, when we’re implementing a new piece of technology, the fewer complaints we get the better, and we haven’t had a single complaint or unhappy query about Tessian. In the long run, this makes it easier for me to bring the next security project to the board and justify investment, which makes my job easier.

Finally, looking a few years ahead, where would you like to see the legal sector progress?

I think the legal sector is in a really interesting period as far as technology is concerned. Every time I go to a conference there are new and innovative solutions targeted at helping law firms succeed. At the same time, the business of law firms is changing. We have to evolve at the same pace as other industries, moving with the times.
We’re seeing big shifts towards agile and remote working, for instance. How are legal security teams going to deal with this new dynamic, securing client data while giving professionals more flexible ways to get work done? For us, investments in products like Tessian are a great example of how much the firm values technological innovation.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Duncan Eadie, IT Director at Charles Russell Speechlys
04 July 2019
Duncan Eadie, IT Director at Charles Russell Speechlys, speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.

What were some of the main threats in cybersecurity when you first moved into the sector?

The first computer virus I was aware of was distributed in 1988, and in my first job we had a lunchtime session discussing it! We then had to contend with viruses distributed via floppy disk, which demonstrates just how far the industry has come. At that time, people breaking into computer systems was almost done for fun; now, cyber crime is a major global industry in its own right. Lawyers and clients alike are now all aware of the consequences of handling data inappropriately. Today, we expect security from every organisation we deal with, not only as professionals but also in our personal lives.

Does security permeate all aspects of your role, or is it effectively treated almost as its own business unit?

My role is essentially to design and deliver Charles Russell Speechlys’ IT strategy. That means overseeing the development of products and services, and then successfully introducing these across the business. Within the IT department, I’d say that security has had to become more of a specialist requirement in recent years, partly because criminals and tactics are becoming more sophisticated. This vertical knowledge has to be supported by core tools that help us do this more specialized work.

What are some of the challenges around driving change in a business like Charles Russell Speechlys?

In some ways it depends on the change you’re introducing. When we introduce products like Tessian, which don’t necessitate huge change to working practices and which don’t require lots of training, you can feel people embracing the change in a different way.
From a people perspective, the principal security challenge is really to make sure that everyone around the organization is vigilant, whether you’re a lawyer, a secretary, a software engineer or a marketing professional. In a broader sense, the entire legal industry is feeling that there’s a significant shift happening right now. This isn’t at the individual or firm level; it’s impacting the whole sector. Firms have to decide at what point they want to catch that wave of change. For forward-thinking law firms, this is a fantastic opportunity to build on the heritage of the past and embrace the opportunities of the future, something that’s in the DNA of Charles Russell Speechlys.

So why is this technological shift happening now, and what are the knock-on effects for security?

I think there is some frustration on the part of clients that the legal sector isn’t changing and evolving at the same speed as other industries. Changing customer demographics are beginning to disrupt the legal market in the same way as many other industries. In general, customers are more willing to challenge the professions and really engage with their service providers, and that means law firms need to offer a modern experience for clients. Regulatory changes are also impacting these strategic decisions. We’re now seeing more punitive penalties for breaches of regulation, and that affects the way firms might think about the risks of expanding into a new practice area, for instance. All of this has consequences for security.

What do you wish the average lawyer knew about cybersecurity?

That if their cybersecurity knowledge is not up to scratch, their firm’s reputation could be damaged very quickly. We’re talking about a relatively small investment in time to focus on cybersecurity best practices. In the long run, this could protect a reputation which has been built up over decades. It only takes a moment to potentially destroy all that.
And what would you say to a technologist or security professional thinking about a career in the legal sector? What advice do you have that would help them make an impact?

Too often in the industry, making something more ‘secure’ results in making it harder to interact with. Technologists coming into the sector should empathise with legal professionals and realise that people don’t want barriers, however difficult that might be to incorporate into products. If people build products that combine security with ease of use, you’re onto a winner, and that’s actually what Tessian has done. The other thing for IT specialists to remember is that much of a law firm’s business still stems from its reputation. Reputation can be a very fragile entity, but it’s also why law firms will survive over the long term. Protecting reputation is absolutely key. So much important work carried out by lawyers is based on their firm’s and their own reputation. When people or businesses are in extremely sensitive situations, facing very difficult decisions, they don’t want an app, they want to talk to someone whose advice they trust. In this environment, our duty is to preserve and enable this intimate communication as best as we can with the support of technology, while balancing this need with best-in-class security practices.

How is Tessian helping Charles Russell Speechlys tackle threats and manage email security?

Well, the channel that generates the highest number of complaints to the ICO every year is email. Firms can easily send hundreds of thousands of emails every month: when businesses have that volume of communication, you don’t have to be wrong very often for it to really matter. Misdirecting an email isn’t something someone does intentionally, and I’m sure that your readers have all experienced sending an email to the wrong person at some point. With Tessian, we don’t encounter pushback from within the organisation, so it’s a great way to deliver meaningful change in the firm.
Tessian proves that modern technology can support our lawyers and help protect their relationships with clients.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Mark Ramsey, Chief Information Security Officer of Americas Division at ASSA ABLOY Group
30 April 2019
Mark Ramsey has over 30 years’ experience in software engineering and security. He initially trained as a software engineer and transitioned into the security side of Information Technology as it became a growing area within enterprises. He has set up security teams from scratch in a handful of businesses including Assa Abloy, where he is currently Chief Information Security Officer. Alongside this, he is committed to knowledge and education around cybersecurity, and teaches masters-level students at Fairfield University, where he has been a Professor for the past 33 years.

What can you share from your experience creating a security function from scratch?

I’ve done this for three companies now. I find most people are cooperative because there is a growing understanding that security is crucial for the successful running of a company. Most people want to be secure and to do things right, but it’s important to strike a balance. You must be sure to make things secure, but flexible enough so people are able to do their jobs and do them well. For Assa Abloy, security has always been a priority; it is in our DNA given we are a security lock company. We have been building up our security profile, but it is an on-going process with new challenges. We are preparing for the expansion to the Internet of Things.

What are the greatest challenges you have overcome since you have been CISO of Assa Abloy – Americas?

My biggest fear is the employees. You can put in all the technology in the world, but sometimes people will not be thinking; that is human nature. The risk is not just malicious in nature; mistakes can be unintentional. It is not just on email where this can happen, it can happen in file sharing environments. All it takes is one click. We have set up many training sessions to help combat this, with training on secure business processes and security awareness.
I am lucky to have many years’ experience in university lecturing, so I know how to translate technical aspects into easy-to-learn steps. We do know people are getting better. What is making it tougher is that there are two things accelerating. Everything is increasingly global and accessible, and everything relies on cyber. You need to know where your data is stored, who the owners are and how it is classified. We can put protection in one area, but if we find a breach in another then you have wasted time and money. It’s not a security project, it’s a programme – a case of on-going management.

How should senior cybersecurity executives ideally work with the board?

I’ve been fortunate to work with security-conscious boards, but I would advise people not to scaremonger. It’s best to communicate honestly, to make them aware of risk levels and explain what can be done. Security teams ultimately don’t make the company money, but they certainly can generate value in the long run. Security is a wise expense that can keep boards out of the news if they’re provided with the right information to make an educated decision. We’re lucky now with GDPR and CCPA providing external standards and pressure. Most boards now know they will be held responsible; this means they are actually seeking out help from security leaders.

Do you have any advice for new CISOs to set them up for success?

Communicate, communicate, and communicate. Keep the business leaders and employees informed of the risks and what needs to be done to mitigate them. Be willing to compromise; there are some areas that might not have all the policies we want in place, but we have to find what will realistically be adopted. Security practices must still allow people to do their jobs properly and securely.
Tessian Spotlight: Giampiero Astuti, Group CIO at Astaldi
24 April 2019
Giampiero Astuti has served as Group Chief Information Officer at global construction company Astaldi since 2003. Before joining Astaldi, he worked as CIO in different industries (financial services, IT, and pharma / biotech) both in Italy and abroad.

What are your principal responsibilities at Astaldi?

My role is to define Astaldi’s information and digital strategy and, consequently, plan the evolution of the Group’s information systems. I am supported by a team of around 50 people, spread across different functions and countries. A vital part of my job is to enable better information management and communication across the business: Astaldi operates more than 250 sites in 20+ different countries, so our information requirements are quite complex.

How do you manage security risks in such a complicated global business?

Astaldi has more than 50,000 different active suppliers worldwide: we have a very varied range of product and service partners. This creates inevitable security risks. We also need to be careful when working with other construction companies on joint venture projects, which is a very common occurrence in our industry. We could be working together with a company on one project, but simultaneously competing with that same company for another separate tender. This makes information governance extremely important.

What are some of the most interesting problems CIOs in the construction sector have to tackle?

It’s worth stating that every sector has its own particular opportunities and threats, of course. But considering the fact that the construction sector can be quite traditional and conservative, CIOs have to maximize innovation by focusing on great change management and creating value from relatively limited IT budgets.

So how has the sector changed since you started working at Astaldi?

When I joined Astaldi there were no web apps or content management solutions: some information was still being shared by fax.
Inevitably, much more of our activity is digital these days. There are so many fascinating new paradigms becoming more and more popular in the sector, such as BIM (Building Information Modelling) and Industry 4.0. These are great opportunities for us, but they are also significant security threats. As more and more devices and machines are connected to networks, the potential risks increase dramatically. In construction, we must also think of physical safety as well as data loss, so the risks are magnified even more if systems are corrupted or hijacked. There are also challenges bringing these new ideas into our work. We are experimenting with the possibilities of machine learning and other next-generation technologies, but when competing to win contracts it can be tricky to persuade a customer that a newer technology is going to be practical and cost-effective. Our projects range from hundreds of millions of euros up to multiple billions of euros: this scale can make the implementation of new technologies very expensive and complex.

Lastly, what are the key qualities of the best CIOs?

Firstly, I think it’s very important that CIOs are much more than just technical experts. I studied economics, for instance, and I think a broad understanding of business and project management is very important in this role. Technology knowledge will always be important, but CIOs must also have good soft skills like motivation and leadership. In my view, these are just as important as IT expertise.
Tessian Spotlight: Full Archive
10 April 2019
Earlier this year we started a new series of interviews called “Tessian Spotlight”—an exploration into the world of cutting-edge enterprise innovation and cybersecurity. In this series, we interview inspiring technology and security leaders across different sectors in order to learn about their backgrounds and accomplishments, the challenges they foresee in the future and their top insights that have helped them succeed in their respective fields.

Mark Ramsey, CISO, Americas Division, ASSA ABLOY
Mark Ramsey has over 30 years’ experience in software engineering and security. He is committed to education around cybersecurity, and teaches masters-level students at Fairfield University where he has been a Professor for the past 33 years.

Giampiero Astuti, Group CIO, Astaldi
Giampiero Astuti has served as Group Chief Information Officer at global construction company Astaldi since 2003. Before joining Astaldi, he worked as CIO in different industries (Financial Services, IT, and Pharma / Biotech) both in Italy and abroad.

Jaya Baloo, CISO, KPN Telecom
Jaya Baloo joined KPN Telecom 6 years ago, as the Chief Information Security Officer, to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

Kevin Delange, CISO, International Game Technology
Kevin has an extensive background in information security, systems architecture and communications. As Chief Information Security Officer at International Game Technology, he holds global responsibility for information security as well as governance, compliance and threat intelligence.
Richard Wakefield, CTO, Salford Royal NHS Foundation Trust
Richard is the Chief Technical Officer at Salford Royal NHS Foundation Trust, which he joined in 1998. His responsibilities range from infrastructure provision and digital equipment to cybersecurity.

Craig Walker, Global CIO, Shell International Petroleum Company
Craig Walker has nearly 30 years of experience with Shell spanning locations such as the US, Colombia, South Africa, Saudi Arabia, UAE and the UK. Originally joining Shell as a programmer in 1981, and after a 6-year stint at KPMG in the early 2000s, Craig is now the global CIO for the Shell Downstream business. This includes trading, manufacturing and refinery as well as the B2B businesses such as marine, aviation and retail.

Thomas Tschersich, Senior Vice President, Internal Security and Cyber Defense, Telekom Group
Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group with over 20 years of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group from personal and physical security to cybersecurity.

Pierre-Yves Geffe, Chief Information Officer for Swedbank Luxembourg
Pierre-Yves has been the Chief Information Officer for Swedbank Luxembourg for over a decade. Originally hired to restructure the bank’s IT operations, he overhauled the IT teams into a highly agile workforce and successfully led numerous IT implementations and migrations. Before joining Swedbank, Pierre-Yves worked in IT at both the Luxembourg Stock Exchange and IBM.
Johan Kestens, former Chief Information Officer at ING Belgium and Luxembourg
As the former Chief Information Officer for ING Belgium and Luxembourg, Johan was, until September 2018, responsible for the complete IT stack and was part of the Executive Committee. An engineer by training, Johan has worked with a number of organizations before joining ING, including McKinsey, SWIFT, SAP and A.T. Kearney.

Michael Mrak, Head of Department Compliance & Information Security at Casinos Austria
Michael has been with Casinos Austria for 26 years. He started in the IT department and eventually took over the role of Data Privacy Officer in 2001. Responsible for overall information security strategy and working closely with the CEO, Michael establishes policies relating to compliance and anti-money laundering. As well as overseeing all the activities related to the development, implementation, maintenance and adherence to the organization’s privacy policies, he is also the link between his organization and the Austrian Ministry of Finance.

Don Welch, Chief Information Security Officer at Penn State University
As Chief Information Security Officer for Penn State University, Don is in charge of a range of things including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.

Sarat Muddu, IT Security Director, Kelley Drye & Warren
Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change in this Tessian Spotlight Series. According to Sarat, it’s important to embrace innovation in order to ward off threats.

Graham Thomson, CISO, Irwin Mitchell
Graham Thomson is the Chief Information Security Officer at leading law firm Irwin Mitchell.
In this Tessian Spotlight Series, Graham talks about his career in information security and why he uses Tessian to keep Irwin Mitchell’s employees safe on email. Read full interview here Company Profile Duncan Eadie, IT Director, Charles Russell Speechlys As IT Director, Duncan Eadie is responsible for designing and delivering the IT strategy at Charles Russell Speechlys. In this Spotlight Series, Duncan speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation. Read full interview here Company Profile Andrew Besford, former Deputy Director, Government Digital Service, UK Government Andrew has over 20 years’ experience in technology-enabled business transformation. His early career was in the telecoms industry, in both in-house and consultancy roles in a number of countries, most recently at UK mobile operator O2. Andrew joined the UK Civil Service at the start of 2014, initially to set up business transformation at the Department for Work and Pensions. Andrew then joined the Cabinet Office as deputy director of the Government Digital Service, and led the creation of the Government Transformation Strategy, which was published in February 2017. Read full interview here Company Profile Craig Hopkins, Chief Information Officer, City of San Antonio Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years after spending more than 20 years in financial services. As CIO Craig also manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes their mission, takes care of their employees, and remains secure. 
Read full interview here Company Profile Helen Rabe, Global Chief Security Officer, Abcam Helen Rabe is a distinguished security leader, with wide reaching experience across banking, telecoms, food and drink and more recently life sciences. As Global Chief Security Officer at Abcam, we spoke with Helen to understand her core driving principles when it comes to leading enterprise security programs and what impact cybersecurity technology can truly have on an organization. Read full interview here Company Profile Bridget Kenyon, Global Chief Information Security Officer, Thales eSecurity Bridget Kenyon is the Global CISO for Thales eSecurity where she manages operational information security across the organization. Previously, Bridget has served as the Head of Information Security at University College London where she built and matured the information security governance function for the university. Bridget is a member and editor for the International Organization for Standardization where she has edited and developed the management standards in the 27001 series. Additionally, Bridget has published a book on ISO 27001, which serves as an ideal guide for organizations preparing for the certification. Read full interview here Company Profile
Spotlight Series
Tessian Spotlight: Jaya Baloo, Chief Information Security Officer at KPN Telecom
09 April 2019
Jaya Baloo joined KPN Telecom 6 years ago, as the Chief Information Security Officer, to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

What are the greatest challenges you have overcome since you became CISO?

The one thing I keep telling my team that I can guarantee is that we are going to get hacked. It's because we are such a big network and also because we are an intermediate target to get to other targets. Obviously, we try to prevent as much as we can, respond as quickly as possible and verify as many actions as possible. The main challenge is to always keep thinking of new ways that we could improve our existing security measures. We recently set up a new unit that invents new security solutions which we cannot find in the market, for example a post-quantum VPN tool.

How should CISOs work with the rest of the board?

People need to realize that security is actually sticky, in that it is something very relatable to each and every role. You inherently realize that if you do not address a security issue then you will be exposing yourself to a risk. As a CISO, you should use this to your advantage: relate your cybersecurity objectives to the motives of the board and make it as relevant to them as possible. I also don't believe that support for cybersecurity ends with the board. Effective storytelling might work for senior leadership, but you ultimately need every employee on your side, realizing how they can best defend the company within their role, in order for this to work.

What needs to change about how most organizations are handling their information security?

A lot of companies are quite relaxed about their cybersecurity, almost too relaxed. This is usually because they are not measuring what is actually going on in their company. They tend to generally want to trust their employees, partners and vendors. The issue is that trust is ultimately just a social contract, and the health of this contract needs to be checked. So only if you monitor the behavior of your employees, partners and vendors can you give your trust to them freely. This is not a well-known threat for many of the larger companies.

How much of a role does human error play in data breaches?

Human error plays a huge role in data breaches. Whenever I talk about employees being a threat, I don't simply mean the malicious ones who want to wreak havoc across your organization. A lot of accidental actions create many of these problems. That's why creating cybersecurity awareness across a company is so difficult to scale. All forms of attacks tend to begin with some form of targeted phishing, which is very challenging because of the social engineering aspect. That's why you need a system in place that takes these issues into account, and why the best solution a company can have is a mix of technology and user awareness.

Do you have any advice for new CISOs to help set them up for success?

CISOs typically come from a very technical background and tend to think that they need to develop their meta-skills, such as presentation or storytelling. Obviously this is not a bad thing, but it does become an issue when they invest in these new skills to the detriment of the core technical skills that got them there in the first place. So I would recommend investing in those meta-skills, but also doing a technical training session once a year with your team. Try to stay abreast of the newest technical trends as well, by networking and speaking to other CISOs.