Download your copy of our insight paper

Laws and regulations governing privacy and the protection of data, particularly sensitive personal data, continue to proliferate across the globe. But why should CISOs care about data privacy, and how should they manage regulatory transitions to ensure their information security program stands up to data privacy protection laws? To get ‘real’ insight into this topic, we hosted a virtual roundtable where we invited a small group of top CISOs, operating in highly regulated industry sectors in the US, to share their lived experiences. Our guest speaker Robert Ball, Chief Business Development Officer & General Counsel from Ionic, also shared insight into why the domain of the CISO has expanded in light of emerging data privacy and protection laws. Download our insight paper for the key takeaways from the event and to discover 10 technology tips for CISOs to effectively manage data privacy.
29 Oct 2020
Convincing decision makers to invest in Cyber Security

According to Senior Technology Leader Dan Crisp, there are several strategies which can be used to get past organisational resistance and convince decision makers to invest in Information and Cyber Security. Read his guest blog below to learn more...

Dan Crisp, Senior Technology Leader

About Dan Crisp

Dan Crisp is the founder of Digital Risk Insight, a technology risk strategic advisory consultancy. He began his career as a technology merger & acquisitions analyst at Citi. Subsequently, he led the technology risk, cyber risk and Basel programs for JP Morgan Chase in the US. Dan went on to serve as Chief Operations Officer for Barclays Global Information Security in London. Dan also served as the CISO and Chief Technology Risk Officer for BNY Mellon, with technology risk, cybersecurity and data privacy oversight responsibility at BNY Mellon Corporation and its affiliates and subsidiaries. While there, he led the innovation, development and deployment of a global technology risk regulatory controls and analytics system for technology and privacy risk.

Many decision makers overestimate their company's cybersecurity defenses – ‘no news is good news’ – and they may not be enthusiastic about allocating more budget to protect themselves. One of the biggest barriers experts in my line of work find is convincing executives that doing nothing allows cybercriminals to gain advantage and is potentially putting the company at peril. I believe that there are several strategies which can be used to get past organisational resistance and convince decision makers to invest in Information and Cyber Security:

1. Reframe success metrics - what worked before is no longer effective

It is an arms race: what used to work doesn’t work six to twelve months later. You’ve constantly got to be thinking about upping your game, and getting that across to non-technical people is essential.
For want of a better analogy – executives need to understand that they can’t simply buy the car and then continue to drive it for a decade, without servicing it, just because they don’t want to spend further money or buy a new one.

Use problem statements to help push back on the status quo and facilitate conversations as to why what you’ve always done is no longer good enough. Here is an example:

“Our information security management system requires reassessment and transformation to ensure continued effective protection for our clients and the company.”

2. Benchmark with peers to challenge assumptions about the adequacy of cybersecurity investments

For example, when the Travelex breach occurred in London, other currency exchange companies wanted to make sure it didn’t happen to them. There were questions like – what was Travelex’s Cyber Security footprint? What was their approach to risk management? How did it compare to their own company and, therefore, how likely was this to happen to them?

3. Follow the organisational expectations

- Use provided expected financial templates
- Work with finance in advance to ensure your budget can withstand challenge
- Use storytelling to illustrate the risk

Although it’s important that you have done your homework, laid out a clear budget and you speak the language of finance – you want your conversations to be risk based, not dollars and cents based.

4. Refine your presentation approach

- Keep the focus on the risk to the organisation (operational, reputational, regulatory, litigation, etc.)
- Present in non-technical language
- Use storytelling to illustrate the risk
- Create a sense of urgency. Inaction is dangerous.
- Leave a strong document trail leading to the person(s) who grant budget
- Always provide a follow-up email regardless of the meeting outcome

You want to leave a strong document trail, and I call that the smoking gun, where it’s been explained in layperson’s terms and is abundantly clear to the budget granter – this is what’s at stake...

5. Use the three-slide technique

- Problem statement
- Risk storytelling
- Solution with costing

The discovery of the three-slide technique is a defining moment in my career. When I was working for a bank, we had a Big 4 consultancy firm provide us with a 40-slide presentation deck, which we spent quite a bit of money on. We were to use these slides to present our justifications to the board for asking for exponentially more money. The CISO I worked with at the time said she didn’t want to use them. She only wanted three slides. One explaining what the problem was. The second was to be the scary slide – explaining what would happen if they didn’t address the problem. The third was the solution and cost. It was so powerful and effective that we got the funding we asked for. I have gone back and used this technique, incrementally, for projects and programme fund raising with great success.

6. Use narratives to illustrate the risk of inaction

I have found the use of narratives incredibly powerful. We used to call those the scary slides, i.e. here’s an example of something that has happened recently and here’s why it might happen to you.

- News headlines cause decision makers to take action — even if it's short lived
- Storytelling activates sensory centers in the brain that make people relate to the story on a personal level — it places them inside of the story
- Storytelling is extremely powerful when it comes to marketing and other forms of communication
- Use storytelling to demonstrate the risk, create a sense of urgency and leave them with the impression that you have laid this at their feet, with all of the risks and consequences outlined, and now the decision is in their hands.

You almost want to worm into a person’s thinking so that they wake up in the middle of the night thinking about what you’ve laid at their feet. You want them thinking – what if we have a cyber-attack and I’m the budget granter who said no?

That said, it’s important to use storytelling to convey the drama for you – you want to portray yourself as the calm and collected person who has the plan. A helpful trick for me with the storytelling is to make them as scared as you are and no more. If you’re stretching your own fear, it's going to be transparent.

Remember... you are competing for finite resources and budget. The best storytelling wins the day and the funding!

Download our insight paper

For more insights from top CISOs, download our recent insight paper. It features the key takeaways from our recent CISO virtual roundtable where the challenges of setting best practice for secure remote working and obtaining budget were discussed.

Speak to a Cyber Security recruiting expert

If you need help finding and hiring exceptional Cyber Security professionals or you are searching for your next opportunity, please get in touch to speak with a Cyber Security recruiting expert at Stanton House.
20 Oct 2020
In my last blog, I wrote about the necessary workforce competencies and the type of cultural mindset that is needed to make digital transformation a success in this new era. But what are the technical skills and areas of expertise that support digital transformation? Here are five areas where talent is in high demand right now:

Talent in demand

1. Strategy & Transformation

Increasingly, organisations are looking to the future, modelling different crisis scenarios, investing in new technology and exploring new customer engagement models or partnerships. The question of who is thinking strategically, beyond the business proposition as it stands today, and shaping how it may look in 3, 5 or 10 years’ time is paramount to an organisation’s survival and future growth. Many organisations are facing wholesale changes to their operating model, which is a highly complex and often daunting piece of work. As such, there has been a proliferation of new roles in the areas of strategy, innovation and change management. ‘Directors of Strategy’, ‘Project or Programme Directors’ and ‘Change Managers’ have become commonplace across many different types and sizes of organisation. However, the unprecedented speed with which organisations have had to react to the Covid-19 pandemic, and its ensuing challenges, has triggered an acceleration of digital transformation projects and compounded the need for senior professionals who can facilitate transformative change alongside the complexities of a remote working environment.

2. Cloud-based services

Unsurprisingly, as we have transitioned to remote working, skills in cloud-based services such as AWS, Google Cloud and Azure have been, and will continue to be, of critical importance. The shift to cloud-based technology will no doubt remain prevalent even when we all get back to the office without restrictions. Professionals who have the skills to deploy cloud-based services as needed will be required to ensure continuous and reliable connectivity to these systems, and with it business continuity and productivity.

3. Cyber security

Remote working increases the risk of cyberattacks as hackers target people’s increased use of and dependence on digital tools, data sharing and communication. As such, organisations must enable secure remote working using a virtual private network (VPN) to create an encrypted connection from the user's computer to their company IT system. However, even businesses with a quality VPN may need to improve their server capacity and network security to enable their entire workforce to use it at once and work remotely, securely. This means that top cyber security talent, already in high demand, will remain indispensable for employers as agile working practices continue for the foreseeable future.

4. Data analytics

As organisations race to adapt to different ways of working and evolve best practice across their systems, people and processes, Data Scientists and Analysts continue to be in high demand. Modelling the impact of the Covid-19 crisis and understanding evolving customer behaviour is vital to the strategic decision-making process of any organisation right now. Data analysts who can provide accurate analysis and interpretation of data, to the right people at the right time, will provide much needed foresight in these unprecedented times.

5. Automation & AI

To help reduce administrative tasks and enhance process efficiencies, within and between different systems and departments, most organisations have invested in automation technology and artificial intelligence (AI) to some degree. The specific artificial intelligence or automation technology, its application and the tools available (such as Robotic Process Automation, chatbots or CRM) vary across industry and profession. Professionals who have demonstrable experience of developing, implementing or integrating this technology within and between business functions, and adapting it to the new virtual world of work, will be highly prized.

As well as investing in technology and talent, organisations must look at their people from top to bottom and involve individuals who can provide ideas, or champion and lead transformative change. Those that believe it will all be driven from the boardroom and do not engage a diverse group in tackling change may well struggle. Understanding individual challenges in remote project delivery requires diverse perspectives and agile leadership that utilises the capabilities of individuals from every corner of the business. In an increasingly geographically agnostic business world, leaders have to understand how they can embrace technology, help their people to bring about better customer experiences and deliver lasting change that enables them to remain relevant. After all, how can you compete if you don’t evolve your operating model in today’s rapidly changing world? Those that can win both the hearts and minds of their workforce will successfully deliver the most complex of technical change with the highest levels of engagement. It’s strange how even the most baffling of technical puzzles always falls back to people!

Download our insight paper

For more on this topic, download the full version of our insight paper 'Digital Transformation: What does it take to succeed?', where we explore what constitutes the right mindset needed for change and share the technical skills and talent in demand right now.

Share your insights

If you need help finding talent with the necessary competencies to transform your business, please get in touch. We’d also love to hear from leaders on how you are progressing your digital transformation projects in these challenging times.
18 Sep 2020
Business leaders are discussing what increased remote working and reduced real estate costs mean for investment and budgets for their different business functions going forward – including, of course, Information and Cyber Security. So, now more than ever, CISOs need to ensure that they have a voice in these discussions and a seat at the board table.

Download our insight paper

Our recent insight paper features the key takeaways from our recent CISO virtual roundtable where the challenges of setting best practice for secure remote working and obtaining budget were discussed. Our guest speaker and Senior Technology Leader, Dan Crisp, also shares the techniques he has found most valuable in convincing key stakeholders to invest in Information and Cyber Security.
26 Aug 2020
The inevitable increase in demand for Cyber Security talent

What a crazy time we’re all living through! I hope anyone reading this is safe and coping okay with this new way of existing that we’re all adapting to. In my job I have the privilege of being able to speak to an array of talented and insightful Cyber Security leaders across a variety of different industries every day. With everyone working from home, my phone hasn’t stopped ringing in the past few weeks with people looking to have a catch up. Clearly this is an unprecedented and difficult time for everyone, but being the optimist that I am, I’d like to take a look at one of the positives I think will come out of this situation, and that is the inevitable increase in demand for Cyber Security talent.

Remote working leaves us open to increased risk of cyberattacks

The COVID-19 pandemic increases the risk of cyberattacks as hackers target people’s increased use of and dependence on digital tools, data sharing and communication. Just yesterday I read that the usage of Zoom in the past month has gone up by 535%, so sure enough there has since been an increase of over 2,000% when it comes to malicious files with Zoom in the name. It’s fair to say that most business leaders (myself included) have had their eyes opened to the benefits of remote working over the past few weeks, and I don’t think any of us can see the working world going back to how it was before this all happened. As we know, remote working, in general, leaves us more vulnerable to successful cyberattacks, with potentially devastating repercussions if we’re not careful. Individuals new to working from home present a target for hackers, who will no doubt seize any opportunity to steal sensitive personal or company information to create disruption or commit online fraud. I recently read, for example, about a cyberattack that targeted people looking for visuals of the spread of COVID-19. Viewers of a map showing Coronavirus statistics were asked to download a malicious application that compromised their computer and allowed hackers access to that individual’s personal information.

Organisations must enable secure remote working

To keep information secure, most companies will use a virtual private network (VPN) to create an encrypted connection from the user's computer to their company IT system. However, even businesses with a quality VPN may need to buy more user licences or improve their server capacity and network security to enable their entire workforce to use it at once and work remotely, securely. We are already seeing organizations increasingly stress-testing their servers to ensure they will cope with everyone working from home, checking that their networks remain secure and that both company and customer data is protected. Far too many remote workers, however, don’t have two-factor authentication (2FA) turned on in their email and apps. As any Cyber Security professional will tell you, 2FA is one of the easiest and most effective ways for users to protect their data and identities. In my experience, particularly with small or mid-sized organizations, the reason many companies lack these basic security measures is not because they are lazy, but because they don’t have the education or expertise in Cyber Security in their business.

What does this mean for Cyber Security talent demand?

A lot of businesses are looking at their security budgets right now and are weighing up the risks of trimming them down. As such, over the last few weeks we have seen a drop in demand for talent across almost all industries. It will be interesting to see what happens to the businesses that do cut down their security budgets vs those that don’t over the coming months. Sadly, as we know, it often takes a breach for an organization to invest properly in their security. The positive news is that I do believe that this recent drop in talent demand is likely to be short-lived. The conversations I’ve had with CISOs, CIOs and CEOs over the last month fill me with confidence that in the coming months and years there will be even more demand for Cyber Security expertise. Organizations need to adapt to new ways of working, which are very reliant on technology, and the inevitable continuation of increased levels of cyberattacks and probable breaches will only amplify the need for more Cyber Security talent still further. If you are currently looking for a role in Cyber Security right now, my advice is stay patient, continue building your network and have faith that it won’t be long before we see things start to pick back up. The high demand for hiring Cyber Security talent is not going anywhere!

Please get in touch if you need help hiring within Cyber Security. Equally, if you are a permanent or contract Cyber Security professional, we are here to support your job search in these troubled times.
20 Apr 2020
It’s Cyber Awareness Month in the US, and what better way to celebrate than with a new Cyber function in Chicago and a simulated breach to show executives it’s time to get Cyber savvy? It’s all things Cyber Security at Stanton House right now, with our experts scattered across the UK, APAC and USA, and the team in London are getting creative with their awareness training. Some like presentations, others prefer round-table events and some produce PDFs. We, on the other hand, like to throw a bunch of executives into a very surreal, live, simulated data breach and then make them fix it, quick.

Two weeks ago, we hosted the first of our gamified event series, titled: How would you respond to a Data Breach? It was terrifying, thought-provoking, exciting and a huge success. More than 20 senior executives from a multitude of industries and disciplines joined us in our City office for the simulation. They were given a company profile and had to get into character quickly, as they would soon become the Executive Board for a listed company which was facing very public issues with its online security. They were then given several injects of information from the Legal, Finance, Technology and Marketing divisions, as well as the outside world, and had to piece together the severity of the alleged breach – a breach they knew nothing about. From the initial technology malfunction, the guests had to work together in teams to work out if a hack had even taken place, where the attack had hit and who was affected. They also had to deal with a simulated press conference, concerned customers on social media and stakeholders asking questions they might not have the answers to. By the third briefing, teams were questioning if this was a business-ending attack and if they too were about to face the end of their career – taking an empathetic approach to the hack and applying it back to their very own organisations.

We understand that Cyber Security can be overwhelming and it’s not something that is easily understood by professionals outside of the industry. This event offered our network a real-life insight into a Cyber Breach as it happened and taught the professionals taking part how to respond. Not only was this event insightful, thought-provoking and eye-opening, but it was interactive, fun and exciting and offered a truly unique but surreal experience, giving our executive guests the answers to take back to their own Board. For us, this is the very definition of Cyber Awareness. For your copy of our white paper, which offers an insight into the conversations had on the day, please get in touch and, in the meantime, join the conversation – what is the best way to improve Cyber Awareness?
01 Oct 2019
Aside from the infamous hot-dogs, deep-dish pizzas, jazz music and gangsters, the Windy City is home to an array of incredible Cyber Security professionals, and I’m raring to meet them when I move over in just a few weeks’ time. We’ve been focusing on the US market for the past few months from London, but as of October I’ll be on the ground in Chicago and expanding the Stanton House US offering with a keen focus on the Cyber Security market.

It goes without saying that I’m dead excited from a personal perspective to move to such a wonderful city, but as well as that, Chicago is home to a wide range of industries needing protection from the ever-growing threat of cyber attacks. I feel energised by the idea that the team and I have the opportunity to support corporate America by introducing Cyber talent to vulnerable organisations.

I started out my career at Stanton House focusing on the Accounting and Finance market, but my interest in technology and desire to provide solutions for our clients led to me setting up a team focused on Finance Transformation. My venture into Cyber Security allows me to not only satisfy my own fascination with the world of technology, but also help executives deal with one of their biggest preoccupations: protection of data.

Whilst I have an amazing adventure ahead of me, I wanted to take this opportunity to thank everyone in my network who has supported me in my career to date. Whilst working in America has always been a dream of mine, it has been a thoroughly enjoyable six years with the UK team, and it goes without saying you’re in the safest of hands once I hop across the pond. I will continue to remain connected to the UK market and do not intend on losing touch with you all. If you ever need any support, advice or just fancy catching up, don’t hesitate to drop me an email. For anyone else floating around in the States, I’d love to meet for a coffee and maybe trade in some geeky Cyber dialogue for a tour around the city!
27 Sep 2019
Today we were joined by executive-level professionals from a multitude of disciplines who wanted to learn a little more about their Cyber Security. Jay Abbott and Kieron Maughan of Nellcote joined our Head of Cyber Security, Ryan Surry, to host our gamified event titled: How will you respond to a Data Breach?

Our audience of CFOs, COOs, Transformation Directors and the like were thrown into a live hacking simulation – faced with a possible data breach, and unsure of how to respond. From the initial breach, the guests had to work together in teams to work out if a hack had even taken place, where the attack had hit and who was affected. They also had to deal with a simulated press conference, concerned customers on social media and stakeholders asking questions they might not have the answers to.

Cyber can be overwhelming and it’s not something easily understood by professionals outside of the industry. Today’s event offered our network a real-life insight into a Cyber Breach as it happened and taught the professionals taking part how to respond. Not only was the event insightful, thought-provoking and eye-opening, but it was interactive, fun and exciting and offered a truly unique but surreal experience, giving our executive guests the answers to take back into their own Board.

Head of Cyber Security, Ryan Surry, said: “I’ve worked in this industry for many years, having intelligent conversations with many fellow Cyber professionals along the way. Today was the first time I was able to take that conversation to an audience of Board members who do not specialise in Cyber, in fact focusing more on Finance, Change, HR and other industries.

“It was truly mind-opening to see how professionals of different disciplines react in situations that we deal with every day, and it was equally rewarding to work with Jay and Kieron to help these leaders understand a very current issue that could impact their company tomorrow.”

We will be producing a white paper to capture the insight shared this morning – to receive a copy of this paper once published, please get in touch with Ryan here.
17 Sep 2019
Alan Jenkins is the Head of Advisory Services at 2|SEC Consulting. He has some 30 years of experience across all aspects of security, particularly Cyber and Enterprise Security Risk Management. Alan started his career in the Royal Air Force and has subsequently held multiple Cyber Security roles, including as the first CISO for Babcock International Group in 2013. He has also worked for organisations including IBM Security, Atos Consulting, CSC and T-Systems. A NATURAL PATH I see my progression into Cyber Security as natural rather than accidental. I’m a security generalist and haven’t done anything but security in my adult life. I joined the Royal Air Force when I was 18 because I liked aircraft and wanted to be a pilot. I hadn’t thought of doing anything else since I was seven until I ended up with a navigation scholarship aged 16. Unfortunately, the RAF decided that my eyesight wasn’t up to scratch for me to fly. This forced a deviation from my dream and I then went to university as study electronic systems engineering but my heart wasn’t in it. What it did do however was give me the time to find something that I really wanted to do and that led me to join the RAF Police as a Provost Officer. I subsequently spent much of my service on security duties until 2001 when I made a deliberate decision to get into computer network defence and information assurance – of course, we didn’t call it Cyber in those days. So, in 2002, I joined the Ministry of Defence’s stand-up CERT team as the Intelligence lead, working with Other Government Departments and Allies in the then new world of response to computer incidents. Having started in physical security, looking after nuclear weapons and so on, I worked my way up through Security on Operations at home and overseas into Information Security. That’s what drew me towards Cyber– old principles applied to a new domain. 
REACHING THE BOARD FOR THE FIRST TIME My role at Babcock was as CISO; in fact, I was the first Group CISO at Babcock. I was initially only responsible for Cyber-related matters but subsequently picked up the broader security coordination task across the Group as we made progress with our Cyber improvement. I relished it. It was a significant career step as it was the first time that I was at the pinnacle of security capability; I wasn’t reporting to a higher level in another company - this was my first UK-based outfit and part of the attraction to me was that it put me into direct contact with the Board for the first time. I had to up my game – I’m not saying that I got it right straight away but after some years in the game, you know how to hone your craft and apply good practice. It was genuinely a new role, it wasn’t head of IT Security, it was a CISO role and that’s something Babcock did right. A PROTECTIVE MINDSETWhile I progressed through the different facets of security, for me, the mindset remained on protection. However my nature and environment fashioned me, protecting an enterprise, it’s people and assets. That’s what has always appealed to me. I would say over the three decades I have been working within the space, the industry hasn’t progressed enough. People still don’t have all the answers to Cyber; many think it’s only a technology problem. That’s not to say it isn’t but it isn’t the only problem. The technology space is perhaps where we have made the most progress but just thinking Cyber is about technology or defending IT infrastructure actually misses most of the problem. It brings us back to the HR debate: how do we develop the people? That’s where the greater problem lies. PEOPLE, PROCESSES AND TECHNOLOGYThese are three things to keep in mind always. 
You can’t attack one pillar in isolation to the other two; simplistically, you have to tackle all three in concert - if you don’t, the weakest or lowest hanging fruit will be the thing to trip you up. If you don’t bring the people along for the ride, if you don’t optimise the process flows to minimise human interactions and integrate the technology effectively, your technology investment will not deliver full value to the enterprise. THE VIRTUAL CISOSmall and Medium Enterprises (SMEs) need someone to offer a vision, to map out where the business is at with their Cyber Security and figure out what is right for that organisation at that time - this has to be aligned with the business strategy. This is what they should look for from a CISO but, I do not believe SMEs need a CISO permanently. Firstly, SMEs can’t afford them – fully capable CISOs are rare, expensive and demand exceeds supply. Secondly, having developed and delivered that vision piece – they no longer need a full-time CISO. What they need is for someone to drop in occasionally, increasingly referred to as a Virtual CISO (vCISO). I and others have been developing this concept for some time now: I liken it to that of the Flying Doctors – the vCISO drops in from time to time to review the agreed road map with the business check on progress, check the implementation plan is still right for that business and adjust as necessary while also being on call for remote consultation as the need arises. SMEs really need to look carefully at the cost/benefits and determine what they get for their money. It could be a virtual CISO, a temporary or an Interim CISO for a fixed term: an SME simply doesn’t always need a full-time incumbent. The SME needs expertise and guidance on call but once embarked on their capability improvement journey, they don’t need a CISO for 240+ days a year because they won’t provide that ROI. 
The CISO will be tracking progress, reporting and simply, I don’t believe you need that person every day of the week. The business is inevitably focused on whatever line of business they are in; the CISO has to talk to the business but, the business doesn’t always have time to talk to the CISO. The Board doesn’t meet every day of the week nor even weekly but the CISO should bein attendance on a routine basis, not reporting by exception - with bad news! THE IDEAL CISOTo be that all-important leader - and that in itself is different to a manager – the CISO needs to be able to come in and sell a vision. That vision has to be linked to; and supported by, the business and the CISO needs to be able to communicate that message to the Board in their business language, not in technical jargon. The CISO should have expertise around programme management rather than project as it’s often a series of activities, many in parallel. The CISOs role is to articulate and sell that vision and make sure there are success criteria in there, the measures of success of that criteria, with a link to fiscal targets; whether that’s spend targets or return targets, and what are you getting for your money. This is still a huge weakness for us. The ROI for Cyber investment is not good: there is stuff happening in this space but it’s still not mature and not yet universal in use as a result. Enterprises need to think carefully when looking to hire that ‘Ideal CISO’. It’s not just a label and then letting them get on with it. If you’re looking to appoint a CISO, whether to work as an Interim or on a full-time basis, then they need to be connected with the business, not just IT. Perhaps controversially but I don’t think the CISO should report to the CIO. It’s not all about IT, they’re often rebadged Heads of IT Security and that’s not all that the business needs from the role. 
After all, the CISO often calls out the CIO for taking on too much risk as they prioritise availability. If the CIO’s main function is to keep the lights on, availability will also govern the CISO’s priorities. Security often needs to look much harder than IT to know what the root cause of an Incident was. It’s all about understanding and prevention. Most often, the security function is there to do the thinking that the business doesn’t do; it’s almost a mindset piece, looking out for the things that can go wrong. I have found that there’s too much optimistic thinking and not enough pragmatic thought about untoward things happening, whether by accident or design, i.e. someone overstretched cutting a corner to get the job done rather than some more malicious motivation. Security is there as a check and balance, not there to slow the business down but to give more thought to what is happening and how to prevent it or reduce the impact, and that’s often not the priority of the CIO. Hierarchies and divisions of responsibility need to be right between the roles but an SME or smaller company doesn’t always have the luxury to afford this. This is where a virtual CISO becomes helpful and offers a perspective that they wouldn’t usually get, provided this is positive and aligned with their business needs. It’s also hard to learn from others if you spend 30 years in the same company.

A CISO’s role is to make sure all of the day-to-day roles come together to secure their business in a cohesive manner. Security is a horizontal activity, not merely a vertical one in the IT space: it’s also everyone’s responsibility! In an ideal world, we wouldn’t need a Cyber department as the workforce would all be protecting the business. Then there is Security’s Achilles heel – the good are most often playing catch-up with the bad. We have to get more proactive rather than the more usual reaction to events after they have occurred.
Security is neither an art nor a science; it has to be a hybrid function. For full access to our white paper - The Evolving Role of the CISO - please follow the download link and join the conversation: should we segregate IT and Cyber Security? Do we need 'flying doctors' rather than in-house security, and is Cyber Security everyone else's responsibility? Download our CISO white paper
16 Sep 2019
In our recent white paper, The Evolving Role of the CISO, we interviewed Roy Whitehead – an established security professional with two decades of experience at the likes of Barclays, British Energy, Volvo, Jaguar Land Rover, British American Tobacco and Thomas Cook. He describes himself as damning in his opinions towards most CISOs - comparing them to ‘heads of level folk’ - and explores the idea that they are far too junior to be tackling a role that protects the security of an organisation. He raises the argument that security is the most important aspect of any organisation and therefore requires a more senior level of CISO who has a far more diverse career history across IT and business management. This got me thinking. What does constitute a great CISO? For me, a great CISO's characteristics fall into five categories:

Experience. From the technical experience to the hands-on, this is vital for a great CISO. They should be well equipped with the knowledge and understanding of how to use different platforms and how to manage different functions.

Likeability and Communication. As a CISO, you need to be not just understood and appreciated but liked too. This is how you get buy-in from non-security personnel. Rather than sitting in an ivory tower and speaking a different language, CISOs must be accessible and remove the jargon from every conversation to ensure their demands are understandable to key stakeholders. Over time, their relationship with the board can become more transparent as executives learn to put more trust into the strategies, suggestions and requests made by the CISO in return.

Starting from scratch. In my experience, a CISO that has built a function from the bottom up is usually a great one. The ability to mature a security function in the public sector for instance, where all stakeholders are risk averse, bureaucratic and dismissive of security as an integral business principle – that is impressive stuff.

Getting your hands dirty. Decent CISOs aren’t always derived from that environment but the same qualities can be recognised in a professional who has been able to open or expand a security function without using a managed service provider, for instance. A person who is happy to get their hands dirty and get stuck in with the hands-on technical requirements.

Ability to Align Security with Business Goals. A great CISO knows they are not there to control the business, but there to enable the business to do what they need to do in the most secure way. Great CISOs align their strategies with their firm’s mission values and understand how to communicate with business leaders in ways that are culturally aware, whilst enabling those leaders to make effective decisions. More importantly, a great CISO will always be playing a balancing act between what is good for security and what is good for the business.

In the paper, Roy describes his ideal CISO as a person equipped with a plethora of security qualifications, the ability to liaise, negotiate and converse with non-security professionals and also, experience in senior management roles in as many industries as possible. For me, it’s simple. To be a great CISO you need a blend of security and general management experience – enabling you to build and maintain a security function while getting stakeholder investment, employee engagement and credibility throughout the organisation. For full access to Roy's and our other contributors' interviews, please follow the download link to our white paper below. Download our Cyber white paper
06 Sep 2019
Louise Shea is the Head of Cyber Operations and Intelligence for Aerospace, Technology and Nuclear International (ATN-I) at Jacobs. Having spent more than two decades in the Metropolitan Police, 18 years of which as a Detective, working her way up to Head of the Met Cyber Crime Unit, Louise transitioned from reactive to proactive security, moving into Industry to help organisations combat crime before it happens.

FOLLOWING THE DREAM

From as young as I can remember I wanted to join the Police force and my mum refused to support me, insisting I get myself a decent education first and advising that if I still wanted to join the police then I would have a career to fall back on. I studied History, Law and Politics at A-Level and scored an A in Law, so naturally, I decided to study for a Law degree at university, which I thoroughly enjoyed. Following University, I was still set on joining the Police and whilst I did some temping work at a few law firms, the thought of being chained to a desk for 12 hours a day just cemented the fact that I wanted to have a career that was diverse, challenging and kept any boredom securely at bay. Within a year of graduation, I joined the Metropolitan Police.

I completed 16 months in uniformed roles during my probation but knew very quickly that my future would lie in the Detective ranks. You couldn’t apply to be a detective until you had two years’ service under your belt and even then, it was unusual. I managed to get an investigative role as a PC (Police Constable) with 16 months’ service and the minute I had 2 years’ service I applied to be a Trainee Detective. At the time I was the youngest to get through the process and then worked my way around the various departments. I was then promoted to Detective Sergeant, where I remained for five years before being promoted to Detective Inspector, focusing on tasking and intelligence by default really for the first few years at this rank.
PEAKING INTERESTS

My career path has always taken a turn where other people have identified my abilities before I did. My initial role as a Detective Inspector taught me a great deal about budgets, the flexing of assets and a lot more about intelligence, being Intelligence Manager centrally for the Met. These were never roles I actively applied for but roles that were suggested to me; my next role was running the National Mobile Phone Crime Unit. I hadn’t applied but I was asked to join and I loved it. I was really interested by this, not from a technical background but from the Cyber Security aspect. Much of our work in Serious & Organised Crime and related phone activity was tackling national and international organised crime groups who were fraudulently dealing/stealing mobile phones, exporting them around the world and laundering the proceeds, especially Apple devices. I got involved in SIM swap - a form of identity theft using mobile phones – and conducted significant partnership work with Industry and the Home Office as a result, in efforts to stem the tide of mobile phone criminality. This is when my interest in cyber-crime really started peaking.

CATCHING THE CYBER BUG

The Met was restructuring due to austerity and the National Mobile Phone Crime Unit was being examined as a potential merger with the Met Cyber Crime Unit, given the ever-increasing cross-overs in our work. I received a call from a senior officer to say come and run the Cyber Unit. Off I went and within three months I had hugely caught the Cyber bug and never looked back. Within a short period of time I wondered why I hadn’t made the move years ago, as it was a fascinating and exciting area of serious crime to work in. I adapted my skills as an SIO (Senior Investigating Officer) to Cyber and quickly identified a career development path to upskill me in all facets of Cyber. A short while later the Home Office funded a pilot project called the Cyber Digital Careers Pathway and I was asked to apply.
The scheme provides a national professional accreditation via IISP (at a range of levels) for varying areas of cyber investigation, from forensics through to intelligence. I was advised to apply for the highest grade as a Cyber Strategist and after a gruelling interview process and submission of a range of evidence over several months I was successful.

I now assist the programme and continue to assess and interview other candidates across the UK from all areas of the public sector. The programme is now pushing into private industry, which is hugely exciting. Within 18 months of joining the Met Cyber Crime Unit I was promoted to Detective Chief Inspector and quickly set about creating a dedicated Dark Web Unit and related capability. I worked extensively with a range of UK and foreign agencies to ensure the best possible outcomes were achieved against high-tier Cyber criminals around the globe. Collaboration is key in the fight against cyber-crime as it respects no boundaries.

CHANGING ROLES

My role within Jacobs is Head of Cyber Ops & Intelligence within Aerospace, Technology and Nuclear International (ATN-I). The role has provided me with new and exciting challenges but it’s a huge difference to what I was doing before. I’m thoroughly enjoying applying the skills and experience from two decades of policing to Jacobs. I have gone from heading up significant operations targeting high-tier cyber-crime criminals (nationally and internationally) impacting London and beyond, to now providing a life cycle of Cyber Security to a wide variety of businesses. Although it has been a significant change, the two go hand in hand. The Met take the ‘Four P’ approach to cyber-crime: Pursue, Prevent, Protect, Prepare - the four distinct strategies that law enforcement refer to. Every time we launched an investigation I would assess it not just from a Pursue angle, but from a Four P angle, to set the strategy and related tactics across the ‘4P’ spectrum.
A similar analogy can be adopted in private Industry in ensuring businesses are in the strongest possible position against Cyber threats in an ever-changing threat landscape. I love working in Cyber and would strongly encourage it as an exciting and challenging career path. For full access to all of our interviews in our Cyber Security white paper - 'The Evolving Role of the CISO' please follow the download link below. Download our CISO white paper
03 Sep 2019
Have you thought about what would happen if your organisation was hit with a data breach tomorrow? Come along to our escape-room style event, which will see you take part in a live hacking scenario. From the initial breach you will have to work out if a hack has even taken place, where the attack has hit and who is affected - you'll also have to deal with a simulated press conference, concerned customers on social media and your stakeholders asking questions you might not have the answers to. How would you react? We are hosting an exclusive event for exec-level, non-technical professionals to come and learn about the world of Cyber in our new and exciting gamified event: How will you respond to a Data Breach? At Stanton House we understand that Cyber Security can be overwhelming and it’s not something we all understand. This simulation offers you a real-life insight into a Cyber Breach as it happens and teaches you how to respond. This event offers an insight into media training, £10,000 worth of consultancy and, more importantly, the answers to take back to your board and an unrivalled opinion on a current hot topic. Get in touch with Ryan Surry for more information and to secure your place.
28 Aug 2019