The Actionable Futurist™ Podcast

S2 Episode 1: The Future of Cyber Security with Nick Coleman from IBM

January 13, 2020 Andrew Grill Season 2 Episode 1
The Actionable Futurist™ Podcast
S2 Episode 1: The Future of Cyber Security with Nick Coleman from IBM
Show Notes Transcript Chapter Markers

To kick off a new year and a new series of the Actionable Futurist™ Podcast, we spoke about a topic the World Economic Forum has identified as one of the top global threats - cyber attacks, This episode features Nick Coleman who is IBM’s Global Head of Cyber Security Risk where he specialises in evaluating risks from cyber adversaries, digital transformation and regulation.

Before joining IBM he served as The UK Government’s National Reviewer of Security, and authored “The Coleman Report” for the UK Parliament. Nick holds an MBA with distinction, and is a Fellow and Chair of Digital at the Institution of Engineering & Technology.

He regularly advises boards around the world on digital leadership, and how to manage risk that results from traditional and emerging business models, and how to create trust and resilience.

We spoke about topics such as:

  • Where are we at in 2020 with cybersecurity?
  • The WEF has designated cyber as a global risk
  • The average data breach takes 279 days to fix
  • Spotting patterns to help detect attacks
  • Do consumers care enough about cyber security?
  • Should executives and the board be cyber aware?
  • Getting business schools interested in cyber security
  • How ready are you for a crisis?
  • Running cyber fire drills
  • Using AI to prevent attacks
  • Hyperpersonalised attacks
  • The employee as part of the 'last mile' of security
  • Removing the friction from cybersecurity
  • Cloud security and GDPR
  • The 5 stages of responding to an attack
  • Addressing the cybersecurity skills gap
  • Cyber role models
  • What can small companies do to get ready?
  • Three things to do this week

1. Think about what is critical
2. Think about what "good" looks like
3. Who do you call when something bad happens?

For more on Andrew - what he speaks about and replays of recent talks, please visit ActionableFuturist.com follow @AndrewGrill on Twitter or @andrew.grill on Instagram.

spk_0:   0:00
Welcome to the Practical Futurist Podcast, a bi weekly show all about the near term future with practical advice from a range of global experts to help you stay ahead of the curve. Every episode answers the question. What's the future ofthe with voices and opinions that need to be heard? Your host is international keynote speaker and practical futurist and you grill. Welcome to the first episode ofthe Siri's two off the practical Future of podcast. We had such an amazing response to Syria's one that we're back again as my first guest of the Siri's. I'm delighted to welcome Nick Coleman, who was IBM's global head off cyber security risk, where he specialises in evaluating risk from cyber adversaries, digital transformation and regulation. Before joining IBM, he served as the UK government's national review off security and author of the Common Report for UK Parliament. Nick also holds an MBA with distinction and as a fellow and chair of digital at the institution of engineering and technology. He regular advises boards around the world on digital leadership and how to manage the risk that result from traditional and emerging business models and how to create trust and resilience Welcome, Nick.

Andrew Grill:   1:14
Thank you. Great to be here. So

Andrew Grill:   1:16
started 2020. Where are we in terms of cybersecurity and where are we going?

Andrew Grill:   1:22
So I think it's Ah, it's a topic which gets into every discussion now. And I think that's partly because we're so digitally connected, Independent. I mean, all of our lives, either our digital or actually enable through digital whether you're travelling, whether your health care, whether you know, your financial services, everything from government services and like and and I think what we've seen is, as we've risen the digital, we've also seen a number of risks evolve and the attacks evolved. So there's bean ah, whole spate of attacks which have bean financially motivated on DH. There's a criminal industry which has grown out of it. So we've kind of grown to a world where cyber is now a risk that people are understanding. What we haven't quite got to is we haven't got a level of hygiene in some of our infrastructure to be able to repel some of those attacks. And there is some some organisations which are still learning how to be ready to deal with these challenges. Leaders and organisations

spk_0:   2:24
So I know you do a lot with the World Economic Forum and they've actually identified cyber security as one of the top risks throughout the world and it's right up there with climate change, extreme weather and natural disasters. With the recent fires in my homeland of Australia, many are now saying we really are undergoing a climate emergency. So if the wf for picking up cyber alongside climate change is the top global risk, are we at this stage of declaring a cyber emergency or people just not listening to the warnings anymore

Andrew Grill:   2:51
to crash a great question and is it an emergency? I think if I if I look at the global risk report that the World Economic Forum pull together of global leaders. So it was. It was leaders talking about the impact of business and the risk which faced them and climate was one and as you say, cyber risk was was identified as another in the top five that the challenge has grown. The impact is growing toe organisations on DH, you know the volume ofthe impact is also growing, so this is kind of a frequency ah, higher probability of higher impact level you know. So if you kind of look at the risk, well, what's the likely? What is gonna happen to me Kind of high. And that's what you're seeing. And also, what's the likelihood it's going to be disruptive and you're seeing all of those metrics are growing? I think if I remember, one statistic from is a great survey from the Panamint Institute of the cost of a data breach of 2019. And it said the average time to identify and remediated breach was now 279 days.

spk_0:   3:58
That's most of the year.

Andrew Grill:   4:00
Exactly. And actually, if you as the days go up, the cost of the implications also go up to the organisation. So it is it that that we we have, ah, higher risk. Absolutely. Ah number. You know the growth in terms of the complexity off the threat Onda number of people who are doing it, the sophistication of attack and the impacts that's causing all have gone up for sure, and their disruption as we Mohr as we grow our digital connexions is also growing. And then if you kind of look at how well we've built some of the capabilities It's not that people haven't built capabilities. It's just we have to get smarter. We have to get that 279 days and be on beam or agile in our response and be quicker about actually recognising things and being able to respond so that when you start to see these patterns of attack you as an organisation. Khun, Go. I think there's something which is happening there a little bit like some of the other patterns you talk about, the other risks, you kind of can we spot a pattern? Can we think Ah, that's something which is happening How Doe I immediately start to galvanise my defence and resources, minimise the impact. Maximise our resilience.

spk_0:   5:11
Your practitioner, this space. So you are an expert. I double here because I'm a futurist and in fact the connexion to disruption. I talk about disruption all the time. I think cyber is now another level of disruption. But I think the average person on the street really Only a couple of years ago I realised the impact when the ransomware the wannacry disrupted organisation like in a chess and W, P, p and mercy. And even as the record I think Travelex have got their website down. Do you think it's gonna take more attacks like that for the consumer to say? You know, we really worry about this and we want government to do something and have a step change in being aware that this is a risk to the economy.

Andrew Grill:   5:45
So I think from a consumer perspective, we're going to think about resilience of services because you know, whether it's a night failure, whether it's a cyber attack, the answer is if my service isn't running and I can't get access to the service and that's a can be a frustration or actually can have more serious consequences if you know if it's ah ah requirement for a whole bunch of things that might be financial to pay the mortgage, it might be it might be a hospital appointment, which then couldn't have other impact. So I think from a consumer point of view, we look at resilience and we kind of I mean, it's not a word I think consumers would use, but it's actually kind of how do we maintain the trust of those people who we serve both in the public and private sector of citizens consumers that the services are are resilient, that there is enough resiliency planning in there so that you can protect and you can respond. And again, kind of What's the impact that that level of disruption which is increasingly seen and we're going to see more of it for sure we can. We can minimise that impact to the consumer, to the business, to the society at large. And that seems to be, you know, the question. I think everybody should be asking, you know, in the organization's I'm dealing with, how resilient are they planning? And you know it is, you know, on DH simple questions that they can ask those organisations.

spk_0:   7:04
So should executives and the board be cyber aware? Should there be more awareness of the board level and should they go on courses so they understand the impacts? And therefore, when someone comes in with a proposal for a multi £1,000,000 to defend against attack, they say, Well, of course we're going to fund that. Where's education play a role in

Andrew Grill:   7:21
this? It plays a huge role and I think ah, the personal passion of mine. So I'm a visiting professor at Lancaster University and I've worked with a number of universities now about how we teach business school, both the current and you know, both the execs and also the current crop coming through. How do we teach them to think about the digital risks of society? And I'm very clear that, you know, cyber risk is one of the digital risk. But there are, you know, in in the world that everybody is emerging, then their world is underpinned by digital, and this is kind of Well, okay, so how do I know that I've understood the Detroit? I asked the right questions. And Andi, I'm ready to respond. So I think the education bit is both a literacy thing. And I've led a whole bunch of things in 2019 to rewrite some of the materials to make it business, not technical, So we'd start with their business, and then we grow in the technology rather than the technology trying to grow in the business. On by that, we find a language which boards and leaders can understand because it's their language of risk, and it's their language of resilience and how to run an organisation. And so I think part of it is literacy. And then I think it's about capability. So it's both capability of control and the capability of organisation to know they've got enough on appropriate agile defence. And then the other big piece of education is about how ready for crisis are they? And the studies show that the more you're prepared, the more you know. I think some of us think when you go on an aeroplane and for those of you going aeroplanes and you hear the safety advice and you know you go here, it is again. And the studies show both in those kind of environments and also in in cyber attacks that the more prepared you are, the better you are when it comes to an event that you can really handle. You have the processes, you have the experience, and you have this thing called muscle memory. And so it's so I think the education is both the literacy. It's about the controls and what kind of questions and due diligence we need to ask. And then it's about your role in preparedness and the capability you might need, You know, how do you candidly speak to the media in the moment of a crisis, What do you say? Knowing that also the adversary, the attacker may be listening to you and you know And if it's a live event, then you have to plan that. So So there are some great ways to think that through and, you know, pleased to see the business schools are starting. Andi, I'm really died. I've been passionate, had it personally to start to get business schools to really teach it as a business subject on give them that skills in an exact format, which works. So

spk_0:   10:08
maybe we need to start doing cyber fire drills. I mean, most organisations have a fire drill every month or every quarter, and that muscle memory kicks in even if you haven't listened to it yet. The exits are here, but I think it goes deeper because it's about technology and is about technology. Can't see. So if there's a fire, you know where the fire is. You know not to go near it. But if there's a threat happening in your system and you can't see it and you're not a practitioner like you, maybe we need to do fire drills. Who has the key to the war room. Who has the access to the Twitter account? Who's got the emergency phone numbers? Are there things that people could be doing now to plan for that cider fire

Andrew Grill:   10:43
drill? Yes, so absolutely. I was involved last year in the launch of something called the IBM Mobile Cyber Command, and this is a 23 mega tonne lorry or Truckee, in the vocabulary and what it is, it's Ah, it's Ah, it's Ah, it's a It's a vehicle which actually acts as a training centre on we have schools. We have executives who come through and they trained for exactly that scenario. And so it's a re alive. It's got a data centre in the truck. It's God the best calms and you've got, you know, video walls, which show rial time things from everything from stock tickers to show social media to show actually, some of the patterns of intelligence. And I think the two bits one is first of all organisation and leader's got to know what kind of patterns that they could start to see. So it's It's not that you can't see an attack, you just need to have the that artificial intelligence enabled solutions are increasingly which can pull together patterns and show you what's happening from one part you know, because some of the attacks are pretty, you know, they tend to try and hide in the organisation, so there might be little things happening. But actually pulling those together and seeing a picture is important. And so, being able to recognise where you are, what's really happening is one thing, and then being able to actually understand how to prioritise, what do you do? What did the order? Who makes the decision about whether to unplug different systems and what the business impacts? Are these the kind of business led questions? These are not questions. These are questions in terms of Yeah, it is a technology question, but ultimately it's a business decision about the risk. And so yes, So from what we've seen is a whole bunch of people come through and test two things. One is sort of their at their own capabilities and also how they as a team work. The reality for most people is that they're not all gonna be in the same room when those events happen. So how you communicate and how you deal with it, how you build those relationships and how you have plans, which are able to deal with the fact that you might not have what you expect, the telephone directory and some very simple things in that moment of crisis. So there's a role for education and getting leaders ready, doing the due diligence. So the systems are absolutely resilient in line with the business appetite, understanding a little bit also about the regulatory context, because that's also changed. And then there's been about actually being prepared for the crisis, and I think all really important. You

spk_0:   13:16
touch him a couple of things there on regulation. I wanna pick them apart. So it's clear that I was gonna have to be deployed here because thie attacks are becoming more sophisticated. They happen very quickly if I could learn what's going on and then help the humans decide to decode that. But on the flip side are not the criminal's getting smarter? Not they use starting into use II to beat the eye off the defender are, you know, sort of a ying and a yang that we learn and then they learn faster. Isn't this an a I war

Andrew Grill:   13:42
Well, I think eso artificial intelligence And there are whole, you know, and that we could talk about machine learning and a whole bunch of different elements to artificial intelligence. Artificial intelligence for me is two sides of a coin on one side, as we see businesses and or on organisations rollout and enable things for artificial intelligence. I think my toothbrush is getting increasingly artificial intelligence embedded on guy make that as a sort of lighthearted. What it means for all of us is we're getting a I and machine learning it in in a whole set of devices from, ah, things which sit on our kitchen tables to to do all the way to traffic lights in the whole bunch of things behind. And so we have a challenge that the digital world that we're evolving is increasingly a I enabled, and we have to think about how we move protection. And so I'm doing some work now with leaders around the world about thinking, and we we spent that six months really in depth working out. You know how the future of the immortalised people and then the second bit, which you touch on is so in terms ofthe Aye, aye, both of the defence and attack. How we're going to have that that ability and how are the are the adversary is going to use a I and I think the answer is absolutely

spk_0:   15:01
doing it already.

Andrew Grill:   15:03
And it's still evolving and, you know, sophisticate And there are some some things about, you know, we may get increasingly hyper personalised attacks, so you know Hey, I will be used tto learn how you and your email system and how you sign signatures, and we've already seen a bit of that. But it will start to learn how you communicate and all that kind of thing, and then we'll be much more tailored to you as an individual, so we might see more precision on the other flip side. As you say, we'll be able to get to a world, and we already are where we're employing some of the technologies to really see patterns, and also that's helping with protection as well. So where you're getting, for example, how to sign onto systems on dure access. Now you can use artificial intelligence to start to understand some of those patterns and whether who should be able on whether, what looks normal on what looks abnormal rather than probably traditional, which is you just signed on. So it's so kind of it's ah, it's having to protect the world. The digital world were evolving the II world and also then, using cyber security understanding the threat is going to be changing and using more. Aye, aye. And how do you then use your defence to be agile across the different stages of security from sort of identifying the risk all the way to protecting and defending? You

spk_0:   16:27
brought up the toothbrush and this brings us to the fact that everything is now becoming connected. I 18 2 things. We've got Bluetooth enabled toothbrushes. We've got nest thermostats. I think we're going to start to see So you talk about hyper personalised attacks. If I want to attack the CEO, the CFO, this particular company and I know where he or she lives on, then I suppose, fighting the attack on a personal level at their home level. And if I know they've got some IittIe devices that brings a whole new things into it, so is the way. And it's not just a corporate level about firewalls and gateways and email, phishing campaigns and lots of things. But also, I think the last mile actually is down to the employees. If you compromise your own security by emailing passwords on Gmail or you have unprotected, I ot device at home. Should we not also be getting down to the employee level to say you are actually part of the solution? If you're the weakest link? In many ways,

Andrew Grill:   17:23
I think employees. I mean, I think the employees are just one group. I mean citizens or a group Employees Air group, you know, you get, you know, you even get parents. I mean, like, I remember doing this thing with the European Union a couple of years ago, and that was saying, Well, you know, let's do security awareness Month And I said, Well, the first thing we should define is, you know, you have multiple roles of a person, and the reality is security should be embedded into all those roles. You know, if you're a parent, then that might be about how you know you work with your Children and where, how you work with school to do that and where you need to have biometrics and other techniques to be able to protect those environments. And similarly, in the home environment. Yes, I think the takeaway is understand the role. Second, make the security appropriate for that. For that environment, you know, you have to manage it with the risk. You know, that's a cost thing, but also pragmatic thing about how you run these in. And the third thing is working out what the critical bits are and who owns them. So, you know, if you take the employee scenario what you're typically doing is your your maybe working from home. Well, that means that your responsibility is to make sure that you're protecting the corporation and the organisation that you work for. And so So, yes, I think we can think about you know, those different roles. I think we should also understand that Attackers tend to go for the easy things. And so if frankly, it's an easy thing to get people to click on links and people go, I've just won the lottery. Let me click and see if I really have you know. Then the Attackers will continue to do it by the tea. So while we worry about sort of the really targeted sophisticated, which is also important. We also our role is ready to take it, that the hygiene as high as we can in the easiest way to what I would describe his removed the noise, just removed the noise. And then you can focus on the really bound the really bad stuff that might come really pope. And if you're doing the hygiene both on a personal level and also as a corporate on organisation, then it's easier for youto have the hygiene which removes some of that noise and then focus on the targeted sophisticated, which still maybe they're in some specific example. I

spk_0:   19:35
mean, it's got to be frictionless. I think of the whole notion of VPN is most people listening. He would know what a virtual private network is. Some people use it to watch television, other countries, they shouldn't be able to people like you and I probably use it to protect the tunnel that we're using back to the corporate mainframe. But if you have to actually flick a switch and elicit this friction, then I think people will go around that. So how can we make cyber security in the different roles that we play completely frictionless. Is it Is it possible? Well,

Andrew Grill:   20:01
I think I think it will never become totally frictionless on. There's some There's some good things about having some friction because actually it makes it a conscious decision. I think if you think about coming to ah country and going through passport control, you know, you put your thing on the reader, could we do it in different ways yet? But there's a process and the reason for doing some of those processes, and I think so. So it's not that it necessarily needs to be zero friction. I think it needs to be proportionate and and usable. And I think the challenge is if you make it really difficult, then people will find work around. So just so you know, I think I look at some of the banking examples of the last couple of years and you know how they've used by metrics to really be able to authenticate both voice, biometrics and other biometrics with a whole load of other security mechanism. Working from the user perspective, it's some of it has become

spk_0:   20:54
really simple that I look at my phone and I'm on my banking

Andrew Grill:   20:57
app. Yeah, and so you know, that might that's example of where we have to be agile in terms of the both solution, but also behind that. We have to use multiple points to really understand it is still truly you. So is it your phone? Is it your location? Is it? And then I think the thing is that we the friction can be spread across the across the transaction. So if you start to do something unusual in an organisation, in your banking app or something, can we understand what abnormal looks like? And that might be for a whole bunch of reasons, cyber being one of them. But suddenly this is that's not usual. That doesn't look right, that maybe that outcome shouldn't be working like that on really focus resources to kind of go hang on. Can we just verify that is, can we put in additional cheque in, And so we will hopefully get to a world where the hygiene is good. The usability is kind of embedded and proportionate in different stages. I think the final thing I'd say is the embedded thing when you just talk about your phone and looking at it and being on, that's because it's being built in. And I think way we find a lot of friction is where it hasn't been built in. So where I think we'll end up with and again, something I'm pretty passionate about his engineering cybersecurity in to build, eh? So it's not something which is done later, which often costs more money but is also part of that solution that you get in the car in the in, the in the bank, in the utility that actually cyber is part the process. And what that ultimately means is it's built for you but usability. But it's also built a part of risk profile of building. And I think, you know, we've got into a world where we're testing a whole bunch of infrastructure to cheque for challenges and then remediating them and will still need to do that. Where we see goodness is, you know where. That also goes further, where the engineers themselves are starting to think about their digital transformations and how they engineer security in a CZ part, the build process checking code, checking all the things as they actually build systems that's guilty, as has been addressed in each stage.

spk_0:   23:09
We talked a while ago about being mobile first name being outside the first that when you do the code review, when you design the digital transformation process, your building and it sounds like the sort of things that have to happen in the background can only be done at scale. If you've got processing parent I on everything else net that means cost. I very fortunate. What ideo. I generally talk to the C suite of some of the largest organisations in the world, and I get a chance under off under India, often to understand what this being their money on. And most companies, especially law firms, maybe it's radiation are saying we just spent a truckload of money last year on cyber in air quotes. They're probably not quite sure what they spent it on, but someone who said they need it two reasons. One is I think they're now saying there's a risk there and they've gotta protect their risk. And their insurance company may have said your premiums go up unless we have a view of your cybersecurity strategy. But the second thing is regulation and you mention this before this one. Touch on that because being complied with the regulations such as Judy PR have changed the cyber security landscape now. So risk management means you have to think about the regulatory compliance is, well, a security and controls and be agile and ready for the cloud model. Do you think the growth in cloud services has provided more of a threat than before? And what could be done to balance the convenience and cloud with end users security?

Andrew Grill:   24:25
So just take that apartment. There's GDP are There's also something called the S directive, which she doesn't get much as much publicised sixties todo eso. That's a specific piece of cyber security legislation. And what it did was it It essentially identified for all the countries in Europe, including the UK, that we needed to focus on what critical infrastructure sectors and name critical infrastructure providers and make it clear that there were specific. So telco water power, yes, financial services, exactly, etcetera. It also had a provision in there for cloud services at a lesser threshold and said, Look where this cloud services those will also now need to be regulated and so so yes, In addition to data protection, which also has, as you say, GPR has security implications. There is cyber regulation as well, specifically now enacted and live in the environment already passing enacted, same kind of timescales. Gpr I remember I was involved in some of these discussions when I helped launch the Latvian presidency in Riga, where we actually started to shape some of that legislation with them. So So so so yes, it's a regulatory. If I come back to sort of how what does that mean in practise on what you know, if you're an organisation, be that one of those law firms or anything and you're kind of having this well, I'm spending it. It comes down to well, I need to be able to demonstrate that I've got controls which meet the regular true acquire mints and the risk portfolio that I'm running and are applied in context of my organisation and and for sure, if you look at organisations, many of them have been building out frameworks. The there's a framework from the National Institute of Standards and Technology called the Cyber Security Framework, which has proved a backdrop for many which has been great in terms of how to actually think about the problem. Andi has five stages, and so there is identify, protect, detect, respond and recover A simple method off thinking about the challenge and then a whole bunch of steps. And you can apply this and regulatory crow controls in terms of that, creating that framework in that landscape. And then I think the question is well, so in this thing, how doe I demonstrate that I've got adequate controls and I can show that I've done that due diligence in the proportionality. And this is about really then having ability to translate that into Also, this is the capability. This is how we've done it. And this is how we can evidence it through ordered an assurance and so very much sort of links to some of the things you talked about. Insurance have also got into this about you. Can you demonstrate it? Can we offset premiums and things like that? So so absolutely regular trees there. The thing The other thing I'd say about regulation is you have both industry regulations. You have banking regulations and you have other sectors regulating. And then you have these sort of horizontal data and cyber and other things. And you know so the world is getting a little bit more complex in terms of especially for organisations who do business internationally. We've had sort of in California We had a privacy act just just enabled us to January. So you know, for organisations who are who are working internationally which for most of us is increasingly right Then we have to think about how those controls Khun be agile to meet many needs. And so what? What some people have got stuck on is well, let's have a programme to do this piece of regulation and then suddenly another one's come on and then suddenly it's kind of well, okay, do we need to do a delta for that On the leading organisations? I've bean you know, speaking to have really started to understand that it's about capability and then you can map it two different regulatory obligations in different jurisdictions. But ultimately you have you have a model which gives you flexibility and you get a rule of, you know, meeting a certain threshold and then if there's a particular requirement or a particular operating environment which was quite s'more. You can always increments, but you kind of come to a cost effective baseline, which gives you things that enable you to get that hygiene going on. Monitor it so it has been a catalyst for sure. The challenge is making it complexity, not accost overhead, which is unbearable,

spk_0:   28:47
you mentioned. Complexity is incredibly complex area, which is changing all the time. So who is educating the regulators? They understand how their regulation is to adapt and be agile for what's going on on the threats that are evolving. And is there a skills gap? And how do we address that in secondary school and university? So that we've got more and more people that want to move into that and apply the knowledge and thinking business prowess to stop these threats and protect us

Andrew Grill:   29:15
so dealing, I mean, a lot of this regulation to deal with the first point is relatively new, so so part of this journey is to actually have that discussion involving, and I think a number of the regulators have really being very open to understanding how the legislation is translating into operating environments and making sure that what their objectives are are realistic. So I think it's a journey. I think that a number of them have to grow their own cyber skills, and that's new things. You've seen a number of regulators try and build their skills. Um, and I think there is still this area where, you know, through some of the activities, the the's regulators are continuing to try and form ecosystems. To be able to do that, some of those have to be new because they've bean used to in traditional environments are banking, for example, is more severely. Some of the other regulated sectors tramp with transport and others have probably not had these dead discussions in that same way. And then we talk about skills gap in pipeline. And I think, first of all, is we have to get better at getting role models on dso kind of podcast like this for me, a kind of a little bit of where we have to engage in new and different ways to make it understandable of one exciting world. This is, you know, this is ah, digitally transformed world, and this is exciting place doing. You could do amazing things in that career. And so for secondary education. I mean, there are a number of things, you know, we see governments doing girls competitions to get more girls in, literally in schools, and that's being hugely successful in in different schools, in different competitions in different parts of the world. On DH, truly brilliant. You've seen a number of initiatives from private sector. There's something called P Tech, which was started in the US and is rolling out, which is about college and getting people interested in in effectively vocational on industry engagement to really shape their careers in these things. And so I think there are, it comes down to Can we excite people about the opportunity and make it interesting on that, For me, is about wider than just cyber. That's about science, technology, engineering, math, the stem analogy. Um, I remember I met Tim Peake from who was the Astra estate. And, you know, I had the privilege of meeting him, I think last year, and you know in that discussion that the reality wass he was enabled able to explain space and, you know, yes, it's a physical concept and that inspired so many people, and we have to do the same in cyber security. And so I think role models and doing that is important. And then I think literally, like again, maybe a little bit like space, but a little bit broader, because I think we can get more audience and we've got more capacity. Then we think about how we can get people into those stem subjects and really thinking about how we we also advertised that there are true opportunities to build on DH and develop their careers. The final thing for me is, is a little bit about where the world is heading. And so I think, as we talk on a podcast today, you know, I say this again. Digital enablement. This is about if we think about our phones, they have maps and we think about and so getting the next that the people in secondary school with the opportunity to figure out how to code with a I how to actually start to use and experience this stuff to me is also part the challenge. So they don't just become consumers, but they actually become enabled digital citizens. And I see that in, you know, in the Nordics, in other parts of the world where they're really trying to get Aye, aye, and all these topics into schools, but also practically touching people on go. We're doing lots of it in lots of countries to me. I think that's our next challenge.

spk_0:   33:08
Final question before I ask you about your three things for next week. We talked about response from governments. But what can you do if you say a small charity, a multinational, someone seeing at home Listen to this podcast. What can they

Andrew Grill:   33:19
do? So I think it's Ah, great question. I mean, I think that there is a lot of advice out there and I think, you know, the first thing is you You should ideally have somebody in your network who is from credited by one of the professional bodies you know, has Cem, Cem, Cem accreditations who can be almost in the network is a trusted adviser and say kind of Okay, what does it mean for us? And what we and then the second thing I think of your charity is you should have the conversation at the board, you know, kind of kind of as a trustee is when you meet, you know, kind of What does this mean to us?

spk_0:   34:00
We talk about risk. But if we talked about cyber risk?

Andrew Grill:   34:03
Yeah, on almost kind of. What does it mean to us? What is the critical data we hold? What is it? Do we hold stuff? So I talked to one charity who who did stuff in in medical in youth health, actually, and, you know, they understood that they hold sensitive records. And I was kind of saying, Well, okay, so how does that relate to your infrastructure? And they said, Well, you know, that's our journey. And so we started just to have that simple question about war. Where's the risk? You know, the other advantage to some of this is in some of those organisations you? No, that one, I think, had five employees. And so, actually the challenges are are, you know, easily addressable and through adopting cloud and other solutions, they could really get best of breed. So this wasn't kind of a really cost expensive thing. It was a process thing. It was a practical thing. It wass how we digest this and get the basics right and kind of what they really wanted. And I said, Look, you know what we always look for is just practical advice. We No, we don't. We want to spend cost effective and you know, we're a charity at the end of day. Um but we also understand that we may have some critical assets, but at the same time, we may also have people who are looking at the weather on the Internet. And, you know, like all organisations, it has to be risk based on Actually, let's protect what matters. Let's do the hygiene. And yeah, we should also probably be ready for a crisis just to know who that who would one would call in the five, how they would do it and what the role of the the key of the key people bay. So

spk_0:   35:35
as this is the practical futures podcast, I'm gonna hold your feet to the fire what three things cannot listen to be doing this week to ensure they're protecting themselves from cyber attacks.

Andrew Grill:   35:45
So I think the first thing they should do is think about their their lives and think about what's critical on DH. Have they thought about what matters and what You know what's critical that the second thing is thinking about what good looks like. So you know what's acceptable risk levels? I think Identify what then? Think about the risk. And the third thing is, if the bad thing happens, what would I do?

spk_0:   36:11
Who you gonna call? Who you gonna call? Who you

Andrew Grill:   36:14
gonna worry? And who would you look to for? You know, if you if you need to get mean, practical advice where you go I think if I put this down toe practicalities I mean, if you're in a corporate organisation, you know, they should be aware of how those incidents and not be afraid to say, like something small might be happening, which you may not think is a risk, but somebody else they wanted. So just, you know, positively report things which may look suspicious. You know, that's what we hear all the time that the final thing on the sort of who would you call is Think about it in your personal journeys. Think about it when you go abroad, you kind of in your mind think Hang on. What happens if I get sick while I'm travelling? Who am I gonna call? Well, how am I going to get home? Who is going to give me the local doctor. And so for this, it's like identify what matters. Think about what the appropriate have you got a level of risk that actually you think is not quite right. Can you talk to other people if you're in an environment which could share that and understand whether they have a similar prospection? You know, in work environments, that's really important in business environments in leadership, that's important. And then this bit about will, what will I do? And can I make it practical? And do I Do I have a backup? If my phone actually doesn't switch on, you know, how will I go through that experience?

spk_0:   37:31
Nick, thank you so much. How can people find out more about you on your

Andrew Grill:   37:34
work? So I'm a bit on social media platforms like linked in people are welcome to reach out and be delighted. And then on then, simply some of some of some of the other institutions I'm involved in I'm available. And you know, I think this is such an exciting world, and the more we can do to help everybody get to understand, the risk is important.

spk_0:   37:56
I think I've learned so much today. Thank you so much. Free time. Thank you. Thank you for listening to the practical Futurist podcast. You confined all of our previous shows at Futurist stopped London on DH. If you like what you've heard on the show, please consider subscribing via your favourite podcast app. So you never miss an episode. You can find out more about Andrew and how he helps corporate Navigator disruptive digital world with keynote speeches and see sweet workshops at Futurist Start London until next time. This has been, the Practical Futurist podcast.

Where are we at in 2020 with cybersecurity?
Cyber is now a risk people are understanding
The WEF has designated cyber as a global risk
The average data breach takes 279 days to fix
Spotting patterns to help detect attacks
Do consumers care enough about cyber security?
Should executives and the board be cyber aware?
Getting business schools interested in cyber security
How ready are you for a crisis?
Cyber fire drills
Using AI to prevent attacks
Hyperpersonalised attacks
The employee as part of the 'last mile' of security
Removing the friction from cybersecurity
Cloud security and GDPR
The 5 stages of responding to an attack
Addressing the cybersecurity skills gap
Cyber role models
What can small companies do to get ready?
Three things to do this week
1. Think about what is critical
2. Think about what "good" looks like
3. Who do you call when something bad happens?