Chatting With Ingram

Cyber, security and success is when nothing happens

February 26, 2020 Philip Ingram MBE with Ellie Hurst Season 2 Episode 4
Chatting With Ingram
Cyber, security and success is when nothing happens
Chatting With Ingram
Cyber, security and success is when nothing happens
Feb 26, 2020 Season 2 Episode 4
Philip Ingram MBE with Ellie Hurst

Philip Ingram MBE in this Episode 4 of Season 2 of the With Ingram PODCAST series talks to the wonderful Ellie Hurst from Advent IM. We berate the infosec community, look at skill set shortages, discuss C suite engagement with security and highlight the importance of communications. Whilst no bacon was harmed in the making of the PODCAST, Roy Cooper from Professional Security Magazine, did provide a bacon roll as I had missed them when I first got to his event. Well done Roy and the team.

Show Notes Transcript

Philip Ingram MBE in this Episode 4 of Season 2 of the With Ingram PODCAST series talks to the wonderful Ellie Hurst from Advent IM. We berate the infosec community, look at skill set shortages, discuss C suite engagement with security and highlight the importance of communications. Whilst no bacon was harmed in the making of the PODCAST, Roy Cooper from Professional Security Magazine, did provide a bacon roll as I had missed them when I first got to his event. Well done Roy and the team.

spk_0:   0:00
Welcome to the within glimpses of podcast. I'm Philip Ingram this season to absolute four. On today. I'm talking to Ellie Hearst from Haven't. I am a fascinating discussion. Warning. You might actually learn something while I'm sitting in the Hilton Metropol at the NBC with a low virility Ellie Hearst from a company called Advent. I am let her introduce herself in a minute. But today we're going to talk about cyber security info, sec business, onder Anything we can get to. My only complaint is I've come out to Security 20 at the NBC today, and I did not get a bacon roll. So there's been no big and harmed in the production of this podcast. Any. This's a bacon free zone. Ellie welcomed the within grammes is a podcast. Can you, for the listeners either introduce yourself on DH. Say how you fit into all of this.

spk_1:   0:56
Okay. I'm head of communications and media for Advent. I am a member of Sisic and also the security of Thie Security Institute on DH. We have a stand here today. Security 20 talking about some of our physical offerings physical security offerings, but were holistic security consultancy. So we work across the board on. That's Basically me.

spk_0:   1:23
So working across the board, you touch cyber. You're touching for SEC. You touch physical security on everything else. Well, on your interacted with industry on a daily basis, how much does industry get security? How much does the people who are at sea sweet sitting on the boards where the decision makers really get security?

spk_1:   1:45
Well, it's an average of averages, but I would say some getting absolutely, brilliantly and somewhat someone nailing it. They're building blended, multi skilled security teams that can work across the board. A variety of disciplines, you know, cross emphasis on physical security. But there are plenty that kind of want to do everything from arm's length. You know, they don't really want to engage with their security professionals. I think if they can buy a bit of kit that's going to do it for them, they'd much rather do that than actually go in their minds down to the basement and have the conversation with the geeks and Andi Warlocks that left on there. Some cases can't blame them, but in others I think you know they're doing Their business is a huge disservice because actually, you know, a fish rots from the head down, as the Chinese very accurately say on booth behaviours. And a culture that is built at that level is what you'll see reflected throughout the rest of the organisation on DH casual disinterest in security when it starts at that level, that can have disastrous effects throughout the rest of the organisation. So I think I see sweet need to be far more engaged in the art in general. Well, except that there are those that do it brilliantly. Many sizes don't actually sit on the board, so they have, ah, see, sweet title. But they don't actually sit on the board on DH, you know, with fault for that, I think he's spread equally between both camps that security needs to up its game, certainly in the way it communicates with this. It's, uh, colleagues in the rest of the business on DH that will in turn, draw more interest and an interaction from the rest of the business and hopefully the engagement off the senior board where it needs to actually be.

spk_0:   3:35
Now we'll get on the communications a minute, but before we do that, one of the issues that I'm seeing with C suites. All the rest is the measurement of success for the security professionals. Is nothing happens. So how do you translate that into a business expenditure on business effort? Terms to get those sceptical CEOs or managing director's tow actually focus and concentrate and security realise that actually nothing happens is a good thing.

spk_1:   4:03
Well, it's This is a really tricky one field because unfortunately, being really, really lucky looks very similar to being really, really good. And so this is this is going to continue to be a problem to try and demonstrate return on investment insecurity. That's always going to be hard because, as you say, it's a bit like many other Ahn Sung heroes in business. If you're doing it really well, either everyone thinks it's really easy, like marketing. Oh, they just they just assume that everything's fine and they don't need to worry about it. Um, unfortunately, it takes usually a serious incident to occur before people start to take it really slow or something happens in the supply chain. If you look at what's happened over the last of 18 months to two years, the majority of serious breach has actually come through third party, the third party breach on DH. So it's forcing businesses to actually look at their supply chain ecosystem. Teo try and look a risk to try and risk what sitting in their ecosystem and the threat that it could potentially have on them. So those businesses that have embraced things like I so $27.1 for instance, this is old news to them because they have already been doing this for quite some time. But for a lot of businesses, it's such a convoluted and complex area, but it's something that kind of shy away from and again. It will mean more engagement with warlocks and demons that live in the dungeon. So, you know. But there has to be avoided at all costs.

spk_0:   5:33
But getting into the warlocks and demons and the dungeons on the security professionals. Hey, you lot out there. If you're a warlock and demon, that can be a good thing. If you're not a warlock and demon, that can also be a good thing, but start sudden like them. Do you think actually security professionals understand enough about business and how they fit in on can communicate in the way that they need to to properly engage with that that that higher level of management.

spk_1:   6:02
I think one of things that the work the work force survey 2018 came out with was it was a global survey and it looked at what employers on DH recruiters were looking for in terms of security and in Passaic skills and requirements. And they basically said, Look, technical skills, this is this is a given Of course we expect technical skills, but what we need our technical sport skills in people who can communicate with our business, which would indicate to me that actually, this is quite a rare breed. And there's a reason why it's a road bridge. And if you take a casual glance at Intersect Twitter, you'll start to see why. Because in for sex is very good at communicating with itself and not quite so good at communicating in the broader sense. I'm generalising massively so everyone who's getting upset with me right now just calm down because I'm probably not talking about you. But if you take, for example, the whole scale Twitter pylon that happened last week about the West Midlands police cyber Rocco poster that went up in a school in Warsaw really, profoundly depressed me, watching my community, the community that I love gets so malicious and nasty and more seriously unhelpful. Two trying to do something really good. They had an opportunity to do something good, and they chose to look as if the defensive and insecure and had a chip on my shoulder and that depress me. Yes, I know you can say we could do it better, but part of being better then in that case and find a better way to communicate it because it just made us look petty and small minded and unhelpful. And I don't want to see that we've got a skills gap, right? We know that we have a skills gap on DH. There are lots and lots of reasons for that, but I'm not going to go into now, but this is where we are. We need to recruit more diverse people of all sorts into security community. But is this the way that we're going to attract them? Because business on DH people potentially looking at that career themselves, they're all going to be looking at this kind of behaviour, I'm wondering. OK, so we're being told that Intersect wants to, let's say, engage with school age Children now to try and build a career path to get them into security. You're a parent looking at that kind of pylon and thinking, Is that really what I want my kids to get involved with? Your A marketer whose may be interested in growing area of Marseille, which is work effectively I work. Is that so? I'm looking at that. And, you know, two days before the cyber Rocky pylon, there was one of marketing marketing one. I was so disappointed to see people that I knew quite well, actually sticking the boot in really horribly. In my profession, which is an established profession on has an established career professional career path. Do you know I'm sorry. I'm sorry if you don't like us, but you know you're not going to attract people in who can effectively helpyou with communication who want to support you in communicating with your businesses because he'd have those skills. If you have the technical skills and not the communication skills, then you need to be going to your communications team to say you help me that I need to do this presentation to the board or in building this training pack or whatever it is you need your communications people to help you do that and you're not going to engage. They're not gonna want to engage with you Think? Well, actually, I don't see why I should, because clearly you've got no respect for me whatsoever.

spk_0:   9:25
Yes, I remember watching the Twitter Terry it against West Midlands Regional Organised Crime Unit. I was wondering what's going on. The poster to me came across a brilliant Then the tirade made me think through why people were getting upset on. I realised that the majority of those that were, um complaining about it or trying to undermine it. We're thinking of it from their perspective, not from the target audience of the posters perspective. So if I can't remember the tools that they were put up on that. But if you've got a 12 year old child who doesn't come from the technical family, who's got the Tor browser on the constant on the tour, brides are looking at different things on the computer. It is a good thing to open a conversation with and go, Oh, explain what this is about, What's going on, which is the message that I got looking at it. Which Rocky we're trying to put out. Not they knock, that you should be patting the individual in the bank because they've got the brilliant Intersect professionals understand what's going on. Geeks. It's great for geeks. Toe have all of this on their computers, and everything else is perfectly normal. But for the average child, that's right there who the most complex thing is the latest PS two or Pierce three. I don't know where they are. I'm showing my age and I game that that's sitting there toe have some of these other tools that let you get into different areas of the Internet. I have got a lot of unsavoury stuff in. There is something to not criticised but open conversation

spk_1:   10:57
about just anything that opens a dialogue. Phil, Anything that was a dialogue is really, really important on Do you know what? There's something else that we forgot. Maybe our kids could be teaching us something. There's also that you know, we can assume that we know everything and that were very, very clever. But actually kids have got a lot to teach us, and I think in this case, most definitely so

spk_0:   11:19
well. And in that it's it's interesting. I talked about digital exposure a lot on DH people off our sort of generation. We understand perfectly about physical exposure. We close the curtains in the house that night. We close the front door. We lock up at certain times, you lock your car, you screen things off whenever. Whenever you're doing stuff, you don't do stuff in the local supermarket that you might do at home. However, when it comes to the digital world, people forget about that. They don't seem to do it.

spk_1:   11:47
Yeah, its's a bit of a blind spot and that takes us back to business. Actually, because it's it's kind of like if something gets so big and unwieldy and horrible that you kind of you, you don't want to talk about it. You don't want to engage with it. You don't want to. Hence, we got this arm's length approach to security from business leaders just wanting Tio. Let security teams go and do whatever it is that they want to do, and it's kind of it's almost like a Petrie dish on. I really, really feel a CZ a communicator, and there's a communicator in security. I feel very passionately that we really need to kind of smash that little bit. I need to break it apart. We need to start a much more inclusive dialogue, and we need people in our community that actually want to do that. Don't behave in that way that don't want to engage in that kind of activity. When I did, I did a workshop. But York, in the sub Security Practitioners event a couple of years ago published a white paper on my findings, which was literally just what the people in the room actually said to me on DH. One of the things that they talked about was that they were concerned about the perception ofthe implicit in general in business how people perceived their profession. And, you know, recent events make me think that we haven't really moved on very much since. From that point on, that may be what we aren't helping ourselves. Because if it was something that we're worried about, then you know, we really need to worry about about that Holst wholesale. You know that the whole of our sector needs to think about that, especially as one of the other things that came out in my findings was that they felt it was really, really urgent that we start engaging with school aged Children, and I wholeheartedly agree. But, you know, with them we have to make ourselves an environment that is attractive to the parents and the Children who are going to want to be a part of that community because, as we've established, it's not just about technical skills. It's about a whole range of other things. The softer skills that perhaps have not previously been prised that highly are becoming more and more important. Business is recognising it, because if you look at the research the Osterman did about three years ago, they looked at how three C suite perceived security and her security perceived see sweet, and it was very much a case of Never Between shall Meet. It was very much a case of, you know, the border was saying, You know, we don't understand the reports that we get. We don't understand the presentations that they're giving us. It's much too technical on DH, you know, so way don't engage with that. But then the next question is, so do you understand you? Are you able to take action upon thee? Oh, yeah, yeah, yeah, it's fine because there's a unwillingness to admit that they don't understand to their security people what it is that they've been given. They contact action upon it, then that also means that funding is always gonna be a problem because they're not able to, because security aren't able to adequately cute, cute to communicate. And as I've already established, demonstrate return on investment in security is very, very hard. So you know, there are all sorts of fences to be built that knocked down and bridges to be built there. But also the perception back in the same piece of research, from the from the security professional, back to the board, where they're saying, you know, we know that they don't understand, but they won't tell us what it is that they want. So we don't know how to change what it is that we're doing to show them what it is they need, and it's just feels like there's this chasm in between, and it's just so

spk_0:   15:25
just so frustrating. But It's interesting. So we've got a percentage off decision makers and business we don't quite understand. Count particular the requirements. We've got percentage ofthe professionals that are either who are fixated on the geeky stuff. I don't understand how to articulate what they could do, what they should be doing, the risks and others in the business on DH. The bit that's getting wrong between them is this communications piece and then the communications going outside. How do we fix it?

spk_1:   15:58
We're not going to solve that in four minutes, Phil, But I think both sides actually engaging with their communications professionals is a good place to start because what they did bring out to me, it was a message of hope in some regards because it did indicate that they did actually want to. Both groups of people did actually want to. It's just a case that they weren't quite sure how to do it without losing face. His face is obviously very important to both groups of people. Um, kudos very, very important to both groups of people. So, you know, somewhere this solution somewhere is in the communication field. It's somewhere in there.

spk_0:   16:36
Well, as we're both communications professionals. I think you're finishing on the You need to talk to your communications professionals and seek a little bit of advice. Is it is. It is a good place to sort of end this podcast. It's been a real pleasure talking to you as ever. It's been wonderful. Thank you very much. The opportunity. As a final note, the organizer's off security 2020 did deliver me a bacon sandwich. So well done. Roy Cooper on the team.