Bruce Hallas is the founder of SABC Framework and an advocate for increased information security training, understanding and adoption of Government risk and compliance. Having authored Re-Thinking the Human Factor and Cyber Security ABCs, Bruce is now one of the most active speakers in cyber-security.
WHAT DO YOU ANTICIPATE REPRESENTING THE LARGEST CYBER SECURITY THREAT TO BUSINESSES IN THE NEXT THREE YEARS?
I probably go back to threat being one about humans themselves and either the ignorance of the risk and the threats that they face and how best to deal with them, but it could also just as easily be a lack of vision by those people whose responsibility it is to effectively get that over to them about how to actually communicate that effectively in a meaningful way which actually changes behaviour and I think recently it was a Ponemon Institute and this was one of the things that actually ceases where identifying is about that actually they are genuinely concerned that number one threat is the human factor and the lack of skills within their organisations to be able to deal with that competently.
DO YOU BELIEVE THAT COMPANIES ARE ARMED WITH ADEQUATE TALENT TO COMBAT RISKS?
I think on the whole I would say that organisations actually have the resource and the talent it’s about actually trying to funnel that in a way against specific objectives so you know, organising information security professionals conducting risk assessments, actually need to engage with the organisation to help them conduct a risk assessment effectively to get in effect the customer’s view upon the actual challenge so in my mind, those people are talent and it’s about how you marshal that talent to get to your own goal. So I do think every organisation has people it’s about whether or not you can marshal them in a way and get enough of their attention and create a structured process that we facilitate as security professionals to come up with the answers we need to achieve the objectives that we set for us. So yeah, I think the talent’s there.
HOW DO YOU THINK COMPANIES CAN ENCOURAGE PEOPLE TO ENTER INTO A CYBER SECURITY CAREER?
I think a career in cybersecurity, you know to encourage it within your own organisation the instant thing is about you know you’ve got your security team so it’s about trying to maintain them on board and that’s really important trying to maintain your team because generally the resource pool in terms of security professionals is relatively small at the moment. So one, it’s about motivating people and I don’t think that’s just about financial rewards, it’s about you know mastery, it’s about seeing career progression. The second group I would look at are those people who are within the organisations but maybe don’t work within information security at all. I think you know these people know the business, they know the organisation, they have relationships across the organisation so I think in my mind there’s an opportunity to take those people and see who’s interested in a different career and to leverage all their experience working outside of the security function, but that means they’re going to need training and you know we have training to address those issues. Then the third one is you’re trying to bring people in from the outside and my personal view is, you know there’s almost like there’s a resource-pool that we’ve been tapping into which tends to be more technical but I really do believe, absolutely, that we need to be thinking outside of the technical resource pool we need to be reaching out to people or you know maybe from a marketing background, or a HR background, or from a behavioural science background because these are the type of skills, attitudes, mindsets which are going to help us address the human factor.
WHAT ARE SOME OF THE MOST COMMON CHALLENGES YOU ENCOUNTER WHEN MANAGING AND NURTURING TALENT?
When I’ve successively built teams, it’s all been about recruiting people to a vision, and being absolutely 110 percent behind that vision myself and being prepared to sacrifice a lot to achieve it. And my role I’m often seen more as a leader than necessarily a manager and there’s a very distinct difference between a leader and a manager what sometimes makes you a better leader, doesn’t necessarily make you a better manager and therein lies a really important lesson, understanding your limitations. I think strong people are people that are actually going, “this is what I’m good at, this is not what I’m good at” and then finding people who are good at the bit you’re not good at and then getting them behind the vision but obviously having the vision having a shared vision isn’t enough in itself you’ve got to be able to bring people on that may have the existing skills and aptitude or alternatively you find people who have the raw talent to be nurtured and that nurturing process is just as much about giving them a vision as it is about giving somebody who’s already been working in security that vision and they need to know that they are going to go through a process of learning and a part of that process of learning might actually mean challenging the assumptions that they are already bringing with them and I think if you can challenge people’s assumptions and they still buy into the vision and they’re prepared for change they’re the type of people who are going to give you a long term commitment.
WHAT SKILLS DO YOU THINK ARE GOING TO BE IN DEMAND IN THE NEXT 5 YEARS AND WHICH SKILLS ARE THE HARDEST TO FIND?
Well my team and what I do is very much focused on the human factor. The research that we did we started off just doing a risk assessment around the human factor and very quickly what we realised is that actually the disciplines which are going to make the big difference are things like psychology, behavioural science, the cognitive science, sociology, neuroscience, physiology the whole render of ‘ologies’, and then you’ve got the marketing side of things which is something that you find more common. Now I look back and I was like, ‘Okay where do we find people?’ and for me it was really, really rare within the security industry. So the challenge for me developing a team that addressed that particular challenge of the human factors, it’s not going to be immediately that easy to just turn around to my existing networks for example. I think one of the important things is about developing networks outside of the security industry where you will be able to find people that have those necessary skill sets from their experiences and then the next challenge is you know how do you get people from marketing, which can be quite well paid at times into security education and awareness for example, and that’s more of a struggle. But actually a lot of people are really interested in you know the vision and the value and what they’re going to get from it the sense that they’re actually contributing to something there has been a shift I know with a certain sort of social demographics away from consumerism and looking for something that they think is going to add more value and who would argue the case that cyber security is you know helping reduce risk to economic and social prosperity and part of that is about helping the rest of people’s lives and that’s a pretty noble thing to do and I think that’s the sort of thing that we might be able to use to actually attract other people in from other industry sectors to the cyber security industry.
WHAT CAREER ADVICE WOULD YOU GIVE SOMEONE THAT IS JUST BEGINNING IN CYBER SECURITY?
I think what I’d probably tell them to do is to stick at it. When I first started on my journey within cyber, you know I trained in law, finance and marketing many, many years ago but when I first got this opportunity I didn’t quite realise, consciously, how exciting it was going to be and then by working with organisations and you know and having a network of people who are helping people you start to understand the good that comes from the work we do and it’s not always completely rewarding you don’t always feel like you’re being recognised okay but it really does make a difference to people’s lives, they may never recognise it because maybe the incidents have stopped okay, they may never be able to come to you and say thank you right, but knowing that you’re making a difference I think is incredibly rewarding and it’s something that you know you need to stick at it to realise that. So my advice is that you’ve managed to get your foot on the ladder, stick at it because it is an incredibly rewarding career.