Lee Barney is the ex-CISO of Marks and Spencer and is widely credited with enhancing their cyber security to bring it in line with modern security standards. The Cyber Leader’s Network spoke to him about how GDPR has affected cyber security and also how more people can be encouraged to enter cyber security and information security careers.
1) WHAT ARE SOME OF THE MOST COMMON MISTAKES YOU SEE ORGANISATIONS MAKING IN RELATION TO CYBER SECURITY?
There’s one big mistake that organisations – more specifically cyber security departments – make; and that’s one of engagement, and the language they use to talk to people. It’s really important that cyber security professionals are business people first, and cyber security professionals second; it can be quite the opposite from what they expect as they move through their career. Most people think they need to advance their knowledge about technology, and they need to advance their knowledge about cyber security processes; but actually, it’s about understanding the distinct parts of your business. In the retail sector that I work in, there are very different parts of the business. For example, just to pull out two: we have retail distribution and we have marketing. They don’t necessarily talk to each other, but, of course, I would need to talk to both of them. So I would need to speak their language rather than expecting them to have the Rosetta stone that speaks to me. So, the biggest mistake I see organisations make is one about engagement and language.
2) HOW DO YOU THINK ORGANISATIONS COULD ENCOURAGE MORE PEOPLE INTO A CAREER IN CYBER SECURITY?
Organisations that are already really good at doing this need to look at the objectives for their business. For many businesses, cyber security is not necessarily their highest priority; but in those where it is (certainly in retail at the moment) they need to use the tried-and-tested means that they already have at their disposal. It’s quite easy for organisations to attract talent, but they need to focus on attracting that talent, and you can’t expect that to happen from a single hot topic like cyber security. So I think the best way of doing that is to expand your search, and not just look through the traditional approach of expecting people to come from IT. Instead, you should take people from finance or from marketing, for example, and look for and try to develop their transferable skills. The best successes I’ve had in cyber security are people who’ve actually come from outside the industry, who I’ve then taught cyber security as an afterthought.
3) DO YOU BELIEVE THAT THE UK ECONOMY IS ARMED WITH ADEQUATE TALENT TO COMBAT IMPENDING RISKS?
Yes. We already have the nascent skills within the country to do this, but they are not necessarily working in cyber security at the moment. So, if the government’s going to do anything, then they need to start encouraging people out of the silos of information that they have and start getting them to look at other skills in cyber security. The biggest problem we have is this: the perception that cyber security can be solved by cyber security people. It’s not. If you have a mature organisation or a government with a mature response, that’s because they understand that security is a continuous part of the journey. So naturally, it should start to come out through the vocabulary of organisations as they are talking to people. You know, we are not just going to do development – we are going to do secure development, and there is never a concept of doing something other than that. So, to answer your question directly: does the UK economy have the right amount of people to answer the risks? If you consider the example I have already given you with development, yes; but you have to train the developers to be secure. It doesn’t mean you need security people alongside developers; that’s just a waste.
4) WHAT ARE THE CYBER SECURITY IMPLICATIONS OF GDPR FOR ORGANISATIONS?
Specifically, they are very little. The cyber security implications of GDPR don’t necessarily translate directly to security outcomes in terms of things you want to put in place, or people or resources that you need. The exception is where you need data protection officers, who are traditionally not necessarily associated with cyber security. That said, there are large programmes of work that most organisations probably need to undertake, if they haven’t already, and that is around protecting person identifiable data. Logically, you can only protect someone’s identifiable data if you understand where it is, the systems that it’s in and the risks it faces. So realistically, the only real thing you need to do is a risk assessment – and then follow through with the outcomes of that risk assessment, whether they are updates to your policy, updates to your training, updates to your culture, or updates to technology. Those are the things that are realistically called out in the GDPR regulations.
5) DISCUSSING THE GENDER BALANCE IN CYBER SECURITY, HOW IMPORTANT DO YOU THINK IT IS TO ENCOURAGE MORE WOMEN INTO THE PROFESSION?
So, the gender imbalance is a hot topic at the moment. It has been for a number of years and it needs to carry on being a hot topic, because there are too few women in Cyber Security. In fact, there are too few women in technology roles specifically. The government has a part to play in that, because they need to encourage girls from a younger age to start picking up technology and playing with technology, rather than just seeing it as a man’s environment. There is also a part to play through the blokes in the industry as well, to stop making the environment hostile to women coming into IT and into cyber. It’s not necessarily anything conscious that they are doing, but you have to consider: is this the kind of environment I would want my daughter to work in? Is this the kind of environment I would want my wife or auntie or mother to work in? If the answer is no, then you really need to readdress the way that you work.
But then to answer your question, does there need to be more done to address it? Absolutely. There are way too few women in Cyber Security. You only have to look at the stats for the country: roughly 50/50 male to female, yet there is nowhere near that balance in cyber. If we were being honest with ourselves and we looked at our hiring patterns and our hiring practices, you have to ask: why is it that women aren’t fairly represented? One of the things that I have done, and which I recommend people to do, is to encourage those recruitment agencies that you work with to pass you female CVs as well as male CVs. You don’t have to hide the names, you just need to know that you have 10 CVs from females and 10 CVs from males. What that does is it challenges the preconceptions of recruitment agencies that they are only going to be successful with male candidates. That then allows you to pick from a pool of both female and male, and you can look at them and choose the person that is best suited for the role – regardless of gender. Where I have done that, it has been very successful, and I end up hiring quite a lot of women because actually, of the CVs that I am seeing, they’re the ones that are strongest.
6) IN YOUR EXPERIENCE, DO YOU THINK WOMEN CAN BRING SOMETHING DIFFERENT TO CYBER SECURITY ROLES TO MEN?
I think men and women bring exactly the same to the role and it should be completely gender neutral. It’s about finding the right person for the role. But let’s just be very clear: men and women are equal in all aspects. The only difference I can see is that women have the slight edge over men because they can have babies, whereas men can’t.
7) WHAT DO YOU ANTICIPATE BEING THE GREATEST THREAT TO CYBER SECURITY OVER THE NEXT FEW YEARS?
I anticipate the largest threat to cyber security over the next few years to be confirmation bias. It’s something I have spoken about quite a lot in the past as well. The perception is that because you hear something in the press about cyber security, that Cyber Security is actually getting worse; when in reality, it’s not really changing. What we are seeing is that people are getting better at identifying and reporting cyber security crimes when they are happening. It doesn’t mean things have changed; the pressure from the attackers hasn’t changed – but what that creates is this atmosphere of uncertainty and doubt, and then people start to have immediate reactions to that uncertainty and that doubt. So my biggest concern is that actually, we will end up with a very tight set of regulations around cyber security; a very tight set of responses from an organisational level, that doesn’t necessarily replicate or need to respond to the risk that is actually relevant to them.
8) WHAT EXAMPLE OF CONFIRMATION BIAS HAVE WE SEEN IN RECENT MEDIA?
Well, less so an example of confirmation bias and more one of how this issue will start to get away from itself. Take the recent issue with Facebook and the presidential elections. Almost certainly, organisations helped the presidential candidates (on both sides of the campaign) win favour by influencing adverts on Facebook and social media. But the problem is that, because the press are saying that to be a bad thing, people suddenly perceive it to be a problem. But you sign up to Facebook – which is a free service. If you’re not paying for a service then you are the product and, therefore, that’s how you are paying for it. So your interactions and comments on Facebook and other social media sites should never be considered to be secure or not sensitive. Any thought otherwise is actually an indication that you don’t really understand what you’re doing. So from my perspective, the biggest problem in that space is more that our general economy and the citizens of the United Kingdom don’t understand the interactions – in particular what they are imparting when they join those services. I wasn’t really outraged by the use of that information; I’m more outraged that people don’t understand that they are giving away their data for free and that it is valuable, not just to them, but also to the companies that they are giving it to.
9) IN YOUR OPINION, WHAT PROPORTION OF ORGANISATIONS IN THE UK ARE WELL POSITIONED TO HANDLE THE THREAT OF CONFIRMATION BIAS?
Very few organisations are well placed to handle confirmation bias, and the problems that arise around the confirmation bias – fear, uncertainty and doubt. That comes down to the leadership in Cyber Security. There’s a lot of opportunity to grow there in terms of the C-suite and ‘head of’ roles, but we really need to be honest with ourselves and ask ourselves a question: ‘Are we really capable of having a conversation at a business level? Or are we just really good at Cyber Security?’ If the answer is, well, no; then really we need to take ourselves out of that process and start getting better at business. That’s where I think organisations need to start employing, at the very top level of Cyber Security, people from outside of Cyber to ask those challenging questions and to look for the opportunities that people within Cyber Security don’t necessarily know are there in the first place.
10) WHAT INNOVATIONS ARE BEING PICKED UP IN THE INDUSTRY, AND HOW CAN WE MOTIVATE PEOPLE TO JOIN THE CYBER SECURITY PROFESSION?
There are some great innovations happening at the moment. We’ve got things like red teaming that are really picking up pace, and many organisations are looking to encourage red teams (and the natural opposite, or the dichotomy that you create when you have a red team, is that you need a blue team, so you need the attackers and the defenders). That moves away from the traditional penetration test approach, yet the innovation that links very closely to that is this instilling of agile development away from a traditional, and quite old-fashioned, waterfall approach. The two go very much hand-in-hand, and that then helps invigorate and excite people coming into the industry because, you know, they are looking at Cyber Security as doing something quite new and innovative. What we’re doing in the organisation I work in is we are gamifying the relationship between the red and blue team. So when our organisation is attacked, the red team gets points when they attack successfully, and when the blue team defend against those attackers (whether they are real or the red team) they also get points. We tally those points up every 5 weeks and the person that gets the highest amount of points wins £200. That has really motivated and incentivised those colleagues that work in that environment and, of course, that has incentivised other people to actually come in and work with us from outside.
11) WHAT PART DO YOU THINK BUG BOUNTIES HAVE TO PLAY IN PROTECTING ORGANISATIONS?
Well, traditionally you have three lines of defence: you have your first line of responders, the ‘doers’, and then you have the people that check the ‘doers’ are doing what they are supposed to be doing. And then finally, in the third line of defence, you have the auditors; whether that’s internal audit or external audit. The bug bounty programme should sit on your third line of defence. If you’ve got your software engineers making changes to your code base, they are your first line, they are the ‘doers’; they need to have an understanding of security and how to do it, and work within your organisation. The second line, usually that’s where your Cyber Security team sits; they sit over the top of the software engineers, making sure they are doing what they are supposed to be doing through checks and balances. But then, if you can’t assure yourself that the process is working well, traditionally we’ll rely on an internal audit function or an external audit function to come in and check to make sure that all of that is happening. But if you’re working at pace and working in an agile manner, you’re going for a very high cadence of delivery and expectation; so in many cases you’re going to be releasing lots of code and changes to your website without necessarily having the traditional waterfall STLC approach. In that case, that’s where bug bounties play a perfect role, because they sit over the whole scope of your organisation. If you set the scope correctly, they will try and hack in everywhere. Then they will tell you how they do it and, of course, it will cost you money; but my experience has shown me that that cost is actually much less than continual penetration testing and the gated waterfall approach that STLC mandates.