What would you describe as your most memorable achievement in the cybersecurity industry?
Whilst working for the Cyber Crime Unit in my local police force, I was asked to give a talk on stage at a Digital Innovation show but they didn’t want me to heed cyber security advice, these guys wanted something else. They asked if I could do something special, one even wondered if I could ethically hack into someone’s email live on stage. I accepted the challenge and got to work. I always thought I would enjoy social engineering and white hat hacking but this challenge was even more fun than I expected and being from the police just made it even more exciting – for me and the audience. The moment I got into my target’s account in front of 500 people, I knew this was the only way truly effective cyber advice could be taught. The point was that the danger is very real and might be done many times more easily than many think. It is important to note that no privacy was harmed with this experiment and no emails were actually read. And most importantly, the person whose email I accessed had agreed to do this experiment.
What first made you think of a career in cybersecurity?
I’ve always been into technology and as a child I always enjoyed finding out the backdoors or hacks into any system. My current job hadn’t been created when I was growing up so I decided to join the police force and investigate computer crime in the Digital Forensics Unit. This taught me a huge grounding in computing and emphasised my passion to help victims. The Cyber Crime Unit was soon created and I was naturally attracted to it. 14 years later I decided to make the big jump into the private world and thrived on this leap.
What style of management philosophy do you employ with your current position?
I think cyber awareness should never be seen as scare mongering. Naturally, when cyber anecdotes are used they describe the negative impact an attack can have. However, when delivering protection advice, it can be done in a positive way and make people feel productive and empowered to make the simple changes to culture which may in turn thwart a breach. Small steps and procedure changes are what really add up to the best defence and when completed in an engaging or even fun way, make for the best safeguarding.
What do you think is the current hot cybersecurity talking point?
I find most people don’t want to talk about computing – it is one of those feared answers at a party when asking “So what do you do then?”. You can visibly see the colour drain from their face as it dawns on them they are now stuck with an IT nerd on their one night out that month! So hacking tends to be the more interesting subject. Everyone wants to know how hackers operate, how to protect yourself online and then if they get into questioning how they are traced and investigated by law enforcement, you can soon find yourself telling police war stories to the whole party.
How do you deal with stress and unwind outside the office?
Being based in ESET UK’s awesome head office in Bournemouth, I inevitably make the most of the beach. I paddleboard and kayak in the summer months and surf through the winter at the pier which are possibly the best ways to unwind. The sea has an incredible way of making you feel 100% and those days I get to have a swim in the sea before work are possibly the most productive days of the year.
If you could go back and change one career decision what would it be?
This may sound exaggerated but I have enjoyed every part of my career and wouldn’t change a thing. I spent the perfect amount of time being trained by the police in digital forensics and investigating cyber crime and I now have my dream job working for a huge internet security company which allows me to talk cyber security all day with the scope to develop new and innovative ways of making that message stick.
What do you currently identify as the major areas of investment in the cybersecurity industry?
Hacking the human is always by far the easiest way in for an attacker and therefore that is the place to start with regards to investment. Ideally, all threat gaps need to be plugged but the landscape is constantly evolving and sadly we have been on the back foot for quite some time. Companies of all sizes are finally starting to realise the potential in training. I see nano learning as the best tool to reach the staff with short interesting bite sized chunks to digest coupled with engaging media and real life examples. This is completed in bursts of 15 minutes rather than the laborious 1-2 hour e-learning directive used by so many which just turns people into clicking the answers without taking in the information.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
I keep reading that there is a lack of people coming into the industry which is a real shame and could have a massive impact on the threat picture in the future. In the last 12 months I have seen more top level staff and board members take note of what is being said around cyber security and slowly shift older cultures which may have previously disregarded the threat as a real issue. This bodes well in terms of preventing and mitigating future threats whereas before it was rarely seen as anything other than the IT manager’s problem. Cyber attacks are an inevitability but reducing their size and scale is the best action. With CEOs and board members now starting to listen, it will mean more people are properly trained and aware of the risks to their organisations.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
The right qualifications are a must these days but coupled with the right industry and even public sector / private sector experience creates the best platform to excel into the C-level positions. I was lucky enough to experience first-hand law enforcement investigations whilst receiving a plethora of training courses on the side. Then moving to the private industry just added more weight to my tool kit which enriched my CV.