Luke Beeson, AVIVA group CISO and new Chartered Institute of Information Security chair, opens up to SC Media about the cyber skills gap and crushing AI threats
Luke, congratulations on being appointed the new CIISec chair. What will be your focus?
We’re facing a watershed moment in addressing the cyber skills gap. The problem has been around for many years but now, more than ever, it’s important to focus on introducing the cyber industry to school-age children.
We need to get children excited about the cyber industry and show them how the sector is different from normal IT roles. For example, we need to highlight the need for human controls and psychology skills.
As tech controls improve, the attackers will still continue to take advantage of human vulnerabilities – which is why we need thought diversity in our sector. It remains important that CIISec represents and reaches out to a diverse audience.
The increasingly disparate nature of third-party supply chains is another challenge. The fact that large enterprises will have thousands of suppliers in their chain and each of them will have their own vulnerabilities and issues is a huge concern. What’s more, with the rise of cloud and hybrid working environments, maintaining threat visibility is a really high priority.
You come from an insurance background, so we have to ask: Is cyber insurance now critical?
Cyber insurance forms an important part of any security strategy but I don’t think companies should be entirely reliant on it. Organisations should be working proactively to protect their organisations as much as possible. As with all insurance policies, prevention is so important. There are certain things an organisation can do, such as following guidance from the NCSC.
And is it time for more general regulation within cybersecurity?
The more standardisation we can drive into cybersecurity, the better. Currently there are too many different standards in the market, which creates confusion. We need to globalise certain cyber standards – and I think regulators could help us with that. I expect regulators to become more involved in cybersecurity as time progresses. We will soon see cyber regulation move beyond financial services and into wider sectors.
How’s 2023 looking for ransomware?
Ransomware is a continued threat. We will start to see more ‘smart’ attacks – where attackers take information out of the organisation before they deploy the ransomware.
Ransomware remains an effective way for sanctioned countries to get currency through Bitcoin and that in itself is problematic. Ransomware will continue to be a top risk this year.
And finally... ChatGPT: friend or foe?
ChatGPT is massively exciting. There are really interesting cyber applications that it can be used for. We’re already seeing the democratisation of code writing. For example, you can ask it to scan a range of IP ideas, or write basic code script.
And, as with social media or search engines, ChatGPT can be used for both good and bad. It can help pen-testing teams but, equally, it can aid attackers.
ChatGPT can also assist with the writing of effective phishing emails. CIISec is looking at ways to make people aware of its possibilities and pitfalls. It’s a super powerful, game-changing technology.