The year that was: Insights from the top
In many ways, 2021 was an annus horribilis for the UK’s top cyber minds. In a year of sleepless nights, CISOs fought relentless and rising attacks amid a morphing threat landscape and a global pandemic.
What’s more, WFH behaviours stretched and weakened the global attack surface.
But it wasn’t all blood, sweat and tears… this year also threw up genuine moments of lucidity and lessons learned for the way ahead.
(Pictured, clockwise from top left: Martyn Booth; Joanna Burkey; Maninder Singh; Greg Day; Sarah Armstrong-Smith)
Joanna Burkey, CISO, HP Inc: “I ditched degree requirements”
I learned that we need to be more flexible when it comes to hiring cyber talent. We require a variety of experience levels and a more diverse talent pool that includes people moving from other industries, historically underserved populations, workers without traditional degrees and people with transferable skills interested in a change later on in their careers.
At HP, I have just removed the prerequisite for degrees to be included in all cyber job specs as a default.
On another note, the continued shift to hybrid work in 2021 has caused fundamental changes in how security is perceived and how security needs to be operationalised.
As HP Wolf Security’s Rebellions & Rejections report highlighted, some workers are even circumventing security altogether if it's seen to be getting in the way of working from home.
As a result, security teams have had to rethink their whole approach to organisational security.
This past year has taught me that we, as CISOs, need to be ready and willing to adapt, instead of fighting the inevitable, acknowledging upfront that the process won’t be painless. I learned that we need strong leadership and communication to succeed in challenging environments.
Martyn Booth, CISO, Euromoney Institutional Investor: “Supply chain management isn’t a one-man job”
The explosion of cloud services is making business more efficient by offering improved ways to perform complex tasks, but the result is an exponentially growing list of new suppliers with access to sensitive data.
Other businesses need to find more efficient ways of working: by utilising automated scanning services and by using assessment platforms where the results of the assessment of suppliers to other businesses are shared and can be assessed independently.
I also learned that managing the risks and proactively engaging with a team remotely can result in a happier workforce. But it is more difficult to know when something is going wrong, so a lot more care needs to be taken.
Sarah Armstrong-Smith, chief security advisor, Microsoft Europe: “I put people first”
Across every sector, the pandemic has reinforced the human, empathetic aspects of security, providing a poignant reminder as to who we are trying to protect and why.
Working with customers throughout this period, I learned that the most resilient organisations have created a people-first security culture.
Taking a ‘people-first’ approach means putting people at the forefront of all decisions and ensuring all employees have the skills, knowledge and confidence to work productively and securely.
We saw an appetite for this empathy-driven approach in our research with EY and UK Finance, which found that by using more inclusive language in their work, security professionals could drive a more welcoming environment.
In 2022, I’m hopeful organisations can expand on this people-first mindset, driving security, empathy, and inclusion in everything they do.
Maninder Singh, corporate VP and global head of cybersecurity/GRC services, HCL Technologies: “Complex systems create blind spots”
There is no denying that the flaws of enterprise networks were laid bare by the global pandemic. The rise of working from home and distributed workflows showed us how complex IT environments have become, with layers of shadow IT, bloated software, and rising data volumes.
Complex systems are prone to security blind spots, which is why supply chains became a key target for hackers this year. With new pandemic-induced vulnerabilities, they became the most expensive lesson any business will ever learn.
Now, organisations need to plan for future mitigation, with a top management focus that enacts continuous systems monitoring – not only for internal systems, but for third-party systems as well.
Greg Day, VP and CSO, Palo Alto Networks EMEA: “We have to think differently”
You can't just buy more and keep doing the same. They say in life that three things are guaranteed: birth, paying taxes and death. But in cyber security I think we can safely add another, which is the volume of threats: threat telemetry and business systems that are digitally based will only grow way beyond exponential levels.
As such, we have to think differently. Have you changed your employee education programme to reflect the new ways of working? Have you figured out what really needs your team's cyber security skills versus what is now being delivered as commoditised cyber-security services?
I also learned that life is short and I enjoyed getting to know my team in new and better ways.
Do you know what makes your team tick? It may sound strange, but being able to spend less time with my team has actually forced me to get closer to them and better understand what makes them who they are. The point is, in the last year it's been very easy to get consumed by your work, but it's actually been an amazing time to get to know your teams, peers and business partners better.
It shows that tough times can bring out the best in people as well as the opportunity to better know all those people.
Enjoyed this? Sign up for exclusive weekly SC Media insights via our homepage – you'll get the analysis first