Bridging the IT-Security Gap with Jane Frankland

Commvault
02/22/2026

Transcript


Hello and welcome to episode 14 of Strive, where we talk about security, technology, resilience and everything IT, all in a virtual environment. I'm Darren Thompson, your host, and today we're going to change things up just a little bit in terms of format. I'm very excited to say that today's episode is going to include a very special guest, and she and I are going to talk about the technical, social and organisational gaps that we have found tend to exist between the traditional IT infrastructure organisation and the security group. We're going to talk as well about some of the risks associated with those gaps. But before we start, my usual disclaimer: please do not forget that the information provided here is for general informational purposes only. It does not constitute legal advice and it may be subject to change. Now, without further ado, let's go to the interview.

Jane, welcome to Strive. Great pleasure to have you here with us. Why don't we start with an introduction to you, your background, your experiences over the years and what you're doing right now?

Yeah, thanks so much, Darren. Well, my name is Jane Frankland and I've been in cyber security for 28 years. I work as a brand ambassador, an influencer, whatever you want to call it, an advisor. I'm a published author and I do an awful lot of work when it comes to women. In fact, in some circles, that's how I'm most well known. But yeah, I've been in cyber for 28 years. I started my own penetration testing company back in the late 1990s. So I'm very pioneering by nature, a challenger by nature. And I started that company at a time really when there wasn't much security around. I mean, we called it information security. We called it network security, IT security. And I built a penetration testing company, owned that company for 16 years. It was the first female-owned penetration testing company in the UK. And I then went on to do some executive roles, the last one being as a managing director at Accenture.

I think one of the things that I like about working with you, Jane, is that you'll talk conceptually with me and we'll talk about, as we're going to do today, strategy. Yeah. But you come from a deep security background. You ran a penetration testing company, which means there's kind of depth and grounding in the basic concepts.

Yeah, absolutely. But having said that, my background is art and design. So I haven't come from a technology discipline. It was art and design. And I think that is really useful for us because it brings the diversity of thinking. It brings a different perspective. And I think when we're talking about security, we need different perspectives. It can't all be the same type of thinking and us having the same types of people from the same types of background in our field. Otherwise we just end up blindsided. So yeah, I have been in the industry for a long time. Inclusion and relevancy is so massively important for me. And it's why I enjoy the work that I do as a brand ambassador, because it's really helping to expand the message, really the importance of what we're doing in security. Now I work with the likes of you as a brand ambassador in that capacity and also with other companies as well. So it's really helping to get that visibility, that engagement, that trust. And importantly, the message and relevance of what we're doing.

Makes sense. And recently, Jane, for the work that you've been doing over the last few years, you were awarded something called the MBE here in the UK. For our international audience, why don't you just describe what that means? Because that's pretty special. Yes. And as I understand it, it involves a visit to Windsor Castle. It does. Tell us a little bit about that.

So I was included in the King's New Year's Honours list and it is an incredible recognition. An MBE, which is the first level of recognition, means a Member of the British Empire. So I got that for all of the work that I do and have done for women in cyber. So not only am I a visible female role model in cyber, having been in it for over 28 years, but I've actually contributed extensively, in terms of scholarships. So I've put 442 women through my IN Security scholarships. That's absolutely changed people's lives. And it's a value of about $800,000. I've also done research. I've called for campaigns or creative campaigns. And I've also acted as a voice for the voiceless. So in my position, I'm able to do certain things that other people aren't able to do. And some of those things are for women. Some of those things are for all of us in cyber to make the world safer.

Amazing. Amazing. Well, congratulations on the award. Thank you. And so I think you can recognize one of the reasons we brought Jane here is there's deep knowledge and experience here. So to leverage that, the subject that I wanted to talk about today is something that you and I have spoken a bit about, which is the gap that we see existing in many organizations between the IT infrastructure team, I refer to that group largely as the deliverers of IT service, and the security organization, so typically the CISO's team, the protectors of those IT services. And in my work consulting with our customers at Commvault, I see the gap between those organizations existing over and over again. And importantly, that matters because risks have started to appear in my experience where that gap exists. So first of all, tell us a little bit about your experience in that area. What are you seeing? And then what I'd like to get into is, well, what kind of gaps are appearing? What risks are emerging as a result of those gaps? And then perhaps we should get into a little bit of, you know, what are the first steps to resolving some of those situations? So tell us about your experience.

Well, that gap exists and it has done for many, many years, but I think it's actually getting worse. So both the CIO and the CISO, they have the same objective, which is to support the business, to enable it to prosper and do well. But the CIO is there really to drive innovation. They're about digital transformation. They're about supporting the IT systems. Whereas the CISO is there to reduce risk and ensure compliance with regulatory frameworks. And because of those things, what we see is we see a discord. We see often that the CISO is seen as the disabler to business. They don't like change because change introduces risk. Now I could argue that no one likes change. As human beings, we work really hard to avoid change, but the CIO is driven. They're incentivized in terms of cost efficiency, in terms of production, operational uptime and things like that. Whereas the CISO is incentivized on risk reduction and being resilient. So you have two opposing forces that aren't necessarily aligned. So one that's disabling, one that's enabling. And what we can do to bridge that gap, certainly from a CISO and security perspective, is we can have things like zero trust architectures. We can be shifting left. We can be working with DevSecOps and things like that, that will help to bridge the gap. From a cultural perspective, well, actually from an organization perspective, we're not helped at all. Neither the CIO nor the CISO are helped in that respect, because actually what we see often is that the CISO is reporting to the CIO. So often there can be a different agenda. And what I've seen with some CISOs, I've seen them alert the CIO to certain risks and that CIO will be taking it to the board. But because that doesn't align with his or her objectives, their agenda, they're removing those risks. They're removing those vulnerabilities. So the board is unaware. I've also seen CIOs actually, at the first opportunity, remove the CISO because they are too good at their job. This is it. They're slowing things down. They're becoming a hindrance to the CIO's mission.

It creates a real challenge, doesn't it, for the CISO? Because on the one hand, there's definitely evidence, you've seen it, of CISOs being taken out of the equation because they're slowing things down, and I've seen plenty of CISOs taken out of the equation because they got breached. It's almost a no-win situation, isn't it?

I personally think that the CISOs are really vulnerable at the moment. I think the CISO really has to show their value to the organization, because right now, if they can't do that, then the CIO, if they're reporting to the CIO, can come in and say, look, leave it to me, we'll get rid of the CISO, we'll have the security department, it will fall underneath me. You're not showing the value that you're adding to the business. You're just causing me a headache. So therefore let's cut some costs and get rid of you. So I see that, and it's so important from a cultural perspective that we have security embedded into the business. And the only person who is really able to lead that change is the CISO, because they understand that and they can complement and really add value to the CIO.

Another thing I've seen, Jane, I don't know if you've seen similar: I've seen people take the CISO position and they've come from the business. Yes. And so the advantage to the business there is here's somebody that's not going to slow things down because they understand the business, but on the other hand, they don't have a deep grounding in security. And so there's a risk right there. That's a dangerous situation, right?

It can be. It really depends on that person in that seat, I think. If they're listening to the business, if they're going out there and really understanding the business units and how they're working, how they want to work, they're understanding the risks out there and really speaking to their team, and they've recruited the right people in those positions, then I don't necessarily think that it is, providing that they step up. So they are educating themselves. So they're not standing still and just accepting, well, this is my position, I know enough about this business in order to do well here. They've got to educate themselves so that they're far, far more aware. So step up. So I don't think that it necessarily is. In some respects, actually, because they understand the business, you could argue that they're doing a better job. The danger comes, I think, when you have a CISO in a business who isn't going out there and making friends with the other stakeholders in the business and really understanding what it is they're doing. So for me, I'm always advocating that the CISO actually goes out there and understands the stakeholders and what it is that they're trying to do. So from a place of service: how can I serve you? As opposed to, here's my stick, and if you don't do this, then you're going to be in trouble. Or I'm going to mandate that you're not able to do this. And all that then happens is that the business units just find ways around it. Shadow IT pops up, shadow AI pops up, and it creates all sorts of problems, all sorts of risks, which doesn't help the business.

I think part of the answer here is to define at the board level what I've always referred to as preferred risk tolerance. Yes. So who are we as a business? How much risk do we want to take? And are we all prepared to sign off on that? So that if there is a business-orientated CISO in place, for example, there's already agreement between them and the other stakeholders in terms of the level of risk this organization is prepared to take. I used to be in the business of helping define that line, that risk tolerance line, and I did that with Formula One racing teams. And I also did it with local government organizations in Africa. Oh wow. They're all different lines. A Formula One racing team, by definition almost, has a very, very high tolerance for risk. Whereas a local government organization is about protecting citizens, very, very low tolerances for risk. And that risk-taking culture is very often not defined. So we have a CISO and a CIO trying to have a sensible conversation about where's the balance between innovation and risk. It's hard to have because you haven't agreed yet what this organization represents in terms of risk or how much risk they want to take.

That's very true. I mean, I'll often say the fish rots from the head down. So you have to have that right at the very top. And the other thing I think that needs to happen is that the CIO and the CISO, they have to be incentivized correctly. They have to have the right KPIs in place so that it encourages the collaboration and for them to work together. And I don't see that happening as much as it needs to.

So let's talk about... we've talked about the problem, the gap exists. I mean, a couple of use cases that I've seen recently here, just to put this into a kind of real-world context, a couple of things that hopefully all of our listeners will recognize, use cases where the gap that we're describing here has a negative impact. System patching, something we've always done, we will always need to do, is a job that's never finished. Typically and traditionally it's the infrastructure team under the CIO that's responsible for deploying those patches. But who's the organization that can tell you which ones should be prioritized based on vulnerability? Well, that's the security organization. So if they're not talking and gelling and collaborating on just something as simple as system patching, things tend to go wrong. The other one, very close to my heart because of what we're doing at the moment: who writes the plan for cyber recovery? On the one hand, that's got a lot to do with traditional backup and recovery and the things that the infrastructure team would do. On the other hand, who's the team that can do the forensics and tell you where the clean backup is? That's the security team again. So you don't get a good cyber recovery plan unless those teams are collaborating. So are there other use cases you can think of?

Yeah, yeah, absolutely. But to your last point, who also makes that time available? For the testing. So it's just like, okay, well, here's a scenario. We had Minutes to Meltdown, that brilliant workshop where you took a variety of different stakeholders through a scenario. In our case, it was an airplane, wasn't it? It was ransomware for an airline company. And so getting people into a room and really understanding what's going on and why, and how you can recover as fast as you can, is massively important. So it's making space. It's making time available to actually test the scenario. It's just like, well, how do we perform? You might have an incident response plan. You might not. If you do, are you testing it? Are you testing it regularly? So it's making sure that that is going on. And there's so many other things as well. But another scenario could be a merger and acquisition. So you have a case where the business has acquired a company, but they haven't done the due diligence. They haven't made time for that. They haven't included security in it. And what can happen is that they acquire a company that's suffered a data breach, but they're not aware. And often we talk about it being a case of not if it's going to happen, but when it's going to happen. But actually it might already have happened. You just don't know about it. So if security isn't involved in that type of scenario, then you've got risk. You're behind already.

And I want to come on to what are some of the solutions to this, how can organisations move forward and make the gap smaller? You mentioned Minutes to Meltdown. Thank you for mentioning that. For those that don't know, Minutes to Meltdown is an event that Commvault have been running around the world. We basically put about 30 people in a room and we expose them to a simulated ransomware event. And the reason I bring it up again is because for us, that's maybe one of the best first steps to get any stakeholders in the same room. So when we organise one of those Minutes to Meltdown events, we always make an effort to bring folk from the security side and the infrastructure side together. Also often business leaders and heads of lines of business, managers, et cetera. Because if nothing else, they leave that session with: oh my goodness, if this happened to us, we don't have a plan. And that plan's not going to exist unless we all contribute to it, which is, I think, a great first step to resolving the problem of this gap.

I agree. I think what I see is you have to start with the leaders. You've got to start at that level. Then you've got to move on so that there's awareness. They understand what is at stake and also how to deal with it, what their part in it is. And then you have to move up to culture, because it's got to be embedded into the organisation, because security is a shared responsibility. If you don't have everybody involved in those decisions, really understanding, then you're failing. Then it's risk and GRC. Then it's about defence and protection. Usually the tech solutions are in there. Then it's about community. And it's a bit like, I think, Maslow's hierarchy of needs, so those are the layers. And what I see is that often we go in at the GRC or the risk layer, or even the protection layer, often with technology, thinking that it's going to solve the problem, and that's why we have these issues. Because actually it's like a house being built on sand, and it crumbles, so time comes in or water comes in or whatever, and it just crumbles. And that's, I think, why we have a lot of the issues that we have. And we talk a lot about people, process and technology, the golden triangle in security, and how those three are required, but we tend to be solving the issues that we have mostly with technology.

Yes. And I have to fight that urge, as a strategist and an advisor. And I've learned over the years that as excited as I am about whatever technology is emerging, right now it's generative AI, but 10 years ago it was something else, as excited as I am about that, I have to temper that enthusiasm. And if, for example, I'm doing a lot of work right now with my team around building cyber recovery plans, I have to fight the urge to lead with the technology that can enable that, because of course what has to come first is, as you say, culture, people, organizational structures, governance, best practices, playbooks, and then the technology can show up to automate that.

So I completely... because that's what the tech... it's like anything, you need to be putting the technology in, I think, once the people and the processes are all sorted. Then the technology can scale it, then the technology can support it. But if you just put technology in without dealing with the other two, you introduce risk, you can't start.

And a thought just occurred to me as well. I think by going kind of technology first, process and people later, you're probably widening the gap. I think you are. Because the tech, what's the technology? Well, the technology is security technology that typically exists in the SOC, very security-orientated; security folk understand it. They're proud of it. Those sorts of things. Or it's technology on the other side. And so just by deploying technology without the fabric of the people and the process, you're probably making the gap even worse.

But I think you miss things as well. So if you're not including the people, you're working blindsided. And that's why it's really important to get the people involved, to get those stakeholders involved. Now, what are you seeing that I'm not seeing? Right.

And I love the idea of working on real use cases. Yeah. So there's a lot we can do, like Minutes to Meltdown, to bring people together and start to get them collaborating and talking, but in every business, everywhere, there is going to be something that's a project that needs to be worked on anyway. And what I encourage organizations to do is just to make sure that all of those stakeholders are in the project. Yes. For us, a project very often right now is a cyber recovery planning exercise. Like, what does the plan look like? How do we enable that plan? What are the playbooks? What is the technology to enable it? All of that stuff. And I refuse to run a cyber recovery planning workshop unless the infrastructure and the security people are in the room, because I know we're not going to get there otherwise.

Yeah. We need both those. It's a golden opportunity. I think finding those projects to work on together is really important.

So, Jane, as always with you and I, we've run out of time. We'll talk forever on these topics and we'll certainly have you back for future episodes and we'll discuss some other things as well. But before we go, any last words of advice for the Strive audience here?

Yeah, I would say security people, go out there and be evangelists. Go out there and serve the business. Find out about what they are doing. Build your influence so that you can do a better job. You can serve the business better. And if anyone is tuning in who's not in security, go and increase your cyber literacy, go and find out about cybersecurity, go and make friends with security. We are very friendly people. We are the department that now likes to say yes. So, yeah, I think when these two worlds kind of come together, we can do a much better job. And right now, certainly with the climate as it is, we need to be doing a better job.

I totally agree. Jane, thank you so much for your time. Appreciate you being here with us and we'll see you again soon. Thanks, Darren. Okay, so thank you for joining us on this episode of Strive. We do plan to include more special guests in future episodes. Let us know what you think about that. Is that a good idea? Who would you like to see? Who would you like me to talk to? What subjects would you like us to discuss? But for now, that's all we have time for. Stay tuned for more stories and insights. And until next time, stay informed, stay secure, and I will see you in the next one.

TL;DR

  • CIOs and CISOs have opposing mandates—innovation versus risk reduction—creating organizational friction that leaves security concerns filtered or dismissed, particularly when CISOs report to CIOs.
  • Critical workflows like system patching, cyber recovery planning, and M&A due diligence fail when IT and security teams don't collaborate, as each holds essential knowledge the other lacks.
  • Technology-first approaches to bridging the gap actually widen it by reinforcing silos; effective solutions require leadership alignment on risk tolerance, cultural change, and cross-functional project work.
  • Simulated crisis exercises like 'Minutes to Meltdown' provide practical first steps by forcing stakeholders to collaborate under pressure and recognize their interdependencies.

The Structural Divide Between IT and Security

This episode examines the persistent organizational gap between CIOs focused on innovation and digital transformation and CISOs tasked with risk reduction and compliance. Jane Frankland, a 28-year cybersecurity veteran and MBE recipient, explains how these opposing mandates create friction: CIOs are incentivized on cost efficiency and operational uptime, while CISOs are measured on resilience and risk mitigation. The conversation reveals how reporting structures compound this problem, with many CISOs reporting to CIOs—a dynamic that can lead to security concerns being filtered or dismissed before reaching board level. Frankland notes she has witnessed CISOs removed for being 'too good at their job' when security requirements conflicted with IT delivery timelines.

Real-World Consequences and Use Cases

The discussion moves to practical scenarios where IT-security misalignment creates tangible risk. System patching emerges as a critical example: infrastructure teams traditionally deploy patches, but security teams possess the vulnerability intelligence needed to prioritize them effectively. Without collaboration, organizations patch inefficiently or miss critical vulnerabilities. Cyber recovery planning presents another case where both domains must converge—infrastructure teams manage backup and recovery operations, but security teams provide the forensic analysis to identify clean restore points. Frankland adds merger and acquisition due diligence as a third scenario, where failure to include security can result in acquiring companies with undisclosed breaches.

Solutions: Culture, Process, Then Technology

Frankland advocates for a layered approach to bridging the gap, starting with leadership alignment and risk tolerance definition at board level. She emphasizes that technology solutions deployed without addressing people and process first actually widen the divide, as security tools remain siloed in the SOC while infrastructure teams operate independently. The conversation highlights Commvault's 'Minutes to Meltdown' workshops as an effective first step—simulated ransomware exercises that force cross-functional stakeholders to collaborate under pressure. Frankland's prescription for security professionals: become evangelists who serve the business rather than enforcers who block it. For non-security stakeholders: increase cyber literacy and build relationships with security teams, who she insists are 'the department that now likes to say yes.'

Chapters

0:00 - Introduction and Episode Format
1:07 - Jane Frankland's Background
4:01 - MBE Recognition and Women in Cyber
5:24 - The IT-Security Gap Explained
9:06 - CISO Vulnerability and Reporting Structures
12:09 - Risk Tolerance and Organizational Culture
13:50 - Real-World Use Cases: Patching and Recovery
16:06 - M&A Due Diligence and Testing Scenarios
17:45 - Solutions: Leadership, Culture, and Process
19:08 - Technology as Enabler, Not Solution
21:02 - Working on Real Projects Together
22:03 - Final Advice and Closing

Key Quotes

1:50 "I started my own penetration testing company back in the late 1990s. It was the first female owned penetration testing company in the UK."
7:09 "The CISO is seen as the disabler to business. They don't like change because change introduces risk."
8:53 "I've seen CISOs alert the CIO to certain risks and that CIO will be taking it to the board. But because that doesn't align with his or her objectives, their agenda, they're removing those risks. So the board is unaware."
8:58 "I've also seen CIOs actually, at the first opportunity remove the CISO because they are too good at their job. They're slowing things down."
19:08 "We talk a lot about people, process and technology, the golden triangle in security and how those three are required, but we tend to be solving the issues that we have mostly with technology."
22:09 "Security people go out there and be evangelists. Go out there and serve the business. Find out about what they are doing. Build your influence so that you can do a better job."
Tags:
  • Security Operations
  • Best Practices
  • Executive Briefing
  • Data Protection
  • Compliance & Governance
  • IT-Security Alignment
  • CIO-CISO Dynamics
  • Organizational Risk Management
  • Cyber Recovery Planning
  • Security Culture
  • Cross-Functional Collaboration