What is the biggest security challenge that will be faced in 2017? How should it be addressed?
Enforcing international law against cybercriminals who operate across international boundaries. Ensuring it is safe to operate online in an international, rule-based system where the laws apply to all remains the enduring challenge.
What are your three goals for 2017?
What is your favorite blog?
What is on your desk right now?
My water bottle, MacBook Air and A5 Bullet Journal notebook
What is your number-one piece of advice for other information security professionals?
Get the basics right and everything else follows.
What is your favorite benefit of your ISACA membership?
Access to the research materials, frameworks and white papers
What do you do when you are not at work?
I read as widely as possible, military and political history as well as a wide range of fiction, and I love to exercise. Recently, I have become a CrossFit addict, but I try not to talk about it!
How do you think the role of the information security professional is changing or has changed?
We are now able to base investment decisions on evidence from events that have occurred. Clients often ask if they are spending too much or too little money in comparison to their industry peers, and we can now generate a benchmark of spend across different industries to inform clients’ balance of investment decisions in a way not previously possible, as information security was not considered of sufficient importance to warrant its own budget.
The proliferation of technology means more people are able to understand our challenges. It will become easier to translate threats and risk using a common lexicon and thereby more effectively gain buy-in, understanding and compliance from people across an entire organization. I think we will see increasing benefit from our ability to work together, across multiple sectors, sharing information on threats and on how different organizations in different industries and potentially in different countries have responded.
How do you see the roles of information security and, specifically, cyber security changing in the long term?
I think we will see a greater interest from the general public in keeping their personal information secure. Now, if people are asked for their personal details, even if they are just registering with, for example, a new dentist or a social group, they are likely to ask: “If I pass my personal information to you, are you able to guarantee its security?” I think more consumers should ask this question whenever they are asked for their name, address and date of birth.
How have the certifications you have attained advanced or enhanced your career? What certifications do you look for when recruiting new members of your team?
I would not have gotten my current role without the Certified Information Security Manager (CISM) certification and I am proud to have a qualification that is so widely recognized.
The main certifications I look for are the CISM or CISSP qualifications, and most information security job specifications will detail either of those two as being mandatory. I also look for an interest in the profession and a keenness to learn, to stay abreast of current topics and understand the context in which we are operating. It is important to be able to relate security issues to risk, so suitable qualifications such as Certified in Risk and Information Systems Control (CRISC) are also highly regarded.
What do you think are the most effective ways to address the cyber security skills gap?
This is a complex problem and it will take time to address. In the UK, we are doing more by teaching coding in school and promoting science, technology, engineering and mathematics (STEM), but it will take some years for the fruits of these labors to be realized. In the shorter term, we need to broaden our recruitment base to ensure greater gender parity and we also need to make certifications more accessible to those who are new to the industry. ISACA is doing good work here with the Cybersecurity Fundamentals Certificate.
The UK is widely considered the cyber security hub of Europe with the largest talent pool of cyberprofessionals. What do you think the long-term impact of Brexit will be on European and global cyber security?
The UK is currently solidly entrenched as a primary hub for the international business community and has also yet to invoke Article 50, meaning the short- to medium-term impact is likely to be low. There is a potential risk to longer-term cyber security cooperation with the EU, although obstacles here would be in no one’s interest.
In terms of the UK’s position in Europe, a relevant example is the planned introduction of the EU’s General Data Protection Regulation, which will still affect UK-based organizations that handle EU data post-Brexit. If the UK does not enact a similar act under UK legislation (concerning data held within the UK for UK citizens), I fear the UK may lose out if its data protection standards are perceived to be lower than those of EU countries. Levels of data privacy and security are valid concerns and consumers may choose the best location to have their data stored, or the most customer-friendly regime within which to operate. The UK must remain the optimum choice in this marketplace.
You have considerable military experience. What role do you think the military will play in combating the threats of cyberterrorism and cyberwarfare?
Cyberwarfare, or at least state-on-state cyberinterference, has already taken place, and I have no doubt that Western militaries are working with other government bodies to share information to ensure an appropriate level of protection. Conventional Western militaries are very good at using existing frameworks, such as the North Atlantic Treaty Organization (NATO), for increased international cooperation and threat deterrence. The use of international organizations as a vehicle for greater cooperation should act as an exemplar for commercial and nonstate bodies to work together to combat threats, share information and learn from each other.
What has been your biggest workplace or career challenge and how did you face it?
My transition from the military was a significant challenge. To overcome the challenge, I took advice from colleagues who had left the military before me, I networked and I ensured that I had appropriate qualifications to showcase my skill set. I made the challenge a little harder as I wanted to break into the commercial world, rather than work in the defense or public sector with which I was more familiar, but I am very happy with the result, have learned a tremendous amount and I enjoy each day’s new challenges.