Redefining CyberSecurity

Infosecurity Europe 2023 Keynote Sneak Peek | Deciphering Cybersecurity Readiness: A Global Perspective | ITSPmagazine Event Coverage: Infosecurity Europe 2023, London, England | A Conversation with Ian Hill

Episode Summary

The podcast explores cybersecurity's evolving landscape, discussing compliance, readiness, and global challenges with guest Ian Hill, Director of Information and Cybersecurity at Upp Corporation. Hosts Sean Martin and Marco Ciappelli guide the conversation, offering insights into modern cybersecurity strategies and the need for global collaboration.

Episode Notes

Guest: Ian Hill, Director of Information and Cyber Security at Upp Corporation [@getonupp]

On LinkedIn | https://www.linkedin.com/in/ian-hill-95123897/

____________________________

Hosts:

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

Pentera | https://itspm.ag/penteri67a

✨ ➤ Sponsorship Signup Is Now Open — And Yes, Space Is Limited!

____________________________

In this Chats on the Road to Infosecurity Europe Conference podcast episode, Ian Hill, a cybersecurity veteran with 25 years in the field, and current Director of Information and Cybersecurity at Upp Corporation, shares his knowledge and experiences. He provides valuable insights into compliance, readiness, and the global challenges that affect cybersecurity.

A main focus is the interplay between compliance and security. Hill emphasizes the importance of prioritizing a robust security strategy that organically leads to compliance, rather than letting compliance requirements dictate security measures. This perspective offers a redefined take on building an effective cybersecurity framework.

The conversation also explores the concept of readiness in cybersecurity. In a domain where technology continually outpaces regulations, understanding what constitutes readiness is not straightforward. However, the discussion highlights its importance in preparing organizations to respond to evolving threats.

The conversation then turns to global cybersecurity, discussing the cross-border challenges that organizations face in an interconnected world. Hill underscores the implications of navigating diverse laws, cultural attitudes, and standards in a global company, and points to an increasing need for international cooperation to manage the complex, ever-changing threat landscape.

Have a listen. Enjoy. And be sure to catch Ian's keynote presentation and panel discussion during the conference.

____________________________

Resources

Learn more, explore the programme, and register for Infosecurity Europe: https://itspm.ag/iseu23

Be sure to tune in to all of our Infosecurity Europe 2023 conference coverage: https://www.itspmagazine.com/infosecurity-europe-2023-infosec-london-cybersecurity-event-coverage

Catch the full Infosecurity Europe 2023 YouTube playlist: https://www.youtube.com/playlist?list=PLnYu0psdcllTOeLEfCLJlToZIoJtNJB6B

____________________________

If you are a cybersecurity vendor with a story to share, you can book your pre-event video podcast briefing here (https://itspm.ag/iseu23tsv) and your on-location audio podcast briefing here (https://itspm.ag/iseu23tsp).

Explore the full conference coverage sponsorship bundle here: https://itspm.ag/iseu23bndl

For more ITSPmagazine advertising and sponsorship opportunities:

👉 https://www.itspmagazine.com/advertise-on-itspmagazine-podcast

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Sean Martin  00:05

Marco, so before I press the red button, I always ask you, are you ready? I'm ready. Yes. And then I press the red button. This time, I'm going to ask you again. Are you ready?

Marco Ciappelli  00:23

I am ready. Super ready, super, super pumped. Already there in my head. And by there I mean London. I'm so excited, right? That's right. I already said that on our first episode, I'm going to say it again. And then I'm going to say it again and again. And again, every time that we do one of our Chats on the Road or chats on the cloud. I don't know how we decided to call this one yet. But it's whatever we talk about, as we get closer to chats on the water. Oh, yeah, we were talking about floating and swimming. UK, we've kind of covered that across that it did.

Sean Martin  01:02

I don't think we'll survive that trip. But the reason I asked about readiness, and I know you and I know how we operate, and I can confirm and I see how you are, for those watching, I can see that you're confident in your readiness to have this conversation. That's not always the case for one or the other of us. And because of life, because of the topic, because of surrounding elements, we're not always ready. And I think it's an interesting point, especially when we're talking about cybersecurity. And this is in connection to Infosecurity Europe in London, coming up here in June. And there's a speaker, Ian Hill, who's joining us. Thanks for being part of the scene.

Ian Hill  01:54

Thank you very much.

Sean Martin  01:56

You're doing a quick presentation on the topic of readiness, and then having a panel discussion to dig deeper into that with some folks. And I found it interesting that we talk about being ready, right? I think we all, and the reason I asked Marco that question, I think we think we're ready. And when asked, we say we're ready. But are we really ready? And what is really important? I mean, a conversation like this, yes, this is an important conversation. But when we're talking about protecting critical infrastructure, healthcare systems or financial institutions, being ready is pretty important, right? It's not, I presume, not just the feeling; the feeling sure has a role to play. So I'm excited to get into this with you. And we're not going to give anything away from your session. We want people to join you there in London, to partake and engage. Before we do that, though, a few words from you about who you are, your current role, and why this topic at emphasis.

Ian Hill  03:06

Thank you very much. So my name is Ian Hill. My current role is Director of Information and Cybersecurity at Upp Corporation. We are a big regional broadband provider, providing fiber to the home in the East Anglia and Lincolnshire areas of the United Kingdom. I've been in InfoSec for some 25 years plus, senior roles, both in global companies and local companies. And my role here at Upp, we're pretty much a startup moving towards scale-up. So for me, it's quite a refreshing job because I'm able to build the cybersecurity posture pretty much from the ground up. I'm not inheriting any legacy. So I was really excited about this role, because, you know, it gives me the opportunity to sort of start from base with my ideas and strategy to develop. I mean, it's only a small company, only got 170 employees. But it's expanding very rapidly to be a premier fiber to the home broadband provider in the East of England.

Sean Martin  04:24

So clearly in your role, you you have to be ready. But you also have to help your team be ready. And you also have to present that readiness to your executive staff and and perhaps even the board that you're ready for what might come right. Yeah, I

Ian Hill  04:49

think it's interesting because he was talking about this particular subject. It's really about... I'm gonna start with asking a question, and you'll see where I'm going with all this. I was going to ask the question or put a statement on the screen, and it's quite relevant for pre-discussion, is that compliance doesn't give you good security, but good security will give you compliance. Discuss. And basically, you know, I'd like to talk about that, because when you talk about readiness, and you talk about building a cyber strategy, there's often different schools have different views of coming at it. And in my experience, small and large companies, I've often found that the technical operational side of cybersecurity can often bang heads, if you like, with the GRC, the compliance side, because they see things from an ISO 27001 perspective, they don't necessarily see it from the cybersecurity perspective. I'm not saying you need to comply, you need to have compliance, GRC, risk management, all that sort of stuff. But where I want to discuss and get some interesting ideas and views is you shouldn't have compliance driving your cybersecurity strategy. That sort of makes sense. Because you could end up going down the road.

Marco Ciappelli  06:32

Not only makes sense, but it makes you think, because, you know, Sean went, I went to, I'm ready to go to Infosecurity Europe, I'm ready to have this conversation. And he went kind of pretty philosophical there. Because you can just state that you're never ready until you decide what it is that makes you ready, right? It's kind of like an ideal. As you get closer to that ideal, from a philosophical perspective, the ideal gets away from you. So the readiness, especially with a change of technology and cybersecurity, you know, it's never there. But you need compliance, in my opinion, or rules or anyway, a set of checks that says, well, ideally, philosophically, we're never going to be ready. But are we ready enough now? So who makes that decision?

Ian Hill  07:31

Well, I think, you know, I think they need to go hand in hand. So in a mature company, you need the cybersecurity, the technical and the operational and strategic side of implementing all the controls and what have you, they need to sort of align and work together with compliance. Were sort of put in a particular way, you get some companies that say, for example, right, we're going to get ISO 27001, that's going to look good on our letterhead, and that's going to look good for our sales. So right, here's ISO 27001, what we need to do, we need to do that, we need to do that, we need to do that. Whereas on the other side of the fence, you say, we've got a good security posture, review SAP certain things like that, right? Let's do 27001. Here's 27001. Okay. Yes, yes, yes, yes, yes. You get the idea. And that's the sort of trying to balance it up.

Marco Ciappelli  08:35

Yeah, you just can't rely just on that. But that's the message, don't just check the list.

Sean Martin  08:42

Exactly. And that's the question I have for you. And I don't know if you have a chance to connect with your peers throughout the UK and in Europe, and in the US. I find, and maybe I'm just not having the conversations with the people in the US that talk about ISO 27001, but I seem to hear it much more as a talking point in Europe and the UK. Do you find that true? And if so, why do you think that?

Ian Hill  09:21

I think there's a number of reasons. So one particular reason is that a lot of public body contracts now dictate that the company that is providing the services is ISO 27001 certified. So you know, if you want to do business with a lot of public bodies here in the UK, they dictate that. But also, I think it is also generally more popular as well because in the UK, we also have a sort of entry level certification called Cyber Essentials. And also its little sis, or bigger sister rather, Cyber Essentials Plus, and they are a stepping stone to 27001. Because when the NCSC put together Cyber Essentials as a standard, a lot of that was taken from ISO 27001. Of course, look at the history, ISO 27001 was an old British Standard, BS 7799. So it's been around a lot longer here in England as a British Standard and then adopted by the International Standards Organization, as 27001. So there's a couple of things really, history and also that it's very much seen in the UK as evidence that you're managing information security properly.

Sean Martin  10:50

And I wanted to follow up on that with one of the points in the panel, I believe it is, some of the talking points is this idea of responsibility, discipline, and flexibility. And I think Marco kind of touched on this a little bit where you kind of need to know where you're going to go. And I kind of touched on the path to get there. But then in reality, the path often changes, right? Threats change, technology changes. Another point you make is clouds and networks and APIs and all these things, business requirements, they all change. How you tackle that path, and how you follow that path and remain flexible along the way. So any thoughts on that point?

Ian Hill  11:42

Yeah, you know, absolutely. And again, just all the standards and things, you know, if you follow standards, the threat landscape is changing all the time. It's far faster than the standards can change. When you look at things like PCI DSS and 27001, these will change every five or six years. A lot can happen in five or six years in our industry, as well. But absolutely, you know, when you're developing a cybersecurity posture and team, you have to be agile. And one of the things that I found, certainly the last few companies, where you've traditionally had a very, very sort of siloed closed shop cybersecurity strategy and team, you know, the cyber team, there's those guys who's living in the black room and they send out diktats and you mustn't, you know, you have to do what they say. And things like that. And to a certain extent that old school, dark arts cyber silo mentality is being broken down. And we're finding that you're coming up with more federated capability. One of the things I like to do in the businesses I've been involved in, so what I want to do at the moment, we're having a small cyber team, and a much more federated cyber capability amongst the subject matter experts and the technical teams and across the business. So you've got your network guys and your IT guys and things like that, and transfer of responsibility and ownership for the security in their areas, but obviously federated, so you still got the cyber team and the CISO still managing and keeping track of it. But you know, by transferring ownership and responsibility, you sort of get a much bigger, if you like, cyber team by proxy. And I found, and you have to have that, because you know, the technology we're working with now is very complex and the subject matter experts in those areas know their technologies.
And if you encourage them to know and understand the security of those technologies and have ownership of that, you're going to be in a much better position than having some sort of dark arts siloed cyber team who think they know everything. That makes sense. And it's part of the adaptation and the more agile development of the cyber world.

Sean Martin  14:17

And it definitely speaks to the responsibility as well. If you share that responsibility, then strength in numbers comes into play.

Marco Ciappelli  14:28

Well, I'm glad you started with the world, because we were talking before we started recording on how excited we are to go to such a great event. And how a lot of people come there, not only from Europe but from a lot of different parts of the world. We're gonna come from the US. We know a lot of companies are going to be there, a huge exhibitor directory and hall in the new ExCeL place. So standards can be something for you and standards can be something else when you come from another country where you have different regulation. So the big question is, in a new world, as you said, you know, the world where we all need to work together, there are no boundaries in cybersecurity, unfortunately, we learn that every day. That flexibility that you're talking about, it will come together, it has to come together when you work internationally with others. So with that in mind, your perspective on it? And also, what do you expect to be kind of like the theme and the conversations that are going to happen this year, maybe on the floor there during the event?

Ian Hill  15:45

Yeah, I think it's going to be, because as you rightly say, you know, Infosecurity Europe is an international event, you get sort of a lot of visitors from Europe. And having worked for a global company that was based out of Europe, I have, you know, experience of how attitudes, cybersecurity, cultural differences, and different interpretation of standards and things, causes challenges. You know, so just a classic example, I remember trying to implement some new technology across a global company, we had all sorts of challenges within Germany, because they have some of the tightest privacy laws and things like that, quite a bit different, even though they'd have GDPR, like everybody, rest of Europe, but they have their own sort of German state laws, which are very, very tight. So when you're trying to develop a cybersecurity strategy in a global company, it does give you challenges like that. But again, you have to sort of compensate for those challenges and where necessary, you have to create a certain level of, if you like, commonality for the general security strategy, but a certain level of segregation where there are elements within a certain country, or standards or culture or something like that, that needs to be different. As, you know, again, you're striking the balance, ultimately, what you're trying to do is protect the business. So you still have that common base, a common goal, but achieving that goal, within different countries, you have to sort of walk the minefield of the local laws and cultural things. So it is what it is, you know, these challenges exist, but you're absolutely right, Marco, we live in a global world, the enemy is out there. And everybody I've worked with, particularly international companies, understand that. They understand that, you know, the enemy's out there, and that, you know, we need to work together.
I think, you know, more and more cooperation globally is going to have to happen, I think this this gets much more into more philosophical areas about, you know, cooperation and sharing of information. And I think, you know, as time goes on, we we're going to be forced down that road, that we have to share more and collaborate more just the nature of the threat landscape.

Marco Ciappelli  18:38

And I have to say, as a comment on this, that, again, events like this other important event in the industry, are offering this platform for everybody, for people from different parts of the world to really have conversation that maybe are not as structured as it could be when you are talking business from one company to another or a government level, but you know, openly share and maybe get ideas while you are interacting one another listening to talk and presentation like the one that you have, and like the many other shown, there's a lot of great talk and topics coming from from this event.

Sean Martin  19:19

There are certainly, and I want to give you a chance to kind of describe the two-part session that you have going, but what I like about the second part, where it's a group discussion, if you will, is you have a fellow industry person from another telco joining you, right. So, perhaps a competitor in the market, but a cohort in fighting, funding the bad actors and having good discussion on this. I love that, the professor from the University of Nottingham and also somebody from compliance. So it's not just protecting the systems, but you mentioned enemy earlier, and sometimes the enemy is ourselves and our business, and the way we define and develop our processes, and the way we use the information we collect, most specifically the customer information. So tell us a little bit about the format of your first slide, and the thought provoking conversation you have there. And then the follow up conversation with this group.

Ian Hill  20:35

Yeah, absolutely, yeah. So it's going to be just like a 10 minute presentation, start with and really just discuss, as I say, you know, the security doesn't give you a good supplier could possibly give you good security, but security Guca compliance, a start with that, and then just just start with a few slides, and really sort of going down and explaining the going down that route and explaining sort of two sides of the argument. And where I want to do, the intention is to, if you like, put both sides of the argument, compliance lead or not, tends to play 10 slides or so give some examples. But what I want to do is really sort of incite discussion. And I want to get people talking, because I think ultimately, the aim is to, to find the common ground in the middle. To say, Yeah, we need both, but how do we get both to work together in harmony, for the good of protecting the business. So I think that when we go into the discussion and the panel side of things is, it's you know, we got compliance person, Professor, I'm functioning from a technical background. So really, and obviously, it's audience engagement as well. That's the whole purpose. This is not just about, you know, for people sitting on stage, talking, it's, it's the whole idea of this InfoSec, this new way of presenting is getting the audience to be part of the discussion getting involved in. And I think that's very positive, because ultimately, I want to find out, and I'd like to understand some of the audience points of view, you know, there are professionals in the people that attend InfoSec, you know, are all professional, so it'd be interesting to draw on their experiences, and their instant how they do things and have a proper, like roundtable discussion on it, ultimately, to find out where's the common ground.

Sean Martin  22:38

And I think, the cool thing, and Marco and I were there a few years back, before we couldn't be there for a couple of years, and we found the event to be just that, very, very open and collaborative and engaging, to where people from everywhere can have conversations and agree to disagree and find those ways forward to that common ground, as you described. And so I want to say, so your sessions are on Wednesday on the keynote stage, if I'm not mistaken, Wednesday, the 21st of June. Right. So that's the second day, in Keynote in the morning there. And

Ian Hill  23:26

Wednesday's the best day.

Sean Martin  23:28

That's right. I'm not biased. That's not it, it's gonna be really good. And I'm excited to see that and hear some of the engagement from the audience and the panel. And it's one of many topics with amazing speakers. We're actually going to speak to some of the other keynotes as well, like Kara Keller's Ari. And look at the state of InfoSec in the UK, in Europe, and from that perspective. And I don't know, Marco, we have like 2020, folks, we're looking at the lineup.

Marco Ciappelli  24:10

Yeah. And also, it's not just about cybersecurity. I mean, we were talking with with the organizer on our first conversation, which I invite everybody to listen to, because you get a more general overview of what's what's going on. There is one of the headline speakers, Michael Johnson. So if we can catch him, and I'm making a joke here, because if Brian or Alyssa used to run really fast, and a lot of fun to be able to talk to him, so I'm hoping he will be here on the show as well. So yeah, a lot is going on. And we're going to be there. We're going to be here before having another conversation and then on the floor. And yeah, the the excitement is real. Hope we can transmit it to everybody to stay tuned. A lot of follow a

Sean Martin  24:58

lot of innovation, a lot of people, a lot of conversations, and excited to be part of it. And

Ian Hill  25:07

One of the reasons, you know, the reason why people attend InfoSec, and the conversations I've had a lot of the time, they have problems, you know, these are InfoSec professionals, we've got problems. Where InfoSec is a big collaboration and collection of vendors and professionals and things like that, I often find those people attending InfoSec are looking for answers. You know, they want to talk to people, they want to see the vendors, you know, they've got problems, and they're looking for the answers. And I think InfoSec is a great collection, coming together where people can find answers. I know that's a real strength of it.

Sean Martin  25:55

And I think in people like you, and I want to thank you for your contributions to the event, because it's people like you and your fellow panelists that get folks to think about the question: do they even have a problem? Do they know they have a problem in the first place? Because if you're only seeking answers to what you think you have, this kind of goes back to the beginning. What are you ready for, right? If you're ready for the things you know you have to deal with, you might be ready, but if you don't know about the unknown, you might not be as ready as you think.

Ian Hill  26:30

Wow, I think so. I think one of the topics I'm pretty certain will come out a lot will be that of AI. AI, you know, obviously with all the GPT-4 and stuff like that. I see a lot of chatter in the news feeds and forums, everyone's suddenly talking about it. I think AI will be a big topic of discussion at InfoSec Europe this year.

Sean Martin  26:56

I'm surprised we went 26 minutes without mentioning it.

Marco Ciappelli  27:03

I'm betting my money on the ChatGPT and AI buzzword. Yeah. My money on that.

Sean Martin  27:13

Yeah. Yeah. So many thoughts on that we don't have time to get into. No, no,

Marco Ciappelli  27:18

we don't have time now. That's why we'll talk about it later

Sean Martin  27:22

and have a pint or something in London. Get into it. Well, listen, I'm excited for the event and thrilled to have you on the show, Ian, excited to hear your session. Wednesday, that's the best day of the event, evidently. And for those listening, there'll be links to the events and his profile connected in there. His sessions, of course, and we invite you all to stay tuned and many more conversations coming here from Infosecurity Europe in London 2023. And if you're there in London, hope to see you there. Thanks, everybody. Thank you