Redefining CyberSecurity

Managing the Current Demands of a Cyber Workforce Whilst Looking to Secure the Workforce of the Future | ITSPmagazine Event Coverage: Infosecurity Europe 2023, London, England | A Conversation with Erhan Temurkan

Episode Summary

In this Chats on the Road to Infosecurity Europe 2023, hosts Marco and Sean interview Erhan Temurkan, Director of Security and Technology at Fleet Mortgages, to discuss his experiences with cybersecurity strategy and diversifying recruitment, emphasizing the need for the security community to learn from each other's experiences and to talk about security incidents to improve outcomes.

Episode Notes

Guest: Erhan Temurkan, Director of Security and Technology at Fleet Mortgages [@FleetMortgages]

____________________________

Hosts:

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

Pentera | https://itspm.ag/penteri67a

Semperis | https://itspm.ag/semperis-1roo

____________________________

Episode Notes

The conversation touches on the importance of having a diverse range of skills and backgrounds in the cybersecurity workforce, and maintaining a balance of skills for old and new technology. They also discuss how organizations can maintain a workforce for legacy technology while also preparing for the future, and how to recruit candidates with varied experiences and education.

The conversation also highlights the value of having flexibility and being open to new ideas, including from younger generations. The hosts encourage listeners to engage with speakers and attendees at events and continue the conversation beyond the sessions.

____________________________

Resources

Learn more, explore the programme, and register for Infosecurity Europe: https://itspm.ag/iseu23

Catch Erhan's session: Managing the Current Demands of a Cyber Workforce Whilst Looking to Secure the Workforce of the Future

Be sure to tune in to all of our Infosecurity Europe 2023 conference coverage: https://www.itspmagazine.com/infosecurity-europe-2023-infosec-london-cybersecurity-event-coverage

Catch the full Infosecurity Europe 2023 YouTube playlist: https://www.youtube.com/playlist?list=PLnYu0psdcllTOeLEfCLJlToZIoJtNJB6B

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Sean Martin  00:06

Marco. Sean, time to pop that champagne bottle.

 

Marco Ciappelli  00:12

Yeah. On the laundry flights, flying luxury.

 

Sean Martin  00:18

Yeah, for first pain all the way, champagne for everybody.

 

Marco Ciappelli  00:24

I'm taking a Concorde anymore. Although I heard they're reintroducing the work in something's as fast if not faster than that. So, but not yet, not yet, we're gonna take it easier. It's gonna take a little longer to get there, but I heard there's some pain on location there in London.

 

Sean Martin  00:46

I'm sure. I'm sure they know how to have a nice glass of champagne. Of course, they're not here to talk about delicious beverages or different classes on airplanes. We're here to talk about the role of cybersecurity in society and in business and, and what better place to have that conversation, or those conversations, than Infosecurity Europe in London, which is where we're headed, to the ExCeL in London. And as you know, Marco, we get to, as part of our Chats on the Road, Jeff through the clouds, you might want to call it for this one, we get to talk to some really cool people: keynote speakers, fireside chatters, panelists. All the above, right? And today is no different. We had the pleasure of having Erhan Temurkan. Erhan, how are you?

 

Erhan Temurkan  01:42

I'm very good. Thank you. How are you both?

 

Sean Martin  01:44

Doing great. Doing great. We're excited to chat with you. You have, you have two sessions going: one of the fireside chats with another gentleman, Paul Watts, looking at managing the cyber workforce. And you're also on a panel called ClubCISO presents the champagne CISOs of people kind of think at the peak of why I meant to the champagne story there at the beginning. So we're gonna dig into both of those, of course not giving anything away, we want people to come join you and participate in those conversations. Before we get to those topics, so a few words from Erhan on you, your role, what you're up to, and what you hope to get from Infosecurity Europe in London. Sure.

 

Erhan Temurkan  02:35

Sure. Thank you very much. Yes, it's just to introduce myself. So my name is Erhan Temurkan. My current role: I'm currently the Director of Security and Technology at a company called Fleet Mortgages. And the way I describe myself and people asked me to kind of describe my, my, my role in one line is all about cyber transformation. So my kind of background is, is doing cyber transformation in a variety of industries, namely financial services, fintechs, insurance, legal. And I have also done a stint in the, in the public sector too. So yeah, I'm really about going into, into organizations, looking at their current cyber maturity, and then building out a cyber transformation plan to take them to the target maturity level that they need to achieve.

 

Marco Ciappelli  03:24

How is that going?

 

Erhan Temurkan  03:29

I'm gonna answer that. I'm gonna say it depends.

 

Marco Ciappelli  03:34

Very, very, very polite, very political.

 

Sean Martin  03:40

Everybody, I'm sure has their own view on that as well.

 

Erhan Temurkan  03:44

In the, in the in the, and there's a, you know, that that question can be answered with a variety of different factors, right. But, yeah, I'm going to

 

Sean Martin  03:55

give an even on in our chat with Paul, Paul Watts, I think even made the comment that the transformation isn't to an endpoint. Because you don't end up there and go woof. It's a while, I mean, we talk a lot about culture. And, and, I mean, the technology certainly continues to transform over time. So does business. So security needs to keep up with that over time. So how did you get involved with, with the Infosecurity Europe event this year? Yeah, so

 

Erhan Temurkan  04:37

I was approached to, to talk on, on the two areas, as you've listed. One is the fireside chat, which I'll be doing, namely with Paul Watts, which we're excited about, which will be touching more on the diversifying kind of your recruitment strategy and the challenges that we face with that. And then one will be, as you said, will be more of an interactive session with, with ClubCISO. And that, we'll be looking at the latest security trends and threats, as seen in the report was for 2023.

 

Marco Ciappelli  05:11

So that's, I think that's a leaders lounge roundtable. So it's not open to the whole public. And you'll have a more and more intimate conversation where people can be open about the reality of things. And of course, we're not going to ask you to predict what they will tell you, but maybe you, you can tell us what you think, in terms of what is happening in the industry. I can overview where we were standing from your perspective.

 

Erhan Temurkan  05:45

Sure, sure. Yeah. So, so yeah. So that that will cover a variety of factors. And as you said, I won't go into detail, but we'll cover kind of the people the process and the technology. So looking at culture, looking at technology, and how different people's security strategies, you know, reflect reflect on those. What will be done and what what what won't be said that's, that's, that's hard to say. But, you know, I'm, I'm a, I'm a big fan of learning from from kind of everyone in the audience. And I'm actually really sorry, my cat has decided to meow as we do this podcast.

 

Marco Ciappelli  06:23

More than welcome, more than welcome. The more the merrier.

 

Sean Martin  06:26

He advice on the security posture of one of the companies?

 

Erhan Temurkan  06:31

Well, he seems to have a, you know, maybe, maybe, maybe he, he actually wants to be vocal here. But, but yeah, I think the challenging thing is actually to get people to actually be vocal and actually talk about the, the actual reality. Okay? And what I mean by that is, there's a saying, not if but when. Okay, that means that most of us, if not all of us, at some point, will have faced an incident, either we've faced already or we're going to, and often I find, when I ask this question to people, have you had a material breach? Or how do they all say no? Okay. And that could be reality, or that could be that people don't want to speak up. Okay, for obvious reasons, right? They don't want to actually be, they see it as a personal reflection on themselves. Okay. And, and we see this very often, actually, is one thing I often talk about is, when we see these public news, data breaches, you know, we very quickly see on social media, on these professional social media platforms, people are very quick to comment on, oh, they should have done this. Okay. And one thing myself and Paul often talk about, and I'm sure he won't mind me saying this, is that instead, as a community, we should be coming together. Okay. Is that saying if success leaves clues, right, we should be coming together, learning from, you know, what went wrong, you know, I often do this, you know, as soon as I see that, that latest report come out of, you know, I'm not sure if we're allowed to name names coming, so I will leave them out. But, you know, a specific incident response organization who write up a report, which is, you know, public release to, to review, I often sit down, actually read that, you know, I'll receive, I'll read the, you know, the reports from Information Commissioner's Office, you know, in the UK on different breaches and actually understand, so what did that organization do, do wrong? Okay, what could they have done better?
So, yeah, you kind of asked, you know, to bring it back to your original question. The, the biggest part of that session will be around that engagement, actually, you know, having the audience's participation, understanding, you know, the results of the survey, and actually, the, the response from the, from the audience in the room, and actually seeing, you know, if that, if that reflects, and, and, and how that actually plays out, moving forward.

 

Sean Martin  09:00

Yeah, and I think you're touching on an extremely important point where, I mean, there's so many, also, I'll say, fascinating aspects to cybersecurity and the way that we, we think about it, and we hold it on a pedestal, like, you can only be a hacker, if you have a certain set of knowledge and nobody else really understands what you do. And we often have a tough time connecting cybersecurity operations to business outcomes, right. We're always blocking things instead of enabling things. And, and to the new your other point of, it's kind of taboo to talk about the reality that this is, this is this is happening, this happens. It does happen. It has happened. Yeah, but we don't want to talk about us, I think, kind of breaking down those and there's probably other other things that make this even more are fun and unique, but breaking down some of those hard edges. And having conversations like this amongst your peers kind of helps to understand better helps to reflect better helps to help each other better, which he also mentioned. How do you? How do you think people will leave that room? After having these conversations? What do you what do you expect? What do you hope to, to accomplish with this?

 

Erhan Temurkan  10:33

Yeah, so, you know, yeah, I'm hoping people will be enlightened, they'll find it to be a very informative session. And I'm hoping it's a conversation that will continue. Okay, this is, you know, this is not something that we'll just do in an hour, and it stays there. You know, what I would love this to be is to be a continuous conversation. Okay, we, you know, it's all about really having that sense of community. And, you know, discussing those different topics, learning from each other. And let's continue the conversation, you know, I'm hoping people will come away with that from that and say, That was a great session, you know, I learned XYZ, or in my organization, we're facing this, and how can we help each other because most of the time, you know, the, we are, most of the time, we're facing the same challenges, okay, we just have different ways of doing it. And, you know, most of the time, as I said, we're going back to that, say, if success leaves clues, you know, if someone's done it one way, at times, it can work just as well for a different person, a different organization, etc. So I'm hoping people, you know, as I said, will come away, enlightened, find it informative session, and it'll be a real sense of community and a conversation that we can continue.

 

Marco Ciappelli  11:45

Loving, we're sure understand how important is, you know, I keep thinking about what Paul said about, I'm done, I'm going to drop the mic, and then we will start laughing and say, Well, now you got to pick up the mic again, and keep the conversation going, because it's not really ended. And, and it made me also think about how this conversation is important on how the, in talking about the cyber workforce, and how it has to evolve into including so many different kinds of background and so many different skills. And, you know, Paul mentioned we need, we need the arts, we need the creative people, we need the the marketing, we need all of that. So, love your your perspective on that. And, again, don't give away your own presentation. But, you know, what's your perspective on that?

 

Erhan Temurkan  12:41

Yeah, totally agree. You know, having that diversity of thought is, is is key. You know, I think we've, we've, we've now realized that security is not just a technical challenge, okay. But having that diversity of thought of people from different industries, you know, their their variety of roles. Now, there are there are even, you know, cyber psychologists, right, who look at how, you know, how people go down the route of cybercrime. Okay, what turned them down that down that path? You know, was it? You know, there's a lot of reports, I won't go, but there's, you know, there's been research into looking at how teenagers start with cracking games, and that leads them on to a path for cybercrime. Okay, you know, that is, that's an example. You know, so having that variety of, you know, of of industries, brings a different perspective. So, to kind of give an example, often we kind of talk about how CISOs we really want to be on the board, but when we're on the board is quite challenging because of the different stakeholders, okay? And a different stakeholders are, who are on the board could be, you know, on the exec team instead could be people from HR from finance from the legal team. Okay. And we offer our but they don't understand security and how it works, etc. Well, you know, maybe to bridge that gap actually looking and diversifying ourselves in terms of when we recruiting, why don't we look at candidates who have that background of you know, they've got a legal background, and they'll actually be great at implementing your compliance against GDPR. For example, you know, someone who's got a more varied background in terms of, you know, they may have an HR background will actually that HR person who deals with people all the time, could be the perfect person for security awareness. Okay. There are a lot of, you know, security logins, where's a lot of transferable skills which can actually complement your team. 
And I think it's the you know, not to give away too much, but it's about having the balance of, you know, a varied experience, but also the education to go with it. Okay. There's a saying that I like to say, experience and education will help you reach your I am back, I am back. Here we go. Yeah. So, just to just to wrap up that, that kind of last section, so I was talking about variety of experience with variety of education. And kind of, you know, just to just to get to just to just to close it out, you know, if you have the writing variety of both in terms of, you know, looking at, you know, when we're recruiting, not just saying, you know, that person needs to have, you know, an education that's purely technical, you know, a computer science degree degree in cybersecurity, for example, you know, or have just, you know, or you have to have five years of experience. Okay. That That, to me, is challenging. Okay. Because you may find, you know, an individual has one, but not the other. Okay. Also, you know, one thing that continues to surprise me, and I'm sure many of us actually face this, and we continue to face this, with our own families and friends, you know, is, you know, we we prescribe that specific, you know, individuals needs to have five years of experience. However, you know, some of the youngest and brightest minds, you know, can actually be super technical. Already, you know, you know, I'm sure you've all come across family and friends, you know, you know, I've got my own family members, you know, three years old, they're, you know, two years old, they can use an iPad better than me, you know. So I think having that variety of, you know, just being flexible, just being flexible is is the point that I'm kind of, I'm trying to get across here.

 

Sean Martin  16:33

Yeah, and one of the things I wanted to touch on before we, for we wrapping, remind folks that they can, they can engage with you directly at the conference is back, sticking with the workforce, I guess, because he kind of touched on it here is the it goes back to a number of conversations that Marco and I have had where organizations deal with legacy technology all the time, where they're trying to manage old systems that are hard to update, difficult to maintain a strong configuration for keep an eye on for monitoring and response perspectives. There's that technical and operational end of things. But then when you bring back the workforce, and you talk about an old technology, running a certain OS, or certain identity infrastructure, very few are learning that old stuff, right, though, are all learning the new cloud whiz bang things? And so I don't know, if you want to get no give anything away from the session with Paul, but any thoughts on kind of maintaining a workforce for the old legacy, while also helping to prepare for the future? And new technologies that that come along?

 

Erhan Temurkan  18:00

Sure. Sure. Yeah. So yeah, not to give away not to give away too much, but just in my professional experience, it's about having the balance of both. Okay. So, it is a it is a challenging paradox, you know, how do we continue to maintain our current risk exposure with our legacy systems? And how we keep the lights on? But also, how are we preparing? You know, how are we preparing to serve the businesses for tomorrow, okay, for the technologies of, of the future. And that's, that's a challenge. But the way to do that is, you know, we have to educate our current workforce, and not just to look from not just look, not just to not, not just look to recruit externally, okay, so actually, you know, building on the current workforce, who may have that internal knowledge to prevent and protect those current systems, but also look to complement their skill set with, you know, with the, with the newer technologies that are going to put them in, put them in a good place to protect your infrastructure of the future.

 

Marco Ciappelli  19:11

You know, Sean, what you made me think with this, and then Erhan as well, you know, we talked about legacy, legacy devices, legacy software. Now we're, we're talking about legacy people, like we need to renew people you don't. I mean, the culture that we always talk about many times, it's just, it's the legacy culture that doesn't allow to progress in a certain way. I just throw an example there. It was back in the, in the 30s, where I'm reading like this biography of Disney. Walt Disney is the average when he was reinventing animation, pretty much the average employees, amongst 500 of them, was 26 years old. And everybody was creative, innovative, and any create the future of you know what these needs today and all the amazing thing they've done. I'm wondering if we need to be more open into, again, welcoming not only diverse people, but also, you know, listen a little bit more to the younger generation as well.

 

Sean Martin  20:19

Yeah, it's interesting, you mentioned that. Obviously, we're on the heels of RSA Conference in San Francisco. And I felt that, I mean, normally, I would run the halls and, and there'd be a colleague of 15 years, 20 years prior that I'd run into in the hall, and then 10 steps later, it'd be another one. This past one, a couple of months ago, very few of the old faces, tons of new faces, not unless people just way more new faces. So I'm excited to see what Infosecurity London brings. It's been a few years since we've been there for that, too. And already know, there'll be some familiar faces, and then we'll get to meet new ones like Erhan here. But I suspect there will be a new generation there helping us take things forward. So I look forward. Yeah, exactly. Like with, like, with all this has been good. I mean, we said a lot of good things, but not enough to take away from the conversations at the conference. If you're lucky enough to get into the, into the champagne event. I'm jealous, that don't want media into those things. They don't trust us. That kind of information. But the other, other panel with Paul, the fireside chat with you and Paul, is gonna be super cool. So definitely check that out as well. And even more importantly, outside of the sessions, in the halls and the expo, hubs, wherever, make friends, meet people, have the discussions, keep that conversation going. This is what Erhan talked about. And there'll be links to the sessions in the show notes. Of course, we had a lot of coverage, pulling together before, during and after the event. So stay tuned, coverage page for that. Erhan, thanks so much for joining us. Appreciate you taking the time. Good luck at the events. Look forward to seeing you.

 

Erhan Temurkan  22:23

Thank you, Phil. Thank you, Mark. It's been a pleasure. I look forward to seeing you there. Likewise,