Sean Martin and Marco Ciappelli talk to Paul Watts, keynote speaker at Infosecurity Europe 2023, about communication, collaboration, diversity in cybersecurity, and the importance of nurturing relationships with the business.
Guest: Paul Watts, Distinguished Analyst at Information Security Forum [@securityforum]
On Linkedin | https://www.linkedin.com/in/paulewatts
____________________________
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode’s Sponsors
Pentera | https://itspm.ag/penteri67a
Semperis | https://itspm.ag/semperis-1roo
✨ ➤ Sponsorship Signup Is Now Open — And Yes, Space Is Limited!
____________________________
Episode Notes
As part of the traditional Chats on the Road to Infosecurity Europe 2023 series, hosts Sean Martin and Marco Ciappelli welcome Paul Watts, keynote speaker, to discuss the importance of communication, collaboration, and diversity in cybersecurity.
The conversation touches on several topics, including the need for security professionals to understand customer needs, the importance of being agile and forward-thinking, and the value of having a nurturing relationship with the business. They also discuss Paul's session on the cybersecurity workforce, where he advocates for creativity and skills beyond just technical expertise.
Overall, the episode emphasizes the need for constant, progressive conversations and relationships with the business, recognizing that change is a two-way street. Paul invites listeners to join his sessions at InfoSecurity Europe and engage in meaningful conversations. We look forward to seeing you there!
____________________________
Resources
Learn more, explore the programme, and register for Infosecurity Europe: https://itspm.ag/iseu23
Catch Paul's session: Managing the Current Demands of a Cyber Workforce Whilst Looking to Secure the Workforce of the Future
Be sure to tune in to all of our Infosecurity Europe 2023 conference coverage: https://www.itspmagazine.com/infosecurity-europe-2023-infosec-london-cybersecurity-event-coverage
Catch the full Infosecurity Europe 2023 YouTube playlist: https://www.youtube.com/playlist?list=PLnYu0psdcllTOeLEfCLJlToZIoJtNJB6B
____________________________
If you are a cybersecurity vendor with a story to share, you can book your pre-event video podcast briefing here (https://itspm.ag/iseu23tsv) and your on-location audio podcast briefing here (https://itspm.ag/iseu23tsp).
Explore the full conference coverage sponsorship bundle here: https://itspm.ag/iseu23bndl
For more ITSPmagazine advertising and sponsorship opportunities:
👉 https://www.itspmagazine.com/advertise-on-itspmagazine-podcast
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
_________________________________________
Marco Ciappelli00:06
Marco, Shawn,
Sean Martin 00:09
it's good to talk.
Marco Ciappelli00:10
Yeah, slowly do their job. It's fighting and like, horrible.
Sean Martin 00:18
And sometimes, sometimes a one on one conversation is good. Sometimes you need the one too many, sometimes the many too many situations call for, for different types of talks and calm and, and desired outcomes probably as well. And I mean, it's something we've been talking about with respect to cybersecurity, right, making the connection between the seaso and the rest of the C suite and, and having the language and the and the skills and the tools to have that conversation, one on one, one to many, whatever it might be. And we've made progress. But there's more to do. And then I think, I think that's why the crude info security, Europe in London for their conferences here have invited our guests to be keynote speaker. And with that, as part of our coverage of info security, London, thrilled to have Paul Watson Paul, how are you?
Paul Watts01:17
Hey, I'm doing really well. Great. So thanks for having me along. And music to my ears. You know, the power of communication, when talking about cybersecurity is absolutely key. And we still get it wrong from time to time. So I think it's an interesting topic to discuss.
Marco Ciappelli01:34
Yeah, and more and more I have to say, for, for my own delight, which I love storytelling, it's, it's turning into that. And even when we will we cover events. There are more more episodes of getting together telling stories, not just about the technology. It's about translating the conversation involving more people in the conversation. So we know you have a couple of session there. But I would say before we get to that, who is Paul Weitz?
Paul Watts02:08
Well, that's a very interesting question. And so
Marco Ciappelli02:11
I think, although you don't need to go there. I was, I was born at a very early
Paul Watts02:15
age. So I've been working in in it for approaching 30 years now, which reminds me very much of my own mortality. But let's move on from that. And I've been working in cyber now for around about 18 years in in a variety of leadership roles. And I've had the great privilege to work in sectors such as financial services, critical national infrastructure, fast food, retail, analytics, market research. And, yeah, I've had a great time doing it. And I've got the scars to prove it like every other security leader. And just to seeing the evolution of our tradecraft as technology has become normalized in mainstream, it's moved from being business supporting to business enabling to now practically, the business, you know, we woke up one morning, and we found that the plastic computers were running everything so. So the way that we've had to take that conversation forward has equally changed over the years, as technology has become, you know, more accessible and easier to use by everybody. So why come and talk to us in the first place? And I think that's the recurring theme of the the two or three sessions that I will be having info security, Europe next week.
Sean Martin 03:37
I love it. And I was I often heard this from somebody and I was thinking maybe your your last name might be Daniels. And there's that infamous question. What first attracted you to the millionaire? And anyway, that's really a joke aside, all use that as kind of a tip tipping off point of that? That's an obvious question to an obvious answer, right. But for those, I'll have to include the link for somebody to read but what that's all about, but the point is, you ask an obvious question to get an obvious answer. It's not always obvious, either side and, and what might be obvious to you might not be obvious to the other person and vice versa. So maybe talk to me a little bit about kind of a level setting the Captain Obvious bar, if you will.
Paul Watts04:31
Well, I mean, it's actually quite straightforward. So let's take a typical scenario. So my, my wife will come up to me and she will say, Paul, I'm thirsty. And I'll go to the kitchen and I'll turn on the faucet and I'll make her a glass of water. I'll put it in front of her and I go, but there you go. She looked at me she was this. So when you said you were thirsty, she said, but I want a hot drink with sugar in it and all those little little umbrellas and and And actually what what that's what that's calling out is a problem that's blighted software delivery for many, many years, which is understand the customer requirement and understand where the value is. So when you think about that, in the context of security, there's, there's no point in coming to me with something to say, I'll look what I've made. And I say, No, you can't use that it's illegal. And so what point were you going to tell me that? Well, at what point were you going to ask me, and then you realize that fundamentally, the two, the two conversations never had an opportunity to start in the first place? And what's the consequence of that, but people cross the sidewalk, cross the street to avoid us, because when security just gets in the way, you know, it's a blocker. It's not making me successful, it's not allowing me to do things, it's slowing me down, it's costing me burden, it's adding friction. Nothing could be further from the truth, because security professionals don't come to work to be willfully obstructive. And, you know, back to the analogy of I want to drink or what type of drink you want. It starts with a conversation, ergo, the title of my throwdown on the first day of info security Europe is, it's good to talk because it absolutely is. So that's that's kind of where the start point from it, Shawn, really to be, to be honest, the power of communication.
Marco Ciappelli06:22
So sometimes I look back and you know, I'm relatively new in the industry, let's say, seven, eight years, and they come from communication, branding, marketing. So they're, you talk a lot, but But you tried always to understand the business. And at the beginning, you know, what, seven, eight years ago with students a long time ago now? It was it was what you said, I mean, you can do this, you can do that. And but I've seen changes, I've seen a lot more communication. But do you think we are there yet, but we're really far from it.
Paul Watts06:59
I think we're heading in the right direction. And I think you make a really good point, Marco. So my first Security Leadership job was in financial services heavily regulated. And if you wanted to do anything, you had to jump through certain hoops. And I was one of those hoops. So everything came past my desk, and I had the opportunity to rubber stamp it, or say no, go rework that do it again. But the reality was, you had to pass my rules, otherwise, Thou shalt not pass. And this technology has become easier to use from the mainstream. The reality is, is the business can then kind of cycle around us. And they've chosen to do that. So I think we've had to almost reinvent ourselves overnight, really. Now, we don't have the rulebook to Wave in the air and say, you know, you've got to go across my palm with silver, or this conversation or this thing isn't happening. We've actually had to become marketeers overnight. So where's the value in having a conversation with me? Well, the reality is, if you put something out that's inherently insecure, there be dragons. And we know what happens when those dragons bite. Now, nobody wants to feel the wrath of a breach, or a loss of service, or poor reputational damage or financial loss. So what security leaders and their teams have done is they've started to play on that to say, well, I can reduce the opportunity of that happening for you, if we have a conversation at the appropriate time. And the language has moved from a no, but to a yes, and, and because of that, we've started to enable the conversations to happen at the appropriate point. So actually, then security baked into those life cycles of projects and product development become less intrusive. And we're working together. And I use an analogy, I'll share this with you I talk about security, and how it's changed over the years, using the phrase done with sorry, done for and with, in the old days, security was done to a business, you know, very heavy duty controls policies, that couldn't be overcome. Then we were doing it for the business because everybody appreciated that they needed to be done. But the business wasn't really that interesting. So we were doing it for the business, because we were saving them from themselves, which is still a little bit rude, really, because we're kind of suggesting that the business are idiots, which is what we used to say. But I think we've kind of moved away from that now. We're now moving into a world where security is done with the business. Because we have a constructive collaborative relationship, where we recognize we look across the desk at each other and we say, we want the same things. We want prosperity. We want profit, we want margin, and we want success. And we're coming at it from slightly different angles. But we absolutely amplify the likelihood of us achieving those outcomes. If we work in unison, and we work together and we work in harmony. So now security is done with the business. Well
Sean Martin 10:00
Yep. And so another one of your sessions at the at the conference is on the workforce. Yeah. And so in what taking what you just said? I mean, when, when I hear the term cybersecurity and workforce, I'm thinking analysts and and people deploying protection technologies and kind of the core of the InfoSec workforce is, how do you view it as an analyst, and especially given the points of having conversations and the fact that we're doing stuff with the business? So you have app development and operations and whatnot. So your view on the workforce? Are we kind of, yeah, let's leave it there.
Paul Watts10:44
So this is a really interesting point short, I'm glad that you've raised it. And I don't want to give too much away, because I really want our listeners to be coming to info security and hearing it for themselves. But let's just talk about this a little bit, because I think it is really relevant. One of the challenges we've had, as we've evolved as security practitioners, or we've started to find that value of engagement with the business is, we still have what I would describe as blind spots. Now, you know, I've been around for a long, long time. And the reality of it is that people of my generation came from a highly technical background. So we learned the tradecraft of cyber information security through the technology, and that medium. And what I think that's done is that's that's inhibited our broader development, and it stifles the way that we engage with business. So what do I mean by that, I make a call to our industry and a call to the academia and the classrooms that are bringing the next generation workforce together, we absolutely need a diversity of skills in the cyber security workforce. And I use the phrase bring me the creatives upstairs, share a story with you, if I may. So when I was working for the UK railroad operator, this is back in sort of 2014 2015. We were really struggling to land our communications campaign, we were doing a big cybersecurity transformation program. And you know, suits like me, were trying to tell the business owner, it's really important to follow these tips. And it was all very mechanical. And it didn't, it didn't really resonate, didn't work particularly well. And I was standing in a coffee queue. And the young lady called Georgina came up to me. And Georgina was a communications and branding executive, she did internal communications and program communicated with the public, and so forth. And she said, See what you're trying to do. And I think I can help but I don't know anything about cybersecurity. And I said, Okay, let me buy you a coffee. And we sat down, and she said, Look, you're missing fundamental basics of marketing and communications, you know, you've got to understand the groups that you're communicating to understand your core messages, translate them, so that they resonate, strike an empathetic pitch with the people that you're trying to talk to. And she reconstructed the way that we did that, that communication and awareness, and it was an absolute slam dunk. And from that point on, I was sold, that actually, we were part of the problem, because we recognize now that we needed humanities, students, artists, visual people, and we needed those skills to be brought into the tradecraft of cybersecurity. Now, herein lies a problem. And this is a slightly controversial thing that I'm going to surface it Infosecurity Europe next week, we need to acknowledge that we've got blind spots, cyber security leaders, we have to acknowledge the fact that we need to recognize that we need those broader skills to augment what we know, over the years of experience that we've gained to be absolutely nailing the relationship with our business and driving true business value. Now, that's a hard thing to say to a security who's around 20 years and thinks they know it all. They don't. And the market for our trade skills has changed. And if we don't change with the demands of our consumer, we then start to lose relevance. And that potentially becomes a problem down the line. And one of the things that I I do some lecturing at universities, which I'm absolutely privileged to do, and if it feels right, because you're paying forward. And I say to them, what are you being taught about marketing and communication to this? And they said, Whoa, I know how to, you know, all this technical stuff, and they're in the business of risk management. So and I look at the lecturers and they say, you're letting the students down, because they need to be entering our industry with a breadth of skills that transcend just the technicalities of doing cybersecurity. And I think that's vitally important. And we need to be doing more of that. Sorry, I get on my soapbox a little bit, because I do feel quite strongly about that. But hopefully that's answered your question, Shawn.
Sean Martin 14:49
Yeah, absolutely.
Marco Ciappelli14:51
Yeah. I have a comment on that if, Shawn if I can, quickly. I think it applies to a lot of other a Um, industries, I give you an example. medical industry doctors when you go and you need to have, you need to have people skills. It's not just about telling, this is what you got. And this is what you have to do to get cure, you need that interrelationship skills. And I was talking to actually the former CEO of Kaiser Permanente here and he was talking about this things like, we need to insert in the curriculum of medical doctor psychology in the way that you communicate with people. And I can think many other industry that do that. So I'm 100% with you on, on these for info security.
Paul Watts15:47
I totally agree, a little bit of bedside manner goes a very, very long way. Especially if you do take the old school approach, and you rampage into a project meeting ago, stop everything, because you've you've not filled in form a 123 dash 54 C, and you can't proceed past Stage Gate three to get you going. This guy is always going to be found in the kitchen at parties, you know, you've got to match. It's match pitch. Read the room is basic emotional intelligence. And unfortunately, it's sadly lacking in a number of areas. And Mark, your point is well made, this isn't just something that cyber has to worry about this is, you know, many industries where you know, the importance of of that, that resonating relationship finding that that impasse between the two of you getting past is so so, so important.
Sean Martin 16:38
So, so many questions in my mind, I feel like we could just wrap for the whole day here. But I want to, I want to connect it to to one of your other sessions around outsmarting cyber criminals, because what what I'm hearing here is understanding the business, right doing being part or being with the business. So that assumes you have some vision of where you want to go, and how you want to get there. And then you throw regulation in the mix, right kind of to your point where you you can go there, but only if you pass through these gates successfully, which kind of could could slow things down. And in some cases, you can't get around those. So how to side with cybersecurity play a role there. And then we have the cyber criminals who have neither of those constraints, right. They don't have to abide by the the ethics of the company or the or achieve the same growth rates and have issues with staffing and things like that. And education. They just in their no boundaries from from a from a compliance perspective, they just go. So there's this race between the tortoise and the hare. And one of them is wearing a big backpack, lugging them down. And then the other is just kind of fun, freely. So how do you tying in that that third session, that your part? I think that's a panel discussion with with a few folks? Yeah, how does that change the conversation?
Paul Watts18:15
I think we are moving away from the world of managing risk versus reward. And we're now actually talking about the language of business resiliency. What do I mean by that? Spoiler alert, getting breached is no longer a matter of if it's now a matter of when. So we need to think about how we drive the agility into our people, our process and our technologies. So that we can spot these things quickly. We can act swiftly to contain and limit the damage. Now in order to do that you have to be thinking about security from cradle to grave, you know, and you're almost, you're selling the importance of security being something that threads itself right the way through business. But now, it's not a question of measure and countermeasure, you've always got to be ready for the inevitable to happen. Now, this doesn't mean that you have to take a slower approach, you know, we've just exited from a big global pandemic, the markets are in a bit of a mess. You're earning every dime cent and dollar that's that's afforded to you. It's a very competitive world. And organizations still need that competitive edge. They need that ability to innovate, they need that ability to be out front. And it's absolutely possible to do that and be resilient. But what you need is agility both on the side of security and on the side of business as well. And this kind of brings me back to the importance of communication and collaboration and it being a two way street. You know, if we're having the conversations about we want to use I don't know let's talk about AI everybody else is down at us get on the bandwagon right here. Let's talk about chat. GPT It's great. What do you what do you use it for the
Sean Martin 20:02
conversation there?
Paul Watts20:03
What are the pros? What are the cons is going to this with our eyes really, really wide open? Because if we don't, and the business says we're just gonna go and do this anyway, we'll just kind of give pulled a swerve, and we just won't talk to him. And then something happens. We know what happens, the business come back to us and go, How did you let that happen? Why was your sock not detecting that? And why didn't this happen? And why? Well, we need to have that that balanced conversation between the two of us, right. The other thing is to think like an attacker. So the importance of you know, read, carefully rehearsing using red teaming, blue teaming, purple teaming, just making sure that your your skills are honed situational awareness, making sure that your workforce has a is operating in a culture of of being able to feel comfortable to say, I think there's a problem here, or I think I've clicked on something I shouldn't, or I think I might have done a thing. Rather than say, it's gonna get me fired, because I'm just not going to say anything. And in the meantime, you've got an attacker in your environment moving laterally, and you know what happens next. So there's a number of moving parts that allow us to behave in the way that we need to behave. And it just comes back to the importance of recognizing that change is a two way street, there's things that we need to do differently, and we're starting to change, there's things that the business need to do to pull their weight, and they need to be able to change as well. So there's a lot to unpack there. I appreciate that. I think if you want to hear more, you're gonna have to come to London, right?
Sean Martin 21:39
Yep, that's a panel to partake in, for sure.
Marco Ciappelli21:42
Ya know, a lot to think there and make me think about some other conversation we had shown in the past about trust is not is not about, I'm going to trust you, if you tell me that I'm going to be unhackable unbeatable, if you're going to protect me 100%, it's to say, I'll do my best. And my best. You know, it's a two way things like communication, you know, it's not just this department, it's everybody, as a culture that we do something about it. So I think you can look at from that perspective, which bring back the soft skill of communication. So we, we've gone the full circle here, right?
Paul Watts22:27
I think it's also important to recognize the cyclical nature of the wealth that we operate in. Because, as I said, you know, there's a lot of moving parts. So the business is now moving at breakneck speed, it's innovating as quickly as possible to stay competitive, we're trying new things, we're playing with chat, GVC, we're playing with new technology, we're embracing automation. The threat actors are just as innovative. And they're trying new cool stuff as well. I mean, I don't think should really be cooling it cool. But there is creative and innovative as we are. So we have to be as cool and innovative. And as agile as they are, you've also got to have the outline, you've got to have your your people looking into the future, you know, the organization that I worked for the information security for, and we have a paper called threat horizon. And it's very, very popular because what we're doing is we're encouraging both technology and business stakeholders to think about the things that could be influencing them in the future. So you think about the threat landscape, but you have to think about that in the context of your organization's strategy. And you have to be interested in the organization's strategy. So it's not just about a risk practitioner managing a risk register. It's about thinking about the ultimate outcomes you're trying to drive and taking early action, so that when the worst happens, when not if you're ready for it, if your competitors aren't doing that, they're immediately on the backfoot when the next threat lands, and they've got to think about what they're going to do that. And in the meantime, you're flying because you've already got a plan A, B and C and yourself, you've got the competitive edge. That's why it's so important. And it changes over and over and over again. It's just a merry go round. I talked to people and they say, I've just completed a five year cybersecurity transformation program, Mike drop, like a great, what next? Take. There is at the beginning, a middle or an end. Now tell me how you're going to sustain that? Well, I haven't I haven't told the board that it's going to cost him 20 million US to run this every year. Well, I think you'd probably need to do that pretty quick, to be fair, because they now think they're secure, because you've just delivered that five year program. But the world's changed. Now you got to start over again. And again and again.
Sean Martin 24:38
And every every industry is different. I remember working with some defense departments in the US government when I was working for a security company, the lifecycle of those programs. I mean, you you're behind before you start almost and then five years later, you're implementing what you defined five years ago and it's crazy. So having a regular conversation, regardless of what the plan looks like, I think, ultimately really matters.
Paul Watts25:07
It's interesting as well short, so not wishing to come back to AI and machine learning, but it's the hot topic. There's this expectation that the law Lords and the regulators are going to catch up, and they're going to show us the path to righteousness and set out what's right and what's wrong. We've been around for a while. And we know that this isn't going to happen, it's going to take legislators time to catch up. We also have geopolitical risks now. So our determination of what's morally and ethically right for AI and ML in one part of the planet may be different or perceived differently. And another, so we have to unpick all of that. But the reality is this technology is here today. And we've got to deal with it today. Which means that we've got to decide our own rights and wrongs and our own risks and rewards if we want to leverage this technology to remain competitive. And when the legislation catches up, we will have to adapt to become compliant to it, I don't think we're ever going to be in a situation where the rules of the road will be set. Before we set off down the road. Unfortunately, we don't have the luxury of being in that position. But that makes it all the more important for security leaders and their teams to be having constant progressive conversations and relationships with the business. So that when they thinking about doing something, they say, get to hang out with the security guys and get their take on this. Because I want to start off in the right direction. Because if it turns out three, three years from now, they was completely the wrong direction. What are we gonna do? I can take the seats out the back and fire him. Yeah, that's, that's pretty that sport, right? That's generally what happens is it blame the security guy. But that's not how we want this to be, you know, we don't want to be, you know, operating, looking over our shoulder worrying about, you know, where the next blade is going to come from. We want this to be a nurturing relationship, in a culture that's fresh, and invigorating and innovative, and not stifled and governed by rules. And by fear, you know, we want to change. So, you know, that's that's the journey that security is trying to take itself.
Sean Martin 27:08
And firing. Firing the seaso didn't solve the problem.
Paul Watts27:11
Solve the problem, because you still got a mess to clean up. That is a scapegoat. And that's just not the right answer.
Sean Martin 27:19
Well, so many, so many things to talk about. We can't do that all here. You have three sessions security in the business, it's good to talk on Tuesday, 20th, less than 45 and 55. You have a panel on outsmarting cyber criminals, that's also on Tuesday looks like it's just after that. So kind of you have your short, your short, short bursts, and then a nice chat to break that apart a bit. And then on Wednesday, well, your trio of things here you have managing the current demands of a cyber workforce whilst looking to secure the workforce of the future. That's merely two o'clock just before to
Paul Watts28:02
have a lot to unpick are very grateful that I've been given the three the three sessions and I mean, I'd love to continue this conversation with your good selves. And no doubt we'll get an opportunity next week and, you know, called out to others who are going to attend info security Europe, you know, I'll be around for at least the first two days, maybe the third, coming out of a conversation, you know, there's a lot to unpack here
Sean Martin 28:24
to get into talk. So I hear
Marco Ciappelli28:30
you learn the lesson. And I think the lesson here is that if if half of our conversation there, and anybody that's that comes to London to the event or as you know, 150 as interesting as this one we just had with you, I think we're all for him for for really great event. So I invite everybody to come and join your session, but also, like you said, to hang out, take the opportunity, mingle network, and rethink the power of info security, Excel London, the 20th 21st 22nd, June 2023. And we'll we'll see you all there. Be there be square
Sean Martin 29:14
scrawl sessions in the shownotes. And we touched on a few topics marker that we've had conversations about as well. So we'll link to those people can get a head start. And of course, stay tuned. We have a lot more coverage coming this weekend throughout the conference itself. So we look forward to sharing those stories with you and hopefully becoming part of it as well. So, Paul, thanks again for your time and good luck next week with the sessions and the conversations and see everybody there.
Paul Watts29:44
enjoyed the conversation, gents. Thank you very much. See you next week. See ya