
Cyber Relevance – The Titanic Effect

BSides Lancashire, 23:07, published 2024-04

Cool, hands over to you. So what do I want you to take away from this talk? The cyber security market is really unusual: unlike a lot of industries, it is almost entirely driven by PR, sales and marketing, which would be fine if ships don't sink. If security is done badly, how does a cyber security leader wade through the waters, avoid sinking and float away like Rose did? Through prioritizing cyber defense relevance, which is what I'm going to talk about. So who am I? I'm Rosie Anderson. I wear many hats, including apparently being one of the most inspiring women in cyber, which I find cringe. I'm one of the organizers of this BSides, but

I'm going to talk to you as head of solutions for that security company. You'll notice I said head of solutions and not sales; it's a role that's created to be a problem solver and not a sales droid desperately trying to hit KPIs. So my role is very much having conversations with customers to help pick out the relevant problems and pains for that customer. So my background before working in this role was recruitment. So someone is actually ringing me; I wonder who that was, sorry. My role before working in cyber, which I've only actually been doing for 6 months now, was recruitment. So now, instead of solving hiring problems for customers, I'm trying to

help solve the cyber security challenges and find the right solution. If you think of your standard GP: if you have a headache and you go to a doctor, a standard doctor will give you painkillers, but a good doctor will start to look at what those underlying conditions are, like what's causing that headache, and that's what we try to do, or what I try and do with my role. So why is this an important approach to cyber? Because relevance matters. So if we think about the Titanic: the Titanic had 2,200 people but only lifeboats for 1,200. One of the main reasons was that it was told it was unsinkable, which meant cluttering it with lifeboats was deemed

unnecessary, and it was a contradictory PR move. The owners of the Titanic didn't prepare for the relevant threats it could face and they neglected to put defense in depth measures in place; instead they entrusted safety to the designers and PR spinners wanting to sell tickets. Try and slow down. When we encourage companies to buy the next AI-powered humanless SOC magic genie tool, we're encouraging this Titanic effect. Vendors selling their solution to cyber risk, for example, are selling that unsinkable ship, and we all know what happened there. So what is the problem that we see? When one vendor supplies one tool to meet all of the business security requirements, they're encouraging this Titanic effect. Vendors don't use

tactics that don't work; they're selling a cure and people buy it. If leaders don't stop and think about your specific business needs and buy tools and services with relevance in mind, you're heading for an iceberg that you don't have the rescue boats for. The common rhetoric that we hear is "the board needs to understand cyber security", but the truth is cyber security needs to be able to communicate with that board in language that they understand, they respect and they act upon. One of the key lessons here is that understanding a business, its drivers, its goals, its plans, and even things such as how high-profile the board members are in the press, for example, can have a huge

impact on your threat profile. Business stakeholders need to have faith in those security teams, but it's even more critical that those security teams and providers understand the business's goals, how it operates, how it works really, to ensure they guard against those icebergs. You're going to get lots of references to icebergs, I'm really, really sorry. Okay, you only have to go to Infosec, I'm not going to say BSides, you only have to go to Infosec or any other highly vendor-driven conference and you'll see really bold claims from providers: they might end cyber risk, or they might use the moon's gravitational pull to predict security breaches, and these claims don't help our cause as an industry. Now we can laugh at

the vendors and we can laugh at their outrageous claims, but we're not laughing at the people who are buying these solutions. The same as with the Titanic: the people that boarded that ship were not to blame for it sinking, and neither was the crew, or, I can't see my notes if I press down, that, yes, that's fine, neither was the crew. The problem was the PR spinners and the stakeholders who were responsible for selling that impossible dream that married a solution to a problem: affordable travel and an opportunity of a new life in America was what was sold, the same as if you sell complete cyber defense. We cannot solve problems with

tools alone, and we cannot entrust our business security to PR spinners like the builders of the Titanic did. I have lost my mouse, give me one second there. Okay, so how do we navigate this? Speaking the language of the board is a great indicator of success in getting your projects approved. It's all very well a cyber security manager wants a shiny new tool that they heard about at a conference, normally paid for by sales departments of vendors, but normally the board has to approve that purchase. If cyber security isn't on the board's agenda and the risk isn't contextualized to what they understand, it's very unlikely to get approved. So you might have a CEO who hires

an accountancy firm because the end goal is to not inadvertently commit tax fraud and end up in jail. That accountancy firm calls the CEO; they're upselling a digital solution for expense policy. The CEO thinks: do I go to prison if I don't buy this tool? I'm not interested. Then the tool has not been aligned to the point of the CEO using that service. To be successful at persuading the board, oh crap, wrong button, ah, be with two screens, to be successful at persuading the board to purchase cyber solutions we've got to articulate how buying that tool, that product, that SIEM, that pentest impacts the bottom line, or what the risk of the problem is, of the bottom line being

infected, if they don't do what we want them to do and give us the money. It's really nice to be a secure business, and it's nice to have an office with bean bags and beer fridges, but if it doesn't have a positive impact on the business, why will the board care? So another metaphor for you: head of facilities wants a budget to make a new break room with a pool table, bean bags, emotional support dog, calm room. Again, your CEO: do I go to prison if I say no? Does anyone die if I say no? Do I lose money if I say no? What are they going to say? However, if we bridge this as: we have

really low staff retention, we've got really low morale, we're losing money, we're losing staff to our competitors, and we are paying money hand over fist in recruitment fees; if you give me 20K to build what I want to build, I'll save you 75K on recruitment costs in 2024 alone. Suddenly you're allowed to build up a proposal. So it's really important to think how your board thinks if you're trying to get your projects approved. Another aspect of relevance is specifically the threats the business is going to face, for example activists. Now some businesses aren't going to get attacked, you would think, by those specific threat actors, but when you're dealing with a mature company

that understands those attacks, understands their threat profile, relevance is being taken into account for the business. Another issue we see is the language that's being used between security teams, IT teams, heads of security; it's so fractured. One person's talking tech and the other one's saying, I haven't got a clue what you're saying, you're wasting my time. So to get what you want from the board you've got to speak the language of finance in the C-suite. Again, another example for you: a small investment firm wants a vulnerability management tool. They might not need one, but they want one. They explained to the board: we're going to use this tool and this is how we're going to do

it. It's going to increase our own cyber defenses, but it's also going to scan up-and-coming investments to look at how secure they are. If they don't have security in place, it allows us to do better due diligence; we might be able to make purchases cheaper. So by aligning with what we know the business goals are, make new investments, find cheaper ways to find new investments, you've got better success of getting your budget approved. And how do we stop those pesky ticket sellers of unsinkable ships? Having a community of peers like we have right now, BSides, can help stop bad practices: reference checking with your peers, have you used this tool, what do you think, getting that

sort of experience, calling out and questioning bad practices, and sharing knowledge, like sharing success stories, sharing our problems with our peers, helps build that community. So, I've lost my mouse again. If your business has a clear business strategy, a 12-year plan, a 12-month plan, 2-year plan, 5-year plan, it makes it a lot easier to align your security goals to it. However, if you're not in that enviable position, I've created like a checklist that you can scan of things to consider. It does work, or it did work this

morning, so if anyone wants that after, just message me, don't want to scan links. So, future predictions: the industry will mature like the IT industry did. Cyber security is where IT was 20 years ago. There will become a point where regulation does overpower PR. If we think about the Titanic, you know, those regulations were outdated; there's now rescue strategies that businesses have to do if you're floating ships. We're already seeing this with the SEC in America, so new regulations that are coming out there: you must disclose a material incident within 4 days, things like that, and any publicly traded bodies have to expect to be attacked and

be prepared. Companies that make these really bold and untrue claims will eventually struggle and, fingers crossed, be called out for what they're doing. I think there in the mainstream media a business has been called out as snake oil, so the message is getting out there, but no business is too big to fail. Stop trying to solve problems with tools alone and think about your relevance. Just because a new product, tool, practice is in fashion doesn't mean it's a requirement for your business's security success. There are no silver bullets, there are no useful cookie-cutter solutions, and vendors are being exploitative to think they can play GP and prescribe open brain surgery for a minor headache. If we question how someone

can sell to your problems when they don't know anything about what those problems are: they're counting on you not knowing what you need. And that is me done, if my slides work.

Oh no. So there's a lot of courses that new people into cyber can go on to learn the technical aspects and the technology etc. What would you recommend, though, for somebody relatively new to cyber, or someone who needs to move out of the technical domain: how could they potentially go and learn to think more strategically and speak more so? It's practice, so like for me, I'm doing that now, I'm learning how to speak to people. It's asking open questions and not being afraid to say, I don't know the answer to that, but tell me more about what you do, and having that time with practicing explaining things. So for example, one of the things

I try and do is I try and explain to my eight-year-old what I do for a job, and if he can understand it then I try and explain to Tom M, who doesn't understand, but it means that you keep practicing how you say things, and going and speaking to other leaders. I wouldn't recommend any courses because I don't know what are the best ones for that, but there will be courses that you can do as well. Add on that, yeah: talk to old people who've been around for a long time. I look back to my first job when I worked at BT, before BT, British Telecom, we had the 7 in club logo.

I would suggest something to senior management, to my senior team, yeah, and then my boss, who was several years older than me, you know, about my age now when I was 20, exactly the same thing: oh yeah, yeah, that's really good. And it's grey hair and it's maturity, so I think you can't expect to go in as a very young person until you build that credibility. You will build that credibility, okay, right, sitting in, listening and testing the water, but over time it just builds, and once you've got that sort of credibility. I recruited a young lady into my

team a few years ago and she would have been about 20 when I recruited her, absolutely brilliant as a security specialist, absolutely top level, and we went into the board and said we want to do this, this, this, and so she presented it all; she knew all that stuff, she put all the stuff together, and the board looked at me and said, is that right? She's a specialist, and that helped her get the credibility. It's just that sort of, I recruited her because she's a specialist. So there's a certain amount of that that will happen, but definitely, if you want to start talking to board people you have to think like board people, which means

unfortunately you have to get out of the technical world and, you know, get into risk, profit, all those things. I think you're right, actually. I think one of the challenges for people who are young is they're normally so enthusiastic about doing the right thing, they have all these really good creative ideas, and what they don't do is they think, it's so obvious, why is nobody doing it? But they don't take a step back and think, actually, from the other side, why is it important to that person, and tell the story. I can't remember who, but somebody used to say to me that their job wasn't CISO, so, Chief Story, and that's part of it, yeah, yeah,

yeah. There's been a trend that a CISO should be technical. I'll put my, I'm going to put this back here, yes. A CISO should be technical, but it doesn't mean they've got to be technically hands-on today, right, at the end of the day, the skills, because you can't know. Sorry, I feel like the conversation between business and cyber is always going to be, because cyber seems to be more willing to admit we don't know everything, where tech feel like "I do", and I feel like you're losing the conversation when you say "I don't know", now we can't promise. You feel like cyber is going to be at a disadvantage because we have more of those people, and I think pretending that you know something is back into that lying; you're going to get caught in a lie if you

pretend that you know all the answers. Same with the board: the board doesn't know all the answers, they just have to make the best decision on that day, but they do, like they do, yeah, that's what I mean, quite, yeah. Well, I wouldn't want it to, because if you ask a cyber person, if you ask a CISO, am I going to get breached today, you don't want to say yes or no; "it depends" is such a phrase for a reason. You mentioned that, a bit like, I suppose, when you look back at health and safety, and then it's designed into the buildings, just, we do. What do you think it's

going to take for it to get important? I would hope that we're up to much legislation, we'll have [inaudible] I feel as an industry, but we need some legislation to the bold claims. You look at some of the claims and we laugh at them as an industry, you know, we can't, cyber, nothing is actually military grade, nothing's unhackable, but there needs to be something around that, because a business owner is going to buy that solution thinking, I've got a CISO, I'm covered, I've got the tool, I will not get hacked, and they will, eventually everyone will. Eventually, hopefully. Charles, that's where the consultancy is

coming in as well, is it, because she used to drive me [inaudible] when I worked, conference, because we buy these security tools because they happen to be up there, and to do that, yeah. Now the reality is we actually, the tool properly, it can do that, that you'd actually bought 15 other tools that do that and that, and I think some of the value that consultancies or good CISO people can add is taking that step back and going, okay, I don't really want to just buy the new sexy toy, I want to look at what we've got, work out whether it can do the 80/20, absolutely exploit what you've got, what you already know. Yeah, if you bought a tool, train yourself

in it, or train your team in it, learn everything that it will do, do absolutely everything, work, yes, because you're better off having 80% covered than 20 tools to do it. Secondly, you talk about talking in relevance to C-level; where do you think in the industry that starts? Oh, it should start at junior SOC analyst level, SOC manager level, head of SOC level, where do you think that starts? At some point SOC analysts should be able to talk to peers and one above, maybe not easy, you need your SOC lead and SOC managers, I would suggest, but there are things like reverse mentoring that can happen in the business, and it depends on the size of the business. A CISO of a 50-person company will probably talk to everybody in that company; they probably don't have a security department,

how much person to be P, but you should be able to talk to your leaders, and leaders should be visible. Now it will be very different in a Fortune 500 company where they're in an ivory tower; you've got to get in with them, but it's practice, it's speaking to the peers, it's speaking to managers, it's coming to conferences like this. You want to talk to a CISO, come to a conference and talk to them there. Practice: what do they care about, what's important to them? Same with the board: if you know you have a board made up of five people, research those people; you need to know what they're like, how risk averse they are,

how, you know, how to communicate with them, what presses their buttons, what do they care about, and that's where that relevance is, that the checklist started. Anyone, questions? I'll throw back: day one. When you want to start talking, start day one. If you can't write the document, all the work you've done is [inaudible], and people ask me the path to learn to get into security: how to write, how to present, how to stand up there and talk to people, how to use Excel, delete, delete Excel, yeah. If you can't, you say, can you explain to your 8-year-old? Well, that's great, but if you can't explain to somebody, meaning why should I do this, why should I care, why should I do this, why should I care, does somebody die if I didn't do this? Thank you.