
Hello. Hey. So, my name is Paul and I'm a cyber security prof... oh, hang on. My name is Paul and I'm a cyber security professional. Confession time: this is my first BSides, and what a beautiful venue this is. University of Exeter. This campus is officially known as a botanical garden. Did you know that? >> Yeah. Officially known as a botanical garden. It's also credited with some of the inspiration for the Harry Potter films. I've never watched a Harry Potter film in my life. Please don't pelt me with fruit. Apparently Martin Hall is the inspiration for the Gryffindor common room. Go check it out. I spent some time with Manoj in the
retro room revisiting my former youth. My first computer was an Acorn Electron, which I got working, and we played Chuckie Egg. It's funny that you remember those stupid games I played in the 80s. I got through three levels before I even realized that Manoj was wanting to go. But you know, there you go. Sorry, buddy. So, what I'm going to do now is offer what I know as unsolicited advice. And the interesting thing about me is I suffer from a phenomenon that we're going to talk a bit about later called imposter syndrome. And I was kind of thinking in the few minutes running up to this, who am I to stand here
and tell you what a good cyber security leader should be doing? But, you know, I've been doing it for a while, so I figure there's no harm in that, right? Some of the things you'll agree with, some of the things you'll disagree with. Stop me and ask questions; let's make this interactive. I'm not fast, you know. Let's have a conversation about this stuff. I asked Gemini to do the obligatory "build me a slide", which it commonly did. Didn't do a bad job. So, I've been working in IT for three decades, cyber security leadership for two. I actually started life as a business intelligence, data warehousing type of guy, data nerd if
you will, and moved my way through IT service management because I figured I should probably learn how these bricks and tricks and toys work. And then moved into disaster recovery, and then moved into information security leadership because I looked up at the wrong moment, critically at the wrong moment, in a meeting, and I never looked back. I'm inspired by a couple of things. As we talked earlier, where's Peter? WarGames. That film is what got me hooked on cyber security, and I would encourage you to watch that film. There are some real parallels with the challenges that we face right now that I kind of called out in
that film. There's a character in the film, I won't spoil it too much, Professor Stephen Falken. And back in the 80s, I was really confused. So he was the guy that created this machine that helped the US military gain World War II, to make sure they could win it, right? And he got very disenfranchised with what he'd unleashed upon the world. So he turned his back on technology, moved to Goose Island, Oregon, and became a paleontologist. And I thought, why would you give up doing this fantastic, phenomenal, innovative, groundbreaking world of information technology? But as I reach my
middle-aged years, I'm starting to see that maybe he was on to something. Things aren't slowing down, they're speeding up, and I'm not getting any younger. So that's a challenge in itself. I'm getting to the point now where I'm thinking about who's going to survive security leadership after I go off and tend my allotment. Maybe some of you are in here now. So, what I'm going to impart is a few words of wisdom about security leadership. Take it or leave it. I think they also apply to any role that you do in technology, to be honest with you, because I'm going to talk a little bit about the interplay
between technology, security and the business, and some of the challenges we face with modern-day innovation. Anyway, I just spent four years working in research at the Information Security Forum. Look them up, great bunch. Looking at it through the lens of security leadership. And I got teased back into taking a CISO role in the video games industry. Let me tell you a little bit about the video games industry. It's bonkers. Now, the thing about it... there'd normally be some audio for this, but that's fine. The video games industry is moving at the speed of light. We also do media and entertainment. So, we're a B2B. We work with all the big
game studios, and we are responsible for delivering and making video games, media and entertainment in an industry that eclipses movies and music combined. It's phenomenally sized in terms of capitalization. It's gigantic. There are a lot of creative people who work in the video games industry. Do you think they're remotely interested in governance, risk, compliance, patching, hygiene? And that's the challenge that a lot of CISOs face. You know, we live in a... we want to live in a perfect world. We crave structure, rigor, policies, compliance. That's the world that we live in. But that's not the perfect world. I've had to learn a whole new industry.
I've never worked in video games before. I barely played Chuckie Egg. I got beat in bloody Road Rash. Come on. How am I supposed to play World of Warcraft and all of this other stuff? GTA something or other. Don't ask me about that game, I've signed an NDA. But the point I think I'm trying to make with all of that is every industry, every vertical that you will ever work in is different from the last one. There is no such thing as the perfect way to do security leadership. There's no such thing as the perfect way to do cyber security. And I've had to learn that all over again. It is a lot of fun though. I
mean, it is a lot of fun, and the stuff that those guys do is just insane. I love the creative mind. I wish I could do more of that myself. Okay. So, I'm going to start with a bit of a first opinion, and it's simply this: cyber leadership isn't something that's taught as such. It's something that gets grown. It gets nurtured, and you get that through real-world experiences. Some of those experiences are good. Some of those experiences are not so good. Right, Harriet? You know, wow. I mean, I can't beat that story. When I was working at the ISF, I did some research into cyber security leadership. I'm using my notes, by the
way, because I'm middle-aged. I can't remember anything. Leadership qualifications, if they exist, all they're ever going to do is ice a cake, because the skills that you need to become a security leader can't be acquired and demonstrated through a piece of paper. Might set you off on the right footing, but you learn by doing, right? You hear the concept of the accidental CISO: someone who one day wakes up and they're told, right, you're in charge of security. That's a really difficult gig. I've spoken to a couple of people who found themselves in that, and it's like being dropped into the deep end, particularly if the business doesn't really know why they
need a CISO but they've just appointed you as one. That's a challenging environment to be in. So let me start with one of the biggest lessons I've learned as a cyber security leader, and it's about the importance of relationships. So I'm going to impart some relationship advice. This is going to end badly. My wife's not listening. I wrote it down so I made sure I got it right. But to me, a good relationship isn't inherited or inferred. It should never be ruled by fear. And it should never be an uncomfortable détente. A good relationship is earned through dialogue, agreeable disagreement, the odd night on the couch, but most importantly through dialogue, understanding, and empathy and
trust. And all of that is really, really important. Hereby, lesson number one. And this one's always an interesting and challenging conversation to have with people. So, I start with a rule of thumb when I work in a new gig. I work on the assumption that the other person I'm talking to thinks I'm a worthless piece of crap, and I'm getting in their way, and I need to earn my stripes, not be the one that's shouting the loudest. That's how I see security leadership work. We've come from a world where technology was really, really hard and we exploited that as the leaders of yesteryear. If the business wanted to work with technology, that had to come through us.
We used that to steal a bit of power and control and a bit of authority. We thought that that policy statement that we used to walk around with and wave in the air was the reason why we commanded people's respect and we got that engagement. That's not how it works anymore. My mom can spin up a data center in the cloud with a credit card and a website. God only help us if she ever tries. But the reality is you don't need to go through security to innovate in technology in the modern business. Unfortunately, that's just not the way it works. My first big security leadership role was in financial services. I used to look after the UK's
cheque clearing utility. We'll come back to that a little bit later on. And it lulled me into a false sense of security, because over seven years I hid behind a cheque and credit clearing company, financial services regulator, APACS, all these big scary words and statutes and rules that people had to apply. People did what they were bloody well told. Easy. This security stuff's easy. And then I left that role and I moved into retail. Worked for a company called Home Retail Group, parent company of what used to be Argos, Homebase, Habitat. Remember them? Laminated book of dreams, the very thing that killed the company actually, but that's another story altogether. I thought, well, this is
fine. I'll just pick up the rule book and go wandering in, and discovered that there wasn't any rule book and people were crossing the road to avoid me. And I thought, oh, hang on a minute. This is going to be a little bit harder than I'm used to. What am I doing wrong? There is no rinse and repeat. You know, the Google search, rinse and repeat methodology for security leadership didn't exist. And I learned something very, very quickly. No matter how hard I try or how much I think it's true, I will never be the most important person in the room. Why? It's not my business. It's their business. They're moving in a particular direction. There's a set of
outcomes that they are trying to achieve as business owners. It's my job to run alongside them and be their critical friend, but I've got to do that in a way that resonates with what it is they're trying to do as a business. So, it's about value outcomes. So, if all I'm doing is talking to the business about rules and regulations and risk, and I'm not talking about cost and agility and control and innovation, I'm not floating their boat. So I have to think about the way that I sell what it is I and my team do to the business as something that they want to buy, and it shouldn't be a forced sell. I think it might even be you,
Harry, who said it earlier that we can't rule through fear. Fear, uncertainty and doubt is not the way to do cyber security in modern business. We have to be running alongside that business, adding value to it. The minute you stop doing that, they're gone. They're gone. They're just not going to be interested in you. So security has to be done for and with a business, not to it. If you take a step back and that's your mentality to doing cyber security, you are on a course that's not going to end well for you, because that's not how modern business wants to work anymore. While we're talking about this, I would normally do this in security
conferences full of suited and booted CISOs. I'll chuck the question out there. Should the CISO be on a board? Hands up for no, hands up for yes. So, I wonder how much of that is driven by ego, power, and control versus collaboration, capability, and value. To me, a CISO on a board is a conflict of interest. How can you be a critical friend and have executive accountabilities? What if the board is being incentivized to take 25% operating cost out of the organization, but you know, because your risk data is telling you, that you need to add 25% operating cost to the organization for it to remain safe? What do you do? Do you turn
your back on your business to take a cut? Or do you upset your colleagues on the board? That's not a situation you want to be in. Either be a trusted adviser or don't be a trusted adviser. But I don't necessarily agree that being on that board is the right answer. Equally, if you are on that board, you're giving them an opportunity to go, who's on the board? Ah, we can kick this cyber security stuff into the long grass because it's his problem. You don't want to create that situation for yourself. It's hard enough getting them to take responsibility for it. I'm not going to make it any easier for them by abdicating responsibility, by sitting on
the very same board. Final word on humility. And this is also quite practical advice when you're working with internal audit. Don't bluff. One of the most powerful statements you can make is "I don't know. We'll find out." You don't have to have all of the answers. A lot of CISOs burn themselves out by thinking that they've got to be across everything and anything all of the time, 24 hours a day, 7 days a week. It's not true. Humility: it's an important characteristic of a security leader. Some do it better than others. And I've learned that through good and bad, as I said before, but it's powerful. You know, the idea of
the servant leader. Remember this, and you'll see it at the end as well. Remember why you're there, because without them there's no need for you. So why would you fight that system, that humility? Anyway, that's the first point. In the vast majority of cyber security incidents I've had to deal with in my life, and there's been a few, it's never anything particularly complicated. You see all these weird and wonderful films about, you know, terrorist organizations and nation state actors and blah, blah, blah. And yeah, of course, some of that's true. These things do exist. We've talked about that in a couple of presentations already. But the vast majority of
them are opportunistic. They're drive-bys. They're a missed patch. They're a door that's left ajar. Basic stuff. We have a challenge as security leaders. You have a challenge as security practitioners. Whatever level you are at, organizations are living in the digitally transformative, AI-powered era. They are running just to stand still. And it's very, very easy to get excited and punch-drunk on the promises of artificial intelligence, and they'll go running off into the distance trying cool new stuff with Claude and Cursor and everything else in between. But a house built on sand is a dangerous position to be in. So the security leaders... with the exception of the Burj Khalifa, which is actually built on sand. Believe
it or not, engineering is amazing. You've got to make sure you get the balance right. Supporting the business to innovate safely, critical friend, that conscience of the organization, that's really, really powerful, really, really important. But for goodness' sake, don't take your eye off the ball of getting the basics right. Asset management, patching, security operations, good education. All of these things are fundamental to any organization's longevity. There is no point in running off into the distance doing crazy stuff with agentic and frontier AI if someone's taking the front door off your house. And it sounds ridiculous to even say it out loud, but the number of organizations who are spending a fortune on crazy new technology and forgetting
the basics, technical debt, it's a curse. It's an absolute curse. Don't build on sand. Anybody see the website XKCD? This is some of the crazy cartoons they do. I absolutely love it. The Nebraska scenario is my absolute favorite cartoon: the idea that an organization is just this weird smorgasbord of different building blocks all delicately stacked together. But the one at the bottom is owned by a guy in Nebraska who's long gone. But if you pull that out, the company falls around its ears. You have to make sure that you're getting the basics right. You've got to get that balance right. Shifting left is also very important. Shifting left
is an important imperative of good security foundations. We were talking about this at lunch actually. Be inquisitive. Get in there early. You want to be talking to a project when they're thinking about doing something, not when it's just gone live and a little piece of you dies inside because you realize that now you've got to chase after that and unpick it because it's actually illegal, immoral, can't be done in that country, or is running on Dave's laptop which is slung under a desk somewhere in London. That's the reality. The TL;DR of all of that is always try to see the wood and the trees. Now, a lot of this also comes
back to the idea of humility. You've got to make sure that you're finding a way to incentivize the business to do this stuff. This one is really, really challenging. In the batshit crazy world of video games, media, and entertainment, practically impossible. And every time I talk about it, I hear this collective "uh" from the boardroom. But that's not going to stop me. Anybody that knows me will know that I'm quite a tenacious kind of guy, sometimes to my detriment. But that's the reality. You've got to be persistent, build on sand, and have a bit of humility. All good so far. Any questions? I'm just rambling on here. You know, everyone's
probably falling asleep eating their sandwiches. Well, Pete's had about 18 pies now. What did you call them? Northern batteries. >> That's right. Northern batteries. >> That is literally my favoritest phrase. There's a hand at the back. You got a question.
>> Perspective of pride over humility. That's a really interesting question. I'm very proud of the job that I do. I'm very passionate about being in cyber security. There is a reason why I stand in front of you telling you that I've had the time of my life over the last 20 years in security leadership. But I have to remember, without them there's no need for me. So sometimes I have to let that pride take a hit in the interest of the longer game and let the humility take over. That's my answer to that question. >> Welcome. That's good. That's a great question, actually. Sometimes we do let pride get in the way of
our judgment. And sometimes, I'll offer you another little bit of advice, unscripted. When you find yourself in a situation of conflict like that, take a breath. Take a breath, because your head and your heart will fight each other, and sometimes you just need to take a breath. Take a couple of seconds. Trust me, it works.
Yeah. I mean, that phrase is used a lot, but I really, really like it. I was about to say this reminds me of what Harry was saying earlier, but the next sentence is probably not going to work now, but I'll do it anyway. So, going back to talking about Equifax and how brutal that incident was. Ask a CISO about their first incident. It's a bit like everybody remembering their first kiss. Told you it was weird. Didn't think that through, did I? Every CISO will remember the first time they get that call. It is the most destabilizing, disorientating thing that will ever happen to a security leader. It's horrible. It's absolutely horrible. I've
had a few gnarly incidents. The very first one I had was 2012. I was heading up the UK's cheque clearing infrastructure and we fell victim to a well-known-at-the-time Microsoft vulnerability which goes under the code of MS08-067. Anybody remember that one? I do. It was the bane of my life. So, I'll give you the long story short. The cheque clearing infrastructure is completely air-gapped. It sits away from any operating environment. It's on its own. It's its own island. But sometimes we need to move things like sorter patterns onto the imaging machines. We used to do that through very clinical procedures that were manually
orchestrated, that allowed us to move data via physical media into the protected environment through what we used to call sheep dips. The process worked if it was followed properly. An engineer decided it would be a really, really clever idea to borrow one of these hard drives, take it home to back up his wife's laptop, which was infected with Conficker. He then didn't clean the drive, put it back into the process. The process was followed through. A step was missed. The sheep dip didn't happen. The hard drive was inserted into the clearing infrastructure, and one hour later the United Kingdom did not have a cheque clearing environment. "Oh my god," that's what I said. I used
slightly more colorful language actually. But the thing that was quite notable about it was that moment of realization. So this was before the days of Teams and Zoom and any of that nonsense. We were using BT MeetMe. People of a certain age will remember that, but good old-fashioned phone conferencing. I don't know why we made eye contact there. You're young and you're welcome, Fiverr. And we were going through the obvious immediate characteristics of the event, and then someone said, "Well, what are we going to do, Paul?" And then there was a silence, and then I realized they were talking to me. But it
was a real leveler, because at that point you realize that actually you're holding something quite significant in the palm of your hands, and then what you also realize is you've just been punched in the face. Well, I didn't have a plan for that. I wasn't ready for it. Neither was the business. We had the mechanics of dealing with incidents, but we never had a scenario where the entire environment was dead. Now, fast forward to NotPetya and all of these wonderful things. We now appreciate the concept of a black swan, extinction-level attack on an organization. It is a real thing. But back in 2012, in an air-gapped environment, maybe not so
much. So the advice that I always give with this is: everyone has a plan until they get punched in the face. What I mean by that is the plan is a guiding light. The plan is the basis of choreography for an incident. If you think for one minute that every incident you're going to encounter during your career as a cyber security practitioner is going to follow your playbooks, bad news. Doesn't happen. The plan establishes lines of communication, protocols, escalations, side moves, communications plans. Test them, test them, test them again, but recognize that they will not have all the answers. You need to blend those plans with some creative thinking, some collaboration,
some out-of-the-box stuff, some real... Anyone watch the film Apollo 13, when they had to put one of these into one of those using only this? That is major incident crisis management right there in a nutshell. Sometimes you've got to think outside the box to get things established, but then learn the lesson so it doesn't happen again. Close the loop. Really, really important. And again, something we talked about earlier and I'll skip over in the interest of time: management won't have your back. Yes, you can do everything you can to rest and rotate your staff. I now have a welfare officer in all of my incident response teams. They're not there because I thought it was a good
idea. They're there because I know what it feels like to come off a three-week, night-and-day incident response and realize that no one gives a [expletive] about how you're feeling, with the ear infection, the chest infection, the blood pressure in the sky, and everything else. No, no, no. They still want to put you in front of the Bank of England to explain what happened. So make sure that you've got your own back, and that of your teams as well. And I think the world has moved on a little bit more now, you know, but at the time I felt very lonely. And by the time the incident was done, I felt very ill.
A good friend of mine, Steven Khn, actually a great friend of mine, used a great phrase once when we were talking about security leaders. He said, "Security leaders have got to act like chameleons. You never know from one day to the next what type of person you've got to be." Are you going to be the playful person? Are you going to be the dictator, the authoritarian? Are you going to be something in between? We change characteristics depending on the circumstances we find ourselves in. Security leaders have to be very, very adaptable, because businesses are not linear, structured. They generally meander around all over the place. Now, you could argue that there are different
types of security leader, and I think that's right. Post-breach CISO, startup CISO, stable CISO, regulator CISO, and that's very, very true. But they all need a set of broad skills that transcend technical skills so that they can relate and resonate and operate with their businesses. And a lot of security leaders of a certain age who came from a technical background found there was almost like an inflection point when we realized that actually we weren't just technical people anymore. We weren't IT managers anymore. We were business managers. We were parents. We were educators. We were philosophers. And that's quite a moment of realization, that actually the path of security leadership has suddenly become
business leadership with a little bit of technology on the side. I'm a techie. I love technology, but I have very little time to do that when I'm massaging numbers in a spreadsheet to go to the board or keeping the investors happy or whatever. You have to recognize that diversity of skills, and that also ripples down into your teams, and true business resilience comes from the mosaic of perspectives. The diverse security team is an absolute gift. Think about it, right: creative thinkers. They think about novel solutions to non-linear threats. Again, that's the sort of person you want in an incident response. You need literists. You need communicators. I
needed one of those to write this presentation for me, because I'm rambling a load of nonsense. But the reality is, technical stuff spoken to a business audience isn't going to get you anywhere. You've got to be that translator. Never expect your audience to be the one translating. You've got to do that. If you want them to want what you're selling, it's got to be in their terms. So now you need the technical people to have a degree of business acumen, or you need people in your team that can do that. If anybody, again of a certain age, picks up an old Microsoft Office manual, Excel 4, classic example, I've still got a copy
at home, written by the techies, absolute bloody gibberish. Absolute gibberish. Now think about how we educate people to use productivity software. You've also got the in-between there. There's the psychological impact of cyber security. We were talking earlier about deepfakery and things like that. There are a lot of different attributes and skills now that comprise a cyber security team. And diversity drives rapport. As I've said, your team is comprised of people with different characteristics. So your team needs to be like that as well, so that you can interplay and communicate with each other. I mean, again, it sounds obvious, but security teams for a long part,
and anybody who's watched The IT Crowd, you know, that's been the typecast. Bury them in the order takers, bury them in the basement, get them out when you need something, and then send them back when we're done. That's not how it works anymore. Security at the speed of business means we have to be on point, in there amongst them all of the time. I think the industry actually needs to do a better job. I won't politicize any of this, but I look at the UK Cyber Security Council and I look at CEC, I look at all of these bodies. They're not doing enough to talk about our industry in
those more colored terms. I do a lot of work with children. And I've been a non-exec director in the education sector for quite some time. And I get to talk to the teenagers about what they think cyber security is. They're still very much hackers in hoodies as far as they're concerned. But our industry needs such a diverse portfolio of skills. We need to be better at marketing who we are and what those people can do for us. It's not just about the technical side of things. People, process, and technology. The final one I want to talk about is curiosity. Every day does have to be a school day. So when you work in cyber security,
you are constantly going to be in the pursuit of curiosity. There's no escaping it. You've got to have that curious mind. Um, if you're standing still in cyber security, this is an inconvenient truth actually. Um, if you're standing still in cyber security, you're falling behind. All right. And you know, again, I was talking to somebody about this earlier. I I I actually feel quite tired. You know, a time where it's really exciting kind of back at the 80s when I was a lot younger and my batteries were more charged and I was getting really excited about what was coming and this this this revolution, you know, was I was I was up for it. But
every morning I turn on my laptop and there's just a feed of, you know, everything's changed. It used to change every couple of years. Now it's changing every couple of minutes. It's really hard to keep up with that. And I I wonder how the next generation of cyber workforce are going to be able to adapt to be able to run that fast. You know, maybe it's just me. You know, I'm getting a little bit old now and you know, it's it's it's harder to keep up. But digital transformation is speeding up, not slowing down. So, how do we keep a breast and keep on top? Curiosity is really, really important. Um, lifelong learning. This is an industry of
lifelong learning. As I've said before, if if you're not up for that, then just be careful. Always stay curious. Um, you need to actively challenge what you think you know and and be inquisitive about emerging technologies. You know, we're all in the in the AI model now. We're talking about agentic. We're worried about frontier AI. Over the hill is this thing called quantum. So now start to be thinking about that. Now start thinking about what happens when you take that and you blend it with artificial intelligence. That is a level up um that I I'm really don't even want to get my head around, but it's coming. It's absolutely coming. Back to the humility point. Humility in
knowledge with curiosity and it's back to that point I made earlier about I don't know. You have to recognize that everything you do isn't a test. It's not about you being tested to think that you know and are across everything. Sometimes when you don't know, it's an opportunity to learn together with your business. How great is that? Collaboration through learning through curiosity. That's perfect. What best way to help a business on its growth journey by learning together? That's a very different way of looking at it in my opinion. It's not just about doing the training and saying, "Right, I'm ready to splat it at the business." As a as a modern cyber security leader, I have the usual challenge everybody
else has. You know, my budget gets smaller and they want more. Dedicate a good chunk of time to training. And even if that's not OPEX, dedicate some of the team's time to learning themselves. Give them the time. If you can't give them the cash, give them the time. Give them the opportunity to learn and develop and be curious, because you'll get rewards from that. If they've got a curious mindset and they're continually learning, that's taking a bit of weight off your shoulders, and it means that your team is running at the speed of the business and running at the speed of innovation, and you will get a benefit from that. But also make sure that you recognize as
a leader, and also as you move through your careers as well. You know, you'll start at the bottom and you'll move up to the top, or you'll move sideways, or whatever it is. Curiosity leads to challenge. Challenge is good. Let people feel empowered and comfortable in challenging you and encourage that debate, because their curiosity shouldn't be something that you then immediately shut down because they don't think that they can take you on. It's really important that they are empowered and they're able to do that. And then always have that growth mindset. Um, just no escaping it, as I say. You know, everything is speeding up, but curiosity as well, through the lens of putting yourself in
the business's shoes. As I said earlier, having the humility and understanding what the value is that the business is trying to get from a circumstance or situation. Put yourself in those shoes. Um, if you have a look through LinkedIn, I put my money where my mouth is: dressed up as a Domino's pizza delivery guy going out delivering pizzas, understanding what the process is; standing in the middle of the West Coast Main Line at 3:00 in the morning, pissing down with rain, being shouted at by the project lead because I put a 60-second timeout on their iPad, and in the time they took their foul weather gloves off and unlocked their iPad and then put their foul weather gloves on, the iPad's locked again. I wasn't being empathetic to their situation. That's wrong of me, you know. So, take the time to learn and empathize, accept challenge and challenge back. It's really, really important. It's a two-way thing. Just going to finish on what the future holds. And you know, I don't know, honestly. If I did, I wouldn't be here. I'd probably be making my millions doing something else. But the reality is that we live in a world powered by unpredictability: Middle East crisis, Russia, Ukraine, AI, quantum. There's just so much going on. Um, and we've got
to deal with these emerging frontiers. You know, AI in particular, you know, that's eroding the composition of the labor market. It's giving us new challenges. It's creating new roles as well. Um, you've got to roll with these changes. And I think the accumulation of everything that I'm kind of saying there is, um, you've just got to have that agility. You've just got to recognize that being a chameleon is the way to get ahead in cyber security and cyber security leadership. Um, final word on the CISO. Maybe the CISO's doomed anyway. You know, we've always talked about, you know, do we live in a world where one day everybody just does
security? It becomes a product of something that they do, or maybe AI is doing security for us. Maybe the security leader, or the operating model of the CISO and the security teams and then the business, maybe that's gone. Um, there is a reason why the business information security officer roles are becoming more and more lucrative: because what we're doing is we're distilling security capabilities into the business operating model, and you're starting to see that blend of security teams that used to be in an ivory tower integrating with the fabric of business. I actually think that that is probably the most pragmatic direction of travel. So my advice there would be don't fight that system, roll with it. Our
businesses are adapting. We need to adapt with them. And I find it really, really interesting that, kind of post-pandemic, businesses now work in a very agile, distributed kind of way. Um, IT has learned that it shouldn't be order takers, it should be involved in the solution, and they've become more intertwined with the business. Security feels like it's always lagged a little bit behind. Time to get on the front foot and get ahead of the game. I think, you know, to kind of finish that before my voice gives up on me: we have to continuously adapt to align with the changing world that we serve and protect. It's the only way that we're going to thrive. We've got to put the
business front and center, because without them there is no need for us. That's kind of my final piece of advice. But overnight, when I was lying in bed worrying about cyber (it's what I and a lot of my colleagues tend to do), I wanted to impart a final piece of advice actually. Um, you don't always have to be the hero. You don't have to carry the world's woes on your shoulders. And most importantly, it's okay to not be okay. And it's okay to have feelings as a cyber security leader or any leader, any business leader. You're just... you're human. Don't bottle all of that up. This is a family. This is a
community. This is a really, really stressful job. Harriet talked about it earlier. I've had the same experiences. Other people in the room will have done as well. If you can't talk to your business about how you're feeling, use these networks, use these communities. Share the challenges that you're having. It will make you feel a whole lot better. I mean, as I went through the pandemic, you know, I was tapping into those communities. A lot of my colleagues were as well. The reality is that you, you know, don't suffer in silence, because the challenges that we have are the same challenges that everybody else has. And actually just reaching across and being able to say to
somebody, "Oh, this isn't happening." And say, "I've had the same problem." It grounds you and it really levels you out. I'm so disappointed that in 20 years of cyber security leadership, we still haven't solved the problem of mental health challenges in this industry. And somebody said it earlier, forgive me because I'm not going to get this entirely accurate, but they said, you know, when an organization is physically attacked, the resources are parachuted in to help. You know, you get all the support that you need. When an organization is logically attacked, is the same support offered? More often than not, the answer is no. And I think that's wrong. So in the absence of that,
do one thing for me. Look after each other. Look after yourselves. I have no regrets about being a cyber security leader. I love this industry. I absolutely love it. It's a tough gig, but the strength and the power of the community to support each other is really, really valuable. We are moving the needle. It's a slow and steady progression, but in the meantime, just make sure that you are supporting each other and feel safe to put your hand up and say, "Actually, I'm having a really bad day. Can I talk to somebody?" It's really, really important. Um, I've run out of stuff to say. Um, if people want to talk to me, please reach
out on LinkedIn. I'm totally open door. If you want to ask me any questions, you're more than welcome, in the last couple of minutes we've got. If you've got any questions, come at me. I'm ready. Thank you everybody.
>> Thank you.
>> Are we going to answer some questions? I say we, I mean you. Are you going to answer some questions? Oh no, I've fall. Sorry. Paul, you ready? You got a couple of questions. Yeah.
>> Oh, just been a horses with a horses. Here you go.
>> Go for it.
>> One of my favorite quotes in the context of occupational safety, actually, that I saw on a wall somewhere was: if we do our jobs great, no one's going to remember. If we do our jobs badly, no one's going to forget. And I guess you probably feel that way in security. I wonder if you had any reflections on that and how you essentially bridge the
gap between those two things.
>> Yeah, that's a good question. I kind of... I used to feel like that in the early stages of my career, where it was literally you were like your parents' fine china. You were brought out on occasions and then you were kind of put away and forgotten about until the next time. And it was kind of that metaphor in terms of when the hit the fan, you got dragged out, kicked around the room and then got put back again. But actually over time I think that's started to move away, because we're recognizing the balance of protect, detect, respond, recover. One
of the things that really helped with that, in a funny sort of way, was the pandemic, because the prophecy that a black swan event would never happen came to light and we all lived through that. And now what we realize and what we've learned from that, and I get this to varying degrees talking to organizations, is the reality that actually prevention is better than the cure. So now we don't talk about the secure modern business anymore. We're starting to talk about the resilient business. Uh, to quote Chumbawamba, I get knocked down, I get up again. But actually what businesses are realizing, and again this comes back to the value proposition,
is it's cheaper in the long term to invest in an organization's recoverability, so that when they fall down they come up really, really quickly, than spend a bloody fortune on dark sites and DR sites that you may never ever use, and actually when you do use them the recovery time and point objectives are so expensive to maintain because you're using dark sites or standby sites. Actually, maybe, just maybe, if we were resilient by design, we're balancing cost, productivity, and availability. So, I think we're moving past that. Sorry, that was a very long answer to probably a short question. Is that okay? Brilliant. Thank you.
>> Oh, got the mic. Oh, hello. Um, I gave you that statement. You're happy to use it. I'm very wise beyond my years. Um, as someone that works with students or whatnot, and this is not necessarily a cyber security question, it's a leadership question: when you've got like a million grads out of work and then only six n 19,000 grad jobs, are you worried about the future leaders not getting the mentorship and not getting the opportunities from a low level to build that foundation, where entry-level SOC roles or entry-level cyber roles want one year of experience but they can't get the experience without getting the experience? Do you ever worry about that from a leadership perspective?
>> Yeah. Yeah, I'm bloody
terrified, actually, because, um, so my lad's just graduated from the University of Plymouth, and he was one of the lucky ones, but his cohort, they're really struggling, and that's right across the world. What I would say with that, in the context of what I've just talked about, is, um, we are running around so crazy worrying about today that I don't think we are doing enough to pay it forward. And I really worry about this. I mean, I burn these two ears all the time about... we're talking about this as well. Um, when we're allowed to go out for good behavior. No, I don't think we are. I think, and I am genuinely concerned, that we are looking at the short-term gains
of using AI and taking that out, but we are not looking at the long-term ramifications of that. I don't think we're setting ourselves up for success. I don't know how quickly we're going to get to the point where we have that sobriety test and we realize that actually we do need to be thinking about that, but I am genuinely concerned about that, having lived through it with my kids. Um, but as security leaders, I really worry that we're not paying it forward enough at all. Um, that's why I jump at any chance to come and talk, you know, in things like BSides, because it's a real range of people who are kind of at entry, early, mid, senior, and it's important. And whilst I've talked about stuff through the lens of security leadership, because that's kind of my jam, you know, a lot of what I'm saying I hope is advice for people who are coming into the industry. You know, if you take the phrase security leader out of it and look at some of that advice, I think it's largely translatable. But yeah, I do. It comes back to my point, you know, I look at UK CSSE and I look at all of these other bodies and they're all living in the now. Spend some time on the next gen as soon as possible.
Good, good point. Great point.
>> No, no worries. So, how do you make your employees feel like we're all important and that you don't think you are the most important person in the room?
>> Um, by fostering a culture that allows them to feel safe and trusted and able to call out things that they're worried about. It's about treating training, cyber security, risk management not as something they need to do to tick a box in a company but as an investment in a life skill. So actually, again, it's like doing cyber security to and for a business; actually what we need to be doing is educating and delivering the culture with our workforce. So you need
to spend the time. So don't just throw mandatory training at them and then quote a figure back to the board. Do it in context and make it valuable to them, and make them feel that you're listening to their needs and wants and you're delivering training for them, not to them. Does that answer your question?