Interviews With CISOs
Tessian Spotlight: Andrew Besford, former Deputy Director, Government Digital Service, UK Government
Tuesday, July 30th, 2019
Andrew Besford has over 20 years’ experience in technology-enabled business transformation. His early career was in the telecoms industry, in both in-house and consultancy roles in a number of countries, most recently at UK mobile operator O2. Andrew joined the UK Civil Service at the start of 2014, initially to set up business transformation at the Department for Work and Pensions, where he was responsible for developing a compelling vision for the future of the organization. Andrew then joined the Cabinet Office as deputy director of the Government Digital Service, and led the creation of the Government Transformation Strategy, which was published in February 2017. Andrew holds a degree in Computer Science from Cambridge.

As we have a global readership, can you give a brief explanation of your work with the Department for Work and Pensions and UK government?

My first job as a civil servant was in 2014, where I established the business transformation programme to modernize the Department for Work and Pensions (DWP). DWP is the UK’s biggest public service delivery department, and has a long history of administering the state pension and a range of benefits. Its operation distributes around £167bn of benefits per year (£650m per day, in 2.8m separate payments). The business costs around £8bn per year to run, employs 95,000 people, and delivers face-to-face services through 720 Job Centres. The big themes of the transformation were around secure self-service wherever possible, intelligent use of data, and process automation. I later moved to the Government Digital Service to work on the portfolio of digitally-enabled transformation programs across UK government. Across all of these themes of transformation, we were constantly balancing the pace of technological change with the ability of the organization to adapt to new ways of working.

With public services that people depend on, it’s always vital to consider how the organization will continue to serve people reliably whilst it is changing. Sometimes this means you need to make incremental changes, because a major technological overhaul and starting from the ground up would be too high risk, even though it may appear to be a better technology solution.

What pressures and dynamics were unique to digital transformation in the public sector?

Public sector digital transformation programs tend to be driven by a mix of three key drivers – making efficiency improvements, improving the customer/citizen/user experience, and implementing the government’s policy agenda. Sometimes a new government policy can be an opportunity to modernize the way the whole of something works. Other times the policy might stay the same but there is an opportunity to deliver it in a modern and efficient way, which means making the best use of today’s digital delivery approaches and technologies. Eventually it will also mean adopting more internet business models but we are still in the very early stages of governments thinking in this way.

Some of the dynamics of this really are unique to the public sector – you have to deal with all service customers/citizens/users, some of whom may be extremely vulnerable or unable to deal with you online. You are spending public money, and the procurement rules are always a factor. A hugely positive aspect is that your colleagues are people who go to work every day to make government work better for the people who need it most. The scale may be vast, but other challenges of transformation are the same as you find anywhere else – making smart use of data, having a plan for legacy systems, getting enough people with the right skills, aligning the organization around a clear vision, establishing the basics like a common language and a focus on user needs.

How does cybersecurity factor into your work?

Although my job title doesn’t say cybersecurity, it is absolutely integral to leading business transformation in this environment. Different parts of the public sector have aspects in common, for example the need to handle sensitive personal data. But different areas naturally have different threat profiles – for example DWP is a unique environment in that it pays out such a big percentage of our GDP directly to citizens.

One key factor when you are building new digital services in this environment is that you have to be careful with which parts need an iterative test-and-learn approach, and which parts need a high-volume, stable and auditable approach. Sometimes this experimentation is essential, for example when creating new online services which you hope will change people’s behaviors. Other times this can be risky or impossible, for example if you consider the interface to the banking system. Using appropriate methods can be very hard if there is a context of “agile everywhere”, which has sometimes been dogmatic. There is a fine trade-off between making a service useful and making it safe. Often, senior leaders of organizations need help to understand the risks and the choices they face, so it was a big part of my job to clearly communicate the risks associated with projects and the mitigations that can be put in place.

Are there any security principles you are guided by when approaching business transformation?

The vision for business transformation needs to include security at its heart, and not just include it as an afterthought. As ever, this can be a juggle because other themes must also run strongly through the story, especially around people and technology. Of course boards will always want to know “Are we secure, and compliant?” But when you are working on transformation, they probably also want to know “Why are we not more of a ‘digital business’ yet?” So there has to be a security perspective on the organization of the future.

Frequently this means evolving the security focus so that it is not just about securing networks and endpoints, but extends to designing secure services. My view is that transformation leaders always have a role to play in security. This could be helping board members understand what good looks like, and helping them understand options and consequences. Equally it could be helping to raise colleagues’ awareness and understanding as part of a more general digital upskilling.

You often refer to keeping user needs at the heart of your thinking – can you share more on this approach?

The emphasis on user needs has been a real turning point in how UK government thinks about delivering digital services. In 2014 the Government Digital Service mandated the Service Standard, which includes as its first point to “Understand users and their needs”. This helped establish the thinking that without understanding users, you won’t know what problems you’re trying to solve, what to build, or if the service you create will work. From a broader cybersecurity perspective it is important to start with user needs, while acknowledging that the government has needs too, for example to protect taxpayers’ money, reduce fraud and preserve trust.

How important is the human factor when it comes to digital design?

It’s impossible to overstate the human factor. In government terms this applies to the people who use government services, as well as the people working within government agencies. Digital services rely on balancing a low-friction user journey, with the need for proportionate controls to limit business risk. Designing this successfully can only be done by putting the users at the center of the design. For public services this will touch on user identity, data ownership and sharing, minimizing risk and administrative errors that could cause significant damage – all while respecting people’s privacy and rights.

Criminals might impersonate these services without the victim ever contacting the agency in question, so this is in part a national problem, not an organizational one. For example, the UK’s tax, payments and customs authority (HMRC) has experienced significant criminal use of their brand, highlighting the need for a national response to protect citizens and ensure that when people see an email from a .gov.uk email address they can trust it. In 2016, HMRC was the 16th most phished brand globally, but following efforts from HMRC and the UK’s National Cyber Security Centre, by the end of 2018 it was 146th in the world. Within government agencies, for those who advise on policy, build technology solutions, and deliver front-line operations, there are also threats at the human level. These could be from organized criminals, hacktivists or state actors, who may use attacks based on social engineering or spear phishing.

Do you have any advice for cybersecurity practitioners on how to work effectively through digital transformation?

As always this depends on the context, but there are three common themes I would highlight from recent work. Firstly, we need to help senior leaders understand cybersecurity better. Transformation is a leadership problem and sits in the realm of the boardroom; it is made possible by leaders understanding what it means, and setting out a vision for the organization. Those people generally don’t have a deep understanding of cybersecurity, but increasingly recognize how critical it is, because they have heard of WannaCry ransomware, Cambridge Analytica data mining, and British Airways/Marriott fines under GDPR.

Secondly, we need to focus on creating the right conditions in the organization for delivering new services. This means enabling people and empowering teams. Someone in your organization is eventually going to end up attempting to do secure service design themselves – with or without any guidance from specialists. Cybersecurity practitioners need to collaborate across the organization, avoid creating factions, and make sure it gets done right and integrates with your other layers of defence.

Finally, we need to embrace digital change and experiment. Any big organization needs to be able to operate while under persistent threats and sophisticated attacks. And you need your teams to be enabled to experiment (safely), test and learn what works, and continuously evolve services to deal with the evolving landscape they operate in. Security leaders can and should be at the heart of safely delivering the transformation ambition.
Tessian Spotlight: Graham Thomson, CISO at Irwin Mitchell
Thursday, July 4th, 2019
Tessian spoke to Graham Thomson, CISO at leading law firm Irwin Mitchell, about his career and why he uses Tessian to keep Irwin Mitchell’s employees safe on email.

To get started, can you take us through how you first got into security?

I got my degree in genetics and then worked in military intelligence, where I received a grounding in computer security. After a few years, I left the military and got a job as an investigator for a global retailer. Initially this was to investigate fraud and corruption, but evolved to cover issues relating to information security, such as insider breaches and hacking. Having decided that a career in information security was for me, I then obtained my CISSP qualification. I’ve since been lucky to experience many different industries, including insurance, online banking and e-commerce, and now the legal sector. I’ve been focused on purely information security for around 12 years now.

How has the industry changed since you began your career, and what has the impact of technology on security been?

Information security has changed hugely over time, probably because the threats themselves have changed. When I started out, I think it’s fair to say the work we were doing probably wasn’t that well understood. When I was being trained initially, I remember learning about a KGB-initiated infiltration of systems that was discovered pretty much by chance: this was a real eye-opener that brought home just how important computer security was going to be in the modern economy.

One of the biggest changes is the focus on people. Previously, security professionals would be technical IT specialists, but today many different career paths – the military and law enforcement are just a couple of examples – can lead towards information security. The ability to understand an issue from the attacker’s point of view is very useful. You can spend as much money as you want on technology, but at the end of the day there are humans with legitimate access to your systems; if they are negligent or abuse their positions, then there’s very little that tech can do to stop that.

What are your core responsibilities at Irwin Mitchell? And what are your ambitions for your department and the team over the coming years?

My core responsibility is setting the strategic security vision for the company and making sure we successfully deliver on our objectives. I refer back to this regularly to work out whether there are gaps in our present strategic framework, or whether we need to readjust priorities on particular technical projects. It’s all well and good sitting and thinking about high-level problems, but real-world feedback really helps to crystallize the impact of what we’re doing. It’s my security policy, but I want to know how it translates across the business.

The key thing is that many people within law firms deal with very sensitive personal and company data. Our bread and butter is keeping this safe. Firms in other sectors may only have a few people dealing with sensitive data, but in law firms the proportion of people in the business who have this responsibility is far higher. This information isn’t just internal, it comes from external parties too. For example, we might have sensitive medical records or information relating to military matters as part of the work our solicitors do.

The legal space is a fairly unusual sector in that we have to think about security in a very broad sense. The very term ‘cybersecurity’ reflects the fact that more and more of the information people consume is digital. But working at a law firm, there are paper records that have to be dealt with too. So my role depends on understanding and managing all the implications of information security, not just the technical aspects.

It’s important to remember that our people could be very experienced lawyers or new graduates: we have to make sure that everyone understands what their security responsibilities are. People have to know how to handle information from when it comes into our orbit right through to when we dispose of it. Security can’t just be a case of asking people to read a lengthy, technical policy document. I have to ensure the information is relayed in a way that’s meaningful, interesting and relevant, and I need to make sure the technical tools we use are easy to understand.

How can new security technology help the legal sector really make strides in the years to come?

The first thing to say is that the legal sector has probably not moved as fast as some other sectors when it comes to adopting technological solutions. Although there are some startups making strides in ‘legal tech’, fintech, for instance, has a higher profile and potentially more innovation happening in that space right now. Things are improving, but the sector as a whole has possibly been slightly behind the times.

For me, where the sector could really benefit is access to justice: I think tech will help ordinary people engage more meaningfully with the legal system. Law is complex, and there are so many gray areas, but I’m hopeful that developments in artificial intelligence (AI) hold a lot of promise. It’s never a good thing when someone decides not to approach a lawyer or a law firm because they’re not sure whether it’s worth it or because they think the process will be particularly laborious. Tech that allows people to ask initial questions without having to directly engage the services of a human lawyer could mean that people find it less intimidating to approach law firms. I think we’re now moving past the point where people expect to have to walk into a physical office to have meaningful conversation with a legal professional. You could easily get the same result from your own home, or on your phone, and that kind of relationship is what we need to be thinking about.

I also think there could be major benefits to research. When paralegals need to sift through thousands of pages, AI could help surface the relevant information more quickly. Bots that do more labor-intensive work like reviewing long contracts could also save significant chunks of time. Next-generation technologies like AI could definitely help the legal sector move forward. The danger with AI though is that biases may still come into play, as is often the case when dealing with complex algorithms.

Can you tell us about your experience bringing new technologies into a law firm?

I’m fortunate that today, cybersecurity is taken very seriously at board level. If I can show that there’s a requirement and a potential benefit with a new piece of technology, the appetite to mitigate that risk is usually there. When it comes to end users, we have to think carefully about altering processes they might be used to, or telling them to stop doing something that seems innocuous. I’ve found that as long as the training and awareness is communicated well, it’s usually accepted without too many hiccups.

Interestingly, when we implemented Tessian Guardian, which helps us combat misdirected emails within the organization, it was one of the few security products where we had no complaints about it. In fact, people sent us screenshots thanking us for preventing emails potentially going to the wrong destination! It’s great for the team to feel like we’re making positive changes within the organization.

Could you describe Irwin Mitchell’s attitude to information security in a couple of sentences?

Our people see information security as an absolute necessity when it comes to doing business. Everyone acknowledges that they share responsibility for the firm’s success or failure here.

So how important is Tessian to your overall security stack?

Tessian is critical for us. Misdirecting an email is very easily done: people want to be productive, and they don’t always notice when autocomplete gives them an incorrect email address. Tessian also gives us great analytics and reports which help us actually analyze the data, over and above the solution itself. We’re soon going to be implementing Tessian Defender, which will help us address inbound spear phishing threats and make Irwin Mitchell’s security structure even more secure. Tessian is just a very clear way for us to communicate potential risks and give our colleagues additional protection.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Sarat Muddu, IT Security Director at Kelley Drye
Thursday, July 4th, 2019
Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change, and how his firm wards off threats by embracing innovation.

As an IT professional, what attracted you to a career in the legal sector?

I’ve had experience in a wide variety of sectors, but I was fascinated by the security challenges of the legal space. Although I wasn’t a legal expert when I joined Kelley Drye, I moved across from health care, which is another industry that is extremely sensitive to cybersecurity risks, so I understood the importance of the problem.

How important is it that the top level of a firm is alert to the dangers of cybersecurity?

Even at board level, there should be people who understand the more nuanced technical details of a security project. At Kelley Drye we’ve been lucky to get great buy-in from our managing partner and CIO. They see a direct connection between a well-constructed security policy and the broader success of the business. I can’t speak for other law firms, but ever since I’ve been working in the legal sector, I’ve seen significant positive movement in how people approach and value security. This is one really refreshing change. We regularly get inquiries from partners asking whether we are protecting ourselves against this or that new threat – they pay attention and want to ensure firm and client safety. If we can continue developing this kind of curious mindset, I’ll be happy.

It’s important to remember that a main driver of this new focus comes from partners being keenly aware of potential damage to a firm’s reputation. You don’t want to be the firm in the headlines because of a security breach, and you have to preserve client relationships, which are the bedrock of any firm.

Why is email a particularly high-risk activity at law firms?

I think all industries are susceptible to engaging in risky behaviors, but the kinds of data held in law firms means any unauthorized email that goes to a personal address is potentially more dangerous because of the content of that email. We all want to take the convenient path, but it’s the responsibility of a security team to manage and, if necessary, plug holes in those workflows that increase risk. Email is one of the most heavily used tools in any law firm, alongside document management systems. Human error is always one of the big factors in any data breach report. Lawyers send and receive a lot of email, so in a sense it’s natural that they may be more likely to misdirect an email, for instance. Even IT teams are not immune to these pressures!

Is it the case that email is just an inherently risky mode of communication?

At Kelley Drye, our ‘Defense in Depth’ strategy tackles security concerns at every layer of the stack, from our perimeter down to individual devices, and people too. As a security team, we have established a number of risk management and training programs to help us avoid any sleepless nights. Email security is a critically important part of this mix.

As technologists, we have to make sure that all our communications channels allow business to function without any hindrance. If people don’t have a seamless experience in an enterprise, that actually raises the likelihood of people trying to evade those systems by, for instance, sending an email to their personal address so they can work on something at home. They’re not trying to be malicious, but they are putting data at risk. That’s why when we’re thinking about bringing in a new security tool, we take into account not only how robust the product is but how it impacts the team’s work. Ease of use is incredibly important to us, and that’s actually what Tessian does very well.

How does Tessian make it easier for you to learn about and act on potentially risky behaviors?

It was really important to us that Tessian would improve our knowledge as a security team. The market for security products is incredibly saturated, and not every product is able to offer a rich level of detail to its administrators. Not only did Tessian give us valuable historical analysis, working retroactively, it was very easy to start using it. Out of all the security products we’ve invested in, Tessian has had the lowest amount of up-front work to do to get set up. This meant we could get started analyzing the results straight away. We are now able to have a better dialogue with legal professionals and other end users, because rather than just being blocked from doing certain things, people know why an action could be problematic thanks to the insights Tessian displays within the email client.

So do tech products like Tessian help you drive cultural change within the firm?

Implementing change is only easy when it’s a team effort. When I’m making a business case for why a tool will help the firm, having productive discussions around the business – not just with the management team – is paramount. You can’t drive real cultural change with just a couple of people: it doesn’t happen overnight. In general, when we’re implementing a new piece of technology, the fewer complaints we get the better, and we haven’t had a single complaint or unhappy query about Tessian. In the long run, this makes it easier for me to bring the next security project to the board and justify investment, which makes my job easier.

Finally, looking a few years ahead, where would you like to see the legal sector progress?

I think the legal sector is in a really interesting period as far as technology is concerned. Every time I go to a conference there are new and innovative solutions targeted at helping law firms succeed. At the same time, the business of law firms is changing. We have to evolve at the same pace as other industries, moving with the times. We’re seeing big shifts towards agile and remote working, for instance. How are legal security teams going to deal with this new dynamic, securing client data while giving professionals more flexible ways to get work done? For us, investments in products like Tessian are a great example of how much the firm values technological innovation.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Duncan Eadie, IT Director at Charles Russell Speechlys
Thursday, July 4th, 2019
Duncan Eadie, IT Director at Charles Russell Speechlys, speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.

What were some of the main threats in cybersecurity when you first moved into the sector?

The first computer virus I was aware of was distributed in 1988, and in my first job we had a lunchtime session discussing it! We then had to contend with viruses distributed via floppy disk, which demonstrates just how far the industry has come. At that time, people breaking into computer systems was almost done for fun; now, cyber crime is a major global industry in its own right. Lawyers and clients alike are now all aware of the consequences of handling data inappropriately. Today, we expect security from every organisation we deal with, not only as professionals but also in our personal lives.

Does security permeate all aspects of your role, or is it effectively treated almost as its own business unit?

My role is essentially to design and deliver Charles Russell Speechlys’ IT strategy. That means overseeing the development of products and services, and then successfully introducing these across the business. Within the IT department, I’d say that security has had to become more of a specialist requirement in recent years, partly because criminals and tactics are becoming more sophisticated. This vertical knowledge has to be supported by core tools that help us do this more specialized work.

What are some of the challenges around driving change in a business like Charles Russell Speechlys?

In some ways it depends on the change you’re introducing. When we introduce products like Tessian, which doesn’t necessitate huge change to working practices and which doesn’t require lots of training, you can feel people embracing the change in a different way. From a people perspective, the principal security challenge is really to make sure that everyone around the organization is vigilant, whether you’re a lawyer, a secretary, a software engineer or a marketing professional.

In a broader sense, the entire legal industry is feeling that there’s a significant shift happening right now. This isn’t at the individual or firm level, it’s impacting the whole sector. Firms have to decide at what point they want to catch that wave of change. For forward-thinking law firms, this is a fantastic opportunity to build on the heritage of the past and embrace the opportunities of the future, something that’s in the DNA of Charles Russell Speechlys.

So why is this technological shift happening now, and what are the knock-on effects for security?

I think there is some frustration on the part of clients that the legal sector isn’t changing and evolving at the same speed as other industries. Changing customer demographics are beginning to disrupt the legal market in the same way as many other industries. In general, customers are more willing to challenge the professions and really engage with their service providers, and that means law firms need to offer a modern experience for clients. Regulatory changes are also impacting these strategic decisions. We’re now seeing more punitive penalties for breaches of regulation, and that affects the way firms might think about the risks of expanding into a new practice area, for instance. All of this has consequences for security.

What do you wish the average lawyer knew about cybersecurity?

That if their cybersecurity knowledge is not up to scratch, their firm’s reputation could be damaged very quickly. We’re talking about a relatively small investment in time to focus on cybersecurity best practices. In the long run, this could protect a reputation which has been built up over decades. It only takes a moment to potentially destroy all that.

And what would you say to a technologist or security professional thinking about a career in the legal sector? What advice do you have that would help them make an impact?

Too often in the industry, making something more ‘secure’ results in making it harder to interact with. Technologists coming into the sector should empathise with legal professionals and realise that people don’t want barriers, however difficult that might be to incorporate into products. If people build products that combine security with ease of use, you’re onto a winner, and that’s actually what Tessian has done.

The other thing for IT specialists to remember is that much of a law firm’s business still stems from its reputation. Reputation can be a very fragile entity, but it’s also why law firms will survive over the long term. Protecting reputation is absolutely key. So much important work carried out by lawyers is based on their firm’s and their own reputation. When people or businesses are in extremely sensitive situations, facing very difficult decisions, they don’t want an app, they want to talk to someone whose advice they trust. In this environment, our duty is to preserve and enable this intimate communication as best as we can with the support of technology, while balancing this need with best-in-class security practices.

How is Tessian helping Charles Russell Speechlys tackle threats and manage email security?

Well, the channel that generates the highest number of complaints to the ICO every year is email. Firms can easily send hundreds of thousands of emails every month: when businesses have that volume of communication, you don’t have to be wrong very often for it to really matter. Misdirecting an email isn’t something someone does intentionally, and I’m sure that your readers have all experienced sending an email to the wrong person at some point. With Tessian, we don’t encounter pushback from within the organisation, so it’s a great way to deliver meaningful change in the firm. Tessian proves that modern technology can support our lawyers and help protect their relationships with clients.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Tessian Spotlight: Don Welch, Chief Information Security Officer at Penn State University
Thursday, July 4th, 2019
Can you give a brief overview of your background and responsibilities at Penn State?

As Chief Information Security Officer for Penn State University, I am in charge of a range of things including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.

What are your core objectives in the role?

One of the main objectives I work to is to understand who is on the network and who has access to what. This is what our privacy and security are all about: stopping people getting access to critical information that they shouldn’t. Compliance is another large objective that has a lot of overlap with security. Compliance is necessary, and often the fines and other sanctions are a serious risk to Penn State. However, while the standards do support security initiatives, they’re not sufficient in themselves. That makes the distinction between what policies and programmes are compliance-led versus security-led very important for us.

Have you observed any dynamics that are unique to university environments when it comes to information security?

The interesting thing for large research universities is that we are affected by almost every area of compliance and information threat that exists. We have healthcare data, valuable research, financial information, student PII as well as a nuclear reactor, an airport and all the utilities cities have. This means we are subject to a range of threats like nation state actors trying to steal IP or gather information for their country, and criminals targeting us for fraudulent payments.

Do you think universities are well equipped to deal with these threats?

No, it’s a real challenge. Universities do great things as faculties are very entrepreneurial, working on cutting-edge innovations with relative autonomy. While autonomy is an important value of the institution, it makes cybersecurity more challenging. The university has so many faculties and operations which create a diverse range of activities within the one system. Creating security alignment that works effectively across the board is therefore a big undertaking.

How do you instil a cybersecurity culture in such a diverse environment?

We have 17,000 regular staff members and 100,000 students who all fall prey to different kinds of attacks. We tailor our education and training approach to each different group, ensuring that people understand both the threat to them personally and to the institution.

How does human error play a role in cyber vulnerabilities?

Phishing and social engineering attacks are getting more sophisticated, meaning that even very intelligent people can be deceived. We know people make mistakes, so it’s important to maintain a combination of approaches to mitigate human error. We implement layered security strategies because you can’t depend on a single defence approach. We build security that considers everything together: people, technology and processes. With a phishing campaign, for example, when a normal user has fallen victim and an attacker takes over that account, we have several ways of identifying the attack and stopping it before the attacker does damage. We look for strange account activity that indicates a compromised account. We mandate protections on privileged accounts, changing the password every time it is used. We separate our sensitive systems from the rest of the network. These are some of the controls we use to protect our system in a layered and integrated manner.

Where do you see the biggest risks being in future?

Attackers are always innovating, so we have to continually evolve our defences to keep up. This will become more challenging when adversaries begin to use AI and automated techniques to attack systems much more rapidly. We’ll have to act more quickly to match their speed. But we still have the basic challenges that we need to address – simple attacks still succeed because people continue to fall for spear phishing attacks. We cannot forget about the basics and get distracted by shiny new toys.

What are the common misconceptions about the role of cybersecurity?

A lot of cybersecurity professionals look at security from a risk-based approach: they’ll assess what the individual risks to the organization are. That’s important, but it has to be incorporated into a larger strategy that looks at the bigger picture of potential damage and allocates our cybersecurity resources in an efficient and effective way. We have to think how our attackers are thinking in order to understand how they will attack us.
Interviews With CISOs
Tessian Spotlight: Mark Ramsey, Chief Information Security Officer of Americas Division at ASSA ABLOY Group
Tuesday, April 30th, 2019
Mark Ramsey has over 30 years’ experience in software engineering and security. He initially trained as a software engineer and transitioned into the security side of Information Technology as it became a growing area within enterprises. He has set up security teams from scratch in a handful of businesses including Assa Abloy, where he is currently Chief Information Security Officer. Alongside this, he is committed to knowledge and education around cybersecurity, and teaches master’s-level students at Fairfield University, where he has been a Professor for the past 33 years.

What can you share from your experience creating a security function from scratch?

I’ve done this for three companies now. I find most people are cooperative because there is a growing understanding that security is crucial for the successful running of a company. Most people want to be secure and to do things right, but it’s important to strike a balance. You must be sure to make things secure, but flexible enough so people are able to do their jobs and do them well. For Assa Abloy, security has always been a priority; it is in our DNA given we are a security lock company. We have been building up our security profile, but it is an on-going process with new challenges. We are preparing for the expansion to the Internet of Things.

What are the greatest challenges you have overcome since you have been CISO of Assa Abloy – Americas?

My biggest fear is the employees. You can put in all the technology in the world, but sometimes people will not be thinking; that is human nature. The risk is not just malicious in nature; mistakes can be unintentional. It is not just on email where this can happen, it can happen in file sharing environments. All it takes is one click. We have set up many training sessions to help combat this, with training on secure business processes and security awareness. I am lucky to have many years’ experience in university lecturing, so I know how to translate technical aspects into easy-to-learn steps. We do know people are getting better. What is making it tougher is that there are two things accelerating. Everything is increasingly global and accessible, and everything relies on cyber. You need to know where your data is stored, who the owners are and how it is classified. We can put protection in one area, but if we find a breach in another then you have wasted time and money. It’s not a security project, it’s a programme – a case of on-going management.

How should senior cybersecurity executives ideally work with the board?

I’ve been fortunate to work with security-conscious boards, but I would advise people not to scaremonger. It’s best to communicate honestly, to make them aware of risk levels and explain what can be done. Security teams ultimately don’t make the company money, but they certainly can generate value in the long run. Security is a wise expense that can keep boards out of the news if they’re provided with the right information to make an educated decision. We’re lucky now with GDPR and CCPA providing external standards and pressure. Most boards now know they will be held responsible; this means they are actually seeking out help from security leaders.

Do you have any advice for new CISOs to set them up for success?

Communicate, communicate, and communicate. Keep the business leaders and employees informed of the risks and what needs to be done to mitigate them. Be willing to compromise; there are some areas that might not have all the policies we want in place, but we have to find what will realistically be adopted. Security practices must still allow people to do their jobs properly and securely.
Interviews With CISOs
Tessian Spotlight: Giampiero Astuti, Group CIO at Astaldi
Wednesday, April 24th, 2019
Giampiero Astuti has served as Group Chief Information Officer at global construction company Astaldi since 2003. Before joining Astaldi, he worked as CIO in different industries (financial services, IT, and pharma / biotech) both in Italy and abroad.

What are your principal responsibilities at Astaldi?

My role is to define Astaldi’s information and digital strategy and, consequently, plan the evolution of the Group’s information systems. I am supported by a team of around 50 people, spread across different functions and countries. A vital part of my job is to enable better information management and communication across the business: Astaldi operates more than 250 sites in 20+ different countries, so our information requirements are quite complex.

How do you manage security risks in such a complicated global business?

Astaldi has more than 50,000 different active suppliers worldwide: we have a very varied range of product and service partners. This creates inevitable security risks. We also need to be careful when working with other construction companies on joint venture projects, which is a very common occurrence in our industry. We could be working together with a company on one project, but simultaneously competing with that same company for another separate tender. This makes information governance extremely important.

What are some of the most interesting problems CIOs in the construction sector have to tackle?

It’s worth stating that every sector has its own particular opportunities and threats, of course. But considering the fact that the construction sector can be quite traditional and conservative, CIOs have to maximize innovation by focusing on great change management and creating value from relatively limited IT budgets.

So how has the sector changed since you started working at Astaldi?

When I joined Astaldi there were no web apps or content management solutions: some information was still being shared by fax. Inevitably, much more of our activity is digital these days. There are so many fascinating new paradigms becoming more and more popular in the sector, such as BIM (Building Information Modelling) and Industry 4.0. These are great opportunities for us, but they are also significant security threats. As more and more devices and machines are connected to networks, the potential risks increase dramatically. In construction, we must also think of physical safety as well as data loss, so the risks are magnified even more if systems are corrupted or hijacked. There are also challenges bringing these new ideas into our work. We are experimenting with the possibilities of machine learning and other next-generation technologies, but when competing to win contracts it can be tricky to persuade a customer that a newer technology is going to be practical and cost-effective. Our projects range from hundreds of millions of euros up to multiple billions of euros: this scale can make the implementation of new technologies very expensive and complex.

Lastly, what are the key qualities of the best CIOs?

Firstly, I think it’s very important that CIOs are much more than just technical experts. I studied economics, for instance, and I think a broad understanding of business and project management is very important in this role. Technology knowledge will always be important, but CIOs must also have good soft skills like motivation and leadership. In my view, these are just as important as IT expertise.
Interviews With CISOs
Tessian Spotlight: Full Archive
Wednesday, April 10th, 2019
Earlier this year we started a new series of interviews called “Tessian Spotlight”—an exploration into the world of cutting-edge enterprise innovation and cybersecurity. In this series, we interview inspiring technology and security leaders across different sectors in order to learn about their backgrounds and accomplishments, the challenges they foresee in the future and the top insights that have helped them succeed in their respective fields.

Mark Ramsey, CISO, Americas Division, ASSA ABLOY
Mark Ramsey has over 30 years’ experience in software engineering and security. He is committed to education around cybersecurity, and teaches master’s-level students at Fairfield University, where he has been a Professor for the past 33 years.

Giampiero Astuti, Group CIO, Astaldi
Giampiero Astuti has served as Group Chief Information Officer at global construction company Astaldi since 2003. Before joining Astaldi, he worked as CIO in different industries (financial services, IT, and pharma / biotech) both in Italy and abroad.

Jaya Baloo, CISO, KPN Telecom
Jaya Baloo joined KPN Telecom 6 years ago, as the Chief Information Security Officer, to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

Kevin Delange, CISO, International Game Technology
Kevin has an extensive background in information security, systems architecture and communications. As Chief Information Security Officer at International Game Technology, he holds global responsibility for information security as well as governance, compliance and threat intelligence.

Richard Wakefield, CTO, Salford Royal NHS Foundation Trust
Richard is the Chief Technical Officer at Salford Royal NHS Foundation Trust, which he joined in 1998. His responsibilities range from infrastructure provision and digital equipment to cybersecurity.

Craig Walker, Global CIO, Shell International Petroleum Company
Craig Walker has nearly 30 years of experience with Shell spanning locations such as the US, Colombia, South Africa, Saudi Arabia, UAE and the UK. Originally joining Shell as a programmer in 1981, and after a 6-year stint at KPMG in the early 2000s, Craig is now the global CIO for the Shell Downstream business. This includes trading, manufacturing and refinery as well as the B2B businesses such as marine, aviation and retail.

Thomas Tschersich, Senior Vice President, Internal Security and Cyber Defense, Telekom Group
Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group with over 20 years of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group, from personal and physical security to cybersecurity.

Johan Kestens, former Chief Information Officer at ING Belgium and Luxembourg
As the former Chief Information Officer for ING Belgium and Luxembourg, Johan was, until September 2018, responsible for the complete IT stack and was part of the Executive Committee. An engineer by training, Johan has worked with a number of organizations before joining ING, including McKinsey, SWIFT, SAP and A.T. Kearney.

Michael Mrak, Head of Department Compliance & Information Security at Casinos Austria
Michael has been with Casinos Austria for 26 years. He started in the IT department and eventually took over the role of Data Privacy Officer in 2001. Responsible for overall information security strategy and working closely with the CEO, Michael establishes policies relating to compliance and anti-money laundering. As well as overseeing all the activities related to the development, implementation, maintenance and adherence to the organization’s privacy policies, he is also the link between his organization and the Austrian Ministry of Finance.

Don Welch, Chief Information Security Officer at Penn State University
As Chief Information Security Officer for Penn State University, Don is in charge of a range of things including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.

Sarat Muddu, IT Security Director, Kelley Drye & Warren
Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change in this Tessian Spotlight Series. According to Sarat, it’s important to embrace innovation in order to ward off threats.

Graham Thomson, CISO, Irwin Mitchell
Graham Thomson is the Chief Information Security Officer at leading law firm Irwin Mitchell. In this Tessian Spotlight Series, Graham talks about his career in information security and why he uses Tessian to keep Irwin Mitchell’s employees safe on email.

Duncan Eadie, IT Director, Charles Russell Speechlys
As IT Director, Duncan Eadie is responsible for designing and delivering the IT strategy at Charles Russell Speechlys. In this Spotlight Series, Duncan speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.

Craig Hopkins, Chief Information Officer, City of San Antonio
Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years, after spending more than 20 years in financial services. As CIO, Craig also manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes its mission, takes care of its employees, and remains secure.

Helen Rabe, Global Chief Security Officer, Abcam
Helen Rabe is a distinguished security leader, with wide-reaching experience across banking, telecoms, food and drink and, more recently, life sciences. We spoke with Helen, Global Chief Security Officer at Abcam, to understand her core driving principles when it comes to leading enterprise security programs and what impact cybersecurity technology can truly have on an organization.

Bridget Kenyon, Global Chief Information Security Officer, Thales eSecurity
Bridget Kenyon is the Global CISO for Thales eSecurity, where she manages operational information security across the organization. Previously, Bridget served as the Head of Information Security at University College London, where she built and matured the information security governance function for the university. Bridget is a member and editor for the International Organization for Standardization, where she has edited and developed the management standards in the 27001 series. Additionally, Bridget has published a book on ISO 27001, which serves as an ideal guide for organizations preparing for the certification.
Interviews With CISOs
Tessian Spotlight: Jaya Baloo, Chief Information Security Officer at KPN Telecom
Tuesday, April 9th, 2019
Jaya Baloo joined KPN Telecom 6 years ago, as the Chief Information Security Officer, to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

What are the greatest challenges you have overcome since you became CISO?

The one thing I keep telling my team that I can guarantee is we are going to get hacked. It’s because we are such a big network and also because we are an intermediate target to get to other targets. Obviously, we try to prevent as much as we can, respond as quickly as possible and verify as many actions as possible. The main challenge is to always keep thinking of new ways that we could improve our existing security measures in novel ways. We recently set up a new unit that invents new security solutions which we cannot find in the market, for example a post-quantum VPN tool.

How should CISOs work with the rest of the board?

People need to realize that security is actually sticky in that it is something very relatable to each and every role. You inherently realise that if you do not address a security issue then you will be exposing yourself to a risk. As a CISO, you should use this to your advantage: relate your cybersecurity objectives to the motives of the board and make it as relevant to them as possible. I also don’t believe that support for cybersecurity ends with the board; effective storytelling might work for senior leadership, but you ultimately need every employee on your side to realise how they can best defend the company within their role in order for this to work.

What needs to change about how most organizations are handling their information security?

A lot of companies are quite relaxed about their cybersecurity, almost too relaxed. This is usually because they are not measuring what is actually going on in their company. They tend to generally want to trust their employees, partners and vendors. The issue is that trust is ultimately just a social contract, and the health of this contract needs to be checked. So only if you monitor the behavior of your employees, partners and vendors can you give your trust to them freely. This is not a well-known threat for many of the larger companies.

How much of a role does human error play in data breaches?

Human error plays a huge role in data breaches. Whenever I talk about employees being a threat, I don’t simply mean the malicious ones who want to wreak havoc across your organization. A lot of accidental actions create many of these problems. That’s why creating cybersecurity awareness across a company is so difficult to scale. All forms of attacks tend to begin with some form of targeted phishing, which is very challenging because of the social engineering aspect. That’s why you need a system in place that takes these issues into account, and why the best solution a company can have is a mix of technology and user awareness.

Do you have any advice for new CISOs to help set them up for success?

CISOs typically come from a very technical background and tend to think that they need to develop their metaskills such as presentation or storytelling. Obviously this is not a bad thing, but it does become an issue when they invest in these new skills to the detriment of those core technical skills that got them there in the first place. So I would recommend obviously investing in those metaskills, but also doing a technical training session once a year with your team. Try to stay abreast of the newest technical trends as well by networking and speaking to other CISOs.
Interviews With CISOs
Tessian Spotlight: Kevin Delange, Chief Information Security Officer at International Game Technology
Friday, April 5th, 2019
Kevin has an extensive background in information security, systems architecture and communications. As Chief Information Security Officer at International Game Technology, he holds global responsibility for information security as well as governance, compliance and threat intelligence.

What are the greatest challenges you have overcome since you became CISO?

Most of the challenges you tend to face as CISO are people challenges, like understanding how different areas work and what their state of security is. This is critical, but can be difficult, especially when you are trying to integrate all the different operations into a single security unit.

What are specific tactics you use to engage the board?

The two main functions of my job are to communicate updates to the board and keep a finger on the pulse of the business. This means that I need to translate tech speak into business speak for the board, because if I can’t communicate it well, then nobody will listen. Therefore, the art of presentation is key and you should avoid communicating anything too technical. Ultimately, when speaking to the CISO, the board is interested in understanding our risk profile. If the profile is acceptable and you can communicate that clearly, they will be happy.

What are the most important KPIs or security indicators that gaming companies should care about?

From a high level, the two most important security aspects that every company should care about — not just gaming companies — are knowing what your attack surface is (i.e., the different attack points) and what your defences are. Based on those two, you can then determine what your KPIs should be. Other than that, understanding how well you are implementing governance, risk and compliance requirements and meeting your regulatory obligations should be on every company’s mind. You need to make sure you are operating in line with the regulatory requirements. If you are compliant and you understand what your attack profile and defences are, you can solve a huge portion of what the board is concerned about.

What needs to change about how most organizations are handling their information security?

Companies should accept that it is just a matter of time before something happens, and they need to be prepared for attacks to get through their defences. I’ve been exposed to a lot of organizations that focus entirely on preventing attacks and do not have a plan for dealing with successful attacks. It is important to be prepared for every scenario, and this is not something that many companies are doing. The key is understanding that technology is ultimately a means to achieving an acceptable risk profile.

What are the greatest information security threats to the gaming industry and how would you address these?

The biggest threat is phishing, and this is not unique to the gaming industry. Being able to deal with phishing attacks and reacting to successful ones should be at the top of everyone’s mind. Phishing attacks are basically 90% of the way people are attacking you; all other attack vectors are significantly smaller. Many threats can be dealt with quite well, but addressing the social engineering aspect that makes phishing attacks hyper-targeted is extremely difficult.

What do you read or listen to in order to stay on top of advancements in information security?

Information security is all about being up-to-date. The joke used to be that technology changes in dog years; now it’s more in the mayfly territory, where every single day something new comes up. I take advantage of any article that highlights new possible attack vectors, or helps me understand how I could deal with these attacks. If you don’t know what you are dealing with, then you will simply not be able to deal with it. Another option is to go to tradeshows or networking events that involve a lot of knowledge sharing.
Interviews With CISOs
Tessian Spotlight: Richard Wakefield, Chief Technical Officer at Salford Royal NHS Foundation Trust
Friday, April 5th, 2019
Richard is the Chief Technical Officer at Salford Royal NHS Foundation Trust, which he joined in 1998. His responsibilities range from infrastructure provision and digital equipment to cybersecurity.

What are the greatest challenges you have overcome since you became Chief Technical Officer?

The most difficult challenge was initially dealing with cybersecurity, but there has been a huge transition in how we view it. It used to be seen as something we did alongside the ‘day job’, but now it has taken a much more central role. The main challenge is embedding cybersecurity culture and awareness into teams, and ensuring that security is dealt with in the right way at all levels. Part of my role is to introduce cybersecurity topics to the board, to make sure leadership are aware of the risks that the organization is presented with. How these risks are perceived will then influence our strategic direction when it comes to cybersecurity.

How should security executives ideally work with the rest of the board?

Security executives should first become aware of the language they are using, and change it if necessary to suit their audience. Many of them come from a technical background and speak in highly technical terms. People from other backgrounds will struggle to understand cybersecurity if it is presented in a highly technical manner, and they may consequently fail to realize its importance. Analogies are powerful ways to help translate to a non-technical audience. It comes down to understanding your audience, including their backgrounds and motivations. This has been one of the most important things I have understood in the last couple of years.

How are most organizations handling their information security, and what should ideally change?

I think a lot of people don’t understand cybersecurity and how it could impact them personally or the organization they work in. People tend to view it as something that restricts people, rather than being an area that protects them. Most organizations need to do a better job of embedding their security team into the wider business culture. Security measures should be viewed as coming from within the organization, rather than as something alien. Another important aspect is to foster a transparent culture between employees about cyber risks, and have everyone be willing to report their mistakes.

What are the greatest information security threats to the healthcare industry?

Medical devices now have far more digital capabilities than ever before, but with this comes a higher risk of these capabilities being exploited. Hacking groups are aware of the value of the information held in these devices. Unfortunately, I see this risk increasing over the coming years as everything becomes far more digitally integrated. Another risk unique to the public healthcare sector is that funding tends to be very tight. Usually, cybersecurity is viewed as a cost-avoidance tool by decision-makers and is not prioritized enough as a result. This makes attracting and retaining cybersecurity talent, as well as having the right level of security in place, important challenges. The Salford Royal NHS Foundation Trust is fortunate enough to have a great team, but many other organizations struggle to retain talent.

Do you have any advice for new cybersecurity executives to help set them up for success?

It’s all about the relationships you have with the key influencers in your organization. You could be doing all of the right things, but if you don’t have the right support at the right level then you won’t achieve anything. It is also extremely important that you establish a cybersecurity performance baseline when you are just starting out. A lot of people start changing things as soon as they start, but if you can’t compare your changes to anything, then you won’t know if you’re improving. Therefore, the first thing you should do is simply observe and establish a baseline for yourself of what is going on.
Interviews With CISOs
Tessian Spotlight: Craig Walker, Global Chief Information Officer for Shell Downstream at Shell International Petroleum Company
Tuesday, March 26th, 2019
Craig Walker has nearly 30 years of experience with Shell spanning locations such as the US, Colombia, South Africa, Saudi Arabia, UAE and the UK. Originally joining Shell as a programmer in 1981, and after a 6-year stint at KPMG in the early 2000s, Craig is now the global CIO for the Shell Downstream business. This includes trading, manufacturing and refinery as well as the B2B businesses such as marine, aviation and retail.

What are the greatest challenges you have overcome since you became CIO for the Downstream business?

I was originally brought in to put the IT processes right, as Shell was not doing the best it could have been at the time; it wasn’t moving quickly enough or being very agile. I managed to cut down my budget by 44% by the end of 2018, all at a time when digital transformation is one of the hottest topics in the board room. It was a difficult process, but we ultimately managed to do this through various initiatives to increase talent and reduce the number of outsourced employees. I also restructured my team to make sure that everyone had the skills, such as agility and speed, to thrive in a modern IT department. Another key action I took when I arrived was to outline the 3 themes that my team would cover:

1. We focused on commerciality. If you don’t understand how the business makes money, then you cannot be an effective IT person. You have no accurate framework of how to prioritise your work. Everyone at Shell is a business person; it just so happens that IT people come to work with an IT toolkit.

2. We established one true team. You cannot have a high-performing team if people cannot work effectively with each other.

3. The team became very results-oriented. It’s all about putting a dollar on the bottom line of the business; ultimately, that’s why you are doing it.

Another challenge is keeping up-to-date with all of the tech nowadays which, as an IT leader, you absolutely must do. You have to have the 101 knowledge to engage the business effectively and understand the possibilities of the tech. Ideally, 10% of your time should be spent learning about new topics.

How should CIOs ideally work with the rest of the board?

The CIO has to use the same business speak as anyone else does; you have to take your speciality up to a level where colleagues understand why it is relevant to them and their bottom line. Otherwise, it will not have an impact. Another very important aspect is having the ability to tell a story and bring a vision to life. For example, I use clips from JFK’s Moonshot speech a lot and, at one point, he says that they are going to build a rocket out of material that hasn’t been invented yet. Well, I’m trying to build a business model with technology that people are just beginning to understand. You have to be able to convey all of this in a convincing way and show the rest of the board the art of the possible without overselling. You have to show up as a business person, which is not easy for a lot of CIOs as they come from a highly technical background. This is why I say that one of my greatest learnings at KPMG was the ability to tell an engaging story to a client.

What needs to change about how most organizations are handling their information strategy?

One of the largest issues right now is that many organizations are swamped with data. For us, the amount of data coming from plants etc. is immense. However, it is important to capture and use as much of that data as possible. In essence, the change in strategy nowadays is that, because nobody knows what the data will be used for yet, you had better make sure to capture as much of it as possible. It used to be very prescriptive, whereas now companies such as ours are much more open-minded.

What are the greatest information security threats to the oil & energy industry and how would you address these?

There seem to be two levels of threat nowadays: you have people who want your data because it costs a lot to get, and then you have people who want to do you harm. Because of the new regulations in place (e.g. GDPR), information security now has to be much more encompassing in protecting the consumers and the brand. The main threat is damage to the brand, because any company that has a high level of trust and then suffers something like a data breach will immediately lose that trust. This will affect your business. At the same time, the amount of data is growing, so it is now becoming much more difficult to keep it safe. Ultimately, nobody can create a perfectly safe environment, but you have to do your best, and this is not unique to our industry.

Do you have any advice for new CIOs to help set them up for success?

Whenever I am in a new position, I always write myself a 30-, 60- and 90-day plan. In the first 30 days, you should just listen to everyone and build up your own picture of what is going on. Be sure to test your opinions by playing them back to people constantly, and listen to the business team a lot. You need to understand what they want to achieve. Once you have a picture of the business, don’t be afraid to make difficult decisions about people. Have a vision in place and see who fundamentally buys into it and who doesn’t. Whenever I delayed decisions about people, I almost always regretted it. Somewhere within those 90 days, you should set out your plan of action and learn who is going to give you unbiased feedback. Finally, try to network with your fellow CIOs in your and other industries to keep exchanging knowledge.