Episode #79 Making the cyber sector redundant with Nick Ellsmore
After the success of Nick’s first episode, we welcome him back to discuss what has changed since we spoke a few years ago. We chat about the cyber job market, how things have changed through COVID, how ‘good cybersecurity is boring’, shadow IT, and Nick’s thoughts on the future of cybersecurity.
Nick Ellsmore has started, built, merged, acquired and sold multiple cyber-security businesses. Now Global Head of Strategy, Consulting & Professional Services at Trustwave following the sale of Hivint to Trustwave in 2018, Nick previously founded SIFT (which acquired Safecoms and merged with Stratsec), sold to BAE Systems in 2010. The inaugural "AISA Information Security Professional of the Year" in 2012 and a past Australian APEC TEL delegate, Nick is an advisor to universities and fast-growing cyber startups including Bugcrowd, is a published author on the topic of cyber security and a keynote speaker on various things cyber and startups.
Links:
Episode 12: The Cybersecurity 'Roles' Crisis with Nick Ellsmore
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today we welcome back Nick Ellsmore. Nick, it's great to have you back on the podcast; your episode from season one remains number two of all time downloaded episodes. And so by popular demand, welcome back!
NE: Thanks Claire. I'm flattered and glad to be back here.
CP: So when we met you back in season one, we talked about how you'd built your career, you'd built multiple security businesses, and we covered some of your opinions on the skills crisis, which you termed the security roles crisis, if people want to go back and have a listen. So has much changed in this space do you think since we last caught up? And are you seeing a shift in the cyber job market, for better or worse?
NE: It's a fascinating question. It's definitely changed. The interesting part for me about that question about whether it's changed, for better or worse, is for who? You know, like what lens are we looking at this? So I'll break it down into three different aspects. One is, for me as a cybersecurity professional. The second is for me as a manager who's trying to hire a team and run a business. And the third is sort of for the economy overall. For me, as a cybersecurity professional, I think it's fantastic. You know, it's a hot market, I get approached every week with interesting job opportunities, venture capitalists offer to firehose money at me to start businesses, like it's a great time to be alive. For me, as a manager, it's pretty challenging. You know, I still need the economics of the business to work. And that's, at times, that's getting hard. You know, I think the positive piece from the business side is, it's really starting to force everyone's hand in terms of really investing in learning and development and graduate programmes and interns, and really building out the base of people in the industry. And then the last piece for the economy overall, I don't necessarily know that it's great there either. Because the dynamic we have at the moment is, you know, we have above average attrition, above average mobility between roles, a lot of people moving around, all the research says people are of below average effectiveness in the first few months in a new role. And so if you take it at a macro level that an above average number of people are in new roles, then you're effectively saying that a disproportionately large part of the cybersecurity industry is currently not functioning at 100%. And that can have a pretty significant impact. But key piece for me is, it is really, really positive, that it has driven graduate programmes, intern programmes focus on learning and development, diversity, and all those other things to try and help solve the issue.
CP: It's actually a really interesting point about productivity, this great resignation that everybody keeps talking to me about. And you know, we've covered it in a number of episodes in this season of the podcast. It's a really interesting thing to consider that if 40% of people move on from their jobs in the next 12 months, the productivity and the effectiveness and the culture shift that's going to occur will be incredible.
NE: It's enormous. And it's even, it's even more pronounced in the professional service firms. You know, I mean, that the, you know, they're having the same issue in accounting and auditing in consulting, like all across professional services, this really high attrition. And it's absolutely a known fact that, you know, if you bring a new person into a professional services organisation, there's at least, you know, best cases, three months, more likely, it's going to be six months. In some cases, if they're, you know, relatively early in their career, it could be one or two years before they're, like really, really able to be self reliant. They know all the processes, they know all the systems, and they can really just get out there. And so when you have, you know, 30/40% annual attrition, and you multiply that out across the economy, it's a massive, massive, massive impact.
CP: If we take a step away from just the skills and the sort of employment community, I suppose and look at cyber more generally, what do you think have been the biggest shifts in the cyber industry over the last two years or, you know, 18 months to two years since we've had such a change in the way we operate?
NE: So I think the first one and you know, this is probably predictable, is around the supply chain. But I think the piece for me around the supply chain is I think what we've seen in supply chain risk is the broad acceptance or the broad awareness of it as an issue and it's taken a decade you know. I mean, RSA and Lockheed happened literally a decade ago, and at the time, if you go back and read the articles at the time, the articles were saying, supply chain risk will never be the same again. This has made everyone aware of the risks around the supply chain, it's all changed. And then within, you know, 12 to 24 months, we'd forgotten it all. And then when SolarWinds happened, everyone goes, oh, wow, I didn't know that was a thing. It's like, yeah, yeah, it happened 10 years ago. But I think now, it's so pervasive, just in terms of everyone's awareness, that it is just unquestionably, you know, a big issue. The second big shift that I'd call out is really around the fact that everyone's realised cybersecurity is a really, really hot market. And it's a supply side constrained market. And it's one where, ultimately, if you have capacity, you're probably going to be a viable business. You know, a lot of buyers can't really tell the difference between cybersecurity services. It's probably not a popular message, but I have some real concerns about the quality of advice that a lot of organisations are receiving. But, you know, there's definitely that recognition that it's a hot market, and a lot of people are pouring in. And then the third big shift is, I'll borrow a term that I think I stole from Brian Wakely, which was marketecture, which is the sort of crossover between marketing and architecture. And it, it's a way of capturing this idea that it's no longer enough to be secure, you also now need to be seen to be secure. And so security has started becoming something that really needs to be, it needs to have a marketing department.
You need to tell your digital trust story, you need to be able to communicate your values, you need to be able to really have an external facing security team. And more and more organisations are going to start to sort of build that out. But I think over the last couple of years, that's been one of the big trends.
CP: It's interesting, because I wrote a blog about that a while ago about whether or not organisations had a level of comfort talking about the controls they've got in place, and, you know, did building trust with customers equate to customer retention. And, you know, I wonder if people are doing the sums around that as well in that trust relationship now. Especially because a lot of people aren't going into stores or meeting people face to face to build that trust with consultants and the like, a lot of it is remote. So you wonder if that desire to inject marketing into how we do cybersecurity and how an organisation presents cybersecurity will catch on.
NE: I find that the tech industry tends to front run a lot of these security trends. And it's interesting, because I guess it used to be the banking and finance would sort of be the leaders in the way security was approached and that sort of thing. And to their credit, I think if you do go back, you know, quite a few years, the banks were probably the first ones that had, you know, pages on their website about, you know, here's how you can help secure yourself. Now at the time it was go download some antivirus software, and you know, good luck with that. Whereas now, you know, there's whole pages and pages and pages and awareness campaigns and everything else. But if you look at the tech companies, you look at, you know, trust.salesforce.com, trust.microsoft.com, trust.atlassian.com. The resources that are available, the amount of material and thought that's being put into how to explain their security philosophy and approach and really to enable security in their partners and their customers, is really enormous. And I think going back to the supply chain risk piece, one of the things that I think needs to be looked at a lot more by organisations is if your suppliers are really that important to your business, why aren't you helping them? I don't just mean like sending them a questionnaire and saying fill this out because your job is to be secure. Help them, like genuinely help them. Why wouldn't you let them come into your awareness programme? Why wouldn't you help share resources? If you have 1000 suppliers and you want them all to have a good policy, write one for them, hand it out. I think that that concept of genuinely working with your supply chain on their overall security is something that needs to become a lot more prevalent.
CP: There was an interesting conversation I had with Paul from NBN earlier this season. He is the first episode of the season and we literally called the episode you know, Cyber Marketing 101, but the focus was much more on using marketing tools inside your organisation to market to your employee community and be using those sort of marketing tricks I suppose, to get your employee community to really engage and understand why cybersecurity is so important. Because you know, we all know that it only takes one person in whatever team to click on a link, and it can take the whole place down. But, you know, really using the same way that companies put ads on TV and billboards, and you know, those types of things as a mechanism to get people involved, really, we need to start leveraging that if we're going to be able to trust our employee community to not to do the wrong thing as well.
NE: We did a security awareness campaign for one of the banks, would be a few years ago now. And we actually did it in partnership with a PR firm. And the exercise was basically, look, you know, we need a slip, slop, slap message that we can just pound away on and try to get something that's going to cut through and be memorable and all those sorts of things. But even just, you know, as you say, the tips, the techniques, the way that we get messages to stick, as a cybersecurity industry, it's not necessarily something that we're great at. But there are plenty of people out there who are great at it.
CP: If we talk about messaging, you were quoted last year, in an article saying that good cybersecurity is boring. I loved that. And I guess to give the audience context, you were actually referring to why bad stories, of you know fear, uncertainty and doubt, are used to obtain funding around cyber. And how, you know, that seems to be one of the key ways that CISOs and security leaders or those accountable for security, they have to pull that lever and use that stick in order to get budget. How do you think CISOs can get better at selling cyber hygiene as a good news story?
NE: So firstly, I love the fact that we've finally all relented and we're now going with CISOs. Whereas, you know, deep down, we really want to call them CISOs, but we just can't because the Americans have won! CISOs, sure let's do that! I'll start off with a slightly challenging sort of perspective on this, and then I'll come to a more acceptable sort of viewpoint. I believe that boards have to own a lot of that responsibility. And they currently don't. You know, this is supposedly a top three risk on many boards, but how many cybersecurity experts do you see getting appointed to board vacancies, you know, there's not very many. It's fine to say that CISOs need to get better at talking to boards, but boards also need to get much, much better at understanding what they're being told. The example that I give is if you tried to say as a director, I'm not an accountant, so I can't be expected to understand the financials, you would get laughed out of the room, and you'd probably be prosecuted when something went wrong. Whereas we still have plenty of directors who would say, you know, I can't be expected to understand IT. It's 2021, you can be expected to understand IT. If you don't understand it, either you need to get familiar enough with it, to be able to deal with the information you're being told, or retire. You know. So that's kind of my perspective on the board side. Now, that being said, I also understand that, you know, there needs to be a more practical sort of set of advice for CISOs, about how they can communicate. And I think I've got two pieces there. The first is, don't claim success for not having incidents.
My point there is if we acknowledge the fact that there are very, very few CISOs who are in anything like a position to spend as much as they would need to, to, you know, really be confident that they're not going to have an incident, then the last thing you want to do is try and present that you have somehow created the situation where you don't have an incident, where you haven't had an incident. So if a board ever or your senior executives are ever saying great job, you didn't have any incidents, take the time to say that your efforts are valuable, but insufficient. It was good luck as much as good planning. Because that's going to help you when you then do have an incident to sort of point back to say, look, I'm not taking the credit, I'm also, you know, not going to take the blame. The second piece is and this is where it comes to the boring piece. My key message around boredom is so much of security needs to be about the basic controls. I mean, we're still talking about patching, we're still talking about multifactor authentication, we're still talking about end of life technology, all those pieces. The piece about boredom for me is, one of the most powerful things you can do is focus on the completeness of coverage. What I mean by that is if you look at something like the Essential Eight, like there's nothing in the Essential Eight that is exciting. And there's really not a huge amount in the Essential Eight that requires investment in sort of specific tech, it's ultimately process. And process is about completeness. You know, if you have a patching regime, the question is not, do you have a patching regime? Yes or No. It's okay, what proportion of systems are patched within whatever timeframe you say they're going to be patched in. You know, what proportion of systems are, you know, subject to, they're able to be patched or they're end of life. You know, if you have an endpoint security technology, what's the proportion of the fleet that it covers.
Because when you start looking at that, what you find is, in almost every case, you've got, you know, 95/96/97% coverage. And then there's these edge cases, which are, systems don't get connected very often, systems that belong to board members and so they don't want MFA because that would, you know, require them to learn a new thing. And so you start having these things that are basically, you know, holes in the wall. And my view around the completeness of deployment, completeness of coverage is, if you can invest in closing those gaps, then you at least know that the controls that you've decided were appropriate, are now in place. And so now whatever happens, is happening on the basis that it is something breaching the controls that you said were in place, rather than going around the controls that were in place.
CP: So tell me then about shadow IT or business-led IT or whatever you want to call it. But you can put all the controls in place that you want, but then some person in a department buys something, buys a SaaS product on their corporate credit card or gets a free one. And starts kind of putting information out there that might have PII or might be sensitive, where do you go from that? And how do you educate the board about that? Because often directors and executives are the bad guys that are doing the shadow IT.
NE: The question with shadow IT is why is it necessary? The really, really simple premise that I always go back to, and I actually can't remember who told this gem to me early in my career, but you know, you have to make the secure way the easy way. All of those cases where people are using shadow IT is they're trying to solve a problem that the business has not currently given them a way to solve. In almost every case that I've seen, they're not doing it out of malice, they're not doing it to try to be devious, you know they're not feeding information to the Russians, like it's just they need to get this file from here to this other company. And it's too big to fit in, you know, whatever technology the company has available, and the security team has locked down OneDrive, so they can't share files outside of their company. They can't use USB, because USB drives have been locked down. And it needs to get there tomorrow, their business need is to get that file from here to there. If you don't give them a way to do that, they're going to find a way to do it. And that's where shadow IT comes in. The key piece for me is sort of having almost this concept of an amnesty, and basically going we understand we've done some things incorrectly in the past, we put security policies in place that result in the wrong outcome and perverse behaviours. Just like tell us what you're using, tell us what you're doing, we'll find a way to solve it. But also when those things come forward, you can't then start, you know, beating people with a stick and saying, well, you know, there is no solution to that problem, so we're not going to solve it, just stop doing it. Like no, you know, that's trying to, you know, trying to encourage people to pursue abstinence is probably not going to be successful.
CP: Yeah. And I think to your point, you would like to think that most people, you know, we assume good intent, and that they are using those tools for productivity and to get things done. And so it's a million dollar question, you know, how do we stop people from inadvertently creating the holes in our network that the bad guys can just step straight into?
NE: Yeah. And again, I think, you know, make the secure way, the easy way. Just focus on that. Understanding the business and so understanding that these requirements exist and having a process for people to raise it. Generally speaking, when people are doing this, it's because they've found a need, they need to solve it right now. And, you know, there's just not, there's just not a process or a willingness, there's just not a way to enable it.
CP: Nick, before I let you go, I'm really keen to know what your prediction is for 2022. What's the next big thing for the cyber industry, next year and beyond?
NE: That's a big question. So I think my perspective on this is, we're currently having our moment in the sun, you know. The cybersecurity industry, we spent so long trying to get people to listen to us and take the issue seriously, you know, we're now getting that, you know. Everyone listens, we're on the front page of the paper. There's money everywhere for new ideas, for you know, for employees, but like everyone, like it's just a great time to be in cybersecurity. I think it's important that we don't lose sight of the fact that this is actually a bad thing to have to spend money on. Like, the reason that we're doing this is not healthy. And from my perspective, you know, being a consultant talking to our clients, I get clients don't want to do this, like, no one gets up in the morning and says, wow, I can't wait to, you know, put better locks on my doors. It's just not a thing. All of the industry outside of cybersecurity, want this to go away, they want this to not be an issue anymore. And so I think we need to remember that, in a sense, our job is to create the entire redundancy of this sector. Like, if we actually do our job well, then we all have to go and do something else, because security is no longer an issue. Which would be fantastic at a sort of, you know, macro economic society kind of level. But my prediction for the next big thing is, I think the industry will need to, will be forced to, start standing behind a lot of the products and services that it's selling a lot more than we have in the past. And so that means things like, you know, bulletproof service level agreements, it means warranties, guarantees, sort of a pseudo insurance kind of self insurance kind of model.
And there are a couple of them that have started coming out, you know, which is effectively organisations that are confident enough to say, you know, if you come onto my platform, use this system, then, you know, if you have an incident, we'll cover all the costs of responding to that incident. I think that type of concept where organisations are actually confident enough to say, if we can control your security environment, then we will basically indemnify you against any losses that come. I think that's what we're ultimately going to be headed towards. But there'll be a lot of baby steps towards getting there.
CP: The cyber insurance industry seems to be trying to find its feet a little bit at the moment. And you know, many, many organisations are now saying, okay, we need to have this. But that feels like a financial tool, it doesn't feel like a strategy. It's certainly not a strategy. There are organisations that use it as a strategy. But my concern is that our organisations are leaning too heavily on outsourcing that risk and that responsibility, and to your point, would they buy from an organisation or partly an organisation that gave them that surety or that guarantee because they feel like they're giving the risk to somebody else.
NE: Again, at a sort of big, big picture level, I think where this goes is, you know, if you look at the slow progression, maybe it's not slow of, you know, Microsoft and AWS and Google, taking more and more of the security market and, you know, more and more of the security around the pieces that they're already sort of providing and managing. I think it's only a kind of a small step from there to effectively say, well, if you're going to hand over sort of all of the control of the IT, the how things are set up, how things are built, how things are run and everything else, why would you possibly accept the responsibility for something going wrong? Why would that be your problem? And so I think, you know, we will inevitably end up in a situation where I mean, ultimately just you know, standard trade practices, law type concepts, start to you know, start to be enforced on this. We haven't for the last 30 or 40 years but I'm still living the dream.
CP: Legislation and then judiciary will catch up at some point.
NE: When I was at uni, my law professor had a poster on his wall that said 'law moves at a pace second only to geology'.
CP: You'd like to think they'd been changing that, but I don't think so. Nick, it's always a pleasure to have you on the podcast. Thank you so much for coming back. I'm sure we'll have you again. And I'm really grateful for your time today as always.
NE: Thanks Claire.