To celebrate the end of Series 1 of IDentity Today, we’ve compiled some of the best bits.
Guests John Buckley, Noel Allnutt, Audrey Jacquemart and Amie Dsouza discuss important cyber themes, like who’s responsible for security, the human element and the challenges of finding tech talent.
Part 1: The human element
To kick things off, we’re looking at the human element of security, particularly around managing insider threats. We spoke to John Buckley (PhD), HSM Training and Consultancy.
Blair: How do you understand the motivations behind insider threats?
John: Anybody who’s been in a management course will be very familiar with Maslow’s Hierarchy of Needs, where there are four or five different groups of motivation. And at the end of the day, we all bring our own prejudices to the discussion of human motivation.
A lot of us think it’s about money; people will always do something bad for money. But Maslow’s is a very simplistic way of looking at things. Looking at money as a motivator is very often a deeply flawed way of looking at things. But it’s an easy way to think that someone can be bought and that a bad person is easily bought. But we would never be bought, and we never want to see that we would betray our organisation.
B: You say money is a flawed way of looking at a way to exploit a person, but what other ways are traditionally used and who is it that is doing the exploiting?
J: There are two ways of looking at this. There’s a lot of common threats out there that we’re all aware of: the business competitors that are looking to gain some sort of inside knowledge of products a company may be developing. We’ve got the international actors who are there from the point of view of industrial espionage. We’ve got the people who are trying to do denial-of-service attacks and blackmail companies into providing them with money.
Those threats are generally well understood, and they are more likely to be proactive in going after people. But what is very often overlooked is the individual who begins this journey themselves. They look for a path to vengeance because of something that the company has done to them. So they’re almost like a self-starter and then they go and look for a way to hurt their company.
Part 2: Who’s responsible for security?
Another big talking point throughout the series was around the responsibility for security as a discipline. Whose role is it within an organisation? We spoke to Sekuro’s Managing Director, Noel Allnutt, highlighting the challenges around securing the modern workplace.
Blair: One of the big challenges we’re seeing in organisations is figuring out who is responsible for security. Or what group of people are responsible for the overall security posture?
Noel: That’s a good question! So, who’s responsible? Well, if you break it down to who would get fired if there is a breach, that would be the CSO and potentially the CEO. They are the people whose heads are on the block for this. It’s a fairly thankless task to try and secure against global threats, which can move faster than you can. It’s a tough one.
So, that would be where you have to look at the overall responsibility. It’s a shared responsibility. It’s everybody’s problem. The CSO can’t sit on your couch at night and check your emails to make sure you don’t click on a link, and with all of us working from home, there has to be a level of common sense and responsibility.
We’re starting to see cybersecurity awareness training mandated inside organisations, and that’s something that we really support. It’s not fair to give the responsibility to the people without giving them adequate training. It’s becoming a significant part of a business’s onboarding, as well as the ongoing training and uplift of their staff.
We’ve seen some organisations align bonuses to cybersecurity strategy, and those bonuses are either for the whole of business, to make sure that they are maintaining the right amount of day-to-day hygiene. Then also those bonuses aligned to brand reputation and preventing the organisation from a breach.
I think that’s important. But again, that comes back to that responsibility. Who’s getting the bonus for it? It’s the person who’s responsible for it. Just the same way as Sales Directors get a commission when the dollars come in. Overall, it’s a shared responsibility. No one or two people can take absolute ownership for it; the accountability sits at the C-Suite. The responsibility sits with everyone.
Part 3: Tech talent
Lastly, a problem that every business leader deals with: the challenge of retaining talent and managing the gender imbalance in tech. Daltrey’s very own Audrey Jacquemart and AGL’s Amie Dsouza provided some critical insights in the episode ‘Walk the talk – Carving a path for women in security’.
Blair: We want to talk about how we can start to address some of the challenges that are being experienced right now. But I think it’s important to initially discuss some of the root causes that exist in that regard. How have you seen that manifest in your career, Amie? How does it actually happen, this gender imbalance across the workplace?
Amie: I’ll try to be more specific to the cybersecurity space. I believe there is absolutely no doubt that there is an inequality in terms of numbers and also in terms of the roles that women take up in cybersecurity teams. And I don’t find it very surprising, to be honest.
If I look around at my team, most of the people have come from either a networking or network administrator sort of background, solution architects or platform management – those sort of backgrounds. And those are traditionally not roles that women have had 50% parity in anyway. So if they’re coming from those backgrounds to cybersecurity teams, obviously there will be much fewer women.
B: Throwing that over to you for a second, Audrey. How do you think we can start to address the imbalances that exist?
Audrey: In my view, we really have to address it from the root. I do believe it’s not just about getting more women into the so-called ‘male-dominated industries’. It’s also having more males in what we currently call ‘female-dominated industries’.
That’s where it starts, and it starts way before university. It’s not just about getting more women into STEM, because how do you get them into STEM after they’ve made the choice to go to university? They’ve already decided way before that.
We were talking about unconscious bias before, and it starts all the way from birth. So for me, every day it’s a conscious choice to explain to my daughter that there’s no ‘boy thing’ or ‘girl thing’. It’s anything that you want to do. It should be the case for every kid to understand that if you want to be a midwife but you’re a boy, then go for it!
Want more insight into the world of security, identity access management, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.