Episodes
-
Geopolitics is increasingly influencing cybersecurity.
The growth of online espionage, the potential for attacks by state actors, and governments turning a blind eye to cybercrime are all increasing risk.
At the same time, our growing dependency on connectivity, in government, in critical infrastructure and for day to day business, makes cyberspace an attractive target.
But it's not always been this way. In the early days of information and IT security, nation state threats were rare.
But, as Steve Durbin, CEO of the Information Security Forum points out, a lot has changed over the last few decades, and especially in the last few years.
In this Insights Interview editor Stephen Pritchard asks whether we are now more at risk than ever, if the current level of cyber threats could spill over into a more overt conflict and whether organisations have the resources to operate in a more dangerous world.
-
There's a lot being said (and written) about deepfakes.
And there is no doubt that they can now be very convincing, to the point where they can deceive the human eye.
But are deepfakes just a bit of fun, or do they pose real security risks? Do the dangers lie in manipulating public opinion through fake news, or can deepfakes be used to breach security systems?
Our guest, Dr Andrew Newell, academic researcher and chief scientific officer at iProov, argues that both are happening. Security teams need to take steps to block deepfakes from compromising identity systems, but we all need to guard against their wider influence.
Interview by Stephen Pritchard
-
Software as a service, or SaaS, has been a huge success. There are now some 30 thousand SaaS applications on the market worldwide. These cover everything from niche requirements to running entire businesses.
The SaaS revolution has certainly brought benefits to businesses.
But are SaaS applications secure and robust enough? Supporters of SaaS argue that their applications are actually safer and more resilient than locally-run IT.
However, cloud vendors, including SaaS companies, rely on the shared responsibility model. In simple terms, they look after the infrastructure, but the customer is responsible for their data.
This can leave organisations with real problems, if their data is inaccessible, or even deleted.
This could be down to human error, malicious actions, such as a ransomware attack, or even a SaaS provider failure.
Our guest today is Simon Taylor, Founder and CEO of HYCU. He believes that SaaS users need to take more control of their data, even when it's in a SaaS application.
-
Europe's cybersecurity industry is worth some $50bn and is growing at 10% a year.
It's also pretty fragmented – at least when it comes to vendors. Europe -- even more so than the US -- is now ready for market consolidation.
Some of that is being driven by acquisitions by the large technology firms, as they look to broaden their cybersecurity offerings.
But firms, and their investors, are looking for scale.
And CISOs are looking for simplicity and greater security. Could vendor consolidation achieve this? And what is the role of cybersecurity "platforms" as the industry changes shape?
Our guest is Mark Smith, of advisory firm Houlihan Lokey.
Interview by Stephen Pritchard.
-
Conventional security training leaves a lot to be desired.
So what can CISOs do, to deliver training and security awareness in a way that is effective, and engaging?
Over the last few episodes we've discussed both the psychology, and human factors, around cybersecurity. To finish the series, in this programme we will look at experiential learning, or learning by doing.
Our guest is Amy Stokes-Waters. She delivers exactly that, by running escape rooms for organisations who want to improve security awareness, but want to move away from slide-heavy courses, and checkbox compliance. She's also written a paper on experiential learning in cybersecurity.
But does it work? She discusses cyber escape rooms, learning theory, and the pros and cons of measurement with editor Stephen Pritchard.
-
How do we manage the risks posed by human behaviour?
In this, the second of our short series exploring the links between human behaviour and security, we look at the emerging field of human risk management.
The statistics are quite frightening: 90 per cent of security breaches involve human error or social engineering.
But how do we, at a business level, categorise those risks? If we don’t understand the risks, we can’t reduce them.
A better understanding of where the risks are – and which behaviours are risky – makes it easier to design counter measures, such as training.
Our guests this week are Lev Lesokhin and Charlotte Jupp, of OutThink – a firm that’s pioneering human risk management.
We discuss what human risk management involves, and how security teams can make use of it, without crossing privacy boundaries.
-
How important is human behaviour in cybersecurity? How well do we know our people, and do we understand the risks posed by individuals' actions?
Research suggests that the overwhelming majority of cyber breaches start with human error or poor practice. But despite investments in security training and security awareness, we still make mistakes.
Over the next three episodes, we will examine some of the human factors around cybersecurity, including human risk management, and how we change behaviour.
We'll start the series by looking at the psychology of cybersecurity, as well as how to measure change.
Our guest is Dr Thea Mannix, a neuroscientist and head of research at Praxis Security Labs.
-
Our guest for this episode is Tim Freestone, of Kiteworks. He’s a long-standing expert in data protection and data privacy. And he's been following the growth of AI, and what it means for data privacy, security and confidentiality.
Even data specialists have been surprised by the rapid take-up of generative AI and its benefits. But do we have the measures in place to guard against the potential security risks it brings?
It is not just malicious hackers who make AI tools such as chatbots a risk. Even something as simple as pasting information into a generative AI tool can cause problems. And he argues that we need to apply security's zero trust approach to AI too.
Interview by Stephen Pritchard
-
Any advanced economy relies on the smooth running of its infrastructure.
And whether it’s transport, logistics, healthcare, the banking system, manufacturing – even food production – industrial and operational systems are what keep it all running.
Those systems are now being targeted by malicious actors. Both state-sponsored and criminal groups are looking closely at operational technology and industrial systems.
Recent research suggests that many, if not most, of the groups attacking critical national infrastructure are linked to national intelligence agencies. And that raises some difficult questions about how both businesses, and their governments, should respond.
Our guest is Mark "Magpie" Graham, technical director for threat intelligence at Dragos, who carried out the research.
-
It's hard to put an exact figure on ransomware attacks. All the available research shows incidents continue to grow year on year, and that the vast majority of cyber incidents are now ransomware or other extortion attacks.
But could more transparency and information sharing help defend against ransomware?
If more organisations disclosed attacks, we would have a clearer picture of the problem and be able to respond more quickly to new techniques or attack vectors.
That's the argument put forward by this week's guest.
Sabeen Malik is vice president of global government affairs and public policy at Rapid7. She has put together a ransomware disclosure framework, based around the "3 Cs" of capabilities, context, and collective action.
She tells Stephen Pritchard how it works, and why it could help.
-
The idea of cyber war is not new; researchers first suggested the concept 30 years ago.
Since then, there's been a debate on what cyber war means and what can be done to prevent it.
Some experts even suggest cyber war is already happening, even if it is mostly in the shadows.
For Peter Kestner, the rise of cyber attacks and an increasingly volatile geopolitical situation were just two of the reasons to examine cyber warfare in more detail.
Peter is both a keen student of history, and a cybersecurity professional with over 25 years' experience in consulting in the sector.
He decided to combine the two interests, and the result is his new book, "The Art of Cyber Warfare".
Peter believes that by looking into conflicts in the past, we can learn valuable lessons about how warfare, and especially cyber warfare, might develop. But history can also teach us how to improve our defences, against adversaries who are as comfortable attacking civilian as government or military targets.
Please note this episode contains some stronger than usual language.
-
The CISO’s role is changing; that is clear enough.
Indeed, constant change and the need to adapt is always a feature of cybersecurity.
And that’s why our guest this week lists curiosity as one of the key attributes for a cybersecurity career.
Mani Nagothu is field CISO at SentinelOne. Before that she headed up IT security for an energy company. That followed a career as a consultant.
She didn’t start out in cybersecurity, though, but as an engineer. And the CISO’s role itself is becoming less technical, and more business focused, she says.
In this episode Mani talks to Stephen Pritchard about her career so far, what it takes to be successful as a CISO, and why greater diversity is the key to strengthening our security teams, and so our defences.
-
The cybersecurity skills gap is a problem that won't go away.
Worldwide, there are close to 3.5 million vacancies in the industry. The problem seems to be worsening, not least because we are all doing more business online.
And moves to recruit and retain more staff, as well as to widen the talent pool, take time.
In the immediate term this leaves CISOs with gaps to fill. One option is outsourcing. Another is to use “on demand” cyber specialists. But how do these options work with building larger and more effective in-house teams?
Do they go hand in hand, or are the two measures likely to conflict?
In the second of our three part series looking at the evolution of the CISO role, we speak to Victoria Parker, advisory professional services manager at Orange CyberDefense.
We discuss how external experts can help organisations secure their environments now - but how CISOs still need to invest in their own teams, and that critical talent pipeline.
-
What is a chief business security officer, and what do they do?
IT and data security are increasingly important. But so too are physical security and resilience.
The chief business security officer, though, is a fairly new addition to the security team.
Over the next three episodes of the Security Insights podcast, we’ll look at the changing role of the CISO, and the role interim or outsourced security professionals can play in plugging the skills gap.
We’ll cover the role of interim and virtual CISOs, and whether outsourcing parts of security can make up for a growing skills gap.
But first, we ask Anaïs Beaucousin, Chief Business Security Officer at ADP International, about her role, the threats and risks she manages, and what is needed to make the most of a broader security team.
-
Ransomware now accounts for the vast majority of cyber attacks.
But regulators and law makers are increasingly concerned about the money being paid out to ransomware groups -- often, it is used to fund further crime.
Should paying ransoms be banned? Would a ban improve security, or make matters worse? And what steps can organisations take, to cut the risk of falling victim to a ransomware attack in the first place?
Our guest this week is Ian Thornton-Trump, CISO at Cyjax. He believes that calls to ban ransom payments are misplaced; a ban gives firms fewer options when it comes to responding to an attack. And fines for paying ransoms further punish the victims of cybercrime.
He discusses the development of ransomware, why it is so dangerous, and how to counter it with Stephen Pritchard.
-
In this episode, we look at why a lack of robust identity controls is one of the biggest causes of cloud security failures.
Cloud operators, at least the larger ones, now have robust security in place. But that security is there, first and foremost, to protect their business. The "shared responsibility model" means that users are responsible for their data and applications.
The problem, as our guest this week identifies, is that senior managers fail to understand that point, and expect the cloud to fix everything.
It won't, and as Jennifer Cox, member of the global engineering team at Tenable, and director for Ireland of Women in Cybersecurity, warns "it always makes me a bit nervous when people think that something is foolproof".
-
Are passwords now a security risk? And if they no longer work, what should replace them?
In this episode, we speak to https://www.linkedin.com/in/johncapps/ at VIDA Digital Identity, and Ev Kontsevoy, CEO of infrastructure access firm Teleport.
They argue that relying on "secrets" and data to prove identity no longer guarantees security. Alternatives, including zero trust, hold out a lot of promise. But moving to zero trust needs the whole organisation behind it -- it's as much about culture as technology.
-
How are the threats to critical national infrastructure evolving, and how do we counter them?
And are we seeing a shift from attacks based on data and ransomware, towards disruption?
In this episode, we welcome back a previous guest, Trevor Dearing.
Trevor is Director of Critical Infrastructure at Illumio.
Trevor’s work is increasingly focused on resilience, and helping organisations to survive and recover from attacks.
We discuss how organisations in the CNI space need to improve their ability to react to, and survive, a cyber attack.
After all, a failure to do so could cause widespread economic and social disruption.
-
The EU’s Digital Operational Resilience Act, or DORA, comes into force in January 2025. So there is not much time for affected organisations to prepare.
DORA sets out to improve cybersecurity — or ICT risk management — across the EU’s financial services sector.
The Act covers both regulated firms and what the EU terms “critical third parties” in their supply chains. In fact managing third party risk is a big part of DORA, along with measures such as improved resilience testing, incident management plans, and strict reporting requirements.
Our guest is DORA expert and director of consulting firm SECFORCE Rodrigo Marcos.
-
The UK Government's Department of Science, Innovation and Technology (DSIT) is consulting on a new code of practice for business leaders, which aims to "improve cyber resilience across the UK economy".
But how will this operate, and will another code of practice -- alongside a host of existing laws and industry regulations -- help organisations be more secure?
We discuss this with our guest Amanda Finch, CEO of the Chartered Institute of Information Security.
Listeners can find out more about the proposed Code of Practice and the consultation on the UK Government's cyber security site.