2980: The Evolution of the CISO Role and NetSPI's Impact on Cybersecurity Leadership
Tech Talks Daily, August 01, 2024
Episode 2980, 44:45, 26.33 MB

In today's episode of Tech Talks Daily, I sit down with Nick Walker and Giles Inkson from NetSPI to explore how proactive approaches are reshaping cybersecurity. NetSPI recently rebranded and launched a unified security platform designed to help organizations take a more proactive stance against cyber threats. This platform combines Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS) to provide a comprehensive view of assets, risks, and security improvements.

We discuss the latest trends in cybersecurity, including the rapid adoption of generative AI and the complex risks it introduces. As cyber attacks grow more sophisticated, there's a significant shift towards holistic risk management beyond just vulnerability patching. This involves understanding critical assets and the pathways that could be exploited.

The role of the Chief Information Security Officer (CISO) is evolving too, with an increasing focus on board-level communication and strategic risk management. CISOs are now essential in translating cyber risks to leadership and ensuring cost-effective security programs.

We also discuss the EU's Digital Operational Resilience Act (DORA), set to take effect in January 2024. This regulation mandates practices like threat-led testing and intelligence sharing for financial institutions, aiming to enhance resilience through rigorous scenario-based tests and improved information sharing.

How do you see the role of proactive measures in cybersecurity evolving? We'd love to hear your thoughts. Connect with us online to continue the conversation and learn more about the topics we covered today.

[00:00:00] [SPEAKER_02]: Are we ready for a world where cyber security is not just reactive or proactive?

[00:00:07] [SPEAKER_02]: In today's episode of the Tech Talks Daily Podcast, I'm going to delve into the dynamic

[00:00:13] [SPEAKER_02]: field of cyber security with Nick and Giles from NetSPI.

[00:00:19] [SPEAKER_02]: The recently rebranded NetSPI has launched a unified proactive security platform and is aiming

[00:00:24] [SPEAKER_02]: to reshape how businesses approach their digital defenses.

[00:00:28] [SPEAKER_02]: I want to find out more and discuss the latest trends, the evolving role of CISOs, not

[00:00:34] [SPEAKER_02]: to mention the upcoming EU regulations that could change the game for financial institutions.

[00:00:41] [SPEAKER_02]: Reaching listeners in 165 countries every day is testament to the unwavering support

[00:00:46] [SPEAKER_02]: of you, my listeners and our sponsors without whom this podcast just simply wouldn't be possible.

[00:00:52] [SPEAKER_02]: And it also gives me a chance to talk about the fact that legacy DRM failed to securely

[00:00:57] [SPEAKER_02]: enable external collaboration, especially on sensitive files.

[00:01:01] [SPEAKER_02]: And how every organisation faces this risk-trust contradiction where they can share content

[00:01:07] [SPEAKER_02]: with untrusted third parties yet expected to protect that data.

[00:01:11] [SPEAKER_02]: So it's time for something more modern.

[00:01:13] [SPEAKER_02]: A DRM solution that solves that dilemma without compromising security or productivity.

[00:01:18] [SPEAKER_02]: And you could do all that with a company called Kiteworks that will enable you to say goodbye

[00:01:23] [SPEAKER_02]: to deployment headaches, file transferries, collaboration barriers and productivity constraints.

[00:01:29] [SPEAKER_02]: So you can experience a more modern way to collaborate on sensitive content without sacrificing

[00:01:34] [SPEAKER_02]: control or security.

[00:01:36] [SPEAKER_02]: Please visit Kiteworks.com to get started today.

[00:01:39] [SPEAKER_02]: That's Kiteworks.com to get started today.

[00:01:43] [SPEAKER_02]: Now is the moment you've really been waiting for.

[00:01:45] [SPEAKER_02]: It's time to get today's guest on.

[00:01:47] [SPEAKER_02]: Well, buckle up and hold on tight as I've been your ears all the way to the UK where you can

[00:01:53] [SPEAKER_02]: join myself, Nick and Giles from NetSPI as we take a deep dive into this.

[00:02:00] [SPEAKER_02]: So a massive warm welcome to the show, Nick.

[00:02:03] [SPEAKER_02]: Can you tell everyone listening a little about who you are and what you do?

[00:02:07] [SPEAKER_01]: I'm Nick Walker, the regional director for NetSPI in EMEA.

[00:02:11] [SPEAKER_01]: A bit of background on NetSPI: NetSPI is the proactive security solution with 20 years of experience

[00:02:16] [SPEAKER_01]: in all things pen testing.

[00:02:18] [SPEAKER_01]: They originated in the US and my role is to expand that business into the EMEA region,

[00:02:24] [SPEAKER_01]: adapting our approach to meet customers' needs on this side of the pond and building strategic

[00:02:29] [SPEAKER_01]: pen test plans for some of the biggest firms in the world.

[00:02:32] [SPEAKER_01]: So my career in this space started out very technical.

[00:02:36] [SPEAKER_01]: I studied the world's first ethical hacking degree in Dundee, Scotland.

[00:02:40] [SPEAKER_01]: It was called Abertay University and thankfully as part of the course every year you got a chance to kind of stretch your legs with a research

[00:02:48] [SPEAKER_01]: project of your choosing, which was kind of my place to go and enjoy my freedom outside of the course material.

[00:02:55] [SPEAKER_01]: So I chose to specialize in memory corruption, basically the stuff that's in C++ type programs.

[00:03:02] [SPEAKER_01]: And I'll barcify it which was a bit of a weird combination but it was when I was at university was when the first Android phone came out.

[00:03:08] [SPEAKER_01]: So I was pretty interested there. So I was the weird guy that actually liked really enjoyed code review.

[00:03:16] [SPEAKER_01]: For some reason in the pen testing world, that's a bit of a hot take.

[00:03:19] [SPEAKER_01]: And my research there led me to speak at a number of conferences over the years, taking part in

[00:03:25] [SPEAKER_01]: things like Pwn2Own 2013 with some of my colleagues at MWR InfoSecurity, which now no longer exists.

[00:03:32] [SPEAKER_01]: I guess throughout my consultancy years, I've worked as a tech lead for some huge clients, some big ones in the fintech industry in particular.

[00:03:42] [SPEAKER_01]: Managing large pen testing programs for them and of course that results in interacting with executive senior leadership on a regular basis.

[00:03:51] [SPEAKER_01]: And kind of being exposed to that bigger picture outside of your one project, right?

[00:03:55] [SPEAKER_01]: that a lot of the pen testers are kind of honed in on.

[00:03:59] [SPEAKER_01]: And through that kind of understanding of the more nuanced parts of their problems and how they manage the risk.

[00:04:06] [SPEAKER_01]: Coupled with my technical background, that accidentally set me up quite well to run consultancy firms within EMEA.

[00:04:14] [SPEAKER_01]: Younger me was convinced I would always stay down in the weeds and be boots on the ground with the tools, sitting in a basement with a debugger, wearing a hoodie.

[00:04:25] [SPEAKER_01]: But grown-up me kind of saw the impact that I could have when I started looking at the problem from broader angles.

[00:04:31] [SPEAKER_01]: So here I am sitting here wearing a suit,

[00:04:33] [SPEAKER_01]: meeting with execs and applying that technical knowledge

[00:04:37] [SPEAKER_01]: I learned over the years to support those businesses that I worked with in consultancy before, to now on a broader scale manage risk.

[00:04:45] [SPEAKER_02]: You tell me you're sat there in a suit, I suspect underneath the desk there's shorts and Converse or something going on, right?

[00:04:51] [SPEAKER_01]: There are a lot of jeans and comfy trainers, but I'm not in shorts.

[00:04:56] [SPEAKER_02]: Well, welcome to the show.

[00:04:58] [SPEAKER_02]: And of course we've got Giles joining you today on the podcast as well.

[00:05:02] [SPEAKER_02]: So Giles, can you just tell everyone listening a little about you too?

[00:05:06] [SPEAKER_00]: I know. Yeah, absolutely.

[00:05:08] [SPEAKER_00]: So I have a bit of a different sort of more vocational background in the way that I kind of came into things.

[00:05:14] [SPEAKER_00]: I was originally a forestry laborer, so chopping down trees and digging ditches many years ago.

[00:05:19] [SPEAKER_00]: And then used the money I saved up to get my first qualifications in IT.

[00:05:25] [SPEAKER_00]: And then done all sorts of kind of infrastructure and project based stuff over the last I don't know how long it is now.

[00:05:30] [SPEAKER_00]: It's probably about 15 to 18 years somewhere.

[00:05:33] [SPEAKER_00]: I've stopped counting them much like where my hair line starts and ends.

[00:05:36] [SPEAKER_00]: It's something that I try and glaze over a little bit.

[00:05:39] [SPEAKER_00]: But I kind of these days, I'm a bit of a dual-class paladin and rogue, as I would say.

[00:05:45] [SPEAKER_00]: So I do a bit of the red team side of things.

[00:05:47] [SPEAKER_00]: And at NetSPI I look after a number of our infrastructure services, including red team.

[00:05:52] [SPEAKER_00]: But my passion is really sort of helping organisations understand all of their controls together,

[00:05:58] [SPEAKER_00]: all of the kind of the people, process and technology side of things and how that all weaves together.

[00:06:02] [SPEAKER_00]: And then kind of testing that holistic piece.

[00:06:04] [SPEAKER_00]: So red teaming, to those that don't know the term, kind of is that really, for want of a better way of putting it.

[00:06:09] [SPEAKER_00]: And it feeds into a lot of kind of the regulated frameworks that are coming out at the moment.

[00:06:13] [SPEAKER_00]: But generally speaking, aside from that, I am a sysadmin, a recovering sysadmin.

[00:06:19] [SPEAKER_00]: I think it's probably the way that I refer to it.

[00:06:21] [SPEAKER_00]: So I spent time on the defensive side of things like this.

[00:06:24] [SPEAKER_00]: That kind of drives my advisory capability to understand the challenges of the people that I work with, our clients.

[00:06:31] [SPEAKER_00]: It's important from my perspective to have that understanding, to not sit on the edge,

[00:06:36] [SPEAKER_00]: but have a foot in both fields to really sort of understand what and why we're advising what we're advising,

[00:06:42] [SPEAKER_00]: not just purely come at it from one particular discipline or another.

[00:06:46] [SPEAKER_00]: And that's not to say it's right or wrong.

[00:06:48] [SPEAKER_00]: I like that kind of that sort of moderated view if you will.

[00:06:53] [SPEAKER_02]: Well, a big thank you to both of you for sitting down with me today.

[00:06:55] [SPEAKER_02]: And I was doing a little research before you came on the podcast.

[00:06:59] [SPEAKER_02]: One of the things I quickly was reading up on is that your business has rebranded.

[00:07:04] [SPEAKER_02]: So I think we should start there really.

[00:07:05] [SPEAKER_02]: Tell me a bit more about NetSPI and its current mission.

[00:07:09] [SPEAKER_02]: Maybe a little bit more about the rebrand.

[00:07:12] [SPEAKER_02]: Ultimately, what does it mean for your business ambition?

[00:07:15] [SPEAKER_01]: Yeah, so it's been an exciting year for NetSPI, not only because I've been here a year now.

[00:07:21] [SPEAKER_01]: But we've made three big announcements for the business this year.

[00:07:25] [SPEAKER_01]: Obviously the rebrand is kind of a big component of that.

[00:07:28] [SPEAKER_01]: So we've updated our positioning, visual branding and the website experience,

[00:07:33] [SPEAKER_01]: which I think now more accurately reflects our kind of evolving role in this space.

[00:07:38] [SPEAKER_01]: And in the cyber security industry as a whole, and everything that brand element brings.

[00:07:44] [SPEAKER_01]: I think it's like a vision of NetSPI's dedication to its customers, kind of alignment with the proactive security category.

[00:07:52] [SPEAKER_01]: It shows the innovation.

[00:07:53] [SPEAKER_01]: I think you spot the modern branding and the innovation that we have across our solution.

[00:07:59] [SPEAKER_01]: So we've got kind of three main sections to our business.

[00:08:02] [SPEAKER_01]: So we've got PTaaS, which is an acronym I'll explain because I'm sure a lot of your listeners might not have heard some of these before.

[00:08:07] [SPEAKER_01]: So PTaaS is quite a common one.

[00:08:09] [SPEAKER_01]: It's pen testing as a service.

[00:08:11] [SPEAKER_01]: We've got ASM, which is attack surface management, and breach and attack simulation, BAS.

[00:08:18] [SPEAKER_01]: Right? So I might mention those acronyms later in the conversation, just so we don't have to go through the detail again.

[00:08:23] [SPEAKER_01]: So alongside that, we've also launched a new platform.

[00:08:26] [SPEAKER_01]: And that's in tandem with the rebrand.

[00:08:28] [SPEAKER_01]: We've unveiled the unified proactive security platform, which we hope will enable our customers to take a more proactive approach to cybersecurity.

[00:08:37] [SPEAKER_01]: And we've got a lot of security and security with more clarity.

[00:08:38] [SPEAKER_01]: More speed and scale, right?

[00:08:41] [SPEAKER_01]: The difficulty we've got these days is information overload.

[00:08:44] [SPEAKER_01]: And we're trying to bring clarity to that process and help CISOs make really good decisions about what they have, where they have it and how they manage their risk.

[00:08:53] [SPEAKER_01]: So yeah, this kind of means we can help customers build a more complete picture of what they've got,

[00:08:59] [SPEAKER_01]: where they have the risk and what the joined-up dots of all that mean.

[00:09:03] [SPEAKER_01]: Particularly in terms of the impact on the business and the risk that they've got in those places.

[00:09:09] [SPEAKER_01]: Implied in that, obviously, is that you'll be able to infer guidance about the best places to spend the effort to improve their security or controls.

[00:09:17] [SPEAKER_01]: So at NetSPI we've got a really clear vision.

[00:09:20] [SPEAKER_01]: Later this year, customers can expect to see the ASM, the BAS products and PTaaS all joined together alongside new risk prioritization and some exposure management capabilities.

[00:09:33] [SPEAKER_01]: So consolidating all of those into that single platform will significantly improve the company's abilities to deliver more,

[00:09:43] [SPEAKER_01]: I guess, timely and impactful outcomes.

[00:09:46] [SPEAKER_01]: Building new products faster and just operating as a business in a more robust and effective way.

[00:09:53] [SPEAKER_01]: Also with PTaaS, ASM and BAS all tied together we'll be able to draw insights from those.

[00:09:59] [SPEAKER_01]: So from PTaaS and ASM, you see all the assets and your vulnerabilities.

[00:10:05] [SPEAKER_01]: And we can tie those risks to gaps that we can identify in your vision of what's going on in your network through the breach and attack simulation component of the platform, right?

[00:10:15] [SPEAKER_01]: And so we can make inferences between what you've got, where it lives, how you see it, what individual risks each of those components have, and kind of build a view of where risk sits and where is the best place to fix it.

[00:10:32] [SPEAKER_01]: So it kind of highlights exactly how an attacker might move through networks from points of origin to points of failure.

[00:10:40] [SPEAKER_02]: And I love how you mentioned that the proactive approach and the need for that because we've all seen what happens with the reactive side of things to cyber security.

[00:10:48] [SPEAKER_02]: We've seen the dangers of alert fatigue and there's so many different attacks just this week there was the 10 billion passwords that were breached is rants somewhere and of course AI being used for both attack and defense purposes, but I've got to ask what trends are you seeing in cyber security right now?

[00:11:05] [SPEAKER_02]: Because there's so much going on, it's bombarding our news feeds every day, but what are you seeing?

[00:11:10] [SPEAKER_01]: Yeah, there's a lot and we could probably speak for a week just on that topic.

[00:11:14] [SPEAKER_01]: I would say there's kind of a few areas that are at the forefront of the industry's collective mind at the moment.

[00:11:22] [SPEAKER_01]: You've got, of course, the elephant in the room which is generative AI, right? You can't have a security podcast without talking about generative AI.

[00:11:30] [SPEAKER_01]: Kind of the hot topic there is the rate of adoption versus the depth of understanding that the businesses that are adopting these technologies have.

[00:11:39] [SPEAKER_01]: And about how to manage those risks. It's a super strong technology, right? There's value to be had out of it, but it's just got to be balanced with a deep understanding of what risks that can bring.

[00:11:50] [SPEAKER_01]: And I would say not many organizations at the moment have the skills, at least in-house, needed to get out in front of this problem and adequately test them.

[00:11:59] [SPEAKER_01]: I think in a lot of ways some of these.

[00:12:03] [SPEAKER_01]: Gen AI platforms are being embedded into web applications and having those web applications tested is great, but.

[00:12:11] [SPEAKER_01]: The methodology that's been applied across the board generally is not accounting for the mathematical approach needed to test those models accurately.

[00:12:20] [SPEAKER_01]: The other thing I would say is a trend at the moment is, as it always has been, attacks are definitely getting a lot more complex, and keeping up, keeping everything locked down and

[00:12:33] [SPEAKER_01]: reacting in a reactive manner is pretty much impossible, as you said, and I would say that broadly businesses are moving away from trying to manage that risk through point-in-time testing and resolving vulnerabilities.

[00:12:45] [SPEAKER_01]: Those are still very important, as it's good to know where you sit with a particular application at a particular point in time and get vision of what those vulnerabilities are.

[00:12:54] [SPEAKER_01]: We need to move to a model where businesses are thinking more about their understanding at a higher level about what assets they have.

[00:13:02] [SPEAKER_01]: As part of the holistic view, how they're joined together, where their critical points of failure are and common pathways, and managing the risk through monitoring those points.

[00:13:11] [SPEAKER_01]: It's moving on to something developing whereby it's less about identifying and understanding every vulnerability and every point of failure and more about how do we understand what assets we have, what they mean to the bigger business and how do we react when something goes wrong.

[00:13:27] [SPEAKER_01]: This is where kind of Giles's side of the service delivery comes in: what do we do when something goes really bad, and what do we see, how do we notice it and how do we react.

[00:13:38] [SPEAKER_01]: And we're just changing the way that we think about the problem, so less about technical controls because that's

[00:13:46] [SPEAKER_01]: fairly easy to set up out of the box these days; the default configurations in a lot of ways have come a long way from where they were 10 years ago.

[00:13:55] [SPEAKER_01]: They're still a key tool in our belts, but now it's more about that holistic view.

[00:14:01] [SPEAKER_01]: Seeing the whole picture, making conscious decisions about how you manage your information.

[00:14:05] [SPEAKER_02]: And of course it feels sometimes that we've been talking about things like password breaches, phishing attempts, data hacks, ransomware, humans being the weakest link in

[00:14:16] [SPEAKER_02]: cyber security, and the boardroom not understanding or appreciating the value of cyber security.

[00:14:21] [SPEAKER_02]: We've been talking about this stuff for what, the last 10 years or more, so I'm curious what has drastically changed about cyber security since you both started in the field. Anything you can share around that on what you're seeing changing?

[00:14:34] [SPEAKER_00]: So I guess there's quite a bit that I think's changed in terms of the cybersecurity landscape.

[00:14:40] [SPEAKER_00]: I think you touched on some of the gen AI type of things, but I think there's a great drive towards kind of single pane of glass visibility and all of the things when you're kind of really working in a security capacity.

[00:14:53] [SPEAKER_00]: And that kind of platform unification and sort of centralization of information

[00:14:58] [SPEAKER_00]: makes the life of the security professional easier, but also it provides a centralized target for an attacker, something to go after, something to ruin if you will.

[00:15:08] [SPEAKER_00]: I think the other thing as well is the kind of the trend, through mergers and acquisitions of a lot of the security companies, we're seeing

[00:15:17] [SPEAKER_00]: very kind of

[00:15:19] [SPEAKER_00]: high reliance on single vendors to offer all of the solutions to all of the problems of the world, if you will, and that provides

[00:15:28] [SPEAKER_00]: An interesting conundrum because if you go to a vendor that can supply your computer power your kind of your databases your storage or whatever you might choose and also your security they're not focused so that perhaps the level of security that comes from that is not as easy to kind of judge the quality of it.

[00:15:46] [SPEAKER_00]: And then comes along a contender in the security space and sort of has a very focused security product I think.

[00:15:54] [SPEAKER_00]: It's tricky.

[00:15:55] [SPEAKER_00]: I think if we rely on businesses that offer all of the services and all of that becomes centralized we end up with a number of very small monopolies in that space and I think that's a tricky question to answer because we want these businesses to grow to get to be able to fund getting ahead of kind of threats and attack as if you will.

[00:16:11] [SPEAKER_00]: But equally I think we probably can kind of don't want to have to buy everything from one place or one place owned like kind of the academic or sort of analogy I think it is it's where I would put that.

[00:16:22] [SPEAKER_00]: Other trends I think, aside from gen AI, I think there's a trend towards the kind of... ransomware is a perennial thing. I think it's becoming more and more a thing that's tied not just to sort of those who are criminally oriented, if you will. I think it's becoming much more of a kind of a wider sort of

[00:16:41] [SPEAKER_00]: Orchestra of hybrid warfare across the world and there's lots of different regional things that go on but I think we've seen more and more of those two being very closely linked in the last sort of 10 years or so in terms of trends.

[00:16:52] [SPEAKER_00]: And I guess that's pretty much it generally. AI has probably drowned a number of the other things out in terms of what people are talking about. There are plenty of smaller things, but yeah, those are the ones.

[00:17:02] [SPEAKER_02]: And Nick, you've been on both sides of the fence here, from starting out in the hardcore techy space to being in a suit talking to me today.

[00:17:11] [SPEAKER_01]: Well, I still have a spin on both sides of that fence. What are you seeing changing? I guess the kind of the place I would see it is the barrier to entry has been substantially reduced, right? When I was young with less gray hair, looking a lot more attractive than I do today,

[00:17:28] [SPEAKER_01]: there weren't really any resources to learn how to misuse these systems, abuse the systems, make them do things they weren't intended to do.

[00:17:37] [SPEAKER_01]: These days there are really good learning resources out there, things like pre-built labs, playgrounds, intentionally vulnerable challenges that you can work your way through to get your hands dirty in practical terms and really learn the job without actually

[00:17:51] [SPEAKER_01]: messing with anybody's systems, and being able to do that really accelerates understanding in these realistic scenarios, and it's quite easy to get off the ground, so

[00:18:02] [SPEAKER_01]: There's a flip side to that coin and it's that of course with that understanding of how these things work.

[00:18:08] [SPEAKER_01]: Being so easy to get to at least in the lower end the collective knowledge that the industry's grown substantially right and so there are less and less low hanging fruit these days.

[00:18:18] [SPEAKER_01]: Our job, yes, but so does the dark side of the coin, the attackers. I guess it gets harder for them.

[00:18:24] [SPEAKER_01]: They learn just as well as you or me do, and

[00:18:28] [SPEAKER_01]: that means because our low hanging fruit's gone, there's more and more complex detections and more robust technical defenses.

[00:18:36] [SPEAKER_01]: The problem's obviously not gone away because we're still sat here having this conversation, so clearly the top end of the problem, the extremely complex and more technical attacks, are growing.

[00:18:45] [SPEAKER_01]: Our job in that is shifting towards that, and it's getting more and more difficult to defend, which is why I think there's this shift in approach to looking at it more holistically, right? And so

[00:18:57] [SPEAKER_01]: it's easier to get into as an industry overall, but that gap between being good and great these days, on both the red and the blue sides, is bigger than it's ever been.

[00:19:07] [SPEAKER_02]: And we are seeing an increase in data breaches and cyber attacks with stories in our headlines as I said at the beginning of our conversation almost on a daily basis.

[00:19:15] [SPEAKER_02]: So I'm curious, do you think there's a need, or an increased need should I say, for CISOs? How are you seeing their roles evolving over time too? Is the boardroom waking up to the threats and the value a CISO brings?

[00:19:31] [SPEAKER_01]: Yeah, I think so. On the visibility of the breaches side, I do think there are more breaches generally, but I think the headlines are more prevalent because businesses are getting better at noticing quickly when something's gone wrong.

[00:19:44] [SPEAKER_01]: And they have an obligation to be open and upfront about that, morally, and

[00:19:50] [SPEAKER_01]: a basic understanding of cyber security as a concept for Joe Bloggs, member of the public, is now really common.

[00:19:56] [SPEAKER_01]: So we see and share more of it, so I just think there's more noise and conversation around about what's going on and people are just seeing a lot more of it.

[00:20:06] [SPEAKER_01]: There is definitely an increase on that side of the fence in terms of breaches, but part of that is the fact that people are just more knowledgeable about it and it's more in front of people these days, and that can only be a good thing, right?

[00:20:19] [SPEAKER_01]: Yeah, there's always been a need for someone to hold and manage responsibility for the cyber risk of all businesses, big or small, and whether you call them a CISO or not.

[00:20:28] [SPEAKER_01]: I don't think that's changed very much.

[00:20:31] [SPEAKER_01]: I think the CISO role itself has become much more of a mature position than it was ten years ago.

[00:20:37] [SPEAKER_01]: Moving from that reactive place of making sure everything's had its annual pen test and we'll deal with an incident when it happens, to someone whose role is now

[00:20:46] [SPEAKER_01]: to manage huge and detailed proactive programs of testing and, just as importantly, track the metrics to represent the success of those efforts. It's leading more towards

[00:20:59] [SPEAKER_01]: getting an understanding of context and how your efforts in that cyber space are being effective or not. So

[00:21:11] [SPEAKER_01]: they need to understand where they're spending their hard-fought cyber budget, right? The economy's tough right now; budgets on the cyber side are increasing disproportionately to the margins of those companies, so it's clear that the CISO is having the impact they need and that the businesses as a whole understand the need for spending in the space.

[00:21:32] [SPEAKER_01]: What they're doing is changing how they spend it so with that comes things like.

[00:21:38] [SPEAKER_01]: Threat intelligence and applying tactics, techniques and procedures that specifically apply to your business.

[00:21:44] [SPEAKER_01]: To get more value out of that spend so instead of running your generic red team.

[00:21:49] [SPEAKER_01]: Come in see what you can hear it see how we respond to it.

[00:21:52] [SPEAKER_01]: It's very much more guided spend now, so they can specifically address those threats they face, in the context of all the information they've managed to gather about their efforts, right?

[00:22:01] [SPEAKER_01]: So getting that deeper and more complete understanding of the assets they've got, building a massive asset register and the risk associated with those assets, through something like attack surface money, excuse me, attack surface management tools. That's a bit of a mouthful sometimes.

[00:22:17] [SPEAKER_01]: Helps them build that kind of big picture they need to start applying those changes that are effective.

[00:22:23] [SPEAKER_01]: The way that CISOs resolve those issues has also changed, right? So

[00:22:28] [SPEAKER_01]: critical vulnerabilities aren't always the first things to get prioritized for fixing anymore. Gone are the days where a CVSS score of a nine or whatever was

[00:22:37] [SPEAKER_01]: panic stations, we've got to patch this today.

[00:22:40] [SPEAKER_01]: And the lows aren't always the lowest on the list, and so with that bigger picture approach we spoke about earlier, it might mean the two medium risk issues,

[00:22:49] [SPEAKER_01]: when applied to the context of your business in combination,

[00:22:54] [SPEAKER_01]: pose much more of a substantial problem together and then may get prioritized over a more critical on-paper vulnerability, like for example the recent SSH regression vulnerability you may have seen in the news, right?

[00:23:07] [SPEAKER_01]: That vulnerability gives root access to systems and from a technical perspective

[00:23:11] [SPEAKER_01]: that's really bad and critical for business, but it's also a really complex race condition memory corruption vulnerability.

[00:23:20] [SPEAKER_01]: And currently there's no exploit code for 64-bit systems, which is what everybody's running on, so that may not be prioritized by the business over those two medium vulnerabilities when applied to that bigger picture that the CISO's got.

[00:23:31] [SPEAKER_01]: I guess context is super important and in summary I would probably say that we're moving away from that single vulnerability CVSS score system

[00:23:41] [SPEAKER_01]: to a model of kind of deeper understanding of what those risks mean in real impact and context, and adapting the approaches that we're taking to reduce the risk using that model.

[00:23:52] [SPEAKER_02]: And jios is there anything that you'll see in how the roles of C so's evolving any observations from you on there.

[00:23:59] [SPEAKER_00]: Yeah, I think there are probably quite a few from my side of things.

[00:24:04] [SPEAKER_00]: I think, in general terms, often the early CISOs of the world were

[00:24:10] [SPEAKER_00]: techies in a suit who were thrown to the board because they kind of understood their science, if you will, more often than not, and that was quite the traditional pathway. And as there have been more frameworks, and sort of learning pathways, and adoption of more of a definition of what that role looks like,

[00:24:26] [SPEAKER_00]: they are now very much more members of the board, if you will. They act as a translation layer much more, and are able to talk about the wider business and enterprise risk

[00:24:37] [SPEAKER_00]: to the rest of the board, rather than just being that person who converted from one trade to another. They're now very much in that house.

[00:24:44] [SPEAKER_00]: That means that they've got a lot of responsibilities around cost rationalization and looking at how to spend budget effectively and make the right decisions about where to invest the budget that they've got, and

[00:24:56] [SPEAKER_00]: how much security realistically that actually brings to them as an organization, in general terms. And I think that's a kind of change in

[00:25:04] [SPEAKER_00]: the approach and the level of maturity the individual needs to have, in the way the soft skills of the CISO have to be

[00:25:11] [SPEAKER_00]: probably much more refined now than in the early days of the role itself, where you could be a very technical, slightly acidic human being and know it very well and be very successful in that role.

[00:25:22] [SPEAKER_00]: Now you have to apply significant soft skills to talk to the other C-suite members or to the security team, to act on behalf of both and to make sure that you get the best results for the business.

[00:25:34] [SPEAKER_00]: And it's quite a perilous job. There's probably not the right way to think about this, but often many a CISO will think themselves kind of on the chopping block every single day, so they're going to be a very resilient human being to be able to fulfill that role.

[00:25:46] [SPEAKER_00]: And I think that's probably something, with the rising publicization of breaches, some lean into that, with the angle of wanting to be as strong and resilient as possible.

[00:25:59] [SPEAKER_00]: Some are what I'd call the deniers, for want of a better way of putting it, in the world, and some, now through regulation and enforcement, are actually being encouraged, and we're seeing a great uptick in this,

[00:26:10] [SPEAKER_00]: in being community-minded and in CISOs being open, talking about the challenges, talking about the failures as well as the successes of their roles, and in things like post-project activities talking about the lessons learnt, and after red team activities and other types of scenario-based tests that.

[00:26:26] [SPEAKER_00]: Now they're becoming much more humble in the way that they express themselves. It's a really positive change, because now we get to hear about the things that occur and we all get to learn and share intelligence and mature

[00:26:40] [SPEAKER_00]: the market more widely, by sort of a proactive,

[00:26:43] [SPEAKER_00]: community testing point of view, but also from the kind of proactive defensive view as well. We all get to learn from each other better. As a red teamer I've been thrown into many pits of fire, many meetings, to

[00:26:55] [SPEAKER_00]: adversarial thinking; often people in the defensive role see my role in that situation as someone that's come to,

[00:27:03] [SPEAKER_00]: come to sort of mark their homework, if you will, and that's not necessarily, it's not a bad thing. I might be giving them an A and telling them that they're doing really well, for want of a better way of putting it, but actually it's to talk pragmatically about what can be done, what challenges their configuration choices or budget choices make, and bring them into their controls, help consolidate that.

[00:27:22] [SPEAKER_00]: And then rather than riding off into the sunset, actually help them through that process of transition to a more secure organization.

[00:27:30] [SPEAKER_00]: So I think the CISO has to be much more mature, much more adult these days, much more soft-skills oriented as well as having technical skills too, and they have to be that hybrid, all things to all men, as they say.

[00:27:41] [SPEAKER_00]: Or indeed all things to all people, really, in real terms. And I think that's what we see now, whereas before it was okay to be very

[00:27:49] [SPEAKER_02]: singular. Now you have to be much more broad in your role. And you mentioned the word resilience there a few times, and it brings me back to something. I've been hosting this podcast every day, trying to take a topic that people may have heard things about but are a little unsure on what it means to them and their business, and

[00:28:08] [SPEAKER_02]: one of the things that I'm reading more and more about lately is the European Union's Digital Operational Resilience Act, or DORA, which is much more catchy. So a question to both of you, if we can try and demystify this today:

[00:28:21] [SPEAKER_02]: what exactly is DORA and why do we need it, just for any business leaders listening?

[00:28:26] [SPEAKER_00]: I'll jump in there, because it is in fact why my hairline is now currently a few inches behind what it was. So it's a big thing, but it's also a thing that, well, some of what it asks organizations to do has existed for a while. So

[00:28:39] [SPEAKER_00]: it's a law and a framework that will bring together some of the things that the European Union have been doing for a little while now, things like TIBER testing for instance, or threat, they'd be referred to generally as threat-led testing, what others might refer to as red teaming.

[00:28:54] [SPEAKER_00]: What that does is enshrine in law a number of things that were frameworks or guidance practices that the regulators were encouraging

[00:29:03] [SPEAKER_00]: financial institutions to do. What it tries to do is, for want of a better way of putting this, enforce good behavior. So that's things like intelligence sharing I mentioned before,

[00:29:13] [SPEAKER_00]: but also how do you test and plan for how you react to a breach, testing your people, process and technology across an enterprise with scenario-based testing, red teaming, to really stress test,

[00:29:27] [SPEAKER_00]: for want of a better way of putting it, the organization as a whole, as a holistic entity, and all of the things that you've done together.

[00:29:33] [SPEAKER_00]: And it's particularly pertinent because what it does is it puts that to organizations that will have done that before, the big banks, the financial organizations across Europe that have significant presence in Europe, if you will, in different jurisdictional areas.

[00:29:50] [SPEAKER_00]: So, large financial institutions such as banks will have to do those tests, which are very similar to TIBER tests, and they are a mature market. But also a very immature market will be asked to do this, so organizations like cryptocurrency exchanges or other smaller wealth management organizations, or organizations that haven't had to do this before.

[00:30:12] [SPEAKER_00]: So there's going to be a mixture of very mature organizations doing what they've always done and helping steer that market, and a lot of those are getting ahead of that and doing proactive red teaming assessments before the deadline to make sure that they've got everything in place,

[00:30:26] [SPEAKER_00]: but also to buy a little bit of time before they need to next do those. A number of the regulators or TCTs are encouraging organizations to do that, to buy them some time before they next have to do those tests.

[00:30:38] [SPEAKER_00]: And then on the less mature side of things it's going to be a lot of organizations that never had to do this before. Perhaps they've got a pen test program, perhaps they've got some vulnerability management capability within the organization.

[00:30:50] [SPEAKER_00]: Now they're being thrown right into the sort of perceived apex, or top end, of testing.

[00:30:55] [SPEAKER_00]: The interesting thing is the frameworks and the law behind it that drives the TIBER framework especially is actually quite a pragmatic one, and it's quite a hand-hold-through-the-process way of approaching things.

[00:31:12] [SPEAKER_00]: And it's much more around learning objectives and making sure that those organizations are able to get every single drop of learning and knowledge sharing and capability increase, if you will, that they can from those exercises.

[00:31:28] [SPEAKER_00]: So there are all sorts of workshops and exercises to come at the back end of it: 360 workshops, purple teaming, various other things, where we, working as a security testing or pen test company as part of our capacity,

[00:31:39] [SPEAKER_00]: work together really closely and go through every single play of what we do as far as testing components go. It's a very rigorous and very serious framework,

[00:31:50] [SPEAKER_00]: but it's not unapproachable, because it's been built to the point where everybody can go into it and get walked through it every single time, whether or not they're mature.

[00:31:59] [SPEAKER_00]: It's a very solid way of maturing businesses at scale in the finance markets. For instance, in the UK, practice standards like CBEST have been around a little longer, and you just have to look around in terms of the banking sector, the finance sector, and how that's really matured that market over the last 10 years or so,

[00:32:18] [SPEAKER_00]: which is a very positive sight indeed.

[00:32:20] [SPEAKER_00]: TIBER has also been around for a while. It will be updated and brought into the DORA legislation as part of that. There's also, I'm very passionate about the testing side of things, but there are also other things around the intelligence sharing: how do you,

[00:32:34] [SPEAKER_00]: how can you communicate with your peers? How do you enable them to be able to see breach information, or where you're seeing active threats trying to explore your environment? How do you share that with your peers to enable them to defend themselves better in advance?

[00:32:48] [SPEAKER_00]: What it's trying to do is make that ecosystem and build it across Europe, and Europe is a really big target for a lot of this for various reasons, diplomatic, economic and various other drivers.

[00:32:59] [SPEAKER_00]: Europe as an entity, and every major financial institution in there, has been encouraged to do this just to make sure that

[00:33:07] [SPEAKER_00]: the things that literally keep the lights on and people going to work are maintained.

[00:33:13] [SPEAKER_00]: I don't really just talk about how important it is to be able to pay your mortgage.

[00:33:16] [SPEAKER_00]: I'm sure we've all experienced some of that, or you're on digital rent, or anything of that nature. We want to make sure that continues to happen, so we at NetSPI

[00:33:25] [SPEAKER_00]: test that to help those organizations really validate it.

[00:33:29] [SPEAKER_02]: So yeah, a bit of a long answer, but it can be complex, the complex framework. And as you said there, it will enshrine it in law, but the scary thing for a lot of people listening is that I think the date is the 17th of January next year, which is just six months away. So

[00:33:46] [SPEAKER_02]: I've got to ask, I don't want to scare anyone here, but what are the consequences if a business doesn't comply with DORA by the 17th of January next year? Anything you can share on that?

[00:33:57] [SPEAKER_00]: Yeah, so I'll jump back in there. I mean, Nick may be sort of taking the reins there.

[00:34:01] [SPEAKER_00]: I've got to ask my boss.

[00:34:04] [SPEAKER_00]: But I think in terms of the compliance, I think it's not necessarily having absolutely everything in place and everything in hand to produce, like your papers,

[00:34:14] [SPEAKER_00]: the moment January 17th kicks in. So this allows for a testing cycle, for instance, as part of that testing process, and not every part of that has to be yearly.

[00:34:26] [SPEAKER_00]: So where you've got the TIBER tests that I spoke to before, actually you're probably most likely only needing to do one of those every three years, and you'll be notified in advance, generally speaking, that this will be your turn, your year, when that occurs.

[00:34:39] [SPEAKER_00]: But you are encouraged to do testing at a similar standard or the same standard, which you can drive internally, on the other two of the three, so you get to keep that tempo and that pace, but it's not got the same level of oversight, the same level of everybody being part of the group: the regulator, the institution, the intelligence provider and the pen test provider coming together to make sure that it's the best level of successful outcome.

[00:35:06] [SPEAKER_00]: And in short terms, the short answer is, if you think about the level of financial impact to organizations that GDPR had, GDPR fines, broadly speaking, cut that in half and that's what DORA can represent to an organization. So whereas GDPR is broadly four percent of global revenue annually,

[00:35:28] [SPEAKER_00]: DORA is actually closer to two percent in terms of the revenue side of things, but then there's also the one percent monthly as well which can occur. So

[00:35:38] [SPEAKER_00]: the guidance on DORA, some of it is still being formed, some of it relatively limited and some of it being implemented, but the perception at the moment is that those are two separate things, so you can have the 2% of annual turnover and the 1% monthly as a rolling fine, if you will,

[00:35:55] [SPEAKER_00]: for continued noncompliance. And that could be policies and processes and documentation to support the fact that you've got a good

[00:36:01] [SPEAKER_00]: business resiliency framework, ISO 27001 and an ISMS and all of the stuff that comes with that. It's about all of those things in unison and together, so you need to make sure that each of those different disciplines that DORA mandates you've got, you can evidence on a continuing basis, and then you can do, on the rolling basis, the different types of testing you need to do as well.

[00:36:19] [SPEAKER_00]: One thing that I haven't mentioned is actually these tests are able to start from a supply chain side of things, and it tests an entire organization, so you could be the things that are most important, a mainframe

[00:36:31] [SPEAKER_00]: that's never been touched before, or your crypto exchange, or all these types of things. So it is truly the whole organization that it focuses on, and the implementation of ICT as part of that organization, but the people behind it, the dependent systems, the critical functions, and it is as

[00:36:48] [SPEAKER_00]: comprehensive as any testing framework is ever going to be.

[00:36:52] [SPEAKER_02]: And I'm just bringing you into this here, Nick. DORA is just one example there. Basically there are so many different regulations and frameworks businesses need to follow in the coming years.

[00:37:02] [SPEAKER_02]: Any advice you could offer for CISOs dealing with this increased cyber attack surface but also trying to remain compliant with these increasing frameworks at the same time?

[00:37:11] [SPEAKER_01]: Yeah, I mean, as Giles said, it's fairly well structured and less complex than some of the previous compliance frameworks that we've seen before.

[00:37:21] [SPEAKER_01]: Obviously you can't really do better than reaching out to the people that are going to be doing the testing for these kinds of engagements and understanding exactly what it is you need to do, so reach out to your suppliers if they've already got DORA-compliant testing schemes.

[00:37:36] [SPEAKER_01]: They're fairly similar to the TIBER and CBEST styles of engagements. A lot of organizations we've seen over the last year are doing

[00:37:44] [SPEAKER_01]: I guess what you would call dry runs of these styles of engagements, to get a flavor and prep themselves for being prepared for this when it comes in.

[00:37:52] [SPEAKER_01]: And so the clock is ticking, but a lot of people have already started. If you haven't already started, it's about time to.

[00:37:58] [SPEAKER_02]: I think that's a beautiful moment to end on, but before I do let you go, I think the one thing that we all have in common at the moment is struggling to keep up with the speed and the pace of technological change, and we're all in this state of continuous learning.

[00:38:12] [SPEAKER_02]: So I'd like to get a few tips off both of you here.

[00:38:15] [SPEAKER_02]: Giles, I'll come to you first. Where or how do you self-educate out there and keep on top of these trends?

[00:38:22] [SPEAKER_00]: It's an interesting one. As a badge-holding imposter syndrome suffering individual, I don't think I necessarily am.

[00:38:29] [SPEAKER_00]: A lot of people look to security testers or hackers, ethical hackers, whatever you may wish to call us, as kind of people who know everything, or we were often encouraged to know everything at all times. Not the case,

[00:38:40] [SPEAKER_00]: I dare say, and also my wife would tell me. And I think from my perspective I learned a lot on the job, have to learn a lot on the job, so I will constantly encounter implementations of technology that I've never seen before and I have to go out and read the docs, read the manuals as they say, on a daily basis. But

[00:38:58] [SPEAKER_00]: for me, about the wider learning, that's kind of the talking to individuals, understanding the challenges.

[00:39:07] [SPEAKER_00]: I'm quite lucky in what I do that I get to talk to people who are in the top sides of businesses day to day and understand how they approach things.

[00:39:23] [SPEAKER_00]: I think that's a lot of the way to learn anything, and my son is teaching me things all the time, so there we go.

[00:39:36] [SPEAKER_02]: I hope you're looking forward to what he's doing.

[00:39:38] [SPEAKER_02]: It's scary just how knowledgeable the kids are now.

[00:39:43] [SPEAKER_00]: He's just starting school very soon, and he teaches me all about, well, I guess about humility, and he learns new things all the time and he's like a sponge.

[00:39:52] [SPEAKER_00]: I often wish that I was like that, especially in the kind of industry that encourages you to know all things at all times.

[00:40:00] [SPEAKER_00]: So yeah, he teaches me that. So I think there are things in this world that can be learnt much quicker than I had the capacity to do it, and he can enjoy doing it at the same time.

[00:40:09] [SPEAKER_02]: And Nick, what about yourself? How do you self-educate, how do you keep up to speed with things? Any tips?

[00:40:14] [SPEAKER_01]: Yeah, so I would say for me it's definitely changed over the years, as one of my two hats has been down in the weeds in the technical space and moving into this executive area.

[00:40:24] [SPEAKER_01]: So yeah, back when I was actively pen testing, a vuln researcher, for me learning was sitting down with a project, getting as far as I could just following my nose until you hit a brick wall, hopefully not too painfully.

[00:40:37] [SPEAKER_01]: At that point you've got a pretty clear indication of a gap in your knowledge and a gap in your understanding that you need to dig deeper into and address, right.

[00:40:47] [SPEAKER_01]: So following, you know, working on things that interest you, pushing into these uncomfortable places where you're faced with the things that stop you progressing, and your learning is guided by those difficulties.

[00:40:59] [SPEAKER_01]: These days I would say I'm faced with helping other people resolve their problems, and that's a very different course of learning.

[00:41:06] [SPEAKER_01]: So obviously I can draw on that previous experience and the understanding of the tech, but there's a wealth of knowledge stored in the experience of other people in industry,

[00:41:15] [SPEAKER_01]: the problems that those CISOs have gone through and how they resolved them, and what worked and what didn't work.

[00:41:20] [SPEAKER_01]: Broadening that knowledge through exposure and networking, and again those people's successes and failures, and I can take that now and apply that to each new experience and each new person that I meet,

[00:41:33] [SPEAKER_01]: and the problems that they've got. And kind of, I'd say my personal growth is now driven by networking and other people, and applying the experience to refine what I do.

[00:41:46] [SPEAKER_02]: Well, we've covered so much in a short amount of time today, but for anyone that would love to continue this conversation,

[00:41:52] [SPEAKER_02]: maybe find out more information about NetSPI, or even connect with you on a personal level, have you got a website or

[00:41:59] [SPEAKER_02]: LinkedIn etc.? Nick, to begin with, where do you like to send everyone?

[00:42:03] [SPEAKER_01]: Yeah, so I would send everybody over to netspi.com, our main website.

[00:42:08] [SPEAKER_01]: We've also got a LinkedIn channel where we post all of our news, customer stories, things like this podcast, and we also share what it's like to work for us.

[00:42:17] [SPEAKER_01]: I'm also available on LinkedIn, so feel free to connect with me and have a conversation. But yeah.

[00:42:22] [SPEAKER_02]: So we'll get the links added to that. And Giles, anywhere additionally you'd like me to point folks to, links like your LinkedIn etc.?

[00:42:30] [SPEAKER_00]: Yeah, LinkedIn's always a good one. Unfortunately the bat signal is out of operation at the moment.

[00:42:35] [SPEAKER_00]: I'm saving up for some repairs, but like Nick said, look us up on our website and reach out by LinkedIn. We're friendly faces and we're here to help.

[00:42:44] [SPEAKER_02]: Well, I'll get all those links added to the show notes so people can find you nice and easy.

[00:42:49] [SPEAKER_02]: I've loved learning more about NetSPI, your mission since the business rebranded, also some of the key trends that you're both seeing in the cybersecurity industry and what has changed since you started, and also this growing number of regulations and frameworks and how to overcome them.

[00:43:05] [SPEAKER_02]: I do hope you get that signal fixed pretty soon, because it is essential. And Nick, I hope you've got a big red phone in there somewhere as well.

[00:43:13] [SPEAKER_02]: But I think, thank you for sharing your stories today.

[00:43:15] [SPEAKER_02]: It's on my Amazon wish list. I'll go on, a very funny thing.

[00:43:18] [SPEAKER_01]: Thank you, please share this.

[00:43:19] [SPEAKER_01]: Cheers, Nick.

[00:43:20] [SPEAKER_02]: As we wrap up today's enlightening conversation with Nick and Giles from NetSPI, I think it's clear that the landscape of cybersecurity is undergoing a significant transformation.

[00:43:31] [SPEAKER_02]: Whether it be the integration of generative AI or the strategic shifts in CISO roles,

[00:43:38] [SPEAKER_02]: the challenges are as complex as they are critical.

[00:43:42] [SPEAKER_02]: But remember, you can continue this conversation online. You can visit NetSPI, you can chat to today's guests.

[00:43:48] [SPEAKER_02]: You can chat to me, email me techblogwriter at rock.com, Twitter, LinkedIn and Instagram, just Neil's.

[00:43:55] [SPEAKER_02]: See you. Let me know your thoughts on adopting a proactive approach to cybersecurity, and how are you doing that?

[00:44:01] [SPEAKER_02]: What challenges have you had to overcome? Have you encountered or implemented any innovative strategies that have reshaped your security posture that you would like to share with other business leaders?

[00:44:12] [SPEAKER_02]: Please share your insights. Join the discussion. Let me know.

[00:44:16] [SPEAKER_02]: Other than that, I will return again to your podcast feeds tomorrow morning with another guest and a different topic.

[00:44:22] [SPEAKER_02]: But the message will be the same. How is technology transforming your life, your business, your world?

[00:44:28] [SPEAKER_02]: Join me again for the discussion.

[00:44:29] [SPEAKER_02]: Just like that. But thank you for listening today and until next time, don't be a stranger.