Are vendors doing enough to help their customers understand the complexities of cybersecurity?
I think that they are to a certain degree, at a very technical level. But that audience would be very technical. And those technical individuals are not necessarily the ones that make decisions. They're not necessarily the ones that have the purse strings. They don't have budget accountability or responsibility. So, I would raise a slightly different question, say, well, where's the thought leadership in the way that these technology companies are actually talking about cybersecurity and applying it to real life problems that these businesses face. Vendors and end users have to come together and find a way to communicate better.
Do you think that the key pillars of an end-to-end security strategy are understood by most users, or are many of them still a bit in the dark?
It's a really good question as to whether end users fully appreciate cybersecurity strategies within their businesses. And it depends on whether you're an SMB, an enterprise, or a large corporate; if you're regulated or not regulated; if you are compliance-driven or not compliance-driven. So, it's actually a very complex question to answer. I think that organizations have an absolute responsibility in ensuring that their end users are educated, are made aware and are trained correctly. It is then the responsibility of vendors that supply and support those tools and technologies - that help prevent particular breaches or malware or viruses, or conducting penetration testing. They have to find a way of communicating what they're doing so that the end user is again made aware and educated.
But I do think that the responsibility does also lie with the individual. If you work for a large organization, you can argue that you have a couple of people that are responsible for cybersecurity. Actually, if you're a company of two hundred fifty, I would say you've got 250 people that are responsible for cybersecurity. The mentality has to shift. I think we all have a good understanding of what it means to protect ourselves and to protect those around us. It's a very natural thing. I've never really understood the behaviour of why people then decide it's not important to do it in a corporate, right? Actually, it's somebody else's issue, somebody else's problem.
Vendors maybe have a problem they need to address in how they communicate with the customers, but the customers can't wash their hands and say, oh, tell us what to do. I think it's a joint effort right now. You're going to get circumstances where individuals within organizations may not have the necessary skills, that they're not going to know everything about cybersecurity. And I think that's when the dependency on the vendor comes in to help them educate. And in those circumstances, it's a huge responsibility for the vendor to take on. Now, you want to be in a position where you would hope that it becomes a very advisory exercise. Let's understand the problem that the organization has. Let's understand those pain points. Let's see what we can fix quickly for them. Right. And let's do it all in a very cost-effective way. That's what a small board or a bunch of people want to hear, right? Because they're now effectively outsourcing that security to a third party. And they will take that advice.
The vendors in these circumstances need to act in a very truthful, honourable way. Don't do or say something because it helps you make a sale. Do it because actually it's the right thing to do for the customer. Be transparent about what it is that you're attempting to do. And I think that's what's really great about Kaspersky, is that level of transparency in the way that they're trying to deliver products and services. It's not about selling a product. It's about supporting a business in the delivery of the right cybersecurity strategy that's going to help them.
In terms of moving forward, there needs to be a better way of vendors and end users working together. What is the ideal way of addressing this problem?
I think it's such an important question. And one of the reasons why I teamed up with Kaspersky was to effectively address this particular issue. And I'm so happy that they actually stepped up to take on the challenge, which is effectively: chief information security officers, or anyone that's accountable for cybersecurity within an organization, have to start having more transparent, open dialogues with vendors. So let's start with the practitioners.
There is this misconception that has been built, and I saw this over the beginning of the lockdown, version one. We had a lot of people working from home. We had a huge amount of digital transformation suddenly wanting to take place, you know. So if you think about organizations compressing what would have been two to three years' worth of digital transformation into months' worth of work, that's a huge change in the security landscape. And therefore, you require a huge pool of vendors to help support the delivery of that transformation. What I was witnessing within the practitioner side of the world was people complaining, complaining about the number of vendors trying to contact them, the number of people trying to sell them stuff, the number of people not listening to them.
And you could sense the hostility, in that the vendor side was saying 'we're trying to help you, we're trying to provide services'. So, you had vendors wanting to do the right thing. And I could say that with hand on heart. They were stepping up to support businesses in a time of need. It just wasn't recognized. It really wasn't recognized by the practicing group. They just saw it as another affront by the vendors: 'they always want to steal my time'. So both are at fault. One is not listening to the other and the other one's not hearing this.
So what would I recommend? Just stop, look and listen for a second. We need to stop and assess what that relationship actually is, because it is about relationships. And it is about trust. Forget the tools and the technology and the processes for a second.
If I believe in what somebody is trying to tell me about a solution, not a product, but how I'm going to solve a problem - I want to build a relationship with that individual, which then in turn allows me to build a relationship with that company. And I generate trust. So stream it down to just simple human engagement. Everyone's time is valuable. But actually, if you're telling me something of importance, find a way to talk to me about it.
So build that relationship first. The second piece then is, you know, show me and demonstrate to me how it solves it. Because I now need to build a business case. I believe in what you're telling me. I understand how it works. But I have to report to other people. I have to have enough confidence that I can build a business case. And business cases in large institutions take ages.
So there's a level of patience I think vendors need to have with businesses, and especially now we're entering into a potential global depression. You know, cyber security has never been more important, but it's the one thing that disappears – it’s seen as quite a dispensable function because it's expensive.
And lastly, I would say create working groups. Create effective working groups that debate and challenge what vendors are doing. I actually sit on multiple working groups for particular vendors, whether it's governance, risk, compliance, threat intelligence or penetration testing. And the idea is that, as part of a CISO group, I can say what works, what doesn't work, at a technical level, at an operational level, at a strategic level.
Is there any sort of basic checklist for end users when looking at a vendor such as Kaspersky? The sort of language you want to hear from them when they're talking to you, as opposed to somebody who's maybe just trying a bit of smoke and mirrors?
I think there are a lot of charlatans out there. But then, there are a lot of vendors out there. I think at the last count, in the UK alone, there are probably about 7000 cybersecurity vendors.
There are a couple of things I would say. One is, there are lots of different ways you can be informed about what cybersecurity tools and services are out there. It is a really complex market. There are a couple of organizations that are trying now to challenge that. But, you know, people's dependency has mainly been on the likes of Gartner and analytics.
And if you sit up in a Magic Quadrant, then, for a lot of the boards and CEOs, they're going to look at that and say, OK, you know, let's go in this direction. And this is just my personal opinion, but I don't necessarily think that always gives an accurate picture of whether something is good or not. The individuals that are then having the responsibility for going down that path must ensure they do their own discovery and their own homework and their own assessment of the applicability of any solution.
Reverse this to the vendor - tell me whether I need this or not. Is this actually appropriate for me? As an example, I'm worried about my intellectual property being stolen because I'm working on some top secret engineering project, but I've only got 10 people working in my company. So what do I need to do? Do I need some intelligence because I'd be worried about spies coming in and stealing that data?
Do I need any additional protection to add to any malware or antivirus solutions I might have? Do I need to encrypt stuff? An opportunistic vendor would say, yes, sure, you need them. And then, before you know it, you can't operate as a business because you're so locked down that it's non-functional. What I would like to see is those vendors saying, well, actually, there are multiple different things that you can see here that you need to achieve. Let's break it down and do it in such a way that you understand what those business critical assets are. And let's look to see how we can then apply that to tech. And see what that solution is. I still think it's just too much about the products. And, as practitioners, we switch off when we start hearing about products, because there are 10 other products that do exactly the same thing.
I want a vendor's expertise. I want Kaspersky's expertise when it comes to intelligence, because they are one of the key players in threat intelligence. All the efforts that they're making in terms of transparency of their operations are key. And they are one of the only vendors I know who are doing that, which is excellent.