Redefining CyberSecurity

Digital Dawn: Cyber Security Policy in the Wake of Political Change | A Brand Story Conversation From RSA Conference 2024 | A NCC Group Story with Siân John | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin, host of Redefining Cyber Security Podcast, and Siân John, Chief Technology Officer at NCC Group, in an engaging discussion on the evolving cybersecurity landscape. Explore key insights on citizen-driven regulation, bridging business-cybersecurity gaps, and emerging trends reshaping security strategies.

Episode Notes

This Brand Story Podcast comes to you from the RSA Conference Broadcast Alley and features an insightful discussion between Sean Martin, the host, and Siân John, the Chief Technology Officer at NCC Group. The conversation dives deep into the complex world of cybersecurity, shedding light on critical issues and trends impacting organizations globally. Siân John, in her role as the Chief Technology Officer at NCC Group, brings a wealth of experience and knowledge to the table. She discusses the challenges faced by organizations in the rapidly evolving cybersecurity landscape.

From insights to innovation, threat intelligence to research, her role encompasses a wide range of responsibilities aimed at enhancing cybersecurity capabilities. One of the key highlights of the episode is the discussion around the shift in regulatory dynamics driven by citizen advocacy. Siân John emphasizes how the push for regulations, especially in areas like online safety and data privacy, is now coming from the citizens themselves. This shift signifies a growing awareness and concern among the general public regarding cybersecurity issues.

The conversation also touches upon the importance of bridging the gap between business and cybersecurity. Sean Martin and Siân John discuss how organizations need to align their security strategies with business objectives to effectively manage cyber risks. By emphasizing the need for a business-driven approach to cybersecurity, they underscore the significance of integrating security into the fabric of the organization. Furthermore, the episode explores emerging technology trends that are reshaping the cybersecurity landscape. Siân John highlights the importance of consolidation, simplification, and automation in security operations.

The discussion underscores the need for organizations to adapt to new technologies while ensuring a streamlined and resilient cybersecurity posture. As the conversation unfolds, Sean Martin and Siân John stress the importance of strategic planning and gradual implementation in cybersecurity initiatives. They caution against hasty decisions driven by urgency, advocating for a methodical approach to security transformation. By drawing parallels with failed IT projects, they emphasize the need for careful planning and execution in cybersecurity endeavors.

Ultimately, the episode offers valuable insights into the evolving cybersecurity landscape and the role of key stakeholders in driving security transformation. Sean Martin and Siân John bring a wealth of knowledge and expertise to the table, offering practical advice and strategic guidance for organizations navigating the complex cybersecurity terrain.

To learn more about the latest cybersecurity trends and best practices, connect with Siân John and the team at NCC Group and explore the cutting-edge solutions they offer to enhance cybersecurity resilience and protect against evolving threats.

Learn more about NCC Group: https://itspm.ag/ncc-gr1ajh

Note: This story contains promotional content.

Guest: Siân John, Chief Technology Officer, NCC Group

On LinkedIn | https://www.linkedin.com/in/sian-john/

Resources

Learn more and catch more stories from NCC Group: https://www.itspmagazine.com/directory/ncc-group

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription


Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here we are. We're we're live on the on the show floor. Yes. Great. John John. Hi. It's amazing to see you. Good to see you. Glad you made it across the pond safely. Yes. Hopefully I'll make it. Hopefully make it back home safely as well. You will. Yes. It might take you a few minutes. Yes. But, uh, hopefully it's a nice long single stretch home. 
 

Uh, thank you for, uh, thank you for joining us here. And thanks everybody for joining us on location. I'm Sean Martin, host of the Redefining Cyber Security Podcast, and we are at RSA Conference. And I am joined by Siân John, who I mentioned, uh, from NCC Group. And we're going to talk about a new report that she just put out, and uh, some of the findings and, and how that's going to impact organizations, not just in the UK, but abroad, right? 
 

Yeah, yeah. All over the world. So, before we get into that though, a few words from you about what your role is at NCC Group, and some of the things you're working on.  
 

Siân John: I'm the Chief Technology Officer at NCC Group. So, uh, a global cyber security services [00:01:00] company. Very big in North America, UK, Europe, and Asia Pacific. 
 

Headquartered out of Manchester in the UK. Uh, my role as the Chief Technology Officer is to really lead insights, intelligence, and innovation for the company. So, the threat intelligence team work for me. We have a research function. Uh, and then, uh, a function that helps and works with our capability leaders on evolving our offering. 
 

So I've been here this week looking at what technology providers there might be that we can work with, uh, to help our customers really. 
 

Sean Martin: Yeah, technology, uh, such a broad, broad thing. And I'm, before we get to the core, I want to talk to you briefly about kind of your, your role and perhaps connections with other technologists. 
 

You're able to have conversations from an innovation and capabilities perspective that many can't, I'd say. So how does your role help you connect with some of your customers in a way that can help them?  
 

Siân John: Well, it's really been being able to sit there and obviously having been around in the [00:02:00] industry for a long time, understanding the challenges they face. 
 

And I've been at technology companies for almost 20 years, so it was always, how can my technology help you? And now it's like, actually, we have some very smart people that can come in and help you to do things we do, uh, helping people to, to build what they're trying to do, consulting and implementation, doing some technical assurance and some, some testing with some of the best testers in the world, incident response, and then managed services. 
 

So having that background of having worked in technology and then knowing where the service gap is, allows me to have that conversation with customers around, you know, where are your challenges? What are your pain points? And the things that we have and the people that we have that can maybe come and help you to get to where you need to. 
 

Sean Martin: Right. And this year's theme at the conference is the art of possible. Are you, are you seeing some cool things happening?  
 

Siân John: Um, there are some cool things. So I was saying I'm probably getting a little bit old and jaded where you sort of go, well there's a lot of variants of the theme and seeing [00:03:00] things. 
 

Though as expected, there's a lot of AI here. Yeah. And I used to think, well, you know, AI is a different chair. I think it's almost, it's expected that you're going to have AI now. Uh, I did find a company and I've forgotten the name, I just was up in the early stage expo. I was like, the killer use case for AI is to actually help to find sensitive data, because we're really bad at classifying it, aren't we? 
 

We're really good at finding it. And classification isn't natural to most people. So, like, if anyone had that, and I found a company up in the startup space that does it, so I was like, whoa! So, uh, they're the ones to follow up. It'd be really great for them if I could remember their name off the top of my head, but, uh, they are really good. 
 

Sean Martin: That'd be great. So hopefully people go to the sandbox and check it out. But we're here to talk about the great work that you and your team do. And so you've done some research, pulled a report together, it's the inaugural report. So give us some background on how all that came together this year.  
 

Siân John: So we have a really strong government affairs team that work with policy makers around the world, [00:04:00] particularly in the UK and the US and Europe. 
 

Basically talking to them about, you know, what the regulations are. We got evolving policy, evolving governance and control from a public sector perspective of, of, of the industry. And it's been a lot of regulation, a lot of change happening over the last few years. So we put together this Digital Dawn report where we really went out and did a combination of some quantitative surveys and some qualitative chatting and surveys just to get a feel for, uh, what is the pressure that's creating so much regulation at the moment and where might people be and therefore what does that mean for us as an industry and for people, uh, that are trying to use technology and how they need to deal with it, so. 
 

Sean Martin: So what were, what were some of the highlights from, from this year?  
 

Siân John: So one of the things that's really interesting that came through, and you'll probably see it, UK we've got the online harms bill which is very much being driven by, uh, the parents of children that were affected by social media, um, [00:05:00] either suicide, uh, sites or, or bullying or, or elements like that. 
 

But it happens across the, uh, more broadly than that in terms of being safe online and now with AI. There's actually a, a big citizen push for regulation, which it hasn't been in the past. Quite often it's been like governments choosing to do it. If you think about the conversation that's happening around AI, the conversation that's happening around social media. 
 

A lot of it is coming from citizens and ordinary people lobbying their representatives to say, you know, we need to regulate this, which is something a little bit different to where we've been in the past, which I think just reflects the fact that cyber is now part of everybody's life and it's embedded into the world. And the other thing is seeing that there's actually a lot of collaboration going on in terms of regulation, both cross party, because it's not really part of political cyber and being safe online, but also across countries. 
 

So if you look at [00:06:00] things like the emerging regulation of AI, although, you know, the European Union is doing something, we've got AI institutes in the UK, the U.S., Canada. Everyone's actually looking to say how can they work together and harmonize, at least those organizations with similar values, they're all looking at how we can harmonize and work from the beginning, which is actually quite useful and interesting, because historically what you see is lots of different regulations and you've got to work out how you deal with it. 
 

And I think just as a way, a lot of people ended up following the GDPR with their own flavor. I think rather than doing that now, everyone's actually coming together to go, what are the things that matter and how do we regulate? And, um, yeah, there is a lot of interest. Right. In regulating the space, which is why we're seeing that explosion of regulations. 
 

Sean Martin: So two questions. What do you make of the fact that it's the citizens pushing? Where typically it's been government entities, lobbyists, and, and [00:07:00] there's probably some battles that. Yeah. That probably could have happened earlier. Yes. In that sense because, because of lobbyists, maybe it didn't happen. But now the citizens are pushing. 
 

So that's the first question. What do you make of that shift?  
 

Siân John: Yeah.  
 

Sean Martin: And then how, how do you see it impacting. The way businesses run now,  
 

Siân John: so there's two things. So obviously the citizens pushing for it means that there will be a continued pressure to make it happen. But it also means that they might have an opinion about what should be done that may not be practical to implement. 
 

And, you know, really victims should have an input into how it, how something hurts and harms them. But if they design the actual regulation of the law, that could sometimes become too punitive. So, uh, and, uh, and difficult to implement in practice. And so from the point of view, from an organization's perspective, it's try not to stop the regulation, but try to talk about how do we make this something that's practical and implementable? 
 

So one, for one example, there's a lot of push for age [00:08:00] verification, uh, particularly in social media, which seems very simple and easy to a parent of a child that's seen content they shouldn't have done. But actually when you think about that from a privacy person, that means collecting a lot of personal data about people in order to prove that you are the agent. 
 

Maybe organizations that you don't want having personal data suddenly collecting it, which then leads to data breach issues. I think from the point of view of an organization looking to respond and work with regulation, you've just got to work on the assumption that it's there, and it will increase, and it will go there. 
 

And so don't fight against it. Look at how you can embrace and do the right thing and be proactive. I think that's why you see a lot of supply chain and governance and compliance solutions around here. And it's really how do you make that easy to do, as automated as possible, and as responsive as possible. 
 

Sean Martin: Now do you, do you see it, uh, so clearly we're, we're talking about [00:09:00] harm and children, and as soon as you connect it to social media, a lot of companies might say, we're not social media. Um, do you see any bleed over in terms of how something might be defined that will then make it apply to any organization that collects data? 
 

Siân John: I mean, some of the things with age verification, there's a danger there. I think we're more for most, for most organizations, it probably gets into the world of AI and machine learning and the fact that there will be a lot of regulation on things like that. So yeah, the social media is a very specific one. 
 

But there is now then that, you know, if you're selling items on an internet presence to people, maybe you can expect that there might be more scrutiny of that and regulation of that. Just as happened with the GDPR, it might be applied in one year's case. It, it grew, so you have to prepare for that. I think when it comes to, to more broadly beyond social media, I mean that, that citizen push [00:10:00] on, um, the social media is one thing, but then there's also one about I want to just be able to just buy a device that's secure. 
 

So this whole, you know, software bill of materials, the whole making sure you're, you've got security built into any devices you create, that you're doing security by design and cyber resilience. Those two phrases that we're hearing a lot and coming along. And I think that's a sign of that more broader general, you know, use of use case and pressure. 
 

So, we want to be able to use technology. We want to know it's secure from the beginning and then it's going to be resilient and it's not going to take the country or the business down.  
 

Sean Martin: Right. And our organizations and obviously from the UK, I'd love that perspective. Yeah. Because a lot of folks we talk to in the US have the US perspective. 
 

Yeah. What's your, what's your view on the maturity level for organizations to be ready at the executive staff level to move forward? [00:11:00] We want to embrace technology. We want to create an infrastructure that's resilient. We want to promote safety, be it physical in the OT or online for children or whatever, depending on the business. 
 

And it needs to be secure as well, because that always comes, but typically, especially when we look at regulation, it's we build something and then we audit and see how well we do. So, what's the maturity level of the UK organizations and maybe your broader view, because obviously NCC is broad, uh, global as well. 
 

Siân John: Yeah, I think it sort of depends on vertical. So if you go into the regulated verticals, I think this applies globally. So if you go into certain verticals like financial services, they much more get it than say, if you go into retail, which traditionally hasn't been as regulated. Um, there are some organizations that are really good examples of doing it, but I think still the majority aren't. 
 

And I think it's what, only 30 percent of boards actually have people that are cyber and willing to talk [00:12:00] about cyber at that board level. I think that's particularly UK, but I think that's, you can look across the globe, that'll be reflected. I mean, UK is probably one of the more mature countries because they've had quite a mature cyber strategy. 
 

They've been trying to push boards to care about security, just as has been happening in the U.S. In other places, it's probably less so. And the challenge is, of course, when we go and look at the opportunity of technology, people are almost treating cyber risk as something that belongs to IT and it's not a business risk. 
 

And actually you need to say, so I'm investing in this technology, I also need to think about what the threat is that comes with that. And investing in cyber is really managing that threat to allow you to maximize the opportunity. That, that equation still isn't happening a lot, which is why security is at the end. 
 

Uh, which is why you've got this pressure for cyber resilience. So that's why I say UK financial services are particularly good, because you have the, uh, the stress testing that was done after the financial crash in 2008. They brought in the [00:13:00] CBEST testing, which, uh, you know, there's the, the, the stress testing of how resilient the organization is as a whole. 
 

But there is a cyber part of that, which is a threat led red team pen test. And then that's got into Europe with TIBER. And then we have DORA coming from the Digital Operational Resilience Act. And what's good then is that drive towards principle, resilience, not towards a checklist, and too many boards still look for the checklist. 
 

And you actually, I've been saying for 10 years, we need to get people having more of a conversation. It's better than it was, you know, 30 percent is much better than where we were 10 years ago. But we've still got more work to do for people to be really thinking about risk. We know our board do, but the nature of our business is they, they care about it. 
 

But if you go into many others, particularly in non regulated industries, uh, it's still, there's a long way to go.  
 

Sean Martin: So how, how does NCC Group unlock some of those [00:14:00] conversations? Cause I mean, we, we, I continue to hear this dichotomy between the business and IT security specifically. How do you change the narrative? 
 

How do you, how do you change the language? Or how do you unlock it, I guess is really the question.  
 

Siân John: So, so we have some, some senior consultants will actually go in and, and brief the board. Our board members actually also are members on other boards and they drive the message that way, but we will actually go in and we'll do tabletop exercises, we'll do preparing people, but also the advanced testing and the penetration testing that we do, whether that's of vehicles, hardware, devices, cryptography. 
 

Yes, that's a very technical element, but quite often it's then taking that and translating that into what does that mean for you as an organization. Um, with some of these threat led penetration testing scenarios, we're very involved in looking up using our threat intelligence to work out what is a scenario that's really realistic for an organization, [00:15:00] doing the red team tests to prove we can get in, which comes with some technical controls, but then having a senior advisor, you could actually go in and translate that into so what? 
 

So what does that mean for you for the company? And that's the big thing for a board. So what? Yeah, yes, there's the technical things and we can connect with it. But so what, from a business perspective, is that question that we need to be posing or giving an idea of what a board should do to having that business conversation. 
 

So, because we're quite broad, we've got the very, very deep techies, but we've also got the people that can talk business as well.  
 

Sean Martin: Yeah, yeah. The tactics and the strategy. Yeah, exactly. Coming together. What's um, I'm going to take the easy one off the table, AI.  
 

Siân John: Okay, right, okay.  
 

Sean Martin: What are some other tech trends that you're seeing that organizations need to be cognizant of? 
 

Siân John: I mean, there's the one that's been going on for years, isn't there, about consolidation and simplification and [00:16:00] you consolidate and simplify what you're doing. Um, but then you have a gap, yeah, yeah, yes. Or the security tooling, because there's too many tools. We constantly say that, but then people consolidate down, but then you've got a gap for some new emerging tech. 
 

Without saying the word that I'm not going to mention. So you go off and get some of the controls. That means you've then got tool sprawl again, and then you've consistently got consolidation. There's another interesting thing that I'm sort of tracking in industry where your speakers were like a testing company. 
 

So you've got your, your red team testing, your pen testing, your PCI compliance testing, your really advanced code reviews on one end. And on the other end, we've had like vulnerability management, vulnerability scanning for years, then attack surface management. And now continuous controls monitoring. 
 

There's almost like a trend that I think is happening over time. And you can see it in some of the people that are here that we're getting towards that almost continuous controls management of, help me to do the automated remediation, help me to do the patching, [00:17:00] bring in the pen test and correlate it with it. 
 

We're on the early days of that journey, but that's a definite trend we can see happening, which for us as a services company, it's like, how do we make sure we adjust and apply both?  
 

Sean Martin: Yeah. What I hear there is, I mean, you have world renowned researchers doing all this hardcore stuff that most organizations can't get their head wrapped around. 
 

It's very technical, very deep. And then translating that into action. And then, obviously, we talked about, uh, kind of the strategy to unlock the, uh, transformation. I believe security needs a transformation. Yes, it does. It does. But, I think it's gonna, it's gonna start with that point of, we have this exposure. 
 

We need to reduce complexity. We need to simplify. We need to consolidate. We need to automate, orchestrate. And I believe it's going to be a lot driven by the researchers that have this technical knowledge of this is how we close that [00:18:00] gap. This is how we tighten. This is how we... So, any thoughts on that?  
 

Siân John: I think that's absolutely true. 
 

So, a lot of things get called AI. Sorry to say that word. But when they're actually really automation. And let's not overcomplicate it. Let's make sure it's simple and automated. And yeah, we need to make sure that we're doing that. Keep it simple, stupid all the way along the way and making sure we're taking that basic approach. 
 

We're actually at that point where, as an industry, I think we're beginning to mature and professionalize. So there is that requirement that you have a much more business driven approach, your business outcome, but also you are thinking about how to do things in a more sensible way. Um, we're building the skills and the profession in a way that people are happening and, you know, we're less the hobbyist with a screwdriver and more the, how do we automate and make it simplified and orchestrated and built into the way that the business works. 
 

So effectively we've been going from market transformation, which is like new tech coming, forcing the digital [00:19:00] transformation that business, well businesses having to transform, then digital transformation in IT. We're almost at that security transformation now for. From, from, from that perspective where you need to be plugged into the business, connecting them, using you as a, an advisor, but then also thinking about not just how do I secure this, but how am I securing and enabling the business process with the security I do, not just doing security  
 

Sean Martin: and not disrupting the business. 
 

Siân John: Yeah,  
 

Sean Martin: and you mentioned the screwdriver, right? I, I can picture a lot of organizations recognizing they need to make a change.  
 

Siân John: Yeah  
 

Sean Martin: They, they get help and, and, and see they have exposure and weaknesses, and all they want to do is bring a hammer because they get frustrated, right? They can't actually take, take meaningful action because they don't have the budget. 
 

They don't have the staff. They don't have the knowledge. They don't have the strategy to do that in a way that supports the business.  
 

Siân John: But we all know what [00:20:00] happens when you take a hammer to your Ikea flat pack because you can't, other, other, other flat packs being available. Yeah, you don't, you don't, it doesn't run well. 
 

Sean Martin: Just hammer, hammer that screw in there, it'll be fine.  
 

Siân John: It's actually a, I've been reading some books about like planning and things like that and one is about why big projects fail, looking at building of bridges and things like that. And quite often because people, they want to act quickly so they, they, they, they think fast. 
 

Right. And then and then when they actually go to action and implementation, it goes very slowly because all the things they were expecting come along and they get lots of shocks and they don't deal with it. I think that happens a lot in security where we're so like the risk is there. Now we need to do something. 
 

Maybe you need to do the quick hammer now, but then you need to think slow and do the planning and think about how we're going to do it right. You know how many IT projects can we point to where they went too quickly to implementation? It ended up being a big, big mess. So, yeah, obviously the UK, the Post Office being one of those, that's the worst example, I think. 
 

So, but if [00:21:00] you actually can think slowly, do the planning, work out what you need, and then act in, in sprints about the things that matter and prioritizing that, you know, embrace the MVP and then expand from there. We need to do that more, as opposed to what we do is, the world's falling down, let's go throw some money now, yeah. 
 

And, and you can't do everything at once anyway.  
 

Sean Martin: Exactly. I think what many people forget is, it's been done before.  
 

Siân John: Yes.  
 

Sean Martin: People have done it successfully, so don't try to reinvent the wheel with a hammer.  
 

Siân John: Yeah, yes, exactly.  
 

Sean Martin: Alright, well, Siân John, it's a pleasure to see you, as always. Great to chat with you. 
 

Brilliant. And, uh, hopefully, hopefully we'll connect with you again soon and talk more about what you're up to at NCC Group. And everybody listening, thank you for joining us on location here at RSA Conference. Be sure to connect with Siân John and the team at NCC Group. Grab a copy of the report and learn some more about that. 
 

And, uh, people have done it before. Don't try to [00:22:00] recreate the wheel here. So thanks everybody for joining. See you.