Redefining Society Podcast

Jump Into Our DeLorean and Travel Back and Forth Into the Future | An Infosecurity Europe 2024 Conversation with Madelein van der Hout and Paul McKay from Forrester | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Marco Ciappelli and Sean Martin as they sit down with experts at Infosecurity Europe 2024 to discuss the evolution, challenges, and human aspects of the cybersecurity industry.

Episode Notes

Guests: 

Madelein van der Hout, Senior Analyst Security & Risk at Forrester [@forrester]

On LinkedIn | https://www.linkedin.com/in/madelein-van-der-hout-65452025/

On Twitter | https://x.com/HoutMadelein

Paul McKay, Vice President, Research Director at Forrester [@forrester]

On LinkedIn | https://www.linkedin.com/in/paul-mckay-5304a115/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

The Human Side of Cybersecurity

Infosecurity Europe 2024 in London brought together some of the industry's most knowledgeable professionals. Marco Ciappelli and Sean Martin, your hosts, were joined by Madelein van der Hout and Paul McKay, both from Forrester, and various other experts to discuss the latest trends, challenges, and solutions within the cybersecurity landscape. This exciting episode of "On Location With Marco and Sean" dives deep into essential topics such as the significant role of the human element in cybersecurity, skill shortages, industry fragmentation, and future trends.

Reimagining Cybersecurity: Back to the Future

The episode begins with a nostalgic touch as Sean Martin and Marco Ciappelli discuss the iconic movie "Back to the Future". Drawing a parallel between the film's theme of time travel and the evolving cybersecurity landscape, they emphasize how the industry might benefit from lessons of the past while anticipating the future.

The Reality of Cybersecurity Innovation

Madelein van der Hout and Paul McKay shed light on the changing dynamics of cybersecurity events. Paul mentions that events like Infosecurity Europe must now compete with other regional events like CyberSec Europe in Brussels. This healthy competition fosters localized insights and innovations.

Madelein adds that cybersecurity innovation often stems from startups. She believes these events stimulate larger vendors to communicate with smaller startups, thus supporting the entire ecosystem.

API Security: A Case for Consolidation

Both Paul and Madelein reflect on the notable presence of API security vendors at the conference. Madelein points out the consolidation in the market driven by various approaches to API security. CISOs today expect API security to be an integral part of their infrastructure, driving the conversation towards prioritization and efficient resource management.

The Human Element and Mental Health

One of the crucial points discussed was the significant skill shortage in the cybersecurity industry. Madelein stresses the need for more conversations around mental health and burnout prevention among cybersecurity professionals. Paul supports this by highlighting common hiring challenges where organizations are often looking for the "purple squirrel" or the "five-legged sheep."

Training and Educating Future Talent

The conversation moves towards the barriers to entry for new talent in the industry. Both experts agree that focusing on certifications alone can create a class divide. Paul argues that this practice restricts access to the industry for those unable to afford costly certifications.

Madelein emphasizes the need to work closely with HR departments to create better job profiles and hiring practices. This could alleviate some of the industry's talent shortages.

Cybersecurity's Future: More Than Just a Business Problem

Madelein takes a broader view by asserting that cybersecurity is not just a business problem. It's a civilian issue as well, affecting everyone with a digital footprint. She encourages leveraging the power of informed voting and education to address cybersecurity at a societal level.

Data-Driven Decision Making: The Key to Security's Evolution

Sean Martin concludes by discussing the immense data available in the cybersecurity sector. He emphasizes the potential for the industry to drive businesses by making better, data-driven decisions. Paul agrees, pointing out the need for cybersecurity to evolve similarly to how the CIO function has over the years.

Conclusion: A Call for Innovation and Humanity

The episode wraps up by reinforcing the focus on the human element. Marco highlights the need to utilize existing resources effectively rather than being distracted by the latest technological gadgets. Madelein's call to talk more about humans in every cybersecurity breach serves as a profound takeaway.

As the conversation echoes through the media room at Infosecurity Europe 2024, it's clear that the journey forward in cybersecurity involves a blend of technology, human touch, and innovative thinking.

____________________________

Follow our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcLEF2H9r2svIRrI1P4Qkr

____________________________

Resources

Learn more about InfoSecurity Europe 2024: https://itspm.ag/iseu24reg

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Marco.  
 

[00:00:02] Marco Ciappelli: Sean.  
 

[00:00:03] Sean Martin: It's time to go back to the future.  
 

[00:00:06] Speaker 2: Back to the future. You know, as a kid of the 80s, I really loved that movie.  
 

[00:00:11] Sean Martin: Yeah.  
 

[00:00:11] Speaker 2: Yeah, I know you're much younger than me.  
 

[00:00:13] Sean Martin: Did you like the concept of the movie, or the car in the movie, or?  
 

[00:00:16] Speaker 2: I liked everything about it. Everything? If it comes out on TV, I'll still watch it. There are two movies, that and Top Gun, that I would not pass.
 

[00:00:25] Sean Martin: Oh, alright. Yeah, I think I'll stick with the one we talked about this morning, which was Young Frankenstein.  
 

[00:00:31] Marco Ciappelli: Oh, well, that's totally fine.  
 

[00:00:32] Sean Martin: That paired with Airplane or something. I don't know, what are we talking about?  
 

[00:00:37] Marco Ciappelli: I don't know, it's in a way, you and I go off on tangents. We all call it a little bit of a Frankenstein, because the cyber security industry for me is a little bit of a monster. We do recall that. Different things put together. Fair enough. And then definitely the DeLorean, because we're going to maybe go a little bit into the future, but I don't know anything.
 

[00:00:54] Sean Martin: So we took, we took the Elizabeth line here to Abbey, Abbey, Abbeywood, I think it was. Abbeywood. The direction, right. Anyways, enough messing around here. I'm thrilled to have our friends from Forrester. I love working with the Forrester team. Uh, great insights on all things tech and cyber and uh, always great conversations when, when they join us. 
 

And we have Madelein van der Hout back on again, it's good to have you on, and, uh, Paul McKay. Paul McKay, that's where I was trying to remember how to pronounce the last name after you said it. Don't go wrong with that. One gets used to have a Scottish name. Can't mess that up, which I normally do, I usually mess up the names as soon as I think about them. I overthink it.

But anyways, I'm thrilled to have you on here. We're obviously, well not obviously, we're here at Infosecurity Europe in London at the ExCeL and lots of great conversations going on this week and I'm excited to hear what the two of you heard, said, saw, expect to see in the few years now that you've experienced uh, 
 

Before we do that, though, a few words, uh, for me to, uh, who you are, what you're up to, your role at Forrester, what areas you look after, and Madeline, we'll start with you.  
 

[00:02:15] Madelein Van Der Hout: Yeah, so, Madelein van der Hout. I'm a Senior Analyst at Forrester Cybersecurity and Risk. Uh, so I cover different domains within the cybersecurity and, uh, risk space. 
 

[00:02:29] Sean Martin: I think we joked about being, being nerdy on risk last time.  
 

[00:02:32] Madelein Van Der Hout: We did. We did. And all things legislation where other people get bored but we get enthusiastic. We see possibilities and opportunities.  
 

[00:02:42] Sean Martin: We see through the boredom into the fun. Alright.  
 

[00:02:46] Paul McKay: My name is Paul McKay. I'm a VP and Research Director at Forrester and I'm one of our European Tech Research Directors. So I oversee a whole bunch of people doing broader tech research and also Madelein and Toppy, uh, who do some of the cyber security and risk topics. Myself, I used to be an analyst, uh, covering things like cyber security services and some of the risk quantification and ratings technologies. So I've had a bit of a back to the future type thing with them as well, meeting some old acquaintances, as they say.
 

[00:03:18] Sean Martin: And I had the pleasure of chatting with Topey as well. So I'd encourage folks to listen to that episode. It was great. Again, another great conversation.  
 

[00:03:28] Marco Ciappelli: So I think this is the perfect moment to have this conversation because we are at the third day of the three days event that from what I could see from up here looking down, we're pretty busy, you know, going around definitely, I think more vendors than than last year, maybe a little bigger, but and a larger floor, a lot of AI I see on the marketing and banners. 
 

But, uh, yeah.  
 

[00:03:55] Sean Martin: Not as much in the conversation,  
 

[00:03:58] Marco Ciappelli: but that's what happened to us. And so, yeah, to have someone like you that, uh, that, you know, look into the present and the future. Um, what, what's your feeling about this event, Madeleine? Let's start with you.  
 

[00:04:11] Madelein Van Der Hout: Well, looking at the present and the future, I think that there are multiple possibilities. 
 

Big events when it comes to cyber security in Europe. And they are more and more emerging. And my takeaway actually is, while I've seen great information, great talks, great speeches, met up with an enormous amount of specialists in the industry and vendors, I do believe that they are choosing now where to go to. 
 

So, a couple of, um, people you would have expected at this event were not here. They were at CyberSec Europe and the other way around. So, I think in terms of, um, importance, that really shows that we're trying on multiple levels to share information and in multiple places within Europe. 
 

[00:05:10] Paul McKay: I think, I think what I would reflect on is I agree with Madelein that the, there are definitely some notable absences in terms of some of the larger enterprise vendors that one might expect to see here. I would also say that some of the exuberance we saw at some of these shows over the last couple of years when money was plentiful has kind of been toned down a lot. So there's, there's not the kind of, kind of cute, you know, building size robots or any of the kind of other gimmickry that we see in in years going sharks. And I think that reflects a little bit the broader kind of austerity that we see within the cyber security community.

So, as I said at the beginning, I spent a lot of time, not just for security leaders, but also tech leaders and that kind of pressure from the business to do more with less is impacting security leaders now. So some of the things that I heard in conversations were really focused on: we need to really be effective in how we're spending our money.
 

Uh, making sure we, um, are very thoughtful with what we spend our money on. And I'm not sure the cyber security industry has really got the memo here, because you still have over three and a half thousand cyber security vendors all chasing after the same small pots of money, when the pressure from the rest of the business is really around consolidation.
 

So I was kind of looking to the future. I would say you can see a lot more interest in security tech that helps CISOs really justify what they're spending their money on in financial terms. It allows the business to understand how that weighs up against other things they could spend their money on. I also have heard a lot about AI from vendors, but also a lot of AI fatigue. You know, we've been through this a couple of times in the industry before, but I think the broad challenge of the promise of the AI hype is not quite there, meeting the reality. And I think you see that in the cyber security space as well. So I think again, CISOs are kind of a little bit tired of hearing that there's gold at the end of the rainbow, that there's milk and honey on the other side of the Thames and all this other stuff.
 

So I think that you're going to see a focus on practical AI use cases that have that business ROI in return. So those would be my kind of two things kind of going into the future.  
 

[00:07:30] Madelein Van Der Hout: Exactly. The conversation that I have with multiple end users actually this week was about them saying, I'm so fatigued of the generative AI washing. I know that if I don't have a policy in place that my employees will bring their own device. But we still have to debate, especially in security, what are those use cases that I want, that I need, that can actually have effective artificial intelligence of machine learning practices in there. So, I think that was also sort of what they were seeking coming here and seeking to have that conversation.

And I fully agree with the consolidation. We're battling day to day business. We're trying to create business value or help our company create business value while we have to prioritize. And then you have to think of every different domain of security that needs to be in there.
 

And we have to look at the regulatory landscape, which is increasingly becoming difficult because you need to understand where you need to comply, how we need to comply, and we need to make sure that that's best practice we implement, like the bare minimum we implement, and that it's not about having a compliance check, because then, you know, that, that, that should not be the goal whatsoever.
 

[00:08:52] Marco Ciappelli: Yesterday, Sean, you and me, we're talking about, we've made the reference to the Frankenstein Jr. And the thing is, what you said, Paul, about a lot of people, and Madelein too, that a lot of company now being here, I talked to several CMOs and yeah, they, you know, they, they're, they're looking at this thing as well, like, and the monster reference for me from a brand and marketing perspective is the fact that it's just too much.
 

Cyber security right now is everything. Maybe 10, 15 years ago, it could have been in closing to a conference and now I feel like you need a specific conference for certain angle of cyber security, even if at the end they need to come together. But you can't go to a conference and then say, well, I can only hit 30 percent of it. 
 

What, what's the point, right? So this fragmentation is probably good for the industry. What do you think?  
 

[00:09:51] Paul McKay: Yeah, I guess what I would say has been quite interesting is when I started coming to these events as an analyst six or so years ago, this was one of the dominant events in Europe. This was the closest thing you got to the RSA conference in Europe. 
 

I think what's happened, which is really healthy, is that there's a lot more competition for the CISOs. They're not all having to get on planes and travel to London. They can actually find all of the insight they need within their local market in places like France and obviously CyberSec Europe is happening in, in, uh, Brussels.
 

So I think you're seeing a fragmentation of this. Now this event obviously has to compete with that, but I think that that's healthy and should be encouraged because you're getting much more the local perspective as well as the kind of the Europe wide or more, more accurately, a more UK centric perspective at this event in the last year or two. 
 

I think that's a healthy thing.  
 

[00:10:51] Madelein Van Der Hout: And I think as well, to me this event, within cyber security a lot of innovation happens with startups for instance. These type of events also stimulate larger vendors communicating with smaller startups and seeing how that can support the entire ecosystem. So, I think it's actually a good development that it's happening in multiple countries and that it's happening on multiple levels because not every startup is able to come to London or to come to Brussels or to Lille.
 

We have Insider Forum as well over there. So I think it's good to fuel that ecosystem and to be aware of how to, how to work with that. And in terms of also consolidation, what CISOs are expecting, if we have a look for instance at API security. We see a lot of consolidation happening already within the market, but it's driven by, well, first of all, we're approaching API security from the data perspective. 
 

Then we're approaching it from the network perspective. Then we're approaching it solely APIs. But CISOs are sometimes also expecting it's part of my infrastructure. It's part of my network. Why isn't it secured? So, to me that was also one of the takeaways from the conference. Yes, we see loads more API vendors, and you can already see movement happening in which direction based on how CISOs perceive where it should be in their security program.
 

[00:12:25] Sean Martin: Yeah, it's interesting. I also noted walking through the hall, a number of API security vendors specifically there. That's what they do. And, um  
 

[00:12:36] Madelein Van Der Hout: And APIs have been around forever. But now we're having the conversation  
 

[00:12:43] Sean Martin: on My job is to test the APIs and if they didn't exist, I knew they were going to come at some point, so I had to test the functions that would eventually be exposed as an API. 
 

[00:12:54] Madelein Van Der Hout: Exactly.  
 

[00:12:56] Sean Martin: I'm wondering, this is something that crosses my mind quite often, because there's so much technology. Yeah. Right? So many parts of an InfoSec program and so many, so many technologies to help with those things. Um, and this is another conversation we've had this week around making good decisions on where and how to invest. 
 

And at a tech show you look at the tech, but for me it's much more than that. It's how do we staff our team properly? How do we leverage tech to enable them? How do we, how do we build our programs that support found solid foundational decision making. Um, tapping into the regulations that, where we need to.

Um, but not just being sold a bill of goods from a, from a provider because we, we now told we have a gap in our program. Um, so I don't know, what, what do you see in terms of how the industry is progressing in terms of maybe an abstraction above all the tech to really have a good foundation for decision making?
 

[00:14:09] Paul McKay: I'm going to say something a little bit controversial. Which is, I don't think it is really dealing with that abstraction particularly well. I still see people chasing after, in some cases, quite specific technical problems. And, um, when I'm speaking to the tech leaders about security, they need to understand, because I think generally CIOs and IT leaders are much more along the journey of having a seat at the table, being a business executive that happens to run and operate a technology function.

They need to see the business value that's going to be driven by that, and I don't see the awareness of the business value solving said technical challenge has. You still see a lot of vendors kind of saying, well this is terrible because this is all the technical reasons and reasons why the sky will fall in if this kind of stuff happens.

And you see sometimes people flinging out, especially in the last couple of months, "Well, this too is coming in in the EU and if the management team don't buy this [insert very niche product category], they will get fired," and that's just not reality. And so I don't actually think the industry really is particularly mature at that, not when I compare it to the broader tech industry that the rest of my wider team covers.
 

[00:15:33] Madelein Van Der Hout: Well, and to add, I think within security we're still very comfortable talking about technology and every time something happens and we see emerging trends, emerging technology, we start talking about technology, technology solutions.

So we are talking about prioritization, staffing. We have 4 million jobs that we cannot fill because we do not have the people. Oh no, wait. Generative AI, it will solve it all! And then we have alert fatigue. No, yeah, you know what? We're gonna optimize everything! But there's one conversation that we're not having, and that's the actual conversation that I had hoped to have here.

Uh, we did in a session, but not as much as I would have hoped to. And that is actually about, so how do we address this? How do we address skill shortage? What are we going to do as an industry? How can we come together on that and then step away from the technology conversation? One of the other things is cyber security burnout.

People are moving away from this industry because there are significant levels of stress. They're fatigued and we're not having a conversation on mental health, but we're having a conversation on what solution, what technical solution can help us. And that's actually something that I would love to have more conversations on on these type of events, because we're bringing technology leaders, security practitioners together.
 

We're humans!  
 

[00:17:09] Paul McKay: That's, that's absolutely spot on. Madeline, I think one of the things I see with a lot of my CISO clients, I speak to them at the beginning of their relationship with Forrester. So tell them they can't hire any staff, and then you get the, I'll use a Dutch expression, two Dutch expressions that don't particularly translate well into English, but I think they're apt. 
 

[00:17:27] Madelein Van Der Hout: They're funny.  
 

[00:17:28] Paul McKay: When you go, when you go through, when you go through the, when you go through the job requirements, and what they're, what they're, what they're asking for, versus what they think they're prepared to pay. They're looking for either the five legged sheep or the purple squirrel, depending on what, um  
 

[00:17:41] Marco Ciappelli: Can you say that in Dutch, please? 
 

[00:17:43] Madelein Van Der Hout: Het schaap met de vijf poten. So it has the Dutch G, schaap met de vijf poten, yes. So, which is actually an old expression, because I cannot imagine that a sheep with five legs can run very fast or is very efficient. But apparently it's our expression to say that you're looking for the unicorn, is the British, uh,
 

[00:18:08] Paul McKay: Yeah, yeah, yeah, yeah, we would say the, the, the, the, the unicorn, uh, candidate in English. 
 

[00:18:14] Madelein Van Der Hout: I also like the purple squirrel.  
 

[00:18:15] Paul McKay: Yeah, but I, but I, but I, so these are expressions that I've learned over the years from Dutch clients. But I, but I think they, I think they highlight very succinctly what you see in the industry. You, you see people asking for CISOs that have experience of operating specific technology stacks and configuring and deploying them and all those, all those sort of stuff.

And you said I think a CISO is supposed to be an executive accountable for a security function and managing that up to board level if you're really hiring for a true CISO. So things like that are irrelevant. You also see kind of the other way around where people are struggling to enter the industry because people are being asked to have three, four, five years experience plus all the certifications plus experience in technology.

And I think probably one of my favorite ones was when somebody asked for 10 years experience in implementing a technology that had only existed for 6. I've seen things like that in the past before.
 

[00:19:07] Madelein Van Der Hout: You still see it. I actually saw like 2, 3 weeks ago, I saw one like that. And it's just crazy. And also, one of the things we saw in our research is that one of the departments that our security and technology departments within organizations are working the least with is HR.
 

How is this possible? Because then you get these instances where, um, uh, we need a job profile but we do not have it. Communicate or collaborate enough to have a correct profile in place.  
 

[00:19:45] Paul McKay: Yeah, that really tends to bite companies on the backside when they get a role they're hiring for mapped to a HR grade, which usually is benchmarked against a generic IT role. 
 

And then that drives the salary problem. So a lot of, sometimes when you get down to it, you kind of say, well, you need to have the conversation, have the battle with HR to try and get the right salary benchmarks done so that you can actually compete in the market. You know, you're never going to be able to compete with, you know, sort of top vendors that can pay top dollar for top talent, but you need to at least be competitive within the industry you're recruiting in and not just give me a business analyst salary scale when you're looking for a forensic incident response specialist, as an example.
 

[00:20:30] Marco Ciappelli: The purple squirrel or the sheep with five legs. Which one are you? I don't know, I'm thinking many others. But the point is, it's the same thing. I don't know, I'm thinking anytime but it doesn't come to my mind. But I see the point, which is I think that the reason for that is because you're kind of scrambling, I think. 
 

And you don't have an understanding of what's happening, maybe because it's still a young industry. So young that you're asking for more experience. 
 

And you're hoping for this mythological figure that is going to solve all your problems. So maybe it's a lack of strategy, lack of, you know, looking at what we really have. Let's, let's play this hand with the cards that we've been dealt.
 

[00:21:18] Paul McKay: Yeah. I think, I think a lot of it comes down to people perceiving that they're so stressed and busy they don't have the time to train or grow up anyone.
 

So they're kind of looking for a ready made candidate that exists in the market, who just happens to not mind taking a 50 percent salary cut. If you look into public sector hiring, in many cases that is not an un far from the truth figure.  
 

[00:21:42] Madelein Van Der Hout: Yeah, and also having a conversation, um, certification. So sometimes the goal is to have the certificate because then you're trusted to have the knowledge.

Um, so I'm also having sometimes conversations where people ask me, and it depends on countries, but people ask me, so I saw your LinkedIn that there is no certification. Are you certified? Etc. Etc. And then to me it should be about do you have the knowledge. And if there is not the, well, sort of the "you don't have a certificate" zero trust approach, how can we hire younger people into the industry? Because they, they, they just graduated, they want to learn, they want to have career path. They don't have those certifications yet.
 

Or it's not on LinkedIn and then it should also be fine, right?  
 

[00:22:33] Sean Martin: That's all become distributed and dispersed as well. Like, specialize this, or specialize that street.  
 

[00:22:39] Paul McKay: Yeah, and I don't think you want to, I think one of the challenges with that is that if you're saying people have to have certifications to get into the industry, you're essentially erecting barriers where only those who can afford to pay  
 

[00:22:50] Madelein Van Der Hout: Exactly. 
 

[00:22:50] Paul McKay: hundreds of pounds or send themselves on courses, sometimes costing thousands, can get into the industry. That's creating a bit of a class divide where people that don't have that resources when they come out of university can't actually enter the industry if you kind of erecting these firewalls in the way.
 

[00:23:06] Sean Martin: Yeah. So I was fortunate to be in the industry. I got my CISSP 20 something years ago and I did it for two reasons, one to learn is it was a very efficient way
 

[00:23:19] Madelein Van Der Hout: Yeah  
 

[00:23:19] Sean Martin: to get a nice strong base of Here are all the categories and things that I need to understand to be successful in my role. And then, I was a product manager building products, so I needed it. 
 

And then the second piece was to get credibility with, yeah, the customer that I was speaking with. I want to, I know we're kind of out of time, but I'm going to ask one more question here.  
 

[00:23:40] Marco Ciappelli: One more question from Sean.  
 

[00:23:42] Sean Martin: Yes, that's my, that's my trait. Um, in terms of the maturity of the business, we talked, you know, the industry, we're not quite there yet.
 

Where we need to be in terms of how we're separating ourselves from technology. So I'm going to swing to the far end of this. It's something I ask on my show quite a bit. Which is, we see other parts of the business. We can call it transformation. We can call it heavy investment to get the best outcome for a particular function. 
 

We see it in marketing, right? A ton of money invested in marketing platforms and technologies and processes and programs with measurement and, and MBOs and all kinds of stuff tied to all that. And the company can see it's driven by data. I guess that's my point that I'm trying to make. Data driven business outcomes, right? 
 

We make an investment. I'm not convinced that all this stuff in marketing is an accurate way to do it, but anyway. I believe that security has a ton of knowledge and a ton of data to really drive an innovative, tech driven business in a safe way. And I think we're being dragged along as opposed to using the knowledge and data we have to create a better business. 
 

So, uh, my question is, do you see an opportunity there? Do you see we'll ever arrive at a point where security is driving the business. I will, I
 

[00:25:19] Speaker 5: will, I will,  
 

[00:25:22] Paul McKay: I will venture a response here. So, so I, so I guess the, 
 

I agree with your point of view here that the data is there, the knowledge is there. But one of the, one of the ways in which I'll illustrate this is that one of the more progressive CISOs I worked with, who actually eventually evolved his role into becoming a CTO of a very large organization, told me one of the things he always did when he took on a new role was to go and spend a week with a salesman or just whatever, really understanding the business.
 

In enterprise architecture we would talk about the value chains. How do we drive revenue? What are the ways in which the business makes money and how do you secure those? That kind of business understanding, that industry knowledge, I think is, there's the opportunity to get that. There are promising technologies and methodologies and things like cyber risk quantification that I think are going to get us there on the journey, so I'm going to be optimistic and end on the note that I think we will get there. 
 

I think it will happen. We saw the same evolution from IT basement for the CIO function. And now I would say that the, you know, the majority of CIOs I work with are very progressive and really do understand that their role is to use technology to help drive the business and execute on its strategy. I think security, if we get the relationship right with technology and we understand the ways in which the business makes money and how we secure those, so people are doing things in the right way, and we're helping them to do their jobs, not getting in the way and providing roadblocks, I think we could get there. 
 

[00:27:02] Madelein Van Der Hout: I'm actually going to take it up a notch. I know we're at a business conference. I know. But is security really only a business problem? No, it's not. We're all consumers. We're all having a private life. We have a business life. On my phone, I have, uh, uh, my private data. I also have, uh, my teams from my work. 
 

So, that's the most valuable thing I have in terms of data. So. Taking it up a notch. It's not just a me and organization problem. It's also a civilian problem. So why not live with the understanding that we as a consumer, as a civilian, also have a responsibility but also have power so we can vote on parties that include digitization and security in their programs. 
 

And I think that's actually a way we should approach it. Hmm. We should also look at how to educate civilians and how to educate, uh, organizations. And we can vote and we can have power in that sense. So why not approach it a bit on a more meso level?  
 

[00:28:16] Marco Ciappelli: I agree. That's what I... It's very profound.
 

[00:28:20] Madelein Van Der Hout: If I can have my back to the future moment, or maybe progress again into Ford, Ferrari, and Rush, then, you know  
 

[00:28:29] Marco Ciappelli: My show is technology and society. 
 

So, you know, I think we have it wrong.  
 

[00:28:35] Madelein Van Der Hout: So, I'm preaching to the, to the choir.
 

[00:28:37] Marco Ciappelli: Yeah, to the choir. I think we all agree with this. You know, if you don't start with the base of education, you just don't have everything else. And I, my lesson from this conversation and what I
 

[00:28:50] Sean Martin: don't let me ask it last question. 
 

I'm not going to ask.  
 

[00:28:53] Marco Ciappelli: Yeah, well, that's for sure. Cause we keep going. But we, we talked more in this conversation about the human element, I love, than, uh, than the tech, or at least we agree that we need to drive with the human element. Either it's education, it's, uh, uh, mental health, it's burnout, it's using the resources that you have, the human resources that you have in a better way.
 

And as Sean, as you said, maybe we do have a lot of stuff and we don't need another blinking light tomorrow that is going to distract us from what we could do with what we have.  
 

[00:29:29] Madelein Van Der Hout: And you know what? One of our predictions for this year actually is that in 90 percent of all data breaches, there is a human element. 
 

So why not talk about the humans?  
 

[00:29:39] Sean Martin: And let's do it. If only I was human. I'm a purple squirrel. You're a five legged sheep. I'm a purple squirrel. 
 

[00:29:51] Marco Ciappelli: I think aliens, alien solution will be on the, on the, on the  
 

[00:29:58] Madelein Van Der Hout: If they have, if they have feelings, aliens still qualify for me as humans.  
 

[00:30:02] Paul McKay: We don't need an overlord to tell us. 
 

I, I, I can see a market there. Alien cyber XDR detection response as a service. Alien driver. Alien human.  
 

[00:30:12] Madelein Van Der Hout: Fight aliens with better aliens.  
 

[00:30:14] Sean Martin: Yeah, there you go. Material aliens. Marco, as the creative director, you have the, uh, the fun task of photoshopping our photo that we're going to take after this. Oh, God.
 

Turn us into a five legged sheep and a purple squirrel.  
 

[00:30:29] Marco Ciappelli: I'll ask ChatGPT. There you go. Perfect.
 

Alright, so, so great to have you guys. I know. This was a fun task.  
 

[00:30:36] Sean Martin: Thank you so much. Yeah, thank you so much for having us. We tried to drag Topé in. He was too shy or too busy. One of the two. Or both. Or he just didn't care about us.
 

I think we got it wrong. Anyway, we'll have another chat with him. I really enjoyed this.  
 

[00:30:51] Marco Ciappelli: I hope, uh, the audience enjoys that as well. If you have any comments, let us know. There'll be links to this coverage on the podcast that you're hearing and connect with any one of us or the guest. So stay tuned and, uh, we'll be back.
 

Perfect to the future.  
 

[00:31:09] Madelein Van Der Hout: Back to the future.  
 

[00:31:10] Marco Ciappelli: Back to the future. Uh-huh.
 

[00:31:12] Paul McKay: Jumping into the DeLorean  
 

[00:31:14] Sean Martin: always. Or into the Thames on a, on a standup paddleboard? No, that I'm not gonna do it. Alright, thanks everybody.