A
Welcome to Cyber Leaders with me, Kieran
B
Martin, and me, James Lyne. Now, we're both from SANS, who are kindly backing this podcast. I myself am a techie, a massive geek, and I've spent my life chasing cybercriminals around the Internet.
A
And are you a massive geek, James? I mean, we know you are, but we are starting this podcast recording late because you couldn't quite cope with the software update.
B
But never mind. Writing an exploit, easy. Selecting a microphone, difficult, as they say. I'm sure that's a saying.
A
So maybe the geek gap narrows a little bit today because I was fine. You can get me back next time. Anyway, I'm not so much of a techie. Although my software updates are fine and they're up to date. Patch, kids. I dealt with cybersecurity policy and operations in government and set up the National Cyber Security Centre. But together, James and I are now trying to unpack the weird, wacky, wired and wireless world of tech security and all the complicated things that it involves.
B
That's right, Kieran. This podcast is a voice for security leaders. We want CISOs, security directors and leaders, and frankly, everyone beyond, to build up their knowledge of what works and what doesn't, and ultimately to secure their organizations more comprehensively and quickly.
A
Anyway, James, maybe there was a location issue with the software update of yours, but anyway, are you back from France yet? Where are you?
B
I actually am still in France, though I am imminently to be over in the US. Why do you ask anyway? Just. Just being nosy.
A
I'm just hurt. Not your CEO. You've turned off sharing my location with me. Can't keep track of you anymore.
C
It's just horrible.
B
Listeners, for the avoidance of doubt, Kieran has just completely made that up. Except for the part where he has a great longing to understand where I am. That's probably true.
A
I did just completely make that up. And I don't have a great longing for where you are. Anyway, off you go to America.
B
So why do you want to know exactly?
A
Well, I was hoping you might say in London, because I was in London yesterday. But not today. I'm at home. I want to do a London gag to introduce our excellent guest.
B
Well, I can't help you there, but why don't you do your London gag Anyway, I'm in an indulgent mood today.
A
Yes, boss, I'm very excited because I've been working on this for ages. What do they say about London buses, James?
B
That you wait for ages and then two come along at once.
A
Exactly. Boom. And this season is turning out to be the London Buses of Cyber Leaders podcast because you wait ages to get a discussion with world class award winning CISOs and then two come along, not quite at once, but in the same series.
B
I see what you did there. Boom. Boom. Very nice, Kieran, very nice.
A
Boom boom. So earlier in the series we were blessed with the wonderful Florence Morte of Zalando and her tales of stopping her firm's clothes buying chatbot from telling her customers how to pick the right clothes to commit and then get away with serious crime.
B
Oh, that was absolutely brilliant. How could one forget that?
A
Well, that's not just the only reason. You can't forget that one. You can't forget that one because that's the one where we spent most of the time talking about your recent appointment as CEO of SANS. Did I mention that? For anyone not here yet, James has been appointed CEO of SANS.
B
It did feel a little bit self indulgent. Maybe that's why I'm feeling so indulgent today. It's a bit of reciprocity. But anyway, look, stop it. Let's focus. Tell us who the next bus, I mean world class CISO is.
A
Well, I'm very focused, James, so why don't you do it, prove that you're on it today after all this.
B
Fine. All right. Well, we really are getting some absolutely brilliant CISOs, cyber leaders, on the show this season and today is one of the best. We're thrilled to invite onto the show someone at the very top of the cyber defense profession and a 20 plus year veteran of the industry. He's a computer science graduate with a master's in consultancy management. The start of his career, and I'm going to love exploring this bit, I'll tell you now, was highly technical. Building firewalls, proxy servers, hardening UNIX servers, presumably eating pizza whilst typing commands with his elbows, as we all did in those days. And then he pivoted towards security and has run his own firm and helped hundreds of different partners with all sorts of different cybersecurity problems. He's currently partner and CISO for Deloitte North and South Europe and also serves as Global Deputy CISO with responsibility for cybersecurity strategy across the firm. If he wasn't busy enough for the first part. His expertise spans cyber security, cyber resilience, technology risk, operational resilience and operational risk, with a strong emphasis on CXO and board level relationships. I know we're going to ask about that. That's great practice for our listeners right there, and in 2021 he was named number one CISO in the CISO 30 CISO awards. Terrific speaker and is helpfully outspoken about the human dimension of cybersecurity, the issues of capacity and burnout and skills, other long standing challenges of this profession. He is of course the legendary Jitenda or Jit as he is sometimes known. Aur.
A
Welcome Jatinder.
C
Thank you for having me. I really appreciate it.
A
You're extremely welcome and it's good to
C
be here in such esteemed company. To be honest, that was a mouthful. That was really a mouthful. Who gave you all that introduction?
B
You don't want to know. The same people that disrupt my location sharing services for Kieran. I think Jitendra, that's the secret to it.
A
I think it's what we call the SANS small language model, otherwise known as me. But there we are. Now look, thank you so much for coming. It's a real pleasure and privilege to have you on. It's genuinely great to get so many good cyber leaders on. We want to hear about frontline experience and developments in the industry and so forth, and you're just ideally placed to do that. But we always start with your story into this business. So just interested. You have crossed continents to become a big figure in UK cyber security. I even read that English isn't your first language, which could have fooled me.
B
Me too.
A
You've been around as a large and important figure in the UK cyber scene for quite a while. But how did you get here? Tell us about your journey into cybersecurity and UK cybersecurity. How did you get started in what was then a relatively new profession? What drew you into this?
C
I always say before the role, I'm always interested to understand the person behind the role because the individual, the human is a lot more important. So just to give you my journey again, born and brought up in India and you're right, English was not my first language. It's actually still not my first language. Wow. I studied in a Hindi medium school, couldn't speak English until university.
A
Really?
C
So it has been a journey. Absolutely, it's been a journey.
A
You didn't speak at all? You didn't speak English?
C
No, I couldn't speak. I used to try to listen very carefully and lose what people are saying when I was having the conversation.
B
So yeah, I just realized something. Does that mean that you learn, you know, Linux and Unix command line? I was going to ask the same thing before English. So technically your cybersecurity skills predate your English skills?
C
Yeah, I mean I started working on Unix basically during the university days. At the same time I was picking up English because I think I could read. Writing was a bit difficult, but speaking was very, very hard. Very hard. It was I think one of the biggest challenges I had in terms of trying to learn and build my confidence to be able to speak English. So but again that's the computer science graduate. I think I found my love for technology. I was somehow good at it. Mathematics was always my gig. I was very good in maths. And then when I started my career, in fact my first job was not a techie.
A
Okay.
C
When I finished my engineering I couldn't get the job. That was the time the dot-com bubble burst. So I was actually selling shirts and trousers door to door with a big backpack, very skinny guy, on my back. And then in the morning there is an area which is given to you with some targets.
B
Wow.
C
And you go door to door.
A
Where were you doing this?
C
India. It was in India.
A
Wow.
C
And that was the time I built up some courage to ask my dad for a little bit more money to do a diploma in advanced computing, which was a very intense six months course where you learn coding, databases, Java, C, C, almost everything. So took my engineering to the next level and then after I did that six months, basically I got my first job in technology infrastructure services in a small company where they were training us on Sun Solaris with the hope that at that time you go to the US and guess what? After one year the company closed down. I was made,
B
lost the job. And that's quite the journey.
C
Quite a journey. Exactly. So after that finally found a job in one of the big Indian SI companies and then ended up building server farms, UNIX administration. And that's where at one point somebody said, hey, we are starting a new security practice, something called firewalls, something called Checkpoint. And they asked us, would somebody like to join here? Why not? I had no idea, by the way.
B
Wow.
C
But then learned building the Checkpoint firewalls on Sun Solaris, then on the Nokia devices and then Netscreen, Juniper, Cisco PIX, you know, proxy, DNS. You talk about all this. Yeah, it's been a beautiful journey. I always say I'm very privileged that maybe some guardian angels have shown me the path to be here.
B
Incredible. I have an alternative interpretation, which is frankly anyone who managed to suffer their way through the early days of Solaris frankly deserved some grace for the rest of their career. It was fun configuring those systems in the early days, wasn't it? Different threading models and the ZFS file system. And I will say though, Solaris DTrace was nice.
C
Oh, Sun machines were beautiful. Come on, Sun Microsystems machines. They were beautiful pieces of machinery.
B
They used to have those T2000s and they didn't get the Terminator reference like surely someone did that on purpose.
C
Yeah, but there was something beautiful about it. You know, you order the servers, you wait for them, they come in the boxes, you take them out of the boxes, put them into the cages, you know, screw them up, plug in all the cables, configure them from the ground up. I miss those days. Beautiful.
B
Those were elegant times. Although I did once have to install JS&S on Solaris and that. Well, anyway, Kieran, we should probably move on to something else, otherwise I might start weeping in anger.
C
I think we're getting geeky here.
A
So yes, I was enjoying the geek fight. But anyway, let me just ask. I'm just fascinated by the backstory. So one more quick thing on that, Jatinder. When you finally broke through in western companies and so forth, how many barriers were there for someone coming from another continent when you weren't completely confident in the language and so forth? You know, how much did you feel like an outsider in this profession and how long did it take you to settle in?
C
Oh my God. See, 2007 when we decided to come to the UK, it was me, my wife, two and a half year old son, one year old son, four suitcases, £3,200, our lifetime savings, to build a dream, to look for a job. One of my very good friends from college days. So we used to sleep in his living room on the air mattress and making sure that we get up and clean the room before they get up. And you don't realize money runs out very, very quickly. So you just basically try to find a job and then get to the first job as quickly as you can. And remember, that was the time with English I was still not very confident about it. So I got my first job in one of the large retail banks in the UK and that's when my journey began in 2007. It's been 19 years since then now. So basically I will go to the office, try not to make eye contact with anybody, go and sit at my desk in a corner. I will always look for a corner desk, right? And then open my machine, get the tickets, do my risk assessments, reviews, exceptions to policy, whatever, with the hope that, you know, I just do my job as quickly as I can and as best as I can.
A
Right.
C
And that's where my journey began.
A
And I'm just thinking about the chronology of that and the sector you're in. It's also the time when the global financial system starts collapsing.
C
So you really pictured I came here and it happened. Exactly, exactly.
B
So ideal.
C
I think this is something with me that, you know, I keep having some interesting challenges.
A
Well, hopefully this fate doesn't befall the SANS Cyber Leaders podcast if something goes wrong.
C
Kieran. I'm the reason.
B
Are you suggesting, Kieran, that Jit joins the podcast and then there's a global recession as a result? That's how important we are.
A
There's less systemic risk to the world if something happens to us.
B
Butterfly effect.
A
Exactly. Well, who knows? Well, it's just an extraordinary story, one of the most incredible stories we've had of people's journeys into the profession. As James was saying, learning Linux before you learned English and so forth and following that dream over to the UK. So I can see why, to get into the substance of some of the things we really want to talk to you about, I can see why you're so passionate about the human side of cyber security. So let's be a bit introspective, you know, let's be geeky in a different way, sort of cyber, professionally geeky. Now that, having crashed through all those barriers, you are very much a pivotal figure in the CISO world and in the cybersecurity community, you've lots of ideas and thoughts about the role of CISOs and some of the current issues around that. To you, what is a CISO and how is it changing?
C
Stay with us, we'll be right back.
B
Hi everyone, James Lyne here, the CEO of the SANS Institute. A quick thought for you. Cybercriminals have networks, dark web forums where they share what works, what doesn't, and where they're constantly sharpening their playbooks against us. So why shouldn't we do the same? That's exactly what the SANS Cyber Leaders Network is about. It's a place where CISOs and security leaders share what's actually working inside their organizations and what isn't, while getting access to world class experts sharing insights into the latest threats and trends. You'll find me in there surfing around, sharing what works. So come join us at go.sans.org/cln, that's Charlie Lima November. And if you're enjoying the show, one teeny tiny small favor: hit subscribe. That's genuinely all we'll ever ask of you. And in return we'll keep fighting to bring you the guests and conversations that you want to hear. Appreciate it all. Now let's get on with the show.
C
Oh, wow. That's a very interesting question. There's a jokey part of it I always tell some people when I mean, CISO stands for career is so over.
A
I've never heard that one before. That's very good.
C
Yeah. I think if I just follow my journey, right. It is a very technical area, you know, systems, technology. But just look at the landscape, how it has shifted from on prem data centers to cloud, and nobody knew. You know, you can work from home and you can completely have the whole organization running where you do not have any real estate. So I think things have changed and evolved quite a lot. While it was about protecting systems and people, organizations, I think the CISO role has transitioned into what I call Chief Trust Officer.
A
Right.
C
Because end of the day, this is the ethos with which I operate. Working in cybersecurity is not a job. It's not a role. It's a mission every day. Because what you're really doing is you are protecting, you are defending not just the organization, but colleagues who are working in the organization, families of those colleagues. Because any organization that goes through a big cyber event, it's a moment of distress that is felt everywhere. And that's why this role, I think, is very profound. I think of ourselves as a noble profession. Just like you have firefighters, you have police, you know, defense forces. So we are protecting not just the organization and the people, but we are really protecting the trust that is established in the organization and the society at large. Because I like to call ourselves included, both of you, community of defenders. We are essentially a community of defenders who are protecting, affecting our societies and nations at large.
A
I do like that because coming out of government and even in government, I remember noticing that a lot of private sector cyber people really had a sense of motivation that often public officials allowed themselves, they allowed themselves to feel they were doing something special. But I think cyber defenders do have that motivation. Firefighters are really good analogy. They feel like they're doing something that really helps people. Anyway, sorry to cut across you, James.
B
No, no, I couldn't agree more. You're preaching to the converted on, you know, those who have a respective mission in this area. I would underline the other thing you said as well, though, because there has been a lot of evolution very quickly. I mean, we all know cybercriminal tactics evolve and put pressure on us. Yes. You listed a few of many tectonic shifts in technology use cases and of course they're within cyber security, but we're also subject to all of the ones around us in business as well. A complete change in the operating model of how people work and how they use technology. And of course, we'll get back to AI shortly because there's another tectonic shift right there. But there's also been this evolution of expectation of security leaders. I mean, when you and I started, you were quite literally in the corner of the IT room, finding that corner desk, but that's kind of where security was too. And now it's sat in senior leadership teams connected to the board. And I just, I love that notion you described of the Chief Trust Officer that comes out of this with all these different pressures that have culminated into a really rapid change for cybersecurity professionals. What do you think is the biggest challenge for people adapting to all of those things together?
C
See, the thing is, I think technology has changed the way we live, the way we connect, the way we work, we provide services, consume services, everything. And it's evolving very rapidly. And whether people accept it or not, cyber is still a very, very young profession. We are still trying to figure out what this profession is supposed to do, where the boundary lines are. And maybe there are no boundary lines at all. And also when nobody knows the answer, cyber effectively becomes a de facto place where you go and get the answer. Means even if you look at AI, when it came along, I'm sure every CISO had the same conversation, which is about what do we do about AI. AI is a lot bigger than cyber. There's a confidentiality aspect to it, there are legal aspects to it, there are privacy aspects, ethics aspects to it. So there is a lot more to unpack in these areas. But eventually the CISO role or the cybersecurity function becomes a de facto place where, when you do not know the answer, that's the place you go and ask anything to do with the technology. Because somehow cyber is also being associated with the safety aspect. How can we safely use technology in the organization for whatever purpose they are using it for? So I think the biggest challenge for me is the boundary lines of the cyber function are still not that clear. They are blurred. And cyber means different things to different people. To an engineer, it means something different. To a developer, it means something different. To a normal practitioner it means something different, for a board member and the exec it means something different. And then you apply the industry context, with a very different context in healthcare, very different in aviation and very different in banking, financial services. I think it's still a new profession. Boundary lines are not clear, scope is not clear. And whether we accept it or not, it's a huge sense of accountability and responsibility that comes along with it.
B
There most certainly is. It's woven into the fabric of almost every other part of a business. And as you pointed out earlier, the human dimensions, people's lives, people's jobs, people's mortgages.
C
Yeah.
B
So there is great responsibility too. And it's a young profession. And then of course you said the lines haven't settled yet. Of course, all those technology trends and changes in business practices are forcing changes as well. So we're trying to kind of define it a little bit on the fly as it's moving around us. But I think that this point you make about being the catch all is really fascinating. And I think this builds into something I wanted to ask you about that I know you've been very positively outspoken on. You've been saying over a number of years around the kind of risk of burnout and strain in the profession. And there's an obvious tie between these massive technology trends, a lack of definition and being a catch all to everything across a business, and the pressure of accountability. So can you talk about these trends? Do you think things are getting better or worse? Where are we in those challenges?
C
First of all, I think there is a human side to it. I think there is. Cyber as a profession is very demanding. That's where the stress comes along. But as a society, as the way we live and work, I think the lines have been blurred, where the work stops and where your personal life begins. Everything is intertwined very nicely in a way. So people talk about stress in a very negative way because we are not really understanding the definition of stress. It's a very simple biological and chemical phenomenon which is designed as part of the human ecosystem for us to achieve things which would possibly be difficult. So I went skiing last year in February. Trust me, I thought working in cyber is hard. Gosh, when I put the ski boots on, walking was hard. Then when I went onto the ski slope, I was hanging on for my life. I thought, you know, cyber is so easy.
B
Easy.
C
You know, doing the skiing was harder.
B
You'd much rather configure Solaris than go skiing.
C
Yeah. I mean, so that was a very stressful environment. But when you harness the power of the stress and you understand the positive stress we talk about, you achieve something much, much bigger. Whether athletes, you know, people who are going to climb Everest, lots of other things that you think about. Basically, as long as you know how to harness the power of the stress, you can achieve great things. The problem is the lines have become blurred because we are not in tune with our mind and body. So we do not know the body's giving us signals, we're not taking care of them. And then when you try to combine that in the cyber space, I think there is. Cyber as a profession is such that it's always on. Systems are always on. Things go wrong at the wrong time. Christmas, holiday periods, evenings. Most cyber professionals will tell you that, you know, Friday is a curse. Sometimes things go wrong right on Friday, 4 o'clock, 5pm, or when you're going on the Christmas holiday. So it's very difficult for people to switch off, which creates this kind of a challenge of a burnout. Burnout is not one big event that happens. It happens because stress is kind of creeping into your life, into your work profession. Boundary lines are getting blurred and you're not paying attention to it. And then one event basically breaks the camel's back. There is a lot more to unpack than I think maybe we'll have time for, because I talk about this very extensively around how do we spot the signals of stress. I have a playbook that I have created for myself. And how do you prevent that burnout? Because I believe it's the concept of navigating the stress and avoiding the burnout which we need to practice. But again, as an industry, it is demanding.
I think the challenges are not going to be less so everybody needs to come up with the playbook and have the right supporting ecosystem around you so that when demands are excessive on us, we can fulfill our responsibilities effectively without having that burnout either for ourselves as leaders or also to our teams.
B
Yeah, it makes a lot of sense. A couple of thoughts for security leaders who are listening, building on what Jit described there. Having watched over the years many teams in many different organizations. So I'm going to generalize in a way that won't be true literally everywhere. But it's very often the case. You don't see a lot of security teams that operate at 80, 85% capacity. You see a lot that operate at 100 to 110. And I think it's tied up on average with this mission, catch all, accountability culture that we've described. People want to do a fantastic job of this. They know it matters. There's a pride to it. And there are some parts of cybersecurity where it is an unending deluge, where the job is never done. Stack on top of that now the challenges with AI, and there's a kind of new term flying around, AI fry, where people are getting more burned out from these challenges, not less. I think for security leaders, on average, you are likely to find your security team is more likely to overwork than under.
C
Yeah.
B
Which is an interesting variation to performance management frameworks for lots of other parts of an organization, on average. Make sure you are building in purposeful time to stop. You have them research, think, train, develop, have a cup of tea. It really is very easy to fry folks in those positions because they care so much. Anyway, I shall get off my soapbox. Kieran, take us somewhere else.
A
Let's talk a bit more about this. So when you were talking about that lovely folksy but inspiring story about how to think about skiing and all the difficulties reminded me that's the sort of thing Ted Lasso would come out with. Now, for those who don't know who Ted Lasso is, but many will, he is a fictional, sadly fictional American Solaris administrator. Anyway, he is American born. He is a coach of soccer, football, football in England for some random reason, even though he has no experience and he's in a hopeless position, but he seems to rescue his club, his job and his career essentially by being very nice and supportive of people. Is that a fair enough summary, Evan?
C
Yes, absolutely. Yeah.
A
Now, I know I'm stealing other people's content here, but I saw two years ago in a podcast with friends at CyberArk, the interviewer said that you've been described by your friends as a sort of cyber Ted Lasso. So I have two questions for you. One, is this true? And two, whether it is or it isn't, having talked about the stresses and strains, what would a more human-friendly cybersecurity industry look like? So Ted Lasso, yes or no?
C
Oh my God, are you the cyber Ted Lasso? I think a lot of people have said that. Excellent. I think it's maybe because of the kind of human aspect of life I talk about and the importance of the human first before anything else. I don't like to think about work-life balance or whatever. For me it's a life-work harmony concept. But yes, I think Ted Lasso is something which is very close to my heart as well. And I think it was a great compliment, by the way, when somebody gave it.
A
Yeah, yeah, it really is. It really is. Yes. He's impossible to dislike and very much somebody you want to support. And you can see why the team get behind him. The only difference is, I think unlike Ted Lasso, you do actually know something about the subject that you're working on.
B
Passive aggressive insult. Kieran.
C
I tell you what, it was very interesting, very recently when I went to one of the universities, I was talking to one student and she said to me, I do not know what it is, but there's some sense of calmness when I'm talking to you and we are having a conversation. Are you calm all the time? So she spotted something. I had no idea, I was meeting her for the first time. And I think I get this feedback quite a lot. There's a sense of calmness around this and I think it comes when you are in tune with your mind and the body. And I think that's what I talk about because a lot of us have lost that. So I want to give one tip which works really well for me because, you know, jobs are jobs. They are. And as a CISO, you're having budget conversations.
A
Yeah.
C
You are managing incidents. You know, there is never enough resources. You're always trying to do more with less. So I don't like to do back to back meetings. I have like a five minute breaker. So I will get up from my desk. I don't do emails. I will walk sometimes. Now the weather is nice, I may go to the garden. The context switching creates such a fatigue in your mind. So kind of just a little bit of a reset allows you. And especially not emails, not screen, but just looking out. And one thing I always do, it might sound very cliche, but at the end of the day I actually do not go out of my room. I will sit in silence for five minutes and I stay in tune. Listen to my body and the mind to say how I'm feeling. And I always say red, amber, green. Am I feeling red? Am I feeling amber, green? And if I get an answer, I'm feeling red, amber.
B
I'm more of a cyan color, I think.
C
Yeah. Then I talk to my wife about it and just about how I'm feeling. A similar practice she has if she's not feeling good about something. So we generally just have a conversation, that's really interesting, and what it does, it brings your mind back to a very calm state. And I think there's some simple, simple things that we can do. Similar example, if I'm on an incident call, even if somebody asks me a question, I actually focus on my breath for five breaths before I lean into the conversation. It's magical. Small, small things. Absolutely magical.
A
Fantastic. Thank you.
B
It is so true. Your incident example is a fantastic one, though, is, you know, we've described on this podcast in prior episodes the notion of being Zen in the middle of chaos or the kind of calm island in the middle of a storm. And it is what is required in these types of scenarios. And there you go, folks. There's a couple of specific practices for your mindful CISO routine. Assuming, you know, Jit will be launching an app available soon with a subscription service on how to.
C
No technology, please, but if somebody has to visualize. In fact, I have a presentation I give on stress and burnout. So one of the slides is this firefighter and you have a stack of paper above you, so it's almost like your work stack is huge, and then you have firefighting going on. And the next slide is about Zen, which is, you know, just the Zen person looking at the leak and everything else. And I think I can't control what's happening outside around me, but what I can control is what's happening in my mind. And I'd like to be that calm Zen inside, irrespective of what's happening outside.
B
I love it. And by the way, if you have a large pile of paperwork above you and there's firefighting going on, the solution is simple. Use the fire to burn the paper. Problem solved. But, hey, look, let's pivot to another area because there are so many things that we want to ask you about. You're a wonderful guest. Kieran. You mentioned before something prescient to this transition here. Stealing other people's content.
C
Kieran.
B
Yeah, a great segue into talking about AI. Of course.
A
I see what you did there en masse.
B
So, Jit, one of the things changing the work of the CISO: AI, right. I mean, there's the excitement, the hype, the hopes, the fears, the boardroom panic, the whole gamut.
C
Yeah.
B
We've had so many fascinating perspectives on the show so far, and we'd obviously love to hear yours. Is it a simple race between goodies and baddies in terms of the use of AI? You know, do you have more hope for defenders? Are you seeing more bad stuff? Are we winning? Assuming we're the goodies? Of course I think we are. Reminds me of that sketch.
A
I think for these purposes, we'll be the goodies. Otherwise it kind of wrecks the whole principle of the podcast. But anyway, yeah. Are we winning?
C
Hmm. I think we are, but it's an unfair game. In fact, I always use the analogy, you know, think about a boxing ring where the referee turns to you to say, hey, you have to follow these rules. Do not hit below the belt. All kinds of rules of the road are given to you, and the referee turns to the opponent saying, do whatever you want. So I think the interesting thing here is because, you know, we have to comply with regulations. Even if you think about the EU AI Act. Do attackers have to comply with the EU AI Act? No.
B
Be great if they would.
C
Yeah. So are we winning in the context? I believe that as a community of defenders, our intent is right. We are working through the problems, whether there's a vendor community, researchers, you know, the CISOs and the cyber team and everything else. And I'm a very optimistic person in life, very positive person in life. So I would like to think we are winning. Is this something where you, like, win and everything gets over? No, I think it's a constant mission. That's why I think it's a mission every day. And we will keep on innovating. The people, the adversaries, will keep on innovating. And I always like to give credit to the adversaries. I think the moment you start becoming complacent and think we are winning, maybe that complacency is going to come and hurt you. So I think we have to give the credit where the credit is. We are up against smart people, very organized people who know their stuff really well; they know technology really well. But I would like to think we are winning.
A
But I know you've talked about frustrations, about our inability sometimes as a community of defenders to fix some ancient and basic problems.
C
Which means that you read that.
A
Yes, and it also means I was very taken by it, very struck by it. It's something I think about because we are loading expectations on CISOs and all the cyber defenders, on having to cope with the innovations of AI, the innovations of talented adversaries and so forth. But the implication of what I read from you was that there are plenty of other harms being done because people haven't patched properly, because the adversaries don't have to be innovative. So how do you get to grips with all of this? And what hope is there for sorting out all this newfangled AI threat stuff if we can't fix the basics?
C
So my view is AI is going to amplify. If you are good in maintaining hygiene, if the organization has good data governance practice, if the organization has got their arms around technology, well, they are going to leapfrog everybody, and then AI is going to amplify the dividend that will come along with it. But if there are issues in the technology estate, in the technology, AI is simply going to amplify the problems. I was giving the analogy. I love analogies for some reason. I was giving the analogy, you know, if, let's say before AI, if you have a big house, you know, where you have different doors and different windows and everything else, then the attackers have to go to every window and every door to knock and find which one is open or which one is vulnerable.
A
Yeah.
C
Now they can do that at scale. So your window of exposure through which you can find is actually reducing, is shrinking big time. So AI is going to amplify either good practices or bad practices. And BAU hygiene and all these things I talk about, you know, it's a very interesting thing. I don't think people are ignoring these things, but it's just that there's a small amount of team that has to do a lot. They're trying to get through the day's work, keeping the lights on, patching the machines and, you know, applying the patches and doing the upgrades. Developers are trying to rush the code and everything else; busy people trying to do their thing. But in my honest view, cyber and all the technology organizations need obsession with the BAU hygiene. I just want to emphasize we need to be obsessed with it, because if we are really good at doing that. An example: if a developer takes pride in not writing the code, it's not about how many CPU cycles, what's the memory footprint of the code, that you take pride in. But basically, even though it may take some more CPU cycles, a bit more memory footprint, the code is safe and secure before I push it into production. If I take pride in that, I think it will go a long way in defending and winning. Similarly, if somebody's just an application owner who's asking for the investment for creating new user features which users will love, a new user experience, you also ask for making your application secure as part of that investment cycle, and you put the same passion behind it like you put for user experience. I think if we get to that point where people start caring about it, I think it will go a long way.
B
I think that makes a lot of sense, and there is a lot of opportunity to solve many of these issues earlier if we can be obsessed over, you know, those security problems as a matter of quality. Shipping a car without brakes is an oft-used analogy. It's not as good as your analogies, though. Jit, you are very good at analogies, I have to say.
A
Very good indeed.
B
I know we're burning through time here, because of course we are, because we could pick any one of these topics and talk to you about it for two hours. A nightmare for our editor.
C
Maybe we can do it in San Francisco when we are together over a coffee.
B
We will. And we'll have to have you back again for part two. But there is one issue I do really want to ask you about, because it's so important to cyber leaders. You know, we have lots of listeners who are here for the geekiness and the fun and to listen to fascinating guests, but they have to go back, you know, to their desks and try to lead their organizations forward. And it's about communicating with, you know, the board level decision takers in organizations that aren't all about cyber and aren't all that clued up necessarily about it. Now we touched on this many times on the show before, but probably not as much as we should given its importance. So it's, I suppose it's a bit like one of, you know, Kieran's London buses, but it's got stuck in traffic, which is frankly very London indeed, actually. But you're here now and you've advised loads of different companies and individuals. You know, you're a senior figure in a massive company in Deloitte. You do board level strategic engagement all over the world at mind boggling scale. So give us some do's and don'ts for CISOs communicating with the board. Things that cyber leaders listening can take away and apply to make their lives a little bit easier and their businesses a bit more secure.
C
Oh wow.
B
Big question. I know, sorry.
C
Yeah, big question. Very big question. Again, we can have one podcast just on this topic, to be honest, but there's a lot been talked about and I am a big believer in simplicity rather than complicating these materials, complicating these things. And one thing I learned a long time ago, when I was in a role in one of the financial services, I used to see board papers which are loads and loads of pages with loads and loads of data. I completely get it for regulatory reasons, traceability and everything else. We do need to have some of those papers. But what needs to happen in the boardroom is the quality of the conversation. So one technique I have used quite well, it took a little bit of courage to kind of start with. When I inherited one organization, I was given a pack, said this is the pack that we discuss with the leadership every month. I looked at the pack and I thought, oh my God, I don't think that makes sense and it takes a lot of time. So I asked my team how much time it takes to produce that pack. And then they gave me an idea, and then I applied kind of how much typically it costs. I put a sticky note on that deck, and when I next went to the leadership team meeting I said, what is this? What is this number? A sticky note. I said, this is how much it is costing you. And it was a very interesting penny drop moment in that meeting, a very powerful device. The leaders basically said, oh, so nobody told me. I said, my predecessors, obviously I have inherited it, but I don't think it has the level of information we should be using and discussing. Do you guys read it and everything else? He said, no, in the beginning we started reading it, but we don't really pay attention to this. So why are my precious resources pulling together that deck every month, month after month, without getting challenged, or what's the value that's coming? So at the end of the day it comes back to the value conversation.
And we changed the game after that, really. Folks sat down to talk about what we really care about. Have the conversation with the exec members. What is it that you want to know, and what is it that you should know, and what is it that we must know because of the regulatory standpoint? So having very clear conversations and agreeing to that; it took a while to get to that point. And then I went the next step forward, and as I obviously became more senior and more mature and built more confidence, in one of the board meetings I said, do you want me to talk to the slides I have prepared, or would you rather listen to your CISO? So I like to think about good, bad, ugly. Let me tell you what is good. Let me tell you where we are bad. Let me tell you where we are ugly. So now whenever I send the papers to the board, I always put a very clear instruction that I'm going to assume the papers are being read. But that's where the responsibility comes. Giving them in advance and then focusing on the conversation. Sitting across the boardroom, looking them in the eye and basically letting them ask any questions and answering them, rather than going through the deck. Because these KPIs, KRIs, they serve a purpose. But what it really requires, what an engaged board requires, is to have good conversations, and engagement happens when you start linking cyber to where the organization is trying to go with the business strategy. So a lot of hard yards happen behind the scenes, and also building your one to one relationship with the board members. So those 15 minutes in the boardroom are not going to give you everything, but those 15 to 20 minutes outside the boardroom with key members of the board are so essential to understand their priorities, understand where they're coming from, and then making sure you're able to address that, and also get to know the person and for them to get to know the CISO.
B
Yeah. Speak their language, know their priorities. Sorry, Kieran, you've got something much better to say. Go on. After you.
A
Well, I was just going to say, if you had a few minutes with a board member, or if there was a board member listening here, what would you say to them about how to use the CISO's time most effectively?
C
I would say give your time, spend time, because at the end of the day, this conversation is all about cyber. A lot of people think cyber is too technical and everything else. It is, but it doesn't mean we have to be scared of this. It's about spending time to understand, because every organization has gone through a journey, and they are on the journey already, and that requires investment of time. So for me, my plea to every board member is spend time with your CISO, help them explain to you the journey they have been on, the challenges, and ask the question, how can I support you in this mission?
B
I love that package of advice, shall we say, to both parties. And it's only going to matter more in the coming years. I mean, we spent a lot of time in this industry fighting from, you know, Jit's corner desk all the way to the boardroom. But with all the more technology that we're rolling out and how businesses are changing and AI and everything else going on around us, the role and the importance of these relationships and the ability to articulate cyber risk and resilience as a part of business strategies is just going to be absolutely crucial. So I suppose, you know, knowing we're thrashing against time here, but wanting to finish big in utility to cyber leaders. You know, you've thought about cyber leadership issues a lot more than most. It's apparent in your wonderful analogies. So I thought it'd be nice and perhaps uplifting at the end here to invite you to paint a picture of what it might look like as a profession in, say, five or 10 years' time. This could backfire horribly if you say that 99% of people are unemployed and the world has ended due to terminators. But what would be a better cyber security profession? What would this look like in five to 10 years if we're successful, Jit?
C
The most important thing will be where cyber as a profession is not just seen as the responsibility of the people who have got cyber in their role title, where people care. So the developer cares, an application owner cares, they understand their ownership. I have written a lot of pieces around ownership culture. I have a big reaction to the shared responsibility model, because the person on the left thinks the person on the right is doing it. The person on the right thinks the person on the left is doing it, so nobody does anything. It's about owning the outcome. And I personally think cyber will mean something very different, and society would feel very different, if people understand that ownership. A developer understands what that means, an application owner understands what that means, a CISO understands what that means, a cyber incident responder understands what that means. And everybody is playing their part of ownership and they're doing it really well. And I think if we can get to that point, we will not just be winning, we'll be thriving. We will be in a space which I call the state of nirvana. I think we can get there, but the main point is, you know, get the people to care about this topic.
B
Well, look, we've covered so much here, Jitender, a wonderful package of advice for security leaders. Lots of things they can apply. And I shall be using the five breaths tactic in several of my meetings today, I suspect. But we do have to bring things to a close, don't we?
A
But not before, surely, this one, given there's been so much sage advice on everything from technical issues to how you stay calm in difficult situations, whatever they are. So surely, James, you're not going to omit your favorite part of the show.
B
No. It is undeniably 30 second takeaway time, isn't it? And I have a funny feeling if we set a timer that Jitender is going to land on 29.2 seconds with a three analogies per minute density of some sort. I know he likes metrics too. Jitender, look, this podcast is about lessons for cybersecurity leaders. So you've done a lot of this already. But to finish the show off here, if you had just 30 seconds with a cyber security leader, what would you advise them? Something to pay more attention to, less, something to do every day. It could be anything. What would you tell them to do?
C
Yeah, what I say is this: cybersecurity is not about protecting systems. I think it's about protecting trust. The trust is built by the people. I always say trust is an emotion. And so if we want stronger organizations, if we want a stronger society, if we want the stronger nation that we are living in, breathing in, then it's all about understanding that it's a people problem. We have to get people behind it. We have to get different roles behind it, because technology will keep on evolving. I mean, it started from laptops, desktops, then we got to the point where smartphones came in, now we are talking about AI. So the evolution will keep on happening. But what we really need to understand is that cyber security is a mission every day. It's not a job, it's not a role. And it's about protecting the trust, protecting the people, protecting families, protecting the nations at large. And if we show up as leaders that understand the impact behind it and understand the relevance of this role and treat it like a mission, I think we will get to the point. And again, coming back to the obsession with the BAU hygiene, if I have to ask any cyber defender, anybody who's there: be absolutely obsessed with the BAU hygiene, be absolutely obsessed with embedding the ownership culture. Because if we get to that point, I think we will make our organizations and our society a lot safer and better.
A
The mission of protecting everyday trust every day. Absolutely lovely. Thank you so much, Jitender. And thank you so much for coming on the show. It's been wonderful having you.
C
No, thanks for having me. Really appreciate it. Thank you.
A
And that is it for this episode of the Cyber Leaders podcast. You can leave us feedback at the podcast site. You can even leave us a rating, preferably a nice one. You can email us nicely or nasty@cyberleaderspodcastans.org tell us whatever you like.
B
And with that, thank you very much everyone for listening.
A
Yes, thank you for listening. Keep cybering from me, Kieran Martin and
B
me, James Line and me, Jit. It's goodbye and friends don't let friends configure Solaris servers without taking five breaths first.
A
Still goodbye,
C
Sam.
Date: May 15, 2026
Host(s): Kieran Martin & James Line
Guest: Jitender Arora (Partner & CISO, Deloitte North and South Europe; Global Deputy CISO, Deloitte)
This episode dives into the evolving role of the Chief Information Security Officer (CISO), highlighting how the CISO is becoming the "Chief Trust Officer" in today's organizations. Through the story and insights of Jitender Arora—a cybersecurity leader with a remarkable journey from India to the top tiers of the profession in the UK—the conversation covers leadership, the human aspect of cybersecurity, burnout, AI disruption, board communications, and the future of the profession.
“I will always look for a corner desk, right? …just do my job as quickly as I can and as best as I can.” — Jitender Arora (10:18)
"CISO role has transitioned into what I call Chief Trust Officer ... you're defending not just the organization, but colleagues ... the trust that is established in the organization and the society at large." — Jitender Arora (13:57)
"The context switching creates such a fatigue in your mind. So ... a little bit of a reset allows you ..." — Jitender Arora (25:03)
“Burnout is not one big event that happens. It happens because stress ... is creeping into your life ... and you’re not paying attention to it.” — Jitender Arora (20:26)
“There’s a sense of calmness ... it comes when you are in tune with your mind and body.” — Jitender Arora (25:25)
"AI is going to amplify either good practices or bad practices." — Jitender Arora (30:09)
"If developer takes pride ... that the code is safe and secure before I push it into production ... it will go a long way in defending and winning." — Jitender Arora (31:32)
"What needs to happen in the boardroom is the quality of the conversation." — Jitender Arora (33:50)
"Cybersecurity is not about protecting systems—I think it's about protecting trust ... it's a people problem ... be absolutely obsessed with the BAU hygiene ... embedding the ownership culture." — Jitender Arora (40:50)
“CISO stands for ‘Career Is So Over’.” (13:16)
“The lines have become blurred because we are not in tune with our mind and body ... you’re not paying attention ... one event breaks the camel’s back.” (20:26)
“It’s an unfair game ... referee turns to the opponent saying, do whatever you want.” (28:11)
“At the end of the day, I will sit in silence for five minutes and check: am I feeling red, amber, or green?” (25:44)
This episode blends practical leadership insight, personal narrative, and strategic vision for the profession. Jitender Arora’s story exemplifies resilience, while his call for leadership grounded in care, calm, and trust pivots the CISO role toward societal impact. The repeated theme: true cybersecurity is a daily mission, one best accomplished when everyone—developer to board member—takes personal ownership to build and defend trust.
Listen for calm, actionable advice, stories of adversity, and a refreshing, human approach to cyber leadership.