A
Welcome to Cyber at the Top, a podcast from RSAC that unpacks real experiences, lessons learned and practical strategies from CISOs at some of the world's leading organizations.
B
Cyber resilience has become one of the most critical priorities for security leaders, shaping how organizations prepare for and recover from disruption. But what exactly does resilience mean and how can you put it into practice? Today, I'm delighted to be joined by Emma Smith, CISO at Vodafone, who has led a major security transformation, strengthened resilience across global operations and navigated moments of intense pressure in the telecom industry. We'll explore what cyber resilience looks like in practice and how to build it. And also how do you create an organization that can withstand disruption and recover with confidence? So let's get started. Emma, thanks so much for being here. Great to have you.
A
Thank you so much for having me. I'm delighted to be here.
B
Emma, I was wondering, can you just start off by giving us a quick overview of your role?
A
So, as you mentioned, I'm the group CISO at Vodafone. I thought I'd maybe talk a bit about Vodafone first. So we're a European and African telecommunications company and we believe heavily in being able to connect our customers all over the world to help them live and enable their lives. Just to give a sense of scale, we operate in 15 different countries across Africa and Europe and we've got investments in about 40 more. So a large global footprint, about 360 million customers using our mobile network and our fixed networks. We've got undersea cables, satellites and a very large fintech business in Africa. So a super exciting and challenging footprint to protect. And one of the reasons I love working at Vodafone is we are really focused on a sort of broader company purpose about using technology to enable people's lives and businesses, build sustainable societies, and really we think that trust and inclusivity underpins that, which is a great platform to then go and build security across an organization. I've been here for 10 years and before that I was the Chief Security Officer in a UK bank and I was there for 13 years. So cyber through and through. My role's a bit broader at Vodafone, so I also have IT architecture, which means I own part of the solution to some of the security challenges. I've also got a data analytics team and I look after kind of the pan-technology strategy and governance, so everything that spans IT and network risk management and strategy.
B
Wow, amazing. And that's a huge estate. So much of the world relies on Vodafone for critical communications and infrastructure, and you've led a significant security transformation there. How has that shaped your personal definition of cyber resilience? Especially because you're spread over so many geographies.
A
I'll talk about personal resilience first because I think working in cybersecurity you've got to have a certain high threshold and high resilience and build that up. And I think my roles have kind of shaped me. I think I started my CISO journey the month before the financial crisis hit the bank that I worked for and we had a number of really public-facing incidents. So I was kind of thrown really into the deep end and that tested me. I grew so much when I was in that period of stretch and change and trying to lead a team through a period of uncertainty as well as respond to some cyber attacks. So I think I learned about the importance of people, collaboration, understanding each other, valuing differences and having a really clear mission. And I think that that's important in what we do because it keeps you focused even on a bad day, a tough day. And then the definition of cyber resilience, we've been talking a lot about this in Vodafone. We've built a really strong, solid security baseline. But we think resilience is the destination or the journey that we're on. I like NIST's definition that talks about anticipating, withstanding, recovering from and adapting, because we know that adverse conditions and threats will keep getting worse and keep challenging us. And so I really like that definition. We've used that to think how do we then deploy security and cyber controls across the organization to make us adaptable and withstand those impacts. So we think about that and then maybe we explore it a bit later. But we've also been looking at how do we measure resilience and what is the difference between security and resilience and how do we take that next journey. And we're thinking about reducing the scale of impact of attacks, kind of reducing the blast radius and reducing the impact.
We're then thinking about how do we measure improving speed of recovery over time, and that's an important factor in resilience, and then minimizing the impact of attacks, particularly on customer services and anything that affects our customer base, and then no repeat incidents. So one of the things is we're super humble here at Vodafone, we kind of assume we're never finished, never complacent about the risk that we face, always learning and improving. And I think one of the key parts of resilience is that ability to learn and adjust and adapt.
B
Oh my gosh. I just think about the word resilience in the context of such a giant telecommunications company in this industry where services are critical and everything's 24/7. What's at stake if an organization isn't resilient?
A
Yeah, I mean, telecoms are critical national infrastructure, I think, in most countries now. And I think that's because we're providing connectivity to consumers and businesses and governments. And if you think about some of the services that we all depend upon that the communications companies operate. So, for example, being able to phone emergency services when you need them most, being able to contact loved ones when you need to most. And it's those moments that matter that are really important. That's why resilience is so important across the network. And we connect all parts of society. So everything from governments through to small businesses, large businesses, and then people like you and I interacting with our families every day. So we really do take that role as critical national infrastructure really seriously. And it can have a massive societal impact. I mean, I take a sort of parallel example. We saw power outages in Spain and Portugal and that had a massive impact on everything from the road system, homes, businesses, livelihoods, being able to take payments. And telecoms is a bit like that. So if we have a large, significant issue, it can really affect multiple different sectors and economies in the countries in which we operate. So really impactful. And then we're very heavily regulated for all the right reasons. We're a heavily regulated sector. And so that can have implications when things go wrong as well. And unavailability of services is something that regulators monitor. And then most of all, I kind of think about trust. So I think any resilience impact or something that impacts customers and is significant can really undermine trust. And we know it's really hard to gain trust and then also keep it. So we think it kind of underpins the digital economy.
B
But you're so right. I mean, I have five kids and I just assume always that the telecommunications infrastructure is going to be up and available. If they need me, they can call me. It's almost just an assumption and a reliance. And I wanted to ask you about controls in general. Many organizations know the kinds of controls that they should have in place, but they often struggle to make them stick. There's a project, you get something installed, you get it rolled out. Why do you think that there's such a challenge around making controls and their efficacy stick in the business?
A
And often people talk about security basics, don't they? And I think it's anything but basic to get controls in a way that they are automated, sustained, you know, they really stick. So it's not basic. It's really hard, I think, to get the hygiene and the good security baseline in place. And I guess why is that then? I think knowing what the controls are is the first step in the journey, and being able to prioritize those. So knowing how controls reduce risk I think is vital so that you can prioritise efforts on the things that have the biggest impact, and then making sure that they are configured correctly to do their job. I mean, how many times do you read about something where there was a control in place, but maybe it was misconfigured, it wasn't in line? So making sure that you're kind of tuning and operating all of the platforms that you run as security controls. And then it's really challenging to make sure every little corner of the organization and the technology that we need to protect is covered with these controls. So getting coverage across all little parts of a very large organization is super challenging. And so when we're measuring control deployment and control effectiveness, we're thinking about does the control actually mitigate the risk? So is it adequate? And then we're looking at, does it go everywhere? Have we covered everywhere? Have we missed anything? And it's always those things that you miss that kind of turn up and you're like, why did we not know that was there? So I think getting that in place is challenging. And then obviously vulnerabilities. New technologies, new vulnerabilities all of the time; it's a moving landscape. And so not only do you have to deploy, you know, operate, say, vulnerability management or patching, it's a regular, continuous sport that we have to play all of the time.
So I think there's often a perception, I think from people working outside the security discipline, that you kind of deploy a security tool and then you're done. But actually, as we know, it's like this continuous operations and engineering of the platform and then continuous response to what you're finding and always sort of pushing the dial. And then people, right, people are really important. And having a team of people that are curious and sort of happy to push the boundaries really helps when rolling out controls.
B
Let me ask you this. When you look back on your transformation journey, what actions that you've taken do you think have had the single biggest impact?
A
I want to give you a multi-part answer. I think I'm not sure if there's one single thing that I would pick. I talked about people just now. I think everything we do in cyber security is built on people. Most of our adversaries are human and they are humans operating even technical attacks. So I think building the right operating model for your organization and having the right people is vital, because without that and the right culture across the organization. So when I joined Vodafone, we're quite locally empowered. We really respect the cultures in which countries that we operate. We give local accountability, but cyber's a little bit different. So in cyber security, we've decided that the right model for us is to have a vertical across the whole globe where we operate the same operating model, consolidated tooling, global visibility, global response, and made that decision about seven years ago. And for us, that was the right operating model. It may not be the same in every organization, but being really clear on that has helped us a lot. We then got a common blueprint in every country that we operate in. And that means we're quite a harmonized security team, but still in touch with what's happening locally with regulators, customers, threats. So that for us has worked really well. And we've gone about making everybody sort of really in tune with the mission so that people are part of the big picture. And then I think there's a piece about delivery and strategy. You asked me about contracting controls a moment ago, but I think we've got to be known for being able to deliver and operate cyber control, so actually having an impact. And often, I think when you're with the board or senior stakeholders, they'll be constantly assessing the credibility of the security team and the security leaders. And so being able to show that we know our stuff and we do what we say we're going to do. We're really transparent about the problems and we ask for help when we need help.
I think that senior engagement and showing that we can deliver on the things we say we're going to do, we did in Vodafone. We set a set of technology priorities each year for the whole company, and they're based on the strategy. We take input and we syndicate them and we review them together. And then each year, in the summer, six months before the budget process, we issue the next year's set of priorities with three-year targets. And that harmonizes the company around a consistent set of priorities. Now I own that process as well as owning cybersecurity, which really helps in setting targets for every country. And then we track those all the way to the CEO, and that's had a really, really good effect. And I also attend the budget meetings of all the large parts of the company, all the large operating companies, to look at how capital is being invested and is it being allocated to the big priorities. And then I'd say the other thing we've worked really hard on is transparency. So all the way up to the board, external stakeholders, we issue a cyber fact sheet externally every year. So sort of building credibility and trust through transparency and consistency of reporting, I think, is important. And sort of being transparent about cyber risk, the actions that you're taking and the things that are and are not going well. And then we've been quite hands-on with our board, so we had them to the Cyber Defence Centre to come and visit and sort of meet the real teams, get the teams to take them through how they work, kind of making it real. And then in each of our countries we run a cyber simulation with the exec team at least once every two years. And my team will go in remotely, or we'll fly in, and we'll put them through their paces in a simulation. And there's usually not a good outcome to the simulation. So it makes them kind of feel cyber risk. You know, they're immersed in a real experience and having to make difficult decisions.
So that helps to bring it to life, I think, and make what can be quite intangible, tangible.
B
So much of what you said just sounds like building relationships, building trust. You mentioned transparency. You mentioned consistency. It's how internal stakeholders may trust you, it's how you may trust other people, internal stakeholders, how external stakeholders may trust you and trust the business. How do you build and maintain trust? You talked about transparency, you talked about consistency. What's the secret?
A
I mean, I think, can you imagine how hard the job would be without the trust of senior stakeholders? It's hard enough already. So I think being seen as the team that will take accountability is part of that. So I think cyber is a shared responsibility for sure. It's not just the cyber team who own the risk, but also being seen to take accountability and not just admire the problem, I think, starts to build, you know, reliability, and so people can see that we're taking ownership of what the risks are and what to do about them. And then we ask for help when we need help and we ask for money when we need money and all of those things. And then tailoring what we're talking about to the audience, because there's no point in going into an audience that's very focused on commercial targets and talking about something super, super technical on cyber. So kind of adjusting the way we present and talk about cyber, and then also framing ourselves as a business enabler. I think we all want to enable growth and customer service for our company. Doing that in practice is really challenging, and not being the bottleneck for growth and new tech and delivery. So I think that's a topic that challenges us all the time. But when you show that you're taking it seriously and you're aligned to the business goals, it goes a long way to sort of forming that bridge between helping each other with each other's objectives. And then I'd say being really prepared for discussions. I remember listening to a CEO talking a while ago, a presentation I went to, about him going into the board and how he used to be quite defensive and not like the hard questions from the board. And he said the very day that he decided to go and embrace those questions and enjoy those questions and want the difficult conversation, it led to a completely different level of trust with his board. And it made me think, you know, am I sometimes too defensive when I'm going into the board?
And actually if I embrace the questions and really lean into the discussion, it creates a completely different two way relationship and I'm actually hearing different perspectives that do make you think differently. So that was, I thought was a great piece of advice from that CEO about those difficult conversations are there for a reason, like embrace them, lean into them.
B
That is such a great idea. And a tip, you know, most people go into this mode, like you said, of being defensive and look, I told you we were going to do this, we did this, and here's what that means. But it is those questions that help shape you, help shape your organization, but help the person on the other side say, yeah, this is a partner of mine, I love that. And you've talked so much about the team, like the importance of the team, trust of the team, reliance on a team, especially with an organization of this size. What capabilities or qualities do you believe are most important for a resilient security team?
A
When we created the single operating model about seven years ago, I also worked with an external partner to put together a Cyber Leadership Academy. Because it's really obvious to me that cyber is a lot about leadership and a lot about tech and you've got to have both. And so we did a leadership academy together. And that involved everything from doing psychometric assessments, talking about the different skills that we needed, building development plans, and we've carried that on. So we kind of learned together. As a set of leaders across my organization, we have actually about 80 people now that are part of that leadership academy. And the idea was that in each country, my cyber teams have got to be able to engage from the top to the bottom of the company and sort of drive change and have an impact. So it was predominantly about that and about people developing their own personal leadership style, but one that did have an impact. So I think that's one thing. I think I'd also say it comes down to sort of the tenacity and restlessness. I talk a lot about being sort of restless and being tenacious, but I think that that sort of we're never finished, always just wanting a bit more and pushing harder to keep raising the bar on how we do things. And then humility, learning, admitting mistakes, saying sorry, asking for help, being adaptable. They are very important and we won't get all the calls right. Sometimes we've got to make difficult decisions in the heat of the moment and they won't always go right. But knowing that and being willing to sort of hear it. And then one of the values that my team all resonate with is integrity. Typically you find that security teams have got really high integrity, and as long as that's balanced with some pragmatism, but doing the right thing, even when no one's looking.
B
And I'm just thinking about the massive scale and structure of the estate that you're protecting. How do you structure and govern cybersecurity to support resilience without slowing down the business? Because you mentioned this earlier, right? There's a perception that security's coming in. We may stall things, we may stop things. How do you do that? How do you alleviate that perception and make folks partners in it and wanting to do it?
A
I'm not convinced, Hugh, that I've managed to succeed in that yet. I think we try.
B
A very honest response to the tough question.
A
Yeah, yeah, exactly. And so we try really hard. I mean, with a number of AI use cases that we're all trying to work through and get a good, responsible AI outcome on, it's challenging. It's challenging to sort of scale up, I think, especially on demand for things like AI, or really get scale across the kind of DevOps pipelines that we have. So we've done a few things. We try and build patterns whenever we can so that we can reuse patterns and actually put those in the hands of the developers and engineers, so that we're kind of empowering them to do security rather than having to come to us. I still think we've got a happy problem where we have huge demand for Security by Design resource in Vodafone, which is a good, happy problem. It means that people are coming to us to review what they're working on. But scaling to that has been super difficult, especially in different legislative environments as well, and making sure that across Europe and Africa we're doing the right things by all the different legislation. We've done a lot of work to try and prioritize different use cases or projects based on the business impact. Is it customer-facing? Does it have customer data? What would happen if? So that helps us to get the balance of where we put the effort, and then we're just looking at how we automate some of the workflows that we have, particularly in our Security by Design pipeline and AI. I look after the responsible AI team as well, so how do we try and automate that so that as much as possible of the workflow can be in the hands of the developers and the process is less manual? So that's the journey we're on. Do I think we're there yet? For sure not, no. There's more to do, but I think showing a real, open respect for the other people's objectives. So we're not really siloed and only thinking about security. I know that the company objectives are my objectives and I need to work really hard to try and help others be successful.
B
I want to ask you about one of the things I think has plagued cybersecurity in general for a really long time, which is metrics in cyber. We've never really had fantastic metrics. Really hard to kind of communicate in the right way around measuring cyber and how much risk have we covered and communicating that to all kinds of different levels in the business. But now you're also talking about resilience and measuring that. How is measuring resilience similar or different from the challenge of measuring cyber?
A
I mean, at the moment we're taking maybe too similar an approach. We tend to, as I talked about earlier, we're quite control-centric when we're thinking about measurement. So typically what we do is something called key risk indicators. And so these are typically where we're measuring how well rolled out and how effective a control is at mitigating risk. We do have some level of risk quantification that we do as well, but I'd say we focus more on measuring those controls. I was reading a really good World Economic Forum article on this topic, actually. I'd highly recommend a read of it. And it talks about kind of moving beyond static assessment into more security-focused benchmarking, more adaptive measures. It had a few different dimensions to it. I can't remember them all, but it was things like trying to measure everything from the leadership, people and culture, responsiveness, crisis management. So finding different measures to maybe the more traditional control measures. And we're really focusing on four things. At first, that scale of impact that I talked about. So is there a way I can demonstrate that through our actions over time we're reducing the impact of events, attacks, threats, and so particularly are we able to protect certain high-risk parts of the organization from attack by doing things differently, adjusting the controls, segmentation, that kind of thing. So we're looking at how do we reduce the scale of impact and whether different actions would have led to a different impact had we taken them earlier or differently. Speed of recovery. So not just time to respond but really looking at the speed of recovery and going beyond time to respond, because I think time to respond can drive the wrong behaviors. It can sort of stop that curiosity and the following of the thread. So time to really recover and learn from incidents, and then going deep on PIR, so post-incident reviews.
I think that really putting time into and prioritising doing PIR so that we're learning. And then we're going to try and measure any repeat incidents. So did we have the same thing happen in more than one place? And why didn't we learn or adapt our controls? And we think that's a good measure. And then looking at, we don't measure things that got blocked, because we think that's really difficult to accurately measure and a bit of a delusional type of measure. But we are trying to look at events that didn't have an impact. So where the controls did their job, we might have still seen something that got a certain way through the life cycle, but actually we managed to not have a business impact or a customer impact or data impact. So I think having a look at whether the controls are effective or not and being able to demonstrate that is one way.
B
And you know, I've seen several occasions now that resilience projects have started in a company, and there's a lot of energy and there's a lot of fervor at the beginning, and we're going to look at what we have in place now and we're going to have redundancy and we're going to test it and test on a regular basis. But then sometimes those projects just sort of fizzle. It's like, okay, well we're done with it now, or, you know, we've gotten to the end of it. How do you ensure that resilience stays a priority over the long term, beyond the initial transformation push?
A
I think that's a really good question because a lot of the enablers to resilience are invisible, aren't they? Like, you know, having a really good asset inventory and knowing where the critical services are or, you know, doing... They're all invisible if they're working. And so it is quite hard to keep people focused. I think your question about metrics is part of the key. We're a really data-driven organization and we love looking at dashboards and data. So having that data that's regularly refreshed and then tailored for the right audience. So that's one way. And we have the same measures in every country, and we're competitive. And so we sometimes have league tables that show how different countries are performing against each other, and that sometimes helps to drive momentum. And then we tend to tell stories of things that have happened inside the organisation or that we're learning from others. And we haven't touched a huge amount on kind of collaboration outside of the organization. But I think it's really important from a resilience perspective. And then using things like simulations, so whether it's capture the flag with teams or whether it's at a board level, doing simulations, that's important. And then we go through things like decision matrices to make sure we're really clear on who's got accountability for different decisions. And that just makes people, it focuses people's minds a bit more. And then process, we try and put cyber into all of the normal business processes. So whether it's the annual report process and signing off the accounts, we've got a section there and then that leads to our cyber fact sheet, or the budget process. Just really trying to make sure it's just a core part of everything that we're doing in the normal governance of the company.
B
So I'm going to put you on the spot and ask you one last question, which is if you had one piece of advice to give another CISO who wants to try and strengthen cyber resilience in their organization, what would it be? What would be, you're in the elevator with them, they ask you the question, what would you tell them?
A
I think it has to be about making an impact. So don't admire the problem for too long. See, we're really good at admiring the problem in security, I think. Understand the problem and start to take some action. Try things and if it doesn't work, adapt and change. But I think have an impact and be clear on risk. Risk, impact. And then I probably have to give you two. Because it's a long elevator.
B
Yeah.
A
Yeah.
B
It's a long. Imagine a very long elevator ride. Yeah.
A
And then I do think personal resilience. I talked very briefly before about collaboration. So have a network of friends and contacts inside and outside the organization, in your team. It's not an easy job. And so actually that humility and leaning on others and knowing when you're having a bad day, ask for help. The personal side of the job, I think, don't deprioritize that. It's really important to look after ourselves as well as our teams.
B
Emma, thank you so much for being here. This has been great because you've added so much human dimension to this problem too. It's terrific. And listeners, thank you so much for tuning in. Please keep the conversation going on our RSAC membership platform by visiting onersac.com/membership and be sure to check onersac.com for new content posted year round. Emma, thanks again. This is great. So great to see you.
Guest: Emma Smith (Group CISO, Vodafone)
Host: RSAC
Date: March 19, 2026
This episode of “Cyber at the Top” features Emma Smith, Group CISO at Vodafone, sharing practical insights on building and sustaining cyber resilience within a global telecommunications giant. The discussion explores the distinction between security and resilience, the challenges of embedding controls, the importance of culture and trust, and actionable leadership lessons.
[01:18–02:50]
Quote:
"We really focus on a broader company purpose about using technology to enable people's lives... trust and inclusivity underpins that, which is a great platform to then go and build security across an organization." — Emma Smith [01:54]
[02:50–05:25]
Quote:
"We've built a really strong solid security baseline. But we think resilience is the destination or the journey that we're on..." — Emma Smith [03:43]
[05:25–07:21]
Quote:
"We really do take that role as critical national infrastructure really seriously. It can have a massive societal impact... If we have a large significant issue, it can really affect multiple different sectors and economies in the countries that we operate." — Emma Smith [06:15]
[07:21–10:16]
Quote:
"There's often a perception—especially from people outside the security discipline—that you kind of deploy a security tool and then you're done. But actually, as we know, it's this continuous operations and engineering... always pushing the dial." — Emma Smith [09:37]
[10:16–14:04]
Quote:
"We've gone about making everybody really in tune with the mission so that people are part of the big picture." — Emma Smith [12:02]
[14:04–16:37]
Quote:
"The very day that he decided to go and embrace those questions... it led to a completely different level of trust with his board... Those difficult conversations are there for a reason—embrace them, lean into them." — Emma Smith [15:46]
[16:37–19:08]
Quote:
"Cyber is a lot about leadership and a lot about tech and you've got to have both." — Emma Smith [17:30]
[19:08–21:41]
Quote:
"I know that the company objectives are my objectives and I need to work really hard to try and help others be successful." — Emma Smith [21:28]
[21:41–25:39]
Quote:
"Having that data that's regularly refreshed and then for the right audience tailored... Sometimes have league tables that show how different countries are performing against each other and that sometimes helps to drive momentum." — Emma Smith [26:03]
[25:39–27:14]
[27:14–28:31]
Quote:
"It's not an easy job. Actually, that humility and leaning on others and knowing when you're having a bad day, ask for help. The personal side of the job, don't deprioritize that." — Emma Smith [28:17]
The conversation is candid, reflective, and practical, blending strategic insights with real-world lessons—anchored by Emma Smith’s commitment to humility, continuous improvement, and people-centric leadership.