Boris: Welcome to our Interview with Mike Gillespie. Mike is a global Influencer in the area of Internet Security, he is a Director at Advent IM and VP at The Centre for Strategic Cyberspace and Internet Studies.
Advent IM is the UK’s leading Holistic Protective Security consultancy and the Centre for Strategic Cyberspace Security and Internet studies is an international nonprofit organization that conducts independent cyber Centric research, development, analysis, and training in the area of Cyberspace.
Mike, thank you for taking your time and coming to our interview today.
Mike: Thank you for having me. It really is a pleasure. Thank you.
Boris: With your credentials. I believe that we will have a really thoughtful conversation about cybersecurity and emerging threats. From fears of a Cyberspace based New Cold War between Global Powers to emerging fraud threats, to financial services, small businesses, consumers, and work from any anywhere employees, the issue of the cyber security is likely to loom large over all technology discussions in 2021.
Mike, could you tell us a short story about your unique path in the cyber field and what are you guys at Advent IM up to these days.?
Mike: Well like many people who work in cyber security, I didn't step down to do this, not as a career. That is more something that I'm as interested in going back in to the early eighties. I was a kid and with the one of the early generation computers, as I approached 16 I told to my parents, that I would like to go and work with computers and they told me to grow up and get a proper job.
Being the precocious child I was, I didn't listen to them and then of course, there weren’t that many jobs for people working with computers back then.
A lot of it was mainframe based, where we were coding on the punch cards. Even back then, we could never have foreseen what the world ahead of us was going to look like in terms of connectivity. The idea in the late eighties, early nineties that what we're doing today was science fiction back then.
So in just 30 years, the technological advancements, the way in which we can work in a way to really communicate, have changed profoundly. I found myself in the military actually traning as a biomedical scientist, only to be moving into computerized record keeping and being the only person in the unit who knew anything about computers. I ended up working with computers.
So the irony was that having gone off and have gotten a proper job, I actually ended up working with computers anyway.
And from there I was lucky. I was in there in the nineties when everything was happening, as networking came along and computers became more GUI based on the internet and e-mail was introduced. And from there it's just been a whirlwind of trying to stay on top of the changes that occur almost on a daily basis sometimes.
So very, very lucky I've got to do a hobby for a living for 30 years and it never gets boring,
Boris: Interesting. And what are your guys at Advent IM are up to these days, what is your business model?
Mike: One of our key things that we try to do is we work with organizations at a strategic level to help them to put Security processes in place. Whether they're people, physical or technological that are specifically aligned to their business activities and their business objectives. So we want to put Security in place that enables the right people to access right information at the point of need so that they can do their jobs effectively and efficiently.
And unfortunately, a lot of IT Security is based around minimizing risk and focus on confidentiality, but sometimes making that information available to the front line staff, whether it's, as we've seen the last 12 months, Blue Light services or Emergency Services needed an access to real-time data is absolutely critical.
When new technology presents that when your Security model prevents that it actually has a profound impact, not just on your own business, but on society as a whole.
So security has to be more embedded into the business, a more enabling, a more accommodating to manage risk rather than to avoid risk. So that's a lot of our focus is talking to businesses about security, being an embedded business process rather than something that is a specialist subject that often is seen as getting in the way.
Boris: Let's a, a dive deep into our topic of a cybersecurity, especially in this COVID era. We do a lot of work remotely and my question is, does a remote work seem like a trend that will continue, even if lockdowns abate? Has COVID really ended the daily commute?
Mike: I think it has been an absolutely fascinating, not just from a cyber security perspective, but as a social experiment. It's a terrible thing to say when we're in the middle of a global pandemic where we are looking at 2 million lives lost, but there’s a lot of organizations who were entrenched in a very old fashioned mindset about what productivity look like. So organizations struggled to understand whether their staff were working hard, if they couldn't see them.
And if they can't see them, how can you be sure that they've worked that 37 and a half hours a week? But actually it was a really outdated model, particularly certainly here in the UK where we are very much a service-based industry, more than anything these days.
Productivity is about output, which is about understanding what you arr trying to achieve. So if we can work with our employees to understand what it is we expect from them in terms of output, does it really matter whether you work nine to five, eight till three, seven to 11? If you take five hours off in the middle of the day to take the kids to the beach during the summer, assuming you are not in lockdown, of course? It doesn't.
Where you work and when you work are far less important than how productive you are. I'm speaking to a lot of people, they are definitely talking about a significant downsizing of their office space through 2020 - 2021.
What this has shown is that people can work from home and be trusted and be productive. And while it take us anywhere from two to four hours of somebody's day, every day, commuting, adding greenhouse gases, wasted time, a whole range of other factors and actually you can get up, have breakfast with your family and be in the office for nine o’clock and still be productive,
The downside of that is of course, as this has gone on, while it started off as a short-term measure of people working temporarily from the spare bedroom, or in some cases using an ironing board as a desk, it has become quite isolating for people.
So we have to continue to use some fantastic tools that we've got now in terms of online collaboration, but we need to use them more in terms of how we continue to engage with and touch base with our teams.
So one of the things that we did from an early day, as soon as we closed the office down, and sent people home, we had a team coffee break, and every day you dialed in with their coffee and discussed how the the week went.
It wasn’t work. It was fairly much about humanizing the situation and providing support, friendship and companionship for people who had found themselves in a very isolated position.
Do I think this is a long-term trend? Yes, I do very much so. So there are some interesting research being done just in the last few months and certainly here in the UK it has showed a much less desire to go back to a safe office workspace than anywhere else in Europe. About 34% of employees were prepared to go back to work when they could compared with 60 to 70% as some of the other European countries.
But what's also interesting is one of the pieces of research has been around people who have never worked from home before. And pretty much half of all of the people who have never worked from home before have responded to say they prefer it, or they want to continue to work from home in some capacity, maybe not full time, but in some capacity going forward. So I think we're going to have a much greater remote mobile workforce than we've ever had in the past.
Boris: From an information security perspective, was the rollout to a remote a success and what would you expect in the future with regard to Security of remote communication?
Mike: Well, I think we have organizations who were well-prepared, who already had an agile mentality, who were already gearing up to having a larger remote workforce and they done that pretty well. A lot of organizations, almost had to mobilize their work force with 24 to 48 hours notice. So there are potential challenges further down the line in terms of how devices were procured and rolled out.
We've got a significant amount of people who have never worked from home before who maybe don't have the Home Working Security Culture that we're going to have to deal with.
And we're going to have to spend more time on quality education, awareness and engagement with those people to make sure that they continue to be a secure workforce in the same way that would be in the office. So. things like policy, education, engagement and technology will probably have to be reviewed and brought up-state in retrospect, which is always a challenge when we mustn't forget that those things need to be done as we deal with the emerging challenges as well.
Boris: And what additional risks does remote working offer? Do these new risks really require special attention to mitigate?
Mike: Well, I think one thing that we saw was almost a tripling of the amount of malicious traffic directed to homeworkers. In some markets there was an increase in security incidents, but actually in the main there weren’t. There was an increase in malicious traffic, but that hasn't necessarily converted into an increase in breaches, which we would consider it to be an incident.
So our workforce generally responded to that quite well. Of course what we know is that a phishing attack is more likely to succeed any time when the work force are under stress pressure, when they are destructed, when they find themselves in a position where they in an uncomfortable or a unusual position. for all of that. That's pretty much sums up all of those things. So we have to be careful to stay engaged with our staff.
The big thing I see with IT Security education is often that we are telling them, this is what we don't want them to do, but we don't necessarily engage with them to give them a set of principles, to understand what we do want them to do.
It's all very well saying to somebody - don't click on a phishing email, but if they don't know what a phishing email looks like, if they don't know how to recognize it or they don't know what to do when they do get one, they can't behave in the way in which we do want them to behave.
You can say to a child don't go any further than two hundred meters. But if they don't know what two hundred meters is like, you can't expect them to stay within your distance. It's the same in Security education.
We need to provide them with the education, not just the rules and that it has to move to a principal based rather than a rule-based situation with policy. So people know what we're trying to achieve and working with means being a part of the solution rather than feeling like they're continually being told, don't do that, don't do that.
Boris. How do the information security professionals feel about such wide spread remote team requirements, and has increased the pressure on them? Because normally if you are in the office environment, you have your nine from five and you know it, but if you are at home environment, you can in fact work a whole day for your boss.
Mike: That's right. And I think there's, again a sort of splits appearing in the people that I'm talking to. There are those that are horrified at it because they believe that unless you can see in the user, you can't trust them to do the right thing.
There are those who are embracing it as a new way of working. And they're stepping up to that challenge and working with their organizations, take them to a place of maturity, whether this can be achievable.
And then there are, those who already gone through that change who already have recognized that, where it was the last time you saw a static desktop in an organization anyway?
Most of online users would be mobile and to some extent for a long time, we just haven't been recognizing that. And so there's a whole range or professionals out there depending on the organization they work for and culture they used to work.
And that also goes to the sectors as well. When you've got highly regulated sectors, whether it's a fear of information loss, they tend to be much lower. It's more of a moving towards allowing staff to work remotely. And so they've got a much bigger uphill journey now to get themselves to a place of maturity to manage that safely.
The safe management is possible. We just need to embrace it and move forward with that as a new way of working.
Boris: What part has the relationship between the communication and Security played in remote working success? How are senior leadership attitudes changing and adapting to remote leadership?
Mike: Again, I think they pretty much the same sort of split, but you have organization's that mature, who understood that users were intelligent, adults motivated, the vast majority of the employees, they want to do a good job and they don't need somebody sitting on their shoulder all the time for them to do a good job.
But there's now some middle leaders in particular with approach that if you don't keep an eye on your staff and they will slack off.
And so now how do we know they're not slacking off because their working from home when we can't see them and they're the ones that are struggling with this hiatus.
And then there is a third group of those that have been shocked by it at first and then seen their staff because they've allowed them to find their way of working.
They've actually seen their staff productivity increase not decrease. I think that what we've also seen is that organizations that embrace the other skills that they have within their organization, people who work in marketing, communications, training and development, leadership in development were they have all been involved in this new model, they have been much more successful.
In a nice of possible words, a lot of it people aren't particularly good communicators. Communication is seen as a soft skill rather than the skills that is integral to being a good security manager. So if you're not a very good communicator and you’re not from an education background, why are you expected to create education content for your user base?
Surely, you should be using your subject matter experts, your communications, marketing, or even people who have got a good understanding of human psychology and human behavior. If you can get behavior experts, psychologists and people like that who were part of the development of your education program, you're going to develop education that changes culture and behavior rather than education that ticks the box.
Boris: Some Security news that we saw lately report in the rise in sales of software to remotely monitor staff, sold as kind of productivity monitoring. What are your thoughts on this and where do you think is the line between spying and reasonable monitoring lies? What do employees need to be very open legally and ethically?
Mike: Well, I think the first thing that strikes me about a lot of these tools is how quickly the sales teams started to focus on the functionality that these tools have to be deployed in stealth. To me, where I'm talking about a culture of openness, engagement and trust, developing staff to be an integral part of the solution.
To deploy a remote monitoring tool in a stealth mode, without employees being aware of that, that allows employers to access their webcams, their microphones, monitor their keystrokes, see what's on their screen, just from a pure ethical perspective to me strikes the wrong tone.
But legally, certainly here in UK, our Information Commissioner has been very strong for some years now saying that employee monitoring is all well and good, but it has to be open transparent, staff needs to know what their rights are and all of the information that's collected as part of the employee monitoring falls under personal data and needs to be collected, processed and dealt with a safe and transparent manner. So again, are staff is going to work harder just because you've got a piece of software on their screen?
I've worked in organizations in the past where people worked “flexi time”. So if they come in half an hour early and go home haalf an hour later, they accrue an hour's worth of flexi time. And over a course of months that builds up to an extra day of holiday. That doesn't mean that they've worked any harder or any more productive. It just means they worked for an hour longer each day. And actually that's convenient to them because it gets them before all the traffic and they leave after the traffic.
Productivity software is only going to work if it's deployed in a way that's actually going to enable the employee to work better, more effectively and more efficiently.
If all that's there is to provide an extra pair of eyes and to spy on them, you're going to drive down their motivation, drive down their engagement. You will drive down all of the employees' loyalty to your organization, because they will feel devalued as a result of that. And that's before you get into the legality of deploying it in stealth mode, which is a data protection GDPR nightmare waiting to happen.
Boris: I would like to take this opportunity to ask you about a recent breach involved the SolarWinds, allegedly by Russian hackers. How do you think about this incident as a professional and how should we think about it as a individuals, consumers and citizens.
Mike: I think what it has shown once again is the potential of frailty of the whole software supply chain. If you can insert anything malicious at a prime level or you can go to the source, and if we move away from SolarWinds for a moment, let’s just think about something everybody will be using on a day-to-day basis.
So if, for example, if you are using a Microsoft operating system, you are probably automatically downloading and deploying Microsoft patch updates, now if I'd like to subvert that and insert something that is malicious in to those patch updates. We are as a supply chain, as consumers, we are trusting, that the ultimate source of these updates is trustworthy.
And that's exactly the same with SolarWinds. Once you get at that level, everything that has downstream from that, all of the cascading through proliferation of those software updates is going to get corrupted. So you target one organization, but you compromise thousands. That's to me a much bigger return on investment than trying to hack thousands of organizations. We've seen this within the finance sector, with point of sale systems and finance systems, Swift banking system.
It just continues to show the frailty of that whole software supply chain. And really we say supply chain, but is it a chain it's more like a web, like a whole ecosystem of onward cascade and demand. So I don't think we've seen the last of SolarWind compromise in terms of what is potentially going to happen.
What we do know is that we were already got some major organizations, and FireEye was the first one to come out and talk about it that would have had significant compromise, not just of themselves, but their whole client base potentially. So supply chain assurance, there is an area that still is a very immature as a very few organizations could genuinely tell you who was in their supply chain and probably no more than one or two arms length from an organization. You have no visibility of who you are connected to at all.
Boris: They call it now Third Party Risk management, kind of a new discipline.
Mike: We keep doing it, we keep calling it a new name and give it a new discipline. But actually it's an age old thing, which is a supplier assurance. Anybody who has access to directly or indirectly your information systems is a potential threat as well as a potential ally. But that also has to include any organization that you are dealing with within your supply chain for offline Management of your information as well.
We talk a lot now about cybersecurity, but when I first got involved in this world, it was information security.
And sometimes that focus on cybersecurity has led us away from acknowledging that we still have a huge amount of offline information. Paper-based, our archiving and backups, all of those information assets need to still be part of our security strategy.
If you think about it, now, we're talking at doing cloud backups, where's the cloud backup and who they’ve subcontracted the storage of cloud backups to? And what are the offline storage of the cloud backup that was sourced by your initial cloud service provider?
So we already with four links down the supply eco system. And we have no idea now of who is handling our information. I can remember how many years ago we were being told, go cloud is more secure, cloud is just more secure than you can do it yourself. Go cloud is more resilient, cloud will be more resilient than that you can and it will be more cost effective as well. Now we're being told what you have to buy a cloud security.
But the reason I went to cloud was because cloud is secure. Yeah... and not actually secure. You need to buy a Cloud Security as an overlay. Oh, and you need to buy a cloud resilience, but I bought cloud because it was a resilient. Yeah... But you need additional cloud resilience now. And therefore you need to backup your cloud and therefore you need to backup the backup to your cloud. And all of a sudden you're like, well, hang on a second. This is four times more than I was doing when I have managed to do it myself.
And it's that the emperor's new clothes, that's the fairytale is kind of like, we bein sold to something continually is like an arms race. We were being sold these technologies as a panacea. But of course, once you bought that technology, the supplier has to go and find a new technology to sell to you. Otherwise where's the revenue stream going to come next?
I was back in the days when we could go to exhibitions, I went to an exhibition in London and everybody was selling drone technology.
Buy drones are, make them an integral part of your physical security solution. Then the next year drones were a threat. So now you have whole drone detection and disabling technology because everybody had drones. You sold us all drones. Now you are selling this technology to protect exactly the same companies. I think sometimes the it world is a bit like that. They sell as a solution for a problem we didn't know that we have and then tell us that's caused a problem that we now need to buy another solution for.
Boris: Let's discuss about Brexit and Data Protection Risk. How will EU based data controllers and processors with customers data or an establishment in UK, how will they interact with the UK data protection officer?
Mike: isn't this just one of those $30 million questions now? What is on the horison is just a blank page at the moment. We have the agreement now that we're going to be able to continue to have open borders in terms of data transfers.
But of course, we also now potentially need to have representatives in each other’s country who can represent us to the regulator in each of those countries if we are doing processing, marketing to, selling into, or storaging in another country.
So I potentially might now need to have somebody who is a data protection officer based in any other country where I'm doing work and you might need to get representatives like me in the UK to represent you to the UK’s Information commissioner’s office if you need to deal with them in the events of a breach.
So it introduces a potential overhead and complication that organizations are only just starting to get to grips with. I think that the freedom of information movement, as much as freedom of movement is absolutely vital to business in the 21st century.
And we have only just in the last couple of weeks got clarity over the rules of what that information movement is going to look like. So I think I would say is if we've got lorry drivers being stopped at the borders now and having their ham sandwich confiscated, I just think how much more complicated data protection is than whether you can or can't bring in a ham sandwich into the country.
Boris: Let’s do the the last question. If someone who is listening to this Interview would like to walk away with just two major take aways. What would that be?
Mike: I would say that in 30 years, I have seen several things happened, one is which the pace at which we expect people to work is faster than ever before. And that reduces thinking time, which increases the potential for mistakes to be made. In many data breaches actually are a result of a human error, even when we had the network incursion by a “hacker”.
Often that networking incursion has been facilitated by our own people, either making the mistake or because we don't allow our technical teams the time and the luxury to manage the technology properly. The number of organizations who won't allow network downtime to allow patches to be applied and then screamed blue murder. when the network gets compromised, they are hit by ransomware and they lose three weeks of productivity.
So we have to be able to understand that maintenance of our people, education, awareness, upscaling, but also maintenance of the technology that we invest in is an on-going thing, not a capsule expenditure. We can't just do it once and then expect that to look after itself.
The second thing is that over the last few years, we've increasingly use the term cyber and it has made us focus to some extent on the external threats, that many of the threats to our information assets that continue to come from inside of our organization. We need to go back to looking at our Security holistically because the threats are holistic, but at the moment our response isn't.
A lot of seminars that I attended in the last two years talking about the future of convergence physical and cyber coming together, it happened, the threat converged and our response didn’t.
So if you're going to focus on anything for the 12 months ahead, it would be improving our coordinated holistic security response, and understanding that education is not about 20 minutes once a year but an ongoing process.
Boris: Fantastic. Thank you Mike. I wish you a great success with your, for future growth plans and I hope that our members will find this interview very useful.
Mike: Thank you very much for having me today Boris. I really appreciate that. And you have best of luck with a continuing success in growth of the network as well.