In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Ben Aung, Global Chief Information Security Officer of Sage Group. Based in the UK, Aung shares some unique perspectives about cyber threat intelligence sharing, public-private sector partnerships, data privacy, and diversity—drawing from his experiences as a private sector CISO and a Deputy Government Chief Security Officer in the UK government.
I’ve observed a healthy rebalancing of emphasis between prevention and preparedness or response. In both government and private sector organizations, it’s become apparent that breaches can and do happen to anyone. You can't buy your way out of this problem, there is no such thing as 100 percent security, and you can’t keep your head in the sand as a mitigation strategy. The prevalence of global data breaches has forced many organizations to assume they will get breached—and they take response, damage limitation, and recovery as seriously as their prevention programs. Despite the received wisdom that it’s a case of when, and not if, a data breach will occur, that wisdom feels more tangible now. This situation forces organizations to tackle difficult, ingrained cybersecurity culture and process issues.
Also, there has been an acceleration in the inadequacy of a human-centric approach to manage the security of a large global enterprise. For example, the traditional detection and response model, represented by a SOC full of analysts and screens, is becoming outpaced by the volume of data and events that we now must interrogate to identify and get ahead of attacks. This reality increasingly disproves the idea that people alone can keep up with threats. At Sage, we are increasingly finding huge effectiveness and efficiency gains by leveraging automation and orchestration in our platforms. Sure, they are buzzwords and there is a lot of snake oil surrounding these areas of security. But the hours, minutes, and seconds we can take out of our response time through reducing dependency on human actions are paying dividends.
In terms of maturity, I see quite a difference between the CISO role in the UK and US. Five years ago, there weren't nearly as many CISOs in the UK compared to today. The title existed, but the roles were often fundamentally different. A CISO five years ago was analogous to an IT director—a supporting leadership role where the CISO led a technical or compliance team, served as part of the corporate IT organization within the business, oversaw a budget, probably reported to the CIO, and had little contact with an executive committee or board. Today, a CISO is increasingly comparable to a CTO or CIO. I have a bias, but this evolution must be a great indicator of maturity—that cybersecurity is now considered a top tier business risk and accorded the right level of executive oversight.
I also now appreciate how lucky I am at Sage. From day one, it has been clear how much importance is placed in this area by our Board, Chief Executive, and wider executive team. The trust placed in us by customers and colleagues to safeguard their data is paramount. I haven’t experienced the struggle for access or engagement that I often witness elsewhere. Obviously, it puts the onus on me to facilitate quality discussions and help risk owners articulate what is important, but that’s a hugely rewarding component of the role for me.
I believe the changes in the role across five years have also altered the strategy for recruiting CISOs. Previously, CISOs often originated from within “traditional” IT security teams—with a few coming from law enforcement or government—and led within a subset of a broader IT organization. Recently, I’ve seen some great CISOs coming from the developer community. A deep understanding of the web is so critical in an increasingly SaaS- and cloud-first world. Today, an effective CISO in a corporate environment is considered a senior executive of that organization and involved in strategic decision making across a range of issues. From a personal perspective, I was fortunate to supplement my technical background with six years of policymaking experience in the center of UK government, which has stood me in good stead in that regard.
It’s not the be-all and end-all, but I think a seat at the executive table with the influence it brings is the gold standard for CISOs. They are accountable for the success or failure of an organization’s security, providing value for the money invested in their team and capabilities. They are increasingly a true business leader in that sense.
In addition, they must balance a degree of credibility with technical teams and be equipped to make the right call on very technical issues, while also being credible and fluent with senior stakeholders on the executive committee or board—maintaining confidence in both these camps. For me, the hardest thing about my job is doing the best I can for both my team and for leadership. Both audiences can take up a lot of time and sometimes require me to switch between two different parts of my brain. As the UK’s largest technology company, Sage has many brilliant leaders who straddle this dichotomy and from whom I have already learned a great deal.
GDPR gave CISOs and security teams exposure, momentum, and funding to deliver and validate compliance with the new law. The regulation provided a good opportunity for CISOs to get under the hood of some longstanding data management and governance issues and make some progress that, without GDPR, could otherwise have remained in the “too difficult” pile.
Pre-GDPR, much of the preparation work I saw in organizations wasn’t dealing with new aspects of security. The regulation focuses on the fundamentals—data hygiene, good governance, and basic cyber controls, applied consistently—but gave it all a very good push under the banner of GDPR. My sense was that after GDPR took effect, most organizations let out a sigh of relief and stayed relatively static while they moved on to other things.
Over the last six months or so, what I’m seeing is a kind of reawakening as organizations review their GDPR plans and posture to ensure that their compliance assumptions match reality. GDPR helped introduce a more sophisticated and broader appreciation of data privacy issues. In large corporate environments amongst chief executives and boards, leadership has become much more aware of core data privacy tenets than they were before GDPR. This community understands data privacy more because they had an overt role to play in becoming compliant, with responsibilities that weren’t just left to security or legal professionals. The base understanding of data privacy has increased, which can only be a good thing.
Some of the high-profile GDPR penalties such as fines, litigation, and class-action lawsuits introduced an interesting component into the impact assessment of cybersecurity failures. If an organization experienced a major data breach before GDPR, then pseudoscientific models might help you work out what damage it would do to your brand or how much money you would lose based on calculations such as cost per record. Now we know that if you sit on a vulnerability that either you or the wider world is aware of, and that vulnerability is exploited, leading to a large loss of PII data, then you stand a good chance of receiving a fine in the tens of millions of pounds. This is a sobering and more tangible reality to even those with a tangential interest in security.
This greater depth of understanding about privacy in the business (and what happens when it goes wrong) just wasn't available before GDPR, and I think it’s a major step that has significantly elevated the whole discipline. It has also helped prepare many organizations to deal with the strengthening of data laws in other jurisdictions.
While I was in government, I would often hear companies voicing concerns that the government sat on a body of threat intelligence that would help them move the needle of their own defense if this intelligence was shared more widely. There is some truth to this assumption. However, my experience is that threat intelligence isn't always as useful as people think. For it to be useful, you need to be able to use it—and use it effectively. If you're just dropping in some IoCs into your tooling but you lack the right processes, lack a proper response, and lack the ability to effect change in the wider business, then the threat intelligence is moot. In and of itself, it doesn't solve anything.
In terms of a counterpoint to industry concerns, government could probably be more candid about the fact that a lot of threat intelligence is closely related to sensitive equities it cannot divulge easily. Cyber threat intelligence sharing outside of a protective bubble is not always an easy decision to make, and the balance between risk and opportunity isn’t as obvious as you might think if you're on the outside. Businesses often don’t understand the fragility of these circumstances. If you have threat intelligence about a particular actor or adversary, then just by dint of making that knowledge available you might undermine something more valuable. Dr. Ian Levy, Technical Director of the National Cyber Security Centre, wrote a fantastic blog about another facet of equities—vulnerability disclosure. I thought Ian shone a very honest light on the delicate trades that agencies like GCHQ must make day in, day out.
In the US, I generally see a more fruitful and mature system for cyber threat intelligence sharing than I see in the UK. Beyond just the sharing of threat information, I observe something in the US more akin to a shared national mission. That’s incredibly powerful. It's about more than trusting a corporation with sensitive information that they can use to protect themselves, but rather a clearer appreciation on both sides of the equation that organizations are more than the sum of their parts when it comes to the national interest. In the UK, we're not quite there for a few reasons, and it seems to me we lack some of that shared purpose. US institutions also have greater permeability—people at the top of US federal and state cybersecurity organizations have also worked in the private sector and probably will go back. Many cybersecurity workers and leaders have often moved between the public and private sectors, creating a close bond between the two. I'm sure it's far from perfect, but it’s a closer relationship than we have in the UK. My hybrid government and private sector experience is relatively rare for CISOs in the UK.
I slightly take issue with the talent shortfall point, which is a figure you obviously hear a lot. I frequently see early stage or graduate individuals really struggling to get their foot in the door, so I think there aren't enough entry-level jobs. That’s not to say there isn’t a deficiency, but I think it’s most acute in the mid-career stages and focused around a few scarce skillsets. For example, in the UK, security architects who really understand public cloud are like hen’s teeth. We should invest more time, effort, and resources into creating graduate-level jobs that are easier for people who have some cybersecurity knowledge but no experience to get into the profession. However, while on paper these candidates have everything they need to get started, the overhead to a company can be significant because these employees will need support before they can become effective. Daniel Miessler wrote a great piece recently about what entry-level employees can do to add value and offset a company’s coaching and development investment.
Diversity is a tough issue. In the UK, the National Cyber Security Centre has done loads of excellent work with schools such as all-girl cybersecurity competitions. I spoke to a recruiter recently who works across technology sectors, and she told me that experienced women in cybersecurity are now outstripping male counterparts in earning power and that “the resume of anyone decent who comes in to see me just flies off the desk.” That feels unique to the technology profession. However, while everyone trying to rebalance diversity in their teams is a great thing, it’s obviously indicative of something wrong—and that we all know is wrong. Obviously, there aren't enough women interested in cybersecurity roles.
As a community, we could do a lot better. Some really unfortunate toxic attitudes still exist. If you contrast security with how far the broader technology profession has come in recent years (albeit still with a long way to go), it's night and day. In cybersecurity, there is still a drinking and lads' culture and a number of wannabe James Bond types. And in cybersecurity product marketing, the messaging and tone is very sci-fi and action film-esque. This culture affects the public perception of cybersecurity and to me, highlights immaturity within the industry. Considering this, I’m not surprised if the few women who come into the profession find they just don't like it very much.
From a personal perspective, I'm very picky about events that I attend. I tend to find many of them repetitious, and I've heard the same war stories a million times over! I think there is a massive untapped opportunity for progressive, empathetic, and diversity-friendly security conferences. I think those events would be a huge commercial success in the cybersecurity industry if an organization picked that idea up and ran with it. Maybe I’ll organize one!
Security teams are normally stretched, with more to do than the capacity to do it. Pressured by time, it’s easy to have a bias or prejudice to recruit quickly in your own image. This is a false economy and it leads to groupthink and a paucity of new ideas. The cybersecurity challenge is already hard enough and we need all the thinking and experience we can muster. I know from my own background in UK national security, which has big problems with diversity, particularly at senior levels, that diversity doesn't happen organically. You must work hard at it. Even small things like having your job adverts assessed by your diversity and inclusion team can make a difference. As a leader, I am also keenly aware of the attitudes I project and the language I use. I’m really proud that our team delivers fantastic work at a high tempo and sometimes under challenging circumstances without compromising on colleagues’ family responsibilities and work/life balance. At Sage, I’m also surrounded by so many fantastic female leaders—including my own boss—so we have a great platform from which to build.