×

Cerby’s Best Practices for Securing Cloud Native Applications

Matthew Chiodi, the Chief Trust Officer at Cerby, joined us on Episode 37 of The Cyber Security Matters Podcast to share his insights into the industry. One of the topics that stood out to us was the best practices that he shared from Cerby’s work on securing cloud-native applications. Here are the highlights of his answers: 

“When people say cloud-native application, that refers to applications that are built cloud-first. If you have a VM that’s running on-prem and you move it to run in the cloud, that’s not cloud-native – that’s just cloud transferring. Quite frankly, it’s a waste of time and money to do that. Cloud-native means that your infrastructure was not built manually, but it was built using infrastructure as code templates, defining what your infrastructure would look like in code first. Then you’re using code to bring up things like lambda functions that only work during a certain period of execution. That doesn’t use a typical VM, it’s usually a microservices-based architecture. 

When it comes to cyber security, the basics still apply. Organisations have a massive data sprawl issue in the cloud because it’s so easy to upload to. If you go back 5+ years ago, if you needed a new data store, you had to open a ticket with your IT department and wait 2-3 weeks or even months, depending on the size of the organisation, before you got access to it. Data also tended to be much more centralised, and there were checks and balances. For a lot of cloud environments, that’s not a problem anymore. Developers generally have a fairly high level of access to create new services and they can create new data stores on demand by calling APIs, so you tend to get data in all different places. 

You have to know where your data is and what it is because if you don’t, sensitive data, like personally identifiable information, can easily end up in the wrong place. Health information that was intended to only be in a production environment can very easily be moved to lower environments that don’t have the same level of governance. I’d advise having a good tool that can tell you what you have and who has access to it. 

Knowing your code – specifically your application security code – is still highly important because you might know where your data is, and who has access to it, but if you’re writing crappy code, you’re introducing a vulnerability to your digital environment. So, you have to know who has access to your data and your code. If I get access to your data, I can do what I want with it. Or, if I get access to your code, I can inject things into your code that will then give me access to your data. 

In terms of what Cerby does; I usually say that in all organisations, you have two different types of applications. A lot of times we think of cloud apps versus on-prem apps, and that’s true, but really it comes down to identity and access management. You have standard apps that you can very easily integrate with your identity provider, and your IT team can manage them centrally in terms of who should have access through that type of identity provider. The other category is what we call non-standard applications or disconnected applications. This is a massive problem space because the apps that fall into the nonstandard category can’t be managed with your central identity systems. Cerby is focused on that non-standard space. 

We connect those non-standard applications back into identity platforms on trial ID. We did a little bit of research last year, and what we really wanted to understand was the scope and scale of the problem, and we found that organisations have a median of about 175 of these non-standard apps. We’ve spoken to some large healthcare companies who have 1000s of these, and we know there are hard costs associated with these applications because if you as an IT admin in one of these organisations have an employee who needs access to one of these non-standard apps, they can’t go through any kind of automated process – they can’t go into your access request system, they’re going to put a ticket in. Once you get to it, you have to manually log into this app, figure out what access they need, etc. and it’s all a lot of hassle. We make it so that you can centrally manage these non-standard disconnected apps, using your existing native tools.

To find out more about securing cloud-based applications, tune into Episode 37 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Addressing Common Hiring Challenges in Cyber Security

As the Cyber Security industry expands, growing your team has become more difficult than ever. On Episode 36 of The Cyber Security Matters Podcast we spoke with Julia Doronina, the Co-founder and CMO at G-71 Security, about the challenges she’s faced when it comes to scaling her team. Julia is also a passionate advocate and mentor for women in tech, giving her some valuable insights into diversifying the sector’s talent pool and making it more accessible. 

What are the key talent topics that need addressing the most?

I believe that it’s important to focus on employee development and to provide opportunities for career growth. With the rise of artificial intelligence, there are many new solutions and projects on the market, so companies and executive teams need to encourage their employees to learn new things and understand these new approaches because they can help optimise processes. The main thing is to support your employees and help them to grow themselves.

Do you struggle to hire based on talent shortages?

We’re a startup and we don’t have a big team right now. We were dealing with different outsourced people who can help us with different activities, like design, copywriting, analysis, and so on. I think that it’s very important when you’re talking with people who you want to attract to your company, to talk to them about the use cases for their skills, not just their CV, to understand how they think and how they can implement their skills into your business. Figure out how they can expand your current situation or activities. 

Early in my career, my skill set was straightforward. I knew the general and traditional channels, and I implemented them. Now I’m trying to use AI. I use Chat GPT, about 20, 30 or even 40 times per day for different tasks because it can help me optimise my processes. My worldview and approach to problem-solving are changing as the world evolves, and I think that we need to encourage people to develop themselves in the same way.

There’s a lack of diversity at a grassroots level, so what can we do to address this?

We need to create an inclusive culture in companies, even in startups. We need to include different inclusivity training and actively attract candidates from diverse demographic groups because they have a lot of insights and skills. It can be great to create programmes to support the development of underrepresented people. It’s important for companies to actively support these initiatives, mostly from the executive point of view, because they are the drivers of the company, so they need to support it.

To hear more from Julia, tune into Episode 36 of The Cyber Security Matters Podcast here.

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Inside Cyber Security Startups

Cyber Security is a growing sector, with plenty of startups evolving in the space to meet the need for unique solutions. On Episode 35 of The Cyber Security Matters Podcast we were joined by Alexandre Sieira, the Co-Founder and CTO of Tenchi Security, to talk about his experiences of startups and entrepreneurship within the sector. Alexandre is an executive with over two decades of experience in cyber security who is currently focused on helping companies leverage the benefits of cloud computing with security compliance through his startup, giving him some great insights into the topic. Here are the highlights of our conversation. 

What’s it like running a security startup?

It seems so glamorous – like it’s all staying in swanky hotels and talking to high-flying financiers in the VC world. Actually, it’s a lot of hard work. It’s it’s long hours. There’s no limit to the work you have to do – you can’t just say, ‘This is not my job description’ because, as an entrepreneur, your job description is infinite. When you’re an early-stage employee or a founder, you have to do everything from carrying boxes to making customers their coffee. You’re writing proposals, paying the accountant, double-checking the tax calculations, interviewing, hiring and leading people. It’s super hard to find people that are decent at all of those things or that enjoy doing all of those things, so at least 40-50% of the time, you’re doing stuff you’re not very good at or that you don’t enjoy until the company becomes big enough to hire people who are specialised in that task. You have to have a lot of energy to keep working, and you need a high tolerance for doing things you don’t enjoy. But the upside is getting to build something from scratch, and that’s super amazing.

You’ve been involved in several startups. Can you pinpoint any key themes that have made them successful?

It seems obvious when you say it, but you need to be doing something that people need. In technical startup terms, that’s called product market fit. You need to be building a product or service that people actually need and are willing to pay good money for. Then you need to execute it well because even if you are building something that people are willing to pay for, if you don’t make them aware that you exist, or you’re spending more than you’re earning on marketing, you’ll go broke. It all comes down to ideas and execution.

What do you think are the key ingredients you need to get investment?

I’ve been involved with three companies, one of which we started bootstrapped, then raised private equity for very late in the game. That was CIPHER. With a services company, it’s super easy for you to finance yourself, and you typically don’t need a lot of investment at the beginning like you do when you’re building a product. It’s very easy to get started and generate cash flow if you’re in the services business and you know what you’re doing. We wanted to do international expansion, so that’s when we raised private equity, which is a whole different ballgame from venture capital. 

Then with Niddel, we were a product company, but we weren’t bootstrapped. We could afford it because we had sold CIPHER, so we were using our own money to work for a year without getting paid because we had our savings. With Tenchi, this is our first VC-backed company, which is a completely different experience. It’s a different kind of sale. But, if you know how to run a company and you know how to sell, you just need to figure out what the buyer wants. You need to find the right buyers for what you’re selling and figure out the best way to communicate what you’re offering to them. Fundraising is no different. You need to be able to describe what you’re doing and why it’s interesting, and you need to find the right VCs who are active in your industry or sector but don’t have a conflict. 

The biggest difference is that when you’re talking to a customer, you’re saying, ‘Hey, this is the product, these are the technical features, these are the benefits of using the product’. Whereas with VCs, they’re looking for different things. They’re trying to assess the team background, dynamics, founders etc, especially if you’re an early-stage startup. The thing you need to think always when you’re talking to VCs is that much like security people, they’re trying to mitigate their risks. They’re so interested in founders because a lot of companies and founders fight amongst themselves and split up. Venture capital is a high-risk investment strategy, so you need to try to mitigate your risk for them as much as possible. 

What makes a good entrepreneur?

You need to have a high tolerance for pressure, handling setbacks and adjusting to doing everything yourself. There are a lot of people who flourish in the large enterprise environment where your job is narrow, and they get super specialised in what they do. They get to know everyone, work the political channels inside the company to get things done and they get joy out of it. One of my startups was acquired by a large company, and we were able to deliver amazing results there, but I did not enjoy the process of working there as much as doing entrepreneurship. 

If you get the right person in the wrong environment, they’re not going to succeed. There are people that would be amazing at an enterprise that would suck at being entrepreneurs. I’m the reverse; I think I’m good at entrepreneurship, but if you put me in a large political enterprise with lots of well-established processes and bureaucracy, I’ll slowly wither and die. It’s just I’m not going to enjoy myself and I’m not going to flourish. It’s all about matching the person with the environment. 

To hear more from Alexandre, tune into Episode 35 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Championing Women in Cyber Security 

Gender diversity has been a pressing issue within the cyber security industry for a number of years. On Episode 34 of The Cyber Security Matters Podcast, we were joined by Julia Weimer, the Director of Professional Services, EMEA at Lacework, to discuss the issue. Julia is passionate about gender diversity in cyber security, and actively participates in industry events and forums as an advocate for women. Julia regularly shares her insights and guidance with aspiring professionals to empower them in entering the cyber security space. 

Do you think mentoring and public speaking are good ways to spread awareness of women in STEM and tech? 

Absolutely. This is an opportunity for women to speak but also hear about the struggles of women in the industry. That helps people in the room feel like they’re going through a similar experience to the speaker or maybe find a nugget of inspiration to take on a new challenge or do something different. I think that it’s worthwhile to explore events like that with women and men. I say that based on the sheer numbers alone because there are more men in the industry, so we will need their help to get us to the next stage. 

I’ve witnessed the benefits of sponsorship in my own career. If we can bring more men into the mission that we’re on, we’ll have an equal composition of men and women in tech in the industry much faster. I really do believe that the more we can bring our male allies in the better the industry will be. We can empower them to speak on our behalf when we are not able to, bring a woman to a meeting that she wasn’t invited to, and speak up on our behalf when they know that we’re not being paid the same as our male counterparts. Those are opportunities for us to bring men into the conversation and realise it’s a men and women problem.

What advice do you have for male allies who want to stand up for women more?

Invite them to that meeting, include them in the conversation, and get their advice. Getting feedback from diverse perspectives is so important in the business world, because business can be quite boring if everybody has the same perspective and the same opinions. It’s it’s healthy to be challenged and see problems from a different viewpoint. Invite women to meetings, speak up for them, and if you notice a woman is quiet in the room, ask for her advice after the fact or ask what she thinks during the meeting to make her feel included.

What advice would you give as a mother who is successful in your career?

Being a woman and mother in tech specifically makes you realise that so many things outside of motherhood really don’t matter. It’s given me the confidence to know that if I need to take my child to a doctor’s appointment rather than taking a meeting, I will do it every day. I’m privileged to have a job where that’s okay and where my peers respect that. My advice to other full-time working mums is to lean into both. You can absolutely have both. Don’t let anyone make you feel bad for choosing that lifestyle. 

A lot of mothers have faced judgement for choosing not to stay home – there’s a lot of judgement that’s passed on women in general. But as a mum in tech, I truly lean into both. However, realising that you can’t do it all is important too. By that, I mean making sure that you can let your to-do list carry over to the next day. If you have responsibilities at home and in your job, you have to recognise that you may not get to everything that day, but be able to make the right decision for yourself. One of the key points when you look for a new role is whether you will have the people around you to support what you’re trying to do as a mum but also as a full-time employee.

What’s one piece of advice you give to someone entering the industry?

Women statistically do not apply to jobs that we do not feel qualified for. If there’s a job that seems interesting to you, apply for it. It just takes the first meeting for someone to see your potential or hear what you have to say. I think there’s no problem in saying ‘Why not’ and just going for it and giving it your best. 

Breaking into the industry has seemingly become harder. It is about using relationships to open a door. The more networking events you can attend, the more people you can meet and interact with, the better. You’ll meet respectable people in the industry who can help you and connect with you on LinkedIn so that when you’re asking for help and using the network to be able to do that, the right people will see it.

To learn more about gender diversity and the opportunities for women in the industry, tune into Episode 34 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Mobile Application Security 

Mobile application security is a growing part of the Cyber Security industry. To help us understand and address those challenges, we were joined by Chris Roeckl, the Chief Product Officer at Appdome, on Episode 31 of The Cyber Security Matters Podcast. He shared his perspectives on the state of the sector, his insights into the key challenges of keeping mobile applications secure and its impact on compliance. Read on to find out what he said. 

How do you assess the state of the mobile security space as a whole?

The mobile app security market is rapidly changing. There are lots of reasons for that. Probably the most important one is that mobile apps are now the dominant channel for interacting with digital brands. It’s not about websites anymore, it’s all about mobile. The bad news here is that people who break into networks are zeroing in on mobile apps, which is driving the mobile security market. 

The challenge, particularly in today’s economy, is that CISOs and other decision-makers within mobile app security don’t have as many resources as they had in the past. They are either freezing their hiring or letting go of developed cybersecurity engineering teams just to cut costs. It’s like that old analogy of cutting off your nose to spite your face, but it is the reality of business today. They’re also trying to zero in on how to do more with less because 

budgets are under scrutiny. The thing is, bad actors aren’t taking the day off because of budget cuts and personnel reductions. The number of attacks just continues to grow and grow and grow. 

We don’t like to focus on scaring our customers or prospects, we want to help them. We don’t spend much time talking about the bad actors doing bad things, but they are, and the mobile brands we support know that. We don’t have to take that message to the market, so our focus is on getting them to an outcome. How do we how do we solve this problem? Every mobile brand’s challenge is unique, and our goal is to make sure that we can solve those unique challenges for them. 

How are these key challenges within mobile application security addressed?

The first thing that you have to realise is that web-based and desktop apps basically all have the same technological components, which makes it fairly simple to solve security problems. Now, in the mobile world, apps are built with 15 different development frameworks, which you can mix and match. You may have heard of things like Swift, Java, or Kotlin. They’re all different languages that you can code in. That creates unique scenarios. It’s not homogenous; it’s heterogeneous, which makes mobile app security difficult. 

The other thing is that there are a couple of different approaches to solving that. If you go back 5, or 10 years, software development kits were developed by security companies for mobile, and they basically give you some code. Your job as an enterprise or mobile brand was to add and maintain that code in your own application, which had its own challenges. The most simple challenge was that the software development kit you got might only work with 3 of the 15 development frameworks, so as a mobile developer, you have to make a choice to say either I need to rewrite my app to get in the security bits, or I need to go look for some other solution and then cobble it all together. 

At Appdome, we decided to take a completely different look at the market. We built a machine that takes account of all these frameworks and then builds an implementation of the security based on the buttons you tick on the platform for the security protections you need, and delivers that solution, with no coding needed. In a world where you’re losing resources, we think the movement to more of a machine-based approach to mobile app security is going to win the day. 

How does that impact the compliance side of things?

Cyber compliance is a really critical topic. Firstly, there are external regulatory compliance requirements. Secondly, there are a bunch of internal-facing requirements. Mobile brands oftentimes publish some sort of cyber pledge on their website for general security, saying ‘We protect your data this way.’ What is becoming very apparent is that those cyber pledges apply to the mobile app too – it’s not just about the website anymore. It’s not just about the way that your data is protected in the backend infrastructure; it is all about the mobile end user using a mobile app. 

Being able to do things like ensure that the cyber protections are actually built into the app is a cyber requirement, but the work is done by developers. So how do you bring the developers and cyber team together? Do you produce artefacts within the production process that say, ‘This encryption was added’, ‘Obfuscation was added’, or do you reverse engineer whatever the features are that the mobile brand is looking for? The ability to do things like UI testing is super important too. All of those compliance elements have to fit together into this jigsaw puzzle called mobile app development. Over the last two years, we’ve seen this go from kind of a low-level thing to a high priority within cyber organisations.

To find out more about securing mobile applications, tune into Episode 31 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Exploring Key Talent Topics in Cyber Security

There are talent shortages across the Cyber Security sector, and startups are no exception. On Episode 30 of The Cyber Security Matters Podcast we were joined by Crystal Poenisch, the Director of Product Marketing at Chainguard, to talk about her views on the talent issues facing the sector. Read on to find out what she said. 

What do you think companies can do to attract people from diverse and non-traditional backgrounds into the cybersecurity industry?

I think they’re already attracted – I think they’re desperately trying to get in. There are people more qualified than me that can’t get jobs. Companies need to make their company accessible and welcoming to diverse people from different backgrounds. I couldn’t be a director at a public company, they had to give me a ‘head of’ title because I didn’t have a master’s degree or an MBA. That was just five years ago. There are people who are attracted to the industry, so it’s about recognising the ones we can bring in and train up and not looking at it like we’re training them from the ground up. People from non-traditional and diverse backgrounds are often the fastest learners and the most agile and innovative people I’ve ever employed. 

How have you seen diversity kind of change in the industry since you joined?

It hasn’t changed as much as I’d like. I wish it would change more. I think one big thing that is really heartening for me is that there are male allies and allies across the board for people from all backgrounds, not just women. There is a lot more blatant support for these things and a greater recognition of the need for diversity. We need to hire more people, so more people are coming in and it is more welcoming. I see that the women who have come after me have had a much easier time, and it’s a lot easier to join now as someone from a non-traditional background.

You mentioned that bringing in people from a wide range of backgrounds benefits growth. Could you explain that a bit more? 

When building a startup, you need people with skin in the game who want to win as much as you do. People who have not been given a shot are gonna be pretty hungry to win, and I think that was our competitive advantage at Okta. We intentionally hired people from non-traditional backgrounds all over the world, and we adopted an international, remote-first style of work, even before COVID. 

We said, ‘Let’s get people from all different backgrounds who align with our values, and hire team players who are resilient, who want you to win, and who aren’t just in it for the paycheck. We’re looking for the people who are genuinely trying to change their lives, and get into cybersecurity to make their life better for their family.’ Those people are deeply invested in your success and are going to help you grow in ways you may not even imagine. They have so much to offer from different backgrounds, and that will come in handy when you really need utility players who are passionate about your company. 

What are the key talent topics that need addressing the most at the moment?

I can only speak for what I see in startups, but I think the Cyber Security industry faces a massive talent shortage. There are stats out there saying that there are a million jobs that we need to fill that we’re not filling. There’s a lot of people saying we could just automate those roles, we don’t need to increase diversity, equity and inclusion in the talent base, or that we could figure out a technical solution. I don’t want to say that’s naive, but we need to think bigger than that. 

Some leaders do this well, but I think we don’t hire for things like grit, resilience or people who have something different to bring to the table. When you have people always solving the same problems the same way from the same backgrounds, you become worse problem solvers. We need to adopt the mindset that we have done a less than sufficient job securing our critical infrastructure for the last however many years because no one has paid attention to the industry as a whole. It hasn’t been regulated, and diversity has not existed in Cyber Security. We’re seeing a lot of holes, and we’re seeing the pitfalls of that. 

There are a lot of problems we cannot solve in this industry right now because we don’t have enough innovative people involved. I speak from a Western and American perspective, but our biggest challenge is finding talented people. We need to learn to recognise talent in a more broad and cross-functional way because different people bring a lot to the table. If they haven’t been working in cybersecurity for 20 years, that might actually be a benefit. We need to learn to recognise different skill sets that maybe we haven’t had traditionally. 

To hear more from Crystal, tune in to Episode 30 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Addressing Diversity at a Grassroots Level

Diversity and inclusion have been prevalent topics across the Cyber Security industry for a number of years. On Episode 28 of The Cyber Security Matters Podcast we spoke to Aarti Gadhia, the Principal Security Specialist at Microsoft and the Founder & CEO of Standout To Lead, about her perspectives of diversity in the industry. With over 15 years of experience in the Cyber Security space, as well as being named as one of the Top 20 Women in Cyber Security Canada, Aarti has some incredible insights on the topic. She also shared her advice for companies who are looking to address diversity at a grassroots level, which you can read below. 

“Change is taking place – which is good – but we need to accelerate that change. There are so many statistics that show how far we still have to come. ERG’s have been formed to influence changes at an organisational level, but everyone has to solve this problem. We shouldn’t just leave it to the affected groups to solve it. The first thing we could do better for diversity is acknowledge that everyone has a bias, including me, and we need to challenge it. Hiring managers need to find ways to challenge their own biases, which means starting by looking at your existing process and seeing where you could improve it. Each hiring manager needs to challenge their own process and look beyond just having 50% of resumes that are from diverse candidates. That process needs to be changing. 

The industry as a whole has been talking about changing the requirements. Instead of putting the emphasis on the number of years’ experience that you need to have in order to get a management position, the emphasis should be on demonstrating strong leadership qualities, right? Just changing that will give people an opportunity. There’s a great one that I saw on LinkedIn, where men get hired on what they’ll bring to the company or role, versus women, who are hired based on what they have to prove. Give everyone an opportunity! Instead of pursuing the standard or traditional qualification you’ve always hoped for, change your requirements to give other people a chance. 

After that you need to look at retention. The industry is doing a good job in bringing more women, but that’s not what it’s about, because at the same time women are leaving the industry. There are two reasons for this: the first is a barrier for growth opportunities, and the second is a lack of inclusion or belonging. We’ve heard in one of your other podcasts someone who shared that she was told she was emotional at work. The issue is that feeling of being labelled. We don’t feel welcomed when we can’t bring our true authentic selves to work, and that’s why we leave. 

I’ve seen many organisations try to solve this problem by sending us all on leadership courses, but it’s not about a lack of leadership skills. It’s about opening the doors and fixing that broken rung on the ladder. You’ve got women in your company, but what are you going to do to retain us? Are you going to give us the opportunity to develop? That’s another thing that the industry needs to really think about; how do we grow diverse talent and retain them? How do we make sure that they can continue to be their authentic selves? 

Finally, we need allies. We’re seeing allies in the industry who are supporting us, but we need more to take action. I get so many allies that come to me saying, ‘this is important because I’ve got daughters’. My next question to them is, ‘if you didn’t have daughters, would this still be important to you?’ It shouldn’t be a checkmark exercise for individuals. Everyone needs to solve this problem. It shouldn’t be hard to solve this problem if everybody’s on board. For allies, think about what you can do. Start thinking about what you can start implementing – don’t wait to be told. Don’t worry about saying the wrong things, because what really matters is that you’re genuine. We just need your voices. We need everyone to be on board, because that’s how change is going to take place. Try different things out – even try reverse mentoring. There’s a lot that you can learn. Try seeing things through our lens to better understand what’s happening. 

There’s a lot I could talk about when it comes to what needs to change. Fundamentally though, it comes back to those three things: bias, retention, and allies.

To hear more from Aarti, tune into Episode 28 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Inside a CTO Role

The role of a Chief Technology Officer develops as rapidly as the technology that they work with. On Episode 27 of The Cyber Security Matters Podcast, we were joined by Nurettin Erginoz, the CTO at Radiflow, to explore his experiences in the role. Here’s what he said:

Can you tell us about your journey to becoming Radiflow’s CTO? 

I had just started as a teaching assistant at the University when DDoS attacks became much more popular in some hacking groups. They were targeting some government places and agencies. I got an invitation from one of the companies that is famous for innovative application firewalls and DDoS mitigation and protection services. I joined them as an information security management and technical director. 

Then IBM has a role there too. I was initially responsible for Central and East Europe there, but they upgraded my position to the whole of Europe. That gave me the chance to meet different cultures and see different attacks in different geographies and sectors. 

A big milestone for me is going to big educational places or different sectors like government, military, etc. to see exactly what is happening there. I built a team as a Deputy General Manager from scratch – I created the whole cybersecurity team and SOC and forensics labs as well. Afterwards, I jumped into a startup, which we took to exit in three years. I got hands-on experience with mergers and acquisitions, then transitioned directly into this CTO position, concentrated on the strategic part, because security is a live sector. 

Even day-to-day, everything is changing in our sector, so strategy is very important here. From a product perspective, the attack surface and technical elements, together with the strategic selling points, mean that there is a lot to stay on top of—even before reaching regulatory milestones.

What are the main challenges that are that are faced by any CTO?

For any CTO, it is a challenging role. Previously, it would have consisted of managing the research and development team and focusing on coding, but now everything is changing. We have DevOps teams and SEC ops teams, and everything is connected. The threat landscape is changing too, so CTOs have to understand whether they’re coming from cyber or not. All CTOs have to understand the threat landscape, because of the concerns around security and balancing it with business goals. The product should be running without security blocking its process or development. 

Compliance and regulations are another challenge for CTOs. The number of regulations is increasing day by day, so CTOs are having to get familiar with the area that their product or company is in. When their management adds another topic connected to the supply chain, that adds more security as well that we have to understand. It’s a CTO’s responsibility to manage the vendors and understand performance and risk levels as well. 

There are so many challenges to juggle, like incident response, cloud security, IoT mobility, and the board and executive committees’ coordination. Communication is another big topic that all CTOs must concentrate on because we are always talking with stakeholders. 

To find out more about life in a CTO role, tune into Episode 27 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Facing Challenges in the Cyber Security Industry 

The Cyber Security industry faces challenges on a daily basis due to the nature of its work. However, its challenges aren’t just security threats. On Episode 24 of The Cyber Security Matters Podcast we were joined by Michele Chubirka, a Cloud Security Advocate at Google, to talk about the wider challenges in the industry. Michelle has led a remarkable two-decade career in cyber security and has a background as a cloud native expert, giving her a wealth of insights into the space. Here’s what she shared with us: 

“Information security can be a struggle. There’s something called witnessing windows or common shock, which is when we see the small violence and violation that happens in our day to day lives. Well, that’s information security to a tee. You have the big breaches and traumatic events – you’re reading about it now with the movement hacks, ransomware, etc. – but every day you experience the vulnerabilities in your organisation. You report on them, saying ‘Hey, you have these vulnerabilities and they don’t get remediated’, and the solution technically seems very simple, but it’s really an adaptive challenge because it has a lot of dependencies and unpredictable human beings are involved. 

A lot of security people experience burnout after a while, because you want to do the right things, but there’s a social issue where people don’t or won’t collaborate well enough to solve the problem. Cyber Security is a challenging field because people are drawn to doing technical things and being engineers, but then find out that they have to work with people, which is a very different skill set. When I started, teams were super small and you could solve a problem end to end yourself. That’s not the case anymore. Now you have huge teams of hundreds of people working on a single application. Now you have to worry about getting people to talk to each other. You have to resolve conflict. 

I wish somebody had taught me to improve my people skills as well as focussing on my technical skills in my professional development. The social science that I’m studying is restorative practices and restorative justice, which is about building human capital or social capital by finding ways to repair harm, restore relationships and build community. If our organisations and companies aren’t communities, we’re going to struggle to build a truly secure cyber environment. 

The problem is that people are really attached to this idea of security being like law enforcement or a military framework. We think of threats as attackers, and there’s a lot of accepted victim shaming. When something happens within an organisation and the bad guys leave, you’ve got to clean up and recover from the trauma of what happened. That’s when the blame shifts. People start asking ‘Who can we blame internally for this problem?’ Then you get some victim-perpetrator oscillation where there’s a blaming game. Then the victims are being held to account as perpetrators because they didn’t secure their systems or they didn’t do the things that you asked them to do. That’s not helpful. 

There are a lot of reasons why developers don’t always write secure code or update their dependencies. Sometimes the systems that security people put in place are not friendly or easily consumable. Developers may be under really tight timelines and they’ve got way too much on their plates, so how much is really their fault? There are often swirling, interpersonal, conflict-ridden situations that create anger and resentment, because security professionals are doing their best but they feel like they can’t make enough change. This is exactly what happens when you’re faced with these witnessing windows, where people are disempowered but aware of what’s happening. When you’re in that situation, you know what the problem is but you can’t change it, the results are stress and eventual burnout. 

That’s really the problem with information security right now. People are building great technologies and there are new techniques coming out every year, but the attacks only get worse, and the job seems to get harder. So what are we doing? I think the reason that the situation is the way it is is because we’re having people problems – it’s not simply a technology problem. 

To learn more about the challenges facing the Cyber Security industry, tune into The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Inside Data Loss Prevention

In recent years there have been growing concerns around privacy and data loss. On Episode 22 of The Cyber Security Matters Podcast we spoke to Chris Denbigh-White, the Chief Security Officer at Next, about data loss and how it’s affecting the industry. Here are his thoughts: 

Data loss prevention has always been the ugly friend of cyber security. If you mention DLP to 9 out of 10 cyber professionals they’ll say, ‘this doesn’t work, but we’ve got to do it’. It’s effectively a tick-box exercise, but it’s a box that does nothing. It’s the old adage of a firewall that has allow rules going both ways. We have to do it though, because otherwise some of our users either complain massively, or are blocked from doing their job. That’s something that Next aims to address; we’re trying to provide DLP that makes sense. That means using machine learning to understand user behaviour. 

I like to understand people’s business processes and build guardrails around what they actually need for security. We’re here to ensure that people who do business and make money don’t lose all their data or have it stolen, as well as protecting them from getting massive GDPR fines. Security itself doesn’t make the business any money, but not having security can cost a business a lot. That means that we need to understand what is valuable to the business and find a way to protect it. 

That’s different from typical data loss prevention tools. We need to understand things like ‘how does this company deal with things like insider risk and insider threats?’ We’ll think outside the box, like ‘Why don’t we address risks through behavioural change and training people on better cyber practices, rather than relying on draconian controls?’ I strongly believe that what we’re doing increases business cadence and reduces friction by approaching DLP in that way. That’s something that I think AI and machine learning are going to help people understand better, because they’ll be used to understand the people around us better and therefore they’ll uncover internal and external threat actors more effectively. 

The way that we approach things is by helping companies understand what normal is, and helping them to address the question ‘Am I happy with what that normal is?’ Our solutions are built by asking things like, ‘Do I want people uploading things to this web application and not that web application?’ That’s a well trodden path to data loss. Another common issue is the use of copy and paste. On one hand, I want users to be able to copy and paste because we’re advocates of strong and long passphrases and the use of password managers – all of which utilise copy and paste. But on the other hand, I don’t want people copying and pasting swathes of sensitive data from sensitive apps and into a text file that’s then emailed off. 

We’ve moved away from just file based data loss, because people lose data in more ways than you’d think. There are copy and pastes, web uploads, Chat GPT prompts… being able to understand and control your data in those ways is its own tool. There’s a business process where we help companies identify their normal and their risks, then we set up specialised guardrails in a super simple process. I think that’s the future of the space. Companies that develop schooling to support security that’s done with people are going to succeed moving forward, whereas increasing levels of draconian control and intrusions are going to come to an end. 

To learn more about protecting your data, tune into Episode 22 of The Cyber Security Matters Podcast

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

From National Security to Cyber Security With Mark Daniel Bowling 

The Cyber Security space is an exciting one to be part of. On The Cyber Security Matters Podcast we regularly ask our guests how they get into the industry, and on Episode 21 our guest had a fascinating answer. We were joined by the CISO of ExtraHop Mark Daniel Bowling, who has over 20 years experience in Cyber Security, beginning as a special agent and cyber crimes investigator for the FBI. Since then he’s transitioned into several roles, most recently as the Chief Risk, Security, and Information Security Officer at ExtraHop. He shared the story of his unusual career path and his advice for other people who want to make a similar journey. 

How did you first get into the cybersecurity industry?

It was almost entirely a consequence of my service in the FBI. I spent six years in the United States Navy, where I was supposed to go into submarines, but I ended up on a carrier because we won the Cold War back in ‘91, so we just didn’t need as many subs. I did a little bit of time in the corporate world and didn’t love it, then I joined the FBI in 1995. That was right as cyber was becoming a thing. We didn’t even have a cyber division in the FBI back then, but we had a cyber investigation section coming out of the white collar branch. We created what was known as NIPC, or the National Infrastructure Protection Centre, then eventually when Muller came in, in 1999 or 2000, he created the cyber division. I grew up in the FBI and cyber at the same time, because I was an Electrical Engineering and Computer Engineering technologist, so it was the right place for me to go. 

I made a great career in cyber in the FBI. When I retired from the FBI I went to another agency, which was the Department of Education, making a transition from a very serious law enforcement and intelligence community agency to the one that was more public facing. After that I retired from federal service and then I went into the public sector as a full time employee, but then I started to move into the consultant track where I’ve had multiple great partnerships with customers, and it was really good. I went back to full time employee status when I came to ExtraHop a couple of years ago. So that’s the route that I took, but I would say my experience in the FBI was really what pushed me into cybersecurity.

Who or what has been the biggest influence in your career?

Because much of my career was in public service, the biggest influence has been the amazing public servants that I met in my career. My role model was a man in the United States Navy named Admiral Larsen. He was a four star Admiral, and I worked for him in the Pentagon. He was just an amazing man. Anybody who knew Admiral Larsen recognises what a great leader he was. 

In the FBI there were a couple of amazing public servants too. I would say David Thomas, who was one of the early assistant directors of the cyber division, was also a great man. He helped build the cyber programme within the FBI. He was one of the great men I knew in the FBI. 

And then at the Department of Education there was a man named Chuck Cox. He was in the Air Force Office of Special Investigations before he went over to the Office of the Inspector General. He has since passed away, but he was a tremendous man. Each of those individuals modelled public service in an amazing way for me.

How do you feel your background within the FBI has shaped your career working for a security vendor like extra hop?

I think it’s absolutely vital that anybody who works in security understands the nature of threat and risk. If all you do is think about technology, you’re missing the boat. The job of the business is to stay in business, make money, acquire and retain customers, sell more products, provide better services and increase not just your profit margin, but also your presence in whatever sector you’re in. They don’t want to have to worry about cyber security, so the cyber security folks have to understand the threats to the business for them. 

You have to be able to see things in terms of risk, and that’s what the FBI did for me. One of the things that Muller did when he came into the FBI was created priorities, and we created those priorities based on the risks. After 1991, the number one priority in the FBI was counterterrorism, number two was counterintelligence, and of course, number three was cyber because of the growth of cyber attacks at that time. So what I learned in the FBI was to see things in terms of risk, understand a threat, appreciate the capabilities of the threat actors, and then turn around and prioritise and your resources appropriately to reduce the threat either by remediation or mitigation. If you can create compensating controls around the threat, it reduces the actual risk. At the FBI I learned that you can accept some threats, others you just have to remove, and some you can create compensating controls around. 

What one piece of advice would you give to someone entering the industry?

I would tell them to one, stay humble, two, listen, and three, be willing to do things that you’re not comfortable with so that you can learn from the experience. There’s different reasons for learning. You should learn how to do something you’re not comfortable doing so that you appreciate the people who do it on a daily basis. You should learn to do something to understand the level of effort that it actually takes, so that when you ask people to do it as a leader, you know what they’re going to do for you and what they’re going to have to give up to get it done. 

To learn more about Mark Daniel’s experiences and insights, tune into Episode 21 of The Cyber Security Matters Podcast here. 

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Securing the Cloud in Cyber Security

Securing the Cloud is a major challenge across the Cyber Security industry. On Episode 19 of The Cyber Security Matters Podcast we spoke to Abhishek Singh, the Co-Founder and CEO of Araali Networks, about how Cyber Security professionals are navigating the growing challenges of keeping the Cloud secure. Abhishek has 25 years’ experience in Cyber Security, including a period in which he led a team to build a data centre scale platform to enable micro segmentation and security in a virtual machine environment. This wealth of experience gives him some great insights into the current issues around securing the Cloud. 

Could you explain what zero trust is and what the biggest problems are with implementing it?

Zero Trust has become a buzzword. Zero trust people say ‘trust nothing’, but zero trust is fundamentally a networking concept. That concept is actually very simple. Imagine it as a castle and moat problem, where you have a castle and a moat around it called a perimeter. Everything inside the castle is trusted. Everything outside the perimeter is untrusted. If you have to come into the castle, you come through a firewall, and then you are trusted. So it is a networking concept which relies on perimeter security and having an open interior.

The problem with that approach is that your perimeter has to be perfect. If there’s one bad guy coming in, you’re in trouble. If one Trojan horse seeps in, you’re in trouble. If you’re building a zero trust environment you have to keep your controls inside out. Even if your environment is not pristine, every resource has to defend itself. 

The Cloud is very zero trust friendly in that it denies access by default, so if you want to expose anything online you have to explicitly open it up. However, egress is open. And that is the problem with zero trust, it’s too hard to close down egress. So if someone is already inside, going out is free, and that is what attackers abuse. So in spite of Cloud being very different, very novel, very thought through and upfront, egress is open. And that is the fundamental problem. 

What do you see as the biggest challenges in securing the cloud itself?

The real question is, ‘is the Cloud more secure?’ That is the biggest thing that people need to understand, and there is no straight answer. Depending on who you ask, they will give you a different answer. Many people believe the Cloud is more secure because Amazon has done a lot of good work there, and other cloud providers have followed suit. But the real rub there is, it’s as secure as you make it. Security is a shared responsibility, and Amazon is very clear about it. They are saying ‘we have given you the tools to make it secure’, but they have not done your work for you. Amazon has not secured your stuff. Coming from an on-prem background, when you go into the Cloud where there are new paradigms, it’s very hard to fulfil your shared responsibility. If you have not done so, Cloud is not more secure. 

The other challenge is attackers. On-prem Windows is a fertile ground for attackers to be doing things. They have not exploited Cloud. At some point though, that’ll change. Things like solar wind supply chain attacks used to be science fiction, right? The cloud is like that – it’s waiting to explode. It’s not that it’s more secure – it’s just that attackers have not diverted their attention to it yet. They’re still trying to go after Windows workloads on prem. The moment they come to Cloud, there’s a lot to be had.

Why do you think businesses like Waze have had such success over the last few years?

So the reason Waze has been successful is because of simplicity. Security has been very cumbersome over the years. Orca was the first company who came out and said, ‘We’ll give you a Cloud account, and without any agents we’ll go and survey it and show you visibility’. The ease of use itself was very compelling. My problem with that approach is that by showing your Cloud position, you’re making yourself more vulnerable. I know I’m vulnerable. I did not need to see a picture to get that insight. The thing I need to know is how do I not become exploitable? How do I remediate my vulnerabilities? That is still a hard problem, because the Cloud is hard. It’s difficult, which is why it is vulnerable. Showing me my visibility is not helping me become less vulnerable. The thing we should focus on is remediation, and that’s the language of zero trust. The reason this became so popular is because of the ease of installation in a world where Cyber Security is hard to work with. Time to value is unspoken. 

To learn more about securing the Cloud, listen to Episode 19 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Tackling Talent Challenges in the Cyber Security Sector

As recruiters, we’re often faced with a number of challenges when it comes to sourcing talent in the cyber security sector. On Episode 18 of The Cyber Security Matters Podcast we spoke to Jake Bernardes, the CTO for Whistic, about his perspectives on the topic. Here are his insights: 

The reality is that there never has been a skill shortage in cyber security. That is completely fake news. The problems are actually between the hiring manager or hiring team and the candidate. And those issues are extensive. Let’s start with the kind of person that the hiring manager wants. Do they know what the key skills are that that person needs to have? Secondly, people are very bad at writing job descriptions. The next problem is that once you’ve written the job description it gets translated to a job ad. 

We all rely on recruitment in our business. Usually HR are filling in for recruitment functions, and they don’t understand what I’ve told them they’re hiring for. Do they know what I’ve actually asked for? Are they translating something which doesn’t make any sense? Are they adding things because they are standard requests, like ‘must be college or university educated’, ‘must have this qualification’ etc, when I actually don’t care as a hiring manager? The problem is when that person HR misinterprets my request and does not put the right spin on it when it goes out to market. 

There are then two more problems in that situation. Firstly, that description doesn’t make a lot of sense, and secondly it’s not focussing on the right keywords. We’re often having issues with the salary as well, because this is a high-paid field. We’re going out to recruiters who can’t fulfil a role where the requirements don’t make sense and the salary doesn’t work. It’s impossible to find someone that doesn’t exist, so it creates the illusion of a talent shortage.  

The flip side is that I don’t have a shortage of candidates. What I have is an inability to screen candidates properly because everyone has realised that there’s money in cyber so they’ve made their resume cyber orientated. If HR does the screening, they don’t have the competence to know what is or isn’t relevant. They often miss potential gems because the resumes are quite simple but have one really interesting line at the bottom. They just go and find an SRE or cybersecurity analyst. HR puts on a layer of nonsense that they think makes sense, including a salary banding which is completely unrealistic, then throws it to recruiters and hopes that they can turn carbon into diamonds. 

Our industry is a weird one. There are so many people who are very good, but on paper they shouldn’t be good. On paper they should never have even been in the interview. Standard education and experience doesn’t allow me to spot the people who are going to excel, but people’s passion projects do. And so I stand by my statement, there is no skill shortage here. There is a fundamental disconnect and a poor process between cybersecurity leaders and the candidates who are applying. Everything in between those two dots is broken currently.

To learn more about the talent challenges in the Cyber Security sector, tune into The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Cyber Security and AI: Insights from David Stapleton

AI has been sweeping the internet for months since the release of Chat GPT 3. As the world looks at the implications of these powerful new AI models, the cyber security industry is no exception. On Episode 17 of The Cyber Security Matters Podcast we spoke to David Stapleton, the CISO at CyberGRX, who we met at the RSA conference. With over 20 years of experience in business administration, cyber security, privacy and risk management, David has a unique expertise that makes him the perfect person to share insights on the relationship between Cyber Security and AI. Read on to hear his thoughts! 

A lot of attention has been paid to AI – with good reason. I have this mental model where if my mother is aware of something that’s in my field, that’s when it’s really reached the public Zeitgeist. When she asked me a question about the security of AI, I knew it wasn’t a niche topic anymore. 

Artificial intelligence is an interesting phenomenon. Conceptually, it’s not that different from any other rapid technological advancement that we’ve had in the past. Anytime these things have come up, the same conversations have started to happen. With the advent of cloud there was a real fear that was sparked – particularly in the cybersecurity community – around the lack of control over those platforms. We had to trust other people to do the right thing. How do I present that risk to the board and get their approval for that? Maybe it’s a good financial decision, but we are introducing unnecessary risks. 

Another example of that may have been the movement towards Bring Your Own Device (BYOD) and allowing people to connect their personal devices to company networks and data. That sounds terrifying from a security perspective, but you can see how that opens the door to increased productivity, efficiency and flexibility. 

AI is not too dissimilar from that perspective, and we can see plenty of positive aspects to the utilisation of artificial intelligence. It’s a catalyst for productivity which could provide exposure to multiple different data points and bring together salient insights in a way that it’s hard for the human mind to do at that kind of a speed. It can also reduce costs, bring additional value to stakeholders and potentially help companies gain competitive advantages. 

Conversely, there are potential risks. It is such a new technology, and we’re still learning about how it works as we’re using it. There’s a lot of questions from a legal perspective about the ownership of the output of different AI technologies, particularly with the tools that produce audio visual outputs. The true implementation and impact of that isn’t going to be known until the courts have worked those details out for us. 

We’re in a position now where some companies have taken a look at AI and said, ‘We don’t know enough about this, but we feel the risk is too great, so we’re going to prohibit the utilisation of these tools.’ Other companies are taking the exact opposite approach: ‘We also don’t know a whole lot about this, but we’re going to pretend this problem doesn’t exist until things work themselves out.’ 

At CyberGRX we’re taking a middle of the road approach where we’re treating AI models as another third party vendor that we’re using for work purposes. We’re going to share access or data with that tool, but we need to analyse it from a security risk and legal risk perspective before we approve its utilisation. That’s a fairly long-winded way of saying that there are amazing opportunities for AI but there are risks. 

We’ve already seen threat actors starting to use artificial intelligence to beef up their capabilities. You could understand logically how artificial intelligence gives a fledgling or would-be threat actor the ability to get in the game and take action sooner than they otherwise would be able to. When Chat GPT first was released to the public, the very first thing that I put into it was ‘Write a keylogger in Python’. That’s a little piece of malware that will log your keystrokes and collect things like passwords or credentials. It just did it. It was there on the screen as a perfectly legitimate piece of software. Since then they’ve tightened the controls, but there was a time when someone with bad intent could start producing different types of malicious software without even learning to code.

To learn more about the uses of AI in Cyber Security, tune into The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

RSAC: Insights, Community and Cybersecurity Trends

Spring is blossoming in San Francisco, the highly anticipated #RSAC2023 commences attracting leaders and companies from around the world.

Being my first conference, I embarked on this journey with a mix of excitement, nerves, and curiosity.

The big takeaways from the conference were the valuable insights into the cybersecurity industry, the strong sense of community and the hot topics of investments, the impact of AI and talent shortages. Additionally, we had the opportunity to explore the vibrant food scene of San Francisco, which added a cultural touch to the conference experience.

Grand Opening and Impressive Booths

The conference kicked off with great anticipation, as attendees gathered in the entrance hall, the atmosphere was electric, and the buzz of excitement was palpable. As the doors opened, a polite stampede of cybersecurity enthusiasts filled Moscone South Hall. The sight of numerous booths was awe-inspiring, with companies investing substantial resources to impress and display the immense potential of the cyber security world with exhibits highlighting the industry’s advancements and potential.

Networking calls and conversations up to this point had evolved around RSA Conference, emphasising its values as a place to connect and meet face-to-face.

Community – Diversity & Inclusion

The most profound takeaway from my first RSAC was the vibrant and supportive community within the cybersecurity industry.

As a newcomer, the community came across as surprisingly friendly and collaborative.

I had the privilege of attending the Women in CyberSecurity (WiCys) drinks event, where representatives from Microsoft, Amazon and Google gathered to promote diversity, the motto “not done yet” resonated strongly emphasising the importance of the continuous effort needed to enhance diversity in this tech space.

The next morning, I attended the Women’s in Cyber breakfast, featuring a panel discussion with founders, CEOs and CISOs. The conversation revolved around the challenges faced by successful women in maintaining work-life balance. It was inspiring to witness the support within the community, with ideas exchanged freely, fostering growth and empowerment.

Insights and trends

Apart from the community aspect, RSA Conference 2023 offered valuable insights into trends and concerns.

Investments

One notable takeaway was the significant investment in the Cybersecurity sector. Funding for Cybersecurity start-ups increased from $2.4 billion in Q4 2022 to nearly $2.7 billion in Q1 2023, underscoring the industry’s growth and the recognition of its importance in the digital landscape.

AI – Changing the landscape.

Discussions throughout the conference highlighted the transformative role of artificial intelligence in the Cyber security industry. AI technologies are reshaping the landscape, influencing threat detection, incident response, and overall security operations. The integration of AI into cybersecurity practices has become indispensable for organisations to stay ahead of evolving threats.

Talent shortage and calls for solutions.

Addressing the shortage of talent has become a top priority for organisations with discussions focussing on strategies to attract and retain skilled professionals. Collaborative efforts are necessary to bridge the talent gap and nurture a diverse and competent cybersecurity workforce.

Amid networking and business meetings, we took the opportunity to explore San Francisco’s renowned food scene, indulging in the famous Clam Chowder, Oysters, and the Buena Vista Irish coffee.

While RSAC is over, another key takeaway is that the fight is not over, so we look forward to next year to witness the continued growth in the industry and learn new and innovative ways to disrupt cybercrime.