Cyber Insights: Dr Jessica Barker in conversation with Chris Dunning-Walton
Jessica Barker, CEO and Co-Founder of Cygenta and chair of ClubCISO, spoke with Chris Dunning-Walton, Director of InfoSec People and CyNam, to discuss Jessica’s new book, “Confident Cyber Security”, which brings the human side of cyber security to the forefront and addresses some of the challenges faced by CISOs and non-technical security leaders. Jessica and Chris discuss the current challenges in the industry, the future of cyber as a business enabler and the go-to books for leaders in cyber security.
CDW: Thank you for joining us, Jess. Congratulations on your fantastic new book, “Confident Cyber Security”. What inspired you to write the book?
JB: I was actually approached by the publishers, which was very nice! The publishers have a series called “Confident…” for example “Confident Coding” and “Confident Web Design” and they wanted to do one for the first time on Confident Cyber Security. I came onto their radar and I jumped at the chance to write something that I would have loved to have read ten years ago, when I was first starting out in the industry. Also, the title “Confident Cyber Security” fits perfectly with the work I do and the ethos we have at Cygenta of how to be positive, how to be empowering, how to help more people understand cyber security and not be intimidated by it.
CDW: So why this book and why now?
JB: It feels like over the last few years we have seen a real increase in attention on cyber security and it has now gone mainstream. We consistently see it in the news, or in movies and TV shows about all sorts of things and you see cyber security popping up as a theme. There is much more of an understanding that cyber security cuts across all our lives now as we are so much more dependent on technology, so it felt the right sort of time to write something that would appeal to lots of different people. Also, we have seen much more recognition around the human side of cyber security over the last couple of years, so it felt like a good opportunity to write something that brings together the technical, physical and human sides of cyber.
CDW: Jess, you own a successful business in Cygenta, you are very busy on the circuit giving up so much of your time willingly to talk with people like me, and you’re the Chair of ClubCISO. How do you fit everything in?!
JB: Well, very little sleep and lots of hard work! But I enjoy what I do so that helps massively. I also have a great husband who is also my business partner so that helps a lot because we are always a team, whether that be work stuff or home stuff, which is very fortunate. We also have an amazing team at Cygenta who work really hard and are very smart and dedicated people, who help us as a company move forward and grow. You can’t do it all yourself; having the right people around you is fundamental to success.
CDW: So, what frustrates you most about our industry currently?
JB: I see lots of positive in our industry. Our community is really positive, and we can achieve so much when we collaborate. Collaboration is so powerful in cyber and we see that in Cheltenham with all of the initiatives here; everything going on at Hub8, with CyNam and with what the NCSC are driving with CyberFirst Schools. What we achieve when we band together is amazing, so I get really frustrated with the occasional negative elements of the industry. There are some people who unfortunately have a tendency to tear others down and let their competitive natures drive how they behave and that’s frustrating because, the way I see it, most of us are in this job for the same reason; we want to make a positive difference and work together to achieve so much more.
CDW: In business it seems there is a misconception that in order to be an effective leader, you have to be an aggressive “Alan Sugar” character. “Nice” seems to be an underrated characteristic in leadership unfortunately. What helped you to become an inspirational leader?
JB: I was recommended a great book a few years ago when we started Cygenta by some friends, Nicola and Ian Whiting at Titania, ‘The Go-Giver’ by Bob Burg. It completely reflected our own ethos at Cygenta and it sums up that you don’t have to be cut-throat or try to knock others down in business to be successful. If you support others, that can be a truly effective business strategy as well as a great way of just being a really nice person!
CDW: What are you most excited about for the future of cyber?
JB: I love seeing new people coming into the industry, whether that be school leavers, graduates or people who are mid-career and transitioning across. I love seeing people come in from different backgrounds and under-represented groups, who might see things differently because they haven’t got a technical background or bring skills from a different industry; I find that really exciting. We are such a broad field that if we are seriously going to solve some of the problems facing us, we need lots of people who have different experiences and can think differently to face new challenges and solve problems differently.
CDW: As a sector, we still seem to struggle in gaining traction around the uptake of cybersecurity across nontechnical areas of the business. Do you think the message that cyber isn’t just a technical concern is getting better?
JB: It takes time and it’s a big shift in thinking. I think we have a long way to go with that; I still talk to boards who need a lot of education to understand the people element. I also find that some managers within businesses have kind of got the message but seem to think they just need to do some work on security awareness to fulfil a requirement and tick a box. I think we have got some way to go to really enable people to understand what it means to embrace the human side of cyber.
CDW: The book gives some great advice about finding a career in cyber. Sometimes we find that hiring managers can be generally risk-averse by nature – that’s their job! Is there a way that we can show the benefits of hiring capable people on an Attitude, Aptitude, Appetite basis (the risky option), rather than always looking for someone already doing the job?
JB: That taps into a common discussion we have within ClubCISO. We have over 400 members, all of whom are senior information security leaders and many of them recognise that we focus too much on experience and will say they know that ability and aptitude are way more important, but we are risk averse as an industry. If you’re a CISO who is hiring, you know that if something goes wrong, then the spotlight is shone onto you. It’s a high-pressure position to be in. If leaders who have successfully hired people from different backgrounds can showcase the benefit of that more, I think that would help.
We need to bring HR into the conversation. I speak to hiring managers who do want to take risks but find that the job spec that goes out will mandate certain requirements that they as a CISO wouldn’t necessarily be asking for. So, we need to enable that conversation between the two parties to find out what is actually required in a successful hire.
CDW: Cyber security leaders seem often to covet mastery; it’s a real driver for some people because that’s how they’ve become successful in their domain – they’ve become a master of a technical area which is backed up with various certifications. Do we think there’s an opportunity in the sector to ask security leaders to challenge themselves on why they’re making the hiring decisions they do?
JB: We all only have our world view to go on, so actively challenging our own beliefs sometimes can always be a good thing; saying “is there a different way to look at this, which could have these benefits?”. Security professionals are so busy, and we don’t always have time to reflect, so we naturally rely on what we’ve always thought and how we’ve always made decisions. Maybe it’s time for a change.
CDW: Perhaps creating a safe space where a CISO can be encouraged to think creatively on leadership and recruitment behaviours could be an enabler to more diverse hires, actively involving HR and demystifying cybersecurity for other business functions.
One of the career paths you talk about in the book is that of the CISO, which is currently an incredibly challenging position. Why do you think the role has evolved into such a difficult one over the last decade?
JB: In ClubCISO we have this unique position where we are able to survey the members every year. Some of the issues we have highlighted in our Security Maturity Report in recent years are the lack of resources or limited resources in security. You are often competing with other departments, trying to secure the budgets that you need. In a lot of organisations that can be really challenging. Similarly, there are hiring challenges, as we’ve discussed, where CISOs really struggle to find the right people for their teams. Another issue is the lack of a set career pathway to becoming an effective CISO and a lack of clarity around what experience and knowledge you really need to be successful. Once you are in the role, how do you measure what success looks like? What are your metrics and how will you measure your progress? If you can’t, you’re in danger of only being visible if and when something goes wrong.
Another challenge that came through particularly this year was how slow organisations can be to develop their security vision and embrace or enable cyber as a positive change component, despite a CISO’s best efforts. So, the CISO can feel like they want to drive meaningful change, but the organisation hasn’t caught up with that or doesn’t value it, which can drive CISOs to look for their next opportunity.
ClubCISO also identifies lots of positive things, though. There is an overall sense that security postures are improving compared to last year and that budgets are slowly increasing, but one of the most heartening findings this year was that most CISOs found that their security capabilities had held up well when Covid-19 hit.
We surveyed the members a couple of weeks into lockdown and most were quite positive about how their organisation had coped so it feels like, during the biggest test of resilience and a huge increase in pace in digital transformation, their organisations had responded quite well.
CDW: A lot of the challenges for CISOs still seem to centre around communication skills. Being able to effectively communicate with the Board and translate between technology, security jargon and business risks remains key to success. Do we think there’s an opportunity for CISOs to gain more structured professional skills development around strategic leadership and communication to be more effective?
JB: Yes, there is nothing easy about learning good communication skills and understanding business strategy. Sometimes the backgrounds of CISOs just haven’t equipped them to the degree that is suddenly demanded when they are working with the board. So, I think business-focussed development for CISOs would be beneficial around how to work at a more strategic level and the politics of working with and influencing the board. A lot of that comes back to communication; both formally in the form of report writing and presenting, but the informal elements like influencing the board members outside of the boardroom.
CDW: What business books would you recommend to CISOs and other leaders in the business, Jess?
JB: “Measure What Matters” by John Doerr, which goes through the goal-setting system that he developed at Intel and then taught to Google, which is about setting meaningful metrics, which I think people struggle with on the human side.
“Radical Candor” by Kim Scott, which is about how to build a culture of good feedback and how to give feedback both positively and negatively; how to make sure you consistently give positive feedback so that you are then in a position to give negative feedback without it causing upset.
CDW: We absolutely would too, Jess! The more we can demystify cyber security for people at all levels, the better. Finally, what’s the next book going to be about!?
JB: There is a book I’ve had on my mind since before I wrote this one, which would be for people who are not in security and don’t necessarily have an interest in getting into security, but want to understand how it relates to them a bit more. My own experience really relates to people like that and I would like to do something that tells stories to bring the message out to more people.
You can buy a copy of Jessica’s first book “Confident Cyber Security” here.
Thank you to Jessica for taking the time to speak to us.
InfoSec People provide Contingency and Executive Search solutions across cyber security and technology. All our actions are underpinned by our core values:
- Always do the right thing
- Be the best we can be
- Add value
Working with exciting cyber scaleups and FTSE100 corporates, we find the cyber leaders today who enable secure business tomorrow.