Expert Interview: CyberSecurity

Our ‘Thinking Out Loud’ series, delves into the minds of our experts, to find out about the important topics our clients are challenged with today.

This interview is with Florian Pouchet, Senior Manager at Wavestone with 15 years’ experience in cybersecurity. Florian who leads the Cybersecurity and Operational Resilience for Wavestone UK, providing oversight across a number of cybersecurity strategies, remediation programmes, crisis management exercises and recovery planning. He covers areas from strategy to execution across large-scale companies.

We discuss the current trends in the Cybersecurity space, explore the challenges he is seeing first-hand and Florian offers his personal thoughts on what can be done to address them.

I’ll approach this question by looking at the technology trends and what’s happening in the in the field.

In the last few years, we have observed the number of attacks increasing, as well as the level of sophistication of these attacks: overall threats are on the rise. This is confirmed with our  CERT-W reports, which found that the number of major incidents doubled last year.  I must mention the ongoing situation in Ukraine, which will have lasting impacts on businesses worldwide. This is also true in terms of cyber-attacks that could spread worldwide very fast. We all remember the global scale of collateral damage created in 2017 by the ransomware NotPetya, which was targeting Ukraine.

Attackers are professionalising their evil services. For instance, there are more and more “Cyber-Attack-as-a-Service” platforms (for example “ransomware-as-a-service”). Even commercial models have evolved and become more accessible to evil-doers by developing services that are pay-as-you-go, which is really slicing down everything in an easy to consume way.

Overall, we are in a world where the problem is only going to get worse.

The second key trend I see as important is the evolution of organisations.

Today, data is everywhere and an organisation is now a sum of many parts. This is not new, but, the COVID pandemic and the change in flexible working has made organisations realise and accelerate the move. Organisations are pushing for a faster cloud adoption, continuing to spread data outside company walls.

We are seeing organisations really shifting towards a Zero Trust model. It’s only the beginning, but there is real progress. It’s beyond the ideas stage, with programmes and strategies starting to be formed. I think, in the next five years we will see a lot more of Zero Trust Models, and the generalisation of such programmes.

The key challenge is the agility of organisations. Adapting to the threats and changing the way things are done. I think a key difficulty will be on the integration of the cybersecurity function, specifically into the wider organisation and of course, having the right people in place to deliver it.

Integration

There is a number of challenges to the integration of the cybersecurity function into the wider organisation: culture, wider processes, other functions and business lines.

I will start with culture. It’s been a problem for cyber for as long as cyber existed: it’s seen as expert topics, for a specific set of people. Moving away from this and building an understanding so that everyone feels concerned, interested, and can contribute to cybersecurity is something organisations see as a real challenge. We want to break habits, but it is hard – we are creatures of habit.

Secondly, integration into the wider processes of the organisation. Previously interactions with board-level executives were mainly for reporting. Now, with more incidents and major investment in cybersecurity improvement programmes, the cybersecurity team is progressively closer to the boardroom. However, there is still work to do to adapt the language and contribution. It needs to become a topic that everyone at the table can understand and be involved in.

Thirdly, integration in other functions, in particular with agile development processes, the new ways of delivering. During the pandemic, there was an acceleration of development and new platforms. It made organisations really think about security in Agile processes and secure development.

Lastly, integration with business lines, in order to make cybersecurity a business differentiator. A simplistic example of this is a bank, who’s main asset is the trust their customers have in them. It used to be based on your reputation and how thick the safe doors were and the bank would advertise all this to strengthen the customer trust.

In today’s digital world, you could imagine the bank building very strong cybersecurity measures and also to proudly boast about it and why they are better than their competitors. In practice, our clients are looking to more specific use cases to transform the cyber expertise into business value.

Again, it’s a question of channelling the skills and expertise of the function for other purposes, even simply marketing and communication.

Recruitment is very tough in the cybersecurity industry. It’s very hard to find talent – we are all fighting for the same skills! And while we need to face all the threats, we have a people gap that continues to widen. The government is putting great initiatives in place, like Cyber First, to address the topic and to enlist younger generations and to get them interested. But, these initiatives will take years to be visible on the market. So, the gap still exists, and we will probably be starving for talent for the next five to ten years.

There is a need for cultural change. A practical application is to build a cultural change programme that isn’t just about awareness, but really addresses the positive and beneficial impacts the function has on all the stakeholders and employees. Then, the topic is seen in a different light, not as a blocker or as mandatory training; rather as an asset, a new skill to learn. A cultural change programme with these elements can achieve that attractiveness.

Attracting the talent and of course retaining it is vital. This is something that the function hasn’t addressed much until recently. There is a need to focus on career paths, training programmes, evolution perspectives and the different ways to evolve in the function. Working on these kinds of activities and creating these assets will be part of the solution in the next few years and will help change the overall perception.

Cyber is of course a heavy user of computing resources. But, in particular in two ways.

Firstly, everything around encryption. Encryption operations themselves are quite heavy in terms of computing power. Based on my understanding about the impact of cryptocurrency, the computing power is very heavy. This is an aspect that needs to be addressed, particularly as quantum computers emerge. There will be a need to review and reconsider how we do encryption with different algorithm and different ways. It’s a good time to review how much a given algorithm consumes in an operation.

Secondly, is around backups. For all resilience and continuity reasons we backup many things. There is definitely a lot of optimisation that needs to be done. A good example is smart backups, which saves only the necessary data needed to recover and rebuild the infrastructure (eg. infra as code vs. full image). This in turn will reduce the overall footprint in cyber.

Progress can be made around these two points, but it will take time.

Due to the broad aspect of the discipline, requiring so many different skills, a consultancy is well placed to support and bring value to the table. Wavestone can bring value by helping to connect the dots, to formulate and communicate efficiently, to work with different stakeholders, and to bridge the practical expertise gaps, if there are any.