Pierre Noel, Field Chief Information Security Officer at Expel, on why security with community-based governance is a key business pillar that better positions organisations to become more resilient and target growth
It’s been a particularly rocky start to 2026 for the global cybersecurity landscape. From the Substack data breach to PayPal credential-stuffing attacks in February, we are not looking at IT failures alone. These attacks are balance-sheet events: direct assaults on business value, triggering remediation costs and long-term impacts on financial health. Compounded with the conflict with Iran, leading to potential ramifications in the cyber realm, it’s more important than ever for the C-suite to be aligned on cybersecurity priorities.
Despite this, a glaring disconnect remains in planning and execution. Expel’s research found that while 85% of finance leaders view cybersecurity as a key component of business planning, only 40% express full confidence in security’s ability to align with business strategy. To bridge this gap, CISOs must move from reporting on activity and start reporting on resilience and unit cost.
Translating Alert Volume Into Unit Cost
CISOs must change how they present the value of their operations. CFOs are largely indifferent to technical metrics like ‘millions of blocked pings’ or ‘SOC alert volume’ – to a finance leader, an alert is simply another form of disruption to daily operations.
To fix this, CISOs should introduce the ‘unit of cost protection’. By breaking down security spend into the cost required for a single transaction or business unit, CFOs can understand and manage it from experience. A tiered approach works best here: high-risk business units justify higher protection costs than low-risk ones. This allows CFOs to treat security as a scalable operational expense rather than a black hole of additional tooling – the kind of framing that also resonates in a boardroom.
Mapping Investment to Business Risk Exposure
Expel’s research shows that while 43% of finance decision-makers are confident that security can prioritise investments based on risk, only 46% are confident that security can deliver cost-efficient solutions. To move in the right direction, CISOs should shift from ‘vulnerability management’ to thinking about ‘business risk exposure’, requiring a different view of how threats unfold over time.
It’s all about asking the right questions. Instead of requesting more firewalls to protect a specific timeframe, start asking for the cost of securing diverse digital ecosystems across an extended risk window. The 2026 Winter Olympics is a good example: Russian-led cyber campaigns began raising concerns months before a single athlete arrived in Italy, proving that risk isn’t a one-day event but an ongoing operational cost.
For European organisations, this framing is increasingly non-negotiable. While NIS2 and DORA help make the cost of under-investment concrete and quantifiable, the upcoming Cyber Resilience Act (CRA), with key reporting requirements starting in September 2026, extends this pressure to anyone manufacturing or selling digital products in the EU. Even for purely domestic UK entities, the new UK Cyber Security and Resilience Bill is moving the goalposts toward these same high standards. Ultimately, CFOs must understand that cybersecurity isn’t just about preventing loss; it’s a prerequisite for safe and secure growth.
The Reputational Multiplier
So those are the questions to ask, but how do CISOs deal with the ‘unknown unknowns’, specifically long-term brand damage? While compliance fines under NIS2 or DORA may be straightforward (and important) to model, they rarely represent the full scope of the potential damage. In such scenarios, CISOs should propose a reputation multiplier: a framework for quantifying the financial fallout of brand damage in a language CFOs know and trust, looking past immediate recovery costs to factor in the long-term implications of re-establishing market trust.
The 2026 CarGurus breach illustrates this well. The breach affected 12 million users, and the cost wasn’t purely technical; it also came from the stock price dip and the marketing spend required to repair the brand. For UK companies, where regulatory scrutiny is heightened, that multiplier effect is even more pronounced. This is the language of a CFO, and it helps CISOs better translate the urgency and relevance of a strong cybersecurity posture.
Standardising the Language of ROI
Closing the gap between CFOs and CISOs needs more than just better data; it needs a shared vocabulary. By standardising the language of ROI, CISOs transform cybersecurity from a vague insurance policy into a transparent value driver fully trusted by finance teams. Move away from complicated defensive jargon toward a unified framework of unit costs, and the gap between the CISO and CFO starts to close.
Security has become a key pillar of business operations, and in the current threat environment, it’s genuinely a community-based governance issue. The organisations that get this right aren’t just more resilient. They’re better positioned to grow.
Chris Gunner, vCSO at Thrive – a leading NextGen MSP/MSSP, delivering global AI, cybersecurity, cloud, compliance, and digital transformation managed services – on how CISOs can position their cyber strategy to become part of how a business navigates uncertainty
Quantification of cyber risk is a growing trend. While this can be genuinely useful, in practice it is often misunderstood or over-applied by security leaders. It can range from an arbitrary figure to attempting to model every possible risk on the register in a Monte Carlo simulation. The focus can fall on the mechanics of quantification, rather than how financial decision-makers actually use the information.
Think of the CFO – they don’t walk through every penny in the budget. Instead, they usually focus on the board-level levers that can materially affect the business. These often include three key areas: strategic optionality, removing friction from capital events, and avoiding shocks and smoothing operating costs. Security conversations should be anchored the same way.
The Importance of Strategic Optionality
If faced with a credible one-year growth plan, CFOs may recommend a one-year office lease despite a 20% premium. This is because it maintains the option later of moving or re-contracting once the growth trajectory becomes more visible. Like most strategic decisions, it is about preserving flexibility in the face of uncertainty, even if that flexibility comes at a short-term cost.
If we apply this to a cyber context, there are often businesses that have taken a calculated gamble with their existing business strategies. While the plan is sound, there is a chance it might not land as expected. When they require security services, the choice between a ‘standard’ and ‘premium’ SOC frames the decision as one of optionality rather than security spend: paying more now to preserve the ability to adapt later down the line. A simple illustration is incident response. An on-call retainer with defined response times can look more expensive than ad hoc support, until an incident occurs and procurement becomes the bottleneck. In those moments, flexibility is often far more valuable than marginal savings achieved earlier.
Removing Friction from Capital Events
For CFOs, especially those operating in the alternative investment space, the focus is on structuring capital events, as opposed to managing day-to-day operational costs. One of the most painful points in that process is due diligence: the careful exchange between acquirer and target that aims to provide enough information for each to price risk, without giving the entire game away.
CISOs can materially influence how smooth or painful that process becomes. The most effective support often comes from understanding upfront what the diligence process will look like and preparing accordingly.
For example, they might develop executive-level ‘Security at ACME’ overviews to sit alongside more detailed trust centre or technical reports. Being available to diligence teams for interviews, and clearly articulating which services are outsourced to an MSSP and why, builds credibility between those executive teams.
Decision-makers often don’t look at penetration test reports at a deal level. They are assessing whether the organisation understands its own control environment. A well-prepared CISO who can clearly explain why certain controls exist acts as a trust amplifier during transactions.
It is often the difference between a diligence process that closes cleanly and one that drifts. Two organisations can have similar maturity. Yet the one that can respond within a day with clear, consistent evidence reduces follow-up questions, avoids uncertainty premiums in pricing discussions and prevents security from becoming a late-stage negotiation point.
Avoiding Shocks and Smoothing Operating Costs
Anyone who has worked with a finance partner to define a departmental budget will know that predictability often takes precedence over absolute cost. Contract value can be secondary to payment terms, renewal timing or the ability to forecast spend with confidence.
CISOs can align with this by looking to reduce unplanned operating expenditure, and by understanding the cost structure of their controls through communicating with the technical pre-sales engineer, procurement and account teams.
A good example is cyber insurance. While often purchased directly by finance teams, many policies are relatively off-the-shelf and provide access to services the security team already operates or has under contract. Other policies include notable exclusions for the events most likely to occur, such as a ransomware incident without business interruption cover. In many cases, these gaps can be addressed in-policy with a flat fee or a more predictable cost model.
The value here extends beyond risk transfer and into more predictable costs: replacing reactive spend with planned expenditure.
Aligning Cyber Conversations to Board Priorities
Across all of the above examples, the common thread is that the board is rarely asking security to prove its value in isolation, and is surprisingly comfortable with uncertainty. But they are asking whether the cyber papers support better decisions, fewer constraints and more predictable outcomes for the business as a whole.
CISOs who frame their priorities in those terms will find their conversations move away from justifying individual controls and towards understanding how security choices shape the organisation’s ability to respond to change. In that context, cyber becomes part of how the business navigates uncertainty, rather than a specialist function defending its budget. Speaking the board’s language, ultimately, is less about converting cyber risk into pounds and pence. It is more about understanding which levers matter at that level and showing how security choices influence them.
Security, AI, and Digital Resilience: A look inside Visions CIO + CISO
The cybersecurity landscape has never been so fast-moving or complex. The stakes have never been higher. A worsening geopolitical reality and increasingly sophisticated cyber threats mean that the role of security leaders is more pivotal than ever as devastating cyber breaches become a matter of “when,” not “if.” It’s a time for information and skill sharing, networking, and collective action in an industry facing a more challenging future than ever.
Visions CIO + CISO Summit brings together executive security and technology leaders and experts from the largest organisations in multiple industries to network and learn from the people driving innovation in the IT and cyber spaces. This year’s event took place between April 28-30, and featured 8 tentpole sessions, over 30 presentations from key industry figures, and more than 30 speakers across the various panels, fireside chats and peer-to-peer round tables that comprise the rest of the event. Speakers and solutions providers at this year’s event included Illumio, Threatlocker, LastPass, Claranet, Okta, Covertswarm, Intruder, and Ripjar RPC Services. Also in attendance were IT and security professionals from large-scale enterprises, including Currys, Astley Digital, 24/7 Home Rescue, H&M Group, IBM, MUFG (Mitsubishi Financial Group), Federated Hermes, Deliveroo, Experian, Saint-Gobain, and Nordea GSK.
At the event, and afterwards, we were lucky enough to catch up with some of the leaders speaking at Visions and get their perspectives on key trends affecting the IT space — from the ever-relevant issue of security to AI and digital resilience.
1. What’s the general outlook for the IT and fintech sectors right now? Is this a scary time? An exciting one?
“It’s an exciting time, particularly within the UK banking sector, where we’re seeing a real shift toward customer-centric innovation. Financial institutions are working hard to deliver seamless, secure, and personalised experiences—often by leveraging cloud, AI, and advanced analytics.”
“There’s a strong emphasis on modernising legacy systems, improving digital onboarding, and enhancing fraud prevention without compromising user experience. This push for technology-driven customer satisfaction is creating space for smarter, faster, and more agile solutions—making it a great time to be contributing to the evolution of digital trust and transformation in financial services.”
2. What are some of the challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“Many organisations are grappling with how to secure cloud environments at scale without slowing down innovation. Key challenges include visibility across hybrid or multi-cloud setups, managing identity and access with precision, and operationalising zero trust.”
“There’s also a strong demand for integrating security earlier in the development lifecycle—what we often refer to as shifting security left. People are asking how to reduce complexity, automate controls, and move away from reactive postures to proactive, real-time risk mitigation.”
1. What kind of outlook does an organisation like Federated Hermes have right now towards the industry? Is this a scary time? An exciting one?
2025 is shaping up to be a very dynamic year for the markets at large. There are rapid developments, from geopolitics to booming technology innovation with AI, that are impacting how the markets move as well as changing the environment we operate in as a business. As a global asset manager, Federated Hermes is staying abreast of these changes to ensure we can be where the markets are, whilst maintaining efficiency in our operations for strong profitability.
2. What problems are people asking you to solve right now?
“The ever-changing world of cyber has historically been difficult for businesses to decipher. In the last few years, it has become even more difficult to keep up, with the advent of AI and how it is changing the technology landscape. Whilst businesses are trying to understand this new technology and embed it into their products and operations, cyber-criminal enterprises are leaping ahead in innovation and starting to leverage it in novel ways. The challenge this brings is two-fold.”
“On one hand, businesses are trying to find the right use cases for AI to get their return on investment at every level. This applies to core business functions, as well as Technology departments and the Security organisations. As cyber strategists we are now being forced to be innovators ourselves and not just passive consumers of the latest products and market trends. This brings a new perspective to how we design controls, build our roadmaps and prioritize our budget items. Boards and executive teams are looking for Security teams who are embracing AI and maximizing the effectiveness and efficiency of their programmes.”
“The second challenge is on the defensive side. The average person, as well as the average corporate employee, is lagging behind in understanding what the latest AI models are capable of, let alone understanding how they can be used to conduct cybercrime. Working in security, we find ourselves in a situation where we both need to find ways to keep up with cyber criminals to defend our enterprises, as well as keep educating our staff and management teams so that we can bring them on this journey.”
1. Would you say this is an exciting time for Astley Digital?
“Astley Digital is at a pivotal point in its journey, experiencing remarkable growth and expanding our service offerings. We’re actively exploring partnerships with innovative cybersecurity companies like ThreatLocker, enabling us to provide even more robust endpoint security solutions for our clients.”
“Additionally, the evolving landscape of cybersecurity is presenting us with unique opportunities to leverage AI for predictive threat analysis, streamline incident response, and enhance our managed security services. This moment is particularly exciting as we are positioning ourselves not just as a service provider but as a thought leader in cybersecurity strategy, risk management, and digital transformation for businesses across various sectors.”
2. What are some of the key challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“Organisations today are grappling with a rapidly changing threat landscape, and one of the most significant challenges is maintaining a strong cybersecurity posture amidst evolving threats. At Astley Digital, we address critical issues such as:
“Endpoint Security: Many organisations struggle with managing endpoint security across remote and hybrid workforces. We provide comprehensive solutions that restrict unauthorised software and applications, preventing potential breaches and maintaining data integrity.”
“Third-Party Risk Management: Ensuring third-party vendors maintain security standards is another pressing concern. We work closely with our clients to assess, monitor, and mitigate third-party risks to prevent supply chain attacks.”
“Incident Response and Recovery: Companies are seeking rapid and effective incident response strategies. We offer real-time monitoring, response planning, and post-incident analysis to minimise business disruptions.”
“Regulatory Compliance: Compliance is a growing concern, especially in highly regulated industries. Our team assists with implementing frameworks that align with industry standards, ensuring data protection and reducing legal risks.”
“We are really fortunate to have reach and presence with clients across different sectors. We have professional service specialisms that respond to many of the trickiest and most important strategy and skill challenges that clients face; technology, cyber security, AI, data, and digital regulations to name a few. Not only is it a great time to be helping clients with those issues and helping them make their businesses more capable, effective, successful and resilient, from a selfish perspective it’s an incredible privilege for our people to be trusted by clients to help with these super interesting initiatives.”
2. What are some of the key challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“We help clients with everything from assessing and improving their resilience positions, to complying with the intersections of a range of existing regulations, frameworks and standards, through to future gazing and thinking about what’s possible through challenging the status-quo.”
“Lately that has included a lot of work on things like AI readiness, development of use cases, working on AI explainability and the human element of potential resistance to the kinds of change that AI and other emerging tech are delivering.”
“Of course an evergreen core of our work is digital resilience, including cyber security, so we do a lot on ensuring that new technology adoptions including those with AI sprinkled throughout them, are digitally and operationally resilient by design.”
“We’re at a turning point where AI is no longer a side conversation—it’s embedded in the way Deliveroo operates. That shift brings real momentum and urgency to the work we do in securing AI adoption and protecting digital environments.”
2. What are some of the key challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“The main concern is how to adopt AI without opening the door to unmanaged risk. Businesses know they can’t sit this one out, but they’re looking for help building the right guardrails to manage risk; especially with evolving regulation and the rise of AI-powered threats like deepfake vishing and advanced phishing.”
1. What are you here at Visions to discuss with your peers in the cybersecurity and IT space?
“The first panel I was part of was the Threat Detection & AI Panel Discussion. We were looking at establishing trust, mitigating risks, and safeguarding security in the age of AI. I focused on how to balance the benefits of AI with the challenges of building trust, managing risks, and ensuring security.”
“Then, I had a deep dive into looking at an age where individuals don’t verify, they just take information, no longer researching to see if the information is correct.”
“I always remain sceptical, whilst understanding the value of efficiency. AI is now embedded in so many tools, but now the main concern is the people within the organisation. Monitoring and education are essential. People will often try to find a shortcut and the easy way to go about things. Until training, governance and understanding is at a level where there can be trust, I suggest turning it off.”
1. These are challenging times for cybersecurity teams. How has 2025 been going for you and Ripjar?
“Ripjar utilises new and emerging technology to solve customer problems in cyber threat investigations and anti-financial crime compliance. We’ve been able to help organisations achieve record results – identifying connections, anomalies and potential risks, while reducing false positives and increasing true positives – leading to best-in-class results in many industries. We’re excited to be sharing that technology, alongside further innovations, with other organisations as we expand our global coverage.”
“The advent of generative AI creates vast risks and opportunities. It also shifts perspectives on existing machine learning and artificial intelligence technologies. It has been exciting to see how the newest AI can be combined with non-generative AI and other technologies to create new solutions to the problems that keep our customers awake at night.”
2. What are some of the challenges organisations are facing that you can help them with?
“Ripjar serves customers in several areas. Our anti-financial crime customers are trying to make sense of the ever-expanding business risks presented by their customers and counterparties in a tumultuous world. We’re able to help them in that journey, whether it’s responding to changing Russian or Middle East sanctions or aligning with the massive political changes that have impacted PEP (politically exposed persons) regimes all around the world.”
“Using foundational AI, we find broad risks in the media – which is often referred to as negative news or adverse media. That means reading through millions of daily news articles to identify risk signals which are important to those handling the world’s global payments or trading internationally. Agility is a key requirement for our customers, and machine learning and AI make it possible to make sense of huge quantities of structured and unstructured data quickly and accurately.”
“Our cyber customers are sophisticated threat investigators working in complex environments, including a number of MSSPs. They rely on our data fusion and investigations software to identify potential threats to their data and ultimately their businesses.”
Looking at the future
The shadow of GenAI, looming threats, and a shifting regulatory landscape hang over the global cybersecurity and IT communities, but the tone is also optimistic. While every leader we spoke to at Visions CIO + CISO acknowledged the threat posed by emerging technologies, many were also excited by the potential of GenAI tools to detect threats and help strengthen cybersecurity defences.
Given how quickly the circumstances surrounding cybersecurity have changed in just a few short years, it’s almost impossible to predict where we’ll be by the end of the decade. However, the experts we spoke to at Visions are approaching the future with both eyes open — watchful for new risks, and determined to capitalise on new opportunities.
The next Visions CIO + CISO Summit (Autumn, UK) is taking place at the Allianz Stadium in London on 13 – 15 October, 2025. Learn more and register to attend here.
Meet, greet, and learn from fellow IT professionals at VISIONS CIO + CISO Leadership Summit on the 28th to the 30th of April 2025. At the Allianz Stadium in London, you’ll discover the newest solutions and strategies on the market, while making meaningful connections with your peers.
Over the course of the VISIONS event, attendees will have access to over 30 presentations and eight different sessions, as well as panels involving numerous expert speakers, and peer-to-peer roundtables.
Interface Magazine is thrilled to announce that our magazine is a media partner of VISIONS UK! For the CIO + CISO Leadership Summit, VISIONS is offering a VIP code for our readership. Secure your free pass here and use the code INTF-VIP for the full VIP experience!
Taking the challenge out of change
The pressure to modernise is at an all-time high, but the VISIONS CIO + CISO Leadership Summit provides a welcoming and informative atmosphere for you to learn about updating your systems, tackling cybersecurity threats, and building AI strategies.
The event is reserved for executives, and aims to support your professional and departmental goals across the board. The programme is tailored to enlighten, educate, and support CIOs and CISOs in their technology journeys.
Agenda
Eight sessions
30+ presentations
30+ speakers across panels, fireside chats and peer-to-peer roundtables
Alongside your free pass, use the VIP code INTF-VIP to also gain access to the following:
Complimentary accommodation for one night
On-site food and drinks provided
Multiple networking receptions with open bar
Travel reimbursement
Designed to address your challenges
This event aims to put an end to the usual wandering around the exhibition hall in order to find the information you want. During registration, you’ll have the chance to explain the current challenges you’re facing in business, and Visions will do the hard work in arranging meetings with a tailored set of solutions providers. You’ll be connected directly with the people who can help, in a bespoke, no-pressure environment.
Register today! Click here to book, and use our unique media partner code for VIP treatment: INTF-VIP
Kelvin Moore, CISO & Acting Deputy CIO, on a successful cyber transformation journey at the US Small Business Administration driven by federal agency collaboration
This month’s cover story celebrates a successful cyber transformation journey driven by federal agency collaboration.
Welcome to the latest issue of Interface magazine!
US Small Business Administration: Evolving with Technology
Kelvin Moore, CISO & Acting Deputy CIO, reveals a successful cyber transformation journey at the US Small Business Administration driven by federal agency collaboration. Moore is tasked with securing a platform that offers support for small businesses and entrepreneurs. “It’s my team’s mission to ensure cybersecurity across the agency from an operational perspective and in turn guarantee the security of the programs that support our constituents.”
NAB Private Wealth: Comprehensive, integrated, and relationship-led
NAB (National Australia Bank) Private Wealth’s Michael Saadie and Mike Allen share a vision for comprehensive, integrated wealth management enabled by technology but driven by people. We learn more… “To achieve efficiency and simplification, we’ve consolidated all wealth operations under one channel,” Saadie explains. “Previously, JBWere, nabtrade, and our investment advisors operated independently. Now, we’ve brought these teams together and integrated them end-to-end. This means our operations team provides core capabilities serving all distribution channels.”
The AA: Driving growth with a powerful legacy
Nick Edwards, Group CDO at The AA, talks about the organisation’s incredible technology transformation and how these changes directly benefit its customers. “2024 has been a milestone year for the business, marking the completion of the first phase of the future growth strategy we’ve been focused on since the appointment of our new CEO, Jakob Pfaudler,” he explains. Revenues have grown by over 20%, allowing The AA to drive customer growth. “All of this has been delivered by our refreshed management team,” Edwards continues. “It reflects the strength of our people across the business and the broader cultural transformation of The AA in the last three years.”
Piedmont Healthcare: Data-driven progress
We first spoke with Piedmont Healthcare’s Mark Jackson in the winter of 2022. Since then, the scope of his role at the healthcare provider has expanded considerably. Now its Chief Data Officer (CDO), Jackson has overseen a reorg of his 45-strong team. “I take a lot of pride in efficiency,” he reveals. “I think it’s the key component of our success. Everybody experiences failure. What I want us to do is have the ability to fail quickly and get to working solutions faster because I believe in this way, we can deliver a lot of value with a small and nimble team.”
Nuffield Health: Agile digital transformation
When we talk about incredible digital transformations in Interface Magazine, it’s really only a snapshot of an organisation. In reality, this kind of digital transformation is an ongoing process with no end. When we spoke to Jacqs Harper and Dave Ankers from Nuffield Health in 2022, they had a few things in mind to keep them busy as the charity’s big change evolved.
However, as this transformation evolved, an explosion of change happened in so many directions, far more than the organisation’s technology team intended. Harper (who leads Technology at Nuffield Health), Ankers (IT Strategy & Delivery Director), and Mark Howard (Head of Technology Engineering) have followed up over 18 months after the initial interview to really dig into all the exciting things that have changed since then, and expand on all of Nuffield Health’s ambitious plans.
Also in this issue, we round up the top events in tech; get advice from Bayezian on how to avoid the risks associated with jailbreaking LLMs and speak with iGTB CEO Manish Maakan about leadership in the FinTech space. And to keep up to date with the latest insights and developments in this space check out our new launch, FinTech Strategy.
For our first cover story of 2024 we meet with Lloyds Banking Group’s CIO for Consumer Relationships & Mass Affluent, Martyn Atkinson, to learn how an ambitious growth agenda, combined with a people-centred culture, is driving change for customers and colleagues across the Group.
Welcome to the latest issue of Interface magazine!
Welcome to a new year of possibility where technology meets business at the interface of change…
Lloyds Banking Group: A technology & business strategy
“We’ve made significant strides in transforming our business for the future,” explains Martyn Atkinson, CIO for Consumer Relationships & Mass Affluent at Lloyds Banking Group. “I’m really proud of what the team have achieved. There’s loads more to go after. It’s a really exciting time as we become a modern, progressive, tech-enabled business. We’ve aimed to maintain pace and an agile mindset. We want to get products and services out to our customers and colleagues. We’ll test and learn to see if what we’re doing is actually making a meaningful difference.”
AFRICOM: Organisational resilience through cybersecurity
We also speak with U.S. Africa Command’s (AFRICOM) CISO Ryan Larsen on developing the right culture to build cyber awareness. He is committed to driving secure and continued success for the Department of Defense. “I often think of every day working in cyberspace a lot like counterinsurgency warfare and my time in Afghanistan. You had to be on top of your game every minute of every day. The adversary only needs to get lucky one time to find you with that IED.”
ALIC: Creating synergy to scale at speed with Lolli
Since 2009 the Australian Lending & Investment Centre (ALIC) has been matching Australians with loans that help build their wealth. It has delivered over $8.3bn in loans to more than 22,000 leading Australian investors and businesses. Managing Director Damian Brander talks ethical lending and the challenges of a shifting financial landscape. ALIC has also built Lolli – a broker enhancement platform built by brokers, for brokers.
Sime Darby Motors: Driving digital, cultural, and business transformation together
Sime Darby Berhad is one of the oldest and most successful multinational companies in Malaysia. It has a twin focus on the Industrial and Motors sectors. The company employs more than 24,000 people, operating across 17 countries and territories. Sime Darby Motors’ Chief Digital & Information Officer Tuan Jean Tee shares how he makes sure digital, cultural, and process transformation go hand in hand throughout one of APAC’s largest automotive multinationals.
Also in this issue, we hear from Microsoft on the art of sustainable supply chain transformation, Tecnotree map the key trends set to impact the telecoms industry in 2024 and our panel of experts chart the big Fintech predictions for the year ahead.
Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and how companies can measure, manage and monetise to realise the potential of their data
Our cover story explores the rise of data and information as an asset.
Welcome to the latest issue of Interface magazine!
Interface showcases leaders aiming to take advantage of data, particularly in a new world of AI technologies where it is the fuel…
How to monetise, manage and measure data as an asset
Our cover star is pretty big in the world of analytics… We meet the guy who defined Big Data. Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and learn how companies can measure, manage and monetise to realise the potential of their information. In his first book Laney advised companies to stop being fixated on hindsight-oriented analytics. “It doesn’t actually move the needle on the business. In the stories I’ve compiled over the last decade, 98% have more to do with organisations using data to diagnose, predict, prescribe or automate something. It’s not about asking questions about what happened in the past.”
Canvas Worldwide: A data-driven media business
Continuing this month’s data theme, we also spoke with Alisa Ben, SVP, Head of Analytics at full-service media agency Canvas Worldwide. Data has transformed the organisation, and what its clients do. “We look holistically at the client’s business and sometimes the tools we have might be right for them, sometimes not. It’s more about helping our clients achieve their business outcomes.”
TUI Musement: from digital transformation to digital pioneer
At travel giant TUI, handling data effectively is paramount when communicating consistently and meaningfully with up to 25 million customers annually. David Garcia, CIO for TUI Musement, talks about the tech evolution driving the travel giant’s provision of experiences, transfers and tours. It’s a big part of its operational shift from local to global. “As a CIO, I’ve always been interested in how the tech innovations we drive can support the business and add value.”
Hiscox: making cybersecurity more accessible
Liz Banbury, CISO at Hiscox and president of (ISC)² London Chapter, talks to us about how cybersecurity can become a more accessible, realistic career path for almost anybody. “When I was at school, topics like computer science didn’t even exist,” Banbury explains. “In one of my first jobs, over in Hong Kong, we were still using a typewriter! A lot has changed. My key point here is that there’s a lot of cybersecurity professionals who are really good at their job. They are inspiring, and have come from all walks of life. Crucially, they don’t have a maths, computer science, or technological background at all. But they still make great cybersecurity professionals.”
Portland Community College: Risk vs Speed in Cybersecurity
Reet Kaur, former Chief Information Security Officer at Portland Community College, discusses the organisation’s transition to the cloud amid a digital transformation journey. “I don’t want to work with people who just say yes all the time. I want my ideas challenged to help forge the excellence in the security programmes I help build.”
DBHDS: Cybersecurity in healthcare
The Virginia Department of Behavioral Health and Developmental Services (DBHDS) exists to create ‘a life of possibilities for all Virginians’ and transform behavioural health. Its focus is on supporting people across the entire commonwealth. It helps them get the support they need in order to take wellness and recovery into their own hands. In an area like healthcare, sensitive information is all over the place, meaning cybersecurity is a priority – and this is where Glendon Schmitz, CISO at DBHDS, comes in. “The security team exists to help the wider organisation achieve its objectives with data. We’re there to protect the business, not the other way around.”
Also in this issue, we schedule the can’t miss tech events and get the lowdown on IoT security from the Mobile Ecosystem Forum.
Financial services organisations are trusted with far more than just money; they’re also responsible for keeping customers’ highly sensitive personal and financial data under lock and key. We’re hyper-aware that the growing value of this data means financial organisations are prime targets for cyberattacks – but this isn’t the only threat they face.
In fact, not a day passes without these firms’ own employees putting data at risk from within, says Tony Pepper, CEO, Egress…
You might think that, when it comes to reducing overall breach risk, employees represent low-hanging fruit: surely it is easier to control the actions of a company’s own team members than it is to defend against external attackers? However, this is not the reality experienced by financial firms worldwide. While external attackers are always motivated by malicious intent, the employee population is far more heterogeneous and, in a sense, much more human. This makes understanding and mitigating insider risk a more nuanced exercise. Just because it is difficult, however, doesn’t mean it is impossible. It’s crucial that financial services companies shift the dial on insider risk and reduce breach frequency, because the penalties for failing to do so are becoming increasingly draconian and the repercussions from customers much more severe.
The recent Egress Insider Breach Survey aimed to understand the different attitudes towards data sharing and ownership among employees in financial services companies and the approaches that IT leaders in the sector are taking to managing insider breach risk.
We found a whole range of diverse profiles of people who put sensitive financial data at risk for very different, but very human, reasons. Some need monitoring to keep their less-than-honest traits from getting the better of them, while others need a helping hand to save them from making genuine, well-meaning mistakes. And across all respondents, we also found confusion over who really owns data, contributing to the more cavalier attitudes displayed by some.
Deliberate “data breachers” – from well-intentioned but reckless to disaffected and destructive
Our study found that the financial services sector has more than its fair share of deliberate “data breachers”. Of the thousand employees we questioned, almost a third (32%) said they or a colleague had intentionally broken company policy when sharing or removing information in the past year. This compares with just 15% of healthcare workers and 11% of government sector employees.
The reasons given for this deliberate flouting of security policy varied. One-third said they were simply trying to get their job done but didn’t have the appropriate tools to share data safely. On the face of it we might have some sympathy with those employees, but would consumers and businesses want to bank with those firms?
It’s more difficult to be sympathetic with those motivated by self-gain, including the 41% who took data with them because they were moving to a new job. And we have even less sympathy for the 15% who compromised data because they were angry with the company and wanted to deliberately cause harm.
Operator error – mobile, tired, under pressure
Even with their firm’s best interests at heart, employees still make mistakes. 30% of financial sector workers said they or a colleague had caused an accidental data breach in the past year – again more than twice as many as their public sector counterparts. A third had sent an email to the wrong person and a further third had clicked on a link in a phishing email.
Their reasons behind these breaches varied from the pressure of working in a stressful environment, to tiredness and rushing. A significant proportion, however, said they made an error due to using a mobile device – and given the current requirement for mobile remote working during this COVID-19 pandemic, this is a definite cause for concern.
Breach detection gaps and technology limitations
Next, we examined what IT leaders in the sector have in place to mitigate insider breach risk. Concerningly, 60% said the most likely way they would discover an insider data breach was via internal hand-raiser reporting by either the employee themselves or a colleague. Only one third felt that their breach detection systems would pick up the issue.
In a similar vein, use of traditional data protection technology was surprisingly inconsistent across financial firms. Email encryption, anti-malware and secure collaboration software were each in use by fewer than half of financial sector companies. This again raises the question of whether consumers and businesses would be willing to trust their data to financial firms if they knew those firms didn’t have systems in place to protect it.
So, why is this the case? From the data we uncovered, it seems as though organisations are resigned to a proportion of insider breach incidents occurring, accepting them as an inevitable result of doing business and employing people. But this doesn’t need to be the case. It is possible to apply human layer security solutions to mitigate these risk factors and make a positive impact on breach frequency figures.
Human layer security – a helping hand and a watchful eye
Take the issue of rushing or tiredness. This can lead to users adding the wrong recipients to emails or failing to spot the subtle changes in familiar email addresses that mark a targeted phishing attempt. This risk can be reduced with tools that use contextual machine learning to learn what normal sending behaviour looks like for each user and support them with alerts: that they have added an unusual recipient to an email, or that they are about to reply to a phishing email. For these users, a timely prompt is often enough to stop the error before it becomes a data breach.
Similarly, on a mobile device with a small screen it is very easy to choose the wrong attachment and send sensitive data outside the organisation, either to the wrong recipient or to the right person unprotected. Our always-on, constantly connected culture also gives a less-than-honest employee the same opportunity to do so deliberately. These incidents can be stopped with a solution that scans email and attachment content, identifies data such as personally identifiable information (PII) or bank account details, and alerts users that they are about to send it to an unauthorised recipient or without the correct level of encryption applied. If the user persists, the risky email can be blocked and administrators alerted to a potentially intentional attempt to breach data, so they can respond accordingly.
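The two controls described in the last two paragraphs (an unusual-recipient prompt, and a content scan that warns and then blocks when sensitive data is about to leave unprotected) can be sketched as one outbound-mail policy check. The following is an added example written for this page; it is not Egress’s product or code. The trusted domain, the detector regexes, the two-pass warn-then-block model and the sample mailbox history are all assumptions for illustration.

```python
"""Added example (not Egress's product or code): an outbound-email check in the
spirit of the two controls described above. It (1) flags recipients that are
unusual for this sender, including look-alike domains, and (2) scans subject,
body and attachment text for bank account and card numbers, then returns a
policy decision: allow, warn, or block once the user has persisted past a
warning. Trusted domains, regexes and the sample mailbox history are assumptions."""
import re
from dataclasses import dataclass

TRUSTED_DOMAINS = {"examplebank.example"}          # assumed internal domain

# Detectors for the data types the text names. Card candidates are
# Luhn-checked so arbitrary digit runs do not trigger.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")
UK_ACCT_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b.{0,20}?\b\d{8}\b")   # sort code + account
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    hits = [("iban", m.group()) for m in IBAN_RE.finditer(text)]
    hits += [("uk_account", m.group()) for m in UK_ACCT_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class SenderProfile:
    sender: str
    known_recipients: set      # addresses this user has mailed before (assumed history)


def recipient_findings(profile: SenderProfile, recipients: list) -> list:
    out = []
    for r in (x.lower() for x in recipients):
        dom = domain_of(r)
        if r in profile.known_recipients or dom in TRUSTED_DOMAINS:
            continue
        if any(within_one_edit(dom, t) for t in TRUSTED_DOMAINS):
            out.append(("lookalike_domain", r))   # typo-squat of our own domain
        else:
            out.append(("new_external_recipient", r))
    return out


def evaluate(profile, recipients, subject="", body="", attachments=None,
             encrypted=False, user_acknowledged=False):
    """Return (decision, findings). The first pass warns the user; a second pass
    with user_acknowledged=True models the user persisting past the prompt and
    is where a genuinely risky send is blocked for administrator review."""
    attachments = attachments or {}
    findings = recipient_findings(profile, recipients)
    external = [r for r in recipients if domain_of(r) not in TRUSTED_DOMAINS]
    sensitive = find_sensitive("\n".join([subject, body, *attachments.values()]))
    if sensitive and external and not encrypted:
        findings += [("unencrypted_" + k, v) for k, v in sensitive]
    if not findings:
        return "allow", findings
    hard_stop = any(k == "lookalike_domain" or k.startswith("unencrypted_")
                    for k, _ in findings)
    if not user_acknowledged:
        return "warn", findings
    return ("block" if hard_stop else "allow"), findings


ALICE = SenderProfile("alice@examplebank.example",
                      {"bob@examplebank.example", "auditor@partner.example"})

if __name__ == "__main__":
    msg = dict(body="Please pay to IBAN GB29 NWBK 6016 1331 9268 19")
    print(evaluate(ALICE, ["ceo@examp1ebank.example"], **msg))
    print(evaluate(ALICE, ["ceo@examp1ebank.example"], user_acknowledged=True, **msg))
```

A new external recipient with nothing sensitive in the message only ever produces a warning; a look-alike domain, or bank details leaving unencrypted, is allowed through the first prompt but blocked on the second attempt, which is the point at which an administrator should be told. In production the recipient history and the sensitive-data patterns would be far richer than the two regexes here.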
Ultimately, the most effective way to address human-activated threats to security is by implementing tools that support and manage users when they are at their most humanly vulnerable: tired, rushing, under pressure, angry or self-interested. As our research and wider evidence shows, the financial services sector is more than averagely vulnerable to insider data breaches, meaning human layer security must be a priority for IT leaders in the field if they hope to reduce breach frequency and keep sensitive data firmly in the vault.
How digitalisation is bringing the fight to industrial security threats
It’s no longer a question of whether your business will be attacked, but rather when it will be attacked. Cyber attacks, particularly those on public sector and utility businesses, are now a regular, often daily occurrence. Here, Robin Whitehead, managing director of systems integrator Boulting Technology, explains how this is impacting the role of the chief information security officer (CISO) and resulting in the need for end-to-end digitalisation.
It’s a simple fact that data makes the modern economy turn. Being the first business to take action, based on the insights gained from some pivotal piece of information, gives businesses a distinct competitive advantage. However, it’s also quickly becoming a fact of life that the same data is being targeted by skilled cybercriminals intent on stealing this new currency and even causing maximum damage to infrastructure.
We can see the potential scale of cyber crime if we look at the number of data breaches made each month. For example, in December 2017, security firm IT Governance reported that 33.8m records, including a mixture of personal and business information, had been leaked around the world. In November 2017, the number was 59m.
Sophisticated cyber attacks
With the world facing the likes of WannaCry, Petya and NotPetya in 2017, sophisticated cyber threats are the biggest technological fear in 2018. Although sectors such as financial services and the public sector are most at risk, there have also been numerous high-profile attacks on utilities, oil and gas and food manufacturing environments in recent years.
At 9:30am on 27 June 2017, confectionery manufacturer Cadbury was hit by a cyber attack that halted production at its Hobart factory in Australia. Computers at the facility were infected with NotPetya, ransomware built on the earlier Petya code, and displayed a message demanding payment in cryptocurrency. In practice the demand was a facade: the “installation key” shown on screen was random data from which no decryption key could be derived, so paying did not recover files, which is why NotPetya is now generally classed as a wiper rather than ransomware.
The same day, NotPetya went on to damage facilities across Europe. It was seeded through the compromised update mechanism of a Ukrainian tax-preparation programme (M.E.Doc) running on Windows and used by around 80 per cent of all Ukrainian businesses. Inside a network it spread with EternalBlue, an exploit for a vulnerability in Windows’ SMBv1 implementation that Microsoft had patched as MS17-010 in March 2017 and that is widely reported to have been developed by the US National Security Agency (NSA). Where that patch was present it spread anyway, by harvesting credentials from memory and reusing them with the legitimate PsExec and WMI administration tools. On each infected host it overwrote the master boot record and, on reboot, encrypted the filesystem’s master file table (MFT), preventing the system from locating its own files. The practical lesson is that patching MS17-010 alone was not enough: limiting lateral SMB access between workstations and curbing the reuse of administrative credentials mattered just as much.
Launched on June 27, 2017, on the eve of Ukraine’s Constitution Day holiday, NotPetya quickly spread to networks in Russia, France, Germany, Italy, Poland, the UK and the US and affected many sectors.
“It’s massive,” Christiaan Beek, a lead scientist and principal engineer at McAfee, told WIRED about the situation in Ukraine. “Complete energy companies, the power grid, bus stations, gas stations, the airport, and banks are being targeted.”
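Whether NotPetya moved by EternalBlue or by PsExec and WMI with stolen credentials, the traffic ran over SMB on TCP port 445, and its signature in network telemetry is one host opening SMB sessions to many peers in a short time. The following is an added example written for this page, not code from Boulting Technology or the article above, that looks for that fan-out in flow records. The log format, the constructed sample traffic and the ten-peers-in-sixty-seconds threshold are assumptions.

```python
"""Added example (not from Boulting Technology or the original article):
a fan-out detector for SMB (TCP/445) connections, the channel NotPetya's
EternalBlue exploitation and its PsExec/WMI credential reuse both travel
over. Flow records are constructed; format, window and threshold are
assumptions to be tuned for a real environment."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows() -> str:
    """Constructed flow log, one record per line: 'timestamp src dst dport proto'."""
    base = datetime(2017, 6, 27, 10, 30, 0)
    lines = []
    # 20 clients talking to one file server: many-to-one is normal SMB traffic
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.1.{100 + i} 10.0.1.5 445 tcp")
    # one host opening SMB to 12 different peers within 24 seconds: worm-like one-to-many
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.1.15 10.0.1.{1 + i} 445 tcp")
    # an admin workstation reaching the same 12 peers, but spread over two hours
    for i in range(12):
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} 10.0.1.200 10.0.1.{1 + i} 445 tcp")
    # the same sweep on 443 is not SMB and is ignored by the detector
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.1.30 10.0.1.{1 + i} 443 tcp")
    return "\n".join(lines)


def parse_flows(text: str):
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), proto


def smb_fanout(flows, window=timedelta(seconds=60), threshold=10, allowlist=frozenset()):
    """Return {src: (window_start, peers)} for every source that opened SMB to at
    least `threshold` distinct destinations inside any `window`. Vulnerability
    scanners and software-deployment servers belong in `allowlist`, or they will
    trip this every night."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445 and src not in allowlist:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        lo, best, start = 0, set(), None
        for hi, (ts, _) in enumerate(events):
            while ts - events[lo][0] > window:      # slide the window forward
                lo += 1
            peers = {d for _, d in events[lo:hi + 1]}
            if len(peers) > len(best):
                best, start = peers, events[lo][0]
        if len(best) >= threshold:
            alerts[src] = (start, best)
    return alerts


if __name__ == "__main__":
    for src, (start, peers) in smb_fanout(parse_flows(build_sample_flows())).items():
        print(f"{src}: {len(peers)} SMB peers from {start.isoformat()}")
```

The detector deliberately keys on distinct destinations per source rather than connection count, so the file server with twenty clients (many-to-one) and the admin workstation that reaches the same twelve hosts over two hours both stay quiet, while the host sweeping twelve peers in under half a minute is reported. It will not see exploitation that stays on one host, and it needs flow or firewall logs from inside the segment, which is exactly the IT/OT visibility gap the rest of this article is about.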
The new CISO
It should come as no surprise then that the advice of IT and security experts is now being sought at the highest levels of business. The role of the chief information security officer (CISO) is also changing in response. Acting as the head of IT security, the CISO has traditionally been responsible for things like operational compliance and adherence to ISO standards as well as performing IT security risk assessments and ensuring that the business is using the latest technologies.
However, increasingly, the CISO must now also drive IT security and strategy, guiding everyone from the shop-floor staff to the most senior officials in the business on how best to protect them from cyberattacks. The modern CISO now takes a seat at the boardroom table, ensuring business continuity, come what may.
Modern CISOs need to be visionaries and good communicators in their own right, exerting their influence at all levels of the business to bring about long-lasting technological and security change.
End-to-end digitalisation
For industrial businesses, this change cannot come soon enough. The desire to integrate manufacturing networks with the outside world and the increased use of smart data is driving efficiencies and cost savings in sectors from food and beverage, pharmaceutical and automotive to utilities such as gas, water and energy. At the same time, it’s also leaving them vulnerable to attacks that can lead to business disruption and extended periods of downtime.
Part of the reason for this is that many businesses have traditionally operated in silos, with information technology (IT) and operational technology (OT) experts not historically well aligned to the same objectives and outcomes. However, as we increasingly use more internet-connected devices such as PLCs, HMIs, intelligent motor control centres (MCCs), telemetry devices and smart meters, all relaying millions of data points to centralised and often remote SCADA and ERP systems, it will become crucial to take a joined-up approach to industrial operations. Cue end-to-end digitalisation.
For many businesses, replacing hardware and software to allow functionality such as standardised Fieldbus communications, real-time cloud data, analytics and centralised control across every aspect of their operations is neither a cheap undertaking nor one that is quick to enact.
After all, most engineering plant managers have built up a complex system over many years, retrofitting new components and modules to existing equipment. This is driving the need for end-to-end digitalisation, moving away from fragmented system control, maintenance and upgrade towards a holistic approach that encompasses system-wide transparency, alarms and notifications, including analytics that can deliver actionable insights to improve process efficiency.
At Boulting Technology we’re helping our customers introduce cybersecurity measures to retrofitted equipment in existing industrial setups. Our range of control systems, networking products, intelligent motor control centres and more form an integrated system that gives engineers easy and secure access to their operation around the clock. Ultimately, end-to-end digitalisation will help companies respond to attacks and breaches in minutes rather than hours or days.
So, while we come to the realisation that cyber attacks are simply a normal part of doing business, take heed of your CISO’s advice and rethink your end-to-end digitalisation strategy.