Drawn to the world of cybersecurity because of James Bond and a passion for change, the CISO advisor, entrepreneur, author and speaker, Jane Frankland talks to ISMS.online about all things security.
How cyber security threats affect businesses
Throughout 2017 it felt as though there was a new cybersecurity disaster almost every day. But which event caused the biggest disruption of last year and have we learnt anything as a result?
“That’s a tough question. Although the U.S. consumer credit reporting agency Equifax suffered one of the worst attacks in recent years with almost 143 million United States citizens being affected, the greatest disasters for me were WannaCry and NotPetya.
“WannaCry was different from most of the other ransomware attacks. With the help of EternalBlue, it gained remote access and ransomware was able to spread across networks at lightning speed. WannaCry infected more than 300,000 computers globally and used two different ways to exploit weaknesses – both from the NSA leakage by Shadow Brokers. Its financial impact was huge, too, with an approximate cost of $4 billion dollars in losses.
“NotPetya showed greater sophistication in terms of the complexity of its attack and resolution. It was also a form of wiper malware. It imitated the look of a ransomware, but its true intent was destruction.”
“They know that as technology becomes smarter, the cloud and the Internet of Things (IoT) will become more interconnected. They know they’re playing catch up too, for their future relies on the technologies of the past – operating systems, computing languages, software environments, which are vulnerable and often unsupported.
“This is why they want to re-evaluate and redefine their understanding of threats, risks, and solutions in an ever-changing landscape. It’s why they ask: What threats should they prepare for? What risks are involved? What processes and procedures should they implement? What types of people do they need to help them do this?
“It’s also why cybersecurity professionals need to be able to answer all of these questions and know how to detect attacks, respond to them, and recover from them fast and with minimal impact to the business.
“It’s why they need to be able to educate the key stakeholders within their organisations and help them to understand how security affects each person’s roles, and then to implement the solutions – be they people, process and technologies. They need to be able to not just protect the organisation but to enable it, and serve it fully.”
Data privacy challenges for organisations
So in your role as a CISO advisor, what are the biggest challenges you are hearing organisation talk about in relation to managing their information security and complying with regulations like GDPR?
“Security is a people business and with a shortage of available talent, organisations are either having to enter salary-bidding wars to entice people away, or accept that they’ve got to develop talent internally, which will take time and potentially expose them to risk, albeit short-term.”
“Although the GDPR shouldn’t present much of a challenge for UK organisations, as they should all be abiding by the DPA and carefully considering and protecting their data, we know that it is. We also know that many organisations will be taking data protection seriously for the first time ever. As it applies to all organisations, no matter what their turnover or headcount sizes are, the greatest challenge for them will be working out what their organisation needs to do in order to be compliant.
“Once again this will come down to their appetite for risk. Whilst the fines for breaching the GDPR is driving a lot of action, there’s a serious risk that the key principles of transparency and accountability will be lost in the noise.”
Communicating and managing risk
So we’ve talked about risk and communication. The NCSC has published risk management guidance for cybersecurity. Do you think this goes far enough in helping micro and small organisations, given the concerns you are hearing?
“No. Whilst it’s a good start, they’ve made a fundamental communication error. They’ve not put themselves in these organisation’s shoes and seen things through their lens.
“Their site has too much information to wade through and links to click on. It’s jargon-rich and has only been given in one format, text.
“As many people learn differently, it would have been better if they’d produced ebooks, audios and videos for SMEs and micro organisations.”
In your book, IN Security, you make the point that women have a natural ability to manage risk, particularly in relation to cyber. Tell us a bit more about your theory behind that.
“Women are fundamentally different to men. They’re different versions of the same species. Whilst past research has indicated that men’s and women’s brains are wired differently, new research indicates that almost everyone has a unique range of male and female structures. 
“However, when it comes to hormones, women and men differ, as both sexes produce the same hormones but to varying levels. The main sex hormonal driver for women is oestrogen, and this encourages bonding, cooperation, collaboration and relationships. It also supports the part of the brain that involves social skills and observations, plus it helps women to determine how they perceive risk and avoid conflict.
“Serotonin is the hormone that’s responsible for stabilising moods and regulating anxiety. According to researchers women produce 52% less serotonin than men, which may indicate why they have more of a tendency to worry than men. Then, there’s testosterone, the main sex hormone for men, which is associated with aggression, impulsivity, single-mindedness, independence, a lack of cooperation, power, winning, and risk taking.
“The latter is obviously of great significance to us in cybersecurity. Countless studies have shown that women and men gauge risk differently. Women are far better at assessing odds than men, and this often manifests itself as an increased avoidance of risk. As women are typically more risk averse, their natural detailed exploration makes them more attuned to changing pattern behaviours – a skill that’s needed for correctly identifying threat actors and protecting environments.
“When the Norwegian company CLTRe and Gregor Petric, PhD, Associate Professor of Social Informatics and Chair of the Centre for Methodology and Informatics at the Faculty of Social Sciences, University of Ljubljana (Slovenia) studied more than 10,000 employees across five verticals in two countries within the Nordics, they found women to be complying with rules, and embracing organisational controls and technology more than men. Additionally, whilst men rated their knowledge and awareness of IT security, controls and behaviours much more highly than women, men reported higher levels of risky behaviours, both on their own part and that of their colleagues. 
“These findings correlate with other reports that detail gender differences in regards to compliance and trust online. When HMA, a virtual private network service provider, commissioned a study of Internet users in the USA, they found more women considered what they shared online more than men; were more unlikely to give away personal information such as their birth date, real-¬world address or social security number on a social media profile than men; and were more unlikely to offer this information while chatting online with a friend than men.
“They also found that men reported their accounts being compromised or hacked, or accidentally installing spyware, malware or a virus more often than women. Yet, they found that after women experienced a security problem, women were more likely than men to make lasting changes to their online behaviour in order to protect themselves from future problems. Men, on the other hand, tended to fall back on technical means of protection.
“In addition to these traits, women are acknowledged to be highly intuitive too. Men, on the other hand, tend to be more pragmatic with their thinking. Whether or not you believe it’s because women were withheld information over the centuries and had to develop intuitive skills is immaterial. What matters is their capacity to think differently, because when two sets of people are attacking a problem, they’re able to solve it uniquely and much faster. As not all risk is the same, the dialogue about how to approach it is also richer.
“Women score highly when it comes to emotional and social intelligence, which brings about many benefits, including the ability to remain calm during times of turbulence – a trait that’s required when breaches and major incidents occur.
“Furthermore, in a world that values speed and agility, the ability to use intuitive thinking and make good decisions quickly without having all of the information is becoming more of a necessity.”
Women in cybersecurity
In your book, you also offered lots of practical advice for women wanting to get into the cybersecurity industry. If there were just one piece advice you could offer, what would it be?
“Weak ties that arise from networking are typically associated with finding jobs. Until the sociologist Mark Granovetter published his research, most people believed that jobs were found through strong ties – personal connections with friends, family, or peers at work. What Granovetter discovered was that the primary source of job leads came from weak ties – distant acquaintances, or friends of a friend.
“It turns out that people rarely refer their close connections for jobs because they’re either worried that it will reflect badly on them if it doesn’t work out, or because they’re more likely to know of their close connections’ faults and weaknesses, which they believe could interfere with being a good employee.
“But, this wasn’t all Mark discovered. When it came to information, having a loose and diverse network of acquaintances enabled people to tap into much wider sources of information and expand their thinking. By having a network of like-minded contacts that operate in the same circles as you do, you rarely learn anything new. However, when you’re able to access a wider community, you can access different types of thinking and sort out challenges with confidence. “
“Whenever I speak about this at conferences, I usually break it down into five areas. The first is education. According to Raytheon and the National Cybersecurity Alliance when they surveyed the career interests and educational preparedness Millennials in 12 countries they found that 62% of men and 75% of women said no secondary or high school computer classes offered the skills to help them pursue a career in cyber security. We need to change this and improve the way we’re educating children and young adults about cybersecurity.
“In all but a few universities around the world, undergraduates aren’t being taught that in cybersecurity, you have to understand people, business, principles and concepts, as well as technology, or given methods to do so. Additionally, they’re not being prepared for team working. However, they’ll be required to liaise and collaborate with experts in many areas, like physical security, business, regulations, marketing, finance, and so on. And, many are, astonishingly, unaware that they’ll have to stay current on advances on both the offensive and defensive sides, as they’ll be expected to provide advice on which cybersecurity technologies will meet a particular business requirement, as well as understand how they fit into an organisation’s overall cybersecurity posture.
“Cybersecurity graduates are coming out of university book¬smart but not work¬ready, and many hiring managers are relaying their dissatisfaction with the current education system, and the implications in terms of increased susceptibility to cyber attack. As cybersecurity is a dynamic field, with new threats and defences appearing daily, they’re right to complain, for there’s a real need for a competent workforce with a sound knowledge of how to implement, coupled with experience and practical skills.
“When it comes to career pivots and ways into cybersecurity from other careers, we must address this for there’s a real need. However, there’s hardly any information on exactly how to do this.
“The second area is marketing. Today there’s still a misconception that cybersecurity is a purely technical domain. However, the truth of the matter is that cybersecurity has never been a stand¬alone discipline. It was born from IT, is a specialism within IT, and treating it otherwise may prove to be a costly mistake for cybersecurity.
“This brings me onto the third area, professionalism, as many within the industry want to professionalise it, like accounting, law, medicine, and engineering, with charters, regulatory bodies, and formal education programmes. Others want it to remain vocational. Those who prefer a more vocational route point out a couple of things. The first is that those from the armed forces and police, who make up a large percentage of our workforce, haven’t come from an IT background. However, they’ve taken the basic principles of physical security or intelligence and applied them to cyber with success. The second is that cybersecurity should be seen as a career for those in IT to aspire to, and not a profession with entry-level positions. They maintain that all positions in cybersecurity should be earned with significant experience in IT and that a degree that’s specific to cybersecurity isn’t required. Rather, hiring managers need to become great talent spotters, looking first within their organisations for skilled professionals who, despite having no stated experience in cybersecurity, can quickly adapt to cybersecurity roles. Professionals could, therefore, be within IT or outside of it, such as HR, legal, customer services, personal assistants, or even sales, PR or marketing.
“The fourth area is hiring and recruitment. This can be improved tremendously through formalised processes and technology. Thanks to advancements in the latter, data can help to inform and reduce bias, too. Tools, like Textio, can analyse the language used in job descriptions and ensure it’s neutral. Certainly, when it comes to women, language is often unintentionally, gender-coded and plays to a range of stereotypes, ideologies, and belief systems that surreptitiously try to justify the status quo. When job descriptions aren’t checked for gender bias they can put a lot of female talent off applying.
“Finally, the fifth area is environment. From the dialogues I’ve had with women in the field, I know that the reasons they cite for moving jobs are misalignment to their organisation’s culture, burn-out, unfair treatment, feeling bypassed for promotion, or on account of family. Corporate cultures can be hostile environments for women in cybersecurity as some are still built around male bonding and facilitated by the sexual objectification of women.
“Improvements in culture can make an enormous difference to the way that every cybersecurity professional operates in the workplace, not just women. One to tackle proactively is the work-hard, play-hard culture – that ruthless, macho competition to arrive early, stay late, work harder and party, which remains prevalent amongst many cybersecurity organisations and consultancies, yet has been shown to increase turnover rates and absenteeism, and stifle performance and profits.
“The unspoken old-fashioned rule for managers, or anyone aspiring to be one, is that if you leave before a certain time, you’re not committed to your job, and promotion will be unlikely. The pressure is particularly noticeable for women, especially if they’re mothers or carers. In environments such as these, many women either accept the reality that if they won’t conform to expected standards, their careers will be stifled, or overly compensated by working harder, staying later, and adopting more of a male persona. They’ll try to fit in, or otherwise, they’ll hide their family arrangements.
“If anyone has an appetite to learn more, I’d encourage them to read my book, IN Security. It’s available on Amazon in a paperback and Kindle format. They can also approach me for talks, training, coaching and consultancy.”
Are you looking to manage your risk and information security?
Not ready to get started? Subscribe to receive more articles like this.
The information in this blog is for general guidance and does not constitute legal advice.