Episode 6: The Crown Jewels with Jon Staniforth
Hello, and welcome to What the Hack is a CISO. This podcast will help you in your journey to be a better cybersecurity leader. It's supported by Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, an EU Digital Ambassador covering the intersection of tech, security and policy, and the CEO at R Strategy. In this week's episode, I'm talking to Jon Staniforth.
Rayna Stamboliyska:Hi, Jon.
Jon Staniforth:Hi.
Rayna Stamboliyska:So Jon has spent more than 20 years leading cybersecurity teams at different companies, big companies mainly, covering everything from logistics and telecom businesses to gaming, retail, and banking. So in your career, you've led teams, worked with the business lines, and set up security and compliance teams from scratch in some really large enterprises. And your most recent role was a CISO for the Royal Mail. So how did you get into cyber and IT in particular?
Jon Staniforth:IT was nearly 30 years ago, starting off actually working for Shell. I was in a quite lucky position that I actually started in graduate recruitment for Shell. Nothing to do with technology. At a time where they were starting to use PCs and laptops to actually support recruitment and assessment centers, I then realized I actually quite enjoyed using the computer, so I almost became, like, a junior sort of support person for the recruitment team, even though I was supporting the recruitment team as more of an admin.
Jon Staniforth:So I sort of almost fell into it. Got a personal interest, started to sort of learn how to do more support. Then another role came available in Shell, which was in Shell shipping, and basically got involved with a support desk and managed a support desk that you could ring and get anything from a pen to a computer, as a sort of single combined department in those days. And then I was very lucky that they started to merge the Shell shipping companies. So we got the opportunity to start rolling out sort of Novell NetWare, then they merged the oil trading and the shipping companies, and I got to merge and support Microsoft, a very early version of Microsoft Windows.
Rayna Stamboliyska:Wow.
Jon Staniforth:Yeah. OS/2 and that sort of side with a token ring network and a very, very old ethernet network from an own u b 3270. So very old.
Rayna Stamboliyska:Wow. Come on. That's not old. That's vintage.
Jon Staniforth:Yes. Exactly. Antiques.
Rayna Stamboliyska:I mean, there is a special, yeah, flavor to where what we do today and what we, you know, live through today comes from. I find that sort of experience and feedback extremely valuable because it's the history. You know, it's our roots, where you come from, how things emerge, and the fact that, you know, you were talking about supporting users. Yeah. This is something that's, I mean, we do cybersecurity for the people.
Rayna Stamboliyska:Right?
Jon Staniforth:Yeah. 100%.
Rayna Stamboliyska:So I find it extremely valuable to be talking about the people first and foremost. And speaking about the past, you know, from your beginnings, do you think security has moved on? I mean, as fast as it should have done? And how are we dealing with problems? Are we still having the same problems today?
Rayna Stamboliyska:Are we having new ones? Especially, you know, vis a vis people.
Jon Staniforth:I suppose security itself has obviously gone from quite technology-focused, network-focused attacks and sort of early viruses in those days. So much more sophisticated, as you know, with phishing and social engineering, which sort of wasn't so much around in the old days. It was people breaking in with sort of SQL Slammer and things and trying to see what they could do. Obviously, the evolution of cyber attacks and cyber itself has changed. In those very early days, there were no tools.
Jon Staniforth:I remember having to read NACS and NACS and actual network traffic in detail, because there weren't SIEM and SOC tools. I think as an industry, obviously, it's grown from almost nothing. There were some basic antivirus products right the way through to the full suite nowadays. I think in terms of the users, cyber is a type of quality function. So the reality is that anything that is quality related, whether it's, you know, health and safety, whether it's ISO 9000 or quality assurance or cyber. Unfortunately, businesses have to start to understand how valuable it can be to them to actually incorporate it into their business process flows and their value chains.
Jon Staniforth:And the adoption of technology and functionality as consumers, all of us, even us in cyber, we like the latest whizzy thing. So I think we've got a human nature problem of people liking functionality, they like new things, and they want them to make their lives easier. And quality type of things, assurance takes more time and can be expensive. People don't always want to spend on it. It's the proverbial speed to market for adoption.
Jon Staniforth:And I think what's happened is society is using technology much more. My first mobile phone was actually a briefcase with a battery in there and an old handset when I worked for Shell. That was the on call phone. It was the size of a briefcase. And then we moved on to the Nokia brick, which was the, you know, thing with a 4 hour battery life.
Jon Staniforth:And now we're all walking around with something with this massive compute power. So I think the challenge will never actually go away of adoption versus integration of cyber. But the actual underlying technologies, you know, we're now talking AI and quantum and so on. But the underlying is fundamentally irrelevant to the technology change. Adoption's always gonna be a bit faster, I think.
Rayna Stamboliyska:Yeah. The way I see it, you will always have end users. And even us, you know, you and I, despite our knowledge and expertise and so on, we are still someone's end user. Right? Yep.
Rayna Stamboliyska:So to me, like, there are fundamental things that, whatever the technology and the buzzword of the day, you still need to, one way or another, implement trust
Jon Staniforth:Yeah.
Rayna Stamboliyska:And bring it, well, at least with the least friction possible to everyone.
Jon Staniforth:Yeah. 100%. How do you make controls as easy as possible so people don't realize they're following them?
Rayna Stamboliyska:Right. Right. I mean, a lot of people, especially, you know, with your experience, come from infrastructure, from IT, and from networks. Right? Because that's how things were. Yeah.
Rayna Stamboliyska:At that time. And is there something or someone, you know, an event or a person that inspired you or that kind of accidentally brought you, or I don't know, into more security, you know, rather than more IT?
Jon Staniforth:I think it was the influence from those early days of Shell because the oil trading was very much about availability. So in those days, even if we wanted to change a hard disk that had failed in a RAID array, we'd have to go and talk to the trading floor directors to say, what trades have you got on, and what's the risk of even pulling the disk out? Your system might slow down. It might crash, versus waiting for the weekend and so on. So I think, without realizing it at the time, I think it was very much that side.
Jon Staniforth:And I say the user engagement, because we had to have really heavily engaged, you know, change controls. It was very strong, and we had some really simple rules, which is if you did the change late at night, you'd be the first one in the morning. So it took you after CP a few times on the office floor for a couple of hours. It taught you to very much, sort of, understand your changes. So that got very well ingrained for practical purposes.
Jon Staniforth:So I think that was probably the underlying. Then I actually moved to a telco in the Netherlands, and the Netherlands adopted ITIL much faster than, actually, the UK adopted it. This was in the mid nineties. And so I actually deployed a lot of ITIL practices, not actually knowing about ITIL. And then a company called Pink Elephant came in and did an assessment of us, and I hadn't realized, but we deployed some bios that saw us common sense.
Jon Staniforth:So I think those elements drew me into oh, actually, I've got a bit of a flair for this. And then, obviously, a high availability company, again, being a sort of pan European telco, meant that I had to be much more aware of it. And then, basically, started to realize, you know, outages. We had some of the early SQL Slammers and things like that in those early days and realized that actually that was the fundamental of what users wanted was why aren't my systems working?
Rayna Stamboliyska:Yeah. This resonates with me, not so much the telco or something, but the way you speak, you know, the way you've gained experience and the way you speak of things is, you seem to be the kind of person who likes to get into a place where nothing exists
Jon Staniforth:Yeah.
Rayna Stamboliyska:And build it from scratch. Am I right on that?
Jon Staniforth:Yeah. Yeah.
Rayna Stamboliyska:I mean, I tend to do that quite a lot as well, and it's a very different challenge than arriving in a more or less mature situation where you refine and make things more perfect, you know, or more mature. It's a very different way of looking at things, looking at people and interacting with whatever environment you have. Right?
Jon Staniforth:Yeah.
Rayna Stamboliyska:So I would like us to go into that a little bit more, you know, like, what it is to be the first person to lead security at an organization, what it is to have the blank sheet, and why do you enjoy this?
Jon Staniforth:Yeah. I'd say sometimes it's greenfield, and sometimes it's what we call brownfield. You know? So you've inherited some stuff where somebody's got a company who's had a policy, but nobody's actually paid any attention. So I think it's a combination of, I'm naturally nosy.
Rayna Stamboliyska:Welcome to the club.
Jon Staniforth:Yeah. So I think that, yeah, I think good cyber people are. So it's trying to understand what that business is doing, why they want cyber or security, and what its objective is, which, bluntly, 20 years ago when I first started in a BPO, they really only wanted somebody there because some of the customers had asked for a cyber person. The company itself didn't want to actually invest in security. Yeah.
Jon Staniforth:And I've learned the hard way of, oh, actually, really? Why not? So I think what I've learned is to try and find out how your business actually makes money or what it really, really cares about. Some businesses might be at a phase of their journey. So I've worked for private equity.
Jon Staniforth:I've worked for public companies. There are phases of their journey where they actually are just trying to sort of keep the company afloat. And then the reality is you're trying to do the best you can with cyber, but really nobody cares. Then you've got maybe another stage of the cycle where the companies need to introduce compliance. I first did PCI compliance in 2006, 2007, that sort of era.
Jon Staniforth:And trying to sort of say, well, we only need to do it because these clients want us to do it. And that sort of thing. I even had to go to the board and present to get people to do security awareness training because we were paid by the employee on the phone, not for those other things. And so it was a P&L recognition for 60,000 people to start doing compliance training, an hour off the phone. And, of course, every site had its own P&L, and that was time off the phone.
Jon Staniforth:So it had to go to the board to even do what we now take for granted as awareness training.
Rayna Stamboliyska:Wow.
Jon Staniforth:So I think it's trying to understand that. And I'm not saying it's easy because in every company, each stakeholder, each officer of the company in the exec team has got their slightly different mission. Hopefully, we'll pull them together. So you've gotta really understand the company, then start to understand the stakeholders, then start to understand the direction. And then, ultimately, it's about the speed.
Jon Staniforth:So people talk a lot about risk appetite. I think it takes a year or two to develop in most exec teams because everyone says, I don't want no cyber risk. But then when you say x million dollars to fix it, suddenly they wake up and realize they may not have that.
Rayna Stamboliyska:Right. No. So I have so many questions here. You mentioned the board. What lessons have you learned about, you know, working with boards on precisely that understanding of security, of risk, of the time it takes to not necessarily build risk appetite, but to build a team that can own that risk appetite?
Jon Staniforth:It's quite a cultural transition. I've been in several companies who have had to rewrite the technology and cyber risk framework and almost get people lined up even in the technology functions to what matters, which may not always be the cyber risk, may not always be the top one. If you've got something that's linked to health and safety, it could be the company's better off spending on that than they are on cyber. So you've gotta start to be a bit honest about sort of where you are relatively in even the technology and cyber functional alignment. Then you could almost start to do the same at the business level, where in some companies I've been lucky where I've been able to properly integrate the risk frameworks with the enterprise risk and actually get the whole company start to think about risk.
Jon Staniforth:I've sort of been lucky in a couple of organizations where I worked on operational and enterprise risk as well as this hybrid technology and trying to reassign the accountability back where it belongs. That doesn't mean boards have deliberately ignored risk. But if you're a senior person and you're gonna make some really hard choices, it's much easier to push them downhill if you can. And so reassigning accountability as a CSO, I think, is a key part of the role, and that'll take different amounts of time with different board members.
Rayna Stamboliyska:Yeah. So how many more companies do you think are in that position of needing a CISO, especially, like, because we are in nearly, you know, 2025. Like, it's the 21st century. How many more companies do we have that are in the beginnings of their cybersecurity journey? And another question is, you're a seasoned professional, right, with a huge amount of experience, and you've seen, like, so many things, I'm sure.
Rayna Stamboliyska:And, you know, you have so many anecdotes of completely crazy things happening. So when should those companies give someone like you a call?
Jon Staniforth:I think it's a combination. So the amount of companies, I'd just say, it's still more than 50% that need some help. Yeah. Obviously, the very large, the FTSE type of companies or the Fortune 500, are broadly in a better shape. However, many of them are still on their journeys.
Jon Staniforth:The OT, the operational technology, evolution of cyber has really only happened in, I'd say, the last 3 to 5 years in most areas. Obviously, some industries have been going a lot longer. We look at even the visible ransomware attacks, and that is just joining our operational technology up to traditional IT, if you like, and that's, you know, people swapped out serial cables for network cards. They didn't redesign the operational technology. So there's all that underlying to go.
Jon Staniforth:So I think on that side, it's, hey, it's like death and taxes now. It's gonna be there forever, and companies aren't gonna get away with it. I think regulation will carry on getting stronger. We're seeing that with the Telco Act.
Jon Staniforth:We're seeing that in the US, although Trump may reverse some of it. But we're seeing that sort of indication, which typically, companies are regulated for any reason, in my view, when broadly they're not doing the right thing as a sector. So, you know, governments focus on them, whether it's a health and safety regulation or something, you know, financial regulation or, in our case, cyber related ones. I think that'll carry on, I think, for years, which is sort of what you can keep predicting until more systemic adoption occurs. In terms of when someone calls people like us, I think it's back to where that company is on its maturity journey.
Jon Staniforth:If they haven't got much money in their hand and they've really got hands on and they're a small SME, then it could be they just need to get some of their IT people taught a bit of the basics and stick with some of their sort of material. We've got the National Cybersecurity Council, which has a sort of top 10 cyber controls, and that might be enough for them. I think as the company starts to understand its product and how integrated its product is within their value chain, which itself is in education, many companies don't understand they're totally reliant on computers. If you switched the electricity off, many of them would stop. But the non-obvious businesses.
Jon Staniforth:Do you know what I mean? An online website, obviously, knows it is a Just Eat or whatever delivery. You know, their whole business is that, banking trading floors. But many companies haven't really understood, even at their executive level, that they're reliant on technology. They sort of know, but they don't really realize.
Jon Staniforth:And CrowdStrike was a good example of some companies that obviously didn't realize how reliant they were on technology. Yeah. Yeah. Irrelevant of whether it was a cyber incident, suddenly companies stopped working. So I think there's an evolution of senior management outside of cyber that has to happen where people who've grown up with computers will eventually become the leaders of companies.
Jon Staniforth:Whereas the leaders of companies often didn't, you know, IT was just the thing that happened in the corner. So I think people like me and the next generation of CSOs will continue to be needed. But I think it depends on the maturity of the organization as to when you need someone with more experience, and whether it's a, yeah, hands-on firewall engineer, which is really part of your IT function, or it's more integrated strategically with your business.
Rayna Stamboliyska:Yeah. More of a BISO, you know, business information. Yeah.
Jon Staniforth:Yeah. And if you think about it, many organizations, even the big four, still keep on saying cyber is just an operational risk. There are other reports that say, well, actually, isn't it part of your strategic risk, your financial risk, not just your operational technology risk? And I think that's that evolution of us becoming more risk leaders and that sort of vein of the CSOs that are talking about, actually, aren't we in every risk aspect and risk decision of the company
Rayna Stamboliyska:Yeah. Yeah. Yeah.
Jon Staniforth:As opposed to we're only dealt with when you talk about a new application. The technology businesses understand that because they don't exist so much, or they're more understanding of that. Whereas a business is a bit of a combination of making things or bricks and mortar. I think there's still a lot of learning to, you know, prove another generation of it.
Rayna Stamboliyska:Yeah. Well, speaking of bricks and mortar gets me thinking about your most recent role, you know, where you led cybersecurity in the Royal Mail.
Jon Staniforth:Yeah.
Rayna Stamboliyska:It's an organization where you had to deal with IT security, obviously, but also operational technology, also with regulators. And, well, leading cybersecurity at one of the biggest and most high-profile brands in the UK, you know, things that have been existing since the 16th century, which is kind of, I still can't get my mind around it. Right? So why did you decide to step into that role? Like, you were the first CISO, you know, that Royal Mail had.
Jon Staniforth:Yeah. Yeah. So they'd had sort of a director of IT security before that, and I think a head of before that. But as a CISO, since the split from government, nobody sort of branded that role. So the first thing was really scoping.
Jon Staniforth:Scope and scale was part of the reason I chose to go there. The operational technology, I like to sort of learn, keep learning. Again, I think it's a trait of cyber folks. So I've done agile and integrated that, big data and telco and networking, so different types of cyber. And, really, it was size and scale.
Jon Staniforth:The executive team that was there wanted to try and change the organization, so I'm interested in sort of business change and transformation. They needed to modernize the underlying technologies in Royal Mail and the ways of working for delivering the post. So that was really a big reason I went for the change.
Rayna Stamboliyska:This is where we get to talk about the good and bad things. You know? You've had to deal with serious security events at all those organizations. I mean, it would be more surprising that you wouldn't, you know, have to deal with them.
Jon Staniforth:But Yeah.
Rayna Stamboliyska:So when you look back, you know, how big a deal were those issues? What are the things also that you tell yourself to work on or prepare for now that you can have the benefit of hindsight?
Jon Staniforth:Yeah. Hindsight's a wonderful thing, isn't it? Right.
Rayna Stamboliyska:We are always right in hindsight.
Jon Staniforth:Yes. Exactly. Yeah. No. Throughout my career, from the Shell jobs through in those days, it was helping set up Shell's crisis management rooms.
Jon Staniforth:I was an IT support person, so it was really for all disasters. So I suppose I've got some of the concepts of how does sort of gold, silver, and bronze, you know, the strategic being gold, the sort of silver being middle management, the bronze being the operating teams. How does that sort of framework start to work? So I think that sort of gave me a good grounding. All disasters are physical things, you know, oil spills and things.
Jon Staniforth:So I was more an observer of that. And, again, I think that was a very good career grounding for me. In the telco sector when I was there, it was fixed telco in the Netherlands, a pan-European company. But, again, you sort of saw availability in that sort of, how do you react to something. And in those days, there weren't many hosted comms rooms, so we had failover comms rooms and things that I was responsible for building, and resilience and redundancy sort of across 13 countries in Europe.
Jon Staniforth:So I think some of it came naturally, and I've had that sort of experience from those sort of IT days. And then back to the point you made about, it's about the users and what it is the company's trying to achieve. And I think what I've learned over time is to get more refined and honed on that mission and not get too carried away with the technology part of finding out and investigating what's happened and why too early. And I've been involved in frauds and things where I've sort of run a more holistic sort of incident function. And sometimes you have to go, well, what's the actual objective?
Jon Staniforth:Is it to prosecute someone, or is it actually just to get the business working, deal with the issue? And so working with lawyers over the years and other people, that sort of helped give me a balance, whereas that natural inquisitiveness and the technology person would wanna drill into what's going on. So in my latest sort of incident, I had to sort of say to people, the ransomware event at Royal Mail, the proverbial burglar's got in the door. We know they've messed up our house, but we don't yet know how they got in, and we don't yet know how they executed with the data. And at what point do you stop spending money on that during the forensic investigation if the business is now more focused on operating, recovery, and so on?
Jon Staniforth:And, similarly, I was in an event several years ago that went very public. It's a different organization, which is more a data breach. And so it's how do you keep the customer satisfied so that they don't derisk themselves by switching off giving you their data. So it was very much a, what's the mission of the organization for that particular event. And then probably what I've learned is to get much more, that's your role.
Jon Staniforth:That's your role. What can I prepare? And recognize that frameworks tend to work better. We talk about playbooks, and I think playbooks work well when it's, you know, I've got a bit of some viruses running around on some IT equipment. What's my SOC do?
Jon Staniforth:And hopefully, they're sort of containing it before it escalates to a crisis. But crisis frameworks, I put one in place for a company, and we used it for everything from an earthquake in Chile to a shooting to cyber incidents to frauds, because the framework was site, country, global, depending on what level it escalated to, and we could pull in even people from different countries. I dealt with the earthquake in Chile many years ago, and I don't speak Spanish. So we pulled out the Spanish crisis team who spoke Spanish. We pulled out the North American one who could help us with the HR, the Central American one, and, actually, that sort of concept of frameworks and crisis teams like that tends to work better because you don't know exactly what's gonna happen.
Jon Staniforth:Yeah. Somebody tweeted out the Royal Mail ransomware notes within a couple of hours of it being printed on a printer, or a rogue member of staff. We still don't know who it was, but it didn't really matter if it was out in the public. Who are we still investigating the issue?
Rayna Stamboliyska:Wow. Yeah. That gets you some
Jon Staniforth:Yeah. So a playbook wouldn't have helped you if the playbook is, don't tell anyone until you actually understand the problem, then tell people.
Rayna Stamboliyska:Right. Right. It's interesting because, I mean, you just said it. You know, it's not about the bits and the bytes only for a cybersecurity leader today. So what are the things that have surprised you, but in a way that you realized you could not take for granted, you know, that others can learn from?
Jon Staniforth:Good boy. I think the thing for me was my transition from a technologist to a sort of cyber person was, and that sort of continued evolution is, just not assuming people actually understand how technology is helping them. So whether it was even an IT person, you know, they understand their bits of technology, but they don't understand that it necessarily joins up to the whole piece of the pie of how the business is using the technology. You often hear about the IT department looking after the servers, but they don't know what data's on them. So that sort of assumption, I sort of made, I'd say, more in the early days.
Jon Staniforth:And, as I said, on the business side, I very much thought that people, at least, I think they're expecting to understand a computer, but I expected them to understand how the computer supported their business processes. And I think people disconnect a bit. So those are the things that are still big, which is, you know, to actually understand. I've been in several companies where, as the CISO, I've had to help actually map out the actual business process, macro components. Wow. And then actually help the business understand, right, this is actually how you're making money and these are the key systems supporting that.
Jon Staniforth:And from that, then surely these are the ones you want to protect. Yeah. But that can take months in some companies to actually even get through, because that organizational knowledge is within silos.
Rayna Stamboliyska:Right.
Jon Staniforth:And so you'll get the marketing person understanding their bit, but actually they didn't realize that it was wrong. This sort of finance person who wrote the code 10 years ago actually is an accountant.
Rayna Stamboliyska:Right. Yeah. Now it has this fancy name of business impact assessment
Jon Staniforth:Yeah.
Rayna Stamboliyska:Which is, like, the right way of naming it. I'm very curious, you know, as to how many people actually do it. Right?
Jon Staniforth:Yeah. And also back to maturity. So I think, oh, that was something I've definitely learned. Keep the jargon inside the technology function in cyber.
Rayna Stamboliyska:Right.
Jon Staniforth:So even with risk management, it's like, yeah, you gotta find the right way of getting them on board. Otherwise, it's just this artificial exercise that people don't understand. So try and make things tangible. So, yeah, the way I tend to do the, I'll call it the macro BIA, is think of a three-circle Venn diagram and go, well, one focus is how the business makes money. Another focus is how the business operates and which systems and business processes fall into that.
Jon Staniforth:So making payroll. Payroll in itself doesn't make revenue. Yeah. So that might be an operating system. And the third sort of circle of the Venn diagram is your compliance, which might be in some businesses only sort of privacy and GDPR, I said only, or in other businesses it might have, let's say, wider regulatory implications in financial services.
Jon Staniforth:So if you start to think of those three Venn diagram circles and go, where do they overlap in two areas or even all three areas, then you can start to hone in on the crown jewels, or whatever you wanna call the most important systems. I think that's a more tangible way of people understanding how it hits their business than talking about BIAs.
Rayna Stamboliyska:Right.
Jon Staniforth:Because some of these businesses have no business continuity plans. ITDR might be around a few key systems, and many organizations are still, yeah. That's another sector of overlapping with cyber, where many organizations don't have great BCP plans unless they've pre-recognized the value or they've had an incident to realize they need to invest in it.
Rayna Stamboliyska:Yeah. It's a cold subject anyway, you know, until it isn't. You know? Yeah. Exactly.
Rayna Stamboliyska:So which gets me to the question of, like, how do you see the role of cybersecurity and of the cybersecurity leader evolving over the next, say, 10 years? Let's be, you know, bold.
Jon Staniforth:Yeah. I think we're gonna continue to see that. How do we integrate better with business process flows, make life easier for people as more tools come in? I use the analogy a lot of cars and houses for people. But if you imagine when I was a kid, cars used to be locked with a key.
Jon Staniforth:And you put it in the door on the outside of the car and you turned the lock, and many people chatting to their friends and family would wander away from their car and not even lock it because they were chatting and it was painful. To where we've developed over the years from sort of, you know, remote key fobs to handhelds, now to our mobile phones for some people with cars, or fingerprints. So everyone's been trying to make the evolution of locking a car so it doesn't get stolen easier and easier for the consumer. And then, obviously, the cars themselves are changing, you know, sort of without the right key, they don't switch on or they're isolated and, you know, to stop the average thief from stealing the car. So I think, as cyber, we will take lessons from some of those very practical things that are on mass consumer, because, yeah, and go, well, how do we apply more of that to people's everyday life?
Jon Staniforth:And then the other part, which unfortunately linked to cars is, we accept the risk of people get damaged and killed by cars. And as a society, we've decided that the functionality of the car is worth that risk. Whether we're sitting in the car or whether we're the ones sort of hitting pedestrians, as a society, we've accepted that. And I think cyber's gotta move from this sort of dark it's all yeah. We're we're we're gone from the it's really scary, and it only happens to other people to national security organizations.
Jon Staniforth:Governments going, no. It will happen to people because it's integrated so much with the technology that has come along. That how do we teach people enough to, on the whole, make them drive safely, but as a cyber function, stop trying to take all responsibility on? So I think the role will have continued to evolve of education, business awareness, integrating toolsets, making people's lives easier.
Rayna Stamboliyska:Right.
Jon Staniforth:That's where we've got to keep going. But it's never going away. Yeah. Their health and safety systems, you know, 20 years ago, you weren't told you can't walk down the stairs with a cup of coffee in your hand. Now in some companies, you can't walk down the stairs with a cup of coffee in your hand because they're worried about health and safety.
Jon Staniforth:So you gotta find the right balance.
Rayna Stamboliyska:Right. So, okay, let me push you kind of more drilling into that. Like
Jon Staniforth:Yeah.
Rayna Stamboliyska:Is there a black swan event that you could imagine would affect cybersecurity leaders and that they should consider?
Jon Staniforth:Oh, pardon me.
Rayna Stamboliyska:Yeah. I know. I have those questions.
Jon Staniforth:I think we're gonna continue to see more of the CrowdStrike-y type of impacts. I'm not saying the CrowdStrike event particularly, but the world's more and more reliant on software. We're getting faster. There's that side. I think data integrity and data with the AI, I think we're gonna continue, unfortunately, seeing some bigger booms around the world.
Jon Staniforth:The biggest black swan, I'd say, is most sectors are relying either between them or individually as companies on very, very old technology. The world doesn't understand we're still running on mainframes that support most of the banking systems.
Rayna Stamboliyska:Right. Or on Excel sheets.
Jon Staniforth:Or yeah. On Excel sheet well, Excel sheets, you could argue, are modern, aren't they? But do you know what I mean? I think the Western world is quite fragile if you actually look at the underlying ecosystem. And a CrowdStrike type event demonstrated that fragility, I think, more than anything.
Jon Staniforth:So that's what I'm saying. I think we're gonna see more of those type of things, which is why I think that business resilience, really understanding those core systems. If I've got 1,000 systems in my company, I've only got enough money for 10, then are they the right 10 on protecting and can I recover from them? So I think that it'll be more en masse events that will come and hit us.
Rayna Stamboliyska:Mhmm. Gotcha.
Jon Staniforth:Because we're so interconnected in the ecosystem. Yeah. Because that's what it is. And we can't all do several thousand third-, fourth-, and fifth-party assurances and measure them all. And we can't do you I mean, I think we gotta be more realistic about it.
Rayna Stamboliyska:Right. Yeah. Yeah. No. You're right on that.
Rayna Stamboliyska:I mean, there are things that at scale just can't function anymore as usual. I mean, when you're at small scale.
Jon Staniforth:Yeah. And we've got these mega mega companies, whether it's the Amazons and AWSs, the Googles, the mega organizations that are supporting so many industry sectors and countries now that if something happens to one of them, which, again, they're all doing as much as possible to prevent, but they still have major outages. You know, how many companies are linked into Salesforce, for example, but there's big companies across sectors that lots of organizations are leveraging in the SaaS world, in the public cloud world, in the underlying ecosystems that we'd be naive as a human race if we thought, well, something couldn't happen.
Rayna Stamboliyska:Yes. Yeah. Yeah. I agree with this. What does the future hold for the CISO role?
Rayna Stamboliyska:You know, how would you improve it so you could have the most impact?
Jon Staniforth:The boy magically teach the exec teams a little bit more about technology. This is a complicated one. I think you got I think we've got a problem with identity. So we've got one set of organizations and CSOs, and I mean consultancy firms and things like that. The CSO's gotta become more of a business leader, not a technologist.
Jon Staniforth:And that's the direction we've been going in, and it's understandable because, you know, technology has been adopted across all parts of the business. It's not just in the finance team running spreadsheets or accountancy tools anymore. It's pervasive in every organization. However, there's another set of people now going, well, is there now a merger between the CTO or the c the CIO role and the CSO role? So how confusing is that for boards?
Jon Staniforth:You get one set of people going, your CSO needs to be business aware and more risk aware and less technical. Another set of people, and you can read articles online, go, now we should be merging the CTO role and the CIO role, but there's meant to be a natural tension between the two. So it's quite interesting. So I think for me personally, I analogize it to, like, a CFO function. The CFO function has been around for thousands of years if you go yeah.
Jon Staniforth:It's very mature. We're very young. But the CFO has a responsibility to the company, but they're not responsible for every piece of spend in the company. They do the budgets. They make sure the company does taxation.
Jon Staniforth:It's not gonna be, you know, break any laws that the chief executive and the other people know their responsibilities and what they are and allocate them. I would see the cyber function, the best thing we could do is try and take that analogy more and go, no. You you're responsible for your platforms in your part of the business. We're educating you. We're gonna make sure you don't break the tax rules or the cyber rules and the basic thing, but, ultimately, you're accountable for it.
Jon Staniforth:I think that's personally a better way of blending us in, recognizing that the technology function has to also start to build it. You know, we keep on hiring accountants that can't count. If you hire a server engineer that can't actually implement the Microsoft top ten security recommendations on a Microsoft server, why have you hired them? That shouldn't be seen as a security role anymore. That should be seen as you've just hired an accountant that can't count as a CIO.
Rayna Stamboliyska:Well, Excel does it for you. No. I'm kidding. But yes.
Jon Staniforth:So Yes. But they have to understand numbers if they're in finance and things. And we still, as many organizations, are accepting technologists that can't do the basics.
Rayna Stamboliyska:Yes.
Jon Staniforth:And that's what I mean. That's so I think that's where we've gotta stay close. And then, obviously, then it's much easier for people to design systems with cyber built in. Yeah. But I think, ultimately, we've gotta become more like the I'll call it the CFO function.
Jon Staniforth:You might start business partners, the buy so, with a part of the organization. You might have an embedded accountancy function in some, you know, complex parts of your business. But, ultimately, your CFO reports to the board the budgets and progress and reports risk on tax and where you're spending this much on advertising versus this much on risk. That's gotta be more, I think, where we've got a good analogy.
Rayna Stamboliyska:Right. Yeah. Well, wow. I got carried away in so many thoughts listening to you. Sorry.
Rayna Stamboliyska:So, yeah, thank you for this. It's been very rich as in very much resonating with so many challenges that we have today. You know, like that last question you had got me thinking about no code and low code that are starting to enter large enterprises, you know, with worldwide presence. And Yeah. And it you know, like, how do you do technology when you don't understand the basics of technology?
Rayna Stamboliyska:Right? So this is something and how do you account for those uses?
Jon Staniforth:Yeah. And that's what I mean. So how do we build controls again? So your driving instructor doesn't sit next to you in the car every time you get in the car, I hope.
Rayna Stamboliyska:Yes.
Jon Staniforth:So that's what I'm saying. We've gotta help blend in the right tools. You know, seatbelts weren't in cars 30, 40 years ago. So I think even with that toolset, we're not going to be able to do what I started doing as well in the sort of nineties where you lock everything down and users can't do anything because business wants flexibility. So you write low code, no code.
Jon Staniforth:Those elements are why I'm saying we've gotta have tools and things that build it in, educate people better to take their own responsibility. And, again, I think that's happening more, but shift away from this. The CISO's gotta fix the world. The CSO can't try and fix the world, whereas we were expected to 20 or 30 years ago. And now we've gotta be much more no.
Jon Staniforth:The cyber is everyone's we say it's everyone's responsibility, but we've gotta how do we help people actually just understand and adopt that? They still think that means open the engine of the car, and they have to fix the car. And I'm going, no. It just means you've gotta put petrol in the car, recognize that you're meant to drive on roads, and, yeah, the basic signs.
Rayna Stamboliyska:And not kill anyone in the process.
Jon Staniforth:Yes. But recognize that sometimes accidents happen. It may not maybe the person steps out in front of you. It may not be your fault. You know?
Jon Staniforth:But how do you then you know, you're in the fire brigade. You don't just drive off in the opposite direction. You ring an ambulance. Do you know what I mean? And I think that's that bit of scaremongering.
Jon Staniforth:You know, we're gonna teach people phishing. We're gonna have got the anti-phishing people. I've never believed in blaming the users anyway, but if you don't teach people the awareness of this is what a phishing email might look like in a bit of experience, then how do they, you know, how do they know what to look for? So I do personally believe in phishing training awareness. I don't believe in punishing people.
Jon Staniforth:I believe it's a it's just another way of journaling that this stuff can happen.
Rayna Stamboliyska:Right.
Jon Staniforth:But if you don't teach people anything, you just go there once a year. They're saying, well, there's this thing called phishing. But, yeah, try to teach them to spot the differences unless they're obvious. And particularly with the AI, it is dumb. So how do you use technologies that if they click on something, it's an accident, then, okay, what does it do?
Jon Staniforth:So that's where your micro segmentations, your other tools and access control and everything else start tipping back into play, which is just the foundation controls we've all talked about for 20 years.
Rayna Stamboliyska:Right.
Rayna Stamboliyska:Thank you, Jon. This has been wonderful. It's been a wonderful conversation.
Jon Staniforth:Thank you.
Rayna Stamboliyska:And that's all for this episode of What the Hack is a CISO, supported by Sysdig. If you enjoyed the conversation, then please give a review where you listened to this podcast. It helps others find the show and learn too. You can also subscribe so you never miss an episode. I'm Rayna Stamboliyska, and I'll see you next time.