Episode 8: What The Ho Ho Ho Is A CISO
Hello, and welcome to This podcast will help you in your journey to be a better cybersecurity leader. It's supported by AWS, the world's biggest cloud company, and by Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, an EU Digital Ambassador and the CEO at our strategy. In this week's episode, I'm talking to people who track the security industry every day, looking at the latest developments and scoping for upcoming changes or trends that will affect us all. These journalists speak to security leaders about their experiences and cover hack stories and attack groups that make the news.
Rayna Stamboliyska:So, today we'll talk about the major trends of 2024 and the lessons you can learn as a cybersecurity leader heading into 2025. And on today's episode, we'll have Anne-Marie Corvin of Tech Informed. Hi, Anne-Marie.
Ann-Marie Corvin:Hi, Rayna.
Rayna Stamboliyska:Thanks for being with us. And you've covered security and technology stories across a wide range of topics, from the rise of deep fakes through conversations with boards around how to get security right. And we also have Joe Fay. Hi, Joe.
Joe Fay:Hi.
Rayna Stamboliyska:Thank you for being with us. So you are a freelance journalist, and you've written for some of the biggest publications in the world around technology, from the BBC on AI and data center issues through to DevClass, The Register, and The Stack on the challenges that developers and other technology professionals face. Before we dive in, what's one word that you'd use to describe the mood in the cybersecurity industry as we close 2024?
Joe Fay:That's probably, the same word you could use every year, which would be tired. I always get the impression these guys are working very hard, and whether it's just keeping the lights on or dealing with explicit attacks. So they they always seem to be tired, a little bit burned out.
Rayna Stamboliyska:Anne- Marie?
Ann-Marie Corvin:I'm imagining when you come to the end of the year, just like all other industries, there's a reflective element. So reflective would be the word. It's always a really busy year in cybersecurity, but it just feels busier this year somehow. I just think there have been some really big attacks, especially supply chain attacks. There have been something I'll get on to later, but people sort of suggesting that we reorganize and, like, work in different sorts of ways.
Ann-Marie Corvin:And I I just think there's just a lot to think about. And the thing is that SOC teams and security leaders, they don't have a lot of time to think. They're going from one thing to another. So, like, maybe this is a good time of year to reflect.
Joe Fay:Yeah. That's probably what they thought just before Log4j happened.
Ann-Marie Corvin:Yeah. There's never yeah. That was around this time of year, wasn't it?
Joe Fay:Yeah. Exactly. Everyone sort of sort of thinks, okay. Yeah. Now we can well, this is my life.
Joe Fay:You sort of think, yeah, I'm gonna have a bit of a rest, think about, you know, what I can really do next year, and then something unexpected happens. And unexpected is probably the best you can hope for.
Ann-Marie Corvin:Yeah. I was speaking to one CIO, and he was saying that he's finally got the go ahead to get a SOC team to sort of, like, outsource some of his, sort of SOC stuff. I'm thinking, like, he must be the only person that's, like, glad to get socks for Christmas.
Rayna Stamboliyska:Give him a break. Talking about stories, what was the most important one for you in 2024? And you cannot say CrowdStrike.
Joe Fay:Oh, see, because I had CrowdStrike at the top of my list to, you know, just because to sort of show how important cyber companies are and how bad it can be when things go wrong. But also because it wasn't just a cybersecurity story, it was a development story and a supply chain story and everything. But, I guess beyond that, the ones that sort of really stood out for me were the NHS attacks in the UK, because it it kinda hits close to home. I've had family members in and out of hospital this year, and it's hard enough at the best of times. But when everyone's having to go back to paper and pen or just nothing at all, it's really hard for everyone.
Joe Fay:And it always just sort of seems so sort of cynical. Really, some of the worst sort of attacks that threat actors can attempt and and pull off.
Ann-Marie Corvin:They just don't care. It's just a business. You think it's the lowest of the low, and we've reported about, you know, hospices and hospice pharmacies being attacked. I think that was in the US. And it it's like they they actually don't see it like that.
Ann-Marie Corvin:Some cyber gangs say that, you know, there's almost honour among thieves, and there are some industries some of them just don't touch. But speaking to the experts, there's no sacred cows. They'll go after anything. And if you look at how many health care companies have been attacked this year, like, it's risen by about 25% this year alone. Yeah.
Ann-Marie Corvin:They don't care.
Joe Fay:Yeah. On a sort of less sort of negative way, I mean, a couple of things I found really interesting was the LockBit disruption way back when. And I kind of when we were sort of talking about doing this, podcast stuff, it's easy to forget just how much happens in a year. And, you know, going back to Anne Marie's point about being reflective. So I I went and I thought, well, I can scroll back over stuff that I've done.
Joe Fay:Or I I went to the NCSC review of the year and sort of going for it. So, oh, yeah. Yeah. Back when whenever it was February, LockBit was, I don't know, you can never say taken down, but was obviously severely disrupted. So it's kind of to see who whoever authorities, law enforcement, sort of scoring a bit of a goal is sort of interesting because it it's easy to get buried under all the avalanche of attacks and the chaos that's sort of being caused.
Joe Fay:It's easy to forget that sort of sometimes, however you wanna describe authorities, organizations can hit back. And sort of in that vein, something else I was kind of interested in, there's a lot of concern about all the elections happening this year, particularly in the EU. And they kind of seem to, come off generally okay, bar misinformation and and and all of those sorts of concerns. But, you know, there'd been a lot of concern within the European Commission, for example, but they seem to manage to be able to hold an election, you know, get results without being too concerned about attacks. It's gonna be a personal thing as to whether it's the right result or not, but it was carried out without being crippled by cyber attacks or or any other kind of attacks.
Ann-Marie Corvin:It's interesting, isn't it, for all the column inches that were written about the year of elections and deep fakes and stuff that there's no evidence that any of it's, like, changed the outcome of any of the elections that we know of.
Rayna Stamboliyska:Yeah. You've had other types of interventions. Right? Like the Romanian presidential election, tampering, you know, influence campaigns, if you like. But none of this was AI powered as, you know, like all the pundits were expecting it to be.
Rayna Stamboliyska:And, it's an interesting one. So how about your story, you know, your most important story without it being CrowdStrike?
Ann-Marie Corvin:I think it's got to be the grenade that Gartner threw in the water during the European conference this September. So there's a packed room full of cybersecurity leaders and vendors, and Gartner takes to the stage to tell everybody to stop focusing and investing in prevention and zero trust. They argued that preventing every single attack just isn't possible anymore, and it's leading to burnout and budget strain. And instead, they suggest that firms start treating cyberattacks like shoplifting in retail or fraud in banking, just writing it off, you know, accepting a certain amount of risk and shifting focus to response and recovery. Their advice is to build incident response playbooks and simulations, especially for hot button issues like generative AI and third party vendors because they say breaches are inevitable, which is quite a, I think, quite a radical move and things to say.
Ann-Marie Corvin:The mantra has been zero trust for quite a few years now.
Rayna Stamboliyska:Yeah. And what if we extend this conversation? Like, how has the cybersecurity narrative evolved in 2024? Are we finally moving beyond the cyber as a cost center thing? Or what hit you, you know, outside of this Gartner position, let's say, but more broadly?
Rayna Stamboliyska:Have things actually changed in the ways that you report them, in the ways of what resonates with leaders, in the ways that they react to whatever is being reported?
Ann-Marie Corvin:I think that's hard for me to say from that session I was at that conference, and Gartner's advice didn't sit well with everybody. Vendors push back saying that prevention is still king. One even compared it to owning fire extinguishers. You'd rather not have to use them. It is a fascinating debate that reflects how the industry is evolving.
Ann-Marie Corvin:And I always think it's good to consider process. It's like, should we be doing the same things over and over again, or should we just, like, occasionally step back and look and see if something's working? I think people won't stop investing in prevention, but maybe they should be investing more in response. And I'm definitely seeing a lot more companies getting involved in simulations and tabletops. I was privileged to be able to sort of sit in on one at Black Hat this year, at Black Hat USA, and it was a health care tabletop.
Ann-Marie Corvin:And they've got local law enforcement people, people from the Vegas PD, they had health care professionals, they had software developers, and they mixed them all up and simulated a sort of health care attack on a fictional hospital. And just going through the process, you just think of things that you don't read or you don't hear in keynotes. Yeah. No. It's fast so, yeah, I I see more investment and time looking at prevention going forwards in the next year.
Ann-Marie Corvin:Interesting.
Rayna Stamboliyska:How about you, Joe?
Joe Fay:I'd agree with everything Anne Marie said, so I'm gonna have to think of sort of something else sort of interesting to talk about. Just recently, I've been writing about post quantum cryptography. I guess, for me, one of the interesting things has just been taking a look at just the whole issue and just stretching my brain. First of all, you gotta try and get your head around quantum computing before you can start thinking about post quantum security. I'm trying to think of a way of describing it that doesn't include a sort of profanity for the purposes of this podcast.
Joe Fay:But, I mean, it takes a sort of readjustment of your brain. So it's just been really sort of interesting because on the one hand, you've got all those day to day things that people have to worry about. We've already sort of talked about AI and deep fakes and all of those worries for this year, but it always sort of seems to me the part problem is people are having to deal with just the very basic problems, the the ID problems, phishing, and everything like that. Even as they're trying to get their heads around, oh, what do we do now that AI is powering these cyber attackers? So then how do they start thinking about, okay, we've got to update all the encryption across our organization and in all these embedded devices.
Joe Fay:So fascinating, and I'm just very glad that it's not me that's having to do this sort of thing. I just get to read the interesting stuff, speak to really clever people, and write about it, and talk about it with you guys.
Rayna Stamboliyska:This is an interesting way. So I have the opposite question. What's one under-reported security trend that you believe should get more attention, well, from journalists on one side, but also from cybersecurity leaders and teams?
Ann-Marie Corvin:We're very focused on AI, and a lot of the attacks and frauds are quite basic and quite scattergun and quite automated. And, yeah, it's not very interesting, but they they're very effective because of the the sheer scale that they're on. And I also think that there's there's a physical element to some sort of cybercrime that people don't like to talk about as much. Like, there's an old fashioned thing called a telephone, and people still ring up businesses to try and get emails and to find a door or a way in that they're unable to do on a computer. So it's that more analogue stuff and that more kind of automated stuff.
Ann-Marie Corvin:People just trying it until they land a victim. I guess it's just not very technical, so it doesn't get mentioned that much. But I'm imagining in terms of scale, there's more of that sort of stuff going on than AI based attacks, although I'm sure that will cut.
Rayna Stamboliyska:And why do you think it's not getting covered enough? Like, is it because it's not sexy?
Ann-Marie Corvin:Yes. And it doesn't involve that much technology. It's a telephone, an email. It's a lot of social engineering. We don't know the details too much, but Poundland was affected earlier this year.
Ann-Marie Corvin:I think they lost 15,000,000 due to a kind of social engineering slash clicking on the wrong email type situation.
Rayna Stamboliyska:Yeah. It's an interesting one because I'm seeing, especially among more elderly people, they never pick up the phone if they don't recognize the number, which has become a sort of a way of not, you know, having the the mental load of thinking, is that person going to scam me out of, you know, my retirement money or whatever. And so I'm seeing an increasing number of elderly who don't pick up the phone if the kids, you know, haven't saved the phone number into it.
Ann-Marie Corvin:My dad got scammed either last year or the 84. He'll he'll kill me for saying this because he's a really careful, clever, intelligent man. Wilko's just about to close down. So, again, it's in the news, and this link said electric bikes are available for £25, but you've only got, like, a window. There there's always time pressure for these things, and you've got a window of about, like, a day to take this offer up.
Ann-Marie Corvin:And it took him through to a site that just looked like Wilko's site. It looked no different. And he clicked on it, and he sort of paid the money, and he obviously didn't get a bike. But, yeah, there are a lot of people that just take advantage of what's been in the news, how good it is to mock up a company's website, and, you know, if something's too good to be true, it's just the old mantra, isn't it? It probably is.
Rayna Stamboliyska:Thank you for bringing this up and the shame associated with it. Right? Because we see this a lot from people who get scammed through investment scams, through that sort of very brick and mortar, you know, scams, if you like, and who are absolutely ashamed or afraid, you know, to speak up, which makes it even more difficult for us to know the extent of it and to also know what gets them to kind of trust that sort of approaches. And what I find interesting is I'm seeing an increasing number of news reports, journalists interviewing people who got scammed, and people who kind of decide to go with their face and their name there on TV and speak about this, about how that happened, about, you know, and I know the BBC has done some work or was it Channel 4 on romance scams, you know. And and there are a lot of those things out there, and this is absolutely needed because I mean, how do you fix trust?
Rayna Stamboliyska:Right? You can come up with all the AI stuff in the world. Yeah. How do you fix this? It's not very doable, at least not easily.
Rayna Stamboliyska:So one way of doing that is to kind of know that you can be a very smart, you know, a smarty pants and still get scammed just because you're human.
Ann-Marie Corvin:You know? And on an enterprise level with companies, I I think it's great when a company's being attacked, and then they come out. They just say, look. We've been attacked, and this is what we've done, and we want to without jeopardizing it. No.
Ann-Marie Corvin:Without risking to be wanting to be attacked again. Like, these are the, you know, lessons that we've learned from this. I think there needs to be a lot more information sharing, and I think people in the industry kind of realize that.
Rayna Stamboliyska:Yep. Keep that thought. I'll get back to you on it in just a minute. Joe, what do you think is the most well, at least one under-reported security trend that, again, you believe deserves more attention?
Joe Fay:I guess, you know, Anne Marie sort of covered it. And it is that its headlines will be about AI or ransomware, as you say, really sort of eye catching stuff. And most of what happens is, most of what hurts people is really sort of quite mundane, low level sort of tax scams or whatever and taking advantage of human nature. You know? They all work because humans tend to work in certain ways, and perhaps the industry or large parts of the industry maybe forget that.
Joe Fay:So I don't know if it would be a trend or maybe it's just sort of an observation. Just sort of going back to very consumer y normal people, The sort of mechanisms put in place to protect them kind of don't work very well. You know? It becomes really onerous to do something with your bank where it's supposedly trying to protect you, but it's stopping you from doing what you need to do. I had to pay the builder a year or 2 ago, and it was just really, really difficult.
Joe Fay:I don't know quite how you could sort of get around that putting in mechanisms to protect the financial companies, but also protect the people, but allow them to do what they need to do day to day and don't end up kind of and I guess this applies to a corporate level, that you don't end up in a situation where people have to bypass the security mechanisms to just to get what they need to do done. So, yeah, maybe that's an observation rather than a trend, but we can look at all the really eye catching, high level stuff, AI, sort of post quantum algorithms, whatever. But just a a lot of this stuff doesn't work for people on, on a day to day level. And that's maybe that's what doesn't get reported and then doesn't get sort of incorporated into security vendors' strategies, their thinking, and their product development.
Ann-Marie Corvin:I'd say in another thing that doesn't get reported is the impact that cybercrime has on people. I'd like to write a lot more about that next year. If you're interested, Joe?
Joe Fay:Yeah. Yeah. Yeah. Definitely. Definitely.
Ann-Marie Corvin:Jason times writes for us, so just teeing him up.
Joe Fay:Yeah. And I guess on top of that one thing, I don't know about you, but now when I see any kind of large disruption, and I'm sort of thinking last week in the UK, there was, massive problems with the trains. And my automatic thinking is, yeah, that's a cyber attack. That's, you know, some sort of state actor trying to cause disruption or something like that. And I just sort of wonder whether they're for some organizations, it might be in their interest to sort of let people think, oh, yeah.
Joe Fay:Yeah. That that's not their fault. That's not their incompetence. That's some really sophisticated state actor with a massive cyber farm and really good AI stopping me getting from where I live to London when actually, it's just, again, day to day incompetence and stupidity on the part of organizations and people.
Rayna Stamboliyska:Oh, yeah. You got me triggered like PTSD triggered with this sophisticated.
Joe Fay:Oh, I really I really didn't want to do that. Sorry.
Rayna Stamboliyska:No. No. But I mean, it's like we've grown so, yeah, exhausted of this sophisticated thing. Like, just own it. It happens and it will happen again.
Rayna Stamboliyska:So just own it. Don't, you know, kind of bullshit us with the sophisticated, you know, Mister Putin is not sitting in his high castle thinking about how to disrupt, you know, the day train from, I don't know, Birmingham to London. You know, it most probably is a group of teenagers known as Scattered Spider, by the way, especially for English speaking countries. Right? Which gets me to another question because Anne Marie was also kind of leaning into this earlier.
Rayna Stamboliyska:How do people or companies respond to crisis situations? Like, we have those every other day. Can you think of instances where organizations got it right? Like, do you have an example of a particularly effective crisis communication that you've covered this year? Because, again, communication can fool the crisis that's already there if it's badly handled.
Rayna Stamboliyska:And more often than not, still, people mess it up when they they try to talk about it.
Ann-Marie Corvin:I remember during the summer, like, when I was at Black Hat speaking to the guys at KnowBe4, which is a sort of cyber platform that trains you to sort of watch out for phishing emails and and stuff like that. And they got hacked by a North Korean hacker through LinkedIn. They employed someone that they thought was someone else, and it turned out he was working as part of a North Korean hacking farm. So there are just to go back slightly, there there there are lots of computer specialists working kind of really for the North Korean government. And they go into companies pretending to be someone else, usually using LinkedIn, changing their profile.
Ann-Marie Corvin:And they get jobs working in, you know, IT support or software developers, you know, for big multinational companies. And the money's going to the North Korean government and their weapons programs. And they're not necessarily trying to hack or break into the network. The prize is the wage. So we don't know how many companies there are out there where because so many people are remote now and be are being hired remotely.
Ann-Marie Corvin:And KnowBe4 were very good because it happened to them, and they're effectively a cybersecurity company. And so it's a little bit embarrassing. I don't think they got very far into the network, but the fact is that they were really open and transparent about it. And they started talking about it and sharing what happened. And as, you know, I certainly know a lot more about North Korean hackers after that story and also after the the excellent Lazarus Heist podcast that BBC Sounds do.
Ann-Marie Corvin:But, yeah, just just being open and transparent about trends like that really helps.
Rayna Stamboliyska:Yeah. Their blog post was very explicit. I remember this because it triggered, like, this snowball effect of so many people talking about those farms and North Korean infiltrated people posing as IT support or whatever, and even sometimes exfiltrating data from the companies that hire them, which then is used for, you know, other cybercrime operations and so on and so forth, which again, all nurture North Korea's weapons program. It was very forthcoming of them, and I to me, that's like one of the examples that stood out as people owning, you know, stuff and being very open about it. How about you, Joe?
Rayna Stamboliyska:What stood out for you?
Joe Fay:Nothing stood out, I'm afraid, in terms of people handling it very well. But I mean, but that that might be partly down to me. As a journalist, you're maybe working quickly and you cover things when it's all exploding and when everything's going wrong, and when probably a lot of organizations haven't really got their story together. And I don't mean as in a made up sort of story, PR story, but, you know, they don't know what's happening. And I guess it's down to me and people like me to, you know, as as Anne Marie was sort of saying earlier, to go back and look more at the after effects and and what happens to people afterwards and sort of see how people are communicating in the wake of it all.
Joe Fay:I mean, I know someone this this is something that happened in 2023, but I know a couple of people who are affected by a hack of a large outsourcing company that was handling pensions in higher education, and that was a big deal at the time. Understandably, lots of, you know, lots of people were affected, just haven't really heard anything since. So you can maybe handle a story badly and handle the communications badly when things are happening, and then there doesn't really sort of seem to be much in in the way of a follow-up because people get on with their lives. People have other things they worry about. How many people really do check their credit records or sort of credit scores in in the wake of stuff?
Joe Fay:And then companies can blithely carry on being incompetent or porous or leaving themselves open to hackers, and it maybe doesn't really affect their business in the long term. So maybe that's the worrying story that me and Anne Marie should be going back to look at a bit more closely.
Ann-Marie Corvin:I try and be less doom mongering. I feel it's too easy in cybersecurity to be negative because it feels like the attackers have got the upper hand, like, the whole time. It's the harder job to be a security leader in in, like especially in the environment today. And if I am allowed to mention CrowdStrike, just in terms of how the cyber community responded to it and how they all pulled together and helped businesses that weren't their clients or customers, they went in there and they helped them reboot their computers. And, you know, I I don't think the cyber community and the cyber leaders who were working overtime during that weekend in July ever got enough credit for all the extra hours they they had to put in when that incident happened.
Ann-Marie Corvin:Like, to take a step back and kind of commend that.
Joe Fay:Yeah. And that that's absolutely right. When we're talking about, as I say, large outsourcing company that was sort of rather porous, I would not point the finger at the security people per se, because they can only work within the budgets that they're given. They're not the ones who are then dealing with the customer follow-up afterwards and helping the end user customers in the wake of it. So, you know, cybersecurity people, they do an incredible job.
Joe Fay:That's why they're tired at this time of year. And if they're lucky, I have time to reflect. But, what we sort of spoke about, you know, whether security is a cost center or or not. And I think probably for many organizations, it probably still is. That's that's not a good thing for people working in cybersecurity, But it's also not a good thing for us because we are the people who end up getting affected in the long run.
Rayna Stamboliyska:Yeah. Right. So we've been talking about this encircling sort of towards it or around it. It's been some time that, you know, security leaders must balance technical demands of the role with increasing need for communication skills, but also business acumen, you know. So when we look forward in the coming year, what skills do you think will be most crucial for those leaders in 2025?
Rayna Stamboliyska:And you were mentioning about, you know, burnout and fatigue. How about, you know, approaches to personal growth, especially sustaining or improving on mental health? Because, again, I mean, if you are a leader and you have that mission and that job, you're sort of also expected to provide support to your team on that, you know, and to be, well, solid enough to also kind of defend approaches or programs or you name it that sustain, you know, your, yeah, mental health and personal well-being in times of under duress, especially in in the times that follow. So, yeah, how do you think are those methodologies or those programs evolving? Are they there at all?
Rayna Stamboliyska:Should they be there? Or, like, what's your take on personal growth for leaders and their teams in the year that's ahead of us?
Joe Fay:I was looking at some employment predictions for 2025, just sort of recently for a piece I'm writing. And this was sort of like more broad sort of tech rather than just security. But one thing that really sort of jumped out was, you know, they're sort of frontline workers. They want more focus on some mental health and well-being. That that's more important for them, particularly after sort of quite a tough few years in sort of tech job markets in general.
Joe Fay:So I think it's it's something that people are crying out for. This is sort of a broader technology workforce issue. Apparently, people are quite reluctant to move at the moment because if they've got somewhere that does focus on their mental well-being, that does sort of help them with their work life balance, unless there's a really good reason for them, which might might be financial, but might not be for them to move, they're less likely to move. So I guess whether all security organizations are there in terms of sort of thinking about well-being, they probably should be because we know there's sort of ongoing skills issues, shortages of the right people. So maybe paying people overtime when there's a particular crisis might might not be enough.
Joe Fay:You know, they're they're gonna need to think a bit more about how they look after people on an ongoing basis.
Rayna Stamboliyska:Marie, how about you? What do you think?
Ann-Marie Corvin:I think in terms of business processes moving forwards, I just remind, like, security teams to stop speaking in jargon. You get it in the press releases. You hear it in the keynotes. It kind of makes people switch off. It makes board members who are not technical switch off, and so you're not gonna get what you want.
Ann-Marie Corvin:Just speak in terms of business and impact, but just drop all the acronyms and the, you know, the all the language all the language and, you know, just just sort of tell it like it is. Speak in business terms rather than technical or or cyber terms would be one thing. I also think people in terms of skills and training but AI is coming. There's no doubt about that. AI and copilots and agents.
Ann-Marie Corvin:And there does seem to be increasing evidence that they're gonna, you know, help with all these alerts that people are getting every day. They're gonna help SOC teams. But you'll need training to be able to kind of manage that AI. So I I really think that that would be something that security leaders should look at investing in for their teams next year. In terms of mental health, why not invest in mental health as cost center?
Ann-Marie Corvin:Why not make that an actual you know, it's an investment?
Rayna Stamboliyska:Yeah. Well, you know, let's see how that taboo thing is gonna go around. It's always complicated to talk about what you're going through, especially when people are tired, irritable, not feeling well, you know, not on their best games. Being in a position of vulnerability and opening up about it, especially when you are seen as the person who has to protect everyone else, that's a tough cookie to crack to me. You know, like, how do you do that?
Ann-Marie Corvin:Do you know, I think the younger generation are much better at this sort of thing. You know, the Gen Zs and the Millennials, they don't mind talking about their mental health quite so much. And I do think that they will break some of these taboos that more experienced workers and older workers just you know? And it's it's like neurodiversity. People talk openly about ADHD and being on the spectrum and autism and how adjustments should be maybe, like, made around them and that we're all part of a diverse team.
Ann-Marie Corvin:And you need those people with those different thought processes on your team, and you should just acknowledge that and try and without bending too much, accommodate their needs. So you've got a more balanced team, which will ultimately be more productive, I I think.
Joe Fay:It'll be a challenge for security leaders. I think particularly, as Anne-Marie said, getting that balance because it's probably fair to sort of say, I mean, part of the way you learn to deal with terribly stressful situations, you know, big outages, big attacks, or the like, is going through terribly stressful situations repeatedly. So I guess it's how do you work out what's stressful enough to help, you know, particularly your sort of younger team members and sort of bring them through the organization? How do you sort of balance tempering them or, you know, whatever sort of slightly aggressive phrase that you might want to use? Because progressively, as you go through your career and as you move up in your organization, you will be dealing with more and more stressful, horrible situations.
Joe Fay:I mean, you know, imagine if you were one of the people having to deal with somebody, the NHS attacks, where it's not just the prospect of money or data being stolen, but really quite life or death type stuff. So you need people to have been somehow helped to become mentally resilient enough to deal with those situations, but resilient enough to be able to do that not repeatedly, not every day, because, you know, that's not fair to anyone, but, you know, people have to be able to go through that, come back, and do it again. So it's a long term issue, and, yeah, I guess people need to think, how do you develop people for the long term to do that? I don't know how you do that, but
Rayna Stamboliyska:Yeah. I mean, none of us here, I guess, obsess over this explains-everything sort of approach or this solves-everything, like a one-size-fits-all. I'm glad that we got to talk about this because it's not something that people openly talk about, which is sort of a shock slash disappointment to me because we've been there. I mean, we had COVID, you know, and we've been there. We talked about it, you know, as a society, about helping others who are not doing well with whatever's happening around them.
Rayna Stamboliyska:And we're back to square one of sorts, you know, of not talking about it again. So, yeah, thank you for bringing this up from the start. I have three quick-fire questions for you to close up this conversation. So number one is: which emerging trends do you believe will demand the most attention from security leaders?
Ann-Marie Corvin:I would say the supply chain security will remain a major concern because of the high profile breaches like the ransomware attack on the London hospital and CrowdStrike, you know, it's like all of these third-party supply chain issues. So I think that will be a main focus going forward next year as it was this year, but, like, even more so next year.
Joe Fay:Well, I guess I'll jump on skill shortages then because it seems the hiring market's gonna pick up in the new year or at least be a bit more buoyant. And there probably won't be enough good people to go around, so people are gonna have to think about, you know, how do we bring on that next generation of people? How do we develop the people that we've got? Because you can't just sort of keep dipping in the same well again. You know, you need to ensure that people are learning new things and that you've got new people coming into the sector.
Joe Fay:This is a long term challenge, so you need people in there for the long term.
Rayna Stamboliyska:So number two, quick fire. What regulatory changes should security leaders be preparing for?
Joe Fay:We know what might be happening in the EU, but I think because of the change of government in the US and what that's gonna mean for the sort of US cyber strategy, I think maybe they need to prepare for anything. I think it's very hard to predict what the policy, what the sort of starting point will be for how the US government's gonna look at cybersecurity, and that will have knock on effects for everyone else and around trade in sort of cybersecurity products and services.
Ann-Marie Corvin:Yeah. In the US, it's looking likely that there's gonna be less regulation rather than more. But I wonder how things are gonna play out in the courts. Things are gonna play out in the courts more. There's an increasing pressure on tech vendors to deliver secure-by-design software, with agencies like CISA doubling down on this, and lawsuits like Delta Airlines versus CrowdStrike might push accountability even further.
Ann-Marie Corvin:If CrowdStrike loses, that could set a precedent for holding vendors liable for costly disruptions. So that's not, you know, anything to do with government regulation, but I think in the US, it's gonna play out in the courts a bit more. In Europe, you've got DORA, which is officially rolling out in the EU in January. That's all about ensuring financial entities can withstand and respond to digital disruptions, for banks and insurance companies and the like. But the twist is that the CISOs are now front and center of ensuring this compliance.
Ann-Marie Corvin:So that's another big challenge for the years ahead, I'd say.
Rayna Stamboliyska:Alright. And number three, what's one do and one don't for cybersecurity leaders as we head into 2025?
Joe Fay:Do keep reading the tech press to keep abreast of what's going on, and maybe do not clam up when things are going tough, whether, you know, from that sort of mental health point of view or from actually explaining to the rest of the organization and to the customers what's really going on, or how bad or how maybe not so bad things are.
Rayna Stamboliyska:Thank you. Anne Marie?
Ann-Marie Corvin:I would say don't speak in jargon, and I would say do review your processes. So don't do things because that's the way they've always been done. Because when you're busy, that's what you always do. So why I mentioned the Gartner story was it might not be the right advice, but it makes people think: the threat landscape is changing. Are we doing things in the right way, or do we need to look at investing in other areas or strengthening other skill sets?
Ann-Marie Corvin:So, yeah, do review your processes.
Rayna Stamboliyska:Thank you. And for closing up with the end of the horror story, you know, the one-liner horror story: we've always done it that way. Exactly. Thank you for being with us today and for all those thought-provoking conversations. Keep up the great work.
Rayna Stamboliyska:Again, thank you. And dear listener, what is on your mind as we head into 2025? Any lessons that you have learned, please get in touch or comment. Read the publications that our guests write for. And if you enjoyed this episode, please leave a five-star review where you got this podcast so that it helps others find the show.
Rayna Stamboliyska:So, that's all for this episode of What the Hack is a CISO, supported by AWS, the world's biggest cloud company, and by Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, and I'll see you next time.