ITSPmagazine Podcast Network

Crisis Management – Responding to the Unimaginable | An Infosecurity Europe 2024 Conversation with Stuart Seymour | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Dive into the world of crisis management with Stuart Seymour, Director of Security at Virgin Media O2, as he shares invaluable insights on proactive planning and unified strategies. Join host Sean Martin in a dynamic discussion that explores the essence of resilience and the diverse perspectives shaping effective crisis response strategies.

Episode Notes

Guest: Stuart Seymour, Group CISO and Chief Security Officer, Virgin Media O2

On LinkedIn | https://www.linkedin.com/in/stuart-seymour-a4b7522/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this episode of On Location with Sean and Marco, Sean Martin hosts a captivating discussion with Stuart Seymour, the Director of Security at Virgin Media O2. The episode dives into the realm of crisis management, unpacking the complexities and challenges faced by organizations in responding to unforeseen events.

Stuart Seymour shares insights into the significance of crisis management, emphasizing the need for robust planning and coordination across different functions within an organization. He dives into the essence of crises as events that significantly impact business operations and require unified strategies for effective management.

The conversation touches on the concept of resilience, highlighting the broader spectrum that encompasses business resilience, operational resilience, IT resilience, and cyber resilience. Stuart stresses the importance of viewing cybersecurity within the context of overall business resilience and the interplay between various facets of an organization.

The episode also explores the dynamics of crisis escalation, detailing the role of crisis committees in navigating challenging situations. Stuart emphasizes the principle of "prudent overreaction" in crisis management, advocating for proactive measures and coordinated responses to mitigate risks effectively.

Furthermore, the episode touches on the diversity of perspectives in crisis management, as showcased by the upcoming panel discussion featuring stakeholders from varied industries. The panel aims to provide a comprehensive understanding of crisis scenarios and valuable insights for the audience.

Overall, this episode offers a deep dive into the intricacies of crisis management, emphasizing the necessity of proactive planning, collaboration, and adaptability in navigating unforeseen challenges. The engaging dialogue between Sean Martin and Stuart Seymour sheds light on the critical role of resilience in building and sustaining organizational preparedness in the face of crises.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcLEF2H9r2svIRrI1P4Qkr

Be sure to share and subscribe!

____________________________

Resources

Learn more about InfoSecurity Europe 2024: https://itspm.ag/iseu24reg

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new On Location episode. I am Sean Martin. I'm flying solo today. Marco is traveling on his way to InfoSecurity Europe in London. I'll be following suit, uh, very soon and I'll be joining him there. And, uh, a lot of our friends and, uh, I'll say cybersecurity family there in London, as we talk about, uh, all the latest and greatest in terms of business opportunities, how to protect business revenue and, and, uh, yeah, come together as a community to, uh, to make things better.
 

So, um, I'm excited to have, uh, Stuart on with us, Stuart, uh, Stuart Seymour, he's the Director of Security at Virgin O2. Stuart, thanks for joining.

Stuart Seymour: Uh, Sean, thank you very much for having me. It's an absolute pleasure.
 

Sean Martin: Good. Good to have you on. And, uh, congrats on getting a spot at InfoSecurity Europe. It's Thursday, June 6th [00:01:00] at, uh, five past two local time there. 
 

And the topic of your session is crisis management, responding to the unimaginable with a few, a few other panelists there. Um, are you excited for it?  
 

Stuart Seymour: Yeah, no, absolutely. I am. Thank you. I mean, InfoSec, um, is one of the go-to conferences, um, in, in Europe, um, and, uh, the panelists that I have a privilege to, to share a stage with are, um, incredibly knowledgeable.
 

So, so yeah, really looking forward to it. And, um, really looking forward to hopefully giving, um, uh, you know, really worthwhile session and so that other people can, can learn from the multiple shovels in the face that I've had throughout my career. Um,  
 

Sean Martin: that's not, that's not for breaking ground, is it?  
 

Stuart Seymour: No, no, [00:02:00] no, no. 
 

I wish it was. I wish it was. No, this is just from, uh, different crises and, uh, how they manifest themselves. Thank you.  
 

Sean Martin: Perfect. Uh, so I'm excited to get into the topic with you. Um, maybe a few words about who you are, Stuart, what you're up to. And, uh, yeah, maybe, maybe a look back into some of the other things you've done leading up to your, your current role as well. 
 

Stuart Seymour: Yeah. So, um, I'm very, uh, blessed to be the group, uh, chief information security officer, um, for, um, Virgin Media O2. So that's the combination, um, of two amazing brands, Virgin Media, um, and O2, so broadband and, and on the mobile side. Um, and, you know, critical in connecting people. [00:03:00] Um, and again, part of the real amazing work that we saw, you know, the company do was, you know, during COVID when people really needed that connection.
 

So I'm, I'm, I'm thrilled to be, I'm very privileged to be, uh, the CISO of, of, of that company, um, very, very blessed to have the team that I do. Uh, prior to that, I was at, uh, BAT, British American Tobacco. Before that, I was at Centrica, who are the owners of British Gas, Direct Energy in the States, which is an integrated energy company.
 

And prior to that Lockheed Martin. So that's how I came to be, um, you know, where I am.  
 

Sean Martin: And, uh, I was looking at your profile there, the risk advisory group, and I'm, I'm a, I'm a risk nerd. And I'm sure everything you started with there, uh, [00:04:00] runs through everything you're doing now. I had to guess. So a lot of, uh, a lot of SecOps, a lot of incident response, um, and, uh, yeah, lot, lots of fun stuff. 
 

I'm sure. A few sh, few shovels flying around there. Um, so th this topic of crisis management, um, the title of the session is responding to the unimaginable. I think I understand why those two go together. The question I have to start off with is, is, is it really unimaginable, or can we imagine it and then we choose not to?
 

Stuart Seymour: Yeah, no, no, no, that's a really good question. Um, a lot of it is unimaginable. And I study philosophy, and I have a favorite philosopher, and his name is Mike Tyson. And [00:05:00] he said, everyone has a plan until they get punched in the face. And part of crisis management is absolutely about preparing, about imagining, about scenarios, about war gaming, but then there are things that just come out of such a left field that, that some of it is unimaginable. 
 

So if you think about, even though it's not a specific cyber event, but if you think about something like COVID 19, you know, before we had, um, you know, swine flu, then we had Ebola and it was all contained in separate areas. People took it seriously as, as they should have, that those two aspects, but nobody imagined COVID and nobody imagined a pandemic that would, you know, lock the world down to, to the extent [00:06:00] that it did. We'd had different, uh, epidemics if you will. And, and we had all these, uh, pandemic plans. And I remember doing the pandemic plans when I was at Centrica and I was responsible for resilience and people were looking at things like swine flu and, and Ebola and things like this.
 

And, and, and, you know, looking at the containment, but nobody imagined COVID. So there are aspects that are absolutely unimaginable. Um, but there are a lot of aspects, the majority of the aspects which, which you can foresee and you can plan for. And I, and I guess, you know, the first part dealing with a crisis is all about, um, you know, the planning and the preparation, you know, wasn't raining when Noah built the ark. [00:07:00]
 

Sean Martin: So what is, uh, maybe a definition from you as well? Because is a crisis a situation where you didn't imagine or you didn't plan? Or, or you didn't practice, or I'm just wondering where, where it becomes, it moves from event to incident to crisis, yeah.  
 

Stuart Seymour: So the way I, and again, great question. So the way I look at, you know, that escalation process is a crisis, first of all, is when an event has a significant materiality to the business and that can really impact the business. Um, and it's also that combined with the requirement to, um, bring together [00:08:00] different parties and coordinate those different parties so that your external communications is the same as your internal communications, which is the same as your HR strategy to deal with that event, which is the same as the IT strategy, which is the same as the cyber strategy, which is the same.

And, and it's all the, that coordination so that the person that's speaking to the press isn't saying, yes, we've got all this in handle. Yes, we're doing this when the IT person is actually saying, well, no, we don't because we're still investigating. So I think for me. And companies will have very clear, clearly defined escalation proceeds.
 

Um, and those are, you know, governed by the type of business that they do, whether, you know, the business. So if you think about [00:09:00] something like a bank, so it's the CIA triad, right? It's the confidentiality, integrity, availability. So if you think about a bank, an issue to do with integrity and integrity of data is material.
 

If you think about, uh, a telecommunications company like mine, availability is material. And depending on where, what your company does will depend on what thresholds meet a crisis. But for me, um, it's to do with the impact combined with the coordination of multiple functions to have a singular, um, strategy, a singular voice, singular source of the truth to be able to deal with this event may or may not [00:10:00] be, you know, foreseen. 
 

Sean Martin: And when, when I see the word crisis, I think of hair on fire.  
 

Stuart Seymour: Yeah. 
 

Sean Martin: I'm going to guess that it doesn't have to be though, right?  
 

Stuart Seymour: No, no, no. And that's really interesting. And that's, so when I lecture on crises and crisis management, I always lecture it on a principle called prudent overreaction. And I think one of the mistakes that some companies make is equating crises with a loss of control and therefore being very reticent to call a crisis management, uh, committee or team together, um, because that to them would suggest that it's in extremis.
 

And, you know, the. Like you said, that there is a loss of control, [00:11:00] whereas a mature crisis organization will call, um, you know, the crisis committee together as part of prudent overreaction understanding because they've been through this road year before, and they've had the shovels in the face that it's easier to stand something up and then wind it down once you no longer need it than actually stand something up while you're playing catch up. 
 

So not only building the aeroplane while you're flying the aeroplane, but also while the aeroplane is on fire. And it's easier to and more mature organizations will espouse this principle of prudent overreaction, call a crisis committee as they anticipate an event. And like I said, it's easier to be on the front foot and [00:12:00] deescalate than the other way around. 
 

Sean Martin: So thank you for that story. I mean, it's fascinating to, uh, to get into this. I'm sure when you're, when you're in the midst of it, it can get, uh, can go. Can get quite interesting as well. I want to talk a bit about kind of the structure. I'm looking at the structure a few points from the from the session where it talks about internal procedures, methods of exploitation, looking at responsive recovery with respect to security strategies, communications you touched on. 
 

And then the last bit is resilience and, uh. The, uh, you call it, or the, it's called the post event wash up, the, uh, right, the, the post mortem. So those elements, um, as you're thinking about a crisis management plan, do [00:13:00] you think most organizations have those in place or what are your thoughts on that?  
 

Stuart Seymour: Yeah, no, I, I do believe that most organizations will have. 
 

you know, those in place and, and, and again, going back to COVID most organizations have had to respond to a crisis because COVID affected us all. Um, so I do think that. You know, lessons have been learned. I mean, for, for me, COVID was, was sort of really interesting because as, as we were kind of pre COVID trialing as part of our resilience strategy, trialing working from home strategies, we were very risk averse. 
 

We would only roll 50 people on at a time and test the work from home and et cetera. But then, you know, you know, from one day to the next here in the UK, almost we were, we were sort of shut down and it's like, [00:14:00] you know, you all need to work from home and suddenly that had a greater imperative to sort of, to move forward. 
 

So do I think that, um, the companies have crisis management plans? Yes, absolutely. Um, I think the majority of them do. Um, do I think that they're tested? Maybe less so, um, and that, you know, the scenarios, uh, sort of thought through, uh, and really exercised, um, it all depends on, on your senior leadership and senior management, you know, I'm very lucky that all my senior leadership are incredibly bought in, but I know speaking from peers that some of them aren't as, you know, um, you know, bought in as, as, as they may be.
 

Um, so are there plans and procedures? I'd say predominantly [00:15:00] yes. Um, are they exercised? Yes. Um, to a certain degree. 
 

In terms of the, the, the resilience aspect. It's interesting, Sean, because as, as you were, as you were speaking, you know, I was thinking about resilience in two ways. resilience about the practitioners because you can only run so many four minute miles with 50 kilos on your back. Um, and again, what quite a mature crisis management program and team would do is, you know, you have your alternates and you have people that are read in and you have people that are, you know, you, you have a really good bench that can come in and come out. 
 

It's almost like an ice hockey match, um, where people come in and come out. Um, and it's seamless. But then there's also the resilience and about lesson learning lessons. And I think [00:16:00] potentially that bit is harder because when you have a crisis, something's gone dramatically wrong and it could either have been, you know, as a consequence of somebody's actions internally or, or, or as something externally, but predominantly. 
 

you need a very strong culture that has psychological safety within its core, so that when you do lessons learned, it doesn't turn out into a finger pointing fest and let's look for somebody to hang because it was clearly their fault that they didn't secure the S3 buckets or whatever it might have been. 
 

Um, and of course, if you have that culture where, well, you could have a culture where it's, you know, phew, we're over that. Thank goodness. And everyone [00:17:00] just goes home. Then you also have a culture where it's phew. Thank goodness. Right. Who are we going to shoot? And then there's the more mature culture where people are, um, you know, more receptive to learning.
 

And there is that psychological safety where you say, okay, um, no fingers, no pointing. What happened and where can we learn what went wrong? How can we improve and let us just make sure that this never ever happens again. And I think that that bit is, is, is the more nuanced and the more mature organization that's able to say, let's bring all these people to the, into the room. 
 

And then therefore there's, there's no people that are defensive. There's no people that are protectionist. There's no people that are, um, that won't give you the whole version of events and say, look, it was my fault. I missed, I misconfigured, like I [00:18:00] said, the S3 buckets or I, in a physical world, I, I left the doors open and the river flooded in.
 

Sean Martin: Yep. I feel we could have a whole conversation on the bench and the hockey analogy. Maybe we can do that at some point. But I want to No  
 

Stuart Seymour: maple leaves.  
 

Sean Martin: Alright. I'm a king slash rangers fan.  
 

Stuart Seymour: Uh.  
 

Well, at least you didn't terminate the interview right there and then.  
 

Sean Martin: That's right, we're still going. Now somebody else might, no. 
 

No, but I am, what you just described though, it makes me think of something else that I've heard quite a bit of the last few weeks. I've had a lot of conversations. Resilience keeps coming up. And I want your perspective on, there's business resilience, operational resilience, IT resilience, business resilience. 
 

Cyber resilience is in there. And, [00:19:00] and I have a feeling that, that cyber thinks that cyber resilience is all that matters. Well, it does in their world. Um, but we tend to kind of forget the full business resilience and all the other pieces between, um, That big picture in ourselves, lots of it.  
 

Stuart Seymour: Yeah. That's  
 

Sean Martin: you're talking COVID in one part and, and it plays a role. 
 

Security plays a role in that. And maybe that's an example where we did well, kind of maybe.  
 

Stuart Seymour: Yes.  
 

Sean Martin: But then generally I think maybe we, we kind of forget that big picture.  
 

Stuart Seymour: Yeah, no. And, and, and I think, you know, us as cyber practitioners, sometimes can be a bit myopic. Um, I'm, I think I'm very blessed insofar as within my remit in Virgin Media [00:20:00] O2, I have to look at the entirety of the picture.
 

And I'm in charge of, you know, global resilience. And when we, when we deal with crises and crisis management, it's not just cyber incidents that have escalated that are within my purview. It's, it's everything that, that reaches the crisis threshold. Um, and all that needs a coordination of the teams, as I explained before.
 

So, so yes, no, I, I, I think, um, the point you, you, you make, Sean, is, it's quite apposite. And I think the point that resilience is broader than cyber, um, is, it's very well made, and I also think that at the end of the day, we are here to serve and protect the business, um, and, and we lose sight of that at [00:21:00] our peril.
 

It's one of these things where you said earlier in the conversation, really interestingly that you, you know, you're a risk nerd and that really resonated with me because my role, I view my role as a risk practitioner because I can never 100 percent secure a business, any business, because the only way I can secure a business is take your phone and your laptop and smash them up, put them in a Faraday cage and bury them in a garden.
 

But then there's not much business going to be done so that there, there is always an element of risk and it's our job as cyber practitioners to be, um, the exponents of risk to make sure that the risk is known and understood. And then that the senior leadership of the, of the company make an informed decision on the risk. 
 

And then [00:22:00] when we move into resilience to understand, um, that we are but a, but a cog in a, in a, in a greater, in a greater entity, in a greater machine. Um, I think the moment you start thinking in such a nice, uh, isolation is the way, um, I think it's a hiding to to, to a dangerous place.
 

Sean Martin: Yeah. And then we, I, we could probably say, I dunno if the reverse is true, is the right, right way to put it, but if the business doesn't look at how some other event might impact or rely upon cyber to either protect the cyber bits or to leverage the cyber bits for other pieces. Yeah, I think that there's a lot to a lot to consider there, of course.
 

Stuart Seymour: No, there is and I think it's as again as a cyber as a cyber security a cyber security practitioners and as an industry, [00:23:00] I don't think we do ourselves many favors because predominantly, I think, when we're challenged, we revert to jargon and alphabet soup.
 

Um, and when we think about security, 
 

we don't really, we sort of typically, sometimes, try and go for, try and make good, great be the enemy of great. Did I get that right? Or great be the enemy of good. Do you know what I mean?
 

Sean Martin: This idea. I'm not, I'm not able to help you much there. No, no, no, don't, don't confused as well. Which one is it?  
 

Stuart Seymour: No, no, no. 
 

Don't let, don't let great be the enemy of good. In other words, don't go for the gold plated standard and [00:24:00] spend three months finding that extra 10 percent when good is good enough, that's what I meant to say. No. Rather inarticulate way.  
 

Sean Martin: Well, you said it well, and I think everybody's going to understand.
 

Um, Stuart, uh, you have a few fellow CISOs and a VC. So join me on, on stage. They're different. Uh, it's like manufacturing, uh, maybe a technology company, and then you have a cybersecurity agency, agency of Catalonia, so quite a wide variety of perspectives there. What do you, what do you expect to happen on stage?
 

We all come together and is it use case time? Storytelling time? What's going on?  
 

Stuart Seymour: Um, I, [00:25:00] I'm actually really looking forward, not just to the, to the, to the event and not just to InfoSec, but, but to the panel because it's so diverse. Um, and, and diversing in its, in its background, like you've just said, you know, there's the government of Catalonia and, and, and other industries, telco and, and, and the rest.
 

And I think that that diversity of industry and diversity of experience and diversity of pressure. Um, as it comes to the crisis can only help, um, expose, um, amazing learnings. Because if, if we go back to when we were talking about the CIA triad, You know, the government of Catalonia has different, um, imperatives to me as a telecommunications [00:26:00] company or as the fast moving goods company. 
 

And therefore a crisis for, you know, a crisis for me might not be a crisis for them and vice versa. And it would, it's going to be fascinating, um, to see the different perspectives and the different learnings from each of those. Um, because, um, the different focuses that each of those entities has, I think, will give a greater richness to the audience.
 

I'm hoping so, anyway. I'm excited.  
 

Sean Martin: Uh, I'm excited. And, uh, yeah, that's why it caught my attention. Uh, just to see the, the group and, and, uh, I'm thrilled you and I had a chance to chat. And I'm, I'm hopefully, hoping we can have a chance to connect there in person as well.  
 

Stuart Seymour: No. Definitely.  
 

Sean Martin: Very good. Very good. 
 

Well, Stuart, uh, I hope, hope you and, uh, the panel have a great time, uh, sharing [00:27:00] stories, uh, sharing, uh, shovel marks. Yes. With each other.  
 

Stuart Seymour: Punches in the face. Punches in the face. Just like that amazing philosopher Mr. Tyson said. I'm looking forward to seeing his fight as well.  
 

Sean Martin: Does he have a fight coming up? 
 

Stuart Seymour: I think he has a fight with, um, with a YouTuber.  
 

Sean Martin: Conor McGregor? No, no, no.  
 

Stuart Seymour: I think one of the Paul brothers. So he's coming out of retirement to fight.  
 

Sean Martin: There you go. Hopefully he remembers some of the lessons he's learned over the years. Not too many, uh, punches in the face. All right. Well, um, we all have our own cyber punches to, uh, to deal with.
 

And, and this session, Crisis Management, Responding to the Unimaginable, can certainly help, uh, Stuart. I'm excited to meet you there in person and to hear this session along with your fellow panelists. [00:28:00] It's Thursday, the 6th at 2:05 local time there in London. And, uh, so thanks again for this great chat.
 

You're, you're welcome back anytime. I think there's a couple of topics in here we can, we can spend more time on for sure. 
 

Stuart Seymour: I'd love to come back whenever you'll have me, Sean.  
 

Sean Martin: Yeah, it's been an absolute pleasure. I appreciate that. And for everybody listening, thanks for joining me for a new On Location episode as we, uh, do our chats on the road to London and, uh, hopefully Marco will join me for the next one and we'll see everybody there for InfoSecurity Europe 2024.
 

Thanks everybody.