ITSPmagazine Podcast Network

Maximising Your Budget Effectively in Turbulent Times – An SME Focus | An Infosecurity Europe 2024 Conversation with Don Gibson and Emma Philpott | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli, along with guests Emma Philpott and Don Gibson, dive into the complexities of cybersecurity budgeting, prioritization, and the importance of community support. Tune in to discover how security leaders navigate financial constraints, legacy technologies, and innovative strategies to make cybersecurity a competitive advantage designed to drive business outcomes.

Episode Notes

Guests: 

Don Gibson, CISO, Kinly

On LinkedIn | https://www.linkedin.com/in/don-gibson-cyber/

Emma Philpott, CEO, IASME Consortium

On LinkedIn | https://www.linkedin.com/in/emphilpott/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli explore the intricacies of cybersecurity budget management and expenditure prioritization at the Infosecurity Europe event in London. The conversation kicks off with Sean and Marco discussing the challenges of balancing a minimalist approach with the need for robust security programs. The discussion swiftly transitions into budgeting strategies where the hosts are joined by guests Emma Philpott, CEO of IASME, and Don Gibson, Chief Information Security Officer (CISO) of Kinly. Emma provides insights into her role at IASME, highlighting their work on the Cyber Essentials program aimed at ensuring basic technical security controls. Don shares his experiences at Kinly, dealing with audiovisual technologies and their importance in security. The dialogue explores the difficulties organizations face, particularly around budget constraints, legacy technology, and the need for consistent investment in security measures.

A significant portion of the episode is dedicated to the challenges faced by companies of various sizes, from micro-businesses to large corporations, in implementing effective cybersecurity measures. Emma stresses the importance of making security accessible to smaller entities and the efforts IASME is making to provide free guidance and support. Don emphasizes the importance of clear communication and leadership at the board level to properly budget for cybersecurity, balance technology and staff investment, and avoid the pitfalls of over-reliance on either.

The conversation also touches on the role of community and support networks within the cybersecurity realm. Both Don and Emma highlight the value of having trusted groups where professionals can share experiences, seek advice, and offer mental health support. They underscore how such communities foster a culture of openness and mutual assistance, which is crucial in an industry often grappling with high-pressure incidents and rapid technological changes.

The episode wraps up with a discussion on the dynamics of cybersecurity as a competitive advantage and the evolving nature of security leadership. Emma and Don explain how achieving certifications like Cyber Essentials can provide business benefits beyond compliance, such as improved insurance outcomes and differentiation in the marketplace. Don challenges CISOs to think creatively about how cybersecurity can become a revenue-generating aspect of the business, reinforcing the need for innovative and dynamic leadership in the field.

Tune in to learn more about budgeting, community support, and forward-thinking leadership in cybersecurity from the vibrant InfoSecurity Europe event.

____________________________

Follow our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcLEF2H9r2svIRrI1P4Qkr

____________________________

Resources

Maximising Your Budget Effectively in Turbulent Times – An SME Focus: https://www.infosecurityeurope.com/en-gb/conference-programme/session-details.3783.219365.maximising-your-budget-effectively-in-turbulent-times-%E2%80%93-an-sme-focus.html

Learn more about InfoSecurity Europe 2024: https://itspm.ag/iseu24reg

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________


 

Sean Martin: [00:00:00] Marco. Sean. I need to have a word with you. What? Well, I've been looking at your expense reports. I don't know.  
 

Marco Ciappelli: I'm not even putting everything.


Sean Martin: I know. I know. I don't know that you're prioritizing things quite, uh, exactly as we should for the business.
 

Marco Ciappelli: That's right. You know, I'm trying to get minimalist, but, uh,  
 

Sean Martin: Yeah. 
 

Well, throwing away a couple of shirts is not the same as running a secure tight, tight security program.  
 

Marco Ciappelli: People come to me and say, you need this, you need this, you need that. So I just think that, uh, I need it. But do I really need it?


Sean Martin: The shiny new thing. Do you need both of those services that do the exact same thing?
 

I don't know. I need help. You need help. I need help. Well, that's, that's, uh, I think that's a common theme. Uh, uh, here at the show, we're at InfoSecurity Europe in London at the ExCeL and, uh, a lot of conversations, uh, even some activities evidently overnight, [00:01:00] uh, where perhaps prioritized budgets weren't, uh, placed properly.
 

Who knows? I don't know. I'm gonna, I'm actually gonna spend some time today digging into that with some folks, uh, the whole NHS thing. But um, that's not what we're here to talk about today. We're gonna talk about budgeting and spending and prioritizing and getting the most bang for the buck and, uh, running a meaningful program.
 

And knowing that you're doing so, not just blindly doing that. And we have two guests. We have Emma Philpott and Don Gibson on. They're both speakers at the event. Thank you both for joining us.  
 

Don Gibson: Welcome. Thank you for inviting us.  
 

Sean Martin: Good stuff. We're sitting here looking over the Thames and, uh, and, uh, a venue that's being replaced at the moment. 
 

So somebody decided to tear something down and build something new. Another building. Being torn down perhaps, I don't know. Looks like an old relic there. But, uh, I think there might be an analogy there, right? We build, we build stuff. We build [00:02:00] programs. We add to the programs. New products come. We add those products and services. 
 

We need to add teams to run all that stuff. And we just continue to layer on and layer on. And we're told that layered defense is good, right? So, we, uh, It's a, it's a best practice in many cases. And then we were stuck with stuff. We're stuck with old legacy technology and new technology. And we're both in the running the business and protecting the business and, uh, lots to consider there. 
 

Cause you don't just switch, flip a switch and change from old to new. Um, so anyway, I'll stop rambling. I want to hear from both of you. Uh, who you are, what you're up to first, and then we'll get into the topic. Uh, Emma, you first, please.  
 

Emma Philpott: Um, hi, I'm Emma Philpott. Um, so I'm the CEO of IASME, and IASME, we're best known for delivering the Cyber Essentials Program for the government.
 

So that's basic technical controls that it turns out are really, really important to keeping you secure. Um, we do various other things, and we focus on trying to make [00:03:00] things accessible and inclusive.  
 

Don Gibson: Perfect. Don? Um, my name is Don. I'm the CISO of Kinly, uh, which is a global, um, audio visual company. Uh, so when they say, um, the defendants appeared via video link, that's us, to give you an idea.
 

Um, we're proud holders of Cyber Essentials Plus, uh, as we, uh, supply HMGov. Uh, and, uh, I've been brought in at a time of large change and transformation. Within the company.  
 

Sean Martin: Nice one, nice one. I saw a story the other day from New York, and it was a story, I think it was actually a story in California, but where a defendant appeared on camera, driving.
 

Driving, yes. Oh. Yes.  
 

Don Gibson: There's nowt queerer than folk.
 

Sean Martin: So, as humans, we don't always make the best decisions, right? Even when we know what the rules and guidelines are. [00:04:00] So, let's talk about, let's touch briefly on this session you're going to have a little later. Kind of the gist of it. There's a few of you joining. 
 

How did the, how did the panel come together and what was the, what was the purpose of it?  
 

Emma Philpott: So I think the panel was invited by the organizers to, to try and cover, you know, the most, most of the aspects that would be discussed and are interesting. We had a few meetings beforehand and yeah, really, really great. 
 

It's part of the joy of being involved in these kind of things is you meet such, you know, great interesting people. And, and of course everyone, because they have such different backgrounds, have, have a different take on the subject. So, yeah, it's going to be a good panel.
 

Sean Martin: Yes.  
 

Marco Ciappelli: What are the most important perspectives in your opinion? 
 

I mean, having different perspectives is important in everything you look at. Um, coming at the table to look at from different angles about this topic, which, yeah, [00:05:00] it's about cyber security right now, but it could be applied to pretty much everything. Budgeting, as we were making fun at the beginning, Sean.
 

So in this case, what kind of, what kind of experts are, should be in the same room to really cover as much as you can?  
 

Emma Philpott: So, I mean there's a lot of different perspectives, which of course when I first came into the sector, I just have my view and I don't realize. It's actually quite complicated. So there's the, there's the little tiny companies who don't have much technical understanding. 
 

You know, how do they achieve security? There are the medium sized companies who are starting to, you know, hire security professionals, but maybe have a budget problem. There are the large organizations that often have massive digital debt. You know, they've, they've given smartphones to everybody and then not replaced them for many, many years.
 

And to ask them to do that when they have thousands and thousands of them, it's a very big investment because they haven't been investing as they go along. And then there's things [00:06:00] like charities who, you know, you know, people give donations for the charity to use it for their main purpose, not for them to spend it on cyber security.
 

So what do they do? So it's, it's very, much more complicated than you would first think as an outsider.  
 

Don Gibson: And the people involved with, with that, um, for me are, um, both technologists, um, cyber security leaders, but then also people beyond that. Um, so people at C-level who are actually making the decisions.
 

We need to be able to enable them to make the right decision, to tell the right story to them. Uh, so they are able to lead. It's what they're supposed to be doing. So therefore, these are the scenarios. This is what we're looking at. Whether it's the risk profile, whether it's the, uh, fiscal risk profile, whether it's the technical risk, everything all together tells a story and then you can make an informed decision. 
 

Emma Philpott: And it is made harder by some of, obviously in every sector, some of the sales. You know, [00:07:00] you get some great salesmen or women coming along and saying, my gadget is really expensive, but it will solve all your problems. And of course, you know, nothing solves all your problems. So if you don't have an understanding of cybersecurity, trying to understand who is selling snake oil or not is really hard.
 

Sean Martin: So I, I think we're an industry driven by technology, right? And taking that to the next step, we're an industry that has a set of experts that understand things that others don't. And they kind of keep a lot of secrets, right? The, the, the researchers and the, the hackers, uh, good hackers that, that build these products, right?
 

And so there's this, there's already a separation between what, what the technologies do and how that supports the business. Um, and I guess what I'm trying to lead to is that security teams then are trying to decipher [00:08:00] how the technologies protect what I'm building for my business to make it run. And, and I, my sense is that we're not. And we talk about the CISO having a difficult time speaking to the board, right, to make that translation, that jump.
 

But when we're looking at budgeting, right, how do we, are we set up as a, as a function to properly budget? I mean, we can, we can probably talk about risk, we can talk about controls, we can talk about response. Can we talk about budget? Are we, are we set up for that?  
 

Don Gibson: I think, I think we have to, especially if you're running, uh, uh, uh, should we say a more advanced risk profile such as the FAIR method, right? That gives you a percentage of how, how it will actually impact, which, at which point you're able to, um, give a fiscal number against it, at which point you can start having very frank conversations.

And it's back to the very, very beginning basics of, of, uh, of cybersecurity, of [00:09:00] if something costs a hundred thousand dollars to fix and the tool to fix it costs 10,000, that's a really easy conversation to have. However, if it's the other way around, that doesn't make much sense. So therefore you hold that as a risk. Go, I'm not going to fix that. It's not cost effective right now.
 

Emma Philpott: But if I, if I can, um, the customers have to take some responsibility. 
 

So it's very easy for a company to have to make risk decisions based on budget, you know. It's always like, kind of, I mean, I've run a small company, and I know that you do what you have to, to get through that month. And it usually doesn't involve the extra stuff. Um, so, uh, deciding a risk appetite as a company is one thing, but as a customer, it's another. 
 

You need to impose some things on your suppliers, I think. Because otherwise, unless it is, you know, make or break for the contract, sometimes they're not going to invest in things. They'll hope for the best. So it's quite a [00:10:00] big responsibility as a customer as well.  
 

Marco Ciappelli: I think from a psychological perspective, it's that attitude that if I can't get all I need, then I'm not going to get anything. 
 

I think that's the wrong approach. And obviously, this retaining The knowledge and I call it the shaman mentality, like I got the power and I'll tell you, but I'm not going to tell you everything so I can keep the power. It's not beneficial for society and the business in general, so there needs some guidelines and to know that, you know, a list, get the basic and then go on. 
 

So how do you build a program like that?  
 

Emma Philpott: Well, so we've been involved in cyber essentials, which is the basic. It is literally meant to be. We should be doing these, if nothing else. But we hear, particularly from larger organizations, that it is really difficult. You know, I, one multinational law firm was telling me, I don't know, about months ago, that it is the [00:11:00] most difficult certification internationally that they get, but they think it's a very high level. 
 

So it, it kind of shows that it's very easy to spend a lot of money and get a whizzy, flashy thing, but actually putting security in your company, doing the basics is, is quite difficult. Um, and so that's why people would rather maybe spend a bit more money and get, and not have to involve the rest of the company.
 

Don Gibson: I think, I think that's it, because you're talking about culture and, and how if people are used to things happening the way they happen and then you have to change what they're used to because you need to change the culture, then there can be either dragging feet or friction or, or engineers going, oh, we can't do our job anymore, or whatever else, when it's actually something has changed in their world and they don't like it, which is sometimes it's just a tough conversation. 
 

You've just got to sit there and go like it or lump it. [00:12:00] That's it. Other times it's a case of education and, and leading them through. And I say that, uh, good cyber leaders need to be enablers. We need to enable the business. We can't be the people sitting there Therefore, if I'm saying no, I'm You, A, you really should listen to me because I don't like saying it, but B, I tend to give, uh, an alternative. 
 

So you want to do X right. You can't just sign stuff off to Box or, or, uh, move it or whatever else. We're able to set up this in SharePoint and external SharePoint site and you can ship it out that way. Right. And so I'm cutting down the shadow IT, I'm cutting down the potential data leakage, and I'm increasing the control over it. 
 

Okay. Is it as nice as clicking on a whizzy app and doing what they used to do? No. But I don't care. So there's a lot of times it's like I'm trying to hold their hand, I'm trying to lead them through. But sometimes you've just got to say no. [00:13:00] You've got to be the tough parent.  
 

Sean Martin: And so, one thing that's coming to mind is, I think one of the points in your session is around, uh, staffing versus technology and, and, I don't know, maybe Don, your perspective on this, and then of course yours as well, Emma. 
 

But do we, do we set, who, who sets the, the different parts of the budget, right? Because we're given so much for people, we're given so much for CapEx, we're given so much for OpEx, and, and you have to kind of work with some of those, within some of those boundaries. Mm hmm. And. So if you, if you say I need technology but I don't have enough budget for technology, or I need more people but all my budget's in technology, or you're hoping that technology solves it so you don't have to worry about the people management aspect of things. 
 

Who sets that big picture and how does that impact what you [00:14:00] do as a CISO?


Don Gibson: For me, it's about starting the conversation at the top level, at the board level. And leading it on a risk basis as, uh, at which point you start going, right, this is the picture we're faced. This is the landscape. This is what we see the future to be.
 

Now let's work backwards. You're getting me, giving me this. That will get X. Now, do I have the potential to use whatever technology I have a little bit better and free up some of the extra, uh, cap there that I could move across to staff to either enable my staff a bit better, give them more training, which would help retain them. 
 

So we don't have the churn, which is extra cost, and et cetera, et cetera. And you start leading that conversation through. So there's lots of little bits plugging together that actually make a, a correct answer for it. Um, for me, the big ones are, uh, make sure the board are fully aware. of everything and the [00:15:00] impact of their, uh, decisions. 
 

Staff need to be properly looked after, both fiscally, mentally, training, et cetera. Stop that churn because it's far more costly to get people in and let people go than it is to keep them and look after them properly. And then make sure your technology is working properly. Get the proper return on investment on that. 
 

Make sure... I'm yet to be in a company where everything that you are entitled to is turned on and working.
 

Marco Ciappelli: Um, I have a question. So we live in this world, we said, with this, everything is blinking, everything is new. We are an event. We were at RSA conference not too long ago, and we actually had a conversation about a monster that is feeding itself to survive, like, you know, and, and so here I'm thinking on one side, you're constantly told that your technology is old, even your smartphone, it's old in a year and you should get a new one and where do you [00:16:00] stop to the point like, okay, what I got is good enough.
 

So I'm thinking in the budgeting while you're bombarded by all of this, what, what's the lifespan, let's say, on, on the technology that you have? Where, where do you stop the investment in people to use that technology because you have to actually update that technology? And I, I have no idea what the answer is.
 

So, is there an answer?  
 

Emma Philpott: So, obviously, it, it usually depends on how long the software, particularly, well, and some of the hardware is supported. And so, we're in the hands of the vendors. And some of them are better than others. Some of them are trying to support more, you know, which is a really great thing to do.
 

Some of them, the support time is getting less and less. And not just that, the notice, you know, they suddenly say, we're going to stop supporting this. And it gives hardly any notice, which means it's very, very difficult, particularly for larger organizations to plan in the replacement. Um, [00:17:00] you know, a lot of people talk to us about how we want to be more friendly to the climate and stop throwing things away. It's really hard. If things are not being updated, uh, you know, how, how to keep them be more friendly to the environment and stay secure is a really difficult thing.
 

Don Gibson: I completely agree. It's, it's, um, one of the things we're going to be talking about is, uh, one of my expectations, especially towards my architects, is to keep very close eye on the product managers, have a good relationship with our vendors. 
 

So we actually understand what's coming over the horizon, what new bits are coming, what, what we have, what we have access to, but also when something going to go end of life, when's it going to go into support? When do I start needing to lead the conversation with my CTO or CIO and go, we've got this coming in the next 18 months, 36 months, whatever. 
 

Sean Martin: You're talking about your general ops [00:18:00] systems. You're talking about your mail and your HR and your EDR. Operating systems. ERP. Everything.  
 

Emma Philpott: All software, yeah.  
 

Don Gibson: Yeah, absolutely. And that's under your purview. Hardware. That's under your purview. Um, I make sure it is. Yeah. I don't care if someone else is looking after it. 
 

I still want to know what's happening.


Emma Philpott: One of the most important things. And it's really hard to know whether your software is supported or not. Um, we, it's one of the biggest questions we get, because you have to say that, yes, my operating systems are in support. And for little micro companies, you know, the two-person shop, they, they ring up, they don't even know what kind of computer.
 

We have to sort of get to the, does it have an apple on the cover or not? How do they know if their operating system is in support? It's really hard to find. So we've actually got a webpage now with all the links that we can find to try and help people find out if the operating system they're using is [00:19:00] in support. 
 

They don't make it easy and that's a big barrier to security.  
 

Marco Ciappelli: And I was actually going to go there because I like to talk about small business. I come from a family of, you know, mom and pop shop and, and everything is relative. Like you, you run that big company and you know, you have enormous expenses. 
 

But again, even if you're a mom and pop shop or a small office, a small studio, even that seems to be a small amount of computer and software that you have. But compared to the business, that's a lot of money.
 

Emma Philpott: Yeah, it is. And, so, one of our biggest aims, we've been doing Cyber Essentials now for ten years, and our real aim was to make it accessible to the smallest of companies, one person companies.
 

Obviously, we try and make it as low cost as possible, but we, and, and it is easier the smaller you are to implement the controls. You can do it for free. As long as your software is up to date. That's the kind of key. It's just about going in [00:20:00] and changing settings. But you know, I say that, my mom, you know, would have no idea. 
 

So we keep trying to publish guidance how to put in the Cyber Essentials controls for free. Every time we publish it, we kind of, we, uh, we get sole traders to have a look at it. And always, we need to make it easier. We need to make it easier. And that's, you know, so we're trying, but the, the vendors, the people who design computers and software, they need to help us.
 

They need to try and make it secure out of the box.  
 

Don Gibson: With that, you also can't be, um, you can't diagnose to use certain vendors. So, uh, for example, for mom and pop shops, et cetera. As much as I dislike using them in big companies, Google got everything out of the box right there. You get a Chromebook, you have everything backed up to the cloud.


It's got antivirus. It lets you know, it's got a password manager [00:21:00] in there, um, lets you know about, about threats to passwords and accounts. And, all of a sudden, well, hold on, that's, that's a really quick, easy thing that you could say to people. However, you can't sit there saying, saying, saying, go to Google.
 

Right. That ain't gonna work.  
 

Emma Philpott: Yeah, it's, it's, that's a hard one. Yeah. But, you know, it's not just, you know, how do I put the security in place? If you have an incident, if you get ransomware or something, where do you go? As a, as a sole trader, how do you find someone who knows what they're talking about?
 

There's so much snake oil out there. It's all really hard, but we, I mean, we as IASME trying to put free guidance online so you can put the controls in place for free. If you don't need a certificate, you don't have to pay any money. So that's, but it's still hard.
 

Sean Martin: So let's talk a bit about the community. 
 

I'm fortunate enough to on a, on a weekly basis and, and Chatham House Rules get to hear some interesting stories. [00:22:00] Bet you do. Yes. And um, but the, the beauty that I find in that is the, the community aspect.  
 

Marco Ciappelli: Mm.  
 

Sean Martin: Where, they're able to openly and candidly share with each other, I'm about to embark on this project, I've had this incident, I'm struggling to get budgets, I'm struggling to keep staff, whatever the situation is.
 

And they come together, and they don't always have the answer, because one might be a bank, another one might be a business. water district, right? So different situations. Um, but generally they have, they share the same objective, which is to your point earlier, which is to enable the organization to succeed in a safe and secure fashion. 
 

So they, they share their ideas and their thoughts, um, your, your perspective on the role and value of community. And I suspect you're a part of some of them as well. And then, and then to you, Emma, um, [00:23:00] Your view on that and how I think there's value in that for some of the smaller organizations while there are chambers of commerce or things like that that they can leverage. 
 

Don Gibson: So, yes, I am a member of a number of, I call them cabals. And they are invaluable. You'll quite often see a few of the same faces in, in the, uh, in the different groups. Um, but there's always a take, there's always some knowledge. It's always freely shared. There's always, um, some, um, advice given freely. Um, so there's, there's that on the knowledge base.
 

There's also the support aspect of it. Uh, I was in a particularly nasty incident and a previous CISO that I'd not worked with for maybe four years called me up and went, if you need anything, my team's yours. And I must admit, I nearly cried at that. It was so wonderful. [00:24:00] Um, so, uh, there's that. And with that, um, something else I talk about is, um, mental health support, uh, especially for CSOs or, um, if your team is, uh, impacted by, uh, depression.
 

High impact events and the like, how to look after them, and this also, uh, appears in the, in the, uh, in the groups where we actually look after each other, um, which is awesome. And that's, that's male and female. Um, we're obviously massively inclusive. We want to have underrepresented people in our, in our wonderful industry.
 

Uh, but the majority right now are middle aged white men and middle aged white men tend to sweep things under the rug and don't talk about it. And having groups like this really make a big impact towards that. So, yeah.  
 

Emma Philpott: We have something a little bit similar in that, so we license the assessments to a network of certification bodies. 
 

[00:25:00] Most of them are micro or small companies, lots of one man bands, cybersecurity experts all over the country. We've got about 350 of them. And we have face to face events, we have seven events a year. And whenever they do training, they're face to face. They meet each other. And they build these really great relationships.
 

So I mean, on the face of it, they're competitors. But actually, they're, they support each other. And because they're so small, one of them will get a big job that is too big for them. And they'll bring all the others into it. So you start seeing them working together. But um, yeah, our certification bodies are amazing. 
 

They really are. They're the most entrepreneurial and expert people that, some of the people I've met.  
 

Marco Ciappelli: I think sharing information has been one of the things that, I guess, Sean, that we heard a lot in the past year, year and a half, has been one of the non technological solutions to the main cyber security problem, because you may be going against what you [00:26:00] think about a competitive advantage. 
 

But in reality, it will be a societal advantage that will really, really benefit.  
 

Emma Philpott: But it is really embarrassing if you have an incident. I mean, we had an incident, I don't know, about eight years ago or something. And, uh, it's, I mean, it's awful. It's awful when you're the team going through it and then on social media, you always get everyone weighing in, you know, blaming you, spreading rumors, spreading gossip and just sometimes with someone reaching out and saying, I hope you're okay means everything, but it's embarrassing to admit. 
 

And, you know, as a CEO as well, it's important to lead by example in terms of embarrassment. Because, you know, I've clicked on links. Well, I'm in a hurry. I've owned up. And then I've told the whole company, I've just clicked on a link. I'm feeling really embarrassed about it. So, so that's really, um, that's really important, I think. 
 

Sean Martin: And, [00:27:00] one thing, sorry, we just had a nice, uh, nice visitor. Um, so, one thing I want to, I was going to comment on the, uh, we mentioned snake oil, right? And I think the other, the other thing that comes out here is what actually works, right? What products work? Is it really AI? Do you get the support you need? A lot of that stuff comes out by interacting with each other. 
 

And if we leverage trusted entities, um, uh, to support you, you get some of that, you get some of that as well. Um, Marco, lots of, lots of stuff to consider. I'm not going to  
 

Marco Ciappelli: buy a new phone. You're  
 

Sean Martin: not going to buy a new phone? Well, the funny thing is that I think I'm  
 

Marco Ciappelli: happy with the one I have.  
 

Sean Martin: So I, I made a decision, it was a year and a half ago, to, I always get the maximum drive space on my phone. 
 

Except a year and a half ago I decided, nah. I'll just do everything in the cloud. And now I'm struggling to, uh, keep free space even for stuff that we've been recording. [00:28:00] So, I'm gonna have to make another business decision and sadly make a change on my phone, I think. But, but that's Because you  
 

Marco Ciappelli: cannot predict the future. 
 

I can't predict the future. You couldn't predict that you could record in 4K, let's say. So, that's, that's Exactly. How far can you, how far can you look into the future and you use, if you're driven by fear, how far can you And by a good, good, I'm doing air quote for people of course now watching this, uh, salesperson, then, uh, you're probably going to spend the money. 
 

Emma Philpott: Yeah. But also, hopefully, you'll be driven by the possibility of doing more work. Yeah. So when people start saying, like when the government says you've got to have Cyber Essentials, for example, you get Cyber Essentials for one contract. Suddenly, you're probably ahead of some of your competitors in going for the other contracts. 
 

Interesting point, yeah. It can be a positive. Yeah.  
 

Sean Martin: And we've heard that we're actually starting to see some, some progress there where it's security posture is a competitive advantage.  
 

Emma Philpott: Yeah. [00:29:00] That's great. And so when you get Cyber Essentials, you get insurance if you're a small or micro and that has now also started to be an advantage because some companies, particularly in financial services, can't get cyber insurance anymore, not for anything affordable. 
 

If you get Cyber Essentials and you're a small or micro, you get it for free. So, you know, suddenly these other things start, it becomes a business benefit rather than just a cost.  
 

Don Gibson: And with, with that, um, one other thing is that, uh, I think that CISOs especially need to be far more dynamic. And when I talked about enabling the business, um, I'm currently talking with my company about how to make security an actual saleable product. 
 

And it's, it takes, it's a whole new take on, on the dynamic. And if suddenly that's a new revenue stream, that's a, that's a big thing to talk about. And so therefore, my challenge to, to any CISO out there or any person wanting to be at this [00:30:00] level is to how to think outside the box and how to create something different and new. 
 

We're supposed to be leaders.  
 

Sean Martin: Yep.  
 

Don Gibson: We lead.  
 

Sean Martin: Yep, absolutely. Absolutely, you just unlocked a bunch of thoughts, but I'm gonna, I'm gonna wrap it here. I could keep going for another hour on this. Um, maybe we'll have you back and do some more chats.  
 

Don Gibson: Happily.  
 

Sean Martin: Uh, so, thank you both very much and best of luck with the, uh, the session today. So thanks everybody for listening to, uh, this episode and stay tuned for more coming to you from Infosecurity Europe in London. 
 

Thanks everybody.