Danny LopezTraining Session Video
Session Description
I just thought it would be good to be able to give you a few thoughts on what we’re seeing, the trends that we’ve been monitoring and focusing on over the last few months, the way we see things going forward. And then I also wanted to give you a few thoughts from where we’re coming from when we think a lot about how teams should be structured, organisational design in the world of COVID, even not so much COVID, it’s kind of everything that’s been leading up to how we think about all the design and how teams should be structured going forward. So those are the two areas that I wanted to cover.
The first thing I would say in terms of what are we seeing right now is that threats are constantly evolving. I realize that I’m stating the obvious in many ways, but it is fascinating, because at the end of the day we are all doing what we’re doing, because we want to keep people and organisations safe and we find that we are facing sometimes common enemies, sometimes enemies that crop up left, right and center, and that whole space is constantly, constantly changing. The former CEO of TalkTalk Dido Harding used to say that we spend all our time building walls, and the bad guys are just building ladders. And these walls are getting taller and taller, and these ladders are getting taller and taller, too. And that’s kind of the nature of our business. In a way it makes it different from so many others, because the more innovative we are, the more innovative the bad actors are, and that kind of constantly defines the state of speed and pace and thinking that we have to put into delivering the solutions that we do. But I think that pace is just going to get faster and faster over the next few months or the next few years. And it’s not just because of the bad actors, but it’s also because our worlds, our everyday lives are increasingly defined by technology. And the more tech there is, the more threats there are going to be, and it just goes hand in hand. On the one hand we think about 5GE and we think about blockchain and we think about AI, and these all are bringing extraordinary benefits to us as people, as companies and to society, but with those benefits a whole host of threats come, and it’s the name of the game. And that’s what way we’re heading into.
The second thing I’d focus on, which I think is on the one hand very scary, on the other hand we can make such a significant impact to be able to help (when I say we, as you know the security community) is the increase of threats that SMEs (small and medium enterprises) are facing. I’d feel that it just doesn’t get much media attention. If you have a massive data breach and a huge company you read about it, but the SMEs, the small players, they don’t get the coverage. But the reality is that when it happens, it can be crippling and it can bring a company down in minutes. And I think that it’s our responsibility to make sure that we try and help this community as much as possible, because they are very vulnerable, they are in my mind the least prepared, because SMEs, particularly the sort of smaller end of SMEs they’re thinking about their cash, they’re thinking about the cost base and they’re thinking about a whole host of challenges. I’m generalizing, but the reality is that you try and put some money towards coming up with a few solutions that you might have heard are going to be helpful and then you just cross your fingers and you hope for the best. The former FBI Director Robert Mueller used to say that there are basically two types of companies: those that have been hacked and those that will be hacked. And that is just the reality that we are facing right now. Whenever I talk to SMEs myself (and you know, we as a team do), we don’t want to scare them, we don’t want to go down this route of saying, you know, do something about your security, because otherwise the world is kind of going to end you. I don’t think that the fear factor is helpful, but there is a very important element of our overall education around. Threats, the impact of threats, how you go about securing your company as a whole, how you learn about cybersecurity and the solutions that can be put forward, because ultimately I think it’s only when something really bad happens many times a lot of the smaller companies pay attention. There’s a famous Mike Tyson quote that everybody has a plan until they get punched in the face, and I think that happens unfortunately quite a lot in the SME space. So that’s something that we’re very focused on and as I say it’s a sort of overall education process and one that I think over the next few months particularly with the current environment is going to become more and more important.
Another issue that I would raise is data breaches. I don’t think they’re going away. This is something that we’re just going to hear more and more about, that we as an industry need to be able to offer obviously solutions to, but whether it’s easyJet recently or BA was a high-profile one, NHS (I’m talking about examples here in the UK, there are countless of others around the world), unfortunately I think that this is just going to become something that we’re going to have to get used to reading about and hopefully the industry being able to do far more about it. I mean it’s quite worrying that some companies spend decades building their reputation and in a matter of seconds that reputation can just be shattered with a data breach, and we see that a lot with many of the big companies. We read about it and there are some very interesting studies about the overall perception of towards that company and the overall reputation impact is absolutely massive, and the reality is that what the bad guys are stealing is worth a lot of money. There is a lot of value to it, and a combination of the impact on the company, the reputational impacts and the value of the data that can be captured I think would mean that we unfortunately will be seeing more of that in months to come.
The next piece is something that I’m sure we all talk about a lot and that’s the fact that as business processes, as infrastructure moves to cloud, we as an industry are seeing more and more that we have to come up with new approaches to be able to come up with solutions that are cloud native and that help people with this transition. Obviously that has become extremely relevant over the last three months where over night hundreds of thousands of people have suddenly had to work from home. There is far more reliance on the cloud and the solutions that used to work kind of pre-COVID and pre that transition, and not necessarily they’re going to work going forward. And I don’t think that COVID has changed anything in particular, but I think what it has done, it has just accelerated that needs to be able to come with a whole bunch of different approaches.
Something else that we talk a lot about is doing more with less, again obvious, but the challenges are increasing; we have to move incredibly fast, speed up processes, and I think the automation piece here is absolutely key, trying to identify every single manual process that we can and how we’re going to automate that. The DevOps environment now is moving steadily into a DevSecOps environment, so that security is very much at the heart of the entire journey, whether it’s building, testing, deploying. Security is as I say at the very core of that process, and the more we get that right, the more we are going to be able to ship sufficient and more importantly, not just as importantly, efficient software. So I think that there’ll be a huge rise and focus on the automation piece. Moving away a little bit from kind of our day-to-day I think that we also as an industry and as leaders in the cyber security space, we have to stay really connected to the geopolitical macro environment that we’re all facing. And I think that even when we’re talking to our clients, when we’re talking to people in the ecosystem, understanding what’s going on between Russia - US tensions, China - US tensions, the entire geopolitical landscape that, let’s face it, is more chaotic now, it’s definitely more chaotic now than it has been ever in my lifetime from a global geopolitical standpoint. And I think that’s very important to understand, because it feeds into accepting that state sponsored cyberattacks are going to continue increasing not just in frequency but in impacts, in sophistication, and miss-chaotic geopolitical landscape that I mentioned is essentially just an ideal environment for that to thrive. And we have to accept that we have to be ready for it, we have to participate in many ways and then we need to be able to act on it and just as importantly, we need to be able to give advice to all of our clients. And we can of course give a lot of advice on the technical side, but as I say, I think just giving advice on the technical side it sort of loses its spark and it loses its context if you don’t actually have a pretty decent understanding about what the overall macro geopolitical tensions are in the first place.
A few more things to share. Just like I think data breach is here to stay, unfortunately I would say exactly the same about phishing attacks. They’re really effective, it just needs one person per over many thousands or even hundreds of thousands to have real impact and if anything, that efficiency unfortunately is increasing. So they’re here to stay which means that we have a greater responsibility to to do something about it, which brings me to that conversation around culture and training, which I think is hugely important, but at the same time I think it’s important to kind of make a big distinction about what training and culture can actually do versus what it can’t do, because there are I think too many companies out there who think that if you train people the right way, who are not necessarily that tech-savvy and you instill this culture of security, then you won’t get attacked or if you do get attacked people will be trained, therefore it won’t happen. And I think that’s a very, very essentially grave mistake to make. I think the right level of training is all about awareness, and awareness can go a long way to playing an important role in security, but it’s definitely not a solution. Our view of respect recently to doctors in the front line who received loads of attachments and obviously that’s what we do at Glasswall: we help organizations with a threat from file-based threats. And the reality is that a doctor is a doctor and wants to spend his or her time helping others and applying what they’re good at. What they don’t want to do is spend 10% of their day every time they get an attachment trying to figure out whether they should open it or shouldn’t open it or how they go about opening it, etc. So I think that there’s an element of overall awareness that is important, but in this particular example a doctor should spend 99.9 percent of their time on what they are trained to do. So I think that the culture piece is important, the awareness piece is important, but it’s our responsibility to provide solutions that will actually deal with these threads. A lot of talk around whether COVID has accelerated and increased the number of attacks by using COVID as a sort of way in. I think the reality is that the bad guys will always exploit vulnerabilities and they will always draw people when they’re the most vulnerable. So I don’t think it’s necessarily an issue around. COVID has led to an increase in attacks. I think COVID just provides a nice, easy way, just like the US election will provide a nice way in three or four months time. And these big global events that essentially mark our day to day, distract us from a lot, because we’re spending so much kind of emotional tension worrying about that issue, that then you get something in your inbox that’s related to that and all of a sudden you’re not as sharp as you should be. So I don’t think it leads necessarily to more attacks, I just think it’s an easier gateway.
A couple of final thoughts on security before I move to team structures. Firstly, there is I think a skills gap in the cyber space, and the more I speak to other CEOs and people in the industry, I think we all accept that we need more cyber knowledge, we need more cyber trained people and there is a gap, and hopefully one that we will be able to address over the next few months, but it’s a challenge for us as an industry.
The other thing I’d say is something that we take very, very seriously. We talk a lot about humility and learning at Glasswall. And I think it’s a really important topic to spend these 30 seconds on, because when something goes wrong internally, two things can happen: you can just sort of try and hide it and move on and think about the next challenge or you could do a massive deep dive into understanding why something went wrong and what learnings you as a company are going to take going forward. And I think that in cybersecurity that is extremely important: being able to put your hand up internally and saying - there was a mistake, let’s learn from it, let’s apply maximum humility, let’s analyze to death, let’s share amongst everybody in the company and let’s have that spirit of openness and collaboration is key, because without learning you’re not ready for the next one.
And then the final piece that I wanted to touch upon on security is the fact that I don’t think there’s any silver bullet on anything. If I think about us, we deal with threats in attachments. Attachments are weaponized these days. They can be undetected in inboxes or shared drives for a very long time, and then one unfortunate click and you have a problem. We know that traditional solutions are not enough to be able to deal with this problem and we have invested very heavily in having the technology that deals with this threat. Are we a silver bullet? We’re not a silver bullet, we are extremely good at what we do and we are one solution when companies are facing a whole host of problems, not just us or a number of others. And so I think a layered approach to security where you’re able to draw in world-class solutions for different problems is where we’re at. But one way are not at is two solutions will solve my entire life. And I think that’s very important, because understanding that a layered approach is the way to be able to deal with threats we think is key.
Let me move very quickly to the more human side: the organisational design size and team structures, which is something that we spend a lot of time talking about. And I think it’s fair to say that over the last three decades whether it’s digital revolution, remote working, freelance working has changed the way we are, the way we are structured. I remember working at Barclays 20 years ago and we were already working from home. We didn’t call it working from home, you had to call it LIW: location-independent working, because it was a real stigma about saying that you were working from home, and this is a sort of what I always used to think is ironic. And the bank used to say to us: please work from home, but don’t tell anybody that you’re working from home. And that to me is the sort of journey that we’ve been on over the last 20 years. We’re actually encouraging people to work from home, I’d say we have to, but it’s fine that we talk about it. And I think that that’s been one of the key changes, and COVID has obviously accelerated it. I don’t think we’re in a world now where it’s about employee numbers. Employee numbers don’t equate to growth, they don’t equate to profitability. Employee engagement equates to profitability. And so then we all face this challenge of flat structures, hierarchy, what does organizational design look like. I think it’s different, for a lot of it is driven sometimes by personalities. I’m not a believer in massive hierarchy, I’m not a believer in a completely flat structure, I’m somewhere in the middle, leaning more towards flat. But I think that it is very dangerous sometimes to think that you can achieve everything you need, however big or small the company is, particular however small by having a flat structure, because if you lack those internal processes, if you lack the ability to be able to go to somebody, you lack the overall direction and vision that some people are going to provide. I’m not saying you need 10-15 layers, but you need something that allows you to be able to operate effectively as a team. And I think that that’s something that we probably all grapple with. So the challenge I always think is how flat can you go without being completely flat. And that’s kind of the overall theme that we follow when we try and come up with the right solutions to organisational design. Obviously agility is absolutely key. You can set up teams for specific projects and then you can disband them - we do a lot of that, we operate in many ways through a squad model, and I think that’s all part of how teams are going to evolve as long as everybody is abiding by the same values. There’s a total understanding of what goals are and there is alignment on that, because operating in an agile squad environment where actually you lose track of what you’re trying to achieve in the first place as a company and what values you are driven by then can actually lead to real challenges. And so I think that is very important, and I think leadership is hugely important, and one of my favourite quotes (it doesn’t necessarily apply to the overall theme of organisational design, but I think it does show how important leadership is) is from Alexander the Great and he said that he was more scared of one lion leading a thousand sheep than one sheep leading a thousand lions. And I think it’s a very relevant quote because it just shows the overall impact, whether it’s one, two, three, four individuals can have at the top of an organisation who end up setting a lot of the vision and setting a lot of the traction that everybody’s trying to achieve and then get everybody in unison to follow behind. As I say, it’s not a numbers game, it’s an employee engagement game, where to me the two main themes that are absolutely fundamental in having the right organisational design, is having effective networking. Even if your organisation is of ten people, doesn’t matter; effective networking internally and effective collaboration, and if you have those two, then I think you’re very much on your way to having the right overall org design.
So just to sort of summarize overall, I think that we are at an extremely exciting juncture for our industry. The tragedy that obviously we have faced as a society over the last three months is very real. There is huge uncertainty about where we go from here. We keep talking about unprecedented times, but even having gone through these three months as a society we face these challenges and we’re very proud that we’ve adapted so quickly. Yes, I think it’s still fair to say that you’re going to look at the next 6, 12, 18 months and who knows what’s coming our way. Having said that the adaptability we’ve shown so far gives you a lot of reasons for hope. And us as an industry, we play a key role. I mean it’s something that I think about a lot. It’s not about whether we sell more, whether we grow more as a company, whether we become hugely profitable as a result of all of this now. It’s the responsibility that we have to play a key role in securing the ecosystem that we’re very proud to be a part of. And that to me is the key. A few trends that we have that bring us to where we are right now, a few learnings over the last three months, clearly a different way of doing things when it comes to people bring to having the right organisational design and then the role that we need to play. But for us as an industry I’d say the future is bright, but at the same time we have a massive responsibility, and that’s not a bad thing to have.