Securing the Future Ep. 2: Cyber Resilience, Transparency and Transformation


A Q&A with Richard Horne, Advisory Board Member

[00:00:00] Jamie Cowper: Welcome back to the Securing the Future series. I’m Jamie Cowper, the VP of Marketing here at Noetic Cyber. The intention here is that we’re really looking to work with the expertise that we’re very fortunate to have on our advisory board to look at some of the broader cybersecurity issues that every organization is facing today.

For this episode, we’re really focused on some issues around cyber resilience, cyber transformation, and cyber transparency. And we’re very fortunate to have with us a real expert on these issues from our advisory board, which is Richard Horne, who is the cyber security partner at PwC UK.

Hi, Richard.

[00:00:42] Richard Horne: Hi, Jamie. Good to be with you.

[00:00:44] Jamie Cowper: Great to have you here. Well, maybe if I could just ask you to give me a little bit about your background and how you got to be involved with Noetic.

[00:00:54] Richard Horne: Yeah. So, I guess it goes back quite a long way.

Prior to PwC, I did a lot of work for Barclays building and running cybersecurity for them.

And as part of that, got to know through various technology companies, people like Paul, your CEO and yourself, Jamie.

And as you moved on to different things and solving different challenges, obviously I stayed close, and with Noetic, I think it’s, you know, it’s a big challenge that you’re trying to solve.

So it’s fascinating and great to be able to support you in that.

[00:01:26] Jamie Cowper: Thank you, Richard. It’s fantastic to have you with us on the journey. So, let’s jump in.

I think we’re going to start today’s discussion by looking at some of the more foundational, bigger, more general questions around some of the cybersecurity issues.

Well, let’s start with a big one.

What do you see as some of the real significant challenges that organizations are going to face and encounter in the next five years?

[00:01:53] Richard Horne: So, I spend a lot of time, Jamie, with boards and executive committees taking a higher-level strategic view on cybersecurity and what the challenges are.

So, in talking with them, I often boil it down to four things, four big themes that organizations are facing.

The first one I call “Resilience is the new standard.” So, our whole approach to cybersecurity for many years was driven by privacy and protecting data, the confidentiality of data. And what we’ve seen in the last few years is attackers really targeting the availability of systems and data.

And that’s driven a growing understanding of the importance of resilience, and of organizations being able to continue even after a major cyber attack. And we’re seeing that play out in many ways that we can talk about. So that’s the first theme: resilience is the new standard.

The second theme that we’ve seen playing out more and more is what I call a new era of cyber transparency.

And that really comes back to if the big threat from cybersecurity is major events, essentially making organizations questionable as a going concern, then surely investors and customers who rely on those organizations and other stakeholders, they deserve to know how good their cybersecurity is and how likely they are to succumb to a major cyber attack. And so, this concept of cyber transparency is something we’re seeing really play out.

Those two themes together, you know, we’re seeing financial services regulators, energy regulators, critical national infrastructure more broadly being regulated more and more around the world. And those regulators are demanding, one, transparency and, two, actions to make them resilient to cyber attacks. So, those two themes are certainly driving a lot of regulation globally.

And then as well, we’re seeing it with financial regulation. So, in the US, the SEC requirements around disclosures for cybersecurity, both cybersecurity capability and cybersecurity incidents.

And that’s symptomatic of what’s happening around the world. More and more markets and investors are wanting to know how good the cybersecurity is in the organizations they invest in and what incidents they face, and we’re seeing it also play out through supply chains, you know, organizations at the top of supply chains want to know about cybersecurity through them. So, that’s the second theme, cyber transparency.

The third one is one you kind of can’t avoid, but it can be quite tricky. And that is what I call a developing social contract between business and government. And you can’t avoid the fact that cyber security is fundamentally about national interests in many cases.

And for multinationals, that can be challenging: balancing different national interests in different geographies. And yeah, there’s a huge amount of complexity, growing complexity for organizations, even knowing where their systems are and, therefore, what national interests might come into play with those systems. This can be really demanding.

And then the fourth area, which is a huge one again, is what I call cybersecurity at the heart of disruption. So, we’re in a world where we’re rebuilding how our businesses work. We’re redefining how our organizations function and the driver behind that is technology and what technology can do for us.

And we face a choice as we go through this journey as organizations, as to whether we deploy that technology in a way which makes it secure and makes us resilient to attacks, [and so] putting cybersecurity at the heart of that disruption is really important.

[00:05:44] Jamie Cowper: Thanks, Richard, we covered a lot of ground there.

When you look at those areas, Richard, what are the developments and trends that you are personally most excited about in cybersecurity?

[00:05:55] Richard Horne: I think there are some really interesting solutions starting to evolve, or ways of organizations thinking about how to confront these challenges.

Firstly, for many organizations, both in terms of resilience, transparency and understanding the impact of disruption, getting a granular view of what their technology is, how it interacts with each other, what technology is critical to the ultimate operations of the business and so on.

You know, those deep, gnarly questions are having to be asked, and organizations are starting to face up to them in different ways and, you know, with different levels of success, but they’re all driving to this need to really understand that at the coal face. What is our business in terms of the digital functions that support it and the different technologies that support it?

And then, what I think is really exciting is the ability, once you’ve got that understanding, to then automate some recovery. So, more and more organizations, especially in the highly regulated industries, are having to work out how, if you have a destructive cyber attack, which might be ransomware, or it might be some different kind of attack, but essentially destructive,

how do you rebuild your technology from scratch and automate that so you can do it quickly, and do it in such a way that you can continue operations as a business? And those are big, hard questions. And there are some really exciting approaches happening in organizations who are starting to be able to do it, which is amazing.

[00:07:30] Jamie Cowper: Yeah, the heart of cyber resilience is the ability to recover and to continue business operations despite the challenges we face.

So, one more general question, and we would have to ask this in the current era, but what do you think is going to be the impact of generative AI on the future of cyber security?

[00:07:53] Richard Horne: That is a great question, and I think there are different extremes of [an] answer to that in a way.

I think there’s no doubt, and we’re seeing it play out already, about the ability to trick human beings with convincing deepfakes of individuals.

And we’re seeing scams, as it were, already that are using deepfake voices or deepfake videos. And you can only see that increasing more and more, which I think then just puts more importance on how you almost accept the fact that individuals are going to be tricked;

So therefore, how do you still secure your environment, secure your technology, or secure your business processes?

I think that will continue to develop quite quickly in terms of the importance of the, “Okay, someone’s been tricked. Now, how are we going to deal with it?”

I think there are some longer term things that are going to be really interesting, you know, the ability to automate attacks, the ability to be adaptive in how attacks play out and so on.

But, at the same time, using AI to counter those is absolutely something that organizations are working through, and tech providers are working through. So, I think to some degree, it will probably drive a bit of an arms race.

[00:09:25] Jamie Cowper: Let’s go back, Richard, to one of your four areas, and this idea of cyber resilience as the new standard for organizations that really need to think about how they respond to cyber threats.

So you know, we live it, it’s a very dynamic environment. Everyone’s constantly rebuilding different areas, different business priorities. How do you really help to define cyber resilience for businesses, around these unexpected interruptions?

[00:09:52] Richard Horne: Yeah, there’s a really interesting point in your question, actually, Jamie, and that’s organizations who need to think about cyber threats.

I think one thing that ransomware has really driven is an understanding in organizations that you might not think of yourself as a target for cyber attacks, but you might be.

And whether that’s been health providers or [different] organizations, charities, who would normally say, “Who would attack us?”

Well, unfortunately, the sad reality of life today is people will… And all organizations need to think about their resilience to cyber-attacks. But then, what does resilience mean?

I think, firstly, it does mean security in terms of building good defenses.

The ability to stop attacks and attackers getting through, and when they do get in to be able to identify that, isolate them, contain them and deal with them before they’re able to have an impact.

But then I think it also goes further than that. And if you do have an attacker who’s been able to get past those defenses and have an impact, how do you deal with the impact?

And what we see in many organizations is traditional approaches to business continuity that aren’t built around continuing the business through a loss of IT or through a cyber attack. And organizations are having to rethink, “What does business continuity mean?” You know, could you continue business for weeks without your technology?

And those kinds of questions are hard.

But then it also means being able to recover your technology, and focusing possibly more attention on what your ability to recover is when you’ve had a destructive cyber attack.

[00:11:40] Jamie Cowper: So, what key factors do you believe are essential for businesses to integrate cyber resilience into their operations?

[00:11:49] Richard Horne: In terms of integrating cyber resilience, the first is a mindset, and I think it’s really interesting looking at organizations thinking about AI today, and where you have new technology that can transform how organizations work.

And yes, there’s a massive upside to embracing that. Thinking through as you embrace it, are we embracing it in a way where we could survive if this went wrong, or a cyber attack caused it to give wrong results, or caused it to cease to function? Could we still continue business in our new business that’s now reliant on this technology?

That kind of thinking about what our reliance on technology is and how we would continue business if that technology was removed by a cyber attack is key—it’s a mindset thing more than anything else.

[00:12:46] Jamie Cowper: Do you see the new regulations you touched on as driving more of that cyber resilience culture?

[00:12:54] Richard Horne: Absolutely. I think there are quite a lot of examples of regulations, be it financial services regulations here in the UK, in the US, elsewhere.

You’ve got regulations like DORA coming from Europe, you know, all sorts of regulations, lots of energy regulations are all focused on the same thing.

And that is basically building resilience to cyber attacks. And they often are driving organizations to do that: gain a deeper understanding of their technology, a deeper understanding of what technology they have, where it is, how it interrelates, and how you would rebuild it if you were hit by a cyber attack.

And that depth of thinking hasn’t happened in many organizations, and it’s regulation that is starting to really drive it.

[00:13:47] Jamie Cowper: Thank you, Richard.

It’s clear here that cyber resilience is a complex challenge for organizations that really needs that proactivity and strategic planning.

And thanks for sharing your expertise around these areas.

So, let’s talk maybe a bit then about cyber transparency and this concept of a new era of cyber transparency.

Interesting idea about how organizations can really cultivate a culture of cyber transparency, from the ground up, if you like.

[00:14:21] Richard Horne: Yeah, I think these themes are challenges. They’re not things that there are easy solutions for.

But they are absolutely challenges that organizations are having to face into, whether it’s your private investors demanding greater visibility over cybersecurity in organizations, and they can be quite demanding, in my experience, in terms of there being specific controls: do you have these in place, specific capabilities? It can be insurers asking questions, you know, we’re seeing a lot of cyber insurance now driven by really detailed questions around what cybersecurity you have. But then you have markets where maybe you wouldn’t want to be public with a lot of detail around your cybersecurity, but you do have to be public about your capability, your governance, how competent you are as an organization to deal with cybersecurity, and there is increasing scrutiny on whether you’re truthful in how you present that or not.

So, organizations are having to really think through in a different way about how they can give transparency.

And in some cases, where it’s more public, how you can give sufficient transparency without exposing everything that you wouldn’t want to expose publicly because you wouldn’t want to publish your vulnerabilities.

[00:15:41] Jamie Cowper: Sure, certainly, as a cybersecurity provider, we’re constantly being asked by prospective or existing clients to attest to the level of security we have in our SaaS solution or the product development lifecycle. And good ways of sharing that without having to recreate it every time is obviously beneficial.

[00:16:01] Richard Horne: Yeah, absolutely.

[00:16:04] Jamie Cowper: So, can you talk about any innovative approaches that you’ve seen to help organizations really build out that cyber transparency without compromising their security posture?

[00:16:15] Richard Horne: Yeah, so I think there’s certainly some organizations, especially ones in regulated markets, or regulated industries.

We’re seeing quite a few organizations trying to get more of a percolated, ground-up view of what their cyber risk is, starting with a lot of detail around assets and building up a view from there to a more comprehensive overview that gives them a defensible position.

I think a lot of organizations are challenged by, ‘we can give a perspective on our cybersecurity capability or competency or what have you, but how would we defend that?’

And what’s the defensible approach? If we were then to suffer a breach, how would we be able to defend that we were right to say what we said? But at the end of the day, we’re all vulnerable somehow. So creating that defensible view that maps data from a mass of assets, all with varying degrees of capability, vulnerability, and so on around them, and how you map that up to a defendable overview, is something that we’re seeing organizations grapple with and start to take different approaches to.

And I think no approach is perfect, but at the end of the day, it’s about having something that’s defensible more than anything else.

[00:17:46] Jamie Cowper: And you need to be able to articulate it at a level that boards can understand now.

[00:17:53] Richard Horne: Yeah, absolutely. I think some organizations are trying to talk about the value of risk and things like that, which I think is still quite a way off, in my view, really getting to be truly meaningful. But something that starts to give a feel for at least how things are changing, how they’re developing and how, if you invest here, would you get more bang for your buck in terms of managing a risk than investing here or not? Those kind of questions are the questions that organizations are really trying to get more data around to be able to make sensible decisions and defend them.

[00:18:37] Jamie Cowper: That’s excellent, thank you. So definitely a clear role for the appropriate level of technology in helping to shine a light, if you like, to make things more transparent.

And then, how we share that information with the supply chain, depending on where we might sit in a given supply chain, is obviously critical to being able to satisfy the regulators, insurance companies, potential customers.

Richard, the third area you talked about at the beginning was this whole concept of cyber at the heart of transformation, at the heart of a positive digital disruption. And in our industry, we’ve often seen cyber positioned as more of a compliance or as an inhibitor of innovation.

So, based on your experience, both doing and advising organizations, what advice would you give to security leaders who are really looking to change that perception, to make sure that the wider business sees cybersecurity as an enabler of innovation, not a brake on it?

[00:19:48] Richard Horne: Yeah, it’s a really interesting challenge I think, for many leaders to draw a definitive line between, if you invest in cybersecurity, you’re investing for growth.

But I think it’s really interesting looking back in many organizations, and I can think of organizations where they’ve invested in restructuring their IT, whether it’s moving to more cloud based infrastructure, like Active Directory, whether it’s software based networking, a whole load of different kinds of controls that they’ve done for cybersecurity reasons. Maybe things around consolidating where their data is and how they protect that, how they monitor it for leakage. And then when it comes to new technologies like AI, to be able to embrace those technologies, they need all of those building blocks that they’ve built in their cybersecurity programs in the past to be able to really embrace the opportunity for AI.

And so I think one thing that’s fascinating around cybersecurity programs is that those that have really thought through their cybersecurity architecture and integrating cybersecurity into their technology architecture overall are far more agile in terms of how they can embrace new technologies like AI, different services in the cloud.

And so to me, I think there’s a real line between cybersecurity done well and agility. And a line between agility and the ability to embrace new technology opportunities at pace and with confidence, and also the ability to deal with some of the disruption in the world, like having to exit a country at pace, as we’ve seen recently in geopolitical conflict.

So that agility that a well thought through cybersecurity program gives you, I think is absolutely key to success.

[00:21:54] Jamie Cowper: Considering the whole interconnected nature of digital infrastructure, are there any measures that you really think organizations need to prioritize to maintain their cybersecurity posture during a digital transformation?

[00:22:10] Richard Horne: I think probably one of the key things for organizations to think about is often what gets overlooked. And that is when people are thinking about the digital opportunity, they often focus on the applications and what the applications can deliver for you, and they see the infrastructure as a cost, and that’s a cost to be minimized.

Whereas actually the infrastructure is what’s going to enable applications to be sustainable, to be resilient looking forward, and to have the agility to be able to embrace new applications. And so I think there’s a real shift in understanding in leading organizations that IT infrastructure is less about viewing it as a cost to be minimized, and it’s more about seeing it as your strategic asset that’s going to position you to be able to embrace new opportunities.

[00:23:07] Jamie Cowper: So really thinking up and down the stack, not just being focused on the application layer.

[00:23:13] Jamie Cowper: Thank you, Richard. There’s a lot to think about there, as the whole cyber transformation process for many organizations is still very much ongoing.

So thank you, Richard. We’ve really covered a lot of ground around the idea of cyber resilience as a new standard and thinking about how we can move past business disruptions, and what the right proactive measures and strategic planning are to address that.

The whole intriguing concept of a culture of cyber transparency, of how we share internally but also with stakeholders, to ensure that we are appropriately transparent about controls and best practices. And then finally, moving beyond this idea of cybersecurity being a brake on innovation to it actually being an enabler and a disruptor. We really appreciate your time today, thank you.

[00:24:05] Richard Horne: Pleasure. Really good to be with you, Jamie.

[00:24:07] Jamie Cowper: And look forward to catching up soon. And thank you all for watching this video and watch out for a future episode of the series coming soon. Thank you.

About Richard Horne

Richard Horne is a renowned cybersecurity expert and a valued member of the Noetic Cyber Advisory Board. With a wealth of experience, Richard collaborates closely with boards and executives of companies and governments worldwide. Richard is widely recognized as a thought leader and public speaker on cybersecurity strategy and leadership, sharing his expertise through various platforms to shape the future of cybersecurity practices globally.