The field of cybersecurity can be a somewhat unforgiving working environment. Bad actors will quite literally stop at nothing to wreak havoc for their own personal gain, financial or otherwise. Unfortunately, no public holiday or even pandemic, offers a hiatus from their malicious pursuits.
Security professionals are burdened with unrelenting pressure to protect their organisation; all whilst likely understaffed. Moreover, keeping cyber safe is often an expectation that is taken for granted. It would seem that ‘recognition’ is only ever achieved when things go wrong – that is, they are forced to shoulder the blame. Studies have shown time and again, the toxic environment that this engenders. Indeed, one report found that, as a result of the stress, the average job tenure for a CISO is just 18-24 months; significantly less than the average 8.4 year tenure of CEOs.
Yet, the work these individuals do is vital. Recently, we witnessed one of the world’s leading foreign-exchange establishment, Travelex, brought to its knees as a result of a ransomware attack. SMEs are widely affected, too. The 2019 Verizon report has shown that 43% of cyberattacks are in fact targeted towards SMEs, 60% of which will likely fold within the subsequent six months. Critical infrastructure such as hospitals, power plants and banks are not exempt from these threats either. Every day that these institutions are kept cyber safe, is another day that livelihoods, and even lives, are safeguarded.
More than ever, we need to lift these individuals working hard behind the scenes. We also need to commend those who are educating the public about cybersecurity as it is a responsibility that the community, as a whole, should bear; particularly as our society becomes increasingly reliant on technology and the internet. The Security Serious Unsung Hero Awards is an occasion to do just that.
With only two weeks left until nominations close, it seemed fitting to reach out to former winners and learn more about what the awards have meant to them, what they have been up to and who they think is an unsung hero.
We spoke to Jonathan Armstrong, partner at Cordery Legal Compliance and Captain Compliance winner 2019; Paul Simmonds, CEO at the Global Identity Foundation and Godfather of Security 2019; Dan Raywood, deputy editor at Infosecurity Magazine and Cyber Writer winner 2019; and Javvad Malik, security awareness advocate at KnowBe4 and Best Security Awareness Campaign winner 2019 under Host Unknown.
What does the Unsung Hero Award mean to you?
Of the four former winners we spoke to, all agreed that the Unsung Heroes Awards are most valuable because they demonstrate the community’s appreciation. In Jonathan’s words, the benefit derives from “a sense that the community values what you do”. Paul added that it is “extra special” knowing that this award is from his peers. The award even offered him a conversation starter to reconnect with old friends who congratulated him.
For Javvad, this recognition also plays into the bigger picture, as bringing great accomplishments to the forefront helps in bolstering the overall image of the cybersecurity industry as well. He said: “By humanising our industry and showcasing some of our top talent, we can help outsiders to better understand us. These awards also showcase the initiative of cybersecurity professionals and spotlights unique ways of addressing security issues, or how to approach these, and get buy-in from their executive structure. The added recognition reinforces these best practices.”
What contribution have you made to the cybersecurity community since that has been most meaningful to you?
All four have also been busy at work since their wins and have continued to make some remarkable contributions to the cybersecurity community. Paul, for instance, has been contributing to the body of knowledge around cloud, zero trust and identity. In fact, he has been asked to contribute to the World Economic Forum’s identity work.
Dan, Javvad and Jonathan have considered their greatest contribution to be the ability to simplify the complexities of cybersecurity. In Dan’s words, it is “in trying to explain what can be a pretty complicated subject in an easy to understand format”. Javvad also attempts to do so, whilst injecting humour and relatability – an important facet to any awareness campaign.
Jonathan raised the example of a client he worked with recently. His client is a global healthcare organisation that provides essential services and goods to hospitals and medical facilities across the globe. However, as a result of coronavirus, 15,000 employees had to move from working in the office to working at home – almost overnight. On top of moving people, the organisation had to continue working quickly, if not more quickly than before to make up for delays in the supply chain. Getting this wrong could have had drastic consequences, as hospitals would be forced to close down wards as well as operating theatres. In order to address the complicated legal issues surrounding this new reality, Jonathan endeavoured to break them down into a clear, and straightforward set of tasks. What’s more, the project offered a case study to pull learnings from which Jonathan and his team then used to create an FAQ document for others undergoing the same process.
“The difficulty with the pandemic is almost everybody was working from something that had no guidelines. The last time some organisations did anything like pandemic-planning was in year 2000. They have had to dust off that 20-year-old plan and try to make it work,” he explained. “So, if you can act as a sort of pathfinder – go first, work out what sort of issues are involved – that’s a real value to people.”
In a similar vein, Dan clarified that he has always tried to learn more in order that he can pass knowledge on. Unlike Jonathan, however, he has sought to be the ‘pathfinder’ for individuals as opposed to organisations.
“I guess my most meaningful contribution has been in me proving that I can do something – be it live video presenting, large research projects, event moderation, conference speaking. If I can do it, I hope I can prove that anyone can.”
What do you think are the most important qualities a nominee for this award should have?
For Paul, anyone who tries to advance the cause of the cybersecurity profession and the body of knowledge around it, would get his vote. Adding to this, Jonathan asserted that the cybersecurity industry needs more individuals who engage with people of different ages, and levels of understanding about cybersecurity issues.
“Quite often the security community talks amongst themselves and then criticises people who are outside the community when they get it wrong,” he said. “I think what we need to do more of is educate the general population and not just each other…Security Serious plays an important role in this – to get people to get out and share their awareness of issues.”
With regards to the Captain Compliance award specifically, Jonathan argued that the real skill is trying make the complicated simple – explaining to people what the issues are and offering alternative ways to manage them as well as reduce risk.
“There are many within compliance who make up the “department of No” – they tell you why you can’t do something and, while sometimes that’s the right answer, usually it isn’t. If all you say is no, people don’t understand how they get to a yes.”
In terms of the Cyber Writer award, Dan offered the following advice.
“In a sector where there is plenty of expertise, and where a lot of people want to share their thoughts, consider these points if you want to do some writing on the side of your main job:
- Firstly, don’t just cover the same thing as everyone else, try and stand out and either give a new perspective or cover a different subject altogether.
- Secondly, if you’re going to do something intended as an opinion, deliver an opinion – people want to know what you think.
- Thirdly, use statistics and context sparingly, and only to back up an argument, not to be the core of your argument (have your own view, and use someone else’s view to back it up).”
And there you have it, some great insight from some amazing unsung heroes! If you know anyone who deserves an award for the work that they do in the cybersecurity community, make sure to nominate them here now. Nominations close on the 31st of August.