Cyber Made Human Podcast: Securing critical national infrastructure

Leaving GCHQ: Securing Critical Infrastructure

Oct 27, 2025

In this episode of Cyber Made Human, we sat down with Cath Goulding. Formerly at GCHQ, Cath now works on securing critical national infrastructure, and she joined us for an in-depth conversation about how to communicate cyber risk effectively.

You can watch the full episode on our YouTube and Spotify pages. Check out the full episode transcript below to learn all about this topic and our discussion on it.

Disclaimer: This transcript is an outline of the dialogue exchanged in this episode and may therefore contain inconsistencies with the video version.

Our book recommendations for this episode were:

Alice: Hillbilly Elegy – JD Vance

Cath Goulding: Sandworm – Adam Greenberg & Fundamentally by Nussaibah Younis

To discover more book recommendations, check out the Cyber Made Human Bookshelf

Leaving GCHQ: Securing Critical Infrastructure Transcript

In this episode from the Cyber Made Human Launch Party here in Cheltenham, I’m joined by the wonderful Cath Goulding, who has an incredible amount of experience. We’re talking about how to communicate from CEOs to investors, to end users, to fellow techies, depending on who your audience is, based on your business and your goals. Let’s get started.

Alice: Thank you so much for being on the show today. I’d love to start by just hearing a bit about your background. We’re gonna talk about how to communicate cyber, which is not just for the non-techies. We’re covering everything from CEOs to investors, to key stakeholders, to fellow techies, and you’ve got a wealth of experience.

So to begin with, just tell us a bit about who you are and your background please.

Cath: Well, thank you for inviting me. It’s a pleasure to be here. Um, so yes, uh, I got into the cybersecurity profession by accident, I think, as a lot of people my age did. I did a maths degree and was privileged enough to work at GCHQ.

Back in sort of the year 2000, cybersecurity wasn’t even a thing. It was information assurance, network defence, and I was working in research at the time, and I was sort of asked to join this very new team to work on what is now cybersecurity; it was very much in its infancy then.

So it’s been, um, just fantastic watching how it’s grown, although also very scary. So I worked there for about 10 years. Uh, I worked abroad for a time, so I had a great time. But I did feel you’re slightly in a bubble, right? As you walk in the doors. Security is everything. It’s sort of in your DNA for everybody, from you know, the directors down to the people that serve coffee and the cleaners, they’re all cleared.

So I wanted to experience life in the real world, so for the last 10 years I’ve worked in CNI (critical national infrastructure) organisations, um, and heading up the security in those. So yes, it’s been, um, quite an exciting ride.

Alice: Yes. When you say you came out of the bubble, I remember we talked a bit about this before, but you actually then went to critical infrastructure, so I do imagine that they still have quite a level of understanding, or at least the people at a certain level do.

What would you say? It’s not entirely going from GCHQ to commercial. 

Cath: There were some moments where I called it my patio door moment. When you, you know, you walk into something that you didn’t expect, where for something that seems sort of obvious in terms of checking your employees or, you know, putting some security controls in place.

So that was kind of quite early on, but I quickly learned that, and that’s the kind of main thing I’d really like to talk about, is cyber’s just not a technical thing, malware and things like that. It’s a business risk, right? And so yes, over the years, I think, as a CISO, you really have to translate that risk into what it means in business risk.

Alice: Yeah. And when you say it’s a business risk, I think in Cheltenham we often actually hear it’s a business asset. We hear secure by design, and that’s kind of like something people will use to market the team that they have when they’re building technology, that that’s kind of just part of everything that they build.

It’s secure because most of them have worked at GCHQ when they go on to commercial companies, people outside that remit. You know, aside from national infrastructure or maybe within that space as well, there needs to be a lot more education about cybersecurity.

Cath: Yes, definitely. And I think you are right in the kind of, secure by design, that is, you know, the kind of utopia that we don’t have to sell, it is just built as being secure.

But unfortunately, in my experience, it’s not always the case. Right. Um, and it’s primarily due to financial reasons. You know, CEOs will want to sweat assets. You know, they’ll want to make as much money as possible, um, and sometimes that means sweating the assets, and they might be more difficult to secure.

So you find yourself, sometimes, you know, it’s easier when you, you know, you’ve got a team and they’re developing a new product, a new service, and you know, it is about inserting yourself and, like you say, you’re, you should be an asset. This should be something that is sold, in terms of, you know, this product, whatever it is, it’s also secure.

Not that the customer is always on board with that, because it might cost more. Um, but yes, it’s, it’s often easier to get in there from the beginning. Whereas when you’ve got these kinds of legacy systems, um, that are, that are kind of crumbling and they’ll cost a fortune, that’s where some of the real challenges lie, and it’s where, yes, certainly with the, you know, the CEO, the executive and the board, you know, you have to present the risks in a way, ’cause you can’t fix everything. No. You know, and, and, and that is the thing with, with cyber, and I think one of the things we’ve, we’ve got wrong in terms of, um, we need to be bulletproof.

You know, we, everything’s got to be perfect. It’s never going to be perfect. So you’ve got choices to make. Where do you put your money, where do you put the resources? What is the biggest risk, and what means the most to you? Um, so yeah, a lot of it is about translating that data and the decisions.

I remember doing my math degree decision-making under uncertainty. And I, and I think that’s really what being a CISO is about, in terms of presenting the options, in terms of what, what you will get back from an asset and from a security perspective.

Alice: So we’re gonna talk through a couple of examples of communicating to different people.

So imagine if you are in a board meeting talking to a CEO. Um, M&S CEO might listen to you this week, but prior to this week, they might not. Um, what would your job be as the CISO or as the technical person who’s talking to a CEO, who’s really profit-driven, is in a really unpredictable market, and maybe has to make cuts to the team?

If you are going in and saying, I wanna use M&S as an example, we need to invest. Or maybe I’ve answered your question, but how would you present that to someone who doesn’t care about cyber and just cares about profit?

Cath: It’s a really good question, and there’s no easy answer. I think, um, a lot of time it’s all about, you know, you want to produce metrics.

Just like the CFO will produce, you know, charts in terms of, um, you know, how the finances are going, how our profit margins are doing, and you want to show progress in, in the same vein, which is actually really hard. So, you know, say for example, um, you know, you’re not doing any monitoring, and so suddenly you put in a monitoring system, and so you are detecting loads of things, loads of incidents, and one week you detect 50 incidents, and the next week you detect 80 incidents. Does that mean you’re getting better at detecting them, or does it mean you’re getting less secure because you’re having more incidents? So there are a lot of nuances in the metrics.

And what I’ve, I’ve found in my experiences, um, it is, and this is all about, you know, Cyber Made Human. I think too often in cybersecurity, we forget the human element, and it is about technology, and the cybersecurity industry is thriving. It’s fantastic. And I think certainly in the UK it’s great to see all these, you know, small businesses popping up and growing.

It’s absolutely fantastic. But in my view, sometimes what they get wrong is their fear factor. They’re selling absolutely with this fear, FUD, fear, uncertainty, and doubt. Oh my God. You’ve gotta have that. And it’s really enticing as a CISO, oh yeah, we need to buy that because that’ll decrease the risk.

But actually, if what I like to do, um, with the board and the exec is to kind of talk about, I like to compartmentalise it into the human element. So, ’cause there’s always a person behind it. And so whether it’s, um, like I say, I work in CNI, so there’s a big concern about state-sponsored attacks. I mean, you know, with the, um, Spain outage, the power outage.

I work in the energy sector at the moment and, you know, there are questions, is it a cyber attack? And that’s really concerning ’cause we rely so much on technology now.

Alice: Yeah. Do you think it could be a cyber attack? 

Cath: It’s possible. I think they’re saying they’ve ruled it out, but certainly that is a big concern for, um, for the energy sector and for the government.

There’s a lot of regulation and a lot of pressure. Mm-hmm. Um, but yes, it’s sort of like if you have, you know, if you’re up against the Russians or the Chinese and you are a company, it’s gonna be very, very hard to stop them. Yeah. Because if they’re targeting you and they’re motivated, so you’ve gotta kind of look at what the return on the investment is on that side.

But, you know, to your example, it’s very good with Marks and Spencer. Yeah. It’s far more likely that, um, a company is gonna be vulnerable to a ransomware attack. Um, so I think it’s really, really important to, to go through that scenario with the exec and the board. And what they would actually do, because I do believe, the criminals are actually more at, you know, it’s an arms race, right?

Between the cybersecurity professionals and the criminals, and you know, the capabilities always, uh, you know who’s better at it. But I think they have got better at their business model, um, because it used to be that, you know, oh, never pay the ransomware because they won’t give you the data back.

And you are, you know, I used to sort of feel over my dead body, do you want to pay a ransom because you are, you’re giving them money to then go and attack other people. But they, you know, the criminals have got a lot more clever and they will choose the money appropriately for you and they will give you the money back.

And, you know, there are lawyers involved. Fascinating, that kind of world. So you need to talk to the exec in terms of, what would you do, um, and do you need insurance and all those sorts of things?

Advert: The Cyber Made Human Podcast is produced by Alice Violet Creative, my content marketing agency based in she. We specialise in complex brands, which primarily means those in emerging technologies, cybersecurity and intelligence. We’re able to take abstract, clinical, and difficult topics and make beautiful, compelling and results-driven content. So get in touch with us for digital marketing and all your content needs.

Alice: So, if you were in a board meeting, you’ve got the CTO, the CMO, you’ve got all everybody around the room, and you’ve only got a quick sentence to speak to the CEO who’s making costs, what would your key message be for why we shouldn’t cut cyber? The cyber team, for example?

Cath: The disruption, I think that cybersecurity is moving more into resilience. Yeah. So it’s coming closer to business continuity. So like I say, we’ve been so focused on detecting and protecting and buying, you know, things that will hopefully mitigate things.

But actually it’s, it’s about risk and it’s about how you respond. So yeah, unfortunately, Marks and Spencer’s, you know, they’ve had to shut everything off. And I read the Co-op is going through something similar. They’ve had to shut down their IT systems, so, yeah, increasingly, my job is about, you know, it, it, it’s not just cyber, it’s about failure or supplier failure.

And it’s communicating to the business, particularly the chief operations officer, the CEO and people like that. Like, are you prepared? Because if there is a cyber attack, yes. You know, the cyber team and the IT team will be working, you know, ahha to try and get everything, you know, back up and running as quickly as possible.

But how does the business continue to operate, yeah, without losing, you know, massive mass money and, and customers and things like that? Because, you know, actually, if an incident is managed well, it doesn’t necessarily have to be detrimental.

Alice: Yeah. Okay. And then in terms of investors, I guess, is that a similar decision if a similar communication?

Because if you are talking to a cyber startup, for example, and they’re trying to get investment or maybe a tech startup that just needs to consider their cyber element, how would you communicate to their investor about the importance of this, who’s super profit-driven, maybe even more so than the CEO?

Cath: Yeah, I mean, I think the, you know, the market is, is going into, um, uh, what you call it, verticals. So I think it is about absolutely knowing your customer. Yeah. Um, and I, yeah, I used to be a mentor on the CyLon program. Sorry, I know this is CyNam. Um, but yeah, it’s sort of, uh, you know, know who your customers are and what you’re trying to mitigate, I think too often, um.

You know, startups and companies, they’ll be selling in terms of like, oh, there are so many incidents, it costs this much, and, you know, it’s really bad. Fear, uncertainty, and doubt again. And actually it’s like, I am a customer and I want to know what you are doing for me. So which controls are you improving?

What is gonna be my return on investment? Um, and I, I think investors will want to know that as well. I mean, we have a joke in the CISO community. There are loads of buzzwords like AI and blockchain, and things like that, which, yes, absolutely have their place. And that’s really great. And maybe that will entice the investors because it sounds all, you know, new and exciting.

But for CISOs, it’s often like, oh, here we go again. Right? You know what, you know, what are you actually trying to do? I, I, you know, you want to know the proof, and it’s really difficult in cybersecurity, ’cause how do you test it in a real-world scenario?

Alice: Okay. And then finally, I guess, how would you communicate to an end user who isn’t technical at all?

So this is just maybe a small business owner who knows they need cybersecurity, whatever that is, and they don’t actually understand what they need, why they need it, or what the right product to invest in is. They don’t want scaremongering. What, what’s the key?

Cath: I think the key, you know, like I say, cyber and technology is so integrated in our lives, and too often people are scared by it.

Oh, cybersecurity. Oh, you have to be a cyber ninja and know about cryptography and things like that. So they’ll be put off by it. It’s not that scary. It is just, you know, another risk that you should be considering, so I think just like, you know, how you look after your house and your car.

You don’t want to be vulnerable to that kind of opportunist-type attack. So you wanna make sure you lock things up. You know how you look after your phone, you know? Crime with phones being taken massively on the increase. And so much of our lives is around the phone.

So, for a small business, I think it’s expanding in terms of, like, what is important to you? Yeah. And what would you do if it did come under attack? And also some of the easy things that you need to do to protect it, like putting on two-factor authentication and making sure you are, you know, you’re, you’re patching your system.

So I think it’s about keeping it, you know, it, like I say, it’s not rocket science. You can do an awful lot, mitigate 90%, by doing just some of the basic stuff.

Alice: Yeah, and I think that’s a nice way of putting it, actually, by kind of talking about it as your laptop on your phone rather than data, which is the exact same thing, really.

Yeah. But as soon as it becomes something physical that can be stolen, and I think to an end non-technical user, they get what you’re saying, then it’s just like an insurance of making sure it can’t be stolen basically.

Cath: Yes. I think you’re right. You know, cybersecurity is often this, it is this abstract thing.

You know, it’s about malware and hacking. Yeah. To most people walking down the street, you know, they don’t understand it. Yeah. But actually, like I say, it’s not rocket science. It is just your, you know, it’s your assets, it’s your service. It’s, you know what you’re doing, your IT, your data, and it, and it’s about doing the, the cyber hygiene.

Alice: Yes. I have got one more bonus question, actually, ’cause I’ve just thought of it as a marketer who’s chosen this stunning venue to have a cybersecurity podcast and a cybersecurity event. And I’ve just been to UK Cyber Week, and we’ve got Cyber UK next week. When you walk around, a lot of these conferences, CyNam, do gorgeous events.

So, no shade to CyNam, but a lot of other events can be quite dry. What would you say in terms of what the industry can do? ’Cause obviously, we as an agency try to uplift and challenge people to do something a bit different. As someone who works for a cyber company, what do you think internally you can do to make yourselves more accessible and appealing externally?

Cath: Oh my gosh, I could talk for a long time about this. I mean, I’m from Yorkshire, so I like plain speaking. Yeah. Um, and I go around these conferences, and you get the kind of sales pitch. And you kind of like, you want to get to the nub of what? Yes. What it is you’re trying to offer.

So, try and look at it from our perspective, and particularly in the CNI space, we’ve got an awful lot of regulation and compliance to deal with, which is really good, you know, because it, it’s making, it’s a bit of a stick, but it is making, you know, CNI, more, more secure. So it’s kind of like, again, what is your return on investment?

What are you looking for, and from my perspective? Yeah, what are you mitigating and coming straight to it? Mm-hmm. And another one of my bugbears is, um, give me an estimate of cost. Yeah. Um, I recently did a, or it was one in my team, did a proof of value for a data loss prevention tool. And it, you know, this was weeks’ worth of work, and it found some great stuff.

And he was kind of like, Cath’s gonna ask how much, ’cause you know, I hold the purse, right? And so I’ve got to decide and propose where to spend the money. Yeah. And when it came back, it was, it was half a million a year. And I, I just couldn’t, you know, I almost laughed. It was like, well, that is such a shame because if you’d have told me that at the beginning, I’d have said, sorry, that’s not for us. Right. Because it didn’t, you know, the, the, the loss didn’t equate, yes, to how much it was. You know, the cure’s got to be better than the,

Alice: I wonder, as critical national infrastructure, whether they almost see you as a bit of a whale. Absolutely. Because you have to have security. Yes.

They know that if you are the, if they are the solution, you’re gonna pay. But yeah, you, yeah, but 

Cath: I have to justify everything. Yeah, absolutely. So I think my main message is, help me justify it. Tell me what the risk is. Not just in kind of like, oh, there’s been, you know, so many incidents, and the average breach costs this.

We know that we absolutely want to understand you’re right, because we need these products, and that’s why it’s so great working in cybersecurity, how challenging it is and how these products and services are evolving. But unfortunately, there is quite a lot of snake oil and products that you might get bitten by. So, plain speaking. 

Alice: Okay, fabulous. And then my actual final question is, at the end of every podcast, we ask our guests to share either their favourite book or a book that they’re currently reading for the Cyber Made Human bookshelf, which is a really nice way of sharing a bit more insight into them as a person.

Doesn’t have to be related to cyber or what we’ve discussed.

Cath: Am I allowed two? 

Alice: Yes.

Cath: I couldn’t decide. One’s fact, one’s fiction. Okay, perfect. So that’s kind of mine. Yes. So, the cyber one is Sandworm, okay, by Adam Greenberg. It’s quite, it’s, it’s, I think it was written about 2018, but I think it’s relevant, very relevant today because it’s about the Russian group that went after Ukraine, with the NotPetya and taking down the energy in Ukraine.

And obviously, it hit, uh, lots of companies around the world, including Maersk. But it, again, it’s about that human side. It talks about the group and it talks about how it impacted the companies. So it’s a very readable, factual cyber book. And the other one is a fiction book, called Fundamentally, sorry, I’ve forgotten who it’s by.

It’s less about cyber. Um, it’s more about Shamima. There was, um, an ISIS bride. Do you remember Shamima Begum? Thank you, and so it’s a novel based on that kind of, um, okay, scenario. Interesting. But it’s about understanding what motivates people, I think. I mean, it’s a funny book.

It’s actually a comedy book. Wow. It’s brilliantly written, and it just makes you see how these things can happen.

Alice: Thank you. Well, my recommendation for this episode is actually JD Vance’s memoir. Fear not, I’m not a Trump supporter, but because of everything that’s going on, I thought, let’s listen to his audiobooks.

I’m actually listening to it, called Hillbilly Eulogy, which is all about him growing up in Kansas. And actually it’s quite a good insight because a lot of it’s very shocking and I think it will give you a different view on what’s going on, potentially. I feel like it may have been a little bit of a strategic book, might have put it out to appeal to certain people and appear more relatable.

But either way, I think it’s good to get as much knowledge as you can when making opinions on people. So that’s what I’m currently listening to. And that’s it for this episode. 

So thank you so much for joining us for a live episode, and thank you to our audience.
