WSJ Cybersecurity interview, featuring Crossword Cyber Security CEO Tom Ilube
Hi, I’m Jackie Hunter. I’m editor for Wall Street Journal Custom Content in EMEA. I’m here in London for the WSJ Pro Cybersecurity event on behalf of NETSCOUT.

Jackie: I’m here with Tom Ilube from Crossword Cybersecurity. Welcome to the event.

Tom: Thank you.

Jackie: Let’s talk about cybersecurity. What are your biggest concerns about security that’s specific to your company and your sector?

Tom: I think my biggest concerns are whether we are innovating as fast as the people attacking us are innovating. There’s a whole community out there that is constantly innovating different ways to come at your company and get in and so forth. And I’m not sure that the industry is moving at that pace in order to keep up with them.

Jackie: Can it ever?

Tom: I think it can do, if it cooperates more, because I think what happens is the people out there who are attacking, they cooperate informally all the time. They’re sharing ideas. If you want to launch the latest DDoS or credential stuffing attack, there’ll be some tools that you can get hold of and make use of and so forth. Organizations are quite siloed in the way they approach cybersecurity. So there’s almost a culture of the CSO at one company doesn’t want to share their dirty laundry with the CSO at the next company. So we don’t share nearly as much as the people who are attacking us. I think if we did, then we will be able to innovate a lot faster.

Jackie: And as your company undergoes digital transformation, what are the biggest challenges that you face?

Tom: I think the biggest challenges over the next probably five years or so is as artificial intelligence becomes part of the way organizations do business rather than sort of something different and special over there, it just becomes part of everyday business. How people start to attack AI-based systems, we don’t even understand the AI-based systems, let alone the way that they’ll be attacked.
But I think that that is kind of a sleeping, but emerging challenge that could be a real problem over the next few years. If your company is making decisions based on the way a particular AI algorithm works, and I, as an attacker, have figured out a way to manipulate that AI so that it behaves differently, and it’s a black box to you so you don’t even know how it’s supposed to behave. That’s going to cause your companies some real problems.

Jackie: And do you see your operations and security teams merging more alongside digital transformation?

Tom: I think operations and security teams will need to merge more, but I think as they merge and as they come together, you then need almost separate security oversight again. You’ll sort of need to reinvent some oversight to keep an eye on what those combined operational security teams are doing. You have to sort of keep that principle of you’ve got to put the security in place, but you also need someone standing at arm’s length-

Jackie: to observe it

Tom: to observe it, yeah. So if they merge, you’re going to have to recreate that sort of observer role.

Jackie: Okay. So always, there has to be a standalone security aspect inside of business.

Tom: I think there has to be that observer role. Yeah, that looks at that, but I think that operational teams and development teams as well will have to become much more security aware. So in the past when I started out as a developer, the developer doesn’t care about security at all, because the security guys do that. I don’t think that’s tenable anymore. As a developer you have to be trained and as an operations team, you have to be trained in security, but there’s still going to need to be some oversight looking over the shoulder.

Jackie: Okay. And what are your biggest initiatives when it comes to cybersecurity and business over the next five years or so?

Tom: For us it’s about understanding actually the R&D end. What are universities doing in cybersecurity?
What research is going on now that will see the light of day over the next two, three, four years? And can we get our hands on some of those really interesting ideas, drag them out of the university, turn them into real world propositions and start to deploy those.

Jackie: But presumably the universities would want you to do that?

Tom: Not necessarily. So some universities are very academic, they almost don’t care. And they’re doing the research for research’s sake. Other universities, they want to do it, but they don’t really understand the challenge involved. So I’ll go and see a university professor and say, “Have you solved this problem, X, Y, Z?” And she’ll say, “Yes I have.” And then she’ll produce an academic paper and hand it over. And I’ll say, “What on Earth am I supposed to do with that?” So sometimes they’ll stop a lot earlier than you would expect them to. And you need to kind of reach quite a long way in to take those ideas and turn them into something that you can really do something with.

Jackie: Okay. Back to companies. What are the responsibilities of the C-Suite? How are they evolving as businesses become more reliant on technology for their success?

Tom: They are having to become obviously smarter about cybersecurity. They seem to me to be doing it in different ways, so some C-Suites and some boards will hire a dedicated cybersecurity person or a cybersecurity professional to sit on the board, and that person will become the focus of the cybersecurity conversation. That can work because it means that the CSO coming in to the board and presenting whatever they’re presenting knows that there’s a cybersecurity expert sitting across the table from them.
It can also go the other way where other people around the board table sort of say, “We don’t need to worry about cybersecurity because that person’s worrying about it.” The other way that I’ve seen it work is where the executive of the board will create an advisory board and we’ll have real expertise in that advisory board and that’s the way they bring the knowledge to the party. But either way, C-Suites and boards need to understand that cybersecurity is one of the few things that has the potential to fundamentally destroy or damage an organization. There aren’t actually many things. You can launch a marketing initiative, if it doesn’t go right, you launch another marketing initiative or you fire your marketing director or whatever. You can do something wrong on HR, but then you sort of sort it out and so forth. If you get things fundamentally wrong on the cybersecurity side, it could mean the difference between your company existing a year later or not existing at all.

Jackie: And let’s talk, let’s bring government into the discussion. How can government and businesses work better together to solve some of the biggest cybersecurity issues today?

Tom: I think government definitely have a role to play in multiple ways. So deep in government there are people who will be aware of some of the cybersecurity challenges that are an order of magnitude more complex than companies are facing. So to what extent can they share insight into what’s coming over the horizon, to help companies deal with that? I think governments can play a role in creating an environment of innovation, encouraging the cybersecurity startup sector, seeding it in some ways so that you’ve got a lot of innovation. Israel has been very good at that. America’s been very strong in that area in certain areas. UK to some extent, but also not so much in other areas and so forth. But you’re starting to see governments play a role. One of the important things in cybersecurity is having testing grounds.
Where can you test what you’re doing? And particularly where cybersecurity overlaps with AI and with big data and so forth. Governments have a lot of data, so their data strategy in their open data strategies, how can that relate to strengthening the cybersecurity sector? I think that overlap is really important as well.

Jackie: Let’s talk about the impact of 5G. What impact do you think it will have on the way companies do business and how will it benefit them and what might the risks be?

Tom: 5G is one of those fundamental things. I think it’s one of those areas of technology where initially we underestimate the impact and then five or ten years out we think, my goodness, it’s sort of changed everything. I think what it does is it takes us to a world where everything is digitally alive in a way that it isn’t at the moment. Everything sort of wakes up, and therefore everything can be useful but everything can be attacked as well. And so the whole landscape for cyber changes. If almost everything in the room is enabled because the capacity is there with 5G to think about how does my light bulb become online? How does my phone, my phone is already online, but my car and the streetlights, and everything becomes internet enabled. Everything is connected in a way that it wasn’t in the past. Now if I’m an attacker, I then look at that and say, “Right, that’s my army. If I can get hold of those, if I can control those things, I can line them up and use all of them to attack your company.” And if your company is not ready for a world where anything can be attacked at any time, it’s going to be really fundamental.

Jackie: Wow. Do you think that’s going to change our behavior as humans? Not only in a business context, but-

Tom: Absolutely, I think it will change our behavior as humans, as well as therefore how we need to defend against the attacks that will come. But also I think it presents a massive opportunity as well. But I would say it’s discontinuous.
It’s not a continuation of where we are now. A world where 5G has been rolled out and has been integrated into everything is a different digital world to the world that we have today.

Jackie: Tom, thank you very much. Very interesting insights.

Tom: Thank you.