Clare Patterson is an Advisory Board member of CyberCompare. As former CIO of Shell Energy, she led cyber security and IT infrastructure transformation programs. In this context, she has been named one of the Top CIOs in the UK. Now, she continues to specialize on cyber security by completing her PhD at the University of Kent on this topic. In the following interview she provides insights into her experiences in the field of IT security, gives recommendations e. g. to invest in OT security and emphasizes the importance of diverse and interdisciplinary teams in the cybersecurity industry.
Dear Clare, it’s a privilege to have you with us today! You have a distinguished career in IT and information security consulting, were named one of the top CIOs in the UK, and have been responsible for IT infrastructure and cybersecurity in a large corporation. Can you tell us an anecdote about your career that still makes you chuckle when you remember it?
I inherited what I was told was a nearly completed project, which had been managed by another consultancy, to implement an upgraded certification authority (CA). The handover was all focused on ensuring the initial keys were set up securely and penetration testing the CA server. The key signing ceremony had been held – and then one of my team reported that it seemed the server wouldn’t generate any certificates. When questioned, the IT supplier explained that they had descoped the certificates from the project, as the client hadn’t provided any specification on them and had signed off on the design. They had delivered a fancy secure box which didn’t actually do anything! They even had the cheek to ask the client to pay them to host the box! We eventually got it all working and it was a lesson in the need to have people who actually understand security managing security projects.
What’s on your mind nowadays? (We know you like solving puzzles, so we are curious about what’s puzzling you at the moment!)
Recently I’ve been trying to work out the best road map for moving towards a zero trust approach. It’s an interesting puzzle as you have multiple vendors providing the different parts: network, authentication, rule-based access, application access, etc. They aren’t always compatible and it takes a lot of effort to determine the right integration approach. Zero trust cuts across architecture, IT infrastructure, identity and access management, cyber defense, IT operations, and IT strategy teams, and engages the rest of the organization to understand the access rules which need to be set up. Organizations need to decide the pace, the approach (“big bang” or building a new environment and gradually migrating to it), what to do with legacy systems that won’t work with the new technology, and who is going to manage the initiative. It’s a lot of effort, but it is definitely the direction organizations need to take as “the corporate network” is being dismantled and they need a more dynamic approach to protecting their data.
What was one of the most difficult challenges you encountered in IT security, and how did you and/or your team address it?
Lots of challenges to choose from! Security projects are often the most complex because they cut across so many parts of the organization. One example that springs to mind involved user behavior analytics. Many vendors will share how clever AI tools can identify anomalies, but these tools are only part of the story. Sure, you have the normal challenges with any monitoring tool of setting up all the data feeds, configuring and tuning rules, etc. What makes this type of project particularly challenging is, first, the Human Resources aspects of managing the ethics and messaging around monitoring users’ behavior, as well as any disciplinary response. Second, business managers must be involved to enable the business context to be factored into the assessment of alerts. We created a multidisciplinary team with people from Cyber Security, IT Operations, Corporate Security & Investigations, Human Resources, Legal and Internal Communications. It still isn’t easy, but it is a really valuable tool as part of the cyber defense monitoring arsenal. People just need to be realistic about what can be achieved with this sort of monitoring and how quickly.
What current technical developments in cybersecurity do you find especially interesting?
Deception technology has really advanced over the last few years and can be a useful tool in early detection of ransomware attacks and even some insider threats. Most ransomware attackers these days conduct reconnaissance of the environment to identify important systems and plan their attack. Decoys created by the deception tools can trigger alerts when the attackers access them. I’ve seen a lot of marketing that promises to reduce the costs of monitoring, suggesting that you can relax more traditional monitoring and rely on deception technology with its fewer false positives (in theory, legitimate users wouldn’t have a reason to access the decoys). But I’m skeptical. Until it’s proven, I think it will actually add to the load on cyber defense teams, as it needs to be actively managed to be effective. The most sophisticated state-sponsored attackers may well be able to adjust their approach so they don’t trigger the decoy alerts. It’s an interesting development and companies should explore and experiment with the technology – but be aware that it won’t solve everything and will take effort to implement and maintain.
What are some non-obvious security controls you often see missing but would recommend in general?
One that is often neglected as it isn’t exciting, but so fundamental, is robust asset management. It’s hard work to get right and needs to be continuously maintained, but there isn’t an easily tangible return on all the investment. However, without it none of your monitoring, patching, incident response, or testing is going to be effective. You know when it’s poor, as you’ll have lots of surprises, but it’s a bit like tidying – there’s often something more appealing than tackling that messy garage, attic, or drawer, even though you know once it is tidy it will be easier to keep it clean and you’ll find things quicker. You know it needs sorting, but other priorities always have a bigger pull. My recommendation is to set clear accountabilities for keeping each type of asset up to date. And then, every time you stumble across inaccuracies or missing data, investigate how to make it simpler for people to keep things up to date – adopting a sort of total quality management approach to continuously improving accuracy. Leadership plays an important role here in setting the expectations and culture around fundamentals such as asset management.
Acquisitions and partnerships are often areas where exposures crop up. Again, it’s partly about the lack of visibility and unclear accountabilities. My recommendation is to always pay attention to those fringes of your business, where things are less standard or less controlled by the core IT team.
It seems more than 99 percent of all cyberattacks are not OT-specific. In your experience, is it still worth the effort and expense to invest in OT security?
Yes, definitely. We are seeing more government directives as they realize the potential vulnerabilities of critical infrastructure. It’s a really challenging space. The IT and OT spaces have traditionally been separated between engineers and IT professionals, with few people having expertise across both domains. This divide is exacerbated when the organizations are led separately up to the board level. There can be very strict tolerances around failures, lots of niche suppliers who have prioritized reliability and operational efficiency over security, and lots of legacy systems. This isn’t so different from the situation in the financial sector, but the financial sector has had to invest in cybersecurity measures for at least the last 25 years, The OT sector, in turn, has until relatively recently had the luxury of not needing to be so concerned with security and regulations about it. It’s better for companies to begin understanding the risks and investing in this area before they are forced to either by regulations or incidents.
Many CIOs and CISOs tell us they are swamped by marketing from cybersecurity providers and consultancies. What would be your advice to vendors on cutting through the noise?
First, invest the time to understand your customers’ business and their current priorities. Then explain how your product will solve the challenges: not just in terms of a the software product, but also people and processes. Software features can be amazing, but they don’t actually improve security on their own. Often if you’re a software vendor you’re just selling the software, so I recommend collaborating with others to offer complete solutions to companies. Understand how your product fits into existing ecosystem and how it will be implemented and maintained. Demonstrating that you really understand the challenge and can pull together all the parts to solve it will make you stand out. CIOs and CISOs are super-busy and need security providers who can comprehensively tackle an area rather than having to pull together and integrate all the piecemeal solutions themselves.
What is a half-truth or a wrong statement (in your opinion) which you still encounter often in IT security?
“People are the weakest link.” There’s often a perception that companies would be secure if only people had enough awareness about security and complied with the policies. The industry has a tendency to assume that incidents caused by “human error” happen because people are uniformed, daft, or disobedient. To tackle security, we need to really understand why people have behave in a way that makes us vulnerable to an incident. The “five whys” technique can be useful to unearth multiple contributing factors and the dilemmas your colleagues face. The majority of people come to work each day to do a good job, but they face competing priorities and make choices within the context of a team’s and an organization’s culture. It’s harder to solve than just rolling out another awareness campaign or issuing more policies, but I believe good security is built upon the psychological safety to discuss dilemmas and a learner mindset to challenges and incidents. This gives organizations greater adaptability, where people become a strength in improving cyber resilience.
Women in cybersecurity: Are there too many of them? :-). Any thoughts you’d like to share with the audience?
Over my career I have seen the number of women in the industry grow enormously, which is great, but it’s still a long way from 50 percent. I think the image of cybersecurity portrayed in the media and promoted by a male-dominated industry is one of nerdy technology-obsessed young males wearing hoodies. To be a good security professional, it’s important to have a good technical understanding, but successful cybersecurity is often more about negotiating, influencing, listening, collaborating, and communicating. The technical problems are often easier to solve than the organizational, team, skills-related, and financial ones!
Diverse and multidisciplinary teams are needed to cover all aspects of security. Ideally you want a mix across many dimensions, not just gender but age, background, nationality, cognitive styles, etc. There are lots of complex challenges to solve and we know more diverse teams are better and more creative at solving problems. There aren’t enough skilled people in the industry, so we need to ensure it attracts the brightest and best women and men from all groups across society.
If you could send an e-mail to all CIOs of the world, what would be the core message?
That’s a tough question as the CIO role is so broad. Organizations are more and more dependent on IT, dealing with enormous growth and greater expectations, and often have to keep all the old stuff running at the same time. To me, it’s vital to invest in your people: a great team with second-rate systems is better than a struggling team with fantastic systems. Having capable people will ensure good decision making, productive teams, and a good relationship with the non-IT parts of the business. These are all essential to having the IT the business needs and can count on.
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.