“If we want to seriously, positively change the security culture of organizations, then we will need to see more CISOs in place, and more CISOs who really understand the human and physical elements of security, not just the technical.” ~ Dr. Jessica Barker
Dr. Jessica Barker is a very busy woman. She’s the co-founder of cybersecurity firm Cygenta, and the Chair of ClubCISO, a forum for Chief Information Security Officers (CISOs). And if that wasn’t enough, she also has a new book coming out soon, titled Confident Cyber Security.
With all of those responsibilities in her life, I was lucky to get an hour to have a chat with her. We talked about the trials and tribulations that CISOs currently face, and I asked her what she’d like the public to know about this very crucial role.
KIM CRAWLEY: What have you been working on lately, Jess?
DR. JESSICA BARKER: I’ve been working on lots of things. I’m just putting the final touches on my new book, Confident Cyber Security, which is an overview of the cybersecurity field from the human, technical and physical aspects for those new to the industry or interested in it. At the same time, I've been doing lots at Cygenta, working on our culture and awareness platform C-Gap, doing cultural assessments of clients, helping clients with their awareness-raising and working on OSINT projects, to name a few things.
As the Chair of ClubCISO, I've also been working with the rest of the Advisory Board to plan our next live vote and plan other things for our membership, which has now reached over three hundred CISOs in the UK, Europe and beyond.
KIM: Could you tell me more about Confident Cyber Security?
DR. BARKER: Sure. Confident Cyber Security will be published by Kogan Page this summer as part of their Confident series. It's aimed at giving people an overview of cybersecurity and all of its different aspects. So I look at everything from CVEs to social engineering, from physical security issues to geopolitics. The book covers the diversity of jobs in this field and features lots of case studies of incidents, vulnerabilities and common attacks. It will be published in June 2020.
KIM: Tell me more about ClubCISO and how it supports CISOs.
DR. BARKER: ClubCISO is a peer-based group which aims to give a voice to CISOs, enabling them to network and share their experiences and insights. We've seen amazing growth in the last year, partly through word of mouth and partly through an extremely successful experiment to start a WhatsApp group with our members. They are an incredible network of CISOs, with a membership of over three hundred, who share their questions, experiences, challenges and successes with one another.
It's an extremely supportive group, which I think is so important for people doing a job that can be very stressful and sometimes quite lonely. CISOs are typically under a lot of pressure and in a fairly unique position in an organisation. Every year we run a Live Vote event in which we question our membership on the role of the CISO, the current state of security and hot topics in the industry. Through this the CISOs help to understand where they have common challenges and to exchange experiences on what has worked (and what hasn't) in meeting some of those challenges.
KIM: Does running ClubCISO and writing take up a lot of your daily bandwidth?
DR. BARKER: These two endeavors are both in addition to my day job. Most of my work is as Co-CEO of Cygenta, which I run with my husband. We're a team of six and we work with our clients on all elements of cybersecurity, from technical to physical to human-based issues.
I lead on the human-based work, which includes awareness-raising and behavioural change programs, and sessions with clients, cultural assessments of organisations, OSINT and digital footprint assessments, and our platform C-Gap. C-Gap helps organizations measure their cybersecurity culture, deliver targeted training throughout their organisation, run phishing campaigns and deliver meaningful metrics on culture and awareness in security.
KIM: What’s it like running a company as a husband and wife team?
DR. BARKER: It's fantastic. We love it and wouldn't do anything else. It's also extremely hard work, but we knew it would be. We're very lucky in that we work very well together and we're going in the same direction, a hundred percent. We work long hours and generally seven days a week, but we're doing it together and I think that makes all the difference.
We both travel a lot for work, but we can do that together fairly often, which is an amazing privilege. We love that we have control of the company together and can set the direction completely ourselves, which is one of the reasons we decided to 'bootstrap' it rather than seek venture capital funding. For example, we do lots of outreach work with schools on cybersecurity careers, and we really appreciate the fact that we can just decide to do that. And decide to enable everyone else in the company to do it as well when they want to, without having to justify that time to anyone or seek permission.
KIM: What misconceptions do people have about the role of a CISO?
DR. BARKER: Sometimes, people expect CISOs to know everything, which of course is impossible. Some CISOs might be more technically-focused, whereas some might be more business- or people-focused, but the breadth of this industry means there's no way that one person can know everything in detail. CISOs need to be able to rely on their teams.
Another common misconception is that CISOs should be able to fix everything. People can mistakenly believe that if there is a security failure in a company the CISO must have been neglectful. The politics of an organization can be extremely influential in whether a CISO is empowered to do their job or not.
Finally, people can expect that all CISO roles are the same, which is not the case at all. A CISO in one company might be quite different to the CISO in another. This industry is still fairly new, and so the CISO role is even more so. It's still being defined.
KIM: Do you have any advice for someone who aspires to be a CISO one day?
DR. BARKER: I would advise someone who aspires to be a CISO to work to really understand the relationship between security and the strategic objectives of organizations. In other words, how you can align security with the wider business and show that it is an enabler. Show the return on investment. Listen to how the board speaks, what their concerns are and what their priorities are.
Also, take the time to get to know other departments in organizations - HR, Legal, Finance - because part of being a CISO is listening to the wider business and influencing it. Building up a great network is really good for anyone who aspires to be a CISO.
KIM: Do you think we are going to need a lot more CISOs in the next ten years? Are there a lot of companies that should have a CISO but don't?
DR. BARKER: Yes, I think we will. If we want to seriously, positively change the security culture of organizations, then we will need to see more CISOs in place, and more CISOs who really understand the human and physical elements of security, not just the technical.
KIM: Do Chief Information Officers or Chief Technology Officers do too much work that should be delegated to a CISO?
DR. BARKER: That's really dependent on the organization; how the responsibilities are split and structured varies so much. Some organizations will have the CISO reporting to the CIO or CTO, some will have the CISO reporting directly to the board. There's no ‘one size fits all.’ What's interesting, speaking to the CIO community, is the sense from them that the CISO journey is about five to eight years behind the CIO journey. So, some of the issues that CISOs have been struggling with the last couple of years (where they sit in the organization, for example, or getting board buy-in) were issues that CIOs were overcoming five years ago.
KIM: Do you think the CISO role will be more difficult ten years from now?
DR. BARKER: I think it will become more defined, which will help, as it will be more understood by the public. There are of course always new challenges, new vulnerabilities, new technologies, which add complexity. More and more organizations are undergoing digital transformation which is often very challenging for CISOs. As we embrace the Internet of Things (IoT) at the corporate level, that adds more complexity again, and we will start to see that play out more in the next ten years.
I’ve never been in the CISO role, but Barker’s insight makes me appreciate how important the position can be in a company, and how complex their jobs are. I really enjoyed speaking with Dr. Jessica Barker, and would like to thank her for her time.
About Dr. Jessica Barker
Dr Jessica Barker (@drjessicabarker) has been named one of the top 20 most influential women in cybersecurity in the UK and was recently awarded one of the UK's Tech Women 50. Co-Founder and Co-CEO of Cygenta, she is a popular keynote speaker internationally, as well as a frequent contributor to print and broadcast media.
She appears on the BBC, Sky News, Channel 4 News, Channel 5 News, Radio 4's Today programme, Radio 2's Jeremy Vine show and more, and has been published in the Sunday Times, Grazia and The Guardian, as well as industry press.
Cybersecurity skills are in huge demand - recent estimates suggest there will be as many as 3.5 million unfilled industry roles by 2021, meaning there are vast career opportunities to be taken.
Confident Cyber Security is here to help. Written by expert author and speaker, Dr Jessica Barker, this guide will give you a clear overview of the world of cybersecurity. Exploring everything from the human side to the technical and physical implications, this book takes you through the basics:
- How to keep secrets safe
- How to stop people being manipulated
- How to protect people, businesses and countries from those who wish to do harm.
Featuring real-world case studies from organizations and people such as Disney, the NHS, Taylor Swift and Frank Abagnale as well as entertainment, property, social media influencers and other industries, this book is packed with clear explanations, sound advice and practical exercises to help you understand and apply the principles of cybersecurity.
Confident Cyber Security will be released on June 3rd, 2020, published by Kogan Page.