We ‘Go Phishing’ with Dr Anton Grashion, Managing Director, Security Practice at Cylance, who tells us about life inside and outside the office.
What would you describe as your most memorable achievement in the cybersecurity industry?
Co-creating one of the UK’s first email security-as-a-service offerings back in 1989, when only a couple of AV vendors were able to get their heads around changing the way they charged for their software. My other co-founder, Jim Gordon, still works in cybersecurity too but I think we both look back at that and we’re pretty proud of what we were able to do on a very low budget against some of the biggest names in the industry.
What first made you think of a career in cybersecurity?
I had my own software/database design company at the time, in 1989, and setting up a refinery to deliver email as a service was the real driving force that got me into cybersecurity. Weirdly enough, many years before, my PhD was all about applying AI to oil exploration and finally at Cylance I get to use a bit of that background.
What style of management philosophy do you employ with your current position?
Get out of the way of your staff – give them as much support as they need to go as fast as they can without crushing micromanagement. It’s important to have structure in your team but you also have to understand that some people like a strong steer while others are much happier being set goals and getting on with it. We have a very strong team ethic and identity at Cylance and we take great care to maintain that.
What do you think is the current hot cybersecurity talking point?
Not all AI is created equal and where on earth are we going to get all the skilled cybersecurity professionals we need? It’s becoming increasingly clear that in order to keep up with, or ahead of, the developing threat landscape we have to utilise AI and Machine Learning. The problem many vendors have is wrenching themselves away from their legacy – after all that’s what has got them this far. Moving from a reactive to a proactive stance is vitally important.
How do you deal with stress and unwind outside the office?
I’m a beekeeper so that’s both grounding and rewarding in so many ways. Much of my working life has been concerned with abstract concepts and invisible threats. Dealing with bees is very ‘real’. I’m also an avid – some would say rabid – rugby league fan. My undergraduate years were spent at Leeds University where I was, to my shame, a rugby union snob. I have since embraced the 13 player code and am evangelical in my support for the format.
If you could go back and change one career decision what would it be?
Choosing to be a lecturer in computing science would be the closest but to be honest I’m happy with all my career decisions. My career has been a series of opportunities that I have been lucky enough to take advantage of. Changing track from offshore oil-exploration via a master’s degree in computer science is probably the best and earliest example.
What do you currently identify as the major areas of investment in the cybersecurity industry?
AI and Machine Learning are seeing a big investment drive and will lead to competition for skills in the data sciences. Unfortunately, many people are seeing AI/ML as a must-have badge, and just bolting a bit of intelligence to an otherwise totally legacy solution is missing the point somewhat.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions? (Middle East, Africa, Europe, Americas.)
There are cultural differences and sensitivities across all the regions. Much of the threat landscape may be the same but regulatory and cultural environments mean responses may have to be different. Privacy means different things in different regions – although GDPR is spreading its reach across the globe. Of course with differences in culture come differences that a malicious actor can utilise in order to gain access to your assets, which means a one-size-fits-all approach really doesn’t work.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
A bigger emphasis on prevention, which pays dividends downstream, is something the business is looking for. Being able to express benefits of cybersecurity in risk terms that allow comparison of priorities across the business is becoming absolutely essential and not just using a simple ROI calculator.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Be open to new and different ways of doing things while maintaining a scientifically critical eye. Make sure you can demonstrate how your security priorities translate into risk reduction for the business as a whole. I know this is a hackneyed mantra – CISOs have to have a better business head – but it has never been truer. Also, the scarcity of cybersecurity-savvy members at board level is a great opportunity to continue your career path beyond the operational.