We Go Phishing with Alan Calder, CEO of Vigilant Software, who tells us about life inside and outside the office.
What would you describe as your most memorable achievement in the cybersecurity industry?
I tend not to dwell on the past, other than to try and work out what I could have done better. Despite all the work we have done so far, we have many years of growth and development ahead of us. I think my biggest achievements are still to come.
What first made you think of a career in cybersecurity?
I suspect I am one of a small number of business professionals who happened upon a career in cybersecurity; I certainly didn’t set out on life with the intent of specialising in information security.
I was running a consultancy firm in London and we saw security certification as a way to differentiate ourselves. We came across what was then BS 7799, which was the British information security standard, and I educated myself to the point where we were able to successfully implement the standard.
After that, I felt proficient enough to write a book to help management teams implement it – entitled IT Governance: A Manager’s Guide to Information Security. This went on to become part of the core curriculum in the Open University’s information security module.
By then, I was genuinely interested in the governance of IT, which focuses more on how boards can ensure that the technology infrastructure enables the business to compete and perform. I went on to write another book and set up an independent publisher as well as building a site and adding more products and services. The group has since grown from a single employee to more than 200 people.
What style of management philosophy do you employ with your current position?
When I was young, I had this very simplistic view that McGregor’s Theory X and Theory Y of management was really all it was about.
My approach to management has evolved and is driven by the current needs of the business in the marketplace. I think there are times when you need to be very disciplined in terms of how the business performs; you have to be clear about what the rules are, what the structure is, how processes will work.
However, there are other times when you can afford a degree of flexibility and freedom. In this industry, most management is about managing change – which can be very unsettling for people at all levels; organisations that become resilient and can cope with a high degree of change end up as dominant forces in their industry.
What do you think is the current hot cybersecurity talking point?
The talking points should be how, as a business and as an economy, we deal intelligently with a situation where the mal-actors are several steps ahead of us in terms of deploying malware and attack software.
They are much better at scaling their attacks, recruiting teams and deploying software; they are much better than most businesses. And I think that’s really where businesses should be worrying: how on earth do we catch up?
The fact we’re still having conversations about complex passwords and how malware is affecting networks is quite maddening because most businesses are sitting ducks for cybercriminals. That is what I think the hot topic of conversation should be.
What do you currently identify as the major areas of investment in the cybersecurity industry?
The major areas of investment differ depending on priorities and perspective. For venture capitalists, for example, it is all about Artificial Intelligence (AI) because it is exciting and will solve all problems (says the optimist).
While technology is a major factor in cybersecurity, the fastest route for an attacker is to take advantage of weaknesses in other human beings.
Around 80% of successful attacks are driven by phishing emails and, frankly, unless you stop people receiving emails and texts, or eradicate technology altogether, we will never stop the attacks.
The best investment therefore is teaching people about warning signs alongside multi-layered defences. You must allow for the fact that however well you’ve educated people, someone will click on things they shouldn’t because it’s so well disguised. That is why you have to have networks that are designed with resilience in mind.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions? (Middle East, Africa, Europe, Americas.)
In our experience, not really. The differences are more about proliferation and type of devices.
Africa, for instance, doesn’t have, broadly speaking, quite the same proportion of desktop and laptop endpoints as we do in Western Europe, but a far higher per-head incidence of mobile devices. That means that you don’t have the same exposure to crime targeting, for instance, Microsoft desktop environments.
You have bigger issues around social engineering, hijacking of instant messaging channels and those kinds of things. Other than that, you’re dealing much more with languages and with how to match the social styles in a way that enables you to penetrate networks.
Broadly speaking, the technologies that are deployed around the industrialised world are pretty much the same, which means that attackers can be anywhere in the world attacking you wherever you are in the world.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
I was the major shareholder of a privately-owned company that listed on AIM in March last year.
We created a group of companies with an acquisition-driven growth plan, which means my job role changed to be the chief executive of a listed company with ambitious organic and acquisitive growth objectives. That means that the level of governance and collaboration and transparency that we need to have in the business is significantly different today than it was 12 or 18 months ago.
In 12 months’ time, when the business is bigger than it is now, the extent to which I delegate to others and the framework within which the business operates will have changed again because we will have doubled in size again, so my job role is going through huge evolutionary change, year-on-year.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
It depends on which side of the fence you want to be on. If you want to be in operations, it’s going to be different than if you want to be on the cybersecurity side. So, if the question is more about being a CISO or somebody with that kind of role, you need to combine both technical experience and business knowledge.
I’ve thought for some years that if you’re going to be a really good CISO, you should combine computer engineering or some form of ethical hacking type of qualification at university with an MBA, because you need to understand how a business works and how security fits into that.
Most of the people you’re talking to are people who run a business and frankly they are concerned with marketing campaigns, top line revenue and growth expansion.
You need to be able to take all that critical stuff and present it in a way that enables businesses to understand why they need to do something about cybersecurity and understand how to help them evaluate what they have to do.
How do you deal with stress and unwind outside the office?
Frankly, I can’t remember. I have to go on holiday somewhere that doesn’t have mobile phone coverage to force me to disconnect. After a week or two, you sleep for longer, your head clears and you’re able to jump back into work again. Unfortunately, weekends are only stopgaps; a time to catch up on sleep and prepare for the next week’s work of grappling with building a business.
I’m not sure that my staff like me switching off for a long period of time because it gives me an opportunity to think about lots of new ideas and they receive a barrage of emails on my return.