We ‘Go Phish’ with Richard Orange, Regional Director of UK&I at Forescout, who tells us that companies need to be able to know what it is they are up against in the cybersecurity world.
What would you describe as your most memorable achievement in the cybersecurity industry?
Honestly, I think it’s the network that I’ve developed over the years. I’ve been very fortunate to work with some incredibly talented people over the years on some very transformative projects. Lots of them went well, some not so well, but through those experiences I’ve developed some really great relationships that have lasted many years. More recently I’d say the first 12 months at Forescout as we were building out the UK business were very exciting. I’m not sure I’ve ever worked in such a fast-paced environment which was great to be part of.
What first made you think of a career in cybersecurity?
Funnily enough, it technically happened more by luck than judgement. Prior to working in cybersecurity, I specialised in infrastructure, specifically helping customers build virtual desktop platforms. I changed jobs to a company that happened to specialise in both infrastructure and cyber. After about three months, I figured out the cybersecurity side of the business was way more interesting and faster moving, so I immersed myself in it and never looked back.
What style of management philosophy do you employ with your current position?
When I first started out looking for a job in tech, I didn’t have any technical qualifications and was given a chance by somebody who saw my potential. Looking back, this was pivotal to being where I am now, so I truly believe that recognising and nurturing people’s talents is the best way to help them develop professionally. Showing empathy and understanding people’s point of view helps with this and allows me to communicate and manage effectively, while still providing people with room to grow.
What do you think is the current hot cybersecurity talking point?
Something that I believe is more important now than ever is for companies to be able to know what it is they are up against. Until they have visibility of their attack surface, why invest huge sums of money into cyber solutions that only partially address their needs, especially if there are areas of risk that they’re not yet aware of? The big wins in cyber are when companies do the basics really well, so I’m of the opinion that basic cyber hygiene is the most important aspect, even if it’s not the most glamorous. Do all the foundational stuff really well and then invest in the required areas to close out the remaining gaps.
How do you deal with stress and unwind outside the office?
Detaching yourself from work is the first part of the challenge! I’m a believer in needing to test yourself and diving head-first into something new either mentally or physically. A couple of years ago I decided to do a charity boxing match and found it incredibly liberating. A lot of people try to wind down to switch their minds off from work activities, but you can’t exactly be thinking about work when someone’s stood opposite you in the ring!
If you could go back and change one career decision what would it be?
There are lots of things but learning lessons is what’s important. At the start of each year, I look back and reflect on what I could have done better and if a lesson can be learnt – that’s what’s going to help. Changing future actions by learning from previous ones is more important than thinking about changing what is already done. From a professional perspective, for example, what worked in customer engagement 15 years ago might not work today, so it’s important to adapt.
What do you currently identify as the major areas of investment in the cybersecurity industry?
National infrastructure is quickly becoming the new frontline for large scale cybersecurity attacks. Action needs to be taken quickly to prevent this from being a widespread problem. The utility industry, for example, is transitioning towards using more advanced operational technology (OT) such as 5G connected turbines, drilling machinery and drones. This increased connectivity provides a much greater attack surface for the attackers with more avenues to take advantage of. As cybersecurity adoption continues to lag behind the pace of the OT adoption, the imbalance is one that needs to be addressed with a larger investment of cybersecurity technologies that are vital to maintaining the safe use of new equipment. Having said that, before anything else, organisations need to understand what they have on their networks and what they are coming up against.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
Yes, absolutely. Not just by region but by the industry too. The regulatory aspect of cybersecurity is such that differences in both regionality and industry are becoming more complex. Common standards are designed to simplify the problem, but it often actually just makes it more difficult. Each region and regulation has its own set of controls, but within that, there is another level for each industry. There are some examples that help, such as NIS and NIST, within the utility industry but one of the challenges of cybersecurity is that it can be subjective and opinion driven, making it difficult to standardise.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
The current climate has meant that being empathetic is really important. The difference between now and three months ago is night and day. I need to be adaptable in my leadership because the stresses and strains of work-life balance are difficult while everybody is working from home. Equally, it’s important to be clear in communicating what you need from people. Clarity and focus in the areas that you can action relative to the situation help to maintain a high standard of output.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
First off, I’d say ‘keep it simple’. We operate in an industry with an insane amount of jargon, yet the very best leaders are the ones that set clear strategy and connect with their audience in a simplified way. Second, and as a former leader of mine used to say, ‘run to the fire’, identify issues quickly and deal with them. Lastly, I’d say that don’t ask anyone to do something you wouldn’t do yourself, always be willing to get into the trenches and put in the hard yards.