We ‘Go Phish’ with Richard Cassidy, Senior Director of Security Strategy, Exabeam, who tells us about his career in cybersecurity and his most memorable achievement in the industry.
What would you describe as your most memorable achievement in the cybersecurity industry?
I made a decision a very long time ago to maintain a position as a deep technologist and strategist, with a desire to ride the waves of new technologies at the bleeding edge of cybersecurity. I’ve had many opportunities to sit in C-level positions exclusively. I took a decision, however, to remain a trusted advisor to C-level, bringing a hands-on, experienced view of this vast technology landscape, so I could support the best possible decisions (and thus business outcomes) across as many organisations as I could interact with in my career.
Today, C-level teams have far too much to juggle with the hyper proliferation of tools, creating an industry-wide effectiveness challenge. We’ve lost sight (for the most part) of what we’ve employed the ‘tools’ to do for us in the first place. I take pride in working with CTOs, CISOs and CIOs, in articulating this across the business to enable true security, compliance and risk management outcomes. For me, there are far too many memorable achievements to mention, spanning military, finance, manufacturing, healthcare, pharmaceutical and education. But, being a thought leader in the space of cybersecurity and demystifying the haze of unnecessarily complex functions and demonstrating how to apply technology in a true business outcomes sense has been where I’ve taken great pride.
What first made you think of a career in cybersecurity?
I’d always shown a keen interest in computing and technology from a very early age. I can remember getting my first Atari 2600 at the ripe young age of six years old (back in the 80s) and my goodness, it blew my mind. I remember thinking how on earth can electricity be turned into something so amazing. From there I was hooked on how things worked and what made it all glue together.
As a teenager, I acquired a super charged US Robotics V.32 high speed 9600 bps modem, then eventually saved a lot of pocket money for the even slicker ‘Sportster 14,400’ bpm modem upgrade. I assembled my own PC via component acquisition and brought them all together in an old DAN Computing case to get me Internet bound (via the good-ole CompuServe landing portal).
After landing on the various chat (ICQ) forums of old, I managed to join a group of like-minded inquisitive cyber teens in the early 90s.
It was a natural progression into a career that was tech bound. I’ve always had an interest in why things work the way they do, what makes, breaks and improves them and what we can learn from past evolutions of hardware/software iterations.
What style of management philosophy do you employ with your current position?
‘Wisdom is knowledge without pain.’ We really don’t have to make our lives any more difficult than it already is in cybersecurity. We have a wealth of historical information to learn from, enabling us to develop a validated ‘best practices’ approach to all that we do. It’s a case of intrinsically understanding the failures and successes of others, then forging a path in how you manage yourself, your teams and the expectations of those around you in all that you do.
We often neglect the intrinsic part that ‘human factor’ has to play in everything we do and for every individual we are responsible for in management. I’ve always applied the ‘SHELL model of human factors’ in developing a continuous improvement framework in all management endeavours.
The key factor in any management philosophy is one of ‘empathy’ – empathy for yourself, your colleagues and your customers.
What do you think is the current hot cybersecurity talking point?
Without a doubt, IoT/OT Security (especially in the area of Telemedicine) and DevSecOps, as it pertains to ‘secure coding’ practices.
We’re at a point in history where electronic devices outnumber humans (and have done for some time), with new devices being manufactured in their millions every day. Add to that the proliferation of 5G (and soon Starlink!) providing the ability to connect smart devices no larger than a contact lens to technology hubs in the cloud, anywhere, anytime.
We’ve arrived at a juncture in cybersecurity, where the risks of compromise are at their highest ever. The element of secure coding goes hand-in-hand with the proliferation of IoT and the industry has a core responsibility to adopt frameworks and practices that focus on ‘security first’, as opposed to the ‘consumption economics’ commerce-focused world we’re largely operating in.
Breaches have largely been enabled at a technical level by poor coding practices and therefore, the industry focus on continuous testing needs to maintain its momentum. Vendors in this space need to accelerate their rate of innovation to help businesses better navigate the great cybersecurity minefield faced on a daily basis.
How do you deal with stress and unwind outside the office?
I have far too restless a mind to unwind in the traditional sense of the word. When I do get some spare time, I moonlight on the NHS frontlines as part of South East Coast Ambulance NHS Trust, providing emergency care to those in their hour of need. Beyond that, I also coach martial arts, which has been a passion of mine for 25 years now. I have also recently taken up rugby coaching in the community to ensure I’m giving back. All that said, however, if I could only do one thing as a de-stress/unwind mechanism at all, it would be playing my trusty baby grand piano.
If you could go back and change one career decision what would it be?
Interestingly, I’ve always thought very long and hard about any career decision I’ve ever made. For the most part I’ve always been at peace with what I’ve chosen, regardless of the outcomes.
We’re here to learn, grow and enjoy (as much as we can or allow ourselves to), therefore there’s not a great deal I would change at all. That said, however, if I were to choose I think it would have been to learn more programming languages (BASIC, PASCAL, ROSCOE and PYTHON is simply not cutting it in the modern industry!) and become a dab hand at things such as C, C+, HTML, JAVA and more recently ML programming.
What do you currently identify as the major areas of investment in the cybersecurity industry?
A greener, more sustainable world and the era of the ‘circular economy’ is one that all manufacturers must look to invest in much more diligently in the race to maintain our planet and way of life for generations to come. That said, and taking a more ‘current’ topical optic, is cytotechnology in the area of data security.
The investment in automation technologies and platforms is now a huge focus. If the ‘machine’ can perform the task quicker and more efficiently than the ‘human’ – allowing us to focus on more complex, less cumbersome tasks in the cybersecurity battlefield – then it’s a win for corporations in all respects. Naturally, Machine Learning (ML) is very exciting and we’re seeing some very promising investments in new algorithms that will help re-shape our world of cybersecurity operations for the better, with far wider reaching benefits across all industries. Where this is going is hard to fathom, especially given the recent breakthroughs in quantum computing. But it’s exciting, nonetheless.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
As a global economy, we have become hyper converged in technology availability and national infrastructure capabilities, therefore, we all face very similar challenges in operational needs and thus our cybersecurity challenges.
Nation State activity is at an all-time high, with APT groups becoming less advanced and more persistent through automation, as a result of ‘as-a-Service’ offerings in malware and attack campaign capabilities. The biggest challenge we face as an industry across all regions is lack of collaboration in tackling the adversary and innovating for the benefit of all corporate security endeavours.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
The CISO role has now become an almost ‘poisoned chalice’ in that many are seen as only a single breach away from a career change. The cybersecurity industry hasn’t helped this notion at all, with many vendors coining the phrase ‘it’s not a case of if but when’ in terms of a breach scenario.
Undoubtedly CISOs cannot (hand on heart) reputably state that their respective policies and initiatives will see their business avoid a breach, nor have they ever been able to. CISOs are having to deal with a rate of data acquisition never before seen in technology history.
That said, however, with such a rate of change C-level teams are learning to adapt and automate in an impressive manner. C-level teams are innovating in cybersecurity practice, providing their respective industries with the accountability and capability driving the best possible protection outcomes to severely limit the damage that a breach may cause.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Never fail alone, learn to delegate early on. Apply a critical thinking mindset to every area of your business operations and take the time to learn your organisation’s (people, process and technological) strengths and weaknesses.