We ‘Go Phishing’ with Nick Hayes, Director of Cyber Solutions, SureCloud, who tells us about life both in and outside the office.
What would you describe as your most memorable achievement in the cybersecurity industry?
Getting into the industry in the first place was a great achievement for me and something I was really proud of at the time. I didn’t have a background in cybersecurity when I first started looking into it nine years ago and I was totally self-taught for the first couple of months until I landed my first position as a junior at a security consultancy company.
After that, finding my first critical vulnerability on a client test was one of the most memorable and exciting moments. Nowadays, as I’m in a leadership position, I get the most enjoyment from the development of others coming in on a similar journey and seeing them get the rewards from their hard work. It’s a really exciting sector to be a part of and it’s great to see the next generation progress in their roles!
What first made you think of a career in cybersecurity?
After I’d finished my degree in electronic engineering, I realised that wasn’t an area I wanted to pursue a career in. I then started a graduate scheme at an industrial control company and one of the areas they’d asked me to specifically look into was cybersecurity. I absorbed everything I could and found it so interesting and totally threw myself into it before feeling I had picked up enough knowledge to try for a role as a full-time penetration tester, which I was successful with. I feel like I was lucky in terms of being in the right place and the right time and I owe a lot to my first manager in this industry for taking a chance on me.
What style of management philosophy do you employ with your current position?
I very much err on the side of trusting and empowering my team. I don’t agree with micromanagement generally. Obviously, you have to make sure you’re aligned on things and work together on decisions but I’m very much a person that will let people learn and find their own ways of getting the job done and provide coaching afterwards. The way I manage people has been shaped by the way I’ve enjoyed working with people myself. The person who gave me my first job in the industry had the same style and I enjoyed and respected him for it – he definitely got the most out of me that way. We’re still good friends to this day, I learnt a lot from him and still do.
What do you think is the current hot cybersecurity talking point?
In recent months, there have been a lot of discussions and commentary around critical vulnerability management, especially around the current state of play around third-party supply risk. Notably, there have been a number of recent instances which have made mainstream news too, such as the SolarWinds compromise and PHP vulnerabilities, to name but two. A business is only ever as secure as its third-party suppliers, and if those suppliers are careless with the data, or targeted by bad actors, the knock-on effects for security, compliance and ultimately revenue and reputation can be severe.
Additionally, right now, the ‘hybrid office’ is also a hot topic – how can organisations continue to secure their infrastructures and assets while maintaining flexible working patterns and conditions? It’s unlikely that a lot of employees will return to work in a central office location as before the pandemic, so ensuring that the “new normal” is secure is of paramount importance.
How do you deal with stress and unwind outside the office?
We’ve all been a bit restricted with lockdown, but the gyms are finally back open, so I’ve been able to enjoy outdoor classes a couple of times a week, as well as a few rounds of golf. I’ve also been able to get some home improvements done over the past year, which is great, especially as we’re expecting our first baby soon so we’ve been able to get everything ready. That’s taking up a lot of time and planning – very exciting!
If you could go back and change one career decision, what would it be?
I realise I’m in a fortunate position where I can look back and honestly say I wouldn’t change anything. I feel like everything has happened for a reason and I was in the right place at the right time with everything, so it’s all worked out for the best. I’m enjoying my new role at SureCloud and the future looks bright! You can’t ask for more than that.
What do you currently identify as the major areas of investment in the cybersecurity industry?
In terms of where the investment ‘should’ go, businesses need to make sure they have the basic levels of cybersecurity covered, understand what their current tooling capabilities are and ensure they are getting the most out of existing investment. As we have seen through various well-publicised attacks, some companies are failing with basic security measures while investing in expensive solutions they might not even need or use. Businesses need to make sure their assets are secured at the network layer and that they’ve employed good coding practices within an application or API; I personally really like the OWASP ASVS for this. These are the baseline-level controls that everyone should be doing but are often missed. Invest in and understand how to get the most from basic cyber hygiene and build on that. There is a lot of money spent on big-ticket security solutions which invariably are not tuned to the environment they are protecting.
In terms of where we are seeing investment, as I have alluded to in the point above, there are a whole host of tools and solutions out there for protecting an organisation or environment from attack. There are definitely some exciting products on the market right now which are worth evaluating (once the basics have been done well).
Here at SureCloud at the moment we are starting to invest in how we change our services and products to drive more value for our clients and really help them improve from where they currently are. We are very big on longer term strategic relationships where we can help drive that improvement over time with our clients.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
A vulnerability is a vulnerability, whether that exists in Europe or the Middle East. That said, there are different challenges in the way that people operate across the regions. For example, the US has different privacy laws in different states and in the UK and Europe we have GDPR regulations. The challenges do differ in this respect, but fundamentally they are the same at a technical level.
Social engineering attacks also differ region to region with some attacks having a much higher rate of efficacy in some regions versus others.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
I joined the SureCloud team earlier this year, so that’s been an exciting change for me, and my role within the business has also changed in the last few weeks. I now lead and have full responsibility for the security testing team. In the future, I think the market will continue to shift generally towards longer-term engagements and relationships rather than single penetration tests. Operating this way provides better results and an increased understanding of our clients’ challenges and of how penetration testing rolls into a vulnerability management programme and a larger cybersecurity programme in a more general sense. Clients’ needs and requirements are always changing, and as a consultancy business we adapt and tailor our solutions to meet their evolving needs.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
You need good knowledge and a broad understanding of security concepts. If you’re technical in a certain discipline, that’s normally beneficial too, but what will ultimately set people apart is being able to explain technical concepts to a non-technical audience. For example, if you can convert an IT security risk into a business risk, you’ll be able to engage with a C-level audience, and that’s crucial.
From a purely consulting point of view, don’t be afraid to dip your toe in and try new things – a mentor once told me that you only need to know 10% more than the person you are talking to. I don’t know if I completely subscribe to the 10% view but there is possibly something in that saying.