Go Phish: David Higgins, EMEA Technical Director at  CyberArk

We ‘go phishing’ with David Higgins, EMEA Technical Director at CyberArk, who tells us about life inside and outside the office. 

What would you describe as your most memorable achievement in the cybersecurity industry?   

The best moments in my career have come when my teams and I have seen the fruits of our labour come to fruition. They are what I remember the most fondly and a big motivating factor for any project I work on. Whether it’s helping with a new product, fixing a vulnerability or supporting a customer, completing one you’ve worked on from the very start never gets old. 

What first made you think of a career in cybersecurity? 

I’ve always been a defensively-minded person. I was goalkeeper in football matches growing up and a wicketkeeper in cricket. Defence is a role I’ve always taken to and enjoyed. Coupling that with my interest in IT meant cybersecurity was just a natural fit. The structure of my degree, which was 50% IT, 50% business, was also a big factor in setting me up for a career in the industry.  

What style of management philosophy do you employ with your current position? 

The management style that works best for me is definitely that of a ‘coach’. It’s an approach I formed through both experience and trial and error. I’ve previously seen managers holding on to power and never delegating work, and it’s a mindset I’ve never bought into. In my mind, it’s vital to impart as much experience and advice to team members as possible to assist their growth. 

What do you think is the current hot cybersecurity talking point? 

The implications of the pandemic, including the surge of Digital Transformation, the rise of Zero Trust architecture and the emergence of frictionless security have changed the security landscape. That said, identity is the hottest talking point in my eyes. 

Identity was previously about enablement in a security context, but recently it’s become more of a risk conversation. Workers are pretty much instantly digitised once they’re set up on an organisation’s system. They’re no longer a physical person on the machine but, instead, they’re on the wire. What I mean is, when they’re logging into something with an ID, to the system they’re no longer a person, but a digital identity.  

How do you deal with stress and unwind outside the office? 

To alleviate stress, I try not to immediately react to things. Taking a break, getting a cup of tea and coming back to the issue at hand is how I approach it.  

Unwinding I’m not so strong at. We’re always consuming content outside of work, whether it’s books, podcasts and so on, so I try to disconnect from the genre regularly. Normally I do that by exercising and spending time with the family, but recently I’ve discovered a newfound love of outdoor cooking. I’ve set myself the challenge of trying to cook Christmas dinner outside too, including the turkey and all the trimmings.  

If you could go back and change one career decision what would it be? 

I would have embraced Linux earlier on in my career if I could go back. I came out of university, which was predominantly a Windows-focused experience, and got a job mainly working with a Windows platform. I just became a Windows guy. The world is now moving away from graphical interfaces and toward Linux.  

I’d also take the opportunity to do more research, as it’s important to understand the bigger picture. Experience has taught me that having only a little bit of knowledge can be dangerous and potentially even have a negative impact on programmes and products, causing delays or being a blocker. 

What do you currently identify as the major areas of investment in the cybersecurity industry? 

Motives and methods of execution change regularly, but identity is still what’s being compromised in most attacks. Threat actors continue to use access and entitlements to extort their victims, whether it’s by stealing data or money, shutting down services, conducting hacktivism or targeting nation-states. 

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions? 

At a high level, some would say a risk is a risk. Tactics, techniques and procedures often don’t vary hugely across regions for that reason. But cybersecurity isn’t just about technology, it’s about enabling the business. Culture also plays a huge role and CISOs need to change their approaches accordingly. A coaching-based method of management, where you give your team autonomy to learn new skills while advising them on how to navigate certain situations, is crucial. 

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months? 

It might seem cliché, but we have to address the elephant in the room: the pandemic. Teams could no longer just knock on the door to solve an issue and user demands have changed as a result. 

IT and security used to be central, monolithic beasts. Pretty much everything went through them. Now workers can take a work credit card to sign up to a new online platform or service, for example, which stores cyber-related data that immediately becomes vulnerable. 

What advice would you offer somebody aspiring to obtain a C-level position in the security industry? 

Boards need to think of the bigger picture above and beyond cyber-risk, including unexpected natural phenomena like COVID-19. Security may be vital, but it’s just one risk factor a board has to monitor. 

You also need to know how best to approach the business to succeed. Move away from the doomsayer mindset of ‘if we don’t do this, a breach could happen’ and talk in relatable terms for the business. Communication is hugely important and to move up the chain, you need to talk like a business person.