The closing keynote discussion of the InfoSecurity Europe 2022 conference was titled ‘Next Generation, Next Challenges, New Opportunities’ and was moderated by Eleanor Dallaway, editorial director of Infosecurity Magazine. Dallaway was joined onstage by specialists Marc Avery, CISO & director, Cyber Chain Alliance, Jonathan Kidd, global CISO, Computershare and Chris Green, head of PR and communications at (ISC)². The panel explored how we can anticipate the future of cybercrime to better prepare for the challenges and opportunities.
The start of the session saw uniformity of opinion amongst the panel, believing that while the strategies and methods of cyber-attacks haven’t evolved a great deal in recent years, both scale and versatility have, with organized cross-sector campaigns now being observed.
Established techniques such as phishing remain an “effective delivery mechanism,” and the loosening of the work-leisure distinction has meant employees are increasingly suspectable of falling victim to an attack due to the growing tendency to check and respond to work emails outside of office hours, with employees failing to adopt a secure mentality outside of the workplace. This theme resonated with Dallaway, who stressed that there is an “interesting psychology of falling victim to an attack,” emphasizing that more education is needed to ensure secure behaviors are retained in both work and social domains.
The question of mental health within the cybersecurity industry was then addressed by Dallaway, especially in the wake of the pandemic, highlighting that while the “industry weathered this well,” the sector’s professionals may be increasingly suffering from issues like burnout. Recent years had been very hard on the industry’s staff, claimed Kidd, especially given the “500% increase of COVID-19-era phishing”, meaning pressures and responsibilities on cybersecurity workers were very intense, particularly with the added complications of remote work. The shift to working from home was very difficult, commented Green, and while the sector generally has “very high job satisfaction,” stress and burnout are real problems. Conversely, balance to the remote work topic was provided by Avery, who asserted that many small and medium-sized enterprises (SMEs) dealt well with the changes to working practices, with multiple businesses achieving a rapid and secure transformation overnight, although “in-team communication and documenting processes suffered.”
Getting the Basics Right
The panel then shifted focus to the topic of whether cybersecurity as an industry is “getting the basics right,” with a particular focus on smaller businesses. The panel agreed that SMEs shouldn’t assume they’re safe despite having the baseline of cyber essentials covered, with Kidd underscoring that common cyber-attacks like commodity phishing remain effective. The importance of heeding the advice and documentation on the National Cyber Security Centre’s (NCSC) website was reiterated by Avery, as “this will prevent 80% of attacks.” Speaking more positively, Green believed that basic cyber essentials amongst many SMEs are an area of the industry that we’re predominantly “getting right.”
The sector’s diversity challenges were then considered. Hiring practices within the industry are risk-averse, claimed Kidd, as there’s a tendency to recruit established personnel, and instead, the industry needs to “look in the right places” and take on risks in bringing in and developing junior people. This point resonated with Avery, who told the audience that “we need to think differently.” Dallaway considered whether placing too much emphasis on qualifications and formal training could limit recruitment.
The session finished with each panelist offering an “actionable learning point.” The need to bring young talent into the sector was highlighted by Green. This point resonated with Kidd, who added, “we need to take risks in recruitment.” The role of marketing was stressed by Avery and Dallaway, concluding that we need to change how the industry is seen externally.