This transcript was generated automatically by AI. If you find any mistakes, please email us.
Rory
0:00:00
It's pointless having a metric that doesn't let you do something about it, or that if you do improve it, it gives no value to the business. So you're looking at things like vulnerabilities. Am I handling those vulnerabilities in a timely basis and prioritising the critical ones that are critical to my business applications? That's important. So moving people off a, can you show us that you're handling all of your critical vulnerabilities on platforms that host a critical service within a two-week time frame, that's much better.
Ganesh
0:00:34
Quite interesting the idea of business criticality versus what data is going through there. I never had that conversation before, but it makes perfect sense.
Announcer
0:00:42
Hello everyone, you're listening to Cloud Next, your go-to source for cloud innovation and leaders insight, brought to you by GlobalDots.
Ganesh
0:00:55
Security in the banking sector is a delicate balancing act.
Ganesh
0:00:58
On the one hand, you have strict regulations and a low tolerance for risk, and on the other, the constant demand for innovation and the move to the cloud, which push these boundaries every day. How do you foster a culture
Ganesh
0:01:10
where security becomes a business enabler rather than a blocker? I'm Ganesh The Awesome, Solutions Architect at GlobalDots, and today we're joined by Rory Alsop, Head of Information Security and Cyber Risk at Tesco Bank. Rory brings a wealth of experience in navigating these challenges, fostering culture change and aligning risk with innovation. He is also the Deputy Chair of the Information Security Forum, a global thought leadership
Ganesh
0:01:36
community advancing best practices in security. Rory, before we start, what should people know about you?
Rory
0:01:41
Tell the listener a little bit about yourself. Okay, thanks for inviting me on to talk. My background is really, I came from a long tech network admin, systems admin background. So came up through the ranks in technology, but at the turn of the century,
Rory
0:01:59
started leading teams in security and cyber risk. So 12 or 14 years worth in consultancy roles, working mostly with financial services, possibly a number of industries. And then more recently in key senior roles in global and national banks.
Rory
0:02:19
So focusing very heavily on what can we do? As you highlighted in your introduction, how can we position security in a place that works with the business? So my focus has been very much around getting that favor where we're not stifling the business,
Rory
0:02:35
but we are enabling the business to progress safely. So for the past nine years now, very much banking, very much leading the way and giving a direction based on industry good practice, which is where the ISF comes in, based on expectations of year, two years, three years ahead, looking at that threat horizon. And
Rory
0:03:00
a lot of it down to just personal experience. What we've been through, everyone's seen the pain points, there's various different routes to fixing those. I'm sure we'll get a chance to chat about some solutions to make security a little bit more of an enabler rather than that traditional blocker.
Ganesh
0:03:14
Thanks for that intro, and it's close to my heart. I also have a similar kind of background, because I was a service desk type person and worked my way up through the ranks, and then eventually ended up working in the banking sector myself. So I know a lot about the pains of security in that environment, and they're definitely the most stringent, and most of the time the pushback from developers, you know, that is the hatred, I would say, of the security people inside an IT department
Ganesh
0:03:55
is well known. You've worked in this culture change business quite extensively. What are some of the key lessons that you could teach us about cultural change, to stop us being seen as blockers and actually have us seen as enablers?
Rory
0:04:07
Well, I think initially it was a well-earned reputation because security back in the day was very much a no. It was a stop, you can't do this, it's not safe. Yes, you've built something but no. And that was for very good reason way back when, where you had a perimeter, it was your security, everything outside was bad, everything inside was safe. So it was very black and white. The challenge with that is you don't innovate.
Rory
0:04:34
What can you do? Because any business decision takes risks. Now, the mature position for a business is it takes risks. It takes credit risks, it takes market risks.
4
0:04:44
Cyber is just another one of those.
Rory
0:04:45
How much risk do you want to take? So getting into that position really requires a fundamental change around what security does, as well as how it looks at it. So if I give a simple example, traditional development of a new software application, security would come along at the end and check it, go, oh no, here's some unsafe things, go and fix them. And that's not timely, it's after typically the due date. It breeds resentment because you're stopping all this good work.
Rory
0:05:14
Whereas moving to a functionality where security or cyber risk is up front with the developers at that initial architecture stage, here are things you can do that are safe by their very structure. Why not use them as your building blocks? So by the time you've gone through it, being part of that process along the way,
Rory
0:05:32
there'll still be some end checks, but it's not that gatekeeping role. It's more of a, we helped you do these things safer. You could do other things if you want, but you're taking more risks. So you start putting a good chunk of that decision-making on risk to the business owner.
Rory
0:05:47
Do you want to take a bit more risk? You can. You might be able to accelerate this process, but it's a little bit more dangerous for you. And the role of a cyber risk team is to help them effectively understand how much that extra risk is worth.
Rory
0:06:00
If I look at a startup, startups are all about taking a lot of risk because you can't afford to put all the controls in place. You're typically trying to get your product out, bang, bang, bang. Your turnover rate is really high. You know there's a bunch of controls you want to put in there, but if you try and hammer them in too early, you just stifle everything. So, whereas at the other end of the field, you've got bricks
Rory
0:06:23
and mortar banks that have been around for a hundred years, very heavily regulated. You don't want to go above your risk position, because if you do, you're going to have to talk about that to shareholders, to the regulator, to audits. You can take higher risk, but you've got to be able to justify it, and it's got to be there for a business reason.
Rory
0:06:41
So you've almost got that entire continuum of high risk for high return right now, a more stable platform where you do want to take incremental risks for certain reasons, but then you probably want to remediate them again once that reason's away.
Ganesh
0:06:53
Yeah, that makes perfect sense. And yeah, it's interesting talking about that conversation you have with people because we're in the old days of being the gatekeeper. And I've since sort of moved out of that world, so I don't do any of the gatekeeper business stuff, but in the old world of being the gatekeeper, I feel like the problem was that there was a gate and it was at the end. There wasn't a conversation happening at the beginning. So they're sort of secure by design and giving people frameworks and having tools plugged
Ganesh
0:07:32
into their code, doing static code analysis from the moment they're developing them to give a higher level view, we're probably in a much better place now
Rory
0:07:40
than we have been historically. Yeah, and you've got that with a lot of, yeah, the majority of developers around the world these days use Agile, even if your wider business doesn't. Agile is very much a thing that software development works well within. And being able to build security modules as non-functional requirements so that at your very first set of stand-ups and your PI planning, you understand what's going into it.
Rory
0:08:06
Again, a decision can be made to not use those, but it's higher effort. You've got a smooth, low-friction pathway, which has approved modules where the risk is understood and they follow the framework and guidance. Use those, everything's easy, it's quick, it's low effort. Bang, you get it out the door.
Rory
0:08:25
If you decide to take a different route using new technology, a new platform, okay, there is some more oversight needed. So it does become slightly higher risk. So you find that behaviors follow the slightly lower friction route. So it's almost there getting the right behaviors just by showing the easy pathway, but allowing other things if business really wants to do them.
Ganesh
0:08:44
Like there's an unrespected or not unrespected, that's not quite the right word, there's a misunderstood social role of a lot of the security practice in order to become friendly with the teams, or to see you as a cohort as to what they're doing, as opposed to, you know, we'd better hide what we're doing from the security guy in case we get caught doing what we're doing. And I'm guilty. I've been on both sides of the fence.
Ganesh
0:09:19
I know it for sure. I've seen it and done it. But I think with that, that sort of social role is definitely sort of, you know, not everybody has it. And I tend to sort of think in there without trying to be too disparaging to my colleagues out there in the tech world, you know, we're a lot of us are keyboard and mouse people, you know, we weren't
Ganesh
0:09:41
designed for front of stage and trying to do that.
Rory
0:09:43
A lot of this is around changing cultures, and as such it needs the people-to-people communication. Two of the big roles that I've taken in global banks have been off the back of a Section 166 report from the regulator, which is basically a, you have failed in governing your cyber risk effectively, fix it. And it's quite a high threat from a regulator. So you're building or entirely changing an organization
Rory
0:10:12
from failing to manage this, failing to govern it, to accepting that building a team, we're going to be making recommendations, so there's a lot of credentializing yourself. You know, why are we the ones who can come in and tell you what to change? You know, we resent someone coming in and telling us that everything we're doing is wrong.
Rory
0:10:30
So being able to do that, potentially yourself, articulate why this is a good thing for not only the technical developers, because it does reduce their personal risk, it's better for the business because they get a better view of what's coming. In reality, pushing this through is one of these things that you can't do at developer level or individual business level. It's very much a, you've got to get the tone from the top. So, when we think about what metrics make this work, if I've got a business where the key metrics are
Rory
0:11:02
around profitability or growth or delivery to customers, that's what's going to drive everyone's behavior. Because that's what they'll get paid for. So getting something in at remuneration committee level or ex-co level which says you're also going to have to have a requirement that might be based around sustainable community, it might be based around risk management or risk reduction for customers, for colleagues, for different areas of the business. That's key because, honestly, without it, those business leaders are not going to drive things that aren't
Rory
0:11:42
going to lead to them taking their maximum take-home. It's very commercial at that level, where you have metrics, that's what your business expects from you, you do them. So there's an aspect which is aligning that very commercial nature of, well, what did it for me at Remco level, all the way down to, well, what are we wanting to see for our customers,
Rory
0:12:05
for our colleagues, for the community at large? And it's not easy. Like I say, the initial view when I've come in and done this in organizations is resentment, distrust, you look like you're coming in to pick holes with what I'm doing, I'm going to get in trouble.
Rory
0:12:22
Whereas within Mastery, the challenge is getting them to listen to the, I'm actually coming to get you budget to fix the things that you know are wrong without you getting in trouble for it. Because once it's already broken, there's no point coming in and rapping someone over the knuckles saying, it's all your fault, you're fired. Because they've already been in there, they probably know the problem.
Rory
0:12:42
What's much better is to say, bring out your dead, let's have a good look at everything that's in there. Let's empty the skeletons out of the closets and ensure that you get budget for the ones that are important to materially reduce risk for the business. If you then mess up afterwards, yeah, that's maybe a separate conversation, but you might as well give the benefit of the doubt of moving from a punitive culture or a finger-pointing culture to one which is more open, it's focused on doing the
Rory
0:13:08
right thing for the business, and it brings security along into that new world. It's very healthy all around. We've not, over the many years I've done it, I've not seen anywhere that has disapproved at an organisation level. There's been some individuals who've gone, I'd like my bit to not have any reds on it, because in the old world, red marks from audit or external audit
Rory
0:13:32
would typically get you something dinged off your bonus if you were seen enough. But changing that around and saying, you've got a red; if you make that amber or green in these timelines, that's you doing the right thing. Yeah, don't need to then sit back on it, or if you do, how fast you handle it, how effectively you handle it, is now your new metric.
Ganesh
0:13:49
Just changing that around. And you talked quite a lot about those risk metrics. It would be interesting to know when you're pulling one of those skeletons out of the closet, how do you decide on like a risk KPI or what could people learn from you, basically having done this quite a few times, because I'm sure there's people listening thinking,
Ganesh
0:14:12
well, we'd like to empty the skeleton closet, but they all just look like skeletons. So where do we begin?
Rory
0:14:17
That is quite a big bit of work. In working through this with one bank, we ended up with a couple of hundred local metrics that we could monitor that were useful. Not necessarily ones that go up to board level, I think they're still down to 10 or 11 in that case, but items that you, it's pointless having a metric that doesn't let you do something about it, or that if you
Rory
0:14:39
do improve it, it gives no value to the business. So you're looking at things like vulnerabilities. Everyone has vulnerabilities. Old school boards would typically see you've got X size of vulnerabilities. That's a big number. To my mind, the absolute number is pretty much irrelevant. It's probably better to have less, but if it's 10,000 or 800 or 60,000, probably not relevant. Am I handling those vulnerabilities in a timely basis and prioritizing the critical ones that are critical to my business applications?
Rory
0:15:11
That's important. So moving people off a, we want you to reduce number of vulnerabilities by X percent each quarter, to a, can you show us that you're handling all of your critical vulnerabilities
Rory
0:15:23
on platforms that host a critical service within a two week timeframe, that's much better. You might still have a long tail of lower risk ones, but you're prioritizing those that have most material impact. I mean, none of this is rocket science, obviously, but it's a nice simple example of moving to a more managed, better governed vulnerability management system
Rory
0:15:41
and getting off that old one. Takes you to a place where you can understand what you're doing with your risk. Similar to patching. We could say that we're patching 98% of our servers every month. Is that good? It might be more important to patch 100% of the critical servers and not worry so much about the others, or patch really critical vulnerabilities within a week, and some go to then a month, ones lower down the tree
Rory
0:16:07
might be a three-month or next upgrade cycle. So again, it's prioritizing what's best bang for buck or best impact to the business as a whole.
5
0:16:17
That's quite interesting.
Ganesh
0:16:18
And you say it's like fairly self-explanatory, and to people in the security business, it definitely is. One group of people that I would think it's probably, or my own opinion, and I'll let you answer, one group of people that's probably not apparent to, I would imagine, are the financial regulatory authorities.
Ganesh
0:16:38
So you said talking about vulnerabilities in the stack, yes, this is a business critical app, this is just a backup app that does something in the background that's not front-facing, but what does that look like in a regulatory way?
Rory
0:16:52
Regulators actually have really picked up the game over the last few years. There was always this reputation that they were a bit behind the curve. And to be fair, regulations have to be built for regions, for countries, and so typically they are a little bit behind the curve. But if you look across the regulators around the world today, there's much greater focus on not being prescriptive on, for example, it's much more around the key focus at the moment around operational resilience. How
Rory
0:17:25
can you show that your business is resilient in the current environment, knowing that there's external threats, knowing that ransomware is a very existential threat, knowing that outsourcing to the cloud, so you have a supply chain that might be many tiers deep within the cloud, how can you as a business show that you still are governing your business effectively and worst case happens, you can recover?
Rory
0:17:51
So it means the regulators get a chance to look at not just your protecting your external perimeter and you're doing firewall stuff, which classic stuff, we still need to do it, but also you're thinking all the way through, are you detecting attacks?
Rory
0:18:06
Are you looking at everything that's happening in your cloud environment? And if the worst happens, do your backups work? Can you rebuild your organization to a point where you can manage to still be a business? Or are you down for longer than that period and you've gone bust?
Rory
0:18:19
So they're actually being very good and they're sharing more information between them. So back in my HSBC days, we worked with regulators all around the world. And not to be too fine-pointed, there were many conflicting regulations where it would
Rory
0:18:32
be hard to meet one and another. Now there's a lot more read across. So you've got HKMA looking at a particular set of regulations, and then you've got the Fed and the US looking at a particular set. They broadly meet the same requirements.
Rory
0:18:45
And NIST has really helped us with this. So NIST from the US, it's still quite heavily focused. It's come from government initially, it was quite academic. It's getting more and more useful. But the combination of NIST and then the ISF standard of good practice,
Rory
0:19:05
which takes a lot of what NIST has, but makes it a little bit easier to apply to an organisation and to measure and to understand the risk from each decision. It means you can do, even in a global organization, you can monitor what you're doing, you can align that to the various regulations and you can deliver consistently. So it puts you in a position where not only are you able to get a bit ahead of the curve because
Rory
0:19:31
you can see what regulations are coming down the line, say the Fed and New York State legislature tend to be a wee bit ahead of the curve, whereas some of the other regulators are a little bit behind. But you can start to build that view which says here's what we know is coming from the regulator this year, here's what we think is coming next year, let's plan ahead, let's look at that forward pathway, which at the end of the day it does save revenue, you're getting an opportunity to re-highlight where you are already complying with regulation and have a discussion with the regulator to say, we're not quite on that
Rory
0:20:12
one yet, but this is our plan to do it, so we will be there then. And that's a much better message to go proactively to a regulator rather than coming and hitting with a big stick to say, you didn't meet it.
Ganesh
0:20:22
Well, that's quite warming to know because my day is dealing with the regulators, which is, well, it must be 10 years ago now. And that was a nightmare because we were some of the first people using AWS and they had no idea what AWS was. So we came up against enormous amounts of friction.
Rory
0:20:40
I remember those days.
Ganesh
0:20:42
It was quite good, especially when your backup was another region of AWS in the States, and it's like, well, what if both of those regions go down? You're thinking, if we lose the United States and Ireland, there's like, there's a meteor here. But that move to the cloud, and lots of those old hundred-year-old banks have definitely not finished that, and I would say probably some maybe didn't even start that yet. Looking at that, what do you see as some of the biggest hurdles
Ganesh
0:21:17
for those guys who are trying to do that and keeping within the risk tolerance of those organizations? What does that look like?
Rory
0:21:24
You've got a couple of pros and cons. I mean, if done well, an assessment of the services and applications stack that you currently have so that you could then migrate it to the cloud, gives you the opportunity to do a lot of modernization there. But honestly, a lot of companies don't do that.
Rory
0:21:44
They do a lift and shift. So what you've got is all the things you knew about and didn't know about replicated into the cloud somewhere. And it suddenly gets a lot harder to figure out those things you didn't know, because one of the big things about cloud is you're losing hands-on visibility. Now, folks like AWS analysts
Rory
0:22:04
actually have rather amazing toolkits which let you find out a lot, a lot of discovery there. But where you've got kit in a data centre, you can always go around and touch things. You could physically check every single item.
Rory
0:22:16
You could check the linkages. It didn't require much imagination to see exactly where you would have problems.
4
0:22:22
If you were an organization
Rory
0:22:23
that did a lift and shift in the cloud, all of a sudden what you're really seeing is communications coming back out of that cloud, and it becomes a little bit ephemeral, but you don't really know what's there, this dynamic platform spinning up and down as you need them. So getting that accurate visibility of exactly what your estate currently consists of can be a problem.
Rory
0:22:48
So I worked with one organization that dynamically, they would spin up and down by 20,000 odd servers over the course of a day. It gave them a licensing issue, but which back then was before folks like Microsoft and some others had sorted out proper dynamic licensing.
Rory
0:23:03
But it also meant that we didn't really know where we wanted parameters around particular zones. We didn't know exactly where all the information pathways were. So we didn't really have a good way of articulating what our risk was at any particular time of day.
Rory
0:23:19
As I say, AWS have brought in some rather good discovery tools which help a lot now. So you can understand what's in there. You can run tools like CrowdStrike, Qualys, et cetera, and get a pretty good understanding on, we know now what we've got.
Rory
0:23:30
If we can modernize it, then that does make life an awful lot easier. One of the outstanding problems, especially for large organizations,
4
0:23:38
we typically don't just plonk something into the cloud.
Rory
0:23:40
We typically outsource microservices to multiple cloud vendors. They might outsource to multiple cloud vendors where we probably know our third parties pretty well and maybe our big fourth parties. Beyond that, most organizations don't really know
Rory
0:23:57
how deep their full supply chain goes. So you see a lot of comms these days around that understanding of entire end-to-end supply chain. Now I don't see many large organizations doing this well yet. There's almost a, well it's gone beyond fourth party, it's probably less important. Could be the case, but there's absolutely no way to rely on that. So I'm very cynical of companies that say that. I would far rather say, do we know what information is passed from this service?
Rory
0:24:34
If we know what information is there, how critical is it? What's my worst case if it goes wrong? And almost making the demarcation lines beyond this point, even tainted data won't affect my business, or it won't affect my business decisions, or it won't be able to take me down. So that slightly changes the way we look at both data and services.
Rory
0:24:55
We also have the availability issue. Is one of those services that underpins our core platform, is it run by one or two folks out of a garage? Because again, you might not know that, it's just a service. And we see more and more reports of small services
Rory
0:25:11
that are compromised or their maintainer sold them to somewhere because they were deciding to retire. There's no visibility of it, but it could underpin something rather critical. So I think summarizing it, my real worry is visibility of not just the cloud services, but the full depth of the supply chain, which worries me. On a broader supply chain side, I still have a concern around, it's a good route for ransomware or compromised credentials that allow an attacker into an organization because you're just sharing so much information with so many platforms that you don't necessarily have any direct control over.
Rory
0:25:58
And that should unnerve anyone a little bit because that risk just spreads out. Losing your perimeter means that you're having to deal in less definites.
Ganesh
0:26:11
Very interesting what you said, and I had the same issue in migrating to the cloud, because I'm also old enough to remember that any piece of equipment that you put in there, you knew you put it in, and you knew what was going on with it, and then you arrive at the cloud and obviously, when you first arrive, all the doors are shut. It doesn't take very long for someone to start opening all the doors,
Ganesh
0:26:33
and then you don't know where you are. And quite interesting, the idea of business criticality versus what data is going through there. I never had that conversation before, but it makes perfect sense because actually, is your front serving web server or your API server, is that business critical? And the answer is like 100%.
Ganesh
0:26:53
But is that necessarily the vehicle where data goes through that is sensitive or critical? It's two different things. It's another way to sort of measure your systems, which, yeah, that's actually quite an interesting concept. But go back to those millions of services that are in AWS and you obviously want the latest new buttons and all the innovation and blah blah blah.
Rory
0:27:18
In a highly regulated industry like the banking one, how do you align that with the business, you know, with business priorities versus innovation, and what's a roadblock or things that you consistently hit? Typically, the upside, certainly for where I currently work, is having that all as part of Agile does let us go, you've got a business idea, there's that sanity check around, do technology think that this is possible? And then you've got the, okay, can this be done with the existing modules that we know about and have approved? So if that answer is yes, then we're actually pretty comfortable and we can fast track applications through.
Rory
0:28:05
So we say, we know that it's safe. All you're doing is some cosmetic here, or you're pulling in this information.
4
0:28:11
Great.
Rory
0:28:12
And those are the nice using things. The challenge is where we're looking at a request that is requiring new functionality or possibly an entirely different channel. So obviously being a bank, we have mobile applications. Everyone's got a mobile application. What happens if you want to do something different for whatever reason? Is there a different
Rory
0:28:34
channel that we need to use for an accessibility requirement or do we need to do something different for certain classes of customer, whether they be vulnerable customers that need something additional or different? Are we wanting to take on customers in a different part of the world? So we started to make some different decisions there and each of those will be the ones that have a risk decision associated. So if it's a purely technological assessment, great, we'll go and have a look at whatever
Rory
0:29:02
the new technology is, we'll highlight the issues, we'll put some sort of quantification on it. And this is an area where there's different approaches to doing it. And I'll come back to that in a second. Where it's more, you want to do this in a different part of the world, it might be that, okay, we're going to start conducting business in country
Rory
0:29:19
X. That might just be a much higher risk. That's not really a cyber issue anymore. That becomes a business decision. It could potentially be an HR decision. Do we want to have employees in that part of the world? Is it a country that is actually sanctioned? Would we be able to do that at all? So it might be that that initial idea from the business is kiboshed by HR. It might be kiboshed by legal. So there's a full team that should be doing
Rory
0:29:45
this piece of work, not just security. So being able to sit in that kind of workshop and be just another one of the risk guidance team makes life a lot easier. So my role where I currently sit, I'm just a part of operational risk.
Rory
0:30:01
It means I'm not necessarily affiliated to IT, I'm not affiliated to DPO, I'm not affiliated to legal. I look at cyber risk in the round and it means that I can not cherry pick, but I can get information requested from colleague help. I can get information requests from HR if I need. And I think that's the bit that helps us embed properly once you get up to board level, because then the board goes, these are operational risk numbers. It's not, you know, cyber, that big scary new complicated thing.
Rory
0:30:30
Because some boards would still see that as the case, because it's relatively new in the grand scheme of risks and it's incredibly dynamic compared to some of the other ones. But if it's just another, here's the operational risk, yep, there's the cyber bit of it, there's the tech bit, there's the data bit, we get this in the round, let's make some decisions. But the innovation piece versus the regulation piece. And my gut feeling is, and not even my gut feeling actually,
Rory
0:31:01
because I've tried to sell products into some financial organizations, and we've lost out on the basis of, it's two guys in a shed, even if it's absolutely the best product in the world and whatever, that risk is too much that it's this. And even not even two guys in the shed, sometimes it can be a very amazing startup, but it arrives at a bank before it's got enough employees or enough whatevers. So I feel like banks particularly, yeah.
Rory
0:31:30
Yeah. And that really comes back to that operation resilience. A bank's got to look at it. So, okay, that service, that application, that tool, whatever it is, if that goes down, what do we do? Okay, if it's critical enough, what assurance do we have that it won't go down?
Rory
0:31:50
And that can be, if I look at what our third party oversight team look at, does this look like a stable company? Does it have the relevant funds? Has it got the capital? Is it growing? Is it stable? Even director checks, do the people in charge of that organisation have any criminal record? There's a lot of
Rory
0:32:13
elements that all reduce that decision risk. If we say IBM's going to provide this, that's generally a pretty low risk decision for an organisation because they know what IBM does, it's there, it's got a whole slew of, if something did happen to IBM or if they messed something up, there's a whole lot of things that would be done. If it's two people in a shed, what is that backup? What's going to happen from a legal perspective or a financial perspective if something goes wrong? So, yeah, in thinking about a couple of startups I've seen go through the process, there is definitely that mileage in selling the product or service to all the
Rory
0:32:54
financial services first and working your way up because that decision line, if you're looking at a global, one of the big five or six banks, they're going to be looking at, well, you're only in one country, that might be a problem for us. You start to get to some fairly high tier decisions. Whereas if you're looking at a small local community financial center, then they might actually be able to say, yeah, we can take you on. Do you want a desk in our offices? There's a totally other end of the spectrum there. We've seen that in some countries where a bank may well just go, yeah,
Rory
0:33:30
we like what you're doing. Do you want to be part of our payroll?
Ganesh
0:33:33
Yeah, that's definitely the easier way of doing it. It tickled me, talking about IBM, because of the old joke in IT that nobody got fired for buying IBM. Still true today, still going. I want to come into some of the other stuff that's outside of your day-to-day role. And we mentioned that you're the deputy chair of the Information Security Forum and you do a lot of stuff around thought leadership in there. Can you just give us a bit of an insight, unpack what the mission is and what comes out of this forum?
Rory
0:34:10
Sure.
Rory
0:34:11
So it's one I came to after sort of sitting on a number of community organizations. As part of this journey along, I realized, probably about 2003 or 2004, that it was the community that was making security work. So I started working with the likes of ISACA, and then ended up joining a company that was a member of the ISF, so you get more visibility there, and then the Chartered Institute of Information Security. So each of those has got an aim to effectively improve security in their community. The ISF specifically is a not-for-profit member organization.
Rory
0:34:55
So typically the main population that's members of the ISF are Fortune and FTSE 50 or 100 companies, but there's a lot of small ones as well. It just makes a lot of sense to use something like the ISF in things like heavily regulated roles. We see a lot of financial
Rory
0:35:16
services, for example. But there's a number of small organisations that use it for slightly different reasons. And I'll kind of touch on both ends. So I'm just trying to remember how many years it's been around. It's certainly 26, I think, I have in my head. I may be wrong and I'll apologize to the chair if I have, but I think it's about there. The aim is very much to provide a set of tools and research and community out to the membership.
Rory
0:35:50
Now, the tools are very useful. I use a couple of them, but a lot of organizations use bits. I've mentioned the Standard of Good Practice already. It's effectively a set of standards for information security and IT security based off a massive expanse of organizations that have either been members or who have had benchmarks done or who have published their standards and policies and so on. It effectively gives you an opportunity
Rory
0:36:21
to measure yourself and any part of your security controls, your environment, framework, etc. against a pretty good bar. And you can set that bar to be high risk, low risk, etc. And it helps articulate what sort of improvements are needed to get yourself to the next level. So it is, in fact, a standard of good practice.
Rory
0:36:47
It goes down to the nth degree, so you can go really into depth as to what your IT staff need to do, or you can take it at policy level, go, this is what we're trying to do, here's the guidance. But not only that, there's a number of other tools that align and fit in with it.
Rory
0:37:04
There's the IRAM tool, which is effectively a risk assessment methodology, plugs into standard good practice. There's a relatively new tool that helps quantify cyber risk. There's a third party cyber risk assessment tool. The way the thing's set up now is it's basically a package
Rory
0:37:21
and all of these interlink. So if you are trying to improve your risk using the IRAM, you've got standard good practice to build. It's still in that slide. You've got your third party assessment tooling that helps you feed in from that side.
Rory
0:37:38
So you can get a good picture of how secure and how solid and how risk managed your organization is. So as a core, that's the main body of what is provided to all members for the ring. Now, to make sure that remains current, ahead of the curve and so on,
Rory
0:37:56
There's also research provided. Now each year, there's a number of topics for research and they get voted on by the membership. So if the special quantity says, actually we want to really know about quantum computing, research will then be done. So one of the things that smaller organisations use the ISF quite effectively for is almost
Rory
0:38:14
additional staffing. It's like having some research staff on your payroll that can go off and do things. So gaining additional information about AI ahead of the European AI coming in. That was very useful to a lot of members. It's not just the what's the legislation going to look like, what does this mean? And one of the tools that the ISF produces called Threat Horizon actually has a forward-looking, so two or three years ahead in the future, what could happen? What would
Rory
0:38:46
be our scenarios that would impact us negatively? What's likely, what's unlikely, but if it did happen would be really bad for us. So that also gives folks like me a really good opportunity to sit with my board, say these are some possibles, we're quite well protected against this, but if this scenario happens we're not so well protected, I would like to do something to improve that. And it takes into account combinations of things like climate change, rising global unease, even migration of humanity, combine that with the unsettled nature of Russia and Ukraine, Israel and the
Rory
0:39:28
surrounding areas, even America with some of the stuff it's doing, China, Taiwan and so on. We've got a whole series of different threats. If they all aligned or something happened at the same time, what would that mean to us? So the threat horizon gives a pretty rational view of optimistic and pessimistic outcomes
Rory
0:39:49
that could happen here. Very, very useful. And in terms of the community itself, it's an opportunity for all of us to meet with peers and sanity check ourselves. I mean, that is one of the other things I do quite a lot, is I'll sit down with
Rory
0:40:01
CISOs, heads of risk, CROs and almost have a, we're seeing this, we're doing this, are you doing the same? And that's quite high value that you don't really get any other way. Because we all kind of think we're doing things right. You know, when you look at it, the market, they do something really clever. How do I emulate some of that?
Rory
0:40:24
And it breaks down some of those barriers where in the past, if security was, don't tell anyone anything, it's ours. Eyes only. Now security is very much, if I get better at this, then my wider community gets better as well. So there's a lot more of that sharing.
Ganesh
0:40:39
Yeah, I've definitely seen that uptick as time's gone on. And we do a lot of work with airlines, and airlines are particularly good at cross chat and having weekly or monthly calls where, you know, we're seeing X, Y, Z, we're all airlines, we're all going to be attacked the same way. So they do a lot of information sharing. And I'm very glad about it because there definitely was like a keeper's mentality where you...
Ganesh
0:41:08
It really was. It was seen as an operational advantage or a commercial advantage. Yeah, yeah. Like Gollum with his information, it's like, that's not helpful. You know, we need to learn from each other. I want to go back one step. I'm just interested in that threat horizon. The threat, because it sounds unbelievably complicated, but what does that actually look like in terms of a consumable? It's like a set of documentation that is filled out or it's actually a piece of software. What does that look like?
Rory
0:41:36
Yeah, it's actually a set of documentation. So it's initially pulled together by the researchers and then members of the ISF, we have a number of events each year, some are local and then we have our global congress each year. And at that, members are asked to go through and provide comment. So it's distilled down to a, here's how those scenarios might look, here are things you could do about it, which is the high value for any security team or wider team. There's also a, effectively an executive summary that comes out that is,
Rory
0:42:17
this is what your board needs to be thinking about. So currently things around, as I mentioned, sustainability, AI and so on, are very high on everyone's agenda. Organizations are moving towards using AI, we know this. AI is not very good for the environment, we know that, so how is that going to be balanced? There's a series of information points that boards should be starting to think about, but also then the supporting information underneath for teams to be able to provide their boards with the information as it's relevant to them. So, guidance on
Rory
0:42:49
how we could look at our supply chain and understand what their ecological footprint is. Do we want to have visibility of that entire chain? Do we want to ask each of our suppliers whether they use AI and if they do, what for? So that we can start building – there might be some risk from the things that AI doesn't currently do very well, but also there's a, it uses power. It uses an awful lot of power. If I want to be able to articulate to a regulator what my carbon footprint is for the entire end-to-end, for a small organization it's quite easy, for a global multinational you're talking an awful
Rory
0:43:28
lot of effort. So there's some guidance in there as well on how you would approach that. It's updated every year, plus there's additional supporting information that comes around. The CEO of the ISF, Steve Durbin, he provides a lot of updates on exactly this sort of thing to members, and then provides podcasts out to non-members as well that are pretty high value and they give a taster for those folks who aren't members currently. It'd be interesting if they ever really take the green agenda to the edge,
Rory
0:44:04
because all those Python coders are going to be in big trouble, because it uses 10 times more energy than C++. So C++ is going to come back into fashion big time if we ever get to the end of that one. And we'll be back into RISC processors.
Ganesh
0:44:16
Yeah, yeah, exactly, yeah. Super interesting stuff. Before we let you go, we'd like to have one sort of personal question, which the CISO of Expel dubbed the DeLorean question, and that's if you could go back in time and give yourself one piece of professional advice or other, what would that be?
Rory
0:44:42
I mean, this might not be the sort of thing that I would necessarily say to my kids, but I probably wouldn't have bothered aiming for a master's degree and I would probably have left university a bit earlier because in reality, university gives you the ability to learn and gives you that preparation, but it really didn't prepare me for anything that I do in my professional life. I did engineering, which is good, you understand how electronics work and so on, but in reality, every single thing that I've done this century has just been from experience and working in the field. So while I think the university is still useful
Rory
0:45:23
and they can get you a certificate that gets you to add a certain level into something, they're not a patch on gaining experience. So my eldest, he's in his final year doing a cyber security degree. And the most important thing I've given to him is get your internship, get yourself a job for this final year. So he's done that, by the time he graduates he'll have had a year of experience under his belt and honestly I think that's the single best thing he could have done. The degree itself is good, it's at Napier University which is
Rory
0:45:53
producing some of the best cyber security graduates, but that experience is what an employer is going to look for.
Ganesh
0:46:07
Yeah, that's very, very sound advice and a great note to leave us on. Rory, thank you so much for giving us your time. You've been totally great. Any parting words?
Rory
0:46:12
No, I just think be aware that the pace of change in cyber is continuing to accelerate. It'll never get boring. There's always a discussion around roles that are required, there's never going to be a gap, sorry, never going to be enough people to fill the gaps in the cybersecurity industry. So, you know, it'll be there for the rest of your career. Why not join cybersecurity and have a career for life?
Rory
0:46:38
You will never be out of a job. That is absolutely for sure.
Ganesh
0:46:43
Yep.
Ganesh
0:46:43
Yeah, solid. Rory, thank you so much.
Rory
0:46:46
Thank you for having me.
Ganesh
0:46:46
This episode was produced and edited by Daniel Ohana and Tom O'Morvinson, sound editing and mix by Bren Russell. I'm Ganesh The Awesome. And if you're ready to deep dive and start transforming the way you approach cloud practices and cybersecurity strategies, then the team and myself at GlobalDots are at your disposal.
Ganesh
0:47:06
We are cloud innovation hunters, and we search the globe looking for the future tech solutions so we can bring them to you. We've been doing it for over 20 years. It's what we do. And if I don't say so myself, we do pretty well. So have a word with the experts.
Ganesh
0:47:21
Don't be shy. Don't be shy. And remember that conversations are always for free.