Shifting the Status Quo of Cybersecurity

Henry - 00:00:00: Welcome to Ethical Data, Explained. Join us as we discuss data related obstacles and opportunities with entrepreneurs, cybersecurity specialists, lawmakers and even hackers to get a better understanding of how to handle data ethically and legally. Here to keep you informed in this data saturated world is your host, Henry Ng.

Henry - 00:00:19: Hello, everyone, and welcome back to Ethical Data, Explained. I'm your host, Henry Ng, and today we have a very special guest. She is an award winning entrepreneur, international speaker, best selling author and advocate for gender diversity and equality in cybersecurity. And in our pre podcast talk, I've now found out she is an exceptional chef at home as well. I would like to introduce Jane Frankland. Jane, if you'd like to do a quick introduction on yourself and let people know, maybe not what you cooked for your family the other night, but a little bit more about you and your kind of experience.

Jane - 00:00:49: Yeah, cheers to that, Henry. It's so good to be here. And I spent 25 years in cybersecurity. I came into security not having had a technical background, so my background is art and design, so I'm qualified in that area. I came into the industry by actually building my own penetration testing company, which I owned for about 15 years. So that was at a time when literally there were about less than half a dozen pen testing companies, studying in the UK, because I'm based in the UK. But it was really new. Security was really new in those days, so did that. I've worked in some executive positions, the last one being as the Managing Director at Accenture. And I contribute to lots of awards all over the world, some in technology, some in cyber. I've done some in literature as well, because I'm a published bestselling author and I contribute to standards and forums and things like that. So CREST, help to form CREST when there was a problem with it. So you might say I'm probably a technically founding member of CREST, helped to launch Cyber Essentials all those years ago and have contributed through my companies to the likes of OASP. And the other thing that I do, in addition to working my own business, which is all about helping women get into the industry and developing and stay in It, and companies to attract and retain the talent and build those incredible environments that are good for all people, is that I really am a bit of a voice of the voiceless. So I am a women's activist and I do research to kind of further the mission to make women standard in cybersecurity and not exception. So I've put about 352 women through my women's scholarships, the Insecurity scholarships, in the last four years, and that's a value of about half a million US dollars. That's who I am.

Henry- 00:02:56: So, like I said, going through our pre interview sheet, this long list of accolades is absolutely amazing. And one of the things that you just brought up is you're from a design background, and you went into pen testing and cybersecurity. What led you to do that? What was the kind of switch in the brain that went, okay, I've got my background in design. Let's try something completely out of my comfort zone.

Jane - 00:03:16: Yeah, well, I'm a challenger by nature, so I love challenges. And I fell pregnant after graduating with my first son. I've got three kids, they're young adults. So I fell pregnant with my son, and I needed to make a change because although I was working as a designer, I had an agent and I was selling work all over the world. I ended up entering sales, which I vowed never to do. I'm an introvert, and so I ended up doing that. And then I ended up meeting a boyfriend who was in technology and let's open a business together. Let's do this. And because I didn't know much about technology but I was interested, I said yes. I left a good job with great prospects to go and build my own tech company with him. And because of the state of technology at that time, the only areas that really interested me was security or AI. And AI was just too new then. I mean, it was at a time where mobile phones were really new, email was new, not everyone had a website, so security was viable, and that's what we did. So we built a business that was initially an integrator, a value added reseller, and we sold high availability servers, networking kit and security. But we always led with security. And then we just scrapped everything and focused on security after a few years because I could see where the market was going and then honed down in on pentesting, of course.

Henry - 00:04:42: It's funny thing that you said that you were never really interested in sales and you kind of ended up in it. I feel like a lot of us who were in sales tend to have that same thing. When I graduated from university, one of the things I said, I was like, I'm never going to do sales. And eight years into my career, and I'm loving every moment of it, so it's interesting to hear the same thing.

Jane - 00:04:58: This is the thing, isn't it? I didn't realize I've been solving problems over the years, so I wanted to go on holiday with my boyfriend, and it cost money and no one would give me a job. So I created my own little business. I didn't realize it. I just made things and sold them for a profit. Got the money within two and a half days. So off I went on holiday. When I was after graduating, I trooped around galleries asking them to show my work in one of their exhibitions. All of these things were sales, and I didn't realize really that that was selling, and that selling really is just helping people. It's a transaction, but essentially it's helping people and solving a problem. So once I kind of got my head around that, then it was easier to do. And that's why I'm very passionate about quality salespersonship. It's a profession, it's a skills alert and you can do it really well. And so, yeah, I'm quite serious about the quality of ethical selling, of course.

Henry - 00:06:03: Especially from a background of, kind of ethics and opening the cybersecurity world to everyone, I think being balanced in the mix is always very important. It's interesting that you said you also had an interest in AI at the time. If you could restart your career right now, do you think at this point in time, AI would be the option that you go down rather than cybersecurity?

Jane - 00:06:22: Maybe, yeah, I think it would be actually something in tech, I really do. Tech to me is so creative and I would really be thoroughly investigating tech. I mean, AI is so interesting. I mean, it's just like with the advancements and developments, particularly over the last few months with Chat GPT, it's just like, wow. Oh my God, I love that. It's so powerful. It's just like, it's fantastic. So it can really add and contribute. Obviously, with any positive, there's an equal negative and we can see how that could play out and is playing out with AI. So, yeah, it would be much more investigative and explorative with looking at technology because it's a big field. Cyber is just a part of that, of course.

Henry - 00:07:11: That's brilliant here, kind of bringing it back into that cybersecurity world. Obviously, you've been in cyber for the majority of your career. What have you kind of seen as the major changes and what do you feel that hasn't changed over your time in cybersecurity?

Speaker C - 00:07:24: Yeah, so major changes are things like language, like when I came to IT, we were talking about it, security information, security, network security. Now we talk about cyber security. So there has been some penetration, testaments and all of that stuff, and the profile, the risk, because there is so much more technology now, we are so much more connected than ever. We have the cloud, we have AI, but it's just this connection and reliance on the cloud that has changed things. So the profile of security has increased, the risk exposure of security and what we do has increased. I think back to when I came into security, you were landed with it, you were given it, you evolved with it, no one had a clue, no one needed to be qualified in anything. It was just like, you're doing this now, it's your responsibility, sort it out, and their careers developed that way. Whereas nowadays there are so many hoops to jump through, you need to be qualified in this, in that, et cetera, et cetera. And when it comes to leadership, the CSOs, they're under so much more pressure because of the risk exposure and just the amount of breaches and attacks that are happening. So that's a huge change that I've seen, I would say a little bit more professional, a little bit it's more diverse than ever before. You know, 25 years ago or whatever, it really was a technical domain, you needed to be pure tech in order to be in it. Whereas nowadays that's not the case. It's so much more diverse, it's scaled. There are more jobs for so many different types of people. There are probably other things that I can think of, but those are just things that are on the tip of my tongue. And then in terms of what hasn't changed, we're still really slow. We are not communicating as effectively as we could do. We need to do a better job of improving our communication and understanding. I think the World Economic Forum called that out in this year's report. So we need to be much more business-like, much more on the case in terms of, well, what are the other stakeholders doing? How does that impact us? How can we work more collaboratively? How can we be more aligned and helpful? As opposed to the department that likes to say, no, we still got that going on for many of us. We need more buying from the top and that is improving. And again, the World Economic Forum stated that in this year's report. So, yes, we're doing a better job of that. We still have low numbers of women inside, that's not great at all. And things like secure development, lifecycle, are we making progress in terms of that? It's got a different name, but I don't really see much change in terms of that. Why aren't these standards being built into products as a matter of course? I remember evangelizing about that blogging about it in 2008, in the early 2000s, rather. I don't see much development there, so those are things that I can think of. I also think we're a bit too slow, not great with change, which is understandable given what we do. So we need to be more open, more collaborative, better communicators, more aligned with other business stakeholders, less defensive and more innovative. Find ways, more resourceful, more innovative.

Henry - 00:10:57: Yeah, of course. I definitely think it's something not just in cybersecurity, but in tech, where I always say technology likes to move fast when we want it to move fast. And then other times it just has that slow plotting pace that you'll see in a lot of cases. But hopefully we can see some fast advancements over the next, I want to say several months, but maybe several years.

Jane - 00:11:16: I think tech does, will put a slowness on it. It's just like, Hang on a minute, what's going on here? It's like, have you done this? So it's really understanding the businesses needs and working with them so that we actually achieve our goals together. That's what's needed. So, yeah, tech does move fast. Cyber can move a bit faster. And we have seen that the pandemic was actually really good for us in so many ways, but it really does. We don't like change. We don't. And that's a human trait. Humans work really hard to maintain the status quo. But especially in cybersecurity, change means risks, change opens up danger. And I think we need to be moving with technology as opposed to being more obstructive of it. And we need to be breaking down these doors so that we are building in secure development practices right at the very start. So we're lowering exposures and bugs and also not being so wasteful.

Henry - 00:12:14: From what you just said. That kind of idea of waste and sustainability is actually the next point I wanted to raise. Obviously, some experts are arguing that data and sustainability analysis are essential to building resilient companies. What are your thoughts on that? And do you have an example of a time in your career where you use data to aid in sustainable development?

Jane - 00:12:31: Yes, I definitely am a big believer in data. Data can tell lots of different stories. I like building data. I like looking at data, I like data. It could have been a data scientist or something like that. I love stats and like patterns and things like that. So yes, it helps us to be more intelligent about building solutions and really discovering root problems. And it helps us with the investigative side of things. And it's really important that we get a grasp on that so that we can actually solve the right problems and do a better job of that. So data is hugely important for me in terms of how I've used data, I've looked at certain problems and wanted to investigate them. So is this really a problem? How deep is that problem? So, for example, I did a groundbreaking bit of research on women at security events and how they were being harassed, or having to deal with inappropriate behavior, or using their voices as speakers, as panelists, as thought leaders. And certainly when it came to events, like what they wanted at events, in order for them to go to more and be more involved. So I did that because I'd heard lots of stories. We've all heard the stories, but the data wasn't there. So I did a study on that to ascertain well, what is the problem? What do women want? Are women using their voices? Do they want to speak at events? I've got conference organizers telling me we can't find a woman to speak. I've got women telling me that they want to speak, et cetera, et cetera. So what's really going on? So that helps to build a picture and it also helps us to look at trends, it helps us to evaluate, well, are we making an impact? Are we doing any better? What's going on? And so it's really useful for me, it's a starting point. And when I was working on the IN security movement and building the Code of Conduct which is for all people, but particularly women, safe at events so that they go tomorrow and can have an enjoyable experience without feeling fearful or threatened or not going at all. And it really needed to be done. So is the code of conduct making a difference? What is the state of affairs? Are we doing any better? And of course, when we start measuring all of those things, we can improve so that we're not being wasteful, because wasteful is not good for sustainability, it's not good for our planet, of course.

Henry - 00:15:04: And if we're looking at that kind of data and sustainability side, what approach would you recommend to kind of businesses to integrate both data and sustainability into their, say, cybersecurity solutions moving forward?

Jane - 00:15:14: Yeah, well, it's looking at really mapping people profits and planets to securities of people process and technology. So, for example, I wrote a blog on this, I've given keynote talks on this fairly recently, actually late last year. So it's really looking at and I always start with people. So what is going on with your people? How can you be less wasteful in terms of your people? So treating them well, making sure that their needs are being met, making sure that your recruitment practices are unbiased, and there are many things that you can do that because there's so much waste that goes into the people aspect, people not staying at companies. So you're having to recruit again, so that requires resources, you're having to start projects again or projects aren't being seen through so that there's more waste to that. So there's a lot that can be done there. Again, on the processes side of things, the secure development lifecycle, the DevOps side is an instant win. So it's really looking at, well, how can you get into the lifecycle earlier so that you are fixing bugs sooner and being less wasteful? So I think you save something like 75% of your cost, your incident response costs, if you can get in earlier into the lifecycle, you can reduce 50% of bugs again if you get in earlier to the lifecycle. So in terms of that return on investment, it's that, but that's only if it's strategically possible. So for some companies, they have to be fast to market, they can't wait, or speed is of the essence, so they've just got to get it out and then retrofit. But most companies can afford to do it. So the earlier that happens and the sooner that security and internal audit are involved in that process, the better it is for lowering waste. And then just in terms of tech, it's making better decisions. Or you can kind of even go back to procurement with the processes. What are the requirements in terms of your processes, your procurement processes? Are you asking for these criteria to be met that we built in as a process? Are you sourcing green technologies? Are you using technologies that are better for the environment. How are you evaluating those and those suppliers and vendors and so on? And of course, when it comes to the technology and creating it, we can be creating and innovating with all of these things in mind. And I think it's when you look at the generations, certainly millennials, it's front and foremost for so many millennials and centennials, I found having kids that are young adults, I don't think that they're exceptionally unusual. We're big on the planet, in my family, but they are so much more up to speed with all of these things than me. And I think that is how they are more in tune with the planet, the environment, that responsible side and I got so much hope for that generation and the centennials and of course, the others that are coming up. So they can really help to improve our situation and not tolerate as much and just create a safer, happier and more prosperous world.

Henry - 00:18:23: Definitely.I think it's the open access to information about what being unsustainable can do to the planet is out there now. And even if I look at my nieces and nephews in junior school, they're being educated about sustainability. And I think it's definitely, I agree, it's just something that's going to be more prevalent for the future generations just on that idea of people. And as you spoke about, one of the things I really wanted to focus on in this podcast was your advocacy for diversity and increasing female presence in cybersecurity industry overall. When did you kind of start noticing this disparity? Obviously, it's still going on, like you said. And why, in your eyes, does it matter that there's diversity in the cybersecurity space?

Jane - 00:19:01: Yeah, so I first started noticing it probably in about 2015 when I wrote about it. I wrote a blog that I'd been meaning to write, but I picked up an IC Squared report and saw that the numbers had really dropped. I think they dropped from about 19% down to 11%. And it was a consistent workforce study report that had been done multiple years, I think every two years they issued this report. And I was really shocked because when I came into security all those years ago, you really didn't find women in the industry at all. I remember meeting a female client once and it was like, wow, this is amazing. It just doesn't happen. But by that time, I knew so many more women, so I was just really shocked at the low numbers, but then I could see them plateauing, and I thought, that's not a really good sign. And that's really why I took action and led me down a path that I didn't expect to go down or journey on. And that's like how the book started and really my investigation into it. Well, why do women matter? Because every sector, every industry that you look at, people are saying, yeah, we want more women. If there are less women in that industry or sector, then they're usually working hard to try and improve that. But why it's nice to have more women. It feels better if we have more women. It's more natural. Women can add to the diversity of thinking in terms of experience and things like that because they have unique experiences. But for me, the big one is that we see risk in a different way to men. So women see risk in a different way to men. And there have been hundreds of reports that look into this. You can look at the World Economic Forum who actually have been tracking this for years, I don't know how long, but a long time. And you can put in a criteria to the Global Risk Perceptions report just to see, well, how do women's risk views differ to men? And it's interesting. So if we don't evaluate risk, including women, we're going to be out in terms of our risk management and assessing risk and reducing risk in cybersecurity with the work that we do is what we're all about. So it makes sense if you're short on women, you've got an issue with risk. So that's why it's really important. Women are naturally suspicious.

Henry - 00:21:26: I would say inquisitive rather than suspicious.

Jane  - 00:21:29: Suspicious, we can hone into the detail. We spot things that just don't seem right. And there are many theories on why that is, which I don't need to go into an argument, but I think we're naturally cautious, which comes down to how we're evaluating risk and we see it in a different way. We're naturally cautious, suspicious. We have high emotional intelligence. It's not that all women have that and men don't, but typically these are traits that women have. These all add to us doing a much better job in terms of reducing attacks and protecting environments better. Also, if we have more women in our organizations, if bad actors are exploiting us through attacks that men are more likely to fall for than women, then again, there's some bolstering there. It's just like women might not fall for the same types of attacks. So there are many advantages to bringing women in which I go into in the book. So in my book Insecurity, there are like 200 data points on why women see risk in a different way to men and what we need to do to improve the situation. So that book really is a manifesto, a call to action for all people. And it's incredibly inclusive from readers who are young, children, teens, all the way through to people who aren't in our industry, who now understand our industry and the challenges that we have. So I've had some guys give it to their kids, their wives, a whole variety of different people. And importantly, with the book, what it really helped to do, which I was quite unaware of when I wrote that book, which was a research project, essentially, was how alone women were feeling. So it's really helped women to not feel alone and not wrong. It's just like, oh, it's not just me. All that happened to you too. So it was really unifying in a very positive way.

Henry - 00:23:24: I think that's a really good point. I have these conversations personally at home. Like women in general just give balance to I want to say men's brashness. That's probably the best way to phrase it, where we kind of go head in and don't really take into account every single thing on the side. Whereas the women that I've worked with and in my life, they're also methodical and they see all the step by steps that I would just miss on a common basis. And I'm really thankful to work with them and have those people in my life. So, yeah, I completely agree. I definitely need to have a read of Insecurity. It sounds like something that I'd actually quite enjoy.

Jane - 00:23:56: Yes, and I need to add some more research in there as well because more research has been done. There is little research out there specifically when we're looking at cybersecurity and risk management and the difference that gender diversity makes or full diversity. But there are some newer kind of reports that have happened since I wrote that, and I really want to get those in because there was one that was written by Cass Business School, and they looked at banks and the misconduct fines and they looked at diversity in all its forms and specifically gender diversity to see what made the difference. I would have expected from all of the reports that I'd read to see it's going to be full diversity. But actually, it wasn't. It was gender diversity that made the difference. Because of that, they were able to lower the risk management and the bank's misconduct fines by something like  

7.48 million. I think it was US dollars per year. So that’s just one. Now we need more sources of data to be able to build a picture to categorically say, okay, this is the impact that can be made, which then enables us to get more companies to invest in it, as opposed to just paying lip service or wanting to look like they do care about it through branding and marketing efforts and things like that, whilst not actually changing or doing much to change the situation.

Henry - 00:25:25: Of course. Outside of that ideal of inclusivity and diversity, would you say there are any other changes to cybersecurity that would be top of your list? What would be the one thing if you could snap your fingers and make the change? What would it be?

Jane - 00:25:38: Better leadership and they don't want to put upon the leaders because they're doing an incredibly hard pressurized. It is so tough out there. They are bombarded. I mean, they have whole adversaries within the organization so it's really difficult for them. But an investment in leadership, I would like to see that change because I think there's an opportunity for leaders to really change the situation from down, from where they're leading through their teams and through to employees within their organizations and then up as well. So it's just like you've got such an opportunity, you get the investment that you need in order to improve your leadership or you invest in yourself. That would be a big difference. And I need leaders to be more open and not to be closed off. That fixed mindset, because I hear them saying one thing, but then I see them being closed off. So I want them to be much more open, much more collaborative, and listen better, listen better, and then take action.

Henry - 00:26:37: Would you say that the idea of people that are actually making active changes but behind closed doors are not actually making those changes? Would you say that that's a commonly held belief, that is your main thing that you disagree with about the industry? Or do you have another common cybersecurity belief that you passionately disagree about?

Jane - 00:26:55: So if we're talking about women in cyber, it's just not enough of a priority. They've got to lower their attacks. So here comes a requisition from HR, or Diversity, Equity, and Inclusion or any SG metric that they have to meet, and it's just like, oh, for goodness sake, it's compliance for them. So even if they do believe in it and want it, they've just got a hell of a lot of a job to do. It's just like, well, we need deliverables, we've got to find someone to do this, and there aren't enough women, so where are we going to find them? And we don't have time and we're going to lose business or we're going to be attacked and so on. So it is really hard on them. And then also, if they are facing the issue of not having enough budget, not having enough buy in from their stakeholders, whether that's finance officers or other MDs or partners or CEOs in the business, then they can be blocked. So it's like, I want to make this change, but you're not allowing me to make this change and this is going nowhere. So I see a lot of ten years that aren't long. They're short tenures. So two year tenuress, and that is just not acceptable because a new person comes in, they start again and it's just absolute madness. And particularly so, certainly if I was a company and seeing this pattern, this trend going on as CEO of a company, I'd be asking the question, what the hell are we doing? Why can't we keep these CISOs, these heads of security? Why are they going within two years or just after two years? What's going on? When CIOs last for about five years on average, I think, and the average tenure of someone is about four years. So wasteful, it's so nonproductive, and you just get different solutions coming in and more money. And time being wasted.

Henry - 00:28:42: So it's not good, of course. And maybe something for the younger listeners or people at the start of their cyber security career. If you could go back and give your younger self some cybersecurity advice today, what would that be?

Jane - 00:28:56: That's such a hard question. I really need to think about it. Yeah, well, it would be to be more visible. If I think about my younger self, I pushed everybody else forward. I kept out of the limelight. I was really scared. Scared to speak to any press, journalist speak. I only became a speaker not that long ago. It was my biggest fear. I'm an introvert. I'm actually a very shy person, which so many people find it hard to believe. But it would be to really get more visible, like, invest in that and stretch yourself so that you've got that as a skill, because you need it in today's world, it's a useful skill to have. So probably don't be so fearful. Yeah, I was like the person behind the camera and that type of person, rather than, don't pick me, I don't want to do it. No, push everyone else forward. Whereas I've had to become like that. And I did become like that because I knew it was important for the mission. So the mission helped me to find the courage because it's something that I believed in. So it's, understand your why and what you want, what you're passionate about, what your mission is, if you have one. If you don't, that's fine. Get more visible, use your voice and build those skills.

Henry - 00:30:13: Definitely something I tell my team at SOAX is definitely, do not be afraid to rock the boat, because that's how you make the changes in your industry.

Jane - 00:30:20: Yes, but some companies and individuals don't like that. I've worked for places where they don't like challengers. They just want people. And if you're not a yes person or you raise your head above the parapet, then it's just like, there's the door, out you go. Because they just want yes people. So you got to find the right environment for you. It's really important so that you can come and be yourself, be you at the source. My platform for women in cyber, we say, be you in the workplace. That's one of our mentors. Be you in the workplace. That's what we want. We want that belonging. We don't want that fitting in. We want to be able to come and be ourselves without hiding.

Henry - 00:30:58: Of course. Okay, so what app piece of software could you not live without on a daily basis?

Jane - 00:31:04: Well, I'm really enjoying Chat.

Henry - 00:31:07: Chat GPT.

Jane - 00:31:08: Yeah, I really am. It's fun. It's just like, oh, wow, so exploring that at the moment and really, like, seeing its capabilities, just having a play. I'm really enjoying playing with that bit of software at the moment.

Henry - 00:31:20: Brilliant. And you being, like you said, a bit of a data enthusiast when it comes to solving problems. Have you ever used a set of data to solve a real world problem? Could be in a workplace, in a professional environment, or it can be in a personal environment, maybe around the house or something like that.

Jane - 00:31:36: Well, I think it comes back to the IN security movement. So the research that I'm doing there, so, yes, that's led by research by data, so the surveys, so the harassment, it would be nice to think that, yes, that all started and was solved by the data. What's the problem? What's going on? How do we solve it? So, yeah, I think data is a bit like a seed.

Henry - 00:32:03: It's definitely more of a starting point of a journey and it's something that will keep growing and gaining insight on and it's definitely something that doesn't stay stagnant for too long. Yes, brilliant. Well, that's all we have time for today. Thank you very much for joining us on the podcast and thank you, all the listeners for tuning in this week. And Jane, do you have any final messages you want to leave with our listeners?

Jane - 00:32:23: I just like to say thank you so much for having me. It's been absolutely wonderful to speak to you and to answer your excellent questions. It's been so much fun. That's all from me.

Henry - 00:32:33: Brilliant. Well, thank you very much, guys. It's great to have you all listen in and you can catch us next time on Ethical Data, Explained.

Henry - 00:32:40: Thank you. Ethical Data, Explained is brought to you by SOAX, a reputable provider of premium residential and mobile proxies, the gateway to data worldwide at scale. Make sure to search for Ethical Data Explained in Apple Podcasts, Spotify, and Google Podcasts, or anywhere else podcasts are found and hit subscribe, so you never miss an episode. On behalf of the team here at SOAX, thanks for listening.