In the September print edition of Professional Security Magazine, we focused on the ‘burn-out’ that some cyber security people are complaining of. As cyber has faced a talent shortage for a while, it plainly matters if people are leaving the industry early, or at all, for an avoidable reason.
Things are connected, Scott Nicholson, co-CEO of the consultancy Bridewell, suggested: the cyber threats faced, and how cyber professionals are facing them, including burn-out. We met at the Infosecurity Europe show (the first in person since summer 2019, and itself hit by rail strikes), at Excel in London Docklands, where his company was exhibiting.
He’s been 20 years in cyber. He was in the police, then joined IBM as a senior cyber security consultant, which included taking chief security officer roles. As with so many chiefs, it sounds like Scott’s work is partly making contacts with others outside his company, partly holding the reins of the company. As MD he’s working with the UK official National Cyber Security Centre (NCSC) on such things as the Cyber Essentials scheme (as the NCSC seeks to check how effective the scheme is) and the CESG Certified Professional scheme, which is for practitioners in information risk and audit. Scott is also working with the industry body ISC2 on training, strategy and messaging.
About the firm
Bridewell has about 190 people and eight offices around the UK; it’s just set up in Houston, Texas (with an eye to the oil and gas sector). Its 24-7 cyber centre in Cardiff looks after some of the biggest names and operations around, such as airports, defending them in cyber terms, wherever the attacks are coming from, including nation states. The centre detects threats coming, responds, and does digital forensics, ‘which gives us access to lots of data, lots of insight’. The aim there is to offer research as an industry viewpoint, rather than from a company that can (inevitably) be biased.
To pay or not to pay
We asked about ransomware, and ‘to pay or not to pay’, as featured in last month’s Professional Security; either way, you can’t avoid a decision? Scott replied in terms of Bridewell research, based on its work across finance and critical national infrastructure (CNI). Ransomware is nothing new. Also widely acknowledged is a ‘skills gap’, not enough cyber people. A lot of places are doing ‘digital transformation’ while they don’t necessarily have the staff or the ability to keep up with what that means. Hence IT things are designed insecurely; businesses move faster than their staff can keep up with; and they get breached by hackers.
More of the interview is on page 46 of September’s Professional Security, which you can freely read online.





