KBKAST
Episode 132: Alan Jenkins
First Aired: September 28, 2022

Alan is a highly confident, effective and adaptable leader, manager and team player, with some 30 years' experience in all facets of security, particularly cyber and enterprise security risk management, with a focus on 'value-at-risk'. Currently, Alan is the Director of Advisory Services for Decipher Cyber, where he works with founder Tinesh Chhaya to grow the business and deliver quality outcomes transparently, at a cost proportionate to the change required.

During his career as a senior RAF Police officer, he accrued extensive operational exposure in the UK and overseas, in both multi-national and multi-agency environments, against the backdrop of a broad threat spectrum and across all three of the so-called physical, personnel and information security pillars.

Since leaving the RAF in 2006, he has added management consulting plus business development, delivery and pre-sales experience in both the public and private sectors, in the role of a trusted advisor and SME. After spells at CSC and T-Systems as UK Chief Security Officer, responsible for end-to-end security governance, operations and risk, he joined Babcock International Group as their first CISO in 2013. He led the delivery of significant improvements in the Group's cyber security capabilities, to the benefit of the wider business and its customers. After a year as an independent, he joined IBM Security in 2015 as an Associate Partner leading activities in the UK's Financial Services sector, where he also led the delivery of a multi-million pound security workstream as part of a £1.2 billion contract with a Tier 1 bank. He returned to freelancing in 2018, working through Cybercorre and then joining a start-up, Guardian Cyber Services, in 2019, before landing an all-too-brief role at 2-Sec Consulting. He has been on contract to Hitachi Europe's Security Business Group since October 2019 and has also been CISO-in-Residence at CyLon Labs since March of the same year, supporting two cohorts of start-ups and scale-ups and supporting a CyLon Spark workshop in Oman in 2020.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:22) You're listening to KBKast Cyber Security podcast for all executives cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:36) Joining me today is Alan Jenkins, managing partner from Decipher Cyber Consulting Partners, also known as DCCP. Alan, thanks for joining. Alan Jenkins (00:47) Thank you, Karissa. And good evening to you and listeners. It's a morning where I am. Karissa (00:52) So Alan, I want to start firstly with your experience. Now, Tinesh Chhaya is your other partner in your business, your other managing partner, and he speaks quite highly of you and he always seems to bring up that you do have over 30 years of experience in this space, which is admirable. So I want to start there because you made a comment when we spoke a few weeks back saying we haven't helped ourselves in security. Now, you've obviously got a long tenure in the space, you've seen a lot of things, you've done a lot of things, but I'm curious to know what do you mean by this and are we helping ourselves now? Alan Jenkins (01:35) So let me answer that last question first. I think we still have a way to go. Where I'm referring to here is I don't think we've helped ourselves in our relations with either business or the wider public because we've tended to attack and I'm focusing on the cyber side of security rather than the broader sense of security which I've been in for all of my career. And what I'm getting at in terms of how we haven't helped ourselves is we lapse into jargon, both technical and acronym, all too quickly. We don't keep our dialogue simple and we don't talk about the benefits, we don't talk about the opportunity use nearly as much as we talk about the risks and the downside. 
So our tone, if you will, tends to be negative and that doesn't help people because people want to be optimistic in the whole because it makes living in this turmoil that we're in easier if people think there is good things ahead, rather bad things ahead. So psychologically, we don't set the conversation up in the right way and then when we get to content, we go too much into technical, jargon and acronyms and we just lose people. Karissa (02:56) Yeah, good observation. I totally agree. One thing that's interesting is you said we lapse into talking about jargon and speaking and technical speak. Why do you think that's the case? If we're aware of it, why do we keep doing it, though? Alan Jenkins (03:14) Some of it, I think, is our comfort zone. Most, forgive me if I start switching the words. But most, or at least many of us in the cyberspace come from the technical work stream, the bits and bytes, the digital, the coding element, well, 99% of the population doesn't. So we've got an immediate language switch that we need to do. And that's not necessarily easy to do if in your day to day interactions with your colleagues you're talking technicals. And again, I'm not a psychologist here, but there are some studies emerging and definitely some commentary from the likes of Jess Barker, Dr. Jeff Sparker and others about the mindset, the profiles, if you will, of the people on the defending side in cyber as well as the attacking side in cyber. And they're not in the same space as most folks. So there's a lot of introverts in cyber as opposed to extroverts and that affects the way we communicate as well. But I'm not the expert on that topic. Karissa (04:25) Do you think it's gotten better over time? Like you sort of said before, you answered by a separate question first. But I mean, I was at conferences for the last couple of weeks and it's the same sort of conversation does seem to come up. 
And I mean, you're obviously in the UK and in Australia, it's obviously quite an inherent global problem, but it still seems to be the focus. What people often say we speak in technical, we should have had the same conversation. Alan Jenkins (04:54) Yet there are two aspects to that. Forgive me. I think there's one in terms of because it is a long standing issue, it's a safe topic to get to and to some extent it also reaffirms my earlier point about we tend to be negative about our outlook because I've certainly seen it change. Forgive me, I've been in security for over 30 years. I've started my career in the World Air Force for 21 years, joined the commercial sector, or Sydney Street as I think of it, in 2006. And I've had a variety of roles, both sides or all sides of the conversation, from end customer to supplier to consultant, bridging the gap. And that's what I tend to do these days. But because of that, my dialogue has changed as my roles have changed. So forgive me if I talk about seniority here, but as I've become more senior in terms of what I do, both in terms of experience but also in terms of role, more and more had to engage with senior leadership. And to do that I've had to adapt the way I talk when I'm talking to the senior leadership and that's whatso and heads off have to do on the inside. Alan Jenkins (06:14) But certainly as a consultant I have to do that as well because I could be talking to a small enterprise 1 minute and a large enterprise the next and you have to change the language according to your audience. You will do that as a communicator and podcast. You know that intimately, but a lot of the cyber folks don't. They have to learn it. And because we've had more people coming into the space, we've got people on different points of, if you forgive me, maturity of that learning curve. 
So whilst I have seen change, because I've lived through it, if you will, and I've adapted myself and I am conscious of that, others have yet to get to that same point. So we have a spread of approach across the industry. So while some people have made that change, others have yet to. And that is not helping us as well. We don't talk with one voice, but we'd actually have a lot of disparate voices saying slightly different things, not because they necessarily disagree, but because they're at different stages in their learning path. Karissa (07:22) Yeah, you're so true. One of the things that you said, which is interesting, is negative tone. Talk to me a little bit more about that. I do know what you're saying, but I want to sort of open up a little bit more. Alan Jenkins (07:33) Yeah. So if you think about it, we talk about always we should rightly talk about managing the risk 100% guaranteed security doesn't exist unless your laptop is turned off, not plugged in and locked away on a laptop in a safe. And even then, the safe could be broken into immediately. We're into slightly negative outlook in terms of we're trying to manage and mitigate the risks that are out there. So immediately, if you will, that's a negative type conversation, because you're acknowledging the fact that, forgive me, I'm going to say bad guys, the hackers out there, because I should be gender neutral about this, because it's not just hackers and not just males, and they're certainly not just young and hoodies as well, so that the hackers take advantage of that. But to our language piece, that's a negative view. So one of the things I've been talking about, and others for a number of years is talking about our value add, our value proposition. Where do we add value to the business as opposed to just cost them on the bottom line? 
Because most internal security teams, if not all, but certainly most, are a cost, they are a drag on the business, they're spending money from a budget as opposed to they are earning revenue and therefore profit. Alan Jenkins (08:57) So immediately, when you think about that, when you're talking to the board, who are certainly in a commercial organisation, they are entrepreneurs, they're there to make money, they're there to earn revenue, and it's all about the margins. Owning a profit and loss account is a significant step in your commercial journey. Most security folks have never done that because they're in the budget space. So, again, that affects our language, but it also affects the way we look at things. We're always looking at, as I did this morning, like, what's the breaking news overhead? Who's been hacked? Where's the latest ransomware outlook that is a very negative way to start your day. But that's our world. That's how we rock, if you will. That's not what other people are looking to do. They're looking to see they're checking their stocks and shares. Have my shares gone up? Excellent. Have they gone down? Okay, what am I going to do about it? That you, if you will, pervades everything that we do, thinking, talking and writing. And I think we just need to get a bit more positive about what we do, because we need to make a difference. Alan Jenkins (10:08) We need to make a difference in our businesses, we need to make a difference in our supply chains, we need to make a difference in our customers. But actually, we need to know that we're making a difference for ourselves, because otherwise it's a pretty bleak world. And I do think it's a contributor factor to the burnouts that have attracted commentary and concern over the last couple of years as well. Karissa (10:35) Yeah, great point. So there's a few things in there that I want to sort of explore but I want to touch on. You mentioned value prop. 
Now, you have mentioned this before in our previous discussions. Now, the value prop in security universally is probably not strong. And as you say, you said it was sort of due to disproportionate amount of introverts in our space, which you have touched on earlier in the interview. So what would be your advice with your level of experience in the industry? And then, I guess, how do we increase our value prop towards security? Now, I know it's going to be dependent and there's not necessarily a set way or a framework, but I'm just curious to know because we often talk about adding value, but how do we add that value? Alan Jenkins (11:24) It's not straightforward, I accept that, but we have to try. We have to look for the right levers, the right measures, if you will, to demonstrate that. Because, of course, if you're not measuring it, you're not doing it is one of those truisms of business consulting. But if I can just take you back to the value prop stems from the value chain model that Professor Michael Porter put together at Harvard University back in the 80s. It's at the core of certainly many, if not most, MBA programmes, certainly in the Western Hemisphere, and I presume in Australia as well. And it's an interesting one. You've got your primary layer and your secondary layer in terms of are you directly contributing to revenue? Are you facing off to customers or are you in the support space where you're enabling that to happen? And the weakness we have in security is security does not feature in that model, despite the fact the quality management and health and safety both do in that secondary supporting line. What's really interesting when you look at it, is actually security happens across the board, because if you don't have security in your production, your manufacturing facility, you don't produce the goods that go out of the door. Alan Jenkins (12:44) And there have been countless examples of that in the last couple of years. 
I'll go with Honda manufacturing disabled in 2020, I think it was, from a ransomware attack, as one example. There are others. I can remember a peer of mine talking about an issue at a bottling plant in a large brewing company here in Europe where he was able to monetize the loss of production because of a malware outbreak in the production space. That was the equivalent forgive me if I don't get the number exactly right, but I think the days lost production equated to 7 million and I think it was pounds at the time in terms of lost revenue. So immediately he had an impact for an outage to production. Which allowed him to go to the CFO with a business case to say. If you allow me to spend £500,000 here to mitigate this risk so that we can both not eliminate but reduce the chance of it happening again. And if it were to happen. We'll be able to recover much more quickly. I'll save you £7 million and at that point. Your business case becomes obvious because you're spending to save. Alan Jenkins (14:08) So your gain, your value add there is from a 500,000 pound spend, you've effectively insured six and a half million of your revenue. Does that make any sense? Karissa (14:20) Yeah, most definitely. And I think that this is where most people don't get the conversation, because that's what I see. A Bosnian. Cool. Keep talking, Allen, because that's what I want to hear. Yes, we're happy to spend the money with the intent that we don't then lose the money, and I think that's where the value comes down to. But as we spoke about earlier, it's going to depend on who you're speaking to, the discourse in which you are speaking to someone. So if it's a CFO, it's financial, if it's a CEO, it might be financial, a little bit of something else. So I think that this seems to be what most people, in my experience, miss. Alan Jenkins (14:55) Yes, because if you think about it, most of what we do is not directly revenue generating. 
Actually, we need to recognise that and therefore recognise that much of our activity is actually about brand protection. It's about revenue protection. Forgive me whether it's in the physical sense, you're stopping things getting stolen out of the warehouse that they call shrinkage, which is a hit on your bottom line, because that's a cost. But if you then recognise that, if you can save £10 in the cost space, you've actually saved that in your revenue stream, because for every £10 of revenue, you've got one, two or £3 of profit, depending upon your profit margin. But therefore, to recover that £10 loss of the cost end out of the warehouse, you've actually got to earn one, two or three times that at the front end. So the more you can reduce the losses, actually, the greater you improve the margin. And forgive me, I'm waving my hands here, which doesn't come across with the podcast very well. There's a need here to understand the economics, if you will, the cash flow side, because we're never given a blank cheque, even the wrong side of an instant, when the spending the wallet tends to open, so to speak. Alan Jenkins (16:23) It's still not an open wallet. Just spend what you need. There's still a discussion about, okay, what does this get us? Does it contain the problem? First, the first thing you need to do, or perhaps the first thing you need to do is cheque, you've got a problem. But we're past that. We're now into containing the problem, then we're into recovery, then we're into recovering from the problem. And of course, let's not forget that we don't just want to get back to where we were, we actually need to go a step further. And this is where the insurance model doesn't necessarily work, because your cyber insurance is to get you back to where you were. It isn't about covering any improvement CISOs to prevent you going there. Again, and forgive me, I'm going to use another buzz phrase here, and I'm just conscious of what I'm doing. 
But the increasing use of resiliency, or resilience, I think, is a very critical one for us because it recognises that that we're never going to be successful all of the time. But actually, the business doesn't care about how long it's taken us to detect a problem. Alan Jenkins (17:24) They're only really interested in how long it takes us to get the lights back on or the production line moving, or the damage limitation in place, such that the fines for a breach because there's a data loss going out there, we've got our arms around it and we know what that's going to be. So they can make provisions of the financial statements. Those are all response sides. They're not detect and prevent. So, again, we need to think more about the whole piece, not just the piece in front of us. And that's not necessarily everybody's forte. Karissa (17:59) Yes, so true. We talk about no one cares how long it took to protect something, but then I guess the role is reversed. Like, bad example, but you're in security and then you've got an account receivable. You don't want to care how long it took someone to get an invoice paid to the company because it's not what you do. Right, of course, like, everyone's like, no, we haven't got any money, we can't pay anyone. That's a problem. But until it gets to that point, everyone's like, oh, that's just part of what you have. I know it's a bad example, but I think it's sort of the same of, well, no one's going to care until it gets that level of criticality. Alan Jenkins (18:34) Look, I think that is a good point, but where my eyes and ears were open to it was when I was reporting to a CFO directly I was sat around the table with I think there were 14 of us, it wasn't 13, I think there were 14 of us and twelve of those were FDs financial directors, including the CIO, who was an FD on second. 
The only two were not were me and the head of procurement and of course the head of procurement talk numbers all the time so effectively the only one at that point who wasn't talking numbers. I was talking risks. I was talking red. Amber Greens was me and I had to adapt my language because of that audience but also because I recognised what my boss or CFA was interested in was numbers so that's where I shifted to putting value at risk what is the upside. What is the downside? What do I get for this spend? And that was. I suppose 2008. Forgive me. 14 years ago and that's where I started to find out about the value proposition and Porter and all of those things because I haven't done an MBA it's actually one of my regrets in hindsight I shouldn't done an MBA before I came out of the Air Force at the right age rather than recognising it too late but that's because of where I was at the time as opposed to where I have got to in terms of my audience change I moved out of the operational fighting fires that we all go through into that more strategic talking to the business. Alan Jenkins (20:13) Putting our budget request together for the next year. Talking to the board about what we're doing on a quarterly basis not just by exception talking about progress and improvements. Obviously. Inevitably talking about things that are happening both in the wider world but also closer to home in terms of incidents but you have to be mindful of the audience and adapt your language. Both your language in terms of tone but also in terms of content to reflect what they're interested in I am still interested in the level of detection speed and trying to move that needle so that we reduce the lag time between flash to bang to detect. I know that's important, but that's an operational metric, that's not a business metric. The business metric is are we reducing our response times on the whole as a trend over time? 
Because clearly one incident is not the same as the next so you can't do a direct comparison but if you take a step back and you look at the trend. So long as that trend is moving in the right direction. You're doing the right things and of course if it doesn't. Then you have to start investigating as to why what was odd about that incident. Alan Jenkins (21:31) What did we not get right? And no plans survived contact, sorry, there was a military slang there, forgive me, I'm guilty of the same thing using languages I come from the military world so I still find myself, as I just did hang on, stop. That doesn't necessarily work. Have to do the translation and that's the art of communication. And in fact this is unusual for me. I haven't done very many podcasts where it's radio and obviously through the last couple of years we've been doing it remotely through the screen. Karissa (22:09) Doesn't sound that way, Alan. Alan Jenkins (22:10) I have a face for radio, so actually this is probably my better medium. Karissa (22:15) Doesn't sound that way. Alan Jenkins (22:18) So my point here is I'm using my body language because I do that and actually I think better on my feet than I do sitting down. I've been told a number of times by my other half, you're going to wear a hole in the carpet as you're walking backwards and forwards. Well, some of that is because of where I started in the military, where you don't stand in one place, you don't stand out because you might get taken out. So you move. And whether you're in a command post or an ops room, you can't stay in one place because there are a number of people you got to talk to. But if you think about we all sit around the table, why is that? Well, actually part of that is because you then take height out of the equation. I have the advantage of being six foot two, but even I look up some people, but most people are shorter than that. Particularly as we're trying to attract more talent into what we do. 
Make it, if you're pardon the term, by making it attractive. To some extent we've got to make it sexier in terms of talk about the value, talk about the things that we can do, but we've also got to draw harder to find talent into the talent pool. Alan Jenkins (23:35) And at this point I'm not just talking about the gender piece in terms of bringing more women into the space. I have seen that improved but it's still got a long way to go. But we've actually got to bring in neurodiverse talent and not just because they're good at analysis, though they are. There is a correlation in the IASME team here in the UK have been working this along with others in recent years about taking people who are neurodiverse who otherwise struggle sometimes, in fact often to get into employment because they don't fit the common way of working in an office. But actually they're really good at analysing data. They're not necessarily data to scientists, they are good data analysts. And there is a correlation between maths and music that's been known for some time, but the likes of Alan Turing and his team at Bletchley back in the late thirty s and forty s breaking Enigma when you look back at who they were, they were a really diverse talent pool, including females, by the way. And the film the name escapes me at the moment, but with Bernard Camarader and others is really good. Alan Jenkins (24:52) It's a really good depiction. But there are some really odd characters in there, obviously not least chewing himself. We need more of that. So I don't want unfortunately, we don't yet have cloning, so you can't clone me. I want a team around me who are not, yes, men and women, but bring their own point of view from their own experiences, their own talents, because then we get the sum of the whole is greater than some of the parts. And that's what we really need to succeed. And unfortunately, I think the hackers are better at it than us a lot of the time. Karissa (25:28) Yeah, absolutely right. 
I think I like your tangents. I love a good tangent. So I think that that's good. Alan Jenkins (25:35) Sorry, forgive me for deviating a little. Karissa (25:37) No, deviating is always good because you're thinking, I took your head off the castle, or whatever you want to say. So I think it's good. And that's how we get the organic conversation. That's why I have the show, to really get inside people's mind. Okay, so we've spoken about the value, but you touched on a few things just there, which I'm interested in, which is, are we focusing then on too much, like, on the tech side of security, rather than what we sort of gain or what the business gains from a security perspective? So what I mentioned before, revenue protection, brand protection, those are the things the business gain if we do security correctly. Yes, but I'm curious to know what there seems to still be this dislodgement, like we're focusing too much on the tech and I'm interviewing any people on this show, and it's like we're not there to just do security. Right. We actually are there to support our business. I do believe in certain instances this gets lost, perhaps. Alan Jenkins (26:42) Yes, we do. And I'm going to have to define some terms here to explain where I'm coming from. Cyber has become a commonly used term for what we do, but it's actually not well defined. And there's some grey area in there that often I exploit, actually, because cyber is not well defined. I take advantage of that. But cyber is not the same as It security. It security is a subset of cyber, but cyber is a lot more. Cyber includes the human element. Cyber includes optimising processes. It is not just about configuring and hardening the technology in the infrastructure or secure coding done right in the middleware stroke app space. Cyber encompasses a lot more. One of the best ways of thinking about this, and forgive me, is the way the military thinks about this. Now, in terms of cyber is now the fifth domain of warfare. 
And if you're immediately going, it's the fifth, or what are the other four? Well, land, sea, and air and then space are the more conventional, if you will, four domains. Cyber is now the fifth, but cyber is the only one that touches each of the others directly and actually is an increasingly critical space in terms of the way warfare is conducted both offensively and defensively in those other four domains. Alan Jenkins (28:12) And actually, the special missionary operation, the war that's going on in Ukraine started by Russia, is a good example of this. One of the early things the Russians did was to hack the visa terminals, the satellite terminals that were commonly used in Ukraine to take them out of action, such that the passage of information was disrupted between Ukrainians military but also its civilian population, so that the Russians had the advantage they could use surprise and advance more quickly. Now, fortunately, that was not a winning strategy, but it was definitely a disruptive strategy back in February and March. So we've had some tangible examples now of where cyber is being used in warfare, but that applies equally in the commercial space in terms of why are we suffering so many ransomware attacks? Well, it's because the exploitation has impact across a business. But the means of exploitation, the insertion via an email, via clicking on a link, it's all too easy for the hackers to find one poor soul who does click. Perhaps my language is poor there, but the one poor soul, the unintentional insider who clicks on the link, they didn't mean to open the front door or the back door to the hackers, but they're busy. Alan Jenkins (29:42) It's one email amongst many. They don't necessarily pick up on the signs that if we've done our security culture piece correctly, that they should pick up on. There's always a human element here and I'm afraid there are still weaknesses in our human approach that we need to tackle. 
And if you don't mind caring, so I'll come back to that, because that's one of the things that I've changed in 25 years and I'm just mindful I might be losing my thread here, but the point about defining cyber being more than just It security is it's not all about technology. You have to do the people and process, but people don't think of it that way. So part of the problem with our reporting chain of the CISO and all the cyber security sector team reporting into the CIO is that you're positioning what we do in that technology stack, and that is not helpful. But businesses, large and small, they can't necessarily adopt the three lines of defence because that's an overhead that they just can't support. So we've got to be a little agile of it or with it. But I'm not a fan of the CISO working into the CIA. Alan Jenkins (30:55) I don't think it's the right positioning. The angle where I think becomes most obvious as to why cyber security isn't just in the It space is the people element. You've got to take your people, your colleagues, your staff on a journey, but recognising that security is not what they do for the day job. So we're asking them to. Be aware, look out for these things, when, to your earlier point about the accounts payable team are absolutely just focusing on invoices purchase orders, chasing up the bad debtors, that's their day job. But if we don't make them aware not just aware. But if we don't give them the right tools and nudges as to what to look out for when an account is changed and addresses changed. That's why business enabled fraud happens. Because they're not thinking in a security manner and this is the heart of the problem and it comes back to some extent in terms of our mindset and security is atypical is abnormal compared to the rest of society. I find myself managing risk in pretty much everything I do. 
Even today, I'm thinking, right, I'm headed into London later, but actually it's going to be a long day, I'm going into a conference for the day, but I'm going on to a dinner this evening. Alan Jenkins (32:29) As simple as, Right, do I take a raincoat with me or do I just rely on an umbrella? But not to have either with me would be unacceptable risk, given the weather forecast and the fact that we're now into autumn. So I'm immediately thinking about what can go wrong, as opposed to the sun's going to shine all day because it's shining at the moment. Most people will go for the positive and they'll take the risk. We don't tend to. Sir, I have an umbrella in my backpack even through the summer because we get summer showers. That's not how most people operate. That's a human characteristic, if you will, that I've become more and more aware of as the years have gone by. So my earlier point, about 25 years ago, when I was late 20s, actually stationed security officer. I was the head of a 40 strong team, including dog handlers, at an air force station in North Scotland. Probably best tour in my military career because it was my team. We had four squadrons of aircraft, two helicopters, a long way from headquarters and a beautiful part of the world. It was just brilliant, two years. Alan Jenkins (33:45) But when I started, I thought it was all about fences, dogs, active security measures, counter intelligence work. We were doing some early stuff in computer security, and the security education, which was on the list of things to do, was probably 10th on my list of top ten. Today, it's probably in my top three. And actually, if I think about what I'm trying to do in terms of influencing a customer or a board or an investment team or even a startup, actually, that probably means it's number one, because I'm trying to influence them to operate in a more secure way than they would otherwise do without my influence. 
Now, that's a long way from security education in terms of "what should you do? This is how to do it. Do not do this," which was the old, traditional way. I'm not a great fan of that anymore, but you've still got to give guidance, you've still got to establish guardrails. But somehow we have to nudge people to do the right thing. People still give their passwords away for chocolate, for the price of chocolate. It's shocking, but it happens. Why? Because people value the immediate reward of a chocolate and they don't recognise the consequences of giving away their password.

Alan Jenkins (35:13) Now, they might do if that password is to their bank account, but they don't recognise that using a common password across all their accounts is a single point of failure. So we have to work with them. And then you get into the "so where do I secure that password? Do I write it down?" Yes, you could write it down, but make sure it's written down in a slightly obscure fashion and not left on a Post-it note on the whiteboard in front of your screen. And it's those sort of detail pieces that the majority of people don't consider, because it's not the way they think. Influencing them to operate in a slightly different fashion than they're comfortable with is something I spend a lot of time doing. But actually I'd like to get into the schools to do that, because you need to get to people as young as possible, such that it becomes habit. Rather than requiring their conscious mind to do it, you need to get it into their subconscious. But at that point, I'm potentially into brainwashing and otherwise indoctrinating people. But why do I operate the way I do? That's a damn good question, and others have asked that question a lot.

Alan Jenkins (36:32) My father was a chartered accountant, my mother was effectively a secretary, but she was bilingual, French and Spanish as well as English. And unfortunately, that didn't carry over to my brother and me.
But interestingly, my brother and I both went into the military. My brother went into the army and military intelligence. I entered the air force. Initially, I wanted to fly; eyesight got in the way, so I had to find something else to do. I did a degree in electronics and systems engineering, but didn't finish it, and found my way into security, which hadn't been an option for me at 18, but opened up when I got to 20-odd. And by 22, I found myself as a flight commander, in charge of nominally 35 live-armed policemen, and subsequently women, looking after a third of the Air Force's nuclear weapons. Success was defined by nothing happening. That's where my people skills, if you will, started, or certainly in terms of practical effect. And then my tour up in Scotland, where security education was tenth. And then working with CFOs. It's been an interesting journey, and one of the things I've taken to more and more, and I will do next week and I will do in November,

Alan Jenkins (37:48) is sharing that experience with the next generations. Because, unfortunately, I'm in the old guard these days. I still don't think of myself that way, but that's the realistic label. I've got to find a way to transfer my experience and knowledge, both good and bad, to the next generation, because we can't afford for them to take 30 years to get to the same place. We just can't afford that. And it's one of the reasons why I'm on here, to share that knowledge more widely. Not because I've got all the right answers, because I've got things wrong over the years, but I've tried very hard not to repeat mistakes. And that's something where we have to be agile, we have to adapt, we have to communicate better, not just internally, but externally. We have to share what works as well as what doesn't work.
But we've absolutely got to be positive about the difference we can make from doing our day jobs, and make it sexy to draw the talent into what we do, because I'm going to be retiring in the foreseeable future, five to ten years or so, and the job won't be done.

Alan Jenkins (38:58) Security is about, again, forgive me, I'm going to finish on the definition here. In a sense, security is about enabling people and organisations to operate without fear of interruption. That's almost a textbook definition of security. And thousands of years ago, it was about making sure they got running water, they got food and they got a wall around their homestead or their village or their town. Well, to some extent, we need to be thinking that way in cyberspace, but the days of a secure perimeter have gone. I am going to throw that zero trust buzzword in there, more to illustrate that the world has, in some senses, actually got riskier as we've become more connected. I was talking about the IT security team, but actually we need to be talking about operational technology and securing that. And then I think we've got to get closer to the safety case people, because the consequences of getting a mass transit system or an airliner or an elevator wrong, for whatever reason, and it could be down to a cyber attack, start to affect people's lives. That's kind of where we're at, without getting too pessimistic about it.

Alan Jenkins (40:18) But we've definitely got to get better at operating securely in our connected world.

Karissa (40:25) No, really great points again, because I think that's what I do. So we don't all have the right answers; we've got different experiences, whether it is 30 years or whether it's three years. There's still a level of insight that people may have that perhaps others may miss. I'd like to maybe end on this question, because I'm obviously conscious of your time, but how do we encourage people to focus on the value side of security?
We've peppered this throughout the conversation, but is there anything that stands out for you? I'm asking you this question because, again, I think that we talk about the value side of security, but then what does that mean? What is the value?

Alan Jenkins (41:12) The value is about engendering trust. Trust is a slightly intrinsic term. It's not necessarily tangible, but it affects everything we do. A few years back, on day one in role as the first Group CISO at a FTSE 100 company, I hadn't even finished my onboarding and I got told I was chairing a crisis meeting at 4:00, in about two hours, because we hadn't cleared the attackers out, or they hadn't cleared the attackers out. So we had to get around the table and work out what we were going to do next. And we couldn't play Whack-a-Mole. We had to do something a little bit, a lot, more strategic and a lot more expensive. And that was the start of a very fun seven months for me. Not just the security team, by the way. We pulled in the IT team, finance team and beyond. It became a real collaborative effort across the support sides of the business, but I also had to make sure the business and leadership were on board. And why was that important? Because they were getting some bad press, not necessarily in the published press but certainly in their customer space. That wasn't helping the business conversations, because the customers were aware that we were in the wrong place, and it was affecting the signing of new business.

Alan Jenkins (42:46) So keeping the business leadership on board with what we were doing in terms of improvement, where we were going and when we were going to get there, was critical to success. And when we got there, when we had the Big Bang weekend and we took out the 21 compromised assets and plugged the new ones in, and we changed our passwords and introduced two-factor authentication and all of those things that we now think of as normal.
But I can assure you, back in 2013 it wasn't quite so normal, and it certainly wasn't cheap. To get that call from the West Country some three or four weeks later that they had detected no sign, no indications of compromise, and to be told we were the first defence prime to close our incident ticket, that was a strategic success. Not just for me and my team, but for the business, because it meant the business could then go on to the front foot with their customers and say: yes, we've had a lot of work to do. This is where we're at, this is the third-party validation, so don't just take my word for it. This is where we're at, and we're going to continue and we're going to maintain the defences so you can trust us again, and perhaps you should ask some questions of your other suppliers as to whether they're in the same place.

Alan Jenkins (44:03) And that changed the business conversation from "okay, we're throwing money at security but we're not quite sure what we're getting into" to "we're getting a benefit out of this," and they started to win more business. And what effect that had for me was that, in the course of that, I became aware, as you do from the water cooler conversations and such like, that there was a major acquisition in the offing, and actually that acquisition closed about six weeks after we'd recaptured our network and all of those sort of things. But that was coincidental in some senses. But actually there were two acquisitions that happened in December. One was that the outfit I worked for had been working with a third party in the forensics and specialised security space, and my employer went and bought that outfit, because they decided if we're spending a lot of money with them, we might as well spend money with ourselves.
But it also opened a conversation into the major business acquisition, where I got into the due diligence team and we were able to do an external view of where they were at, and realised that they had a watering hole incident on their website, so they were probably compromised.

Alan Jenkins (45:22) So actually we wanted to get in and do a compromise assessment of them before the deal was signed. That wasn't allowed. But what the acquisition team did do was put more money into the contingency part for the transformation of their business, to match what we'd just been through over the previous seven months. It turned out that the additional money and contingency wasn't enough, but at least it gave us something to work with in those early days, which we wouldn't have had if I hadn't been talking to the business about what we were doing, why we were doing it and what we were going to achieve from it. So that conversation, that activity, proved the value of security for the first time to those business leaders, because they'd only ever thought of it as IT security and in the cost space. I've not been able to talk about that as much as I would like to at the detail level, because to some extent there's embarrassment in there, there's that recognition that you had things in the wrong place and you had to change, but that's now much more common than it was ten years ago.

Alan Jenkins (46:32) But that's where my value story is, and I'm soapboxing to some extent; that's something we in security need to do more of. We need to talk about our successes and be more positive in our communication.

Karissa (46:49) Yes, you absolutely are right. We need to try to have more positive thoughts, and I get the reason why things did come across as negative. I think you've raised really good points around revenue protection as well as brand protection, as well as, when we're speaking to these people, ensuring that we are tailoring our language and the words that we use to people as well.
It's not just painting them all with the same brush. So I'd definitely love to get into another interview, to go into some of your other experiences that you've had, because 30 years cannot be condensed into, what, 49 minutes or however long we've been speaking so far. So I wanted to thank you. Thank you for your time and thank you for your insight as well. Because, again, there isn't an easy answer or an easy way to approach this. But again, that's the whole reason I have the show, to get people like yourself on to share your thoughts, your experience and your insight. So thanks very much for your time and I look forward to it again soon.

Alan Jenkins (47:56) I appreciate you, Karissa. If I've helped the listeners in any way, then I'll put that down as a success. But there isn't one right way to do things. There are lots of wrong ways to do things. And we need to share what works and what doesn't work so that others don't repeat mistakes. Everybody makes mistakes, but repeating mistakes, not learning from others, that's a cardinal sin.

Karissa (48:22) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by MercSec, the specialists in security search and recruitment solutions. Visit Mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI.Media, the Voice of Cyber.