Experts at IP Expo Manchester discuss their security priorities

Numerous stands are scattered throughout the conference floor at this year’s IP Expo Manchester, most promoting ‘the next best security solution’ to keep consumers safe in a multifaceted threat environment.

But cutting through the myriad of choices – and the inevitable onslaught of buzzwords – is often easier said than done, particularly for a company that’s just waking up to security awareness.

“Looking at what the vendor is going with is the last thing that you should be doing,” said Dave Lewis, advisory CISO at Duo Security, speaking on a panel at yesterday’s conference.

“You have to define your risks and determine what you’re trying to achieve before you even talk to the vendor.”

Lewis was joined by three other industry gurus who reflected on their individual experiences of building successful security teams to fit in with the current climate’s needs – often from scratch.

Jon Hawes, head of detection and security innovation at Photobox, said that the most difficult thing was recruiting the right people.

“Do you have people that can get to a level of abstraction where they can understand that businesses are complex systems, that we’re trying to implement controls, and thus friction, into?” he said

“If you don’t have people that can bring that kind of thinking into your environment and inform the way that you take decisions then you will fail, because you will not understand the overall architecture of the business that you’re working in.”

Better metrics in data science, coding, and diplomacy were other traits that Hawes recommended that security team leaders have.

“Product management is massively underrated,” he said.

“What we should be doing in our PoC (proof-of-concept) is taking that solution, putting data into it, getting data out of it, sucking it out of an API, and putting it into some analytics that we care about – not the crappy dashboards that they [vendors] give us.”

All panel members placed a huge emphasis on the ability to work across departments to get the best results and, more importantly, to get the job done.

“You will need people who can work with coders, who can work with vendors, who can get vendors on your side,” Hawes said.

Matthias Maier, a self-described security evangelist at Splunk, works with many different organizations at various levels of implementing security operations.

“We try to hire for cultural fit,” he said.

“So this means that they are creative, open to new ways of doing things, are hungry to learn, and can collaborate with a team.”

He added: “It’s something that I’m seeing with customers more and more.”

Maier also highlighted how the experienced companies have started to become more transparent about their own security practices over the years.

“Even big organizations like banks who, in the past never shared anything that they did on the IT side and the security side, are going to conferences and speaking about how they do cybersecurity and the tools that they’re using,” he said.

For Greg Iddon, senior security specialist at Sophos, hiring for cultural fit translated into simply possessing the right attitude.

“It’s about having [the right] mindset,” he said.

“If you’ve got somebody who has the capability to read, consume knowledge, and take that on board, you can develop people – you can’t really inspire people to be proactive, inquisitive individuals.”

A lot of those qualities can come from non-traditional security areas, Lewis said, particularly when it comes to integrating basic procedures from the start.

“Folks can be specialized in one thing, but without any experience and dealing with the core fundamentals,” he said, listing off protocols that tend to get skipped out of boredom of laziness, such as patching and log management.

“Making sure that people are focused on those core fundamentals – [that’s] one of the things that I would look for when building a security team.”

RELATED ‘These are not services – these are architectures that operate in society’