A Doctor of Law and subject matter expert in cyber governance and risk mitigation, Rois Ni Thuama is Head of Cyber Governance for Red Sift, one of Europe’s fastest-growing cybersecurity companies.

Working with key clients across a wide market spectrum including legal, finance, banking, and oil & gas, Rois writes and presents on significant cyber threats, trends, and risk mitigation strategies.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

Sure. I grew up in Cork. Then I spent some time making music videos and documentaries in Africa before coming to London. I got a job working for Shazam, the music recognition app, and fell in love with the startup scene. I’ve worked almost exclusively with startup firms since. I’ve also had the opportunity to work for some really large firms as they were creating new departments or working on novel projects. My doctoral thesis is in corporate law, specifically looking at provisions in the Companies Act 2006 relating to electronic communications.

Corporate governance was already huge, but firms had not yet caught on to cyber governance. As cyberattacks are the primary source of significant losses for firms, it was clear to me that defending firms and helping them to preserve value by implementing sensible solutions was going to be critical. Cyber governance is not yet a hashtag, but it’s my mission to make it so.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

To Kill a Mockingbird had a profound effect on me as a kid because of the sense of moral, social justice, and fair play throughout. The overarching theme of telling the truth even though it might be upsetting for others, moral courage and doing the right thing had a huge impact on me. It’s a great book and has probably launched more legal careers than Treitel on contract (a very small joke for lawyers).

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Years ago, I worked at Shazam with some phenomenally smart people. Then a few years ago, I learned that these same people had pulled together to build a phenomenally smart platform. With this smart platform, it would be possible to address the most significant cyber threats. The line that hooked me was when our CEO Rahul told me that the vision was ‘to solve the biggest cyber problems’. My only question was where do I fit in?

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I don’t know if this is funny. I certainly wasn’t laughing then, but it was a dumb mistake that I’m willing to share.

I’d secured a chat with a CISO at a global firm; he had good reason to talk to me. The firm had a lot of UHNW clients whose data he needed to protect, and the firm was especially vulnerable. Throughout the call, I kept saying yes Jim, you’re right Jim. I know Jim. How about this Jim? Dammit Jim, I’m a doctor not an engineer. I never actually said that. Anyway, to make a long story boring, his name was not Jim. I learned three lessons that day. 1. Double check someone’s name before you use it liberally, and 2. Lack of attention can kill a relationship before it starts. Jim never took my calls or responded to a single email after that. Spoiler: the firm remains vulnerable.

The final lesson is that even though people in leading roles have clear tasks, duties, remits, and responsibilities, they are still human. The price of poor communication means this firm remains extremely vulnerable.

Are you working on any exciting new projects now? How do you think that will help people?

Yes. It’s in its infancy so I can’t share any details. But I can tell you that it will help people because we should be able to drive down the instances of cybercrime based on the insights we derive from the data.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

Lawyers are stepping up.

It is right that professionals that you hire to help you protect and defend your firm are joining the conversation. Lawyers tend to think in terms of defensibility: how can we defend this firm, this decision, these assets? That means they already have the right mindset. You can avoid the problem by considering how things might go wrong in the future and ensuring your firm has the right policies, protocols, people, and tools in the right place that are doing the right thing.

Regulators are stepping in.

The EU is introducing a package of digital measures to enhance operational resilience of the financial services sector. It’s a clever bit of legislation that will have broader implications for other global firms.

Boards are stepping out of their comfort zone.

Boards recognize they must learn more about cyber threats and cybersecurity. Boards are adapting to the new order as it gives them a competitive advantage — good cyber security is central to their business’s strategic imperatives and they acknowledge that buy-in from the top is vital to ensure that the right tone is set.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

My overarching concern relates to the amount of noise in our industry. There’s a huge amount of information and not all of it is good. You must select the right information to pay attention to. You can easily sense that a problem exists before you fix it. Rely on the Intelligence Community (NCSC or FBI) to verify that it is a significant threat. In short, rely on trusted independent experts. A lot of the large firms associated with risk management make their money after an attack. This means that providing sound advice to avoid the attack in the first place is a conflict of interest for those firms. If a firm makes money in the aftermath of an attack on your business, don’t rely on them for good preventative advice. It seems that everyone wants to be at the command center on the Starship Enterprise, whereas the reality is a lot of good security can be achieved by taking a methodical approach. Don’t think bling! Think belts and braces.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

The rise of e-Tort or cyber liability is going to become increasingly problematic for firms trying to navigate their way post attack.

Large law firms are gearing up their teams to start engaging in this conversation to protect their clients. While law firms want to protect their clients, the other side of this coin will be for law firms to seek to recover for damage or losses incurred because of another’s cyber negligence.

This means that in the event that a firm suffers a cyber-attack, they will need to deal not only with the traditional issues like business disruption and remediation but also civil suits potentially in the form of class actions.

This will especially be the case where the following elements are met:

1. The threat is well known, understood, and reasonably identifiable.
2. The solution is well known and understood, or recommended as a global industry standard solution (see NIST, National Cyber Security Centre), and affordable and proportionate to meet the threat.

Until now firms have avoided censure and liability by either claiming that (i) the attack was conducted by a sophisticated actor (i.e. a nation state) or (ii) that the attack was sophisticated.

However, this is rarely the case. Most attacks are not conducted using advanced methods. In 95% of attacks, it begins with phishing or business email compromise. Or, as was the case with Colonial Pipeline, an administrative oversight: failing to change the password of an employee who had left the business. All of this speaks to cyber negligence, and firms, investors or shareholders that suffer losses may well seek to recover.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I can tell you a story about our client who was able to avoid losses in the region of 500,000 dollars.

This client, a global energy company, implemented OnDMARC to protect their email. When a firm paid out on a bad invoice, our client was in the clear and able to avoid losses and a potentially lengthy and expensive legal battle. The loss lay with the company that had failed to take adequate care. Had the other firm taken a few sensible measures, they could have sidestepped this technically trivial cyber-crime and avoided the financial loss.

Assume that your firm or one of your suppliers will be attacked. Then ask yourself: Are you able to robustly defend your decisions? No one will expect a firm to be able to defend against the next Stuxnet, but they should be able to defend against well-known threats.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

1. MFA for everything.
2. Passwords are a minimum of 12 characters.
3. A universal password manager (UPM) to store my passwords.
4. OnINBOX to do the heavy lifting on inbound attacks.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Good question. I’m going to assume two things. Firstly, that you haven’t stored all your passwords in a word document for the bad guys to harvest and use at their leisure. Secondly, that you have implemented multi-factor or two-factor authentication.

If the bad guys are busy in the background, they are diverting operating system capabilities so you may find your system is unreasonably overloaded and appears sluggish. Another good indicator is that you get pinged by SMS or some other multi-factor authentication apps and you can’t account for it. You may inexplicably have to deal with random pop ups. If you can recall the hell that pop ups used to create, you will have a Pavlovian response to this.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

There are lots of things to do in advance, including tabletop exercises which would identify any areas for concern. And of course, firms need to have a workable incident response plan and a jump bag ready.

But your question relates to what can be done once the team has confirmed that an attack is underway and when standard malfunctions are ruled out. As soon as the attack is categorized as severe then the priority must be to stop the attack from spreading. Two top tips:

1. Isolate the devices by blocking connectivity. In other words, switch it off. Quickly.
2. Shut down systems and reroute components.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Failing to categorize assets as essential. Email is an essential business tool. Emails often contain commercially sensitive information. Email is also the easiest way into a business. In fact, insecure email is the starting point for 95% of targeted cyber-attacks. Yet less than 2% of 49 million apex domains surveyed have implemented the global industry standard protocol DMARC to protect their brand, email, and reputation.

The 2nd big mistake is simply a failure to do the basics. In real life, firms might augment their physical security with a team of expensive specialists, but they would still shut and lock their doors and windows.

In the cyber world, the information security team often introduces expensive security solutions but fails to do the digital equivalent of shutting and locking the doors and windows. That just never happens IRL. I don’t know why it’s tolerated in the digital world.

But it happens more often than you’d hope or expect.

To avoid or correct those errors you must rely on trusted, independent experts like the National Cyber Security Center (NCSC) or the FBI and address known significant cyber threats as a priority.

Always prioritize basics first, then augment or build on a strong foundation.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

All I see is amazing women in this sector.

Take Lindy Cameron, CEO of the National Cyber Security Centre here in the UK. It’s a first class, world leading institution headed up by a woman. Professors Angela Sasse and Melanie Volkamer are working tirelessly to champion sensible solutions that will protect firms and people.

The City of London Police has a phenomenal woman, Angie Cameron, heading up their cyber side in the role of Assistant Commissioner.

My network is full of fabulous women: Nicole Keeley, Head of Cyber Security Oversight at the Civil Aviation Authority; Deborah Haworth, Chief Information Security Officer at Penguin; Kirsty Kelly, Head of Cyber Digital Risk & IT Security Team Leader EMEA at Nomura; Hope Chauland, Product Marketing Manager at CallSign; and Mimecast’s Eliza Hedegaard, who has probably done more to secure the legal sector than any other single individual.

And of course, I work alongside phenomenal women at Red Sift. For example, our Chief Marketing Officer is cool headed and competent. Her role requires clear thinking combined with in-depth product knowledge to communicate complex cyber security issues to non-technical audiences. Kudos to Clare Holmes.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

That you can solve a technical problem by training people. The cyber threat landscape can be divided into 3 categories: traditional crimes that have found a home on the internet, true cybercrimes, meaning ones that affect the computer, and a hybrid of these two types.

If it’s a true cyber crime, you need to give the computer the right tool for the job. Humans are not firewalls or filters. I’d like to see firms stop blaming their staff for something that they shouldn’t be tasked with in the first place.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

1. Speak to your area of expertise and then yield the floor. You cannot know everything in cybersecurity. There’s just too much information and to tackle it requires cross disciplinary engagement. I attended a meeting where a leading global law firm assembled their team of experts. Each expert then stayed on their own message to interrogate the utility of a solution. They were able to make a sensible decision quickly because they could assimilate the information and apply it to their own business. Ultimately, they were able to manage a significant threat quickly and efficiently.

2. Continuous learning is essential and leaders are learners. There are plenty of sectors that are not dynamic and where progress or innovation is slow. Cybersecurity is not one of them. Be prepared to apply yourself to continuous development. I follow the experts on LinkedIn to shortcut my learning because I can’t do the heavy lifting on a myriad of topics. Rely on other experts.

3. Address mistakes, don’t compound them. No one gets things right 100% of the time. Recognising a mistake and then taking steps to remedy that mistake falls to leaders. Leading isn’t just about figuring out the successful routes, it’s acknowledging that other routes are not a good fit for the business. You try, it works, keep doing it. You try it, it doesn’t, you stop. Simple. Where things have worked in our business, we have brought more people in to do that work.

4. Everything takes longer than you think, even when it’s a no-brainer. However excited you get about a stellar idea that will materially impact a business’ ability to defend itself, you need to calculate in personalities, politics, processes, and business culture. Even an internal champion with a bomb proof business case can get stuck in a budget committee reluctant to see the value in the proposition.

5. Look after yourself. It’s easy with Covid and Working from Home to work through lunch, to start early, to finish late. Don’t do it. Breaks are vital. Read a book during your lunch hour. Listen to a podcast, take the dog for a walk. Sit outside and phone a friend. Be disciplined about looking after yourself. People who are rested and happy are more productive.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

It would have to be Lindy Cameron, the new CEO of the National Cyber Security Centre, to find out how she’s getting on in her new role, learn about any new challenges they’re facing, and discover how she plans to improve on an already first class organization.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!