EP05: Battlefield to boardroom - what cyber security lessons can we learn from the military?

00:00:05:11 - 00:00:40:10

Andrew Rawlins

Hello and welcome. You are listening to the Tech Leaders Podcast brought to you by Mazars. This is the podcast where we take technology topics and discuss how business leaders can tackle them. I'm your host, Andrew Rawlins. Catch all a privacy specialist in technology and digital. And we'll be talking throughout the series with industry guests, specialist speakers and subject matter experts about how businesses are tackling the latest tech developments and challenges whilst minimising risk and ensuring security and regulatory compliance.

00:00:40:10 - 00:01:06:11

Andrew Rawlins

At Mazars, we believe technology can help businesses both large and small help improve and advance their operations, improve productivity and growth. And so we look forward to sharing our knowledge, insights, practical tips and how businesses can leverage technology to gain that all-important edge. And now on with this week's show.

00:01:10:10 - 00:01:36:19

Alex Miller

Hello everyone, and welcome back to the Tech for Leaders Podcast with Mazaar. For our returning listeners welcome back and to our new listeners thanks for joining us. I'm your host, Alex Miller. I'm an Ethical Hacker and Red Teamer. Which means that I break computers and computer networks for a living to help customers understand their cyber risk. In today's episode, we're going to be exploring how we can counter cyber threats using military strategies.

00:01:37:19 - 00:01:50:16

Alex Miller

How does traditional warfare vary to cyber warfare? What can industry learn from this? To discuss this topic, I'm thrilled to be joined by Chris Parker MBE, Director of Government Strategy at Fortinet. Welcome, Chris.

00:01:50:19 - 00:01:51:03

Chris Parker MBE

Thank you.

00:01:51:15 - 00:02:07:09

Alex Miller

Chris is an experienced military officer and has 15 years business experience spanning the oil and gas sector, major construction projects and cyber security. Welcome, Chris. Really excited to have you here today. Thank you so much for taking the time out of your schedule to join us.

00:02:07:22 - 00:02:08:07

Chris Parker MBE

Thank you.

00:02:09:06 - 00:02:25:07

Alex Miller

And I'm sure our listeners are familiar with Fortinet. But just as a reminder, they’re a multinational cybersecurity vendor and have just been named as leader in the Gartner Magic Quadrant for the third year in a row. So congratulations on that.

00:02:25:07 - 00:02:26:04

Chris Parker MBE

Thank you. Thanks.

00:02:27:00 - 00:02:35:15

Alex Miller

Perfect. So we'll get cracking then. Chris, I wonder if we start with your military career. How did that lead you to Cyber-security, was that an obvious transition?

00:02:36:12 - 00:02:53:21

Chris Parker MBE

Well, for me, there's a bit of a gap. But when you look at the two industries, effectively, it's about when you're in the military, whatever level in the military or whatever job you do, it's about managing risk. I mean, even if you're not on operations, you're in training or you're in some other role, you're effectively part of the risk management process.

00:02:53:21 - 00:03:08:19

Chris Parker MBE

So when you think about that and you drop those skill sets into the cyber world, it's actually quite a neat fit. And it's a big push at the moment, including with Fortinet, to try and convince quite a lot of veterans to think about cybersecurity as a career because of course, there's a skills gap.

00:03:09:12 - 00:03:14:14

Alex Miller

I've certainly worked with people on the Tech for Vets scheme and there's been some amazing talent come through that.

00:03:15:02 - 00:03:32:13

Chris Parker MBE

It's a great scheme and I think the thing is it's confidence. A lot of it is confidence where people feel “No, that can't surely be me?”. But actually it is because not everyone in cyber has to be a coder. I mean, it's only got about 20% of people that have to be in that coding level. Other people are in various roles, could be sales, it could be design, it could be customer relations.

00:03:32:19 - 00:03:37:17

Chris Parker MBE

There's lots of things where you have to have an understanding, again, of the risk management process. So it's a really good fit.

00:03:38:12 - 00:03:56:07

Alex Miller

And I suppose the military themselves have been tackling wide-ranging, ever-changing threats for a lot longer than the cybersecurity sector has. I mean, you mentioned to me that your regiment is over 400 years old. Wow. So what principles do the military use when tackling and analyzing these threats?

00:03:56:08 - 00:04:19:12

Chris Parker MBE

I think it's, we all know that security sort of has three parts, doesn’t matter what what role you're in in security, could be in physical security or in cyber security. Effectively, it's about some equipment or technology. Then there's the processes which are really important and the people which of course are vital and really important to things. So in terms of the way that the military evolves and you think of 400 years, for example, the evolution of that knowledge process building up.

00:04:19:20 - 00:04:38:22

Chris Parker MBE

So you can imagine that the people might change and the equipment might evolve, but the processes are absolutely fantastic and the processes evolve too, but they're based on really sound and proven principles, making sure you mitigate risk. So that's why particularly the processes in use in the military are really worth looking at for cyber security.

00:04:39:17 - 00:04:59:00

Alex Miller

And I wonder how the attribution of threats plays into that. Am I right in thinking the military threats, particularly of nations, they're they're pretty well understood and documented, whereas in cyber these capabilities are much less and are much more unknown, I should say. Is that just because they're newer or are where do you think that's heading?

00:04:59:01 - 00:05:20:22

Chris Parker MBE

I think is part of the evolution, isn't it, when you have the threat evolving and we've seen that in conventional warfare, the evolution of threat and the dawn of the tanks, which took over from the horse. In all those sort of famous big revolutions in military affairs as they're known, but I think for the problem with knowing where that threat is coming from, that just means, and again in a military mindset, the huge need for intelligence.

00:05:20:22 - 00:05:39:12

Chris Parker MBE

So proper refined information to make intelligence and threat intelligence is an enormous fundamental in cyber security to make sure we're aware of not only where the threats might come from, but what sort of threats they are, and actually being really clever, thinking about what might be coming next because no one wants to get caught out. You've always got to overmatch the target.

00:05:39:21 - 00:06:01:20

Chris Parker MBE

And that's very much the same in in the military philosophy. But that can have problems as well. But you can't just keep throwing resources at it in a limited resources world. You know, if you're in the financial sector, you might have a bit more budget than perhaps a public sector local council. But the reality is you've got to keep over matching a threat and you've got to know where you where you put your assets and your resources.

00:06:01:20 - 00:06:22:00

Chris Parker MBE

It's a choice. So you can take it to something like military protection, maybe take a tank. So there's always this huge issue with tank armour that, yes, you could make it more and more thick, but that makes the tank heavier and more cumbersome. So you have to have a bigger engine. And if you have to have a bigger engine, that makes it even more cumbersome and thirsty and everything else.

00:06:22:10 - 00:06:38:23

Chris Parker MBE

But also, you perhaps want to have a bigger gun on the tanks, got to have a gun on it as well. So you have this cycle in the form the thing gets bigger and bigger and bigger, whereas actually the reality is moving around quite fast is actually quite a good way of staying alive on the battlefield and agility in cybersecurity.

00:06:38:23 - 00:07:03:19

Chris Parker MBE

So simplicity, the ability to respond is the same thing. So it's actually this practice combination of having equipment but also good processes and good people and keep blending that and refining it to make sure you get the right mix. But it is that response to the threat you've got to know, which is why certainly Fortinet and other companies in the industry are really strong on threat intelligence, because that's the most important part of finding out what you need to do.

00:07:04:06 - 00:07:27:03

Alex Miller

Yeah and I guess we are kind of classifying and monitoring threat intelligence in a more strategic way in the industry through APT groups, which for our listeners that stands for Advanced Persistent Threats. And it's a kind of mechanism for classifying threat actors based on their behavior and their capabilities. So is that a step in the right direction towards kind of the traditional military strategies?

00:07:27:03 - 00:07:48:00

Chris Parker MBE

I think it is. And it really I mean, that sort of mentions what we perhaps term something like strategic threats is some things which are very high impact and APTs advanced persistent threats. I mean I always say to people, it does what it says on the tin. So they're advanced. It's very high and technically capable threat. But also that persistence is something that is really hard to get rid of or avoid.

00:07:48:00 - 00:08:08:02

Chris Parker MBE

They're coming at you and they're coming at you in ways that perhaps haven't been done before. So it's really the hardest part of threat to fight against in the cyber world. But what does that mean? Again, in the military principle, you always match the worst opportunity. You always think about the worst scenario. And if you're ready for that, then if you roll back from that, then everything should be fine.

00:08:08:14 - 00:08:32:12

Chris Parker MBE

But there is of course an example where if you are a small local business based in a small town in the UK, you don't really want to be resourcing against advanced persistent threats because it would be nice, but you won’t be able to necessarily afford it. So there's a balance of risk and perhaps those smaller users and perhaps even smaller public sector areas are becoming again, a bit like the agile tanks, the ones that are lighter moving around on the battlefield faster.

00:08:32:18 - 00:08:53:23

Chris Parker MBE

So perhaps they just can't be seen as much as a big organization such as an oil company or a financial institution or a government department, something big, big to attack. So this Advanced Persistent Threat thing won't go away. But that's something again, that threat intelligence, we're constantly watching that, monitoring it. At Fortinet, we do it all the time to make sure we're aware globally of any new threats that emerge.

00:08:54:05 - 00:09:23:01

Chris Parker MBE

And of course, the important part about having any intelligence is sharing it. I mean, it really is in the militaries, nothing worse than you finding out someone's been hit or had a casualty. When someone knew about something that was going to happen and just didn't share it. So we have automated threat intelligence being shared through all our systems in Fortinet, and those systems allow users to see and if I had that in the military in the days when I was in the military, that would have been incredible to be able to see everything on one screen and know that everything's automatically being secured.

00:09:23:10 - 00:09:31:02

Chris Parker MBE

That's that's heaven. So there's some great technology going on now which allows us to always stay ahead of that threat, which is really important.

00:09:31:14 - 00:09:52:05

Alex Miller

And how should business leaders be narrowing down that threat intelligence? I think sometimes the threat landscape can seem overwhelming. It's so large, as you said, if you're a small organisation, APT groups are probably not something, as you said, you want to be concerned about the threats too overwhelming and it's not reasonable. How should businesses narrow that.

00:09:52:06 - 00:10:11:19

Chris Parker MBE

It comes becomes one word really automation. I mean you cannot cope with it. The amount of stuff coming out, some of the customers today out in the market may be getting thousands of attacks a day or a week. I mean, it's an enormous level to cope with. And so automation has to go there. But in the military analogy, that's what happens in the military world as well.

00:10:11:23 - 00:10:29:13

Chris Parker MBE

So if you take warfare at sea, so you now have had missiles coming in or you might have a bomber coming in to try and take out your warship, then actually automated systems have been going for quite some time. People have seen the videos on YouTube of these amazing guns that come out and shoot down the the missiles coming in.

00:10:29:19 - 00:10:47:03

Chris Parker MBE

But again, they're they're refined very well. It's high tech stuff because you don't really want to be harming a seagull that happens to be flying past because that's not particularly fair or environmentally friendly and it's also a waste of resources. So things have to be tuned appropriately. So automation has to be there and that's based on good integrated systems.

00:10:47:16 - 00:11:10:05

Chris Parker MBE

But also the rise of A.I. artificial intelligence has allowed the tuning of that system to constantly be there, a learning process so that the correct response can be matched to the correct threat always and very swiftly, day and night. So that I think is the most beautiful advance in cyber security because it doesn't rely on the weakest part, which is us human.

00:11:10:05 - 00:11:24:16

Chris Parker MBE

Because I mean, I have to sleep, I have to go and have a party some time and sometimes I may be feeling a bit ill or at work and I can't really perform to 100% level. But an automated system, pretty much, is always there day and night and that's what's the best security people can get.

00:11:25:19 - 00:11:54:09

Alex Miller

And as part of these improvements to the kind of technology of the three pillars we talked about people, technology and process, do you feel like improvements to technology there'll always be that people back stop, right? Even though maybe people are quote unquote the weakest section. Actually in some ways, we're also the strongest because as these AI and technology advance and there's always or I don't know, maybe there won't be but at the moment, certainly there's questions that AI can't answer.

00:11:54:17 - 00:11:57:19

Alex Miller

And we need people to kind of come and add the common sense.

00:11:57:20 - 00:12:17:08

Chris Parker MBE

Absolutely right. And I think, again, remembering my point on humans being potentially the weakest part because we do have off-days and as much is that part. But we are very strong. Absolutely. And the decision making process, the ability to focus and the key thing that systems and automated processes can help us, is having that what we call in Fortinet,

00:12:17:09 - 00:12:36:23

Chris Parker MBE

A single pane of glass is something that a human can look at one screen, one pane of glass and make a decision. And in the same in the military analogy, to allow a commander, which is exactly what is happening in a response in a cyber instance, someone to make a decision in the organisation, based on really accurate, focused, good intelligence of what is going on here.

00:12:37:04 - 00:12:57:13

Chris Parker MBE

Is this an attack or is this perhaps a deception attack? Is something else going on and the ability to actually make a decision. Yes, you're absolutely right, Alex. The human is still, in my view, the best person when it comes to complexity, because our brains are actually the most amazing processes. We can really do it. And and in the military, don't forget, that's still the way as well.

00:12:57:13 - 00:13:18:17

Chris Parker MBE

I mean, people talk about automated aircraft, drones and things, but actually the ability to know where to prosecute an attack or to report something, the what they call the mark one eyeball and the human brain is still a really incredible system. So it's not without that blend. I mean, we don't drop the human out the process. I think what we actually do is we enhance it.

00:13:18:17 - 00:13:24:13

Chris Parker MBE

We make the human more useful, more focused and make an easier decision. And that's the best part.

00:13:24:15 - 00:13:29:13

Alex Miller

Yeah, I think that's a really good point and that's certainly where I see the improvements in technology going as you say.

00:13:29:16 - 00:13:29:24

Chris Parker MBE

Yeah.

00:13:30:04 - 00:13:33:12

Alex Miller

Proving greater assistance to people to make better informed decisions.

00:13:34:16 - 00:13:34:22

Chris Parker MBE

Yeah.

00:13:35:13 - 00:13:58:24

Alex Miller

I wonder also if there are some scenarios where cyber warfare and traditional warfare they actually meet? What's really the difference if we see a kinetic or a violent effect in something compared to a soft effect, a cyber effect, perhaps? You know, if I'm yes, a kinetic effect versus me on my laptop turning something off that creates negative output for a company.

00:13:58:24 - 00:14:00:00

Alex Miller

What's the difference there?

00:14:00:01 - 00:14:16:03

Chris Parker MBE

Yeah, there's some in warfare is much the same I suppose, because there's this sort of soft effect and then there's a hard or kinetic effect. And really we think about it in cyber is also the same because we think about it. It could be a soft effect in the cyber attack, could be someone stealing some data and then retaining it for the time.

00:14:16:03 - 00:14:36:15

Chris Parker MBE

Then they want to release it or embarrass an organisation, for example. But a hard attack may be something where they want to actually really genuinely disrupt. So actually an attack for operational technology to perhaps disrupt a public utility system or something like that. We've seen these sort of attacks before anyway. So I think I think there's always a difference in the level of attack there.

00:14:36:24 - 00:14:56:01

Chris Parker MBE

I don't think there's any easy comparisons to draw between the types of attack in military and the types of attack in cyber. I would talk more about the effect on the operator or the user. So the effect is it's something that we don't know anything about because some data has been taken and we just don't know until suddenly some emails are released on the web.

00:14:56:01 - 00:15:16:22

Chris Parker MBE

And it's very embarrassing for everybody or is it something where we suddenly find while all the lights off? Why is everything going wrong here? What's going on? And, and so the effect on the user is the key part. And that's where, again, automation and AI do amazing things now. There's a new technology, latest technologies, which just as in the military, well, there's an evolution of technology going on in the cyber world.

00:15:17:03 - 00:15:38:13

Chris Parker MBE

It's incredible. Some of the new systems we have systems that are the electronic equivalent of sitting on the network and just watching and waiting and almost literally just looking about on the network and seeing for abnormal behavior and things that shouldn't be going on. Yeah. And if you think about in a in if that was a a building or a human response, that would be the equivalent of of guards walking around with torches at night and saying, what's going on here?

00:15:38:13 - 00:16:04:22

Chris Parker MBE

Why is this window open? What's going on? So there's those sort of systems. And then we also have systems which even deceive. So if something does penetrate and get through to deception level, you can actually have replication of the network and things where systems are available for people to think that they've actually found something interesting. Absolutely honeypots the famous term, but then also to be shut down and literally locked in there or observed.

00:16:05:04 - 00:16:29:04

Chris Parker MBE

So I mean, these are great new advances in technology which are really helping cope against this overwhelming threat. And actually, we have to remember that cyber security is still ultimately a big game of psychology. There's someone at the other end trying to prosecute these attacks. So therefore, if they start to see that certain organizations are using really high tech, it's going to make them have to really do a tough job to get in a really hard job.

00:16:29:09 - 00:16:32:16

Chris Parker MBE

Whereas perhaps maybe a few years ago it was a lot easier for the attacker.

00:16:33:09 - 00:17:03:17

Alex Miller

Certainly I think the amount of data being able to be ingested by blue teams by defensive SoCs (security operations centers) is really increasing. But it is interesting that there's some kinetic effects as a result of cyber and industry will be feeling that as you said, an operational technology even in just offices. If I can turn the AC off and it suddenly gets a bit warm or even worse than that, I can turn off the cooling system in a server room through a cyber attack and potentially cause a fire or something like that.

00:17:04:00 - 00:17:09:22

Alex Miller

It's interesting that we're now seeing potential kinetic effects as a result of perhaps soft kind of attacks and cyber.

00:17:09:24 - 00:17:32:07

Chris Parker MBE

Absolutely. And I think, again, remembering that the human can be at risk there, that we perhaps get into habits and we perhaps don't see things that are repeated as easily or abnormal behaviors as easily as a machine might do. We often do see things that are abnormal in our homes, and we say that that's not right. I didn't leave out there and you don't know why something has moved or a window is open, so that's our natural human instincts.

00:17:32:07 - 00:18:00:22

Chris Parker MBE

But automated automation wise that can be seen straight away. So it's another great use of AI, whereas I can tell you, for example, in Fortinet, some of the AI introduction into some of our products has increased capability by perhaps 25% straight away because it allows, again, the tightening of that security nut to make sure that the ability to spot abnormal behavior in something is just not right through some form of process of artificial intelligence on that system, learning on that organisation that this is not right.

00:18:01:05 - 00:18:25:00

Chris Parker MBE

That person should not be accessing those folders because they shouldn't be doing it on a weekend. And those sort of things that just abnormal. Now, there may be normal things that are happening there, but the ability to flag it up, that's the most important part of that early phase of resisting a potential cyber attack. And if it's someone is working at the weekend and just wants to go and find a CV or something, then that can perhaps be explained and that can be at least be known.

00:18:25:00 - 00:18:26:19

Chris Parker MBE

And that's the key part. It can be found early.

00:18:27:10 - 00:18:52:18

Alex Miller

Yeah and I guess this is an interesting part where all two jobs are quite different because my job as a Red Teamer is to test the effectiveness of these kind of products and controls. And I guess that's an interesting parallel between the military. We talked before about thinking enemy and I guess that's essentially what my job and the foundation of Penetration Testers and Red Teaming’s whole philosophy is. Is that really one of the best examples of cybersecurity using military strategies?

00:18:52:18 - 00:19:09:10

Chris Parker MBE

Yes, I think it is. And I think when you look at it, the vitality of having that practice, the rehearsal is a fundamental in military operation. So before any operation, any patrol, any level I was in, there was always a rehearsal or a discussion or people would use a model and they work out and say, what can go wrong here?

00:19:09:10 - 00:19:32:21

Chris Parker MBE

What can go wrong there? And the ability to Red Team is a human factor integration as well. The penetration part being very good for technology assessment, but the combination of those, those systems using them together are vital. I really do believe. I always say to people that, you know, unless you're introducing that level of rehearsal, learn about mental process, then you get a bad day.

00:19:32:21 - 00:19:53:06

Chris Parker MBE

And it's going to be a very bad day because if you think about it, there's is a beautiful expression in the military flying world when they're training and they say there's no new air accidents, only new pilots. And what that means is that if people apply themselves professionally and we are all professionals in this industry, but we've got to behave like it, we've got to study, and that can be tough.

00:19:53:11 - 00:20:21:00

Chris Parker MBE

We've got to find time to study and look at incidents and things that got on. So instantaneously, that pilot who studied an accident report where he saw a sudden increase in engine temperature, he'll know immediately what's going on and he'll know what probably has caused it because he's read about it. He studied his profession. And we ought to do that in our profession because a Red Team or a Pen Tester or indeed just studying attacks that have happened elsewhere in the world can allow people to say, I think I know what's going on here.

00:20:21:09 - 00:20:44:10

Chris Parker MBE

And there's a great story, which I think many people know, the listeners out there to the podcast, would have been aware of the Sony. A great incident in 2014 a very, very bad hack that was going on. Very famous but we won’t dwell on that but then one of the big things that came out of it afterwards is that a very young person, an employee, had spotted the vulnerability and flagged it up.

00:20:44:13 - 00:21:02:10

Chris Parker MBE

But the senior people in the IT department were actually very negative about it. This being raised, but also had a real go at the individual almost to the point of bullying, and that poor individual left the organization and then they got hit. So even that shows us a great lesson because that's all about teaching these lessons, which is very military.

00:21:02:19 - 00:21:23:10

Chris Parker MBE

How can we learn from these things? And therefore we should say “Well let's not be like that”. These people in that department who were poor, it wasn't Sony was poor, it was the individuals being negative, which had an impact on the organisation. And what happened was very bad. So let's not do that. Let's make sure we listen to our young people, especially because they see things very differently to those of us who've been doing things a bit longer.

00:21:23:10 - 00:21:42:13

Chris Parker MBE

And we get confident, sometimes a bit relaxed and as humans and therefore someone young, someone fresh saying this doesn't look right or I think someone could get in on this. That's a beautiful thing we should encourage in our organisation. So even there’s an example, we just done one of where you just do a learning process and improve things in the processes in the organisation.

00:21:42:24 - 00:22:08:19

Alex Miller

Yeah, I guess the military is very good at continuous improvement and I certainly see when I'm talking to businesses, so many are focused on the end goal of security as opposed to actually the process of continuous improvement. Security's intangible right? And it's not really a useful frame of reference. And when we look at ISO 27001, the international standard of cybersecurity, really the heart of that is continuous improvement.

00:22:09:00 - 00:22:13:04

Alex Miller

So that's another military strategy that we're starting to see happen, is it?

00:22:13:06 - 00:22:34:12

Chris Parker MBE

No it is, absolutely. I think the big thing that's come out of those processes, which is the formalisation of what certainly anyone who's military would see those or experts, you would see those processes and see them as quite normal because there's constant improvement. So again, before any operation goes ahead, there's lots of training, lots of looking at what's going on currently in the operation, what could go wrong.

00:22:34:12 - 00:22:50:07

Chris Parker MBE

The risks are assessed. We would have a risk matrix in our organisations today. How much they get used is the question. I always say to people, “Can I see your risk matrix?”. And they sort of only work out how long they take to find it because there should be a link on their desktop. But that's a great tool.

00:22:50:07 - 00:23:06:15

Chris Parker MBE

It's not something just to state something and say, that's it again, you know, it's actually a tool. So a risk matrix, just as the military have, you constantly evolve and look at it and you examine at a sector that's really good at this is the oil and gas sector for safety reasons. They are really hot on risk matrix and you have to discuss before meetings.

00:23:06:15 - 00:23:27:11

Chris Parker MBE

Any risks are in the room and they want to keep their statistics low because safety, of course, is vitally important in what is a very dangerous sector with volatile liquids and people at risk. So they are really hot on that. So that sort of almost a health and safety type approach, you know, in a different sector certainly taught me a lot that by using those processes, rehearsing and again it's back to Red Teaming.

00:23:27:11 - 00:23:48:03

Chris Parker MBE

Can we learn from getting external people to come in rather than just us being confident our own systems are okay? It's a complex blend of things needed, but whatever happens, it's that helix, it’s that progression forward. It's not a cycle. It's a constant moving third dimension helix going forward. And that's what the military always aspire to.

00:23:48:11 - 00:24:09:23

Chris Parker MBE

I think in the cyber security industry, we do that as a vendor. We're always improving our equipment, our quality controlling, our checking. I mean, that's why a lot of people are surprised when people say there's a vulnerability. Actually, a lot of the times most times the vulnerability is actually something that's being found by good quality assurance and someone's just tightening that helix and making things better.

00:24:10:05 - 00:24:26:04

Chris Parker MBE

So what I always think is that we should celebrate it because vulnerability is a sign of something getting better rather than everyone being negative about things. And if we're never going to improve things, then there's going to be more gaps because the threat, the adversary is always improving. They're always trying to get at us.

00:24:26:04 - 00:24:33:21

Alex Miller

Goes back to what you were saying about the Sony hack. And actually, if we listen to people and our teams and accepted, diversity of thought that actually we would all be more secure.

00:24:33:24 - 00:24:35:01

Chris Parker MBE

Hmm, absolutely.

00:24:35:09 - 00:24:56:07

Alex Miller

I think it's interesting, the people part of the people technology process kind of ‘triad’. We see in the military you have got very strong roles and responsibilities. Right? Everybody knows the chain of command and their roles and responsibilities. I see that a lot less and cyber things are a lot greyer. Do you think that's an issue?

00:24:56:10 - 00:25:14:24

Chris Parker MBE

I think it's a great point. I think it's something that actually concerns me sometimes in some organizations because again, back to the human factors, people have to go away. They sometimes get called away, they might fall sick or a loved one might be ill. So people have to know instantly who is what we would call in the in the military, the second in command, and perhaps in the third in command.

00:25:14:24 - 00:25:37:11

Chris Parker MBE

Now, this is in the military formally stated before any operation, even a patrol going out somewhere in a foreign country somewhere would always be saying before the patrol. And that's largely actually redundancy being built into the systems, what we would call, but it's been built into the command and control. So for example, if something happens to me on the patrol and I have to go off somewhere or I have to take a casualty off somewhere, then it might be you, Alex.

00:25:37:11 - 00:25:56:21

Chris Parker MBE

You have to take over. And then everyone would know instantly something happens. Who's in charge. There's not going to be some debate in IT, “Well, who's making the call here? Who is deciding?”. And that's not a good place to be. So there's a fundamental organizational responsibility and that you can use things like the RACI matrix and other responsible responsibility tools which are there in business.

00:25:57:06 - 00:26:15:14

Chris Parker MBE

But actually it just needs to be stated. And I think also more and more we're seeing where there's too much in the cyber industry, too much being loaded onto one person. That's normally the CISO. Of course there are other terms for it, but if we think about that load that's being increased, then he or she cannot cope with those loads.

00:26:15:16 - 00:26:34:07

Chris Parker MBE

I think the office of the CISO, as I tend to call it, we end up being the CISO. And in large organisations, I think that will now be a career change. I would encourage it for having a deputy CISO so perhaps times two, and then you might have assistant CISOs below those. So there's always redundancy there and this is a career path, this is a career chain.

00:26:34:08 - 00:26:45:05

Chris Parker MBE

And these people, of course, as we spoke before, are not necessarily going to be coder level capability, but they're just into managing cyber and the procurement of equipment and other such important things.

00:26:45:21 - 00:27:03:03

Alex Miller

Yeah. And just for our listeners, CISO. Chief Information Security Officer right? So I wonder if there's something to be learned about the roles and responsibility from the kind of checking the checker standpoint. We talked about this before, what is checking the checker?

00:27:03:03 - 00:27:20:22

Chris Parker MBE

Checking the checker. If there is one thing from the podcast that people take away is checking the checkers. Because it's such a brilliant military principle and it's an evolution of those hundreds of years of military, especially in the in the British and American and other great military systems where they fundamentally have got better.

00:27:21:06 - 00:27:41:00

Chris Parker MBE

So checking the checker is about saying the system, the organisation is never going to be content, that everything's being done. We're just going to check and we're not only going to check, we're going to ask someone to check on that person doing the check because that means there's no risk, no problem. Now, people might find that a little bit awkward in the military.

00:27:41:00 - 00:28:03:18

Chris Parker MBE

There's actually no one sees it as difficult or offensive if someone goes into check. I used to have to do it as a young officer. I used to do these weekly checks on perhaps the ammunition or the oil and gas, dipping the tanks to make sure the right amount of liquid was still there. Now, that wasn't seen as offensive. What was actually happening there is it means that the person who's doing the checking actually knows that he or she will be checked on.

00:28:04:00 - 00:28:25:14

Chris Parker MBE

Yeah. Now that therefore means is that the effect on the organization is if that person is having a bad day or is tired or has been unable to do their checks. I mean, how many times have we seen I've been able to do the patching, says someone in an IT department, because I've just been too busy. Well, okay. But then if they know there's going to be a check, perhaps a weekly or monthly check by someone senior saying let's just check the patch register and where are we up to?

00:28:26:08 - 00:28:45:13

Chris Parker MBE

And if that's the case, then those people know they have to put their hand up, which is a beautiful thing in an organisation because that improves safety for all the data and the people and the organization, because they're saying, I'm really struggling here with the workload. I just can't do these patches and I can't do this or that. So they know that they're not going to get caught out because they put their hand up.

00:28:45:20 - 00:29:09:04

Chris Parker MBE

But the organization becomes safer because that's an example where someone would just say, okay, we'll get in some extra help this week or by some professional services, or it may be to come in and assist us for a day and get us up to speed. That's just made the organisation safer. So it's back to how these processes, which sometimes seem a bit odd and perhaps can seem a bit tight and people think that's almost offensive, saying I'm not doing my job properly.

00:29:09:06 - 00:29:16:15

Chris Parker MBE

It doesn't matter because if the culture is there that people say, hi, you're here to do the check, that's great that that's the way it should be.

00:29:16:17 - 00:29:18:16

Alex Miller

So we need to get over our egos a little bit here.

00:29:18:24 - 00:29:37:11

Chris Parker MBE

I think when it comes to safety and security, egos have to take a backseat. Exactly. And I think that process, back to that process part. If the process is really good and everyone knows why it's there, that's the big thing. Don't bring in a process anywhere and just impose it. Explain why it's there and say that system. You know, you might be having a bad day some time.

00:29:37:12 - 00:29:58:24

Chris Parker MBE

Or you may be overloaded. You know, I'm going to come round and check. So this just means put your hand up because I don't want to be checking. And then you tell me I've not done the checks for some time. And don't forget, that happened in the military as well. When you sometimes do these checks and it would all come out that someone's just lost something and just struggling with that job, they were perhaps not competent or capable or just were having some problems in their domestic life.

00:29:59:10 - 00:30:03:22

Chris Parker MBE

These are human factors, so at least we find out about it. That's what checking the checkers is all about.

00:30:04:10 - 00:30:23:14

Alex Miller

Yeah. And I see that in Red Teaming that it's an interesting dynamic if I'm checking how good somebody is at defending when that's their day job, it's important that that's not taken personally. We're actually working with them, even though in a direct sense we're working against somebody. It's interesting how many things that can crop up from the people technology process stack.

00:30:24:20 - 00:30:35:22

Alex Miller

If technologies may be not configured properly but is excellent or maybe, you know, an alert hasn't shown when it should do or whatnot, just making sure that those are spotted before an actual breach happens is what you’re saying.

00:30:36:16 - 00:30:59:12

Chris Parker MBE

And that's happens also when people like Fortinet as vendors, when we would go and we wouldn't just sell something and then walk off, we actually go and visit and check and make sure everything's okay. And almost like a sort of an update, you'd pop down or get in touch. And often we find people haven't, because electronically we can tell, haven't activated perhaps licenses they bought, so they bought something they just haven't got around to getting it up.

00:30:59:13 - 00:31:09:24

Chris Parker MBE

Now and some people watching it might be intrigued to hear that. But again, human factors, people are very busy and understaffed and they've got issues and perhaps they forgot.

00:31:09:24 - 00:31:10:17

Alex Miller

Yeah, I can resonate with that.

00:31:10:17 - 00:31:11:06

Chris Parker MBE

It does happen right?

00:31:11:07 - 00:31:29:05

Alex Miller

The amount of Red Teams I've been on with technology is awesome, but it hasn't been configured properly. And therefore, like you're saying about the pane of glass, the lens that operators, that's people in blue teams and protective defensive teams are seeing isn't giving them good data. So they've got great technology, they've got great people, but they're not working well together.

00:31:29:05 - 00:31:32:23

Alex Miller

The processing facility hasn't been configured and therefore. Yeah.

00:31:33:13 - 00:31:50:09

Chris Parker MBE

Well, that's why that's why Fortinet has staff because it's not just the people doing the design and wonderful tech stuff, which we have out in California and a few other places. But amazing. But for me, the beautiful thing is that we've got the staff to be able to help and check. So again, if people find that they’re, they think that might be the case.

00:31:50:09 - 00:32:10:21

Chris Parker MBE

They should just ring up and say, I didn't understand it and we can easily help and interrogat it . But I still think that's back to process and anything that helps that helix, that tightening of the security nut all the time. Because coming at us the other way is another helix of the bad people who are trying to disrupt our systems and our life and they will be improving their systems all the time.

00:32:10:21 - 00:32:13:02

Chris Parker MBE

So we have to keep our helix going as well.

00:32:13:20 - 00:32:22:14

Alex Miller

And what about that process point when you hit the unfortunate scenario of having a breach, how does the military deal with incidents and what can we learn from that?

00:32:22:14 - 00:32:44:08

Chris Parker MBE

Yeah instant response. The biggest part about any military incident I've been involved in, I've been involved in a lot is that most cases I can't think of many where they didn't actually do anything different to what I'd found in my training. So good training, good rehearsals goes back to Red Teaming, working out the scenario and again empower the young.

00:32:44:08 - 00:33:02:01

Chris Parker MBE

If there is someone in the department who's young, who has got a fresh mind. Ask them to have a look at what can go wrong and write some scenarios and those things can really help then, perhaps once a month, once a quarter, any organisation have a of an afternoon, it's often great to do on a Friday afternoon, get it all done together and work out what gaps there are appearing.

00:33:02:07 - 00:33:39:08

Chris Parker MBE

So that instant response is based fundamentally in the military on preparation and drills. So that's back to processes, so instantly doing things. So but there's two levels I would think there's normally those drills which are response, so often that can be automated in our systems in Fortinet we have a lot of fantastic stuff that can help some of our systems do 50,000 alerts on the day whereas a normal analyst can perhaps cope with 30 or 40 if they’re really going at it. So the automated systems can really allow when you having that volume of threat coming in which some organisations sadly see, to overmatch that and beat that away with the response

00:33:39:08 - 00:34:04:11

Chris Parker MBE

skills. But then that's the immediate level. But then there's that higher level of response, which is more, more executive, more thinking about the organisation. And I used to run an organisation, a company myself, where we used to help advise organisations post-breach on what they would look like post-breach. What was interesting is the biggest thing that would impact on the organisation would not necessarily be just the technology.

00:34:04:19 - 00:34:26:13

Chris Parker MBE

It would be the way that they communicated this out to their people, their shareholders, their stakeholders. And also internally, back to that Sony incident, which is a great one to study. They didn't really get their information out internally through HR or have a redundancy system. They went dark. Therefore, people were tweeting and speaking and ringing their friend who works for the media and all that stuff.

00:34:26:13 - 00:34:50:01

Chris Parker MBE

So you got to control some form of output of the information. So the biggest parts about doing these Red Teaming and learning is that those fringe things, those things that seem unimportant, often become the most important, communications, media, PR, post incident, post breach. And of course, the big thing is to make sure that people are reassured. It could be people, public servants, it could be the public.

00:34:50:08 - 00:35:04:19

Chris Parker MBE

They need to be reassured, and customers, that everything's okay. We've invest in good systems. We're dealing with a what is ultimately normally a criminal activity, an illegal activity. So to put out some sensible lines there can normally help yeah.

00:35:05:01 - 00:35:13:06

Alex Miller

Yeah it's amazing how much, as you said, preparation and something not being novel can help you kind of have more gusto in that moment to deal with things.

00:35:13:06 - 00:35:33:17

Chris Parker MBE

And people who never know. I mean, if unless they rehearse it and they've got to rehearse it and I find they are joy at seeing the light bulbs come on. When people say this has been an amazing 3 hours because I've got this whole list on a whiteboard of things that we need to do and we're going again, tighten the knot, get the helix going again, and add to the great technology to make the whole system of security get better.

00:35:33:21 - 00:35:35:19

Alex Miller

It's just that little bit less scary.

00:35:36:03 - 00:35:59:09

Chris Parker MBE

Yeah, absolutely. And that and that's a very good point. I mean, it actually adds to that reassurance and competence and confidence in staff, especially in the IT department, that they're able to deal with this. They can they can cope with it. And what we find is often people forget new joiners in the organisation. So we may get a young man or woman join the organisation and they feel themselves, okay, this is great.

00:35:59:09 - 00:36:13:23

Chris Parker MBE

But then they happen to be on duty on that day. But they weren't involved in the rehearsal that happened six months ago. So often people forget that when you bring someone new into the organisation, good process, that they should always run a team rehearsal again to make sure they're all brought into it.

00:36:14:03 - 00:36:32:04

Chris Parker MBE

So there's some great sort of little tweaks there, a process that can just make sure that I think it's Murphy's second law, isn't it, that things will go wrong, but it'll go wrong at the worst time. And it's always going to be when the perhaps the most junior person is on duty and perhaps the most senior person is away at a family wedding and the phone is off.

00:36:32:04 - 00:36:43:04

Chris Parker MBE

So this is always the thing. So rehearsals and preparation and sound military principals perfect for cyber security and can tighten that helix and tighten up security nut.

00:36:43:21 - 00:37:03:06

Alex Miller

As you were saying with intelligence earlier on that actually goes back the other way, right? Because we have attackers using open source intelligence, things they can glean from the Internet, maybe the person at the weddings posted about it. We know that they're not on shift. Maybe the new joiners shared lovely information about their new role, as would be something that attacker would probably target, right?

00:37:03:08 - 00:37:26:07

Chris Parker MBE

Absolutely. I’m afraid that people are now waking up to the fact that, sadly, in our society, people will look at those things, those feeds. That doesn't mean people can't have any fun. I think people are just going to be a bit circumspect about what they are posting and saying. Sometimes a bit of awareness. I know that this great organisations are that can help any organisation by looking at what's being posted by them and done.

00:37:26:12 - 00:37:41:13

Chris Parker MBE

But then also on the on that sort of deeper level, that sort of dark web level, there's some wonderful new technology which is ongoing in the industry at the moment. We've got a new product out at the moment which is causing some great excitement, which is called FortiRecon. And again, it does what it says on the tin.

00:37:41:13 - 00:38:01:09

Chris Parker MBE

It's actually reconnaissance back on to your own organisation from our expert researchers who will look and actually look inside on the dark web as well as to what's being seen about your organisation, what's being offered, but also, perhaps more importantly, what you look like. And that is a fundamental military principle. Whenever you are doing any defensive position, you would always be taught.

00:38:01:09 - 00:38:18:12

Chris Parker MBE

From day one, you go out to where the enemy would come from and you have a look what they're approaching. And it's much easier then to see issue. So to see an organisation, to see if there's only two or three IT staff, can we perhaps work out who they are, get on their Facebook, those sort of things. So then we just have to warn our staff.

00:38:18:19 - 00:38:37:14

Chris Parker MBE

So all these things are good processes, good principles, but again, new technology, later systems out there that can really help enhance and they have done already. They're started to really secure organisations by spotting these things in the attack phase very early. That's the beauty of it. They spot and defeat it before it even happens.

00:38:37:14 - 00:39:01:07

Alex Miller

It's amazing. I wonder if we just step back from things a little bit now. The the cyber world has changed so much in the last ten years and in the UK we've definitely become more open about our cyber capabilities, right? We have the National Cyber Security Center, the NCSC, which is basically a public facing wing of GCHQ designed to tackle, tackle cyber threats.

00:39:01:17 - 00:39:11:12

Alex Miller

And we also have more recently the National Cyber Force. Do you think in the next ten years we're going to continue becoming more open? Is this something industry should be more open about their cyber capabilities as well?

00:39:12:00 - 00:39:31:17

Chris Parker MBE

It's a different one, isn't it? Because in the military principle, you don't want to reveal your hand and your defenses because again, since medieval times, that's normally a bad thing because people then get in. But I think transparency is definitely on the up. It's part of society's trends. I personally welcome it. I don't think it's something we should be fearful about.

00:39:31:17 - 00:39:52:12

Chris Parker MBE

We just have to be cautious about. Always think about what what could be the impact of revealing this information. You mentioned NCSC, and again, on the defensive cybersecurity side, they are the the prime plug in and we deal with them at Fortinet and have a great relationship with them. But they're extremely good professionals. And I can't talk for obvious reasons about some of the detail of those things.

00:39:52:12 - 00:40:21:05

Chris Parker MBE

But what I can say is that we are really lucky in the UK to have a truly professional and world class National Cyber Security Center, but they also are a group of individuals and people that if people are thinking about a career or a job, it's a great place to think about applying to, especially the young., the graduates. Because it’s a wonderful start for your careers, but the other other one to mention is really that the NCSC website I personally think is one of the best websites for cybersecurity.

00:40:21:12 - 00:40:43:14

Chris Parker MBE

It doesn't matter whether you're a small business or a large organisation, whether you're a CISO or an IT leader or a junior, then you can learn so much from that website and if nothing else, again from the podcast, if you are thinking, if you're watching this podcast thinking I want to learn stuff, then actually just make a marker every week you will spend an hour on that website and your knowledge will grow is tremendous.

00:40:43:21 - 00:40:51:22

Alex Miller

Agreed. They have so much tailored advice and guidance for free to different organisations, sectors. It's it's a really, really useful tool.

00:40:51:22 - 00:41:25:14

Chris Parker MBE

But transparency you mentioned Alex and that's part of it, the website is part of it. There's an awful lot on there which is being shown and organisations like Fortinet and we really pride ourselves on being very transparent. So we will always promote and put information out there about when there's been things like vulnerabilities or issues. It's always easy to talk about the new equipment and new products, but we also say when things have been improved, again, quality assurance process, when things have been tightened and gaps have been filled, that's a huge part of the cybersecurity process and we're very transparent about that.

00:41:26:05 - 00:41:46:01

Chris Parker MBE

I think that's welcomed. It's part of societal trends. It doesn't always mean if other people aren't transparent, that they don't have the same issues. But I think as a company we're right because the posture to be transparent with your customers and the people who are paying money and working hard to protect themselves, you've got to be honest and transparent as much as you can.

00:41:46:01 - 00:41:47:23

Chris Parker MBE

It's part of being ethical.

00:41:48:03 - 00:42:05:22

Alex Miller

That's a really good point and we've covered a lot here, Chris. This has been a really good session. If you could point us just to one, if I do the, the sinful thing of asking you to choose one military strategy of all of the things we've talked through here today, what would you suggest people should take away?

00:42:05:22 - 00:42:37:19

Chris Parker MBE

Yes, I think that the one thing to take away from this, again, back to 400 years of military development and how can we learn and improve our cybersecurity? I'd say it's actually about preparation. The big thing is preparation. From that, it's probably got a few strands such as training. I mean, it might be Red Teaming and Pen Testing, but it's that preparation. Get your shots in early, get your preparation in early because if you get your your chance to train, it's like being an athlete, get things right before the big game starts, then you will have a much better chance of success.

00:42:38:12 - 00:42:53:09

Chris Parker MBE

So I think the big military success of the last 400 years where things have gone right have normally been based on really good training, preparation and get things ready before. Easy to talk about technology. And Fortinet love talking about technology...

00:42:53:09 - 00:42:54:14

Alex Miller

Don’t worry I am guilty of that too.

00:42:54:18 - 00:43:06:05

Chris Parker MBE

We're good at it. But I still think let's everyone think about while that stuff's going great, what can we all do as individuals to help prepare individually or as an organisation? Preparation. Sound preparation.

00:43:06:21 - 00:43:09:00

Alex Miller

Excellent. Great advice. Thank you so much, Chris.

00:43:09:00 - 00:43:09:10

Chris Parker MBE

Thank you.

00:43:09:21 - 00:43:16:12

Alex Miller

And that concludes this instalment of the Tech for Leaders podcast. We look forward to having you join us again. But for now, farewell.

00:43:17:19 - 00:43:44:13

Andrew Rawlins

And that brings this week's episode of the Tech for Business Leaders podcast with Mazars to a close. If you enjoyed today's show, please do subscribe to the series and leave a review to help us extend our reach and keep technology at the heart of the business community. We look forward to sharing more with you on our next episode, but for now, please do take care and thank you for listening.

+