Gavin Grounds joined Verizon, a global telecoms supplier, in September 2018. Today, he’s part of the organisation’s Corporate Information Security executive leadership team, where he heads up the Informational Risk Management & Cyber Security Strategy.
In 2004, Gavin Grounds founded the BCS USA Section and served as its chairperson for nine years. In 2017, he was re-appointed as the chair and has a mission to invigorate and transform the activities of the Institute in the USA.
Here we talk with Grounds about digital transformation and how organisations can change while still remaining secure.
As a Brit, how proud are you of representing the BCS in the USA as our chairman?
I joined the BCS when I was living in Bermuda. When I moved to the USA, I initiated establishing the US Chapter of BCS in early 2000 and served as its first Chairman. I personally derive a lot of value from being a member of the BCS, not least because they helped with my education, and the BCS Certification was really very helpful for my immigration to the US, with my visa, then Green Card and now US Citizenship. The US Department of Labor assesses the BCS certification very highly. So, I was already predisposed to recommend the BCS personally and really wanted to help pioneer it within the States.
So, tell us about your career?
I was raised just outside of Liverpool, England. After leaving school I went to Halton Tech to study electrical and electronics engineering. Then, when I moved to Bermuda with an earlier role, I went through a BCS programme at Bermuda College to complete my bachelor’s degree. I lived in Bermuda for five years before moving to North Dallas, Texas where I lived for a couple of years. I then moved to the south of Spain for three years before moving back to Dallas, Texas. After about four or five years, I moved to Malaysia, living in Kuala Lumpur. I moved to Austin, Texas and I’m now based in New Jersey.
Do you see change as an adventure, something to be embraced?
It absolutely is. There are lots of small things that do change with an international move, like, for example, voltage. The Americans are on 110v compared to the 220v that we have in the UK, which is a great way to either blow your hairdryer up or come to the US and run your hairdryer on half speed. When we first moved to the US, texting was becoming a big thing in Europe and the UK, but was still new to North America. The way technology was used in day-to-day life was different.
Often people ask, ‘which of all those places did you like the best?’ And the answer is, I like all of them, but just for different reasons. In some places it’s all about the people and the culture, and that was probably the biggest highlight. In other places, it was the way technology was used in different ways. As an example, living and working in South-East Asia from 2009 to 2012, almost a decade ago, it was truly amazing to me to see the proliferation of the handheld device there; it was already kind of overtaking the PC.
In America, as well as parts of Europe at that time, it was the other way around. There were more PCs but everyone thought that the handheld was something you made phone calls with and occasional texts. I enjoyed seeing those differences and just the way IT and technology are consumed at both the business and the consumer and individual level.
As technology changes, how do you feel cyber security will change?
There’s this whole idea of what you call defence in depth: it’s the layers, and some people describe it like an onion, where you’ve got the super-important stuff right at the heart of it and then there are degrees of separation and degrees of protection fanning out from that. There are still numerous scenarios where that is absolutely necessary and appropriate. That’s where you’re protecting core critical data and where you’ve still got fundamental control on all of the operating assets. So, there are still business cases like that and the importance of that model will never diminish.
Having said that, oftentimes when people talk about IT, or they talk about the role of a CIO or the role of a CISO, I’ll often remind them, ‘What does the ‘I’ stand for?’ It stands for Information. So, when people talk about “IT” they often think about the tech and they forget about the information. When they talk about a CIO they’ll think about IT operations but they forget the ‘I’ is for Information. And with a CISO, people often have the same mentality, and they forget that the ‘I’ is for Information. So, it needs to be more than just a “Corporate Data Protection” play - it needs to be oriented to protecting actual Information.
As an example, I have a smart phone, I have internet, I use social media, I use Amazon, I use Alexa, I use Google Home - but if I’m taking a business call from my home office, I make sure that I don’t have that kind of tech enabled. Why? Because none of that tech is necessarily directly connected to my company’s IT, nor is it necessarily controlled by my company, but I need to protect the Information pertaining to my company that is potentially inadvertently exposed to these kinds of services and tech.
Is there anything that worries you about the way business and digital transformation is going?
I think it’s exciting. One thing that does worry me is that it seems that a large portion of the cyber security community focuses almost exclusively on bad actors - or specifically, on trying to detect and figure out what the bad actors are doing - and doesn’t recognise that the exponential speed of change and transformation in the consumption models and capabilities of the technology field is in itself an equal security threat.
For example, practitioners focus on firewalls and data loss prevention - while in the meantime the world has already moved on and you’ve got the Internet of Things (IoT) and Smart Homes and cameras in your house and microphones in your house and in your car and a lot of telecommuters that are working from home and working from public places, and that’s all accommodated and facilitated by the change in technology.
The concern is, if the cybersecurity community at large doesn’t keep pace with that transformation and the speed of change in the way technology is consumed, then, to me, that’s the biggest concern right there. Potentially, there will be as much, if not more, information loss and lack of compliance with data protection requirements as a result of not keeping pace with change as there will be from losses as a result of bad actors. Equally, for the cyber security community that is focused on the bad actor community, we need to urgently get our heads and arms around using Artificial Intelligence and Machine Learning much more effectively, as part of the core of what we do.
How compatible with security is the agile method of development?
I would split the question in two parts. Is it compatible with, let’s say, the software development lifecycle? Is it compatible with the old methodology? It can be and should be. However, in my experience, very few organisations have security embedded end-to-end in the entire lifecycle. All too often, under the old methodology, organisations typically have a security team that would be engaged, potentially, in the early days and then re-engaged before you promote to production.
In that way of working, security is almost always viewed as a showstopper, with developers having to go back and do the legwork of a rework. So, in the older model there was inefficiency. Security was the kind of thing that was a bolt-on. In terms of the agile model, or even in the more cool DevOps and DevSecOps, I think the change that is needed is for security to become part of the entire cycle. With security engaged with every function of the lifecycle at every stage, it’s actually then easier to fail fast, fail often and go live fast.
So, you don’t wait for the system to be built, security is there from day one?
Exactly. Security needs to be everywhere from the initial early stages right through to production. Security needs to be part of that process in the early hours and days, not just added later in the weeks and months. So, the security team needs to become part of that development cycle, from the ideation stage right through development to production and operation. It’s got to be integral, that’s probably the right word. Security should be an integral part.
You can build systems that are risk averse, but can you ever negate the risk of user error?
I don’t think you can negate the risk. I think there are things that can minimise or control the impact, but we have to assume that there is always going to be user error, operator error, or developer error at some point. The error may be accidental, or deliberate, but that’s human nature at the end of the day. So, we need to look at what mechanisms, what techniques and what tooling we’ve put in place to minimise the impact of human error. But again, I think that’s like any other aspect of life. With life there’s always risk. What it really boils down to is managing what is acceptable risk. We’ll never eliminate human error, but let’s try to do what we can to minimise the frequency of it, minimising the impact and dealing with it effectively when it happens.
To what extent do you think that AI will change security systems?
To date, the cyber security profession in general is playing catch-up with the cyber criminals. As these cyber criminals get hands-on and become proficient in using machine learning and AI nefariously, how are we going to respond to that? My answer is, why are we waiting for that? In the cyber security community, why are we not already using machine learning more prolifically?
Why are we waiting for the bad guys to do it and then respond? Let’s flip that and put the shoe on the other foot and say, ‘Yes, cybercrime is a multi-billion-dollar industry’, but then on the other side of that, business is a multi-trillion-dollar group of industries, so let’s get there first. Stop relying so heavily on humans and swivel chairs in a SOC, and as a community, really join the fourth industrial revolution and use ML and AI to get ahead of the game in cyber defence.
There is social concern that AI could be given bad data and so ‘learn’ badly. Is that a worry in security systems?
If on the human level, you give a group of poor-quality leaders poor quality information, what’s going to happen? If you give that to somebody running a country - a prime minister or a president - and you have poor decisions based on poor data and poor information, then what’s the outcome going to be? So, are we going to let a machine make the same bad decisions? And what about AI that is programmed with unconscious biases already baked into the foundation?
That’s probably a whole separate article right there! But to my mind the same principle still applies. We can create the same damage with humans today. The difference is that as humans, we do it more slowly. In the context of cyber security let’s get there and get ahead of the game with the high speeds, whether it’s with ML, AI or quantum, we should get there first. Protect at chip speed, protect at wire speed and so respond in true real time.
Do you think quantum computing will be a game changer for security?
I think it will be, primarily, not exclusively, around speed. I’ll use the example of machine learning. If we think about machine learning applied in a quantum computing model and the ability to, at chip speed, be able to take massive amounts of data and do all kinds of crazy analytics on that data and then form conclusions. The machines will do that and iterate on that. And then with quantum computing if you think of the speed and magnitude of data that can be handled and the sheer volume and spread of heuristics and analytics that can be applied, as the machine learns, self-corrects and evolves itself, I think that will be a game changer.
Multi-billion-dollar businesses want to use machine learning. Multi-billion-dollar businesses want to use quantum computing because they get there faster. But then the other risk is the speed of the change. Whereas, in this moment, cybersecurity and risk management still keep pace with the speed of change for the most part, quantum computing brings a different scale to the table. But it’s like any automation. When you automate a process, if it goes wrong it just means that the catastrophe is bigger. If you’ve got an automated production plant and the process isn’t human, then if something goes wrong it isn’t just five widgets that come out wrong, it’s five hundred thousand widgets that come out wrong.
As technology grows, so do many of our skills gaps. According to Forbes there are going to be 3.5 million unfilled positions in the IT industry by 2021. Do you see that we need to step up and educate more people in IT?
We need to educate more people and cross-train the people that we’ve got. If you think again about some hiring practices that are fairly prolific across the industry you’ll see, ‘Must have excellent previous experience, must have a bachelor’s degree’ and so on and so forth. I think we need to rethink that approach for certain roles and certain functions, where for example, you may not need to already have a bachelor’s degree to be amazingly effective at the job.
As an example, look back at trades and the apprenticeship model. If you were looking to be a plumber or an electrician or a carpenter, you’d become an apprentice. You didn’t go to college for four years, get yourself a degree, then come back and then try to learn how to do a trade. I think there is a big opportunity and a big need, particularly in cyber security and IT in general and with everything we’ve talked about.
The whole space is itself in a transformation phase. I believe we should reintroduce the concept of the apprentice model, getting real life training on the job, learning directly from experience, being productive for the business already and in parallel, earning a respectable certification along the way. Without it, I think we’re missing a whole chunk of the workforce and we will always be under-gunned.
If we look at the millennials and actually post-millennials now, all the tech we’ve talked about here is now an integral part of their lives; they use it every single day. It’s Instagram and Snapchat, not letters and phone calls (or even Facebook for many now!). That’s the kind of talent that we need to bring into the industry. We need to say, ‘Look, we’ll get you on an apprentice programme and you’ll get qualified and a degree at some point along the way as well.’
I think that’s good for the individual, I think that’s good for business. There’s a lot of focus on women in tech and how it’s still in a lot of areas a male-dominated space and I think this could be one approach to help promote change, by getting that talent engaged and intrigued with this space, much earlier in the education cycle and attracting the creativity of young women and men alike.
According to the latest BCS diversity report, less than 17% of women make up the IT industry. For the US, in the cyber security workforce, it’s less than 14%. Why do you think women aren’t going into IT?
I think it would be an interesting overlay to look at those statistics and see if it’s generational. If you did it as a bubble map you could do gen X, gen Y, millennial, post-millennial and take that view. I think it would be interesting to see if we factored in the generational aspect, whether that would give us a bit more insight on it.
My guess would be that it’s still male-dominated, although I would optimistically like to hope that we’re at least seeing a trend of a bigger relative female population in gen Y and millennial demographics. But, again, I think a lot of it is rooted in the current education model right through to the way we’re recruiting into IT today.
You also have to factor in the unconscious biases of the leaders themselves and address some of the impediments to candidate selection, promotion and retention that are actually a result of unconscious bias. We’ve talked a lot about transformation and the way business is going through a transformation and IT is going through a transformation, yet I think we’re still recruiting and developing talent in an old-fashioned way in the IT industry, globally - that needs a transformation too!
Do you think the language needs to change or do you think the roles need to change?
I would take a look at any job posting on LinkedIn as a typical example. How many of them say they require a bachelor’s degree in computer science? And then compare that with how many don’t. How many females in the gen X or older demographic, or even gen Y, have taken a bachelor’s in computer science or in science, technology, engineering, and math (STEM) in general? Because right there, if my assumption is correct, if we look at how many people are taking a bachelor’s in computer science specifically, and of course you have cyber security courses now at certain universities so I would group that all together, I would hazard a guess, or perhaps at least hope to see, that more women are taking bachelor’s degrees in computer science today, but I would guess that it’s still not close enough to 50%.
So, just to sum up. What’s the biggest challenge the cyber security industry faces?
The biggest challenge is the exponential high-speed pace of change in the way that technology is consumed and applied, both in business and in everyday life. You mentioned the word evolution earlier, but it’s almost like revolutionary, every day, every year. That speed of change in the core technology consumption and delivery models - that is the biggest risk, I think, in cybersecurity.
It’s the biggest challenge because, in general, as an industry, whether we look at incoming security technology, security solutions or security operation in terms of the various disciplines within cyber security, the cyber security industry is actually not keeping pace with the way in which technology is changing. Just take a look at the SANS top 20 or the OWASP top 20... most of the issues cited are the same as they were ten years ago. The whole industry needs to up its game, catch up and transform at the same pace as the technological revolution.
Note: “The opinions and views expressed here are my own and are not necessarily representative of my employer, or other organisations with which I am affiliated.” - Gavin A. Grounds