Rob Robinson, Head of Telstra Purple, EMEA: “We’re currently dealing with a pretty obvious and growing skills gap, which can be a lucrative opportunity for cyber-criminals”

Did you ever play Risk? We didn’t ask Rob Robinson, Head of Telstra Purple in EMEA, but we don’t think we need to. And if he hasn’t, he’ll be a natural. One trick of this game is to think holistically: to not endlessly pursue aggressive growth if it leaves you vulnerable. The same is true for businesses, who may try and aggressively pursue opportunities such as AI, or invest big in new weapons, without realising the weaknesses they introduce.

And Rob identifies very real, non-board-game risks too. “You’ve got the threat of third-party risk, where, although working with other organisations and integrating new systems can bring a lot of opportunity to a business, it also opens you up to more threats,” he said. “In that instance, any vulnerability that a third-party system could have would become a vulnerability in your system if targeted by ransomware actors.”

He identifies many more challenges coming down the road. NIS2 comes into effect in October, DORA lands in January 2025. Are you ready?

But, to use the metaphor from a certain game, there is one big question: when the dice roll over the next couple of years, when you’re under attack, have you got the strategies in place to ensure you’re ready?

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

I’m currently the Head of Telstra Purple in EMEA. As Telstra’s professional services arm, we support digital transformation efforts across sectors and help bridge the gap between business requirements and technology deployments. 

I’d say I’ve been quite lucky in that I’ve been at the leading edge of the cybersecurity revolution throughout my career, although I’m not sure if that’s by luck or design! Much of my work has been centred around the customers’ needs, and now we see how cybersecurity is increasingly critical in facilitating business outcomes.

In the past, it was easier to treat cybersecurity as a standalone function within the business but it’s becoming increasingly vital that businesses understand the threats, risks, and benefits around their technology strategies. In that respect, specialising in cybersecurity was natural as I sought to help customers achieve their goals and understand that cybersecurity can actually be an enabler for innovation and market leadership.

What are some of the major trends in ransomware that professionals need to be aware of?

There’s a lot out there now for businesses to be aware of. You’ve got the threat of third-party risk, where, although working with other organisations and integrating new systems can bring a lot of opportunity to a business, it also opens you up to more threats. In that instance, any vulnerability that a third-party system could have would become a vulnerability in your system if targeted by ransomware actors. 

We also see an increasing prevalence of AI being used to enhance ransomware attacks. Whilst generative AI might be used to create social engineering attacks with more precision, there is a wider industrialisation of cybercrime taking place making ransomware easier to carry out, so bad actors no longer need to be particularly tech-savvy to drive the same disruption.

There are positive trends out there as well. We’ve seen the multi-layer approach come to the forefront. These emphasise the 3D nature of cybersecurity, ensuring that organisations physically, administratively and technically secure those data access touchpoints. Then, if a ransomware gang attempts to access any data, they’ve got to break through multiple diverse layers of security. 

Tech you need to know: Privacy Enhancing Technologies

What are the biggest cybersecurity challenges those in leadership roles are facing?

First of all, I think there’s the people side of things. We’re currently dealing with a pretty obvious and growing skills gap, which can be a lucrative opportunity for cyber-criminals, as that lack of skills can be exploited. However, we’re also seeing CISOs increasingly invest in new technology to plug that skills gap and enable their security teams to focus on the bigger picture. To develop a fully embedded security culture, awareness programmes should be repositioned as influence programmes. By highlighting how good cybersecurity practice is relevant in other aspects of life beyond work, it becomes more rewarding and the behaviours are internalised. 

Process is also a growing challenge, and it’s becoming increasingly complex, with new regulations like NIS2 coming into effect in October and DORA in January next year. Adhering to these new frameworks is no easy feat, and many people in leadership roles will be looking now at how their businesses need to adapt to meet the latest guidelines. 

And, of course, we’re seeing so much tech innovation at the moment. Look at the boom in AI alone. While this is great for businesses and offers a lot of value and potential, it’s a real challenge for companies to use these new technologies to create effective, comprehensive security while hackers also attempt to leverage them for their own benefit.

On the more positive side, these technologies can simplify processes and free professionals up to spend more time on strategic priorities. While these new security technologies do the heavy lifting of scanning and identifying patterns in unorthodox digital behaviour, skilled cybersecurity professionals now have more time to assess these potential threats and respond accordingly. 

What are some prevention strategies you believe every business should adopt?

In my eyes, thorough business risk and technology assessments are the starting point from which every business should work. We’re not just talking about specific bits of technology or processes around a handful of scenarios, but taking into account the business context. What are the unique areas of exposure? The direct threats? Insights into the customer? Risk assessments must be comprehensive and tailored to the individual organisation’s critical points of exposure. 

The other essential part of the puzzle is organisational culture. People can be potential points of exposure, but if time is invested in upskilling and embedding a cybersecurity-orientated culture, employees can be relied upon as critical points of defence. Technology can’t do everything, and that’s where the people’s lever becomes essential.  

Worth a read: IBM expands Watsonx capabilities with open source

Which cybersecurity best practices are being adopted with the most success by companies?

Many of the strategies I mentioned are being adopted very successfully. Those companies that look at cybersecurity holistically have the most success. Technology alone can’t be used to its full potential without the processes and people in place to use it properly. All three areas must be woven together in security strategies to embed resilience.  

What roles do you think governments play when it comes to cybersecurity?

Governments have a crucial role in improving general cybersecurity resilience, whether by raising awareness or working with the private sector to extend the research base and build necessary regulations.  

Cybersecurity needs collaboration across the market, and for governments, this means not just a stick of complex laws but the carrot of a collaborative process involving all parts of the economy and fostering intra-governmental alignment. The rising tide of cybersecurity lifts all boats, and governments have realised this.  

What’s something that has drastically changed about cybersecurity since you first got started in the field?

The standout change is the attack surface, which is so much wider today. With IoT, nearly everything is now connected to the internet, and many points of entry into organisations exist. 

Another significant change is the sheer amount of data that’s now out there. And yes, more value can be gained from that data, but it’s also much more complex and comes with much more risk. 

As a result, CISOs today have much more responsibility than they did when I started; the stakes are much higher. 

What advice do you have for aspiring professionals wanting to work in cybersecurity?

It sounds obvious, but read the manuals and ensure you understand the processes being adopted within your organisation. Before enacting any change, it’s important to know at a grassroots level what people do daily and the culture in which they operate. Only then can you develop relevant solutions that will stick. 

So yes, I understand and appreciate cybersecurity, but I also marry that up with a deep appreciation of culture and how to drive change within individual business contexts.  

The last thing I’d say is to position cybersecurity as an enabler for innovation. In our current business context, there is so much opportunity to develop new approaches and adopt new technologies to pursue innovation. Cybersecurity should always be a pillar that supports safe and successful transformation.