Nick Walker, Regional Director, EMEA at NetSPI: “The once dark art of hacking has been illuminated, not only for cybersecurity professionals but also for adversaries”

We’re sure that Nick Walker, NetSPI’s EMEA Regional Director, won’t be offended if we say that he’s been around. His career may “only” have started back in 2012, but he’s worked for IBM, PwC and NCC – and made significant contributions to application and mobile security in that time. He was also a successful competitor in the prestigious Pwn2Own hacking competition.

Through NetSPI, Nick now runs teams of talented security consultants and provides industry-leading guidance to C-levels and executives in high-powered businesses across the world.

In short, he’s worth listening to when it comes to all things security – and there are many takeaways from this interview. “Without a trusted and current map of all cyber assets, organisations are navigating blind in a sea of potential vulnerabilities,” he told us.

But knowing your assets isn’t enough: you need to actively test your defences. “Penetration testing should not be viewed as a one-off or annual checklist item, but rather as an integral part of a continuous security posture assessment process.”

We also discuss what’s changed in the industry – including what Nick describes as the “democratisation of knowledge” for good and bad – and what future cybersecurity professionals, those looking to break into the industry, need to do.

It’s a wide-ranging interview and we thank Nick for generously sharing his time.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

I’m the Regional Director for EMEA at NetSPI, with nearly 15 years of experience in the cybersecurity sector. My career began with a solid foundation, earning a First Class Honours degree in Ethical Hacking and Countermeasures, which launched me into the forefront of cybersecurity innovation. Since then, I’ve been recognised not only for my contributions to understanding and mitigating complex security vulnerabilities but also for my published research that has advanced the industry’s knowledge base.

My technical skills were further acknowledged through my success in the Pwn2Own hacking competition. This accomplishment, among others, enabled me to offer strategic cybersecurity guidance to some of the largest organisations in the world across various sectors, including fintech, healthcare and retail.

In my current role at NetSPI, I lead a team of exceptional security consultants, blending technical knowledge with business acumen to address sophisticated cybersecurity challenges with proactive security measures. My specialities extend beyond conventional security assessments to include cryptography, mobile application hardening, and the development of custom security tools.

My commitment to continuous learning and effective communication of complex security findings has made me a valued advisor in the cybersecurity domain, bridging the gap between technical detail and strategic business considerations.

What are the biggest cybersecurity challenges those in leadership roles are facing?

In the rapidly evolving landscape of cybersecurity, leaders are confronted with multiple challenges that not only test their resilience but also their ability to adapt and foresee potential threats. One of the foundational hurdles is establishing a secure base for businesses amidst the complexity of digital transformations. A critical aspect of this challenge is maintaining a single source of truth for asset inventory, which is paramount for ensuring data hygiene and security. Without a trusted and current map of all cyber assets, organisations are navigating blind in a sea of potential vulnerabilities.

Another significant issue is the over-provisioning of access rights and privileges. As our computing infrastructure grows in complexity, allocating appropriate privileges without compromising security or operational efficiency becomes increasingly difficult. This situation is exacerbated by a global skills gap in the industry. This is not only a bottleneck for addressing current security needs, but also a strategic concern for future defences, particularly as budgets and investments in training stagnate.

Organisations that cannot keep pace with the transformation of the cybersecurity landscape are at a high risk of failure. This is compounded by the human element, which remains the weakest link in the cyber ecosystem. Despite technological advances, human error and susceptibility to social engineering attacks continue to be significant vulnerabilities.

Economic uncertainties and budget constraints further complicate the situation, leading to increased scrutiny over skill levels and a tendency for organisations to seek cheaper security solutions. This often results in the adoption of tools and services of a lesser calibre, inadvertently increasing the risk of exposure to malicious actors. Thus, leaders are tasked with navigating these multifaceted challenges, requiring a delicate balance between strategic investment, skill development, and the adoption of innovative solutions to safeguard against an ever-changing threat landscape.

What is your take on ethical hackers and their role in cybersecurity?

Ethical hackers play an invaluable role in the cybersecurity ecosystem. Their work in penetration testing and vulnerability assessment is not just beneficial but essential for the safeguarding of sensitive data. By adopting the mindset and tactics of potential attackers, ethical hackers can uncover weaknesses in security systems that might otherwise go unnoticed until exploited by malicious actors.

The frequency and depth of ethical hacking exercises are crucial for their effectiveness. Penetration testing should not be viewed as a one-off or annual checklist item, but rather as an integral part of a continuous security posture assessment process. Ideally, it should occur at multiple stages within an application’s lifecycle, ensuring that emerging threats and new vulnerabilities are identified and mitigated promptly. This ongoing approach provides a dynamic defence mechanism that evolves with the threat landscape, offering regular assurance that critical assets remain protected.

As the digital world becomes increasingly complex and interconnected, the role of ethical hackers is set to become even more critical. The escalation of sophisticated cyber threats necessitates a proactive and anticipatory stance towards cybersecurity, making the skills and insights of ethical hackers more sought after. These professionals not only help in identifying and patching vulnerabilities but also in predicting areas of potential risk, thereby enabling organisations to fortify their defences against future attacks.

Beyond penetration testing, tools such as breach and attack simulation technologies, along with continuous attack surface monitoring, augment the capabilities of ethical hacking. They allow organisations to assess the effectiveness of their security measures and configurations continuously, identifying gaps that could be exploited by attackers. This holistic approach to security, combining ethical hacking with other proactive defence measures, signifies a mature cybersecurity strategy.

What are some prevention strategies you believe every business should adopt?

Firstly, understanding and managing what you have is fundamental. Asset management, attack surface management and change process management are critical components of this strategy. By maintaining a detailed inventory of all assets and continuously monitoring the attack surface, businesses can identify potential vulnerabilities and make informed decisions about where to allocate their security resources.

Secondly, continuously understanding your risks is vital. This involves threat modelling, penetration testing, ongoing “live fire” exercises such as red team operations and maintaining a continuous testing cycle. These practices help businesses anticipate potential attack vectors, understand the evolving threat landscape, and test their defences against simulated real-world attacks, ensuring that vulnerabilities are identified and addressed proactively.

Developing an effective incident response plan is equally crucial and regularly testing it ensures that businesses are prepared to respond swiftly and efficiently to security incidents. A mature and responsive remediation process, which includes clear responsibility and accountability mechanisms, coupled with effective employee training programmes, enables the entire organisation to manage and mitigate the impact of cyber threats.

Finally, investing in tools such as Endpoint Detection and Response (EDR), Breach and Attack Simulation (BAS) and Attack Surface Management (ASM) are instrumental in detecting, analysing and defending against cyber threats. These technologies, when integrated into a holistic cybersecurity framework, provide businesses with the capabilities to continuously monitor their digital environment, identify and respond to threats in real-time, and adapt their defences based on evolving risk assessments.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

One of the most dramatic shifts I’ve observed in the field is the democratisation of knowledge. In the early days of my career, hacking was shrouded in mystery, largely accessible only to those with the tenacity to navigate its complexities through self-directed learning and trial and error.

This approach, while challenging, fostered a profound depth of understanding of the technology and the innovative thinking necessary to identify and exploit vulnerabilities.

Today, the landscape has shifted significantly. A wealth of information, guides, and training platforms are now readily available, including tutorials to hands-on virtual labs and competitions that simulate real-world cybersecurity scenarios.

This evolution in learning accessibility has had a dual-edged impact. The once-dark art of hacking has been illuminated, not only for cybersecurity professionals but also for adversaries. On the one hand, it has lowered the barrier to entry for individuals aspiring to careers in cybersecurity, enriching the field with fresh talent and perspectives. It has also enhanced the capabilities of organisations to defend against cyber threats by fostering a broader understanding of cybersecurity principles among their teams.

On the other hand, the same resources that empower the “good guys” are equally available to the “bad guys”, equipping potential attackers with the knowledge and tools to launch sophisticated cyber assaults. This has led to an arms race, where both defenders and attackers continuously adapt and evolve in response to each other’s tactics.

Reflecting on these changes, I believe the shift towards greater accessibility of cybersecurity knowledge is fundamentally positive. It promotes a more inclusive and informed cybersecurity community, capable of rising to the challenges posed by an increasingly complex threat landscape. What’s more, it underscores the importance of continuous learning and adaptation for cybersecurity professionals.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

For those aspiring to carve out a career in cybersecurity, the journey can be as challenging as it is rewarding. My advice to budding cybersecurity professionals is two-fold, addressing both offensive and defensive aspects of the field.

On the offensive security front, the landscape is indeed expansive. My recommendation is to narrow focus early on. Cybersecurity encompasses a wide range of specialities, from network penetration testing to cryptography. Identify an area that not only piques your interest but is also in high demand. Concentrating learning efforts on becoming proficient in a specific domain can significantly enhance your effectiveness and value in the field. The temptation to dabble in multiple areas is great, but without deep expertise in at least one, you risk becoming a jack of all trades and master of none.

From a defensive standpoint, the ability to quantify and prioritise is indispensable. Cybersecurity defence is not just about identifying vulnerabilities; it’s about understanding the real-world risks they pose. Not every critical vulnerability warrants immediate action if the practical routes to exploitation are non-existent. However, this doesn’t mean such vulnerabilities should be ignored. The concept of “time of exposure” is particularly important in defence, emphasising the need to mitigate threats swiftly without compromising the business’s overall security posture. This requires a deep understanding of their assets, the potential impact of changes to systems, and how these changes affect their security landscape.

Whichever path aspiring cybersecurity professionals take, remember: the essence of cybersecurity lies in continuous learning and adaptation. The threat landscape is ever-evolving, and so they need to remain ever-curious and resilient in the face of challenges. This approach will not only propel their careers forward but also contribute to the broader mission of safeguarding the digital world.
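The defensive advice above, that a critical finding with no practical route to exploitation should not automatically outrank a reachable one, and that “time of exposure” should drive remediation urgency, can be made concrete with a small triage routine. The following is an added example written for this page; it is not NetSPI code and not something Nick describes. The route categories, their weights, the remediation targets (SLA_DAYS) and the four sample findings are assumptions constructed for illustration.

```python
"""Rank findings by practical exploitability and time of exposure.

Added illustration, not NetSPI's method. The route tiers, weights,
SLA targets and the sample findings are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    ref: str                 # internal tracking label (constructed, not a real identifier)
    cvss: float              # base severity, 0.0-10.0
    internet_facing: bool    # reachable from the public internet
    public_exploit: bool     # working exploit code is publicly available
    auth_required: bool      # exploitation needs valid credentials
    discovered: date
    fixed: Optional[date] = None


# Assumed tiers describing how practical the route to exploitation is.
ROUTE_WEIGHT = {"direct": 1.0, "reachable": 0.7, "lateral": 0.4, "theoretical": 0.15}
# Assumed remediation targets in days, per tier: time of exposure beyond these is overdue.
SLA_DAYS = {"direct": 2, "reachable": 14, "lateral": 30, "theoretical": 90}


def exploit_route(f: Finding) -> str:
    """Classify the practical route an attacker has to this finding."""
    if f.internet_facing and f.public_exploit and not f.auth_required:
        return "direct"        # anyone on the internet can run it today
    if f.internet_facing:
        return "reachable"     # exposed, but needs credentials or a custom exploit
    if f.public_exploit:
        return "lateral"       # needs a foothold first; cheap once inside
    return "theoretical"       # internal, authenticated, no known exploit


def exposure_days(f: Finding, today: date) -> int:
    """Time of exposure: discovery until fix, or until today if still open."""
    end = f.fixed or today
    return (end - f.discovered).days


def priority(f: Finding, today: date) -> float:
    """Severity scaled by route practicality, plus a capped age term so
    long-open findings climb instead of being forgotten."""
    age_term = min(exposure_days(f, today), 90) / 30
    return round(f.cvss * ROUTE_WEIGHT[exploit_route(f)] + age_term, 2)


def overdue(f: Finding, today: date) -> bool:
    """Open findings whose exposure exceeds the target for their route tier."""
    return f.fixed is None and exposure_days(f, today) > SLA_DAYS[exploit_route(f)]


def triage(findings: List[Finding], today: date) -> List[Tuple[str, str, float, bool]]:
    """Return (asset, ref, priority, overdue) rows, highest priority first."""
    rows = [(f.asset, f.ref, priority(f, today), overdue(f, today)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data (assumed, not from any real assessment).
TODAY = date(2024, 3, 1)
FINDINGS = [
    Finding("vpn-gw-01", "F-1", 7.5, True, True, False, date(2024, 2, 27)),
    Finding("db-int-03", "F-2", 9.8, False, False, True, date(2024, 1, 10)),
    Finding("web-app-02", "F-3", 8.1, True, False, True, date(2024, 2, 10)),
    Finding("build-07", "F-4", 8.8, False, True, False, date(2024, 2, 20),
            fixed=date(2024, 2, 25)),
]

if __name__ == "__main__":
    for asset, ref, score, late in triage(FINDINGS, TODAY):
        print(f"{score:5.2f}  {asset:<11} {ref}  {'OVERDUE' if late else ''}")
```

Run as-is, the internet-facing CVSS 7.5 on the VPN gateway (public exploit, no credentials needed) ranks first and is already overdue against its two-day target, while the CVSS 9.8 on the internal database, which needs credentials and has no public exploit, drops to the bottom of the list but still carries a 90-day target so it is not ignored. The weights and targets are where an organisation encodes its own appetite; the structure, route first, then severity, then age, is the point.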

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.