I’m born and raised in South Africa, based in Cape Town, and lived here my whole life, except for a few short years studying in Germany. But I don’t actually work for the South African office, I work for global operations, and specifically for our technology and marketing division. My role is global head of security research, and I run a small team called the “Security Research Center.” We represent an investment by the business into authentically understanding and talking about security problems, without an agenda. I have a very privileged position, I’m given the space and the resources I need to sincerely try to understand the problems we are dealing with, without any concrete expectations about what we will find.
Exactly! Exploring quite freely. Like anyone, I have stakeholders, there are many people in the company who are interested and invested in what we do: strategists, product managers, the marketing team, and so on. So, I don’t work in a vacuum, I have to serve the interests of these stakeholders and answer their questions.
It’s very diverse. With research, the hard thing is the questions. Finding an answer is genuinely a question of time. But finding which answers to look for, that’s much harder!
These questions come from our leadership, or from my team and our own curiosity. The biggest facet of my job is curiosity.
Depending on the time, depending on what’s going on in the world. For example,we might try to understand the implications of the war in Ukraine from a cybersecurity perspective. What is really happening? Is it escalating? How does it affect our customers? How do we have to behave differently?
Another recent example was around COVID and the lockdown. One of the questions we were curious about was this narrative aroundpeople working from home and the threat increasing at the same time.
In a similar context, we’ve been looking at another major change at that time: remote access, from a technology point of view, the new and major use of Zoom or Google Teams. We spent a lot of time analyzing the new security postures, the benefits and downsides of these collaboration platforms. What do you really mean by “secure” platforms? How do you make them secure? The question here is: what are the security attributes that we want and expect regarding the threat? How can we agree on how to take action, based on these attributes? How should our business and our customers use these platforms? We chose 6 or 7 of these technologies and put them in front of these attributes.
We go back to this one and only focus: what is the question? And immediately, what authentic data and expertise can we access to answer that question.
Here is how my team works: every year we agree on a set of themes we will work on. I keep saying: ten themes, and they keep reminding me: actually, it’s twelve! So, we have twelve and the researchers are assigned to the themes, with priorities. That requires them to stay plugged into their thing. The first challenge, as I said, is finding the question you want to answer. Some of them come to us naturally, some of them we find via the regular deliverables that we produce. For example, we produce an update every month, we produce the annual Security Navigator. It’s a guideline for our work.
And then we define a research project that will determine what the question is. What method we want to follow. What data will we need and use. What milestones we want to reach.
As a research team, we have the freedom to go down new routes until we have an answer. But because we’re working in a commercial environment, not an academic one, we must have milestones and deliverables. For example, by the end of the first two weeks, I would expect the researcher to write a post describing the question. Even when we don’t necessarily have a grandiose conclusion, we produce something.
The research method itself is multidisciplinary, so we might have technical evaluations and validations, we might use social science methodologies (for example studying cybercrime through the lens of academic criminology), we spend a lot of time on data, what we call data pipelines.
There’s a whole range of relationships. It starts with operators who give us what we call “operation intelligence security.” What they see, day to day, is the first thing to start with. Then, we have our “intelligence functions” which look outside for various aspects of the threats and vulnerabilities, etc. Then we collect external data: security news - what happened What has been published in the media? And we regularly monitor platforms used by criminals. We also have relationships with partners in this field. It’s very rewarding to share expertise.
It’s part of the work, it’s it's an ongoing activity that we probably spend too much and too little effort on… We may think about it harder than other people do, but not hard enough, I think. I mean… we have this project called “State of the threat,” which is an ongoing effort to explain: “why we’re seeing what we’re seeing.” If you understand why, you can stop making predictions about the future!
The way we talk about cyberdefense is synonymous s with the climate and the weather. You may have heard this metaphor: If you want to deal with it in your daily life, you wake up and ask yourself: “do I need to take an umbrella today?” The only way to know is to look through the window, see what it looks like. “Oh, it’s raining. Oh, there’s wind.” All you have to do is to put on your coat or take it off. What we’re experiencing is functional climate. Climate is a much bigger system, with many factors: oceans, a global pressure system on the Atlantic, ranges of mountains, coasts, etc. They determine what the weather will be like at a given place, at a given moment. In cyberspace, what we’re trying to do is try to describe what those factors are and how they can have an impact, what weather could emerge from this.
We can draw models, yes? We design a model. It allows us to hypothesize. Not predicting but seeing and explaining how things connect with each other. For example, the evolution of a currency and the effects. We have a visual, even if people disagree.
The most important skill is curiosity. I really wonder about things. You must keep pushing through and avoid easy answers. Then, me and my team have cyber skills, I mean, we have to understand every facet of the problem. Finally, communication, strangely enough. You’re only valuable if people understand you, what you’re doing and saying.
The most challenging thing is data. Despite all the data we have, cybersecurity is just a massive black hole of data. Either we don’t have it, or we can’t have it. We will never read inside the mind of a criminal, we don’t know. We just have to investigate, theorize and hypothesize. It’s a lot of guess work.
The second biggest challenge is integrity. We operate in an industry where the talkers like to tell a compelling story: something positive, coming up and worthy. Maintaining this in this context is difficult. Sometimes, your answer is: there’s no answer, there’s no answer. People don’t want to hear that. The listeners, the people who want to have solutions, they also yearn for simplicity, they yearn for: “Tell me what the problem is, what the solution is.” Most of the time, our answer is “This is not simple. I don’t have a direct answer. But I can help you push yourself out of your comfort zone.” Most of the time they don’t want to go there. I don’t blame them, but that’s the difficult part, getting the message across.
10 October 2022
6 October 2022
19 December 2022
28 August 2023