Enhancing Security to Mitigate Cybersecurity Risks

Matt Foster, Head of Information & Cyber Security, Lookers PLC (LOOK: LON)

Matt Foster is highly experienced in global operating structures with expertise spanning a wide range of security areas, including risk management, regulatory compliance, policy development, security architecture, cloud security, identity & access management, incident response, outsource relationship management, business continuity, and information technology auditing.

What are some of the major challenges and trends that have been impacting the Enterprise Security space lately?

We’re definitely not talking about ‘the new normal’ anymore – because it’s already here. The current global crises in health, social justice, climate change, war and conflict now demand a rapid rate of change that shows no signs of abating any time soon.

Our business and social evolutionary needs are existential in nature but that mustn’t mean we descend into anarchy and throw risk management away. In today’s challenging and dynamic business and economic environment, enterprise security has never been so important and getting the right architecture in place is paramount. Now, more than ever, we must be able to take pragmatic risk-based decisions quickly.

Firstly, with so many sectors forced into digital transformation by the impacts caused by the pandemic, CISOs have a brand-new set of stakeholders to educate and feed the right information into key decision making. Secondly, we’re also seeing increasing awareness of the criticality of our supply chains in both physical and digital forms. The risks we saw as unpredictable ‘Black Swan’ events only a few years ago are almost everyday occurrences now, with supply chains more fragile than we may have ever realised.

What keeps you up at night when it comes to some of the major predicaments in the Enterprise Security space?

We’ve been talking about the risk that Shadow IT – the use of information technology systems, devices, software, applications, and services without explicit IT department approval – presents for a long time.

For me, it’s the areas where we don’t have good control visibility in the broadest sense that keep me awake. A failure in Enterprise Security tends to be catastrophic in terms of impact, even if the probability is, or at least used to be, vanishingly low. That may well not be a first party one. A successful ransomware attack can be just as devastating down the supply chain – and that worries me.

Just because we have put in defences for our structured data and systems, the ransomware threat does not necessarily go away. Unless we continue to manage vulnerabilities and have robust, air-gapped, and regularly-tested recovery capability, we may as well be crossing the road with a blindfold on.

Can you tell us about the latest project you have been working on, and what are some of the technological and process elements you leveraged to make the project successful?

It’s critical we have confidence in our defences and control effectiveness. Maturity assessments, supplier audits, third-party assurance only go so far. I need to be confident our locks can’t be circumvented, and we do this through Purple Teaming – ‘mystery shopping’ for Enterprise Security.

It’s early days yet, but I’m going to sleep a lot easier knowing it’s not just the bad guys testing my defences.

Which are some of the technological trends which excite you for the future of the Enterprise Security space?

At a purely geek level, homomorphic encryption provides an exciting opportunity to allow us to not depend on purely contractual controls in the cloud when we really care. More importantly, I think we’re starting to see a shift in recruitment behaviours. Hybrid working has changed the job market forever, removing geographic boundaries in a way we’ve never seen before.

The threat landscape changes too rapidly for us to focus on talent with five years’ experience in technology Z or in defensive capability Y. Instead, we must, and I think are beginning to, focus on bringing diversity of thought process and problem solving to the security workforce.

I’m certainly proud of the results I’ve achieved with bringing fresh young talent into the cyber security profession.

How can the budding and evolving companies reach you for suggestions to streamline their business?

You can always contact me on LinkedIn (https://www.linkedin.com/in/mattfoster42/).

Do the basics well, don’t get hung up on the latest and greatest, build security in from the start and, most crucial of all, measure everything.

It’s not good enough simply to ‘do’ either. We need to demonstrate we’re doing it – every single day.
