5 minutes with Ian Thornton-Trump, CISO of Cyjax

Meet Ian Thornton-Trump. He is the Chief Information Security Officer at Cyjax, and an ITIL certified IT professional with 25 years of experience in IT security and information technology.

From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. After a year with the RCMP as a Criminal Intelligence Analyst, Ian worked as a cybersecurity analyst/consultant for multi-national insurance, banking and regional health care. His most memorable role was being a project manager, specializing in cybersecurity for the Canadian Museum of Human Rights.

Today, as CISO Cyjax, Ian has deep experience with the threats facing small, medium and enterprise businesses. His research and experience have made him a sought-after cybersecurity consultant specializing in cyber threat intelligence programs for small, medium and enterprise organizations.

In his spare time, he teaches cybersecurity and IT business courses for CompTIA as part of their global faculty and is the lead architect for Cyber Titan, Canada's efforts to encourage the next generation of cyber professionals.

Ian will be speaking on Day Two of International Security Week (ISWeek) on Countering the cyber threat and future trends, discussing current and future trends affecting cybersecurity, including the impact of COVID-19. Register for ISWeek 2020 for free now: https://www.internationalsecurityexpo.com/register-for-international-security-week

Security Magazine: What are some comparisons between nations with longer term cybersecurity strategies where governments stay in power longer (e.g. Russia, China) compared to shorter, sometimes fixed term governments (e.g. USA, UK)?

Ian: There has been a lot of discussion on this subject in recent months. I tend to believe that geopolitical realities and national policy objectives are not really swayed by the character or nature of governments. In general, economic forces and issues such as global pandemic and climate change are beyond the sphere of influence of nation state governments. This dates to the end of the Cold War and my general view of how nations have “staked a claim” in cyber or otherwise. As an example, the recent change in US Government may impact rival relationships in a positive direction. It’s unlikely though there will be cessation of cyber hostilities with China, Russia, Iran and North Korea – they will remain protagonists into the forceable future.

Security Magazine: Which type of government is better for the success of effective cybersecurity strategies: governments that stay in power longer, or shorter terms?

Ian: If I had to pick, I would say western democracies have an advantage of agility when it comes to policy, but its impact is limited. When it comes to cyber and intellectual property, clearly there is a western advantage but I think government is subordinate to the free market economy we live in.

Security Magazine: What are the issues affecting organizations outside of government and the public sector?

Ian: Despite government investment in programs and support for companies, a big issue is ransomware, which continues to affect businesses at pace. As soon as General Data Protection Regulation (GDPR) was rolled out, the industry suspected ransomware around data would become a key cybercrime tactic, and indeed it has. Only recently, Capcom, creator of Resident Evil and Street Fighter, has been demanded to pay $11m in bitcoin by hackers. There is now a multi-headed issue of traditional ransomware and holding data hostage.

Additionally, even though companies are spending large proportion of money on security, attacks are still on the rise. Demoralization sets in, because they’ve been certified, they have invested in trained staff, and some have even adopted cutting edge technology, but the capabilities of hackers adapt and succeed every single time. There is a sense now that we are resigned to the internet being a terrible sinkhole for businesses, particularly those with sensitive data, and that their defenses are inadequate against the threat of cyberattack.

However, if you are getting hit by ransomware you haven’t been paying attention to the last five years and if you think the protective technology purchased three years ago is still relevant to the current threat, you’re wrong! The rapid pace of technology creates a rapid change in the attack surface and malicious software capability.

Security Magazine: Should companies be looking to spend a lot on cybersecurity technology then?

Ian: No - it’s important to remember that the solution to every problem is not always buying expensive cybersecurity products, and it’s important that vendors realistically situate their product. Marketing is always aspirational but it should also be truthful – emotions around fear, uncertainty and doubt are used significantly to make companies believe something is a miracle product when in reality, it’s not. But, if you feel uncomfortable about where your risk is, do something about it.

Security Magazine: How should businesses go about protecting their cyber assets?

Ian: Firstly, organizations should build a threat model – what are the most important things that need protecting? What are the worst outcomes if those things are not defended? Then you need to choose a cybersecurity framework and put in security controls to mitigate the threats. Understand your threats, and if you don’t know, ask someone who does! Staff, consultant, and have them look at your attack surface and have them tell you the most cost-effective way of mitigating risks.

There’s no one solution, so educational awareness is another tool in your armory to preventing risks from materializing - pay attention to NCSC/CISA/FBI alerts. If you are reading about a giant company that has succumbed to phishing and ransomware, that should serve as a warning as to what could happen to you. Go to your IP staff and ask what will prevent this from happening. Then, it’s simple: get cyber essentials certified (plus robust backup), get a pen test and monitor the external attack surface.

Security Magazine: How should cybersecurity companies convince businesses that it is worth investing in cyber protection?

Ian: Certain functions in organizations consume information differently, so outputs need to be tailored to their audience. For example, cybersecurity professionals will have a tough time convincing operations directors they need digital defense, unless they have a pen test report that says they have holes in their system. We need to ‘hack businesses’ into understanding the need for security controls.

Cybersecurity companies should also try to support prospective clients by showing the return on investment and be clear about the deliverables. Rather than charging as one big cost, use business-friendly rates.

Security Magazine: How much of a global leader is the UK in the cyber arena?

Ian: The UK is number one because it has taken a more proactive approach at a policy level and decided that long term strategic investments will bring more capability and technology. For example, UK is putting a lot of budget into STEM, to prepare the next generation of cyber professionals for jobs. There are programs to turn around young people participating in cybercrime. The UK government has identified that the digital economy is ripe for growth, and is therefore investing in it for the long term.

However, I would say law enforcement activity and arrests are hugely lacking - it seems to be outsourced to America. Funding for bringing cyber criminals to justice is extraordinary in US and easily outpaces all other countries, plus they invest a huge amount in intelligence. The UK has abdicated on the enforcement side, and the justice system is mostly equipped to pursue traditional crime. However, it’s also possible that we simply have no visibility of their activity because of the UK’s closed court system, whereas the US issues press releases every day about those they have charged.

Security Magazine: How can governments control the mis/disinformation arena?

Ian: We run into freedom of speech and freedom of belief issues as it’s a complicated topic. We live in a diverse Western society that in many respects has a protected right to speech and belief. There is only so much we can do to combat ‘alternative facts’ before governments would simply have to outlaw certain viewpoints – but are they willing to do so?

There also has to be a criminal damage component in order for a justice system to engage and charge someone. In the past, arresting someone for a belief would be unthinkable, but the dial has shifted and there are now exceptions. Material support for extremists e.g. liking and retweeting a social media post or going to Syria to join terrorist group, is illegal.

Security Magazine: Is social media to blame for the spread of misinformation?

Ian: We are quick to throw social media companies under the bus but is it not an education problem? There needs to be accessibility to accurate information – it’s unlikely people will consume peer reviewed journal papers

Now, social media companies are moving into a realm of deciding which thoughts are legitimate, and taking action when they aren’t. This is a problem when we apply Western values to other places and do not consider the viewpoints of other cultures – multinational social media firms are not governments.

Security Magazine: Is GDPR coming of age with the Marriott and British Airways (BA) fines?

Ian: GDPR set out with the best of intentions – it’s a great idea in theory to move data privacy forward in the UK and amalgamate all the EU laws that were a big impediment for business. However, it’s lost a lot of steam because the government is struggling to provide basic services – why are they going to start caring about cookie policies at the moment?

The ICO is in a terrible position, because its resources are – rightly – being stripped in favor of vital services (health, supporting the unemployed, food) and so the backlog of cases/complaints grows every day. It also means that companies like Marriott and BA, which were fined under GDPR, are now being given government bailouts due to their sectors crashing.

People don’t care right now – in the future, perhaps, but by then the ICO will end up looking into businesses that have gone under or no longer exist. Then, the ICO will be told they are anti-business and the whole thing will fall apart.

Additionally, the largest perpetrators are not UK businesses in companies house, they are multinational conglomerates - the companies have more money to spend litigating and avoid the fines. but it is potentially now going to be deemed ‘anti-business’ in the post-COVID world.

For more information on International Security Week, visit https://www.internationalsecurityexpo.com/international-security-week or join the conversation online:

• Follow International Security Expo on Twitter: https://twitter.com/ISE_Expo

• Follow International Security Expo on LinkedIn: https://www.linkedin.com/company/internationalsecurityexpo/

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.