BSI’s Stephen Bowes: ‘Data management needs a layered approach’

2 Aug 2019


Stephen Bowes, head of technology at BSI Cybersecurity and Information Resilience, talks about his approach to driving tech strategy, protecting and managing data, and the trends that are changing the cybersecurity industry.

Over his 25-year career, Stephen Bowes has gained extensive industry knowledge and developed expertise in the areas of cybersecurity, risk management, cloud security, solutions delivery and project management. Bowes studied mathematics and physics at Trinity College Dublin, and during his studies he worked at CERN as a nuclear physicist on the renowned discovery of anti-hydrogen.

Today, Bowes serves as the head of technology at BSI Cybersecurity and Information Resilience.

Tell us about your role and your responsibilities in driving tech strategy.

In my role, I am responsible for identifying new and emerging technologies and leveraging them to deliver technology projects to advance our skills, both internally and externally, for our clients. Technology plays a crucial part in what we do and it’s very important that we don’t just advise on best practices, but also recommend preferred technology to our clients.

A core part of our strategy is our technology portfolio forum that I chair. It’s comprised of team members across several departments. During the forums, we scan the technological landscape to identify software and services that meet the current and potential future needs of the company and our clients. We meet regularly to ensure that we stay ahead of trends and to apply a rigorous screening process to ensure that what we select is the best of its class.

What are the biggest security threats to your business?

Like any of our clients, we are subject to a range of attack vectors, including email phishing, social engineering and attacks on our supply chain. What helps us remediate risks is our active technical staff engagement, our use of appropriate technologies and our continual planning. We also maintain a strong culture of awareness around cybersecurity.

We have a highly skilled and mature incident management team following defined processes, which ensures that we have a measured and collective response to threats. Being ISO9001 and ISO27001 certified means that we are subject to several internal and external audits annually. This really cements the right mindset needed to identify and react quickly to any threats that might arise on a day-to-day basis.

In your view, how can we better protect and manage data?

I would say that understanding data and its life cycle, from creation through to destruction, is fundamental! As data is stored, knowledge of those storage repositories, irrespective of where they are, is crucial. Secure processing of data via databases and applications, the secure transporting of data, and the acceptance that the internet is now part of the corporate network need to play a part in the data security strategy of any organisation.

Cloud services are a core part of the current digital transformation for organisations. The role that the public cloud plays in an organisation’s supply chain resilience has become so important. Due diligence needs to be taken to protect an organisation’s data assets. What needs to be recognised, regarding data being placed in the public cloud, is that it is not automatically being backed up. While cloud providers have strong infrastructure resilience, any issues that arise in the data, such as inadvertent deletion or deliberate manipulation, are synchronised within that architecture – this may cause organisations issues at a later point if that data is called upon.

Organisations also need to review any blind spots in their data architecture, such as having visibility of data movements between cloud providers or across data centres.

Identity management is incredibly important, so securing users’ identities using features like role-based privileges, single sign-on and multi-factor authentication is vital, especially as we diversify our users’ working models and our application estate evolves outwards.

Ultimately, data management is a layered approach that needs to be incorporated into a company’s processes. Data owners need to recognise the responsibility that they have.

What are your thoughts on digital transformation and how are you addressing it?

It has been a fantastic time to be in the industry, observing substantial digital transformation taking place. The extensive use of the public cloud, changing of working methods, adaptation to new technologies and the breaking of the traditional ‘castle and moat’ model has revolutionised working life today. It has provided opportunities for businesses to grow beyond traditional boundaries, utilise scalable technologies at a fraction of the price, and become more attractive to new global talent.

It poses challenges too, particularly for C-level executives, where management, governance, security and risk are concerned.

We have adopted several innovations into our technology suite and one example that stands out for me is remote working – my team no longer work in an office 9 to 5. The transformation is still in progress, and I’m looking forward to seeing it evolve and being part of it over the next few years.

How do you lead and coordinate your team?

I try to lead by example and have been fortunate to have worked with exceptional professionals, companies and clients over the years. A pragmatic, business-oriented approach is adopted by my team members, of which there are seven in total. This puts our clients’ needs first, ensuring the technologies we use do the heavy lifting, allowing our team to apply insightful analysis as needed. We also work closely with our global BSI family to achieve synergies, raise standards and diversify the support structure for our clients.

What major tech trends do you believe are changing your industry? How are you aligning with these trends?

There are several technologies such as machine learning and SOAR (security, orchestration and automated response) systems that are really coming into play in our industry at present.

With the volume of events being generated and the corresponding shortage of skilled staff, it means that C-level technology executives are becoming more reliant on technology. They are using it to analyse the events and apply actions based on predetermined logic, allowing them to free up their staff for higher value analysis. The machine learning system’s accuracy is increasing in incremental stages as systems handle more events. While there is no all-encompassing solution available at present, there are several options that organisations should review if this is a strategic objective for them.

I also recognise the financial trends such as the shift from Capex to Opex budgeting that is proving challenging for many businesses. While we extol the virtues of cloud-based services, and rightly so, this budgeting shift is reducing the leeway that a C-level executive has when it comes to adjusting work programmes and requirements. Before this shift, exercises like the extension of hardware life cycles gave executives the flexibility to meet an unexpected non-project-based item. This flexibility is shrinking year on year as the shift in percentage budgeting moves more towards Opex.

Another similar challenge in our digital transformation journey is the need to find budgets for securing new channels that arise but had not previously been budgeted for. In order to meet these challenges, we look to avail of security features bundled into existing services. We conduct return on investment exercises, comparing the costs of legacy security arrangements to newer technology.

Are you spearheading any major initiatives you can tell us about?

We have recently acquired a cybersecurity consultancy based in the US and we are working through the integration process now. They bring different ideas, technologies and processes with them and whilst there is an overlap upward of 80pc, they have new and different ways of doing things, which excites us.

As our cybersecurity practice is now a global one, we are achieving synergies in reporting and technology, which brings savings of time and money. This means we can reinvest in what we do to further elevate our delivery and service levels. Our global expansion also makes us more attractive to new hires, which is an advantage in today’s challenging recruitment environment.


Kelly Earley was a journalist with Silicon Republic