Thales’s Bridget Kenyon: ‘The number of women in infosec is decreasing’

25 Jan 2019

Bridget Kenyon. Image: Thales

Bridget Kenyon, CISO at Thales, on the rise of borders in the cloud and how to get more women working in infosec.

Bridget Kenyon is global CISO for Thales eSecurity. Her experience in information security started in 2000 with a role in network vulnerabilities at the UK ministry of defence’s Defence Evaluation and Research Agency (DERA).

Following this, she took hands-on roles as a network administrator and a systems administrator, before returning to her chosen field as information security officer for the University of Warwick.


Kenyon has advised many of the major UK banks on payment card security as well as clients in the educational, retail, telecoms and hospitality sectors. During this period, she also became involved in the development of ISO/IEC 27001 and other standards relating to information security management.

At University College London, Kenyon devised and implemented a complete information security management scheme ab initio.

She strongly believes that “information security is fundamental to reliable business operations, not a nice-to-have”.

Tell me about your own role and your responsibilities in driving tech strategy.

My primary focus is infrastructure security. That doesn’t just mean IT infrastructure, it means the operations and everyone in the organisation of Thales. Everything from: did you leave the door of the server room open? Do you leave things on your phone? Are you letting people see over your shoulder on the train? Are you having a really loud phone conversation about how you are going to fire someone? That is all information security and it is within my remit.

And then you have the obvious: can we be hacked? Are we being hacked? Do we train our staff? So, it covers quite a remit. We have a large contingent of highly technical staff so you have to use a completely different vocabulary and approach to people who turn up to the party with a tech background versus people who have a sales or marketing background. You have to know where they are coming from and what their job is, because their job often drives how they see security and whether it is helping or hindering them.

2018 was a terrible year for privacy and breaches, and I understand that threat detection today could be six months or longer?

That is optimistic. I’ve worked on host breach investigations and that is an optimistic figure, six months. I’ve seen 18 months.

What are your thoughts on hackers learning AI and deep tech?

The nefarious side of technology is just as advanced as the ethical side. Just because you are good at tech doesn’t mean you are automatically going to fall on the side of the angels.

Will cybercriminals always have the upper hand?

This is just a new playing field for old stories, that’s the thing to bear in mind. Just because it is happening in cyberspace doesn’t make it different from what has happened for many generations. In the real world, people have always tried to steal and deceive. The fact that this is happening on the internet simply means it is happening far faster and by channels people are less familiar with and don’t know whether to trust.

That’s the real problem: trust. There’s this gap between what you believe and what is the case, and people don’t understand or don’t engage with technology in such a way that there is a gap.

You could connect with someone you think you know on Facebook or LinkedIn, and it could be a complete stranger that happens to have the photo of your friend.

People like to trust things. People like to optimise. We don’t have time to do slow, rational thoughts all the time, so we skip things and look for shortcuts. It is not stupid, it is not bad, it is just what we do because it is more efficient and sometimes we come up with the wrong answers.

Because we have to learn these things for the first time, people use skip techniques to try and come to an answer faster, but these techniques don’t work. We will slowly develop ways to improve our decision-making and there will still be skip techniques, just better ones.

How bad is the shortage of skilled security professionals?

There has been an opening of the eyes over the last two or three years in the media and general population. There is a problem and it is not going to go away, and most companies are following suit and they need someone to manage it.

The more short-sighted companies are looking for someone to make the problem go away and that’s where you will start having your problems because people will look for a magic, all-purpose cybersecurity person.

And this magic, all-purpose cybersecurity person has got to have every possible skillset, from technical through operational, into strategic and ideally management as well. And they have got to be available for maybe £4.50 an hour! So you see, there is this element of unrealistic expectation in organisations when it comes to recruiting security professionals. These magical people do not exist and that’s part of the problem.

The other part of the problem is that there is a genuine increase in awareness and therefore an increase in requirements for the jobs available, and the number of people available is not increasing at the same rate. People are asking for a level of experience that isn’t common. That’s the general perspective.

Across the IT industry, women are a minority. In the security element, is it particularly glaring?

Yes, it is. If anything, in information security the number of women is decreasing rather than increasing, which is quite alarming.

How do we reverse this?

I fell into it because I found it fascinating. I applied for a job and it turned out to be absolutely fascinating. It was never an intent to deliberately become part of a minority. But certainly, people feel conspicuous if they are unusual, and making a big deal about them being unusual is a great way to put them off. That’s one thing.

But flip it over and try to make it normal and something that people do not remark upon because they see it all the time. That means building it into media, into schools, making an attempt to normalise technology that is just technology; it’s not for boys or girls, so you are not saying women in tech any more than you are saying men in tech. It shouldn’t be an agenda, it should be asking why you don’t have an even mix and identifying the latter as the problem rather than making a fuss around a token woman in a security centre.

You can’t train a teenager to buck the trend; what you can do is encourage society to be less scornful. You make tech more normal, more visible, and something that aligns with what people think is cool or is adaptable, and connect it to things that maybe are less traditional – that’s a way to swap it from being common for this gender only.

It’s not about making it for girls. It’s about making it for everybody.

Be cautious about creating role models, because if you do that you are creating unreachable targets in many cases. Bring the role models closer; make them less starry, less heroic, but more real.

What big trends in security do you predict, especially with trade wars ongoing and Brexit approaching?

I think there is going to be a wider political issue where you have had things like cloud activities available everywhere and it is all-pervasive and you can work anywhere – which is glorious until you realise that the laws are determined by physical location of data.

Countries are withdrawing like snails, putting a barrier up and withdrawing into their shells. The Great Firewall of China is an early example of this but a lot of nation states have started to create these boundaries. We are seeing little forays into cyberspace labelled ‘let’s see what happens if we attack that company’ and the people doing the attacking are governments.

Suddenly, the magic space where cyberspace has no borders hits politics and hits strategic autonomy. It’s like the difference between the Wild West and the America we see now, which has state laws and structures. The ‘anything goes’ approach is not sustainable long-term. Not when you put your hospitals online, anyway.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years