Q&A with Jane Frankland: GDPR, CISOs, and Women in Cybersecurity

Jane Frankland is an award-winning entrepreneur, speaker, and consultant in cybersecurity and entrepreneurism. For more than 20 years, Jane has been focused on cybersecurity, and has been actively involved in OWASP, CREST and the Cyber Essentials scheme. She a prolific author, having been featured in leading publications and appeared on iconic British media programmes. She has also just published a new book about women in security.

We recently had the opportunity to ask Jane for her thoughts on GDPR, her new book, and why it’s so important to bring more women into the cybersecurity realm. Here’s what she had to say!

You’ve run a penetration testing and cybersecurity consultancy for nearly two decades. The sector has undoubtedly changed in that time, so what do you see as today’s top two most pressing cybersecurity issues for enterprises and their CISOs?

It really depends on the type of company and whether it’s driven by compliance or security. If it’s compliance driven, then the main focus is on the GDPR, as the regulation comes into effect in May this year. CISOs are particularly concerned about whether they’re going to be adequately prepared in time. Many are also concerned about its interpretation as many areas are still being debated amongst those made responsible for it. No one’s happy but the advice that’s being given to UK businesses by reputable solution providers is not to panic, as essentially it’s just a more proactive revision of the DPA (Data Protection Act of 1998) with severer sanctions for non-compliance.

If the enterprise is security driven, then right now there’s a lot of focus on cyber terrorism, state sponsored attacks, and maintaining trust. Last year, we witnessed some unprecedented disruption, as WannaCry and Petya ransomware hit businesses, and serious new vulnerabilities like BlueBorne were discovered in almost every connected device. Traditional institutions in banking, media, law-enforcement, judicial and government sectors were scrupulously targeted and that’s why CISOs within them are working so hard to ensure they know how to detect attacks, respond to them and are resilient. So, whether it’s ransomware cyber-hijacking or something else they have to have answers ready, recover fast and with the minimal impact to the business.

You’re a CISO Advisor and have served on the advisory board of ClubCISO, which brings together senior cybersecurity leaders. When you’re speaking with these security executives, what are they most concerned with on the operational side? Is it internal struggles, access to talent, lack of awareness, or something else?

It’s all of those things. Access to good talent is a huge concern for them but so is retention. When it comes to awareness most are talking about culture and addressing it. But, the other area that affects them, operationally, is communication. Many have risen up through technical ranks and when it comes to being able to engage with the board or other stakeholders in the business they struggle. It’s rare to encounter a CISO who understands business plus how to sell and market, and     knowledge of these areas and skills are needed.

Related to GDPR and your “Minimalist Guide,” what is the absolute minimum organizations can (or should) do with respect to GDPR?

In my view, all organizations should have completed a readiness assessment, have formulated a plan and be implementing it.

In a post for Microsoft’s Modern Workplace series, you argued that GDPR can be used to help organizations “increase their revenues through improved brand positioning and innovations.” Since CISOs are being pushed to bring GDPR and security issues into the boardroom, can you explain how they can turn the security conversation from a necessary expense into a driver of business growth?

The GDPR presents a huge opportunity for organizations to cleanse dysfunctional practices, cut uneconomical expenditures, and deliver profits. It enables trust, transparency and data protection to be built or rebuilt, whilst advancing revenues.

Smart CISOs are therefore using the GDPR as a business enabler, and are seeing it as a means to take their business to the next level. Instead of focusing on negative aspects, like how much work they’ve got to do in order to comply with the GDPR, they’re embracing it and sharing success stories with their clients, customers and strategic partners. They’re communicating what they’re doing to improve their data protection and how they’re complying with the GDPR. Essentially they’re using the legislation as a unique selling point and way to position their organization above another in the market.

Related to GDPR, vulnerability disclosures, and other security issues that are increasingly influenced by government entities, what role do you think governments should be playing in the cybersecurity sector?

In my opinion government should be taking a much more proactive role in cyber security. The appetite is there and over the past two decades, I’ve seen the UK government try. They’ve started some good initiatives, like the Cyber Essentials Scheme, the Cyber Security Challenge and the NSCS. However, I believe there’s room for improvement. As they’re the single largest buyer of products and services, I’d like to see them setting standards for security, leading by example and collaborating more with industry. Their processes and systems should be examples of excellence.  

Your new cybersecurity book is titled IN Security: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe. Why do you think it’s so important to bring more women into the cybersecurity sector?

IN Security is all about why a failure to recruit and retain women in cybersecurity is making us all less safe. It’s a book for men and women and is fundamentally about performance. We know from research that gender-diverse teams are more productive, innovative and able to stay on schedule, and within budget, compared to homogeneous teams. Furthermore, when women are at the helm of business, in leadership roles, not only does Gross Domestic Product (GDP) improve, but also there’s more diversity in the workforce, contributions to charities and support of local businesses. And, when women are politically and economically empowered, societies are more stable.

But, the reason why women matter so much in cybersecurity is because of the way they view and deal with risk. Typically, women are more risk averse, compliant with rules, and embracing of organizational controls and technology than men. They're also extremely intuitive and score highly when it comes to emotional and social intelligence, which enables them to remain calm during times of turbulence – a trait that's required when major security breaches and incidents occur. Having better diversity is crucial as it enables the industry not to be blindsided and to perform to a higher standard. This book is all about that. It includes hundreds of stories from women and men around the world plus a tonne of data.

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.