How did you end up in your current role at Mimecast, and what attracted you to the industry?
I’ve been with Mimecast for 12 years. I started in a channel role in the UK in 2007 and worked in a range of roles across channel account management and sales before opening the regional HQ in Melbourne in 2013.
Like most people who work in the tech sector, and specifically cyber security, I really enjoy the fast pace of the industry. It is constantly changing, and I’ve been lucky enough to be with the company during a time of huge growth, an IPO and a number of acquisitions. Email is such a vital part of business communications that working with our customers and partners to improve this crucial part of their cybersecurity adds immediate value. This is rewarding.
What do you see as the biggest risks for organisations now, and where do they come from?
Our customers have large and sophisticated technology and security environments, and while they are very savvy when it comes to security, the problems they are solving are complex and moving at a faster pace.
Apart from the ‘weaponising’ of technology to increase the volume and variety of email threats, we also see more sophistication in the way that social engineering is now used to manipulate users into opening nefarious emails.
With the volume of threats increasing so substantially and approaches changing so rapidly, perhaps the biggest risk is that the event that will happen in 12 months’ time isn’t even on our radar yet.
What security-related behaviour or policy have you observed to change the most in the past year?
There’s certainly an acceptance among our customers and partners that security awareness training has been largely ineffective – and a realisation that they must think in terms of behavioural change, rather than compliance. Security awareness training and testing is fast becoming a must-have capability for organisations as, increasingly, hackers have found success and are exploiting an uninformed, apathetic or careless insider.
Our customers and partners have been looking for a way to formalise their security processes to address the ‘human element’ of cyber resilience, by measuring outcomes rather than completion rates, analysed through metrics and end-user testing. Employees inevitably play an important role in maintaining a secure business environment, so there is an appetite to ensure that we can address the human element in a meaningful way. While there will always be increasing sophistication in the type of threats, and the technology response to them, investment in structured cyber awareness programs is increasing.
Is the security industry getting better at using tools like threat intelligence and collaboration policies to work together against a common threat?
Yes, we absolutely believe it is. In almost all cases, customers and prospects we talk to are looking for ways to consolidate the number of vendors they utilise to a smaller number of platforms that ideally integrate easily with each other.
We're seeing more collaboration with other vendors allowing customers to maximise their current or planned investments, reducing administration time, and immediately gaining deeper insights into today’s advanced threats.
The vendor landscape is cluttered and fragmented, and there is a crop of best-of-breed vendors working in partnership with the aim of taking the pressure off CISOs when making investments in security products, away from siloed solutions. This is a very important development in the cybersecurity sector, and one that we are pleased to be a part of.
How has availability of cloud-based services changed the way you deliver your solutions?
Cloud has been at the heart of our offering since inception and having a pure cloud, multi-tenant architecture means that we can innovate quickly, while customers can benefit from our strategic acquisitions and threat intelligence functions. We have acquired four companies in the past year and all of them quickly integrated deeply into our existing architecture, becoming part of the core fabric of Mimecast’s platform.
Our customers need to be able to respond quickly, and at scale, to threats – and a cloud native, hyperscale service that allows for adaptability, security tech and engine stacking at scale with no latency has been an important part of our ability to effectively support the organisations we work with.
What changes have you seen in your engagement with senior executives and board members?
There has been a growing awareness and focus on cyber resilience at both the board and senior executive level - particularly in terms of risk management, governance and business continuity.
A good example of this is The Australian Institute of Company Directors (AICD) cybersecurity education program for directors and executives run in conjunction with CSIRO’s Data61 that started at the end of 2017. There is a growing understanding that being cyber resilient is vital for an organisation to meet its organisational responsibilities. It isn’t just about ticking a box; it is ‘table stakes’ for being a viable business and fundamental to an organisation’s ability to function.
How has increasing regulation changed your security priorities and those of your customers?
The regulatory environment of NDBs and the GDPR has helped make privacy a priority, and while we may have some confidence that information is held securely (as there is now a carrot and stick approach to securing personal data), the NDB Insights Report highlights that we still have a long way to go with one in three incidents still relating to human error. We need to ask the question as customers and businesses – what information does a business need and why? The ethics of privacy affects everyone, and businesses can only start to address this with a cyber resilience strategy and whole-of-organisation approach.
While not a regulation per se, The Royal Commission into the Financial Services Industry sent a shockwave through the sector, as well as other industries not directly affected. While the focus of the Royal Commission was about misconduct, it was very clear how much time and resources were spent scrambling to get the requested information together, and the role that email played as part of the evidence that process was (or wasn’t) followed. As a direct result, we are seeing big shifts in the strategies that organisations are taking to archive their email in a way that is accessible, but also secure and cannot be deleted.
What difference do you see between government and private sector in cybersecurity needs?
For the most part there are more similarities than differences between government and the private sector. Both are ‘broad churches’ with some areas of government and the private sector having very mature cyber strategies, while others demonstrate there is still a lot of work to be done from an awareness perspective.
One of the other similarities is around merger and acquisition activity in the private sector, which in government would be equivalent to ‘machinery of government’ changes. Both require a detailed review of cyber resilience plans to ensure that in each case the new organisation has implemented the highest level of protection and hasn’t inherited vulnerabilities or poor practices.
An area where we see a marked difference between public and private would be in the ‘war for talent’. We know that employees with cyber skills are often difficult to find, and the private sector has a lot more flexibility in what they can offer in terms of remuneration packages. This can be a challenge for government, but on the other hand we also see a lot of skills transfer within the public sector that can level the playing field.
An example of this might be someone moving from defence into a different part of government in a cyber role.
So, while there might be budget limitations on how government might be able to compete with the private sector, they do have the advantage of being able to draw from the experience of a large and diverse public service.