Interviews 04.06.2024

Five Minutes With: An Associate Professor and University Reader in Cybersecurity

Dr Jason Nurse names AI as the biggest unsolved problem in cybersecurity. And he believes that good cybersecurity training is the bare minimum for improving cybersecurity posture.

In addition to his role in academia, Dr Jason Nurse is also the director of science and research at CybSafe. Obsessed with the people-centric side of cybersecurity, this wannabe chef considers AI the biggest threat to the profession and thinks cybersecurity could learn a thing or two from the healthcare sector…

How did you land in the world of cybersecurity?

I’ve always been interested in technology. At university, I completed a double major in computer science and accounting. When I began my career as an auditor, I realised the path wasn’t right for me. I decided to pursue a technology-based career, which led me to cybersecurity. What sent me down the human-specific path of cybersecurity was my post-graduate education and experience. While completing my master’s degree, I participated in a cybersecurity project, which led me to decide on business cybersecurity as my PhD focus. When I started my PhD, I noticed the social and people-centric side of cybersecurity was being ignored, and the technical aspects of cybersecurity were being favoured. I wanted to do something that could help fill that gap and make the long-ignored, human-centric side of cybersecurity finally seen.

Dr Jason Nurse is the Director of Science of Research at CybSafe. Dr Nurse is also a Reader in Cyber Security at the University of Kent.

If you could retrain for a dream job, what would it be?

A chef. Cooking is a temporal activity, a unique blend of art and science that happens in the moment and offers immediate gratification to those present. I think there’s also a part of being a chef that requires a lot of research, which is something I already enjoy in my current position.

What’s the biggest misconception about cybersecurity?

The belief that people are the ‘weakest link’ in the security chain. This view, often echoed by out-of-date cybersecurity professionals and the media, unfairly labels individuals as liabilities. In reality, businesses are responsible for empowering their employees with the proper knowledge, motivations, and environment. Employees can become crucial assets in protecting an organisation’s data by providing comprehensive support, fostering a positive security culture that avoids blame and fear, and using tools that make the secure choice easy (like SSO). Transforming the narrative from blame to empowerment enhances security and effectively leverages human potential.

What’s the best thing about your job?

The best is the opportunity to shed light on the industry’s underrepresented areas and look for new, innovative solutions to counteract the de-prioritisation of cybersecurity across various sectors. There’s a significant sense of accomplishment in contributing to the development of something bigger.

And the worst?

One of the greatest challenges in this industry is navigating the balance between compliance and culture. Many organisations adopt a compliance-driven approach, focusing on meeting minimum requirements to protect themselves from liabilities. They hold a checkbox mentality which improperly prepares employees for the realities of today’s cyber threat landscape. Changing people’s views on cybersecurity from a simple requirement to a vital part of a company’s consciousness, where everyone shares responsibility, is challenging but crucial.

What advice would you give to industry n00bies?

The best advice I have ever received, which I will pass along, is to take the time to keep learning. I would also implore industry n00bies to set aside time every day to concentrate on critical tasks. There will always be emails and Teams/Slack messages to reply to, but on most occasions, they can wait. It’s also important to block out the outside world occasionally if needed. Focus is important – if you need to pop on your noise-cancelling headphones and put your head down occasionally, you should.

What’s the biggest as-yet-unsolved problem in cybersecurity?

The most significant unsolved problem is the advancement of artificial intelligence (AI), which has made cybersecurity an even more complex issue, moving the goalposts for anyone trying to protect themselves or their business. As AI continues to evolve in complexity, cybersecurity strategies are continuously trying to play catch-up with evolving cyber threats supported by AI. The complexity of AI-powered cyberattacks introduces new vulnerabilities and challenges, complicating detection and prevention.

“The complexity of AI-powered cyberattacks introduces new vulnerabilities and challenges”

What industry or sector do you think cyber could learn from?

The healthcare industry, particularly in its approach to human behaviour change, has primarily focused on encouraging individuals to adopt healthier lifestyles, from increasing their physical activity to improving their dietary habits.

Similarly, changing user behaviour in cybersecurity is crucial for enhancing security and keeping people safe online. Just as healthcare professionals communicate the benefits of a healthy lifestyle and the risks of neglecting health, cybersecurity experts and other leaders must emphasise the importance of adapting healthy security practices, being safe online, and the consequences of complacency.

How can CISOs be more transparent when communicating with employees about cybersecurity?

CISOs can enhance their communication by adopting a more transparent and engaging approach, focusing on the core reasons behind security practices and policies.

I’ve been inspired by the concept of ‘starting with why’, a principle detailed in Simon Sinek’s book Start with Why. Emphasising the underlying ‘why’ behind cybersecurity efforts demystifies the measures and makes their significance clearer and more relatable to everyone involved. Work out what makes your people tick and align your messaging to that.

It is also important to acknowledge that employees are intelligent and capable individuals who can become proactive participants in an organisation’s cybersecurity culture.

Why is good cybersecurity training important for getting employees involved in preventing cyber attacks?

Forrester predicts 90% of cyber attacks will continue to include a human element, such as clicking on a malicious link or opening an infected file. Good cybersecurity training is the bare minimum. It plays a small role in safeguarding an organisation’s data, protecting its reputation, and facilitating long-term success. But most people don’t need or want more training. They need support and guidance delivered at the right time, in the right way. Nudges reinforce safe cybersecurity practices among employees, effectively reminding them to stay vigilant and continuously promote security awareness.

“Emphasising the underlying ‘why’ behind cybersecurity efforts demystifies the measures and makes their significance clearer and more relatable”

What can CISOs do to make it easier for employees to follow cybersecurity rules and practices?

Employees who understand how cybersecurity rules and practices directly impact them have an easier time understanding and following them. They are more likely to care if they feel more connected to an issue.

It’s important that CISOs start with the ‘why’ behind implementing cybersecurity initiatives and then communicate individuals’ stake and benefit from improved cybersecurity. Incentives can be an excellent way to drive a sense of self-importance and individual responsibility, aligning outcomes directly with employees’ roles and responsibilities.

COM-B is an effective strategy for CISOs to use when framing the importance of cybersecurity. Behaviour, or behaviour change, happens because of people’s capability(C), their opportunity(O), their environment, and their motivation(M), which includes a mix of self-efficacy and situational understanding.

COM-B states that for a person to perform a behaviour, they must (1) feel able, (2) their environment must let them, and (3) they must want to carry out the behaviour more than competing behaviours.

Do you think the SolarWinds lawsuit will deter people from taking a CISO role?

It is no secret the SolarWinds saga has sparked heated discussion among CISOs, with many deeply concerned about personal liability. Some CISOs believe they and their peers may walk away altogether or shorten their already brief average tenures. If CISOs aren’t getting C-Suite support in resolving security flaws, is it worth staying in their role and potentially being held liable for issues leadership isn’t prepared to fix? It may well be too much of a risk for some CISOs.

What’s a CISO’s biggest headache?

A CISO’s biggest headache stems from a constantly changing threat landscape, coupled with the increasing demands and scrutiny from board-level leaders. CISOs need to stay ahead of sophisticated and ever-changing cyber threats, but they must also manage heightened expectations from corporate leadership regarding security posture and risk management. Effectively, the role of a CISO has transformed into a constant juggling act: managing board-level communications and expectations, engaging with internal and external parties to promote security, and adapting to a fast-shifting regulatory landscape, all while staying one step ahead of attackers, who are themselves constantly innovating. This multifaceted challenge makes the role of a CISO one of the most demanding in the modern corporate world.

Latest articles

Be an insider. Sign up now!