Cyber is as Much Psychology as it is Technology

November 23, 2020 • Caitlin Mattingly

Joining us this week is Pierre Noel, managing director for Europe at ISTARI, a company providing global cyber resilience services for businesses.

Pierre Noel has enjoyed a remarkably broad professional career, with time spent at IBM, KPMG, Microsoft, and Huawei, in both deeply technical and business roles. He shares his insights on the ways culture impacts security, the importance of threat intelligence (if your organization is ready for it), and why he believes things are likely to get a lot worse before they get better.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 185 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Joining us this week is Pierre Noel, managing director for Europe at ISTARI, a company providing global cyber resilience services for businesses.

Pierre Noel has enjoyed a remarkably broad professional career, with time spent at IBM, KPMG, Microsoft, and Huawei, in both deeply technical and business roles. He shares his insights on the ways culture impacts security, the importance of threat intelligence (if your organization is ready for it), and why he believes things are likely to get a lot worse before they get better.

Pierre Noel:

By design, I’m a deep techie, but I’m quite old now. So I started 30 plus years ago. So initially, I went very deep into technologies. I worked with IBM on creating the first version of AIX, worked on the operating system, the kernel level. Then I got very much attracted to information security, especially because I found out that information security people were meant to think differently than the standard IT people and again, we are talking about 30 years ago.

And I got dragged into information security. I got very, very, very technical on information security. I participated in the open software foundation and in that community, I worked a little bit on Kerberos 5. So I added some small elements into Kerberos 5. Again, long, long time ago.

And then I evolved into better understanding business moving towards understanding the link between information security and the business side. More precisely, risk management, enterprise risk management. I’ve been very fortunate to find a few managers, people who really taught me to be better, to be better as a potential business person, as an entrepreneur. I built two organizations, one which we sold to an American telecommunication company and the second one, which we sold to IBM.

And so I continued into my evolution. I was very much into enterprise risk management and then my good friends at Microsoft were quite interested for me to consider working with them and I loved them. And so I accepted the role of Chief Security Officer for the Asian time zone at Microsoft, which was a wonderful time where I had not only to end all technical and sophisticated problems, but also to help emerging countries to address the emerging cybersecurity issues, a truly wonderful time.

Then I became the CISO of a very well-known company, that is Huawei, the Chinese company. I was the worldwide CISO and Chief Privacy Officer for the enterprise at Huawei, where I learned a great deal on how to operate in a Chinese organization, which was completely different from my experience in operating in non-Chinese organizations.

Then after some time, I got a little bit bored, let’s say, working with Huawei. I moved to Switzerland. In Switzerland, I built the community, an information sharing community with all the Swiss finance community, about 100 organizations across Switzerland. And we started sharing information above and beyond what a typical ISAC, information sharing analysis center would do.

And then I got convinced to join ISTARI, which is the company I’m working for right now. I’ve been with ISTARI for five months. ISTARI is a brand new organization. It’s a different type of organization. And from my experience, I concluded that this is exactly the type of organization we needed to have. So the very moment I learned about ISTARI and about what it was all about, I was really adamant to join and so it is. So I’m now the managing director for Europe, Middle East, Africa, and a little bit for the U.S.A. at ISTARI.

Dave Bittner:

Well, can you give us some insights, what is your day-to-day? What takes up your time these days?

Pierre Noel:

Well, my day-to-day is, I have to divide my time in between three things. One, is to manage my wonderful team as any manager would have to do. Another one is we have a community of members. Some would call that client, I prefer to call them members. These are very big organizations all over the world with which we have decided to have a very close, trusted relationship. And so a certain amount of my time is to engage with this community, try to understand what’s going on, try to understand the emerging problems, trying to understand what’s happening over the horizon, as well as the most immediate problems. So that’s one big aspect of my time.

And another aspect of my time is, ISTARI is also investing into cybersecurity and overall digital risks organizations. So I spent quite some time talking with emerging organizations in the digital risks cybersecurity field, talking with venture capital, talking with thought leaders, talking with regulators, trying to understand, well, what is happening? What is relevant, trying to create an ecosystem, if you will, of organizations in which we can invest. And also trying to understand the need for today, tomorrow in the next six months on the typical customer side.

Dave Bittner:

It strikes me that with your experience, you have something that I think a lot of people don’t, which is a real view of the global situation when it comes to cybersecurity. Your experience has taken you around the world, literally. And I’m curious what insights you can share about that experience. I mean, having been to different parts of the world and seeing the way that different cultures approach cybersecurity, are there lessons that you’ve learned there? Are there important take-homes that you can share?

Pierre Noel:

Oh, that’s an extremely good point you make. Well, first let me just share a little bit. I’m very hopeful to sit on the board of advisers of Airbus, the avionic and space and defense organization. I’ve been sitting on this star community as they call it, for many years. And the reason why they invited me is because they said, I understand cyber, I work for an American company. I’m a European person, I’m a Belgian guy from heritage. And I lived 30 years, well, nearly 30 years in Asia.

So I’ve got a very good understanding of what’s happening on a worldwide basis when it comes to digital risk cybersecurity. So you’re quite spot on. What I found out is, well, the risks are the same. I mean, I have worked with, if you will, the equivalent of the CISO of the Chinese government when I was working at Microsoft, and I found out that this gentleman has exactly the same problem as any other CISO anywhere in the world, in any other country or any other enterprise. He’s faced with exactly the same problem.

So the problems we are faced with are the same. The difference, if you will, reside in the sophistication. Some organizations, some countries are way more sophisticated than others. For some, we could speak about bits and bytes issues. For others, we are talking about just learning to walk and certainly not to learn to run. And the other thing that is critical to me is the difference of culture, also at the organization level.

I found out, and I have wounds all over my body to prove it, because I found it out the hard way. I found out that you cannot take something that works in one culture and pluck it into another culture and hope that it will work the same way. It’s not true. Cyber information security is as much psychology as it is technology. As I usually say, behind every cybersecurity incident, you have a human being. Either because you have an attacker attacking us for whatever reason, or because we made a mistake, a human mistake in the way we tried to configure, to deploy our security at the organization.

And so it’s very important to integrate the cultural aspect, to make sure that a message is done, is propagated the right way, make sure that people synchronize and there is some crystallization around some problems. And the way it works in the U.S.A., it’s not the way it works in Korea. It’s not the way it works in Germany and so on and so on. So my experience told me that the problems are usually the same, but the way you address them varies. And you’ve got to be very cognizant of this cultural aspect to be able to do it the right way.

Dave Bittner:

It strikes me, I wonder if a good analogy is the car industry. We have car manufacturing all over the world, but some people prefer a car made in Germany. Other people prefer a car made in England or one in France or the U.S. Each of those cultures brings their own unique sensibilities to the process of designing and manufacturing automobiles. Is there a similar thing in cyber?

Pierre Noel:

That’s exactly right. Yes. In some organizations, you are in a position where you can instruct everyone on what to do. In other organizations, even in the same industry, you just cannot do that because the culture will push back and people will ignore you. So in some places, very similar to your automobile analogy.

Some people would like a big truck. Some people would like a very lightweight French car and whatnot. So in cybersecurity, I really found out that you just cannot come and say, well, it worked in my bank in the U.S.A., therefore, it’s going to work in my bank in Japan. Well, no, it’s not going to work the same way.

Dave Bittner:

I want to get your take on threat intelligence. And the part that you think that it plays in an organization’s defenses.

Pierre Noel:

Well, threat intelligence is critical once you have reached a certain level of sophistication. A mistake some people make is that they jump straight into threat intelligence, whereas they do not have the basics right, so that is a mistake. Threat intelligence is something, I repeat myself, critical, but you have to have a good need for it.

I see disorganization at two levels. I see organizations that are sophisticated and have a capability to absorb threat intelligence because they’ve got their own threat intelligence officer and whatnot. And I see organizations that have reached a level of maturity, where they see the value of threat intelligence. It’s actionable to them, but they do not have the capability to absorb. In which case, they need a threat intelligence that is a little bit more digested for them.

But so if I have to summarize, I would say, I see three categories, organizations that are not yet in a stage where threat intelligence could benefit them and we still have a lot of them, organizations that are in the stage where threat intelligence could benefit them, and we are talking about a peer-to-peer discussion, that is someone like Recorded Future can feed information to the threat intelligence officer, he/she knows what to do with that.

And you also have this category of an organization that will benefit from actionable information, but you have to give them the information in a very precise way. You should not expect them to do the investigation by themselves. You have to tell them, through a book, okay, this is page one, this is what you have to do. This is page two, this is what you have to do, and so on. So we’ve got the three categories. At least from my understanding of the market right now, this is what I see.

Dave Bittner:

Are organizations typically self-aware when it comes to understanding where they are in that journey?

Pierre Noel:

Oh God, no. Oh, no. Usually, they’re not. Yes. But again, the mistake or the fault might reside on the threat intelligence companies, because of course, the purpose of a business company is to offer its services or technologies, so they’re trying to reach out to as many people.

Let me take the example of Switzerland, a wonderful country. The finance industry in Switzerland, wonderful people, truly wonderful people. But however, I would not qualify that every finance organization in Switzerland is at the level where they can really receive threat intelligence and make it actionable.

Some of these finance organizations are at a stage where they have to do other things that are more priority, higher priority in order to ensure that they have decent cybersecurity protection before they look at threat intelligence. Yet the threat intelligence people, the salespeople would contact them and tell them that if they had threat intelligence in place, of course the environment would be significantly more secure. That’s not true, but fair enough. They’re trying to position their technologies. I respect that. But definitely, these organizations by and large are not ready. And if they receive threat intelligence, they won’t know what to do with that.

Dave Bittner:

Again, getting back to the experience that you have, it seems to me that you have the ability to translate between different people in different worlds. You have deep technical understanding, but you also understand the business side of things. And I think that’s a valuable and rare thing to find out there. I mean, I suppose you’ve certainly found that to be to your advantage.

Pierre Noel:

Well, I must admit, yes. I think I’ve been extremely lucky at the moment when I dug deep enough on the technical side that I found that perhaps there was no point going any deeper, but it was time to understand the motivation behind it. And I started going into better understanding the business and the risk management at the enterprise. So I think I have been extremely lucky.

I also recognize that many cybersecurity experts, even at the CISO level, did not have that opportunity, did not have that chance. And there is definitely across the community, a need to enlighten. That’s probably not the right word, but expose our wonderful cybersecurity people to other parts of the business, other parts of the problem so that they can understand where cybersecurity fits. And they can also understand to communicate themselves a little bit better.

I’ve got a good experience. Again, one of these experiences that gave me a wound somewhere on my body. I worked with an airline organization several years ago. I worked for the IT department of that airline organization. And we started looking at the risks, at the cybersecurity incidents that could happen. And we started identifying many cybersecurity incidents, potential incidents that is, risks.

And so we said, oh my God, this is really important. We absolutely have to go to the board and tell them about that problem. And so we built our landscape of the risks and this big risk that we should not tolerate, these risks are bad, they are really bad and this risk somewhat, okay. So we were really gung ho.

And we went to the board and we exposed what we had found out in order for the board to understand that cybersecurity was really important. And you know what? The board laughed at us. They looked at us and said, well, thank you very much, but what you consider to be a big risk in the context of your cybersecurity, in my context of an airline where a plane could crash and people could die, this is nothing.

So I learned the hard way that if you want to be understood, you’ve got to align your message with what’s happening across the organization or across the country. But you have to elevate your message and realize that what is critical for you, might not be necessarily understood by the other people in the organization. And that doesn’t mean they are dumb and you are bright. That might mean that you are missing some element into the multidimensional aspect of the business.

And so there is a clear need for CISO and cybersecurity practitioners to be humble and to realize that we have to integrate what we know in what we do in the context of an organization, in a context of something larger. And there is a need for us to speak in a language that can be understood by these people who by and large because they see us as wizards, these people, we speak a strange language. We don’t have a clue of what they do, but well, they seem to know what they’re doing and that’s where the communication ends.

I think this is a problem that needs to be addressed. Like I said, I’ve been extremely lucky that I have been given the opportunity to look at both sides of the world, if you will, and have been able to do my best to merge them. But this is badly missing.

Dave Bittner:

As we look ahead towards the future, as you look toward the horizon, are you optimistic in the direction that we’re headed? Do you think we’re on a good path?

Pierre Noel:

Oh no, of course not. It’s going to get exponentially worse before it gets any better. No, no, no. It’s terrible, it’s awful. I mean, the best we could do, the best we could do is to remain just one page ahead, but usually we don’t. We human beings, we are very optimistic people by essence or optimistic animals. So if you show me something negative and something positive, most of us will remember the positive one and we tend to forget the negative one.

So if you come to someone and say, there is a 20 percent chance that this plane is going to crash, or you’re going to have an accident with a car. Yeah, but there is an 80 percent chance I’ll be okay. Well, yes, there is an 80 percent chance you’ll be okay. Looking purely from a technology point of view, if you look at these technologies that we humanity have adopted over the past 30, 40 years, we did not really adopt this technology with our eyes wide open.

In fact, we adopted these technologies because they were cool. And that was probably one of the main motivations. And now, you see that we are going into a world of intensive IoT. Everybody is talking about 5G and a new revolution. Everybody’s talking about self-driving cars. All this is wonderful, but do you really think that a cybercriminal will sit down and not try to monetize from that? Of course, they monetize. They want to monetize.

And these people are extremely bright and where we see a cool technology, something that makes my life easier, cooler, simpler, whatever, they see a way to make money. And of course, they will continue to do that. And that’s true for cybercriminals and it’s equally true for nation states. Sometimes nation states don’t necessarily want to attack you. They want to instill fear in you. If they can make you uncertain about your future, if they can send the right message so that you don’t know what may happen tomorrow and so you cannot trust anybody and so on, well, that’s a success for them.

So we are not ready for that. We, as a human being, we, as the way we end all risks and we, as the way we end all digital risk, digital resilience, we absolutely are not ready. So I’m repeating myself. The best we can do is probably to remain one page ahead, but things are going to get much worse with the explosion of IoT, the explosion of 5G, which will enable a lot of things that we cannot envisage today. Yes, these lots of things will be really cool, but there won’t be proper security behind them. So it’s going to be a huge mess. Let’s have fun. Don’t you agree?

Dave Bittner:

I like it. I cannot disagree, but I just, I have to say, I enjoy the way that you deliver that message with a chipper voice.

Pierre Noel:

What else can we do?

Dave Bittner:

Yes, yes. No, I’m with you.

Our thanks to Pierre Noel from ISTARI for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
