It is clear from speaking to Jordan Schroeder that he knows a thing or two about protecting your business from cybersecurity threats.
Schroeder has a raft of accolades, including winning the CISO of the year award in 2018 and working with the Scottish Government to build information security plans for the country. After working in cybersecurity for many years in Canada, Schroeder took a keen interest in the British standard for cyber protection.
He was watching the UK take steps to look at cybersecurity as a national problem, and decided that was something he wanted to be a part of.
Then he got the opportunity he was looking for: “During one of the conferences I was speaking at, someone approached me and said ‘We have an interesting job for you,’ and after laying it all out, it was trying to drive cybersecurity strategy for most of the universities and colleges in Scotland,” he says.
“How do you get the universities, which are these incredibly complex networks representing some of the oldest parts of the internet, and align them and mature them fast in order to comply with new regulations, new laws and new directions? And I thought, ‘well, that is something I have just got to try.’”
After four years working in Scotland, Schroeder is now the Deputy Managing Director & Managing CISO at shared technology & information services company HEFESTIS and believes that cybersecurity is one of the most vital areas for any business to focus on.
Scotland is making a name for itself in the world of cybersecurity and its technology sector continues to raise eyebrows both across Europe and further afield. Crucially, the country emphasizes collaboration, Schroeder says, which is a big reason that he decided to settle here.
“Scotland is so willing and so able to collaborate, even amongst competitors, to make sure that what they do is the correct way of doing it; the right way of approaching cybersecurity, and just being able to jump into that pool and provide value and help. This is an amazing opportunity and I am so glad I am here,” he says.
And the Scottish Government appears committed to this exchange, creating the Public Sector Action Plan – a series of “action points” it says are designed so that the government, public bodies and key partners “will take steps to further enhance cyber resilience in Scotland’s public sector”.
Schroeder believes the plan is “a unique opportunity for Scotland to figure out where it wants to go together and backed by resources from the government”.
Scotland already has a cyber resilience strategy in place which provides an “ambitious framework for action,” according to Deputy First Minister and Cabinet Secretary for Education and Skills John Swinney.
“Many organisations in Scotland’s public, private and third sectors have already prioritised putting in place sound cybersecurity measures. But we are realistic about the need for further, concrete actions to help achieve our ambition,” Swinney said previously.
And this boost for cybersecurity across a range of sectors has become particularly important during the coronavirus pandemic. Schroeder says the cybersecurity landscape is changing rapidly because of the pandemic, and as such, organisations must adapt to evolving threats.
Schroeder says: “Work from home has opened up a whole bunch of new risks that we have been trying to ignore for a while, and we have been trying to put off thinking about or dealing with, but now we are forced to deal with it.
“A lot of organisations have very rapidly tried to catch up with this; more protection; different approaches; different ways of handling security and those threats, and this is pushing a lot of different change and investment.”
- Leader Insights | Intern to CEO with SalesAgility’s Dale Murray
- Leader Insights | David Farquhar, Chief Executive, Intelligent Growth Solutions
And investing in cybersecurity right now is one of the most important things a business can do. A spate of cybersecurity breaches across hundreds of companies in 2020 alone indicates that protection against cybercriminals is vital for business.
Cybercriminals continue to use more sophisticated tools to attack digital systems, so investing in emerging technologies could be the best way to keep cyber threats at bay. Schroeder says that transitioning away from antiquated ways of working will also be essential moving forward.
“You can try to dig with your hands, but a shovel works ten times better. A person can dig only so far with analogue tools,” he explains. “The more technology that you leverage, the more a single person can do, and when it comes to digital information the same is also true.”
But this change comes with its own set of problems. More tech can lead to more issues and a greater degree of complexity.
“Any problems or errors or malicious actions that happen within that digital information also gets multiplied,” he adds.
“What this means is that cybersecurity is going to be more important because we are generating more and more digital information every day, and the impact of that gets lost because we don’t have the same level of control over how that information grows and the life it can take on,” Schroeder asserts.
Analogue tools cannot entirely protect an organisation from threats from malicious actors online, so a business leader must boost security themselves through training and understanding.
“For a CISO, what you need to do is understand that you have limited resources – you cannot fix everything – but what you can do is get very good at two things,” Schroeder comments.
The first being risk management – understanding threats and opportunities and prioritising resources whilst maximising opportunities within digital information and digital technology.
“That takes experience and a broad range of perspectives. To look at those threats and those opportunities and how you can approach them, and that broad perspective is very important for a CISO,” he believes.
Secondly, a business leader must carry out people management. All too often, Schroeder suggests, security practitioners view people as the enemy or an uncontrollable element that is likely to “mess everything up”.
He says: “What we forget is that all of this information and all of these tools exist to help people, and being able to connect with people better, and to understand how they connect with information technology is crucial.”
According to research in July by security firm Tessian, 43% of workers have made cybersecurity mistakes that negatively impacted their organisation. Without the right training, this number is likely to remain, if not increase.
“[Cybersecurity] is going to be a problem forever as long as people are involved. Errors and mistakes are going to happen, and it is nothing to do with digital technology it is just that people are people, humans are humans, and they are going to make errors,” Schroeder says.
- Meet nine of Aberdeen’s coolest technology companies
- Cybersecurity framework launched to protect NHS and public sector
- Greater support needed to boost female representation in cybersecurity
Often CISO’s see a human error, blame the user, and then turn to training to help solve the issues. Training can be seen as the only tool to eliminate human error, but Schroeder says that more needs to be done to solve the problem.
“If we can take a look at we can do to help an end-user out, then we might be able to dramatically reduce the errors, increase our security and go far beyond just more and more training,” he suggests.
So, what advice would Schroeder give to business leaders who want to try and build cybersecurity within their organisations? He believes that identifying the difference between linear and non-linear problems is key.
“Most people learn how to solve technical problems with technical solutions,” he notes, “and that is great, but that is just one half of the coin.
“The other half is bringing the skills to deal with non-linear, non-ordered, non-technical problems, and recognising those, not shying away from them, and not thinking that they are someone else’s problems, but taking on that responsibility to learn how to deal with them successfully,” Schroeder adds.
His most pertinent advice, though, is communication: “If you cannot listen and build people skills you will be limited because you won’t be providing solutions and providing what your customers and clients need because you are focused on the technology and not the goals,” he comments.
“You are limited in your ability to improve the security of an organisation or an individual because sometimes the solution isn’t more tech and more gadgets, sometimes the solution is sitting down and listening, and understanding someone else’s point of view.
“If you can learn to do that and accept that this is also your job, you will do so much better and have so much more impact in your ability to secure and protect information and people.”