Decoding Cybersecurity 2023: An In-Depth Chat with CISO Graham Thomson
Against today's constantly shifting threat landscape, the conventional approach to security is limited and needs to be transformed by drawing intelligence from security data points and by operating with a far higher degree of agility. A swift and deliberate course toward agile security has to be charted so that cyber security capabilities can keep pace with unprecedented change. This interview with Graham Thomson delves into the current trends and challenges impacting security architecture, sheds light on the evolving cyber security landscape, and details his experience as a seasoned chief information security officer (CISO).
Graham J. Thomson is the CISO at Irwin Mitchell and has a proven track record in innovative information and cyber security leadership. With experience across multiple industries, he excels in creating risk-based security frameworks. Graham is a recognized thought leader in the field, dedicated to blending modern security theory with practical experience. He leads all aspects of information and cyber security for his company while spearheading its client-facing cyber audit practice. He also volunteers for TechVets, which bridges veterans into IT careers, and is a member of the advisory boards for EC-Council and the Cyber Resilience Centre. With exceptional leadership and strategic thinking, Graham empowers businesses to operate securely.
1. How would you describe your experience as a CISO at Irwin Mitchell?
My experience as a CISO at Irwin Mitchell has been both challenging and fulfilling. Starting from scratch, I’ve had the opportunity to build and shape a cutting-edge cyber security practice. This has involved assembling a talented team, implementing robust security measures, and fostering a culture of cyber awareness within the organization. The journey has been rewarding, as I’ve seen the positive impact of our efforts in safeguarding the firm and its clients from an ever-evolving threat landscape. The company has a genuine focus on people, and the culture is one that fosters trust and collaboration and really inspires people.
2. How did you end up as one of the founding partners of the North West Cyber Resilience Group, and what was the catalyst for that venture?
The National Cyber Resilience Centre Group is a not-for-profit company, funded and supported by the UK Home Office, policing, and business partners, set up to help strengthen the reach of the UK’s national cyber crime program. It was born out of a realization that cyber security is a shared responsibility and crowdsourcing expertise was an effective way to help local organizations be more cyber-aware and cyber-secure.
Along with a small number of security leaders in the North West of the UK, I was invited to help forge the collaborative platform where organizations, both public and private, could pool their knowledge and expertise to address the growing cyber threats in the local business community. It really plays into my passion for cyber security education and dedication to protecting businesses in the region.
3. Can you share your thoughts on how SOCs can evolve in the era of advanced cyber attacks?
In the era of advanced cyber attacks, security operations centers (SOCs) must evolve to become fully proactive, driven by intelligence and insights from security data points, and highly agile. This involves incorporating automated threat intelligence, automated detection and response, and applying threat-hunting techniques to enhance the protection of the business. Additionally, fostering collaboration between different teams in the business, such as project teams, and adopting a risk-based approach to incident prioritization is key to staying ahead of sophisticated adversaries.
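Added illustration (not from the interview, and not Irwin Mitchell's or the NCRCG's code): a toy version of the risk-based incident prioritization mentioned above. The scoring model (severity multiplied by asset criticality and detection confidence, boosted when the indicator matches current threat intelligence), the `Alert` fields, and the sample alerts and intel feed are all assumptions constructed for the example.

```python
"""Toy risk-based alert prioritisation for a SOC queue (added example).

Assumed scoring model (not from the interview):
    score = severity x asset_criticality x confidence
    boosted by 1.5 when the alert's indicator matches current threat intel.
"""
from dataclasses import dataclass

# Numeric weight for vendor/analyst severity labels (assumed mapping).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    alert_id: str
    severity: str            # one of SEVERITY's keys
    asset_criticality: int   # 1 (lab box) .. 5 (crown-jewel system)
    confidence: float        # detection confidence, 0.0 .. 1.0
    indicator: str           # e.g. source IP or file hash (constructed)


# Constructed threat-intel feed: indicators seen in currently active campaigns.
THREAT_INTEL = {"198.51.100.23", "sha256:deadbeef"}


def risk_score(alert: Alert, intel: set = THREAT_INTEL) -> float:
    """Combine impact (severity, asset criticality) with likelihood (confidence)."""
    score = SEVERITY[alert.severity] * alert.asset_criticality * alert.confidence
    # Intelligence-driven boost: the indicator is part of a known live campaign.
    if alert.indicator in intel:
        score *= 1.5
    return round(score, 2)


def prioritise(alerts: list) -> list:
    """Return (alert_id, score) pairs, highest-risk first."""
    scored = [(a.alert_id, risk_score(a)) for a in alerts]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample queue: raw severity alone would order it A1, A3, A2.
SAMPLE_ALERTS = [
    Alert("A1", "critical", 1, 0.9, "203.0.113.5"),   # critical, but on a lab host
    Alert("A2", "medium", 5, 0.8, "198.51.100.23"),   # medium, crown-jewel asset, intel match
    Alert("A3", "high", 3, 0.3, "192.0.2.77"),        # noisy low-confidence rule
]

if __name__ == "__main__":
    for alert_id, score in prioritise(SAMPLE_ALERTS):
        print(alert_id, score)
```

Run as-is, the medium-severity alert on the crown-jewel asset with an intel match (A2) rises to the top of the queue, ahead of the critical alert on a lab host, which is the point of weighting by business risk rather than by vendor severity alone.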
4. Can you tell us more about your background in Molecular Genetics and how you’ve incorporated that credential into your cyber security career?
When I left school many moons ago now, I chose to study genetics at university. It was a relatively new science, and I was really fascinated by it and what potential it had to benefit humanity. Although I never worked in that industry after graduating—I joined the army instead and became a military intelligence operator for a few years, which was immensely challenging and fascinating in its own inimitable way—it has provided me with a unique perspective on the complexity and dynamism of cyber security. Just as genes provide the code for life and determine the traits of organisms, which interact together in an ecosystem, software code determines the traits of apps, websites, and devices we use, which all interconnect to create the global digital landscape. Where biological systems have viruses, diseases, and immune systems, the digital world mimics this with its own well-known problems and solutions: cyber security is like an immune system for the digital ecosystem. This understanding has informed my approach to building a holistic cyber security strategy, incorporating wider-ranging elements such as technical controls, user education, and continuous improvement based on data-led insights. What’s equally unexpected and amazing is that my divergent experiences of genetics and military intelligence have aided my journey through cyber security and given me a unique perspective for problem-solving in that space.
5. What is your opinion about the role of AI in cyber law, and do you think it will replace professionals?
AI has the potential to greatly enhance many industries, particularly in processes such as data analysis and pattern recognition. If there is one industry where AI has already had a massive and positive impact, it is cyber security. For several years, we’ve been using AI tools to detect and prevent cyber attacks and non-cyber breaches, and it works well. I foresee that AI will catapult many other industries to work even smarter. However, I don’t believe it will replace professionals. Instead, AI will augment their capabilities, automating repetitive tasks and allowing people to focus on more complex tasks that need human skills. Human expertise, judgment, and creativity are irreplaceable, and the role of AI should only be to empower professionals as a tool rather than replace them.
In my view, AI will not render us obsolete. Such assertions have accompanied every major development in technology and mechanization since the dawn of the Industrial Revolution, yet the workforce continues to grow. Instead, AI will contribute to an even more diverse employment market. And this is exactly what I’ve seen in cyber security: AI has taken away laborious data crunching from humans, allowing us to focus on other aspects that add benefit. There are still more jobs than people to fill them in cyber security. So as machines automate our previous responsibilities in many jobs, they enable us to explore and occupy novel niches that were once unimaginable.
6. What are the biggest challenges you faced as a CISO and technology leader, and how did you overcome them?
The biggest challenges I’ve faced as a CISO and technology leader include keeping pace with the rapidly changing threat landscape, securing executive buy-in for necessary investments, and establishing a security-aware culture within the organizations I’ve worked with. To overcome these challenges, I’ve focused on maintaining a forward-looking approach, building strong relationships with stakeholders, and continually emphasizing the importance of cyber security to the business’s success. Cyber security is a business risk; it’s not just an IT problem, and every colleague has a responsibility to work securely.
7. How would you advise upcoming companies to prepare for cyber security audits and emerging threats?
I would advise companies to start by making someone responsible for cyber security. Then create and execute a strategy, quickly establishing a solid foundation for their cyber security posture. This includes implementing a risk-based approach to security, tackling the biggest gaps and real-world risks first, ensuring adequate employee training, and adopting a defense-in-depth strategy. In addition, it’s crucial to stay informed about the latest threats and best practices, engage with industry peers, and invest in the right tools and expertise to support your security program. But if you must do one thing, get the basics right first. The basic cyber hygiene controls will mitigate most of the threats.
8. What are your favorite cyber security conferences or events, and do you have any plans for attending them next year?
Some of my favorite cyber security conferences include Infosecurity Europe, UK Cyber Week, CYBERUK, and DTX Manchester. These events provide valuable insights into the latest trends, research, and solutions in the field, as well as offering excellent networking opportunities. I need to manage my time carefully, so unfortunately, I can’t attend everything, but I make sure to attend something annually as they play a vital role in staying informed and connected within the cyber security community.
CISO, Irwin Mitchell
Graham J. Thomson is a Partner and Chief Information Security Officer (CISO) with a proven track record in innovative information and cyber security leadership. With experience across multiple industries, he excels in creating risk-based security frameworks. Graham is a recognized thought leader in the field, dedicated to blending modern security theory with practical experience. Currently serving as CISO for Irwin Mitchell, he leads all aspects of information and cyber security while also spearheading its client-facing cyber audit practice. Graham volunteers for TechVets, which bridges veterans into IT careers, and is a member of advisory boards for EC-Council and the Cyber Resilience Centre. With exceptional leadership and strategic thinking, Graham empowers businesses to operate securely.