, I spoke with Ashanti, a Rust developer who’s always mindful of security. She explained how Rust is a more secure language, and she explained holochain to me.
This time, I spoke to Nicola Whiting. As the Chief Strategy Officer of Titania, she works on how AI can be implemented to prevent cyber threats caused by poor cyber hygiene.
Kim: Please tell me a bit about yourself and what you do.
Nicola: I'm the CSO of Titania. My time is split between looking at where the industry is going (particularly in terms of AI and the movement towards self-healing, self-defending systems, and how to get Autonomous Mitigation to be reliable enough to do that) and how to keep Titania at the cutting edge of all that for our clients.
I also spend a lot of time advocating for diversity and inclusion (because it makes us stronger), as well as for growth.
Kim: That's fascinating! How do you think AI is benefiting cybersecurity now, and how do you think it will evolve in the future?
Nicola: I think AI has huge potential to reduce the strain on our talented defense and security teams. But, at the moment, it often makes these teams' job harder, not easier. Many of them have 'alert fatigue' from the inherent inaccuracies in those systems. (A case of bad decisions done fast.) My belief is that it's because many of those systems are underpinned by interpolative data.
One of the ways AI needs to evolve is to add more deterministic (versus probabilistic) data, so that AI solutions make more accurate decisions which are easier to validate.
It's a subject I love unpacking, as I believe it could have a major impact on the future success of our industry. (I spoke on this topic at RSA, and will be speaking at Infosec on a similar idea, as it has a nation state-level impact.)
Kim: Please tell me a bit more about Titania.
Nicola: I'm so proud to be co-owner of such a fantastic company. It was founded in 2009, and along the way, we've picked up the UK SME of the Year from the UK Chamber of Commerce and a Queen's Award for Innovation.
Kim: Is it a small- or medium-sized enterprise?
Nicola: We're still a small business, but we trade in 95 countries, and 80 percent of our business is in the USA. We were founded by Ian Whiting, and our products originated from need.
Kim: Did you and Ian get into cybersecurity at around the same time?
Nicola: No, Ian has many more years in the business. He started in Network Administration and Support, then went on to Disaster Recovery; was part of the early teams involved in creating Virtual Reality; worked on complex Document Management Systems; and finally took all that experience into Penetration Testing, where he became a GCHQ-accredited CHECK Team Leader.
That's where our flagship product Nipper came from. Ian had to do build reviews as part of his role (taking hours per device). He automated that, and now our clients can find vulnerabilities in thousands of build configurations, accurately and in minutes. It uses virtual modelling and intelligence to understand the interactions between settings, which makes it the trusted tool for every branch of the military (except the U.S. Coast Guard) and 37 federal agencies.
Kim: That's amazing! Well then, when did your interest in cybersecurity start?
Nicola: I was in cyber quite early on, initially in Remote Control Desktop software and later in databasing. I then took a career break to follow other passions and became an award-winning jewellery designer and chairman of a craft guild. I ended up back in tech with Titania as they needed commercial expertise. (I was the third employee.)
Ian focused on the products, while I focused on building the relationships with our key clients and how the business could scale.
Kim: I have done quite a bit of research on fileless malware, and I know that's becoming more common. Has that been a special challenge for AI threat detection?
Nicola: Sorry, fileless malware isn't one of my areas of expertise, but I'd love to read any articles you've written on it. I attended a few RSA discussions on that subject. Interestingly, the common consensus seemed to be it wasn't truly fileless, as a script was involved for delivery. It came up in the malware briefing.
Kim: Which sort of threats are you more specialized in?
Nicola: Those that come in through poor cyber hygiene; that is where many breaches are ultimately attributed.
Ian Levy of NCSC says it's where our most serious CNI breaches are likely to occur. Essye Miller of the DoD says it's what "keeps her up at night." And a few days ago, Bobbie Stempfley, Director of the CERT division at Carnegie Mellon, agreed it's where most of the risk came from but lamented that it's not seen as a "sexy" security topic for boards.
That's why I'm so interested in AI. That is seen as a "sexy" topic, but I believe unless it gets its data feeds right, it's heading down an evolutionary dead end.
Kim: What's one of the biggest cyber hygiene mistakes that organizations make?
Nicola: Sadly, the biggest mistakes are that they're still not getting the basics right. Inadequate patching and poor password management are still major issues, ones which AI done right could certainly help solve.
Kim: I've seen those lists of some of the most common passwords like "password" or "qwerty." Are these exceptionally poor passwords used a lot more often than I would assume?
Nicola: Yes, there are whole lists of them, and they don't change much year on year. It's why human behavioral study, nudge theory and neuropsychology should be part of a CISO's toolkit. It goes hand in hand with the software and hardware systems.
Kim: You are both a cybersecurity practitioner and a business person. How would you encourage more women and nonbinary gender people to enter into those roles?
Nicola: Wow, that's a tough one. It's still not as easy as I'd like it to be to get ahead in the cybersecurity industry. On a positive note, there is a growing movement of people changing that and taking positive affirmative action to open up the training, coaching and supportive environments needed to encourage more women and nonbinary gender people into our industry.
At a recent event I was speaking at, I suggested that those types of organizations have more than the standard legal non-discrimination statements. Instead, they should say right up top on their job adverts how they welcome applications from all diversity groups and then state the ones they feel they're underrepresented in. This could help encourage people from all walks of life to apply.
It's small practical things that often make such a huge difference.
Kim: That's brilliant. Yeah, sometimes job listings could improve immensely. You have a lot of great ideas. Do you have anything else that you would like to add before we go?
Nicola: Thank you, Kim – it's the first time I've done an interview like this. You made it really enjoyable.
I'm not sure I fully covered how Titania can help solve the AI problem, but I guess that's okay as it's not about us. If you wanted some additional diversity thoughts, then check out this article.
I feel quite passionately that boards "do diversity" more enthusiastically when they don't view it as a social exercise but understand its bottom-line benefits.
You really rock at this, by the way. It felt really natural talking to you. Thank you.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.