On the lighter side of things, we Go Phishing with Joel Molinoff, Global Head of Supply Chain Defence, BlueVoyant, to discuss what makes him tick.
What would you describe as your most memorable achievement in the cybersecurity industry?
The most satisfying thing about working in cybersecurity is helping organisations solve some of their biggest challenges. One memorable challenge was the opportunity to manage cybersecurity for the Super Bowl. While American football isn’t as popular overseas, the Super Bowl is one of the most-watched sporting events in the world. Preparing for something of that scale is like building a startup in and of itself. On game day, you need to defend against thousands of cyberattacks in the span of a few hours. For an event like this, it takes coordination with almost a dozen stakeholder organisations to evaluate and respond to incidents in real time.
While that was exciting and fulfilling, the achievement I am most proud of is helping to build BlueVoyant’s Supply Chain Defence business, which helps organisations reduce their third-party cyber-risks by monitoring for threats and working with third parties to quickly mitigate issues. Third-party cyber-risk is a challenge for even the most well-defended enterprises to manage. Building a scalable, effective security solution is tough. I’m extremely proud of what the team at BlueVoyant has been able to do in the span of a few years, to help Fortune 50 companies, as well as smaller organisations, reduce significant risks to their operations.
What first made you think of a career in cybersecurity?
When 9/11 happened, I wanted to do something for our country to help. At the time, I had a successful career in banking but decided to apply to the NSA. I was fortunate to be hired and the years I spent in Intelligence morphed into another career iteration in cybersecurity.
What style of management philosophy do you employ in your current position?
My current team has a wealth of expertise from both the public and private sectors. My role is to encourage, support and empower them to succeed.
What do you think is the current hot cybersecurity talking point?
I am obviously very close to third-party risk as a cybersecurity issue. Organisations are increasingly interconnected with and dependent upon myriad vendors, partners and customers. All these entities may have access to networks and sensitive data or play a critical part in an organisation’s supply chain. Organisations understand this risk, but many still struggle to effectively manage it. Our research shows that 81% of organisations say they experienced negative impacts from a third-party-related cyber breach within the last 12 months. This highlights the significance of the issue for enterprises of all sizes.
Another hot issue is AI. AI is being leveraged on both sides, by the attackers to facilitate offensive operations, and by the defenders to improve the efficiency and timeliness of defence. For example, at BlueVoyant we are particularly focused on leveraging AI for our clients to help automate manual tasks and improve risk-reduction outcomes. Cybersecurity can involve many routine tasks that can make it harder to quickly respond to the most pressing threats. By having AI automate some of these tasks, it frees up analysts to find and focus on more immediate issues.
How do you deal with stress and unwind outside the office?
I enjoy spending time outdoors and trail running. It’s a good way to disconnect completely.
If you could go back and change one career decision, what would it be?
The one thing I would change is I would have spent time working in the public sector earlier in my career. Working in the public sector is a fantastic way to gain experience solving difficult problems and working with smart, passionate people who are mission-driven.
What do you currently identify as the major areas of investment in the cybersecurity industry?
BlueVoyant recently surveyed more than 2,000 C-level executives on third-party cyber-risk and 86% said their budget for this increased. In the UK, that number is even higher with 92% saying their budget for third-party cyber-risk increased. As third-party-related breaches make headlines, organisations are seeing that this is a very real risk and are working on putting together programs to manage the risk.
The other area of investment I am seeing is platformisation. Organisations have tried adding on many vendors to handle many different risks, but it has become unwieldy to manage all those tools. Instead, they are seeking convergence of managing risks through a single pane of glass. For example, they may want to manage multiple third-party risks, such as cyber and other supply disruptions, or internal and external cybersecurity risks in one platform.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
Regions and industry sectors have different regulatory requirements that drive some of the practices employed, but also there are various levels of maturity by region and sector. For example, according to BlueVoyant’s recent survey, 95% of UK organisations say they experienced a negative impact from cybersecurity incidents in their supply chain, which is significantly higher than the 81% of global respondents who indicated the same.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
We’ve seen a large uptick in interest in our third-party risk reduction solutions for enterprise and government clients on a global basis. For my role that means helping larger organisations solve risk problems at an increased scale. In addition, when it comes to third-party cyber-risk, we’ve seen a marked shift from awareness of these risks to actively managing the risk. Organisations now understand that third parties can cause business interruption and data loss. Now, they are trying to put in place successful programs to monitor and mitigate risks from customers, vendors and suppliers.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
For someone aspiring for a C-level role in cybersecurity, I would advise having two knowledge bases. There is a premium on being technical and having depth in the various security domains, but don’t forget to spend time on the softer skills as well. As much as you need the technical language to speak to analysts and developers, you also need business and communications skills, such as being able to present to a board and being able to define and articulate your organisation’s cybersecurity strategy and relevance to non-technical stakeholders.