On the lighter side of things, we ‘go phishing’ with Tom Exelby, Head of Cyber Security, Red Helix, who tells us about life inside and outside the office.
What would you describe as your most memorable achievement in the cybersecurity industry?
My biggest achievement to date is making the transition from the British Army, bringing in a different and broader risk-management perspective to the provision of cybersecurity consultancy. I estimate that 70% of people giving advice on cybersecurity are technical specialists. Having expertise in risk-management is what I bring to the consultancy side of the industry.
As an officer in the Royal Engineers, I was constantly assessing threats and risks. My career included leadership of a team in bomb disposal which is certainly a field that teaches you about risk-management, incident-management and operating under extreme pressure when the stakes are very high.
That experience has been hugely valuable and gave me a skillset that directly relates to cybersecurity. In consultancy and managed services provision, you must be cool and objective when a client has experienced a breach, but trust and credibility under pressure are also vital.
What first made you think of a career in cybersecurity?
After 15 years in the army, I knew I had a combination of skills, education and experience that was right for the industry. In both cases, you are in highly adversarial and constantly-evolving threat environments.
There is a similar thinking that applies in, for example, threat intelligence and threat-integration.
I also learned that security needs to be all-encompassing. In cybersecurity, there is a whole wrapper of skills that goes around the right technology, involving people, processes too, training, compliance and of course, incident management.
In addition, I have significant strategic and project management expertise, having both worked at NATO headquarters and delivered an £80m procurement project for the British Army. I also have a degree in Internet computing, and another in leadership and security.
I knew I could use all these skills, insights and experience to protect the small and medium-sized firms that account for about 90% of all businesses in the UK. Collectively these are critical organisations, vital to the quality of life in the country.
What style of management philosophy do you employ in your current position?
There are certain core tenets of military leadership I apply that include understanding the people in my team and then deploying their strengths in a very collaborative way that solves problems and provides solutions. I combine the team’s technical expertise with my own experience – remaining calm, coming up with a plan quickly and communicating it effectively.
Much of my approach has been learned hands-on. As in my military career, I am now leading a team that has deep technical subject-matter expertise and experience. I learn, drawing on others’ experience to weld together a team that functions under my leadership. This is exactly what I did in the army.
I am also able to use my broad experience to drive change and foster innovation. This is extremely useful in the private sector, especially in fast paced industries or with businesses who are experiencing fast growth.
What do you think is the current hot cybersecurity talking point?
As mentioned, the cybersecurity industry is fast paced to keep up with cybercriminals. As such, the hot topics can be quite fleeting. Currently, we are still seeing ransomware as the most prevalent threat faced by SMBs in the UK, often exploiting security weaknesses in the supply chain to reach the ultimate target. We have seen that this can be combatted effectively when businesses have conducted cyber-risk management and chosen to invest in contemporary security tools and regular cyberawareness training for their staff. We predict that this threat will persist into 2025 and therefore putting measures in place to be secured against it are even more important.
A new trend moving into 2025 is the importance of Identity. This can involve criminals, utilising AI to impersonate business employees using their voice, words or credentials. The aim of the criminals in this instance is to elicit payments or information from within the business by impersonating those with existing access or authority. Combatting this new threat can be difficult, however there are measures which can be implemented to make things much more difficult to cybercriminals to be successful.
How do you deal with stress and unwind outside the office?
I have two small children, which takes up most of my time. When I do get some free time I enjoy exercise, hillwalking and tinkering with classic motorcycles.
If you could go back and change one career decision, what would it be?
Nothing specific springs to mind, as I have had an exciting and fulfilling career in the military for which I am deeply grateful. That said, there is always more to learn, which is a mindset I wish I had embodied earlier in my professional journey.
What do you currently identify as the major areas of investment in the cybersecurity industry?
We know that approximately 60% of the small-to-medium-sized businesses have no effective cybersolution, which amounts to a major area of vulnerability for the UK as a nation.
SMBs should invest time in considering their cybersecurity risk. This time integrating cyber-risk into their BAU risk management processes will enhance their cyberconscience and allow them to make calculated decisions which may involve treating risk by investing in cyberdefensive solutions.
The cyberindustry also needs to be more flexible about recruitment to solve skills shortages. We should recruit people with broader experience with different skillsets and a fresh outlook and be prepared to train them in cybersecurity. That is why I would strongly recommend the cybersecurity industry invest in ex-forces personnel who are accustomed to learning fast, working under heavy pressure and solving problems for themselves.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
Different regions and industries are covered by different legislation and regulation. What matters most is that businesses understand how to achieve success and reduce their risk. Compliance is going to become more important as industries begin to recognise the risks posed by non-compliance and not having a proactive cybermindset within a business.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
Although I have been in my current role for a couple of months or so, I can already see there is a need for cybersecurity to address AI and regulation.
Over the next 12 months, businesses will need to be more aware of AI use and AI-powered threats and make a judgment about the risks they face. My focus will be on aligning companies’ security strategies with their broader business goals. Cyber-risk is linked to other forms of risk, all of which we need to consider.
Regulations such as the EU’s NIS2 directive is a good example of the regulatory complexity that will affect elements of the medium-sized business sector. In addition, all British businesses will need to take account of the forthcoming UK Cybersecurity and Resilience Bill.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
It’s important to understand the business context of cybersecurity. Cybersecurity has to relate to business strategy and prove itself as a catalyst for success.
It is also important to remember that the tide of cyber-regulation is steadily heaping more responsibility for cyber-risks and compliance on those in boardrooms. Regulation and compliance responsibilities must be areas of focus for would-be senior management.
Anyone with ambition in cybersecurity should spend time with frontline security analysts who get under the skin of real-world cybersecurity as opposed to the hype in the industry. You also need to remain up-to-date with current and evolving threats and technologies.
Finally, make sure you fully appreciate that cybersecurity is about people and processes as well as technology. If you are not focussed on the whole spectrum, then you will inevitably have weaknesses in your defence strategy.
