MEDIA 7: Congratulations on being named as one of the UK’s Top 30 Chief Security Officers at the CSO30 awards 2020. What has your professional journey been like?
SHELTON NEWSHAM: Thank you, it has been an incredible journey for me. When I joined the regional cybercrime unit just over 4 years ago, I had overseen several cybercrime investigations conducted by frontline police officers, but the opportunity to run the prevent and protect teams elevated this to a different level. I was able to redefine our approach to cyber protection for businesses and our communities.
The cybersecurity industry has been incredibly welcoming, and I was able to build up key networks across the United Kingdom and beyond. I was able to collaborate with industry and academia to develop new products and provide them free to communities and businesses.
Professionally I was able to learn from some of the best in the sector, people at the forefront of innovation, and dedicated to making people safer. I gradually built up my expertise in several areas and was able to represent UK law enforcement at national and international events.
Being able to design and deliver the largest police-led cyber engagement project was a real highlight. I was so proud of the National Matrix Challenge and how it empowered children and young people to learn about cyber. The support from all the police forces was fantastic; there remain some brilliant people in Team Cyber UK (the police cyber network).
I was honored to be named Cyber Policing Individual of the Year in 2020 at the National Cyber Awards.
When I was named as one of the UK’s Top 30 Chief Security Officers after being supported by industry, I knew I had achieved something special. This gave me the belief that I could continue to help protect individuals and organizations, but from outside policing. To ensure I was best placed to provide business-focused information security advice, I also completed my MBA. I left law enforcement in December 2020 and started Newsham Business Solutions Ltd. We’ve gone from strength to strength, so I’m excited about the future.
M7: We are also delighted to hear that you will be speaking at Cybersecurity Festival! What topics on cybersecurity are you planning to throw light on for the attendees?
SN: I am really looking forward to the Cybersecurity Festival; the agenda looks brilliant. I will be discussing the importance of security considerations during digital transformation. I have seen many businesses taking on a digital transformation program without driving this change with a security mindset. We expect teams to drive with speed, precision and agility, undertaking transformations which will be making significant changes to processes and systems, but it is far too easy to fall foul of focusing on a deliverable and not delivering a secure solution. It is a common theme, but I will also be discussing staff awareness training and empowering individuals to be a crucial line of defense.
M7: How does NBS help companies by reviewing their business functions, risks and processes and implementing solutions to ensure they achieve their organizational goals?
SN: At NBS (Newsham Business Solutions) we want to support all organizations to fully understand their information security exposure; many organizations are vulnerable through overprocessing or sudden expansion. Triaging organizations and following all the key business processes enables them to look at process improvement around information security. I believe that this should be carried out by someone independent, as this will help identify gaps that may not be spotted by internal staff because it is accepted practice. There is an added benefit that by saving money through improvement they can potentially reinvest in security.
I also support organizations that cannot afford a full-time CISO, providing guidance and defining metrics to support board discussions.
I also feel that it is crucial that organizations consider all manner of solutions, not just technical ones. A layered defense is important. Management controls are a great place to start; there are many low-cost, high-impact measures we can take before outlaying larger sums on other controls. For technical solutions, I will always work with the organization to define the scope and objective before approaching the market and making recommendations. I have seen many organizations purchasing all manner of technical solutions which were not the right ones. It is important that the requirement is driven by the business, not other parties.
Finally, we all know our people are the biggest risk in terms of security incidents. I work with organizations to provide awareness training at all levels. Security must be driven from the top, but your staff must be supported and provided with guidance, the confidence to report and clear processes to follow. Again, I like to bring the human factor back into delivery at the beginning, ensuring specific organization-focused questions can be answered, and you can see the confidence grow. This also means that the organization's mission is embedded in the training. I am a supporter of computer-based training after that initial people-focused engagement.
M7: What are the common types of cyberattacks an enterprise is likely to face? What are the preventive measures that companies should undertake?
SN: Ransomware continues to be the biggest threat; threat actors are still finding this the quickest and easiest source of income. Organizations' digital assets continue to grow, as does the valuable data held by them. We continue to see medical facilities, academia, local government and private organizations targeted across the globe.
User training, a robust backup policy and technical controls are important. Organizations must remember that one technical solution will not stop every threat, no matter the cost; remember that defense in depth is important.
Phishing, business email compromise and related frauds continue to have a serious impact on organizations, many due to human error; lack of training is a big factor in this. Organizations need to invest in awareness training and empower their staff, and with the right deliverables you can evidence continual improvement and ROI.
Finally, it’s important to consider expert opinion; many consultants work independently and will focus on the business requirements, not upselling. Finding the right individual who aligns their advice to your business objectives is an important factor in driving improved performance across the organization.
M7: What do you believe are the top three security challenges faced by the companies in the post COVID-19 era?
SN: Organizations must review their security monitoring capabilities and incident response protocols. They need to make sure that they have visibility of their new, expanded operational environment. The pace at which organizations needed to change their normal working practices and move to remote working was in many cases a transformation that was not previously planned. Organizations should exercise their current incident response, disaster recovery and business continuity procedures to identify further gaps that have developed.
Organizations should review their staff awareness training and consider the environments of their remote workers. Many end users would have previously relied on office-based colleagues to ask for advice; this has obviously changed. End users are being actively targeted with social engineering; malicious calls which purport to be from the organization's IT support are successfully gaining remote access to systems. Physical security in the home and the correct management of documents also need to be reinforced. Our staff need our support; it is a change for organizational management and business processes, but it's also a major change for staff.
From a technology point of view, organizations should review their endpoint protection and ensure appropriate asset management and patching is in place. It’s likely that BYOD is in place, so those basic reviews must include end-user devices. Organizations may need to develop single sign-on or MFA for remote access; whilst this seems obvious, it has been very difficult for some organizations to survive during the pandemic, so some of these processes may have been missed or put on a ‘backlog’.
M7: What do you think is essential to stay competitive in a market that is going through constant digitalization?
SN: Organizations need to do their research; whilst some organizations are transforming at pace, others may benefit from transforming slightly slower. Understanding the market and the factors that will drive your business is essential. I like to use Porter's Five Forces model to help organizations retain their competitive edge. Expert advice from security consultants with a business background is also beneficial; understanding the business landscape whilst driving security can lead to real growth.
M7: What is the marketing mantra that you swear by?
SN: My core mantra is
Capability x Credibility = Opportunity
If you are credible and capable of delivering, then customers' confidence will grow, and this leads to more opportunities and business growth. I have built my career on being credible and supporting individuals and organizations.
Having a background in law enforcement is a unique attribute; my core belief remains ‘to protect and serve’. This transfers into the private sector: I continue to focus on protecting individuals and businesses that are integral to communities. If you are truly credible, you will remain focused on your belief and not be tempted to change on a whim.
Capability to deliver on your words and business objectives builds trust; it also helps change behaviors.
For me, empowering positive behavioral change around security is an opportunity we cannot underestimate. We can empower communities, build confidence, and secure businesses by delivering real engagement, support and understanding. That is the opportunity: create a safer world for all!