“Have I got a job for you,” was the line that greeted Lees on her return from maternity leave in 2014, leveraging her ability to create and get the best out of teams, starting with 53 staff, to reach 250 today.
The division is again targeting double digit growth in the year ahead, with some analysts suggesting it has gone from three to five percent market share. It is part of IBM Security, which Gartner describes as the fastest growing vendor in the global security software market (Gartner analysis) and reportedly the third largest security software vendor, becoming a US$2 billion (£1.6 billion) business last year.
So what insights can we get on the cyber-security market from IBM's activities? Lees told SCMagazineUK.com, “More and more of our clients are asking us, ‘where do we start?' A lot of our clients need our help with that key question.”
The clients themselves have deployed some 85 different products from 40 different vendors and are asking IBM, “We have all these products, why can't you tell us what our road map should be through to maturity?” So Lees explains that IBM is helping a lot of clients look at where they are today in terms of their security posture, and how it can help build that road map for them and build that two-year journey, but also give them that starting point.
“It's coming down from CEO level, board level – CISO level, or ‘head of...' We are also being asked to take an industry point of view to our clients so we do focus on specific industries, but we actually cover the majority of industry sectors. They value our point of view as to what is happening in that industry [regarding cyber-security] and how we can help address those issues.”
Lees adds, “A key concern is that a lot of clients don't have a CISO or [appropriate] head of.., it's a new role coming into the industry, so some people are appointing a person who had security in their title, whether they were doing networking or patching and are now told they are head of security. Quite a few clients have created new roles that are now presenting to the board, which they have never done before, so coming out of their comfort zone. We are helping our clients take messages to the board, as well as helping our clients find CISOs, or put a temporary CISO in from IBM or identify what a good CISO would look like for that particular industry.
“Often it's someone who is business-minded but has an IT perspective as well.”
Asked by SC, should we be looking outside the existing pool of talent, training up non-tech people in tech, or teaching tech people security? Lees responded, “We are thinking that we go more down the business-minded route, rather than tech. We have a lot of people in our organisation with tech capabilities, but often don't have enough of the next level who understand the business risks, and the business priorities when presenting to the board. On the board agenda, over the last 12 months it's very much been the case that where people with a technical focus have been chosen, some have found it difficult to present it to the board.”
What has been especially valuable is people already in the industry sector who understand the workings of the industry. Lees says her clients are saying, ‘security touches so many areas of my business'. You've got the risk team, the advisory team, and it's often about getting someone to pull all those teams together with a security brief for the organisation.
Lees adds, “I don't thinks it's, ‘these are the skills you need, and that's your role' any more within this industry. There is a mix now of both business and technology.
“More and more we have seen business acumen and communication skills come to the fore. I have had CISOs who have said to me, I was the guy at the back of the room doing my day job and now I am the guy attending the quarterly board meeting where security is on the agenda. That's people really coming out of their comfort zone and we are definitely seeing that.”
Another consequence is that non-tech business leaders need greater technical support from outsourced providers, something Lees says is definitely happening. “We talk about being a trusted advisor, it's a lot of trust. You form more of a partnership. To have someone in the organisation taking the lead, and having a partner alongside them gives them more of a comfort zone – and also because of the shortage of skills, if you have a key strategic partner, like IBM and others, they can complement and help them move forward on their strategy.”
The issue remains of whether the client is technically competent enough to know whether they are managing their provider well. With cyber-security there are elements, which are outsourced as a managed service, but it's often a hybrid model. If you don't have particular skills in house, you can take that element and ask your provider to manage it for you. In the hybrid model clients choose the area where they need support with people from their organisation and from the outsourcer, working with their team, ‘training' them up to the point where the work is handed over to the client.
SC asked, how do you convince companies that as an outsourced provider, you are not going to be their weak link? Lees replied, “You can look at the strength of IBM, how much money we spend on R&D and on security, the 1,500 people we have hired in the last year – that capability. We have turned a big corner in terms of being a player in the security business. Three years ago people didn't know we did security. We have our integrated model, end to end, from software through to the advisory business, competing with the ‘big four'. We are lucky enough that we are not seen as a weak link because of our investment in security and the strength of knowledge that we accumulate from our employees and partners.
“The reason why our chairman formed our business in the first place is because we've been securing ourselves and other companies for over a hundred years. We have methodologies that are based on our knowledge to secure a 450,000 employee organisation, of which 60 percent are mobile, so we took that to market.”
IBM has sought partnerships where it sees gaps in the market, including utilities, oil and gas companies. It offers cloud security assessments for companies that know they have to go to the cloud, but ask is it secure? An assessment finds out what sort of data that they are going to put in the cloud. “It's giving people the confidence that putting information in the cloud is going to be OK. What you put there depends on the industry. We have our own cloud business, so for IBM, security in the cloud is a seamless business and we take joint teams with our technical capability to the client.”
Regarding SCADA and control systems, Critical National Infrastructure (CNI) – IBM says it is trying to raise awareness in that space. “We have a demo centre at our UK Lab Campus in Hursley. With our partners, we are able to do a live demo on how you can hack into a water system or oil and gas system. The key thing is our technology around resilience and looking at how we can help against hackers who attack remotely. Many of our clients have tech skills but often not the CNI Scada skills as well, so there is a gap in the market that we are continuing to help with.”
On the IoT Lees notes that it is both a consumer and an enterprise issue so it's going to touch many people. “We have an IoT business unit with many projects underway. If it's connected, it's vulnerable, and so security has to be baked right in from the start.
Lees also notes how employee awareness has come up in every client meeting. Large companies can have major security policies in place but a lot of their teams may still click when they shouldn't, leave laptops open or leave USBs lying around. People are failing audits because they haven't focussed on issues like BYOD. “We have tools that help manage that so they can lock down what they can or can't access because that's critical; you've got the employee awareness of day to day, then you've got BYOD.”
Lees was asked how IBM deals with the skills shortage, both in relation to its own staff and on clients' behalf. She told SC: “From an IBM perspective we run monthly assessment centres. My current team have an amazing network and they go out to their own networks – people they link with on Twitter, they've brought in a lot of good people; and when people go to companies, others follow and we've had a lot of good people that way; and we've had specialist recruiters help us. When we take on specific clients in say oil and gas and SCADA we've had specialist recruiters help us there, too.
“Clients are struggling to fill vacancies. It's quite a small world, the security space, and people leave from one client and turn up at another so the first now has a gap and that's why our hybrid model with temporary CISOs really works because they're struggling. And if the CIO has been tasked with, ‘go find us a CISO', for them, a lot need recruiters to help because that's not their skill set, to decide what makes a credible CISO to put in front of the board. They're struggling, and that's why they need companies like IBM and others to support them.”
Regarding attracting a more diverse range of applicants to the industry, Lees says, “The non-tech piece is critical, because you get a balanced view across the business. We run an apprenticeship scheme across IBM and that's really helped us. We focus on STEM candidates, as well as good arts graduates. They look at things differently and have brought a lot to the table.”
On gender, Lees notes, “It's about attracting women into security and technology. I am also working on a programme to look at our technical pipeline of women, to start early on and build that pipeline of women in the technical community. But it's difficult. I am doing a lot more public speaking at women in security and women's events to raise the profile that there are women in this sort of job. I spoke at a Merryl Lynch event with 80 women and there were women coming up afterwards saying ‘I'd love to work in security,” It's getting it out there that you can join security and there are lots of different roles as well.
“We also have a strong veterans stream – ex armed forces, that is included within our intelligence area. This community continues to grow within IBM and we are also involved in the cyber reserve programme."
A recurrent theme is collaboration and how security professionals don't talk about what's going on with their peers. Lees says a key thing that came out of meeting CISOs is that we don't collaborate enough. “People don't share how they are dealing with threats – we are too guarded. We need to talk about what we are all doing, where we are all seeing the threats. We need to understand more about what's going on in the market, look at applied intelligence and work with the next generation of security operations.”
“Collaboration is clearly the way ahead," with Lees concluding, “Our clients are asking us to partner with some niche players in our 1,200 competitors and we are willing and it works. It's what our clients require. It's what the industry requires.”