Littlefish recently hired Katy Hinchcliffe as its new Head of Cyber Security, to spearhead the expansion of its Cyber Security practice.
Katy’s appointment reflects the increasing requirement for Cyber Security services among its existing Managed Services customers, as they attempt to defend themselves against the ever-shifting threat landscape. And they are not alone: the growing cyber security challenge is impacting private and public-sector organisations globally, with the World Economic Forum currently ranking Cyber Security as the biggest threat to the global economy.
We caught up with Katy to discuss a range of subjects including the experience she brings to the role, current cyber threat trends, and her advice for IT professionals seeking to capitalise on the high demand for Cyber security specialists.
What first attracted you to the IT industry?
Like many people, during my university studies for a biosciences degree I realised I didn’t want to follow the path I had originally opted for. So, I applied for graduate roles and successfully gained a position at the DVSA, as part of their graduate junior management scheme, by demonstrating my transferable skills. It was a happy accident – information security was only just beginning to be acknowledged as a requirement and the Government mandated that all departments and agencies, including the DVSA, had to comply with what has now become ISO 27001. I found myself in an information security role and had to learn fast.
How did you know Cyber security was the right direction for you?
From my DVSA role, I stayed in security, tending to follow more technical and operational rather than compliance focused positions. I really enjoy being challenged every day especially as the landscape shifts frequently as threats evolve – therefore I’m regularly required to push the limits of my ability, and use my experience, knowledge and creativity, particularly as attackers improve their tools and tactics.
You’ve joined Littlefish’s senior leadership team – what experience are you bringing to Littlefish?
I’ve spent ten years working with UK Government in cyber consultancy and architecture roles, and four years working for a blue-chip aerospace industry client, leading the Security Operations Centre (SOC) in addition to the broader Security Intelligence and Compliance functions. During this time, I was frequently exposed to complex and deliberate threats (sometimes state-sponsored).
What Cyber services does Littlefish currently offer and how might the future services portfolio evolve?
We currently offer a range of services that complement our existing Managed Services.
Our CISO-as-a-Service (CISOaaS) provides board-level security expertise, consultancy and leadership, without the challenges of recruiting and retaining a highly sought-after full-time employee, who is often difficult to justify financially. This begins with a detailed assessment and includes board-level engagement and business case support, to help win investment for strengthening any critical weaknesses uncovered during the assessment, along with an ongoing Security Advisory Board to manage and evolve business-as-usual activity.
We also offer a User Education & Awareness service which focuses on transforming customer employees into a security asset, through tailored, engaging content, ongoing phishing tests, and a monthly management reporting pack.
Our Critical Hour Framework provides an actionable framework tailored to the customer’s existing security controls, enabling them to respond rapidly and effectively to contain threats when defensive countermeasures fail. This is really key, as response speed has a huge bearing on the impact caused by an attack and having this framework in place acknowledges that breaches are sometimes inevitable, even against the best technical defences.
We also deliver Penetration Testing, and Cloud security services, and are developing our Vulnerability Management service – an in-house monitoring, analysis and remediation programme – watch this space!
Having worked for a global IT outsourcer, what attracted you to join a rapidly growing SME?
This was a fantastic opportunity for me to make a significant impact on, and influence the direction of, a young and ambitious company. The chance to take full control of shaping the Cyber Security Practice and develop the services portfolio, including building new services completely from scratch, was very appealing.
The role suits my blend of hands-on, coalface experience and broad skill set, combined with my understanding of the wider landscape and how all the individual elements fit together to form the complete picture.
Littlefish specialises in providing Managed IT Services, notably Service Desk, End User Compute, Infrastructure Management, and IT Consultancy services – why has Littlefish chosen to invest in Cyber Security?
Cyber Security integrates seamlessly with our existing services – our Service Desk naturally provides many elements of a security service and we already provide an SC-cleared secure Service Desk for numerous high-profile Government customers.
Integrating security with the support team is highly effective, providing true end-to-end accountability – for customers there is one provider taking responsibility for the whole service with no ‘fence chucking’. Orchestration is also much easier with one company, reducing response times and limiting the impact of breaches.
As a trusted partner, Littlefish customers frequently ask us to provide additional services of the same high quality so there is a clear opportunity to extend our portfolio and support our existing customers’ Cyber Security strategies.
How can an SME like Littlefish compete in the Cyber security space against global, multi-billion-pound suppliers, and how does Littlefish differentiate itself?
Littlefish has built its reputation for service excellence on its ability to provide highly flexible and personalised services, and the same will be true for our Cyber Security offerings. Our approach of delivering a core range of customer-focused services as a specialist provider, means we rapidly build up a very detailed understanding of our customers, their users and their wider estates.
This enhanced knowledge gives us a critical advantage in defending effectively against threats – where we already have great visibility with our Service Desk, Infrastructure and Operations teams.
What forms do cyber threats take and who is behind attacks?
Generally, the major threats of the past were state sponsored. Where previously there was a gulf between state sponsored and lower-level criminal capabilities, this gap has reduced significantly in recent years; cyber criminals and nation states are now much harder to distinguish – in fact, making that distinction has become a job in itself.
Ten years ago, criminal activity typically comprised teenage hackers and disorganised, low-budget and unorchestrated attacks. Today the picture is very different: by 2017 cybercrime was generating $1bn in the US alone and cyber-criminal enterprises are now much more common, with bigger budgets. They are increasingly industrialised, running full offices that work like regular businesses and provide full-time employment – they have dedicated teams responsible for various aspects of development and even include psychologists focusing on user weaknesses (especially useful in support of social engineering) and marketers to brand and market their ‘products’.
These enterprises are making cybercrime more accessible, providing shopping lists of threats such as phishing as a service, which often now include helpdesks that would-be attackers can ring for technical support.
In this environment, even for those organisations employing a robust multi-vendor approach to technical countermeasures, breaches are simply inevitable. Organisations must appreciate this inevitability and ensure they have frameworks in place for enabling fast and effective breach response and management.
You mentioned Phishing-as-a-Service as an example – what are the biggest cyber threats facing businesses right now?
The threats are multiple. Phishing certainly won’t go away because it remains very successful. Users have been at the heart of ninety-five percent of successful cyber attacks and with widespread uptake of the Cloud, users are now used to opening emails, clicking links and entering credentials, which gives attackers the opportunity to gain access. The adage in cyber security that users are the weakest link remains true. Raising users’ day-to-day consciousness of cyber security in their increasingly blurred professional and personal lives so security becomes second nature, and making them aware of the latest techniques would-be attackers are potentially using against them, is now more relevant than ever. But delivery of this awareness and education piece must become more engaging for users, or it will continue to fall short.
Beyond phishing, there has also been an increase in web application attacks over the last two to three years, which prey on poor coding quality and application insecurity. These require niche expertise to defend against but can be mitigated by designing security in from the start and ensuring systems are maintained.
The evolving malware threat is also significant, with the development of ransomware with worm-like capabilities such as WannaCry, Petya and NotPetya. I’m surprised there haven’t been more of these strains, but perhaps something significant is being stored up. On the positive side, newer operating systems and improved anti-malware software are making it more challenging to create successful worm-like behaviours. This has driven a shift to using more malware-less attacks – that means more impersonation attempts and more credential harvesting and the blending of them together, which is difficult to counter using purely technical controls.
As the threats have continued to evolve, none of the overarching principles have particularly changed: the key challenge is to successfully balance risk with business needs.
How do you stay ahead of the curve when threats are so adaptive and growing at such pace?
Being involved in day-to-day SOC activity certainly helps, giving me a first-hand view of the threats. Other tools I use include open source intelligence feeds and making use of my network of cyber security peers at different organisations for threat sharing. But it’s tough: it can be difficult to predict the threats you might be facing until you’ve got visibility.
With the widespread adoption of the Cloud, and developments such as the Internet of Things, I’m presented with different kinds of challenges including applying old school principles to new technologies – implementing traditional controls now requires innovative thinking.
With a growing Cyber Security practice, you’re likely to be creating new opportunities over the coming years, so finally, what is your advice to someone wanting to get into Cyber Security?
If you aren’t already, start researching current threat trends and develop an ongoing and up-to-date understanding of the threat environment – there are loads of open source tools out there, so go and explore them and don’t expect to be spoon-fed. Try and develop an understanding of how attackers are behaving and the methods they are using. Read relevant industry news sources, and keep an eye on the mainstream media too (there’s not a month that goes by where a high-profile breach doesn’t make headlines).
Some of the most important traits to be successful in this field are curiosity and tenacity, and a real passion for Cyber Security, so I always look for people who can demonstrate these attributes.
About Katy Hinchcliffe
Littlefish Head of Cyber Security Katy Hinchcliffe is a highly regarded Cyber Security leader. With over a decade’s experience delivering a broad range of Cyber Security services to enterprise clients for global IT outsourcer Capgemini, notably managing the prevent, detect and respond functions on behalf of Rolls-Royce, Katy is now responsible for developing Littlefish’s Cyber Security practice.