WEBVTT

1
00:00:00.000 --> 00:00:02.400
Tom Field: Hi there. I'm Tom Field. I'm senior vice president

2
00:00:02.400 --> 00:00:05.040
of editorial with Information Security Media Group. My

3
00:00:05.040 --> 00:00:08.010
pleasure to welcome to ISMG Studios, Ash Hunt. He is the

4
00:00:08.010 --> 00:00:11.670
global CISO with Apex Group. Ash, after all the virtual

5
00:00:11.670 --> 00:00:13.800
discussions we've had, it's a pleasure to meet you in person.

6
00:00:13.830 --> 00:00:14.280
Ash Hunt: Likewise!

7
00:00:14.910 --> 00:00:16.860
Tom Field: Tell me a little bit about your organization, your

8
00:00:16.860 --> 00:00:17.700
experience first.

9
00:00:18.260 --> 00:00:22.100
Ash Hunt: So I'm global CISO of Apex Group. So we're a financial

10
00:00:22.100 --> 00:00:26.510
services organization, company and fund administration. But we

11
00:00:26.510 --> 00:00:28.730
have lots of interesting parts of the business. We have the

12
00:00:28.730 --> 00:00:32.030
European depository bank, for example, as well as blockchain

13
00:00:32.030 --> 00:00:34.640
companies. So it's a pretty diversified business in that

14
00:00:34.640 --> 00:00:39.560
sense. We've got about 12,000 users. So my scope is global.

15
00:00:40.280 --> 00:00:43.910
And I look after a number of areas, right through from

16
00:00:43.940 --> 00:00:46.820
identity, privilege, access management, the internal global

17
00:00:46.910 --> 00:00:50.510
operation center, tech rescue, all these other bits. But it's

18
00:00:50.510 --> 00:00:54.590
great because some of my scope and purview expands way beyond

19
00:00:54.590 --> 00:00:57.800
traditional information security to cover many aspects of the

20
00:00:57.800 --> 00:00:59.960
technology environment, particularly when it comes to

21
00:00:59.960 --> 00:01:04.970
assurance. So it's definitely an interesting role. I was CISO of

22
00:01:04.970 --> 00:01:07.970
a FTSE 250 asset management company that was bought by Apex.

23
00:01:07.970 --> 00:01:11.300
So it's been interesting to kind of go through that acquisition

24
00:01:11.300 --> 00:01:15.410
process. Apex itself also does quite a lot of merger and

25
00:01:15.410 --> 00:01:18.590
acquisition. And this is probably a backdrop to a lot of

26
00:01:18.590 --> 00:01:23.240
the strategic initiatives that I've got moving forward. But one

27
00:01:23.240 --> 00:01:25.580
of the key things that we've been focusing on in particular

28
00:01:25.580 --> 00:01:30.020
is really bringing the whole organization together. So over

29
00:01:30.020 --> 00:01:33.170
time, Apex has grown pretty dramatically in quite a short

30
00:01:33.170 --> 00:01:37.820
space of time. And so it's really incumbent upon me and

31
00:01:37.820 --> 00:01:41.690
other technology leaders in the business to execute a kind of

32
00:01:41.690 --> 00:01:44.480
very much concerted focus on culturally bringing the

33
00:01:44.480 --> 00:01:46.970
organization together, as well as just from a technical and a

34
00:01:46.970 --> 00:01:50.780
process standpoint. So that's definitely the forefront of my

35
00:01:50.780 --> 00:01:51.680
strategy at the moment.

36
00:01:51.900 --> 00:01:53.730
Tom Field: What brings you to RSA Conference, and what have

37
00:01:53.730 --> 00:01:55.320
been your impressions of the event so far?

38
00:01:55.540 --> 00:01:56.500
Ash Hunt: So it's my first time.

39
00:01:56.000 --> 00:01:59.900
Ash Hunt: I would say my impression is, Europe has

40
00:01:56.530 --> 00:01:56.860
Tom Field: Is it?

41
00:01:59.900 --> 00:02:02.960
nothing on this scale. It's a roadshow, like I've never seen

42
00:02:02.960 --> 00:02:06.590
before. So it's pretty eye-opening. But as they say, most

43
00:02:06.590 --> 00:02:09.530
of the key meetings take place on the periphery. So it's been

44
00:02:09.530 --> 00:02:13.580
really valuable to me to kind of catch up with a lot of my sort

45
00:02:13.580 --> 00:02:16.760
of U.S. colleagues in the profession, in the industry, but

46
00:02:16.760 --> 00:02:21.320
also, to get some face-to-face time with vendors. So you know,

47
00:02:21.320 --> 00:02:23.810
particularly some of my stack that are headquartered out here,

48
00:02:24.170 --> 00:02:26.840
I don't tend to get to meet the sort of senior leadership very

49
00:02:26.840 --> 00:02:29.210
often. So it's a great opportunity to kind of talk shop

50
00:02:29.210 --> 00:02:31.790
and run over some of the work that I'm delivering at the

51
00:02:31.790 --> 00:02:32.570
moment in Apex.

52
00:02:32.000 --> 00:02:34.610
Tom Field: Excellent. As you say, Apex is going through

53
00:02:34.610 --> 00:02:37.550
significant transformation. Being in so much merger and

54
00:02:37.550 --> 00:02:40.730
acquisition activity alone, you're sort of in the petri dish

55
00:02:40.730 --> 00:02:45.800
of cybersecurity issues. How has all this transformation impacted

56
00:02:45.800 --> 00:02:46.820
your security landscape?

57
00:02:47.290 --> 00:02:50.110
Ash Hunt: So I think the security landscape, and our risk

58
00:02:50.140 --> 00:02:56.410
landscape really has probably begun to evolve now and is

59
00:02:56.410 --> 00:02:59.380
changing at the moment, which is different from, I think, its

60
00:02:59.380 --> 00:03:04.090
historic profile for the business. So Apex has gone

61
00:03:04.090 --> 00:03:07.690
through quite a dramatic increase in its size in a

62
00:03:07.690 --> 00:03:12.820
relatively short space of time. And the byproduct of that is you

63
00:03:12.820 --> 00:03:17.710
don't necessarily have the development of understanding,

64
00:03:17.710 --> 00:03:21.490
you know, protection and things like this, that kind of

65
00:03:21.490 --> 00:03:24.730
organically grow in lockstep with that organizational growth.

66
00:03:25.210 --> 00:03:27.790
So you're kind of playing catch-up, which is really tricky,

67
00:03:28.150 --> 00:03:32.380
particularly in the M&A space as well. You've got people

68
00:03:32.380 --> 00:03:35.020
from potentially different geographies, different corporate

69
00:03:35.020 --> 00:03:38.200
cultures all being sort of brought together very quickly.

70
00:03:39.190 --> 00:03:43.030
So when I came into Apex, about six months ago, one of the key

71
00:03:43.060 --> 00:03:46.720
drivers for my strategy was creating an organizational

72
00:03:46.720 --> 00:03:49.930
design for information security that did bring everyone

73
00:03:49.930 --> 00:03:54.250
together. So things like having a global internal SOC is really

74
00:03:54.250 --> 00:03:57.280
valuable. Because if we acquire a business, and I pick up an

75
00:03:57.280 --> 00:04:01.750
analyst in maybe Australia, or South America, they can fold

76
00:04:01.750 --> 00:04:04.420
into that structure really easily and understand the kind

77
00:04:04.420 --> 00:04:08.020
of defined purpose in what that brief is driving for information

78
00:04:08.020 --> 00:04:14.560
security and for the business. So you know, in some senses it's

79
00:04:14.560 --> 00:04:17.050
got a, you know, a lot of challenges. But on the flip side

80
00:04:17.050 --> 00:04:20.710
of it, it's also a lot of opportunity. I've got a very

81
00:04:20.710 --> 00:04:23.770
global team. I get to work with people all over the world,

82
00:04:23.800 --> 00:04:26.290
which have, you know, it's very cognitively diverse, very

83
00:04:26.290 --> 00:04:29.200
different approaches. And that only adds kind of

84
00:04:29.530 --> 00:04:32.890
diversification of value to the work for information security.

85
00:04:33.490 --> 00:04:37.120
But at the same time, it is also challenging as we take on new

86
00:04:37.120 --> 00:04:40.300
businesses, and we will still continue to do that, to try and

87
00:04:40.300 --> 00:04:42.700
get ahead of the game and ensure that, you know, what we're

88
00:04:42.700 --> 00:04:45.550
purchasing is secure, that they can fold into a common operating

89
00:04:45.550 --> 00:04:49.630
model. So, again, six months in, it's not only just that people

90
00:04:49.660 --> 00:04:51.850
normalization that we're doing, but it's also the same with the

91
00:04:51.850 --> 00:04:53.950
tech stack as well. It's trying to get a consistent set of

92
00:04:53.950 --> 00:04:56.560
solutions that are harmonized, working well, working in an

93
00:04:56.560 --> 00:04:59.320
orchestrated manner, so that when we do acquire a business,

94
00:04:59.320 --> 00:05:02.020
there are set patterns and tools and people and processes that

95
00:05:02.020 --> 00:05:02.860
they can fold into.

96
00:05:02.900 --> 00:05:05.226
Tom Field: Sounds good. I know it's a great theory, but in

97
00:05:05.276 --> 00:05:08.197
practice it doesn't always work. So M&A, it comes with its own

98
00:05:08.247 --> 00:05:11.118
unique issues. Security often isn't involved up front with

99
00:05:11.168 --> 00:05:13.693
that. Security can be an afterthought in merger and

100
00:05:13.742 --> 00:05:16.663
acquisition activity. What have you found to be the role of

101
00:05:16.713 --> 00:05:18.050
security in what Apex does?

102
00:05:18.000 --> 00:05:20.400
Ash Hunt: So I think historically, as a general rule

103
00:05:18.000 --> 00:07:10.170
Tom Field: So Ash, you say, you're six months into this

104
00:05:20.457 --> 00:05:23.715
of thumb, that is absolutely true. It's always, you know,

105
00:05:23.772 --> 00:05:26.972
shifted, right, and you want to shift it left as much as

106
00:05:27.030 --> 00:05:30.344
possible. And one of the core things that we focused on in

107
00:05:30.402 --> 00:05:33.488
Apex is setting up a persistent team to really look at

108
00:05:33.545 --> 00:05:37.146
integrations so that we can have the same set of skills and the

109
00:05:37.203 --> 00:05:40.746
right set of skills, engaging with that company as early on as

110
00:05:40.803 --> 00:05:43.890
possible, you know, even around the transition service

111
00:05:43.947 --> 00:05:47.033
agreements, so that as they become onboarded, we know

112
00:05:47.090 --> 00:05:49.834
exactly the exploit of limitation as to how much

113
00:05:49.891 --> 00:05:53.491
they're going to be integrated - when, into what tools. We have

114
00:05:53.548 --> 00:05:56.749
some advantages, particularly in our pocket of financial

115
00:05:56.806 --> 00:05:59.950
services, in that there are a lot of mainstream

116
00:06:00.007 --> 00:06:03.607
standardized solutions, but that also breeds its own challenges

117
00:06:03.664 --> 00:06:07.265
where, you know, the companies might be on a different version,

118
00:06:07.322 --> 00:06:10.523
and you know, they're not going to be able to map across

119
00:06:10.580 --> 00:06:13.666
straightaway. And you'd be surprised how much that can

120
00:06:13.723 --> 00:06:17.038
extrapolate. And then your timelines are going to increase

121
00:06:17.095 --> 00:06:20.296
and increase. But from a security standpoint, our intent

122
00:06:20.353 --> 00:06:23.554
is to get as far left as possible in that process, to be

123
00:06:23.611 --> 00:06:26.926
involved and to kind of, I guess, act as a handrail to the

124
00:06:26.983 --> 00:06:29.898
organization that's coming on board, because it's a

125
00:06:29.955 --> 00:06:33.041
challenging time for them as well. You know, I've gone

126
00:06:33.098 --> 00:06:36.470
through the process multiple times in businesses before and

127
00:06:36.527 --> 00:06:39.728
it's, you know, being acquired is not an easy thing. And

128
00:06:39.785 --> 00:06:43.157
there's a lot of peripheral factors that we have to kind of

129
00:06:43.214 --> 00:06:46.643
account for. And one of the key benefits that we've noticed,

130
00:06:46.700 --> 00:06:50.072
particularly over the last few months, bringing information

131
00:06:50.130 --> 00:06:53.159
security earlier into that conversation has been that

132
00:06:53.216 --> 00:06:56.416
organizations with perhaps a lower security posture, and

133
00:06:56.474 --> 00:06:59.788
perhaps not the same level of investment, are now going to

134
00:06:59.846 --> 00:07:02.989
benefit from a wide global enterprise set of solutions,

135
00:07:03.046 --> 00:07:06.532
people, processes and technology. And so I think that's a huge

136
00:07:06.590 --> 00:07:10.133
boon to them. Because if they didn't have a lot of security in

137
00:07:10.190 --> 00:07:13.334
place beforehand, they're going to get folded into that

138
00:07:12.390 --> 00:07:19.740
role. How do you see the next six months shaping up? What are

139
00:07:13.391 --> 00:07:14.820
structure pretty quickly.

140
00:07:19.740 --> 00:07:22.050
your biggest priorities as a security leader? And how are you

141
00:07:22.050 --> 00:07:23.130
going to measure your progress?

142
00:07:23.600 --> 00:07:28.400
Ash Hunt: So I think for me, all I care about is loss exposure,

143
00:07:28.550 --> 00:07:32.810
and being able to quantify that, in financial terms and stress

144
00:07:32.810 --> 00:07:36.200
test any of the investments that I'm making as a CISO, and

145
00:07:36.200 --> 00:07:39.830
actually not just as a CISO. I really want that to be true for

146
00:07:39.830 --> 00:07:43.100
all of the decisions that we take in technology. You know,

147
00:07:43.130 --> 00:07:45.770
every business in the world runs on technology now. So it's

148
00:07:45.770 --> 00:07:48.800
really just operational risk, you know, the kind of concept of

149
00:07:48.800 --> 00:07:53.510
cyber risk just doesn't exist. And so, for me, I probably spend

150
00:07:53.510 --> 00:07:57.440
as much of my time trying to track down where our most

151
00:07:57.800 --> 00:08:02.180
frequent loss exposure is coming from, being generated from. And

152
00:08:02.180 --> 00:08:04.760
so each time that we're taking decisions, because no one's got

153
00:08:04.760 --> 00:08:07.910
an endless budget, I need to be able to kind of validate that

154
00:08:07.910 --> 00:08:12.230
when I am going to the board and I'm engaging with ExCo, and

155
00:08:12.230 --> 00:08:14.960
we're asking for additional funds or funds to be redirected

156
00:08:14.960 --> 00:08:18.020
in a certain area, that we can actually demonstrate the return

157
00:08:18.020 --> 00:08:20.540
on investment for the business, both in financial terms, but

158
00:08:20.540 --> 00:08:23.270
also in kind of security value add and how much it's going to

159
00:08:23.270 --> 00:08:27.740
improve our posture. So for me, instilling that kind of, you

160
00:08:27.740 --> 00:08:30.980
know, metrics-based and data-driven thinking in the

161
00:08:30.980 --> 00:08:33.800
organization is really pivotal. And I'm lucky I look after

162
00:08:33.800 --> 00:08:36.230
technology risks, where I can kind of infuse that thinking

163
00:08:36.620 --> 00:08:40.850
across the organization. But really, for me, it's kind of

164
00:08:40.850 --> 00:08:44.180
completing that half journey that I've done so far, ensuring

165
00:08:44.180 --> 00:08:46.010
that the function is still growing. You know, we're

166
00:08:46.040 --> 00:08:48.800
definitely on a significant growth journey as a function in the

167
00:08:48.800 --> 00:08:51.590
organization, ensuring the rest of the stack is kind of

168
00:08:51.590 --> 00:08:54.290
normalized, you know, bringing together multiple external

169
00:08:54.290 --> 00:08:57.800
providers and tool stacks, etc. So getting that cleaned up and

170
00:08:57.800 --> 00:09:00.710
orchestrated well, and then finally working on process

171
00:09:00.710 --> 00:09:03.290
improvement enhancement, but ensuring that every decision we

172
00:09:03.290 --> 00:09:05.900
take is going to be one that gives us benefit at the end of

173
00:09:05.900 --> 00:09:06.200
the day.

174
00:09:06.770 --> 00:09:08.030
Tom Field: Well said. Ash, thanks so much for taking time

175
00:09:08.030 --> 00:09:08.930
to speak with me. Appreciate it.

176
00:09:08.990 --> 00:09:09.740
Ash Hunt: Pleasure; cheers, Tom!

177
00:09:09.860 --> 00:09:11.990
Tom Field: That was the conversation with Ash Hunt. He

178
00:09:11.990 --> 00:09:14.750
is the global CISO with Apex Group. For Information Security

179
00:09:14.750 --> 00:09:17.450
Media Group, I'm Tom Field. Thank you for giving us your

180
00:09:17.450 --> 00:09:18.410
time and attention to that.