Dominic Trott, UK Director of Strategy and Alliances at Orange Cyberdefense: “Cyber resilience should start in the boardroom”

Invite Dominic Trott, UK Director of Strategy and Alliances at Orange Cyberdefense, into your board meetings at your peril. For let’s just say he has firm views.

“Unfortunately, there are still businesses that view security as a checkbox on their compliance list,” he told us. “In such cases, organisations are unable to address security as part of a broader and consistent enterprise risk management strategy.”

This is why – as the title of this interview suggests – Dominic believes that security begins in the boardroom. And boards must think more deeply about it than they currently do, making security part of their strategy rather than an add-on. Otherwise, just as foolishly, they could waste money on the wrong things whilst not investing where they should: “A lack of business focus on the security strategy can lead to organisations missing out on adopting new tools and technologies that could provide a competitive advantage.”

So, on second thought, perhaps you should invite Dominic to your meetings. After all, Orange Cyberdefense is Europe’s largest managed security services provider. And Dominic himself has plenty of experience, as his answer to our first question shows.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

My career in cybersecurity began in market analysis when I started at the European IT market analyst house PAC in 2007. I began as a general software and IT services analyst but within three years started to focus more specifically on cybersecurity research. My interest in security was triggered in 2010 when I was asked to join a team tasked by the (then) UK government Department for Business Innovation and Skills (BIS) to conduct a review of the UK cybersecurity market (the report is still publicly available here).

In 2015, I moved on to IDC – one of the global IT market analyst leaders – where my remit expanded from the UK to the European security market. Here, I rebuilt IDC’s syndicated reporting for the European security market, took on leadership of the research team, and merged the formerly separate Western and Central/Eastern security research units to create a single entity.

I am passionate about connecting innovative security solutions with tangible business outcomes, so when the opportunity arose in 2020 to drive Orange Cyberdefense’s UK vision, strategy and roadmap I jumped at the chance. At that point, Orange Cyberdefense’s UK entity was in its infancy, providing me with the opportunity to effectively shape the future of a security ‘startup’ within the framework (and financial backing) of Orange, one of the world’s largest companies. My current role sees me focus on security strategy and alliance management across our portfolio of services and technology vendors.

The cyber extortion (ransomware) threat landscape continues to evolve quickly. The past 12 months saw the number of cyber extortion victims globally increase by 46%, marking the highest numbers ever recorded, according to our Security Navigator 2024 report.

In addition, large, English-speaking economies continue to account for the highest numbers of victims, with over half (53%) headquartered in the United States, followed by the United Kingdom (6%) and Canada (5%).

Over the past two years, we’ve also seen an evident increase in activity in the hacktivism space to support causes of a political or social nature. For example, attacks from hacktivist groups involved in the war against Ukraine have reached record highs, with Ukraine, Poland and Sweden the most impacted by the pro-Russian hacktivists we track.

This upward trend is being exacerbated by other geopolitical events that have sparked the creation of new groups, most recently spawned following developments in the Middle East.


What are the biggest cybersecurity challenges those in leadership roles are facing?

Amid political headwinds and economic uncertainty, the ‘cost of doing business’ is top of mind for security leaders, making it harder for them to make spending decisions – including for cybersecurity. Given factors such as inflation and the lack of business confidence that sustained geopolitical and economic uncertainty have caused, they are faced with ‘in-real-terms’ or even actual budget cuts for security, often for the first time.

This challenging backdrop forces security leaders to be as agile as possible to continue responding to the evolving security landscape because classic market drivers – the evolving threat landscape, increasing digital transformation, mounting regulatory reform and the ongoing skills shortage – mean that security teams are expected to deliver more with less. It’s no longer an option to respond with salami-slicing costs, let alone taking no action.

Therefore, security leaders must find new ways to demonstrate the value of the investment decisions they seek. They need to focus their activity and investments towards the most critical risks that are most contextually relevant. If they don’t, they risk trying to ‘boil the ocean’ and diminishing the impact of their spending power by diluting focus. A lack of business focus on the security strategy can lead to organisations missing out on adopting new tools and technologies that could provide a competitive advantage.

What is your take on ethical hackers and their role in cybersecurity?

Ethical hacking is a valuable tool that offers a profound understanding of a business’s security state by identifying and reviewing the extent to which hidden vulnerabilities pose a security threat.

Ethical hacking goes beyond a traditional penetration test (pentest), which often acts as a tick-box exercise for compliance purposes. Pentests typically focus on an agreed area, whereas ethical hackers employ a more mature methodology, simulating threat actors to conduct authorised cyberattacks to identify any vulnerabilities across a company’s entire attack surface.

When ethical hacking is combined with end-to-end security tools tailored to address the specific weaknesses their tests uncover, and regular employee awareness and education programmes to ensure they keep abreast of developing security threats, businesses can achieve invaluable synergy between ‘people, process and technology’.


What are some prevention strategies you believe every business should adopt?

Unfortunately, there are still businesses that view security as a checkbox on their compliance list, or at least feel that they cannot afford to treat it as anything other than that. In such cases, organisations are unable to address security as part of a broader and consistent enterprise risk management strategy.

Cyber resilience should start in the boardroom, with organisations aligning cybersecurity closely with their business objectives and strategy. Achieving this requires enhanced collaboration between CISOs, security and the wider leadership team. This will foster a deeper understanding of internal security needs and how they can support business goals by understanding and defending their most important assets, tailoring policy and protection in line with contextually relevant threat and risk, and maintaining ‘business as usual’ in the face of attacks.

Executive meetings should therefore treat security as an enterprise risk management topic, emphasising the significance of partnerships and collaboration between the board and security teams. Once this relationship has been fostered, stakeholders across the company can decide where security investment is best placed to gain the greatest bang for buck. This could, for example, include alignment with cybersecurity standards, such as the NIST framework, to ensure good security posture is in place, investment in cybersecurity awareness training to incorporate security good practice into company culture, or adopting a Zero Trust approach to ensure access isn’t granted to those who shouldn’t have it – whether sought nefariously or innocently.

While prevention is better than cure, businesses must also ensure they have put in place appropriate people, processes and technologies for detection and response to help maintain business as usual if, or when, a cyberattack does strike. Experienced channel partners can help by recommending the best solutions for each business and even managing the process end-to-end to ensure that nothing falls through the cracks.

What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good?

Organisations using GenAI need to be aware that these tools open their data to third parties, making them prone to exploitation. While some providers of GenAI embrace robust standards for data privacy and security, this is not the case for all.

Given the rise of ‘Shadow AI’ usage, it is more important than ever that organisations build awareness and drive compliance to enact guardrails that facilitate and safeguard the adoption of GenAI. These guardrails will need to be appropriate for each organisation’s specific context but should include: the enactment of policy to set out compliant behaviour; the development of processes to guide best-practice usage; and the deployment of technology to facilitate privacy and assure access. This should minimise the risk of sensitive information falling into the wrong hands.

However, we are also seeing a rise in cybercriminals using GenAI for malicious purposes. It is lowering the barrier of entry to cybercriminals by making code writing – whether the reuse of existing code or original creation – easier and faster.

This is why forward-thinking organisations are integrating GenAI to make their security operations more agile. They are gaining significant efficiencies in terms of speed of response to security threats by helping security analysts prioritise the most impactful engagements. GenAI is also reducing the risk of burnout by automating lower-value and repetitive tasks such as aggregating log data.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.