Interview – Michael Jenkin MBE – Brunel University
NICKY PENNYCOOK [00:00:03] Welcome back, everyone. We’ve got another great guest here for you now, that guest is Michael Jenkins MBE. Hello, Michael. How are you doing?
MICHAEL JENKIN MBE [00:00:14] Hello, Nicky. Yes, delighted to join you this afternoon.
NICKY PENNYCOOK [00:00:17] Great. Thanks so much for joining us. It’s great to be have you here. So, again, could you just tell us a little bit about yourself and what it is that you do?
MICHAEL JENKIN MBE [00:00:27] I mean, first of all, some fascinating discussions that you’ve been sharing and putting in friends or so less, so well done. I’m the Chief Information Security Officer for Brunel University. And I also do a lot of advisory work for other agencies as well. But, what are my kind of passions is keeping an eye on nation states, cyber crime, cyber espionage and all that kind of stuff, because I spend a lot of time researching the advanced persistent threat teams. And insofar as it’s really important for my day job and for my teams in cybersecurity at Brunel but also I do a lot of research because I write a lot of spy thrillers as well. So I will be, you know, with the hobby and the work here. It’s the criminals in the nation state. Criminals sort of end up doing the gloom for me.
NICKY PENNYCOOK [00:01:21] Wow, that sounds really interesting. Love a spy novel as well. So obviously, like you say, you do a lot of research and cybersecurity is obviously always evolving. What does the next generation of cybersecurity look like to you?.
MICHAEL JENKIN MBE [00:01:38] Well, I guess in a way, I’m quite pleased that we’ve just delivered what we would serve a unified cyber security platform with a number of partners. And I set out on this journey about 3 years ago, and the aim was to bring in a very tight strategic partnership. One of the problems we’ve always faced in I.T. security insiders see the multitude of vendors that we operate with. And my vision was very much by providing a single platform that provided intelligence, if you like, actionable intelligence, so we could act upon those in the analytical side and the forensic investigation side. So I partnered with Cisco, Exabeam and Kipu. So a triumph of strategic industry partners, kind of built the cyber and privacy team and the university over the last 3 years. I’m delighted to say that the Cisco, the Cyber Security Operations Centre, has been operational for about 6 months now. We built it last year. The instrumentation fitted the next generation scene, which is from Exabeam, which gives some fabulous Artificial Intelligence and stitching together actually of the activity that we see in the environment, which certainly helps our investigations in terms of flash to bang detection. So action side was massively reduced and it’s kind of nice that we’ve now we’re kind of optimizing that now. We’ve seen a lot of activity that we’re able to take action against because the intelligence is there in a simple format, as well as configuration of the automated side of data loss prevention and the rest of it. So that’s the future for us, really, which is zero trust environments, sort of few things next generation instrumentation in tech.
NICKY PENNYCOOK [00:03:39] That’s great. Thank you, Michael. So, you obviously talked a lot about the research you do and things that you’re doing yourself within the university. Taking that, should all companies be looking at updating their security capabilities or is that only for bigger companies? what are your thoughts on that?
MICHAEL JENKIN MBE [00:04:00] Well, I mean, every company is different, aren’t they Nicky? And each company is different. It’s got a different risk posture, different risk appetite, different funding. And the trick, in a way, for any CISO, for anybody involved and I think security is getting the idea of the executive board. And being able to, in very simple English language, present the risks. And of course, all of those risks are criminal risks in a sense, whether nation state or serious organised crime. And it was really interesting go back 3 years ago because in the academic sector, we’ve got different sort of levels of maturity across the sector. And I wanted to take a bit of a stage further and take it into next generation tech and zero trust. Because we are a big target with research and intellectual property in terms of the national picture. It’s very important to the nation that we protect that intellectual property. So the trick for many different businesses is actually what’s the balanced proportionate benefits of investment that is needed to suit your own business model in your own goals? I mean, for some businesses, if they don’t invest heavily in cyber, they’ll go bust. You know, cyber criticality for some companies and for larger organisations, it’s about brand credibility. And for us, it’s about making sure that intellectual property is, you know, correctly sort of secured. So the trick for me was getting to the executives and talking in terms of criminals or after our data set or after our intellectual property. How do you feel about that? And oh, by the way, this is how they do it. And I think after a period of time, I was delighted that a couple of executive champions supported me and we managed to get quite a significant investments to go through a 5 year cyber and information security capability bill. But it’s not just tech, you see. You’ve got to change the culture of the organisation at the same time. So there’s been a lot of parallel activity. And in a way, one of my major sort of ambitions, in a sense all those years back, was just getting our community to care about dates and personal dates of intellectual property, the research data and peer challenges themselves. But hey, there’s criminals coming in after our data, criminals care to get it. Let’s care a bit better. So it’s been one kind of journey. It’s you know, it’s a long journey, but we’re kind of getting there. We’ve got the next gen tech, which is helping the defense and the threat hunting, of course, which is a really important part of the posture.
NICKY PENNYCOOK [00:06:49] Absolutely. And I’m afraid we’re nearly out of time and just to touch on, you said about your 5 year sort of strategy. 5 years is obviously a very long time in the cybersecurity space. Are there any changes that you’re expecting to see at all?
MICHAEL JENKIN MBE [00:07:09] Yeah, I mean, it’s very interesting because geopolitically, I watch what’s happening geopolitically with the the existential threats that are coming in the world of hybrid warfare cyber espionage and so on and so forth. And the threat picture is just going to increase and you can see that from geopolitical tensions across the globe anyway. And I think there’s a lot of quick wins that can be done to make sure that you’ve got your posture right. And one of the big advantages of working with the likes of Cisco and Exabeam is that we’ve conducted a simulated attack exercises that allow our I.T. practitioners and engineers to see exactly how nation states are coming in. So whilst we do all the good stuff, the penetration testing and all the policy driven stuff, there’s nothing better than seeing out an attack that will come through those defenses and then start to plug them. So that’s what we’re at at the moment.
NICKY PENNYCOOK [00:08:01] Okay, sounds great. And I just had a message that say that we can carry on a little bit longer Michael.
MICHAEL JENKIN MBE [00:08:08] All right, okay.
NICKY PENNYCOOK [00:08:08] That’s good news. So earlier you’re talking about, obviously you’re at educational institutes and a lot of people are possibly targeting businesses like that. How can you defend yourselves better? And also places like governments and critical infrastructure companies.
MICHAEL JENKIN MBE [00:08:29] I think the way forward with all of this, if you talk about the national the critical national infrastructure and organisations that are critical to the nation being, you know, they put a lot of investment in these days and for our type of organisations is a zero trust environments. But zero trust is not just about technology. It’s about culture and that demands that we change the thinking of the communities and the business, the I.T. practitioners, the security engineers, everybody has to buy in. So what zero trust environments actually look like? And what’s the effect that they’re trying to deliver? So I think, you know, what I’ve seen in the past, many of my advisory roles is that it’s an organisation set off on a journey to build capability. But often they get partway down that sort of road map and they have to stop and take a different branch, and I think that costs money. It’s kind of retrofitting. I think the most important thing is to fix your cyber posture to the business model and get your thought leadership right with some good critical friends, as I call them, as strategic partners. Get that business thinking right to get your road map absolutely spot on before you start investing and moving forward and tightening all the capabilities that you’re trying to put in place. Otherwise, businesses will keep spending money scratching their head. And it’s not we’ve got to make sure that all the business buys into the common goals of what we’re trying to do.
NICKY PENNYCOOK [00:10:07] Absolutely. Do you think many places and again, we’ve had to change the way we’re working very quickly. Has this affected much that you have seen or do you think things are more or less remaining the same in the security space?
MICHAEL JENKIN MBE [00:10:23] No, I’m seeing because I mean, I speak to a lot of CISO’s across different sectors and spend time in other sectors myself. And I think it’s mixed, isn’t it? And it all depends on, again, you know, the important people, the money going to the people who are going to release the money. The executive board, where there is a clear definition that sign strategy, strategic cyber security impact will impact the business. Then they’ll invest and they’ll make the right kind of bring the right people in for that. I mean, nowadays, with the existential threats that we’re about to see in the next couple of 3 years, as well as the cyber security has to be in the top 3, if not top 5, maximum strategic threats to any business. And it’s it by actually carefully creating the right narrative for executives to understand exactly what not in tax terms, in criminal terms, what does that mean to me as a business? So I think we’re seeing across sectors, you know, different people are moving at different paces. But I think, you know, I’m seeing a lot more improvement and I think the industry is doing really well in saying, hey, we’ve got to move this way, kind of single platform, actionable intelligence, zero trust environments. Get that doctrine correct. Get that thought leadership right and you can make big wins.
NICKY PENNYCOOK [00:11:51] Absolutely. Michael, it’s been an absolute pleasure speaking with you today. I would love to hear more about the spy novels, but we want to save that for another time. Again, thank you for joining us, its been great.
MICHAEL JENKIN MBE [00:12:06] Yeah, lovely.
NICKY PENNYCOOK [00:12:08] And that was Michael from Brunel University. I had a great chat with him there and we’ll be back shortly with our next guest.