Matt Brett is one of the most experienced security consultants on the CRMG team. He works closely with our clients to review their current policies and implement new standards and processes that improve resilience. He has a deep understanding of the cyber world and the latest threats businesses face. Below, he talks about his journey into the world of cyber security and why his most feared cyber threat is the one we don’t know about yet.
Tell us more about your role at CRMG. What are your day-to-day duties?
I get involved in a wide variety of client, strategic and product management initiatives, so don’t really have a typical day. In terms of client work, I am most often found conducting policy reviews and writing new standards, processes and control libraries. I also regularly conduct security assessments against a variety of global frameworks, and in recent months have been using my experience in security operations to develop incident response and business continuity plans. This is a task that requires a lot of client engagement to develop an effective solution, at which point we have some fun and test it with a cyber simulation!
My product management background means I also get involved in developing and shaping CRMG products such as Risk Genie using a combination of client feedback and practical experience from our customer interactions. Finally, I support CRMG’s founders Nick and Simon in shaping and delivering the overall CRMG strategy using Lean Sigma techniques.
What attracted you to the cyber security industry? Have you always worked in this space?
Like so many, I arrived in cyber security more by accident than design. For the first ten years of my career I held a variety of roles in IT service and project management at a major pharma company, then (hankering after a change) I moved into a role driving business process improvement across the support services including finance, HR and IT.
An internal reorganisation then forced a change, and I was pulled into security operations leading the digital forensics team. I had almost zero security experience at that point and the learning curve was near vertical, but my manager’s request was simple – add structure and run the service improvement playbook I’d applied elsewhere to build our capability and improve relationships with key customers. Together the team and I delivered that very successfully, and I realised security was an area that was full of opportunity, even if my current skillset was not well matched to the challenge.
I then targeted a CISM certification to broaden my security knowledge, and after taking on further roles in the ICS transformation team and security programme office, moved to CRMG in 2021 to further broaden my experience.
What’s the most interesting part of your job?
Working with a wide variety of organisations across many sectors, all with different business drivers and threats to consider. I particularly enjoy helping organisations to identify opportunities to maximise the value that can be delivered from their budget using a risk-based approach.
What is your most feared cyber threat and why?
The one we don’t yet know about! The evolution of cyber threats is so rapid it can often seem impossible to keep up, so my primary concern is always the vectors the bad guys may already have thought of, but that we in the profession have not.
Of the threats we do know about, it’s the rapid adoption of AI that feels the most significant at present. Threat actors are increasingly utilising AI within their attack chains, but thankfully it can also be beneficial to the security teams defending information assets and solutions.
Perhaps the most challenging area relates to the potential unintentional consequences of applying AI to a business process or value stream – if you don’t know how AI has made a given decision, how can you assure a system or process? It’s something the CRMG team have been putting a lot of thought into in recent times alongside our colleagues at Advai, the leaders in ‘adversarial AI’ stress-testing techniques.
What’s the biggest change to the cyber threat landscape you have seen in the past few years?
The rise of double and triple extortion ransomware. With global enforcement activities disrupting their revenue streams in recent times, ransomware groups are increasingly moving to lower and slower attacks. Staying under the radar, they are using a mixture of encryption, incremental theft and the threat of disclosure to intimidate organisations and individuals into payment – a very disturbing and unsettling crime of which to be a victim.
How will cyber security continue to evolve?
The cyber skills gap is proving difficult to close despite a decade of focus by governments, education providers and businesses worldwide. Because of this, I suspect we’ll see an ever-increasing drive to automate security tasks such as policy writing and supplier assurance so that security professionals can concentrate on other, more complex problems.
The increasing trend for applying quantitative methodologies to risk management will also continue, though as a Lean Six Sigma person, I do sometimes wonder “how quant really is quant?” given the relatively small data sets most organisations can access to conduct their assessments.