As part of our Interconnection Between People, Process and Technology book produced in partnership with Tanium, we spoke to Dan Jones, Senior Security Advisor, Tanium and formerly Service Owner (Defensive Cyber Operations), UK Ministry of Defence.

“Imagine how many of the world’s problems we could solve if we got the right people in the right room working in the right way.”

There’s no doubt in Dan’s mind that ‘people’, or more specifically ‘leadership and culture’, are the most essential elements of cybersecurity success.

“Cybersecurity is a people problem that’s dressed up in technology. Prioritise getting the right people because they will help me figure out the right way of working with whatever technology I’ve got my hands on at that time so I can exploit it better.”

Dan’s pride in the diverse team he built during his eight years leading the service development delivery of defensive cyber operations for the UK Armed Forces is plain to see.

“Diversity was the answer to all of my questions, problems and prayers because I had a brilliant set of people that wanted to work and come in to make a difference, and they came from all kinds of walks, backgrounds, life experiences and all types of genders.”

Dan believes that strong, visionary leadership in cybersecurity is essential. Leaders need to be able to understand the challenges and risks, and to be able to communicate effectively between the IT and non-IT aspects of the organisation. They need to have the knowledge and skills to understand the technology and the challenges that the people working with that technology face daily.

“It all goes back to leadership, ways of working and culture. None of this is technology-based yet, but you have to have the technology in order to be able to realise that vision. But without the right people working in the right way, your technology is left in a sort of stagnant state.”

He highlights the fact that as every organisation is different, “there’s not a ‘one size fits all’ for your people, process and technology conundrum”. He also explains that when considering the impact of people and culture, leaders should also reflect on how their culture extends to their suppliers and partners in that space.

Dan views the resistance to change that stems from fears about the impact of AI on jobs as more of a cultural issue than a factual one. Indeed he believes there is enough demand for IT skills to keep people employed even with AI entering the industry.

People are resistant to change, he argues, because they are comfortable with what they’re doing. This reliance on entrenched procedures or legacy ways of working can impede the successful adoption of AI, so strong leaders and visionaries will be needed to guide people through these changes.

People will need to be upskilled and reskilled into roles that require human intellect for decision making. Dan argues that this can be achieved by automating tasks that computers can handle and allowing people to focus on monitoring and decision making.

“To have strong cybersecurity foundations, you need to have good patch management efficacy and, at the moment, that is predominantly a manual process with loads of checks and balances in place. We need to move people to a point where we’re going to let the computers run it to a degree or to a set of parameters that a company is happy with in terms of how quickly those updates come through, and move people to a point where they’re looking to intervene to stop an update happening when there are indicators.”

Dan paints a picture of an ideal scenario where, with the right leadership mindset, tools and ways of working, teams can be proactive rather than reactive to threats.

“When I was working in the Ministry of Defence, I wanted to enable my people to fight back. I didn’t want them to be on the back foot having to react to things all the time. I wanted to be able to put them in a position where they could get on top of things before there was a problem."