Secure foundations: an interview with Zoë Rose

With the UK government’s current focus on retraining and attracting people from less “typical” backgrounds to fill the cyber skills gap, they might be intrigued to hear that, over in Dublin, botany’s loss has been cyber security’s gain.

When would-be plant scientist Zoë Rose discovered she was allergic to plants, she couldn’t have known that as the lab door closed, another door into the security world would open.

With botany behind her, Rose found refuge from an unhappy time in her life caused by an abusive relationship in an unlikely place: the server room of an accounting firm.

“A lot of the skills I had to learn to protect myself, and some of the skills I learned because I found computers and technology a bit nicer than people,”

Zoë Rose, Cyber Security Specialist

She became an IT manager, and embarked upon a varied career beginning in networking, going back to college in Canada where she was recruited to help set up Cisco Live, and running her own business as a managed service provider. She eventually found herself in the UK working for a privacy and reputation consultancy for high net worth, high profile and celebrity clients, where her interest in security blossomed.

“I find that the side of ethics and privacy when it comes to security very complimentary. A lot of times, it’s almost like there’s this perception that if you’re not doing anything wrong you don’t have anything to hide, and therefore you don’t need privacy. But actually, there’s so much more complexity to it. It’s quite a vital part of having an innovative world and having a safe place for people to live to have that right to privacy,” she says.

Over the years, Rose has taken part in TV shows such as the BBC’s Click: Live in 2017, communicating the risks of Open Source Intelligence (OSINT) and the importance of protecting personal data online to a studio audience.

“We presented it as a comedian on stage who was pretending to do a séance. We were backstage, collecting information and passing it through a mic to his earpiece. It was quite funny, it ended up working really well,” Rose recalls.

On another TV show, however, she demonstrated how even seemingly innocent posts can lead to darker outcomes, showing how a social media post celebrating a small child’s sporting achievement could reveal enough identifying information – name, location, routine – to enable a potential abduction.

“My approach to what I do has always been helping those who can’t help themselves and protecting the vulnerable – because I was that person, years ago, being in that very awful relationship, I had to deal with stalking, I had to deal with posts about me that were not great and that person being quite malicious in gaining unauthorised access and trying to control my life – to now knowing how to protect myself, and wanting to build that approach for other people in a way that they understand,” she says.

“My approach to technology and security is educational, providing more of a context to why it’s important and how to actually make use of it, instead of just being scared.”

Rose volunteers with Operation: Safe Escape, a US not-for-profit that works with survivors of domestic violence, ensuring that they have secured their accounts and devices, are avoiding stalkerware, and are not inadvertently sharing information that could put themselves at risk.

She also combines her passion for personal security with enterprise work as a cyber security analyst, conducting security assessments or penetration testing on the defensive side, as well as awareness training.

Often this extends to helping people to protect themselves at home – especially useful amid the Covid-19 pandemic, although Rose is sceptical that the virus itself has had as much impact on the risk landscape as is usually claimed.

“I well admit: yes, having physically separate people is definitely adding to the risk landscape, you’re having a bigger attack surface, obviously. But I think it’s a bit of a lazy response to say ‘because of Covid’,”

She argues that shadow IT – undocumented technology and processes – predates the pandemic, and that often companies without a Bring Your Own Device policy nevertheless lack any controls preventing people from doing so – logging into email from a phone, for example. But it’s more a question of preparedness than a truly unprecedented workplace transformation.

“I think it’s actually more accurate to say that we need to plan ahead for the work and understand the process and the workload of our employees and build solutions around that. In some situations, because of speed of rollout and sending people home, that has been an issue, definitely, because it wasn’t planned ahead. But I wouldn’t say that’s never been seen before – people have to work from home, and it’s unfair for us to expect, when we have all these mobile devices, we’re working online most of the time, why are we expecting people to physically come into an office?”

Typical enterprise risks observed by Rose include inadvertent data breaches, phishing, business email compromise, invoice redirection, and ransomware. She aims to demystify these commonplace issues that are not difficult to anticipate, but that are sometimes misunderstood by businesses who overestimate the sophistication of the attackers who may not even themselves be technical.

“There are ransomware vendors. They develop the ransomware and they sell it and maybe it’s a one-off cost or maybe you give them a percentage. It’s not this barrier where it has to be these highly technical, highly sophisticated people that are designing, developing and deploying this. It’s a business to them.”

But the impact of a ransomware attack can undoubtedly outweigh the sophistication of the perpetrator, in cost, downtime and reputational damage – making preparation and protection of utmost importance.

“The biggest issue that I see, and this is actually a failure internally, is lack of communication and lack of understanding. I want to do awareness training for the non-technical team members, teaching them different threats and risks and understanding their job in the whole cyber defence machine. But I also want to teach and bring awareness to senior leadership and understanding that security is just a risk-based approach just like any other business thing.”

For Rose, it’s about building the foundations to combat cyber attacks by tailoring solutions in a way that is proportionate to the attack surface of each individual business, meaning that businesses need to understand what the risks are – and what they are not.

“You do see in the news zero days and new vulnerabilities, and it’s important to keep up your threat intelligence and pay attention to what’s going on. But I think we get too excited about new exciting risks, and new exciting attacks, and a new type of ransomware, and a new type of phishing campaign. If we focus so much on these new attacks and these new risks, we’re forgetting that actually the majority of breaches, the majority of incidents are opportunistic,” she explains.

“For the majority of people, the likelihood of a nation state targeting you is pretty low, the likelihood of ‘I want to target you for you’ is pretty low.”

Instead, she says, it’s about building and maintaining the basics – keeping devices up to date, patching, strong passwords, multi-factor authentication, robust firewalls, configuration management, logging and monitoring, alongside strong disaster recovery and business continuity plans, and documented methodology including for vendors and third parties.

She says: “There’s so many things that we have to consider that I think getting too stuck on what’s a sexy issue is actually going to be a bigger risk, because you might be spending money that you don’t have trying to protect against an attack that’s never going to happen, or very unlikely to happen, but you’re failing in a very, very, very simple way.”

Rose recommends that organisations identify their current cyber maturity level, and then use that to assess what maturity level they need to work towards.

“In so many situations they’re spending quite a bit of money on these really innovative solutions worth quite a bit of money but they’re having these huge gaps, because maybe the solutions are only using about 10 to 20% of their capability, you’re spending a very high amount on the licence but maybe you didn’t do the training, so the technical people don’t know how to tailor that or actually make it effective. You’re spending quite a bit of money on security awareness, but you’re not measuring is it actually touching on the behaviours that you need it to, and are people understanding it?

“Documentation is a massive part of cybersecurity. Because if an incident happens, and you have absolutely no idea of what your network is or what the expected configuration is or how things communicate, you’re already way behind, because you now have to identify that and also figure out what’s actually the intruder and what’s just a network.”

Overspending is surprisingly common in cyber security, says Rose, as is underspending on areas like training. Identifying gaps and unnecessary spend can allow teams to budget more effectively and create an appropriate operating model and improvement roadmap.

From there, she explains, it’s about focusing on the 1%.

“You need to look at how can we improve 1% over time, not how can we make the most advanced, sexy solution. And that’s going to protect you against the majority of breaches and incidents, because even if there’s still an incident, you’re going to be able to respond and recognise much quicker because you’ll have controls in place.”