Meet the expert: Jenni Parry to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Jenni is an Associate Director of Cyber Risk with Aon, a role that involves her providing guidance and consultation to organisations, helping them to identify and evaluate their cyber risk. This, in turn, facilitates the creation of ongoing strategies that consider factors like change, corporate culture, and risk tolerance.

Jenni appears exclusively at PrivSec Global to discuss Zero Trust culture and how it can drive organisational resilience in the digital age.

Below, Jenni answers questions on her professional journey and the themes of her PrivSec Global session.

Could you outline your career pathway to date?

My first real job was an IT Operator, this was back in 2000. In this role, I was responsible for monitoring the systems and batch along with performing checks to verify systems were stable and backups were being performed. It gave me hands-on experience of the industry and the various roles available in IT. After a couple of years in that role, I left work to have my children. After three years of being a stay-at-home mum, I then began my undergrad in Computer Science with UCD.

After I graduated, I became an IT Auditor and Risk Consultant for four years with EY. This role gave me great experience auditing different financial institutions, checking their controls, and seeing what risks there were. I learned very quickly what broken controls and processes look like, and what the impact of these factors can be. Resilience assessments were also a large part of the role.

From there, I went to Canada Life where I was an IT and Cyber Risk Manager for two and a half years. That was a very different role, I went from being the auditor – coming in and observing and documenting everything – to actually being on the ground and working with the various infrastructure teams. I wore a couple of different hats in that role.

I was, obviously, the Risk Manager, so I managed the risk register and performed risk assessments. I was the lead for Data Privacy as well, so I would have been doing a lot of DPIAs, and a lot of other assessments in that area. This was a brilliant learning opportunity as at the time there were a lot of new security tools being implemented i.e. EDR and SIEM. As I reviewed the documentation it gave me a really good understanding of how these tools actually work! I was also responsible for overseeing the Vulnerability Management programme. This gave me first-hand experience of SAST testing, DAST testing and penetration testing. I had to ensure that testing was performed and identified vulnerabilities were being addressed on set time schedules.

I joined Aon in 2021, where I currently advise clients on how they can improve and increase their security posture. For anyone who has gone through the cyber insurance process, you’ll find there are a lot of questions and a lot of forms. The problem with cyber is it’s not a simple ‘yes’ or ‘no’ game. So, I try to shine a light on the grey areas; by talking to our clients, I’m able to identify those compensating controls, and really articulate what people are doing to try and mitigate the risk of cyber.

Why is a Zero Trust approach more relevant now than ever in terms of how companies secure their digital estates?

I think there are two sides to this. Firstly, regarding the whole cybersecurity landscape, it is evolving daily, and traditional security tools are losing their effectiveness. The number of attack vectors is growing at a crazy rate, add to this remote working and you have a real challenge on your hands. 

This has also been compounded by the ransomware as a service (RaaS) model, which has lowered the barrier of entry for would-be attackers. You no longer have to be a coder or developer to orchestrate elaborate cyberattacks to get into private systems and exfiltrate or encrypt data! On the other side of things, you have more organisations migrating to the cloud, and things need to be managed in a more intelligent and dynamic way in this environment.

Zero Trust enables that shift because it introduces micro-segmentation. This means all assets, such as applications, systems and data are protected on an asset-per-asset level. 

You’ve got far greater control of who is accessing what. With zero trust, both the user and their device are authenticated and verified before they are granted access, it also requires recertification after a certain amount of time, which means that access is time-bound, and automatically revoked.

What cultures and technologies should organisations have in place to enable the Zero Trust approach?

Regarding culture, I think one of the biggest concerns to enable this approach is about effective change management. Organisations need to be able to carry their people through change. There may be whole new ways of accessing data and systems, and this will be dependent on the set-up. I think when it comes to your people, you have to give them plenty of prior notice. They can then come along with you on that process, and that makes it a lot easier for everyone concerned.

With regard to technology it’s worth keeping in mind that different vendors offer different options. Zero Trust is more of a concept then a tool. However, it does provide much needed granularity. As with anything new there will be risks introduced into the environment that will need management and oversight.

When implementing, you need to start small, test Zero Trust on selected processes and critical assets. Ensure the correct protections and policies are in place and then build up.

Depending on the setup i.e. the location of the trust broker, there could be latency introduced so this too will need to be effectively managed.