In this interview, we spoke with Anthony Scarfe. Anthony is an Information Risk and Cyber Security Leader experienced in delivering technical security architectures, information risk management, security consulting, control frameworks, and effective operational security processes in global organizations. Continue reading and discover his unique insights around information assurance and cyber skills shortage.

1. Can you give us an introduction about yourself, Anthony? How did you venture into the information security world?

It really started at school when my English teacher suggested I should write for the school magazine. Writing articles quickly became an excuse to get in front of a PC.

The teacher in charge of the magazine, Chris Barrington, was a maths and computer science teacher who became one of my earliest mentors. We didn’t have internet access in the beginning, but I enjoyed bypassing a few primitive controls to break out of Windows and play games or send network messages in DOS. 

When the internet arrived, my curiosity naturally progressed beyond what could be done on an individual PC; bypassing network proxies and content filters or creating fake login prompts to fool my classmates into revealing their passwords. I’m still hugely grateful to Chris for tolerating and nurturing a young hacker mentality that led to such a rewarding professional career.

My professional career started on an IT Helpdesk. From there I grew into infrastructure roles in a few different companies, eventually becoming a Technical Architect responsible for designing and implementing secure platforms for restricted Government data.

Achieving accreditation to operate those networks was not easy. I had some humbling experiences with pen-testers in the early days that spurred me on to improve. More importantly, I learned a lot about the ways that technology enables business, and how design decisions that focus too heavily on security can affect the usability of the platform. That perspective on how security decisions impact operators and customers still guide my approach today.

2. Information security and information assurance are both processes needed to build a reliable ICT infrastructure. But how does information assurance differ from information security?

Information Security is about selecting and implementing controls to manage risk. Security Assurance provides a governance function to ensure that controls operate effectively and achieve the intended security or business outcome.

The Security Assurance team provides frameworks, consulting, and support to help the organisation implement effective controls – connecting policies and standards to the real-world implementation through people, process and technology. We then monitor and measure those controls through services like Vulnerability Management, Penetration Testing and Continuous Control Monitoring. These enable us to drive remediation of non-conformance and provide assurance to the business in the form of metrics and other indicators used to manage risk. 

3. You are holding the position of Director of Information Security Assurance. Please tell us about the biggest challenge you are trying to overcome in that position. 

The team has a very broad set of responsibilities that require us to work across practically all business functions and technology domains. Combining that with the fact that we’re in a very fast-growing business, it makes things exciting. We need to be very intentional about working in a way that will scale.

With that context, I think our biggest challenge right now is striking a balance between the strategic activities required to grow the Security Assurance programme with the operational workload that comes with it. A lot of our work is about providing visibility and eliminating blind spots. Every milestone on that journey leads to additional discovery and opportunities to improve. It’s important to have a solid foundation of automated and repeatable procedures to build upon, focus on the most important assets and the controls that you’ve identified as critical.

4. What are the benefits of information security assurance for businesses?

Annual audits are important and they’re not going away, but they are not enough. Nobody wants an audit or a security incident to be the first time they become aware that a control is ineffective.

A key part of our Security Assurance program is Continuous Control Monitoring – building automated mechanisms to collect data about control effectiveness on a continuous basis. Our team strongly believes that this approach can be applied to any type of security control, but the benefits are most apparent in the cloud. 

All major Cloud providers expose configuration information via APIs that can enable control monitoring at scale through automation. If our security standards say that a specific type of resource must be configured a certain way, we can start by defining that configuration in infrastructure-as-code and ensure that the control is built-in. We can then use cloud provider APIs to continuously monitor for non-conformance and trigger a remediation workflow if a non-compliant asset is detected.

For a SAAS company like Elastic, it’s also important that we extend Security Assurance outwards to our customers and show that they can trust us with their data. 

We do that through direct participation in their vendor risk processes, but we make it scale through certifications we’ve achieved for our program, like ISO 27001 which is well known here in Europe, and FedRAMP which is required to sell Cloud services to the US Federal market.

The certification cycle is annual, but eventually I think we’ll see industry standards that make external assurance more continuous. Demanding it for ourselves internally is a good way to prepare for that future.

5. What has been the most important lesson you have learned in 2020 through your work in information security?

It’s difficult to take a single lesson out of such an eventful year. There was not only the pandemic, but several challenging social and political circumstances taking place throughout the year and around the world. 

On the security side, 2020 may be forever remembered as the year of SolarWinds and supply chain; but we also saw vulnerabilities in Zoom and a number of remote access solutions right as they were gaining rapid adoption to enable work from home.

There was an incident at Twitter that had people asking whether a similar attack would have been successful against their own platforms. The Microsoft Exchange vulnerability was technically 2021, but it felt like a continuation of the onslaught.

If I take a single lesson from all of this, it’s that there is a constant demand on us and we will never be finished. We need to make sure we are giving people time and space to pause and relax. Don’t let short-term issues and incidents distract you from the vision.

6. How do you see the information security landscape in Switzerland evolve over the next 3 to 5 years?

I’ve never considered the security landscape to be constrained by borders. Threat actors don’t constrain themselves in that way!

That said, Switzerland has some unique attributes that make it an exciting place to work, with all the ingredients for a thriving security community.

There are highly innovative start-ups coming out of educational institutions like ETH and EPFL that are establishing themselves as, or being acquired by, cyber security companies. “Crypto Valley” is attracting FinTech innovation alongside the banking sector that Switzerland has long been famous for. “Trust Valley” in Vaud and Geneva is another public-private partnership that is acting as a springboard for cyber security start-ups.

We also have great environments for innovation with institutions like CERN, the UN, and the headquarters of local and multinational companies that continue to digitalise their products and services.

7. We hear a lot about a cyber skills shortage, what is your take on that?

It’s true that the market for experienced security people is very competitive and we need more people doing security work, but they won’t necessarily be spending their entire career in the security field.

I was deliberate in talking about starting out on the helpdesk and the time spent supporting and building things. You don’t need to come out of school and go into a specialist security role. Diverse backgrounds and perspectives are critical.

I think most security leaders recognize that they’re not going to be successful trying to do it all alone with a central security team. At Elastic we take a federated approach and try to keep responsibility for security as close as possible to where the work is happening. There’s a network of people across the organization who apply security within their area of expertise. They outnumber the InfoSec department and multiply our impact.

8. What personal development do you do on a regular basis to keep yourself sharp?

I read a lot and listen to podcasts. I try to read about a wide range of topics and not limit myself to security and tech. I also try to balance reading long form writing with the hot takes on social media, which can be difficult!

I still like to get hands-on and play with things. I love how easy it is to spin something up in the cloud and learn by building. I don’t need to be hands-on in my role, but I find it helps to build context, empathy, and credibility which are all important when working with engineering teams.

9. What are your 2 go-to sources of information or support when you are stuck?

I’ve been fortunate enough to work with some great teams and managers during my career. They are usually the number one source of information and support.

I don’t think anybody solves their big challenges or has their best ideas when they’re grinding away at a desk. Those moments only really happen when you get away from the screen and allow yourself some space to think. In my case that means leaving the phone at home and going for a walk with our dogs or out for a long bike ride. I think that counts as a source of support!

10. Finally, if you could give your 25-year-old self just one piece of career advice, what would it be?

Say Yes. Do the project. Make the move. Get out of your comfort zone. That’s where growth happens.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.