The Resilience Factor Podcast

S1 E3 Rising from the ashes with Prof. Buck Rogers

Zscaler Season 1 Episode 3


Prof. Buck Rogers, Cyber Advisor at Rohkeus Cyber, explains how getting the right people in your cyber security team can give you that all-important edge. In this episode of the Resilience Factor podcast, you'll hear Prof. Rogers discuss unique methods for building personal resilience, when to lean on your peers for help, and why the trick to navigating critical system failures is to treat it like a marathon, not a sprint. 

Jenny Radcliffe:

Cyber resilience is fast emerging as the driving force behind survival and success in a world of unprecedented digital transformation. Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies and practical advice, the Resilience Factor offers the tools and strategies needed to build business and personal resilience in all areas of cybersecurity and networking. Not only that, but you'll get to hear from a range of industry-leading professionals and experts at the very top of their game. Join us as we build a vital resource to drive organizational resilience within a fast-moving security landscape. Hello and welcome to the Zscaler Resilience Factor podcast. I'm your host, Jenny Radcliffe, the People Hacker, a professional social engineer and expert in all things human in the area of security.

Jenny Radcliffe:

This week we are joined by Professor Buck Rogers, Strategic Cyber Security and Cyber Risk Advisor at Rohkeus Cyber. Having left home at 16 to join the Royal Navy with no qualifications, Buck started his cyber career with BT in 1999. Buck has over two decades of experience within the security industry and a storied career. He has held roles such as Global Head of Cyber Intelligence and Threat, as well as Global Head of Resilience and Risk at HSBC, and Chief Information Security Officer at the Bank of England. He holds a professorship at the University of Gloucestershire, to name a few. With a passion for building resilient teams and cultures within organisations, Buck is expertly placed to provide expert advice and share learnings from his past with us. Welcome everyone. We hope you enjoy this conversation. Welcome to you, Professor Buck Rogers. Hi Buck, how are you?

Prof. Buck Rogers:

Good thanks, Matt. I love the intro as well. Makes you sound really important.

Jenny Radcliffe:

It's really good, isn't it? We need to put, like, bronze swimming certificate and all that in it as well. I suppose the first question we need to ask you is can you explain what makes up the core sort of facets of resilient cyber security systems? What are the key elements?

Prof. Buck Rogers:

I think one of the key ones that people don't ever talk about has to be the people that you have. Good recruitment and the human side of it, because technology will change and technology will adapt. But actually having a good, strong team around you who can understand the technology and translate that to other people, I think gives you a bit more of that resilience, because then you can have an outreach campaign, then you can have internal support for stuff, rather than taking an out and out technical approach to cyber resilience as such and I suspect you'll see that change more and more as you would look to see CISOs take more of a business-and-risk type lens rather than a technology focus.

Jenny Radcliffe:

I'm so pleased to hear you say that, because obviously, from my point of view, it's all about the humans, all about the people. The only kind of response I'd have is that they say they're doing that already.

Prof. Buck Rogers:

But we've both been around long enough, haven't we? And you know you will. You get in a job, you get a CISO role and you'll get inundated with oh, we'll buy this bit of tech, buy this bit of tech, buy that bit of tech. A lot of our peers don't concentrate on the people around them. You know they look at their technical skills, but it's the soft skills I think we need to get better at developing.

Jenny Radcliffe:

Yeah, I mean I think we said when we were sort of chatting before we started to record, that I really see it now that we, you know, we say as an industry, we want CISOs to be at the table and helping with decision making. It's not just the technical side that needs to be brought to that table, you have to be a business professional and that means people, doesn't it. So I mean I agree with you, I think.

Prof. Buck Rogers:

I think that's so right. It's a bit like, and I've seen this, you get our peers that are really good technicians, brilliant, far better than I'll ever be, and they get promoted to a CISO role. Because that's how you retain them, because you want to keep them, so you want to pay them more, and that's where we've got to look at. Actually, you can have a really good technical career and climb up the ladder and get rewarded for it, but you may need a different skill set to have a more CISO-type, risky business career, because you need softer skills.

Jenny Radcliffe:

And I guess what's important there is to support people in that role, isn't it? Because if you have been technically focused and managed to rise through the ranks and become a leader and team leader, I suppose we don't always have that kind of support within the business to make sure that those people also have those management and business skills, because the two are not. You don't necessarily do those. If you do a technical qualification track or certificates, right, I mean it's on the job and then it's some guidance, I guess, from your peers and the rest of the organisation to be a good people manager.

Prof. Buck Rogers:

Yeah, I think on the resilience theme, looking across your peer group, getting help. I remember the first time I had to present at the Bank of England. So you go into this massive 17, whatever 100 building. You know, people talking Latin and I had a disco leg. You know when your legs shake. But next to me was the head of finance and we'd gone for coffees. He's like, you got this. I was like, right, he's with me, and you know, and it went off.

Jenny Radcliffe:

Okay, it makes me laugh that you're going into the Bank of England, people are speaking Latin and you've got a disco leg. It's just, it's painting an image for me. I've been in that Bank of England officially. Um, obviously that makes me laugh. Yeah, go on. So you say so, he's with me.

Prof. Buck Rogers:

And then yeah, and I think it calms you down a bit, because I spent some time talking to him. He said, look, you've explained it to me, and I'd walked him through it as a non-cyber person. He understood it. And suddenly you think, you got this. Deep breath and off you go. And I think, having that peer support, I think as CISOs we think we're more important than we are. We're normally only one item on a really busy agenda and then we don't can the support against, you know, our peers. Where's the head of risk? Where's the head of finance? Say, does this work? Do you understand this type of stuff? I think that helps. And then finding, um, if you're lucky, a mentor. My boss at the Bank of England, Charlotte Hogg, was brilliant and I should be ever grateful. One, she made me go and get tested for dyslexia and dyspraxia in my 40s, which was insightful of her. And two, she was always there to support and guide, but not take charge.

Jenny Radcliffe:

I think that's the most important thing. I think you said a few things that I just want to pick up on very briefly before we move on. But that whole idea of, um, having people to support you, and the idea that we think that our agenda in security, certainly there is this tendency to think, but this is the most important thing, because we know the risk. I always say we're professionally paranoid, it's what's going to happen if it goes wrong. Yeah, I think it's difficult sometimes to stop being frustrated about it when you're in security, if people aren't with you.

Jenny Radcliffe:

So I, you know, yeah, to have a support at that level, a sponsor, a mentor at that level, and to bring them along. I think that's a really good point actually. But I want to talk a bit about the rest of your career, because even just reading that little bio at the beginning, like what a varied and amazing career you've had. What we'd ask is how does it differ from all those different organisations we mentioned at the top? You know we mentioned BT, HSBC. You're a professor. I mean, talk to me a bit about how it differs and any kind of moments. Yeah, it's weird.

Prof. Buck Rogers:

I think the military, doing the military so young, is a brutal skill, but a good one. You know, you join a warship, just turned 17 years of age, and you're in the 80s and there's a range of people up to a lot older than that. You sort of get a bit of personal resilience. The difference I found was when I left government and I joined HSBC is traveling and then having to work. Because you go away with government, because of security reasons, you go to meetings in the States. Say, meeting finishes, your day's finished. HSBC, well, you've got people in Hong Kong so you'll be on the call at three in the morning, and suddenly that pressure of you're always on, there's no walking away from it, and that consistency of you've got to deliver, you've got to do this, got to do that. I think the finance sector can be quite brutal. You get moved on, all the other bits and pieces. Bank of England was brilliant, but then it was good, it was time to move on. I got new skills.

Jenny Radcliffe:

So I think it's a common thing that they're all established brands, but there's a big difference between commercial, non-commercial, I think. Yeah, I mean I always say in security the job doesn't respect the hour, because you know you've got that Friday night and we have a bit in our business where we say we've got a couple of hours, and if it clears that few hours you're going to get your weekend, and if it doesn't clear those few hours you know that weekend's going to be. And everyone who's ever worked in any job in security goes, oh yeah, I know exactly what you mean. That Friday night, come on, let's not have a panic, let's not have an incident.

Prof. Buck Rogers:

Yeah, normally bank holiday weekend.

Jenny Radcliffe:

Christmas Eve. Please, no. Talk to me a bit about, because one of the things you spoke about, the CBEST and TBEST.

Prof. Buck Rogers:

So when I was at the Bank of England, there was a requirement, I think it's the Treasury, that they wanted to test the resilience of the UK financial sector. So we came up with CBEST, which doesn't stand for anything, and that's intelligence-led testing for systemically important banks. So this is end-to-end purple team, it's called now, where you take real-life threats and you model it against an organization's critical systems and then you churn out vulnerabilities, whatever you do, and that was copied by the, I'll put it under open copyright. I thought that's the right thing to do. The bank supported that and that's turned out to be TIBER-EU, I think istar in Singapore, and then TBEST for telephony and GBEST for government, and I'll always be proud of that. That's what helped me with my professorship. I got a nice paperweight award from the, um, Governor. This has been widely adopted.

Jenny Radcliffe:

You made it open source, massively beneficial to protect people and everything, and probably people met, made money and you got a paperweight. But saying that, that'll make you a hero in the community because people will be like, yeah, that's the right thing to do. But my wife hates that paperweight.

Prof. Buck Rogers:

Every time we're dusting or cleaning the study it's like, do you really want to keep that?

Jenny Radcliffe:

Yeah, I do. So look, let's get on to a time when perhaps you dealt with an incident failure, um, you know, or an incident or a failure scenario. Talk to me a little bit about the mechanics of that, because you must have seen a change over the years in that kind of career. Is there one that sticks out that might be a good example for people to learn from?

Prof. Buck Rogers:

There was a critical system failure which had a wide impact, and I think the difference from early career, something could go down, there'd be no socials.

Jenny Radcliffe:

No.

Prof. Buck Rogers:

People would whinge and moan about it, but it wouldn't get dragged down to the public domain. So the pressure was completely different. When you then lose an important system, within minutes people expect you to provide comments or you expect to do stuff, and the pressure slowly mounts. The longer you take to make an assessment or to take action, the bigger the pressure. And if you haven't practiced beforehand, um, then it becomes even more problematic, because you spend so long defending your position, you never get a chance to improve it. So we lost this critical system. It was down for an extended period of time.

Prof. Buck Rogers:

I think the key learning for that was it's a marathon, not a sprint. You may be on call for the first four hours. Who's taking over from you? And I always remember that, you know, so many single points of failure in the staffing method, because you know, I'm in charge, I'll do it, but you can't keep going forever. And it took an hour. It took, I can't remember now, it took well over 12, 14 hours to get it right and then the cleanup afterwards. But it was that, it was a marathon and it was like two heavyweight boxers slogging it out trying to get to the end. Do you know what?

Jenny Radcliffe:

What interests me when you talk about that and you say, you know, you can't keep going forever, as a leader to make that team resilient, one of the things that I've seen in incident response in the rooms I've been in is making people take a rest and making them switch off, because they've got to be rested. If it is like the two heavyweights slogging it out, people, um, something that you said again is like, you know, you get to see people's character and how they react under pressure. I sometimes think the way people react under pressure is the true person, the way someone reacts when they're angry. So speak to that a little bit. So from, you know, how did you kind of encourage or create situations in your roles that have allowed people in a high-pressure job, like the one that we all do, to take those breaks? Because you've said, you know, from experience that that's very valuable, right? So what sort of things did you do?

Prof. Buck Rogers:

Complacency is the enemy of resilience. So, having that, right, I'm going to do the first two hours and then you can take over. I'll tell you what I've done slightly differently, I've always done. I've always found a non-cyber person to be my incident buddy, and what I mean by that is it could be someone I'm friends with, and when an incident kicks off, they're my shadow, because they then provide a critical view as a non-cyber person, and somebody's brave enough to go, you know what, Buck, I think you're talking out of your butt.

Prof. Buck Rogers:

You need to think about this, that and the other, and I found having a non-cyber buddy helps as well, because it helps you continue to reframe the way you're looking at stuff, which takes the pressure down a bit. And then, yeah, just making sure we've got a roster, people have stood down, there's refreshments, that, and actually some people can say it may be a critical system to you, but if they've got to pick their kids up from school or they've got an important doctor's appointment, that's most probably, well, it is more important. So have you got a plan B and a plan C that you can build into it?

Jenny Radcliffe:

The idea of having a non-cyber incident buddy is absolutely brilliant, Buck. I think that's a genius idea, mate, because obviously we're so focused when something like that happens, and it brings in everything you've said at the start about making sure that someone's business focused and team focused, and we do tend to get very myopic in those incidents.

Prof. Buck Rogers:

So that's a great piece of advice, and it was, I mean, and it's done me good to have that, yeah, that person just, and they provide that challenge. They've got a bit of strength of character. You get sometimes so focused on what's going on with the pressure. I think having that, something go right, take this, to reframe it, and I think your own personal resilience is like any other muscle, you've got to train every day, and I think, going through incidents.

Prof. Buck Rogers:

But, like you've just said, and it's terrible and I feel really guilty for this, I've ended up really disliking people because of the way they react to an incident. You know, you've really rated them, they're really nice, and then suddenly they try to put you under the bus or they change what they're doing and you think, come Monday, Tuesday, whatever, how can I look at you the same way again?

Jenny Radcliffe:

Pressure is a truth serum.

Prof. Buck Rogers:

Yes.

Jenny Radcliffe:

And when you're under real pressure and you're up against it, it's like, is this someone who's drunk or they're on truth serum? Suddenly someone who says all the right words, and this goes right back to what we said in the beginning, says all the right things publicly, says everything exactly what we want to hear. Under pressure, truth serum. Suddenly we see, are they rude to people who are reporting into them? Are they, uh, dismissive of ideas? Are they someone who will keep going and keep going, not take any advice, and then fall over? It's so true. Tell me, um, but I did say that you did tell me about some of your team-building endeavors. I think this was at the Bank of England, I think.

Prof. Buck Rogers:

Yeah, we've done various ones. So we did canoeing. We canoed from Henley to Reading, lovely, through four locks, and I think it was really interesting. So half the team thought, yeah, fine, we'll just do it. Of the other half, half loved it. The other half would have killed me, I think. But it was all about a bit of personal resilience, a bit of grit. We did some stuff in Ashdown Forest which was really good for training awareness. Um, we had a brilliant training awareness lead. So inside the bank, we did stuff like a tiki bath, or people going on summer holidays, they could get a, um, a holiday prescription for their mobile to make sure it was safe. Um, a range of different stuff. Just, we have a meditation room. But didn't you have an 80s?

Prof. Buck Rogers:

Yes, oh, spin, yes. So 80s spin, yeah, good job. But there's a gym there and we used to take a spin class on a Thursday. So I'd provide the 80s mix and we'd have, um, if you did the first one, you got like a luminous sweatband, and then if you did enough of them, you got a set of luminous leg warmers, and there'd be a good five or six people, because we put into people's objectives that they were responsible for their social, emotional and physical well-being. So if they needed to do stuff, go for a run during work time, then why wouldn't you support that?

Jenny Radcliffe:

It's brilliant because it's fun and people are under pressure, and it's a fun thing to do and it's a bit silly, and I also think that a great tagline for this podcast will be paperweights, leg warmers and truth serum. Now, so you know, thank you for providing us with a brilliant tagline for it, Frankie.

Jenny Radcliffe:

So you know, I suppose just getting towards kind of the end of what we're saying, but there's a lot of personal resilience required to bring resilience to an organization, isn't there? I mean, it's about character and things. You know, what advice would you give some of our listeners now to help them to build that mindset? Because, you know, your military background, it's a mindset. I believe that's what all my military colleagues and friends have told me. So what advice would you give today's IT teams and CISOs just to help build that kind of mindset?

Prof. Buck Rogers:

Practice gratitude would be the first one, um, focus on what you can control. Reach out, uh, when you need help and support, both professionally and, because there's almost like, uh, we all do it, it's almost narrow-mindedness, isn't there, to think I don't need help, I'll battle through this. Or actually, sometimes you have crappy days, um, and knowing when they are, and then exercise your resilience because, like I said, it's like a muscle, and the more you push yourself into resilience and you push yourself, the more it learns. But yeah, I would definitely say practice gratitude, focus on what you can control, um, and then just look at unconventional methods of building resilience. I've got, um, you can't see it, but behind my desk over there, I'm a massive Moomin fan and I've got a Moomin quote and it's there, and every day I look at it and it says the main thing in life is to know your own mind, and I think that would be one of my key things.

Jenny Radcliffe:

I think that's great advice, and I think the biggest sort of takeaway that I would echo from all of that wisdom would be when you say, you know, focus on what you can control, don't try and change the color of the sky. There's another one that I'm told by a mentor, somebody who mentors me. It's like, you can't change that, so don't try. But what can you change? And if you can't, can you find someone else who can, and don't be scared to ask for that help. And I think that's just genius. So final question, I do wonder what your answer is on this. What would you consider your resilience superpower to be?

Prof. Buck Rogers:

I think most probably at times, my stupidity, in the fact that I try to find some sort of meaning in the struggles I'm going through. So you know, as other people battle against it, I try to think, well, not sat cross and atters type thing, but I'm trying to find some meaning or some value in what I'm doing. Um, and then I don't need to be the smartest person in the room. I mean, somebody called me a cockroach. It's because, the problem with you, Buck, we stamp on you and you keep coming back.

Jenny Radcliffe:

Oh well, I'm glad that they framed it a bit better than what I was like. Did they? And what happened?

Prof. Buck Rogers:

Yeah, yeah. But if I leave anything, it is reach out to people, don't be isolated. You know, now we've had a chat, if I had a problem I wouldn't think twice about calling you, saying Jenny, I'm sure you've got wide experience.

Jenny Radcliffe:

What, do you know what? It would be an absolute pleasure to speak to you again in any capacity, and I look forward to doing so. Thank you so much, Moomin fan, paperweight holder, guardian of the paperweight and guardian of the luminous 80s leg warmers. For now, thank you so much for all your contributions to the Resilience Factor podcast, Professor Buck Rogers.

Prof. Buck Rogers:

Thank you.

Jenny Radcliffe:

So let's reflect on that conversation with Professor Buck Rogers. He believes that one of the most overlooked core facets of resilient cybersecurity systems is the people.

Prof. Buck Rogers:

Because technology will change and technology will adapt. But actually having a good, strong team around you who can understand the technology but can also play the human aspects to it and translate that to other people, I think gives you a bit more of that resilience.

Jenny Radcliffe:

And that we should not hesitate to use unconventional methods to build people's personal resilience.

Prof. Buck Rogers:

We used to take a spin class on a Thursday, so I'd provide the 80s mix, because we put into people's objectives that they were responsible for their social, emotional and physical wellbeing. So if they needed to do stuff, go for a run during work time, then why wouldn't you support that?

Jenny Radcliffe:

And when critical systems failures happen, fixing them is a marathon, not a sprint.

Prof. Buck Rogers:

You may be on call for the first four hours. Who's taking over from you? So many single points of failure in the staffing method, because, you know, I'm in charge, I'll do it, but you can't keep going forever.

Jenny Radcliffe:

Professor Rogers reminds us CISOs not to be isolated and that we can build resilience by leaning on our peers.

Prof. Buck Rogers:

As CISOs we think we're far more important than we are. We don't can the support against our peers, whether it's the head of risk, whether it's the head of finance. It's like, does this work? Do you understand this type of stuff? I think that helps.

Jenny Radcliffe:

The Resilience Factor podcast is brought to you by Zscaler, a leading cloud-based cybersecurity platform revolutionizing the way businesses protect themselves from cyber threats. By transitioning from traditional appliance-based systems to a cloud-delivered model and the implementation of zero trust principles, Zscaler provides businesses with optimal protection from cyber threats.