Sitting on stage at a recent cybersecurity conference, Sunil Patel was the real voice of cybersecurity that too few in the industry seem to hear: stretched thin, having to “secure more with less”, facing a perilous threat landscape and yet still having to act as a business enabler, not a blocker.

Global cybersecurity spending will hit $183 billion in 2025, says Gartner. A conservative estimate puts the number of vendors in the space at 3,200. Listen to their many voices and you'd sometimes be forgiven for thinking that downstream, at the enterprise security coalface, money is sloshing around.

For most, it’s simply not and Patel – Information Security Officer at British retailer River Island – was candid about the scale of the challenge. 

Not enough people; too many tools?

The uncensored truth? “Cybersecurity” is essentially him and two analysts for an estate of over 200 stores “with 6,000 people servicing those stores, plus another 2,000 in our main distribution center and head offices.” 

The challenges – on top of being a threadbare team – are many, including shelfware: “We [seemed] to have a lot of tools in place, and [were] probably getting 5%-6% of the true value out of those tools,” he admitted. 

Patel decided to almost reverse-engineer this environment, looking at processes and “how can we automate them so [we get a] smaller tool set and much more efficient process management” for starters, he explained.

He also wanted to be able to streamline reporting for IT and leadership with a better central security dashboard that cuts through the noise. 

“I’m not going to get any more people…”

Patel was speaking at UK Cyber Week with Chris Wallis, CEO of Intruder, an exposure management platform that helps customers like River Island with vulnerability scanning, attack surface management and cloud security posture management in a single platform. 

(By helping organisations identify unknown assets, such as subdomains, untracked APIs, login pages and cloud services, Intruder delivers easy-to-understand findings that let users prioritise and remediate attack surface weaknesses, while audit-ready reports streamline compliance.)

Patel was clear that he was having to think out of the box, not least because, bluntly, more troops were not coming to help his team out. 

As he put it: “I'm not going to get any more people for the next 18 months. We just simply can't afford the head count at the moment.”

Ruthless prioritisation 

Ruthless prioritisation was needed, he said: “I had a list of 20 things. If I try to attempt all 20 things, I'm never going to get around to doing them all to the standard expected, with the resources that we've got in play. 

“So whether that be people, process, technology, it's a case of sitting down with the leadership and saying, ‘I'm going to prioritize these five things because they have the biggest impact on the business.’ This is where Intruder helped us out, because we were struggling with vulnerability scanning in terms of how to manage it, how to get a view of what we've got, and what risks we're carrying; that was a top priority.”

Creating self-serve environments 

One of his biggest priorities as Information Security Officer at River Island was giving developers and IT more broadly self-serve security capabilities.

“For me, failure is for us [security] to become a gateway,” Patel said.

Democratising risk reports and more has helped unblock potential bottlenecks here, he suggested: “We've created a capability now where business or technology stakeholders can automatically do their own third-party [cybersecurity risk] assessments, and we oversee and have final sign off. We took that process from a month to three hours.”


That’s been possible in large part because of Intruder’s ease of use and clarity of output, he said. Intruder CEO Chris Wallis, a former penetration tester, whose company now has over 3,000 customers, added: “In my pen testing days you would run a scan like Nessus. The findings would come back and sometimes you’d have to Google what's in the response. 

“You have to say, ‘what's it actually trying to tell me here, because I don't understand what the risk is?’ So we actually put a lot of effort into those issue descriptions at Intruder; to really explain the risk and why we think it's a problem. Simplicity is often underrated in cybersecurity,” said Wallis.

“Straight on the Jira board…”

Practically, Patel added, that meant his small team is able to work on “attempting to take ourselves completely out of the loop: when Intruder spots something, it goes straight onto the Jira board, the people responsible for that application or service, whatever it is, then use us as a consultant,” he explained. And if his team is ever stuck, Intruder are at the end of the phone and highly responsive, he told the audience.
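The "straight onto the Jira board" workflow Patel describes is a routing problem: each scanner finding has to land in the right team's project, with a priority that reflects its severity, and a re-scan must not open a second ticket for an issue that is already being tracked. The script below is an added example of that pattern and is not code from the article, from Intruder or from River Island. The finding format, the owner-to-project mapping, the severity threshold and the Jira payload shape are all assumptions; a real integration would pull findings from the scanner's API and POST the payloads to Jira's REST issue endpoint instead of printing them.

```python
"""Route scanner findings to per-team Jira tickets, deduplicated across re-scans.

Added example, not the article's or any vendor's code. The scanner output
shape, team mapping and Jira field layout are assumptions for illustration.
"""
import hashlib
import json

# Constructed sample findings (not real scan data). Note the repeated
# ssl-weak-cipher entry: a re-scan reports the same issue on the same host.
SAMPLE_FINDINGS = [
    {"id": "ssl-weak-cipher", "severity": "medium", "target": "shop.example.com",
     "owner": "web-team", "title": "Weak TLS cipher suites enabled",
     "description": "The server accepts cipher suites without forward secrecy."},
    {"id": "exposed-admin", "severity": "critical", "target": "api.example.com:8443",
     "owner": "platform-team", "title": "Admin interface reachable from the internet",
     "description": "An administrative login page answers on a public address."},
    {"id": "ssl-weak-cipher", "severity": "medium", "target": "shop.example.com",
     "owner": "web-team", "title": "Weak TLS cipher suites enabled",
     "description": "The server accepts cipher suites without forward secrecy."},
    {"id": "http-banner", "severity": "info", "target": "cdn.example.com",
     "owner": "web-team", "title": "Server version disclosed in HTTP header",
     "description": "The Server header reveals the exact software version."},
    {"id": "open-db-port", "severity": "high", "target": "legacy-db.example.com",
     "owner": None, "title": "Database port exposed",
     "description": "TCP/5432 accepts connections from any source address."},
]

# Assumed mapping from asset owner to Jira project key. Assets with no
# recorded owner fall back to the security team's own project.
OWNER_TO_PROJECT = {"web-team": "WEB", "platform-team": "PLAT"}
DEFAULT_PROJECT = "SEC"

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SEVERITY_TO_PRIORITY = {"info": "Lowest", "low": "Low", "medium": "Medium",
                        "high": "High", "critical": "Highest"}
MIN_SEVERITY = "low"  # informational findings do not become tickets


def fingerprint(finding):
    """Stable key for 'this issue on this target', independent of scan run."""
    raw = f"{finding['id']}|{finding['target']}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def build_issue(finding):
    """Shape a finding into a Jira-style create-issue payload (assumed fields)."""
    fp = fingerprint(finding)
    project = OWNER_TO_PROJECT.get(finding.get("owner"), DEFAULT_PROJECT)
    return {
        "fields": {
            "project": {"key": project},
            "issuetype": {"name": "Bug"},
            "summary": f"[{finding['severity'].upper()}] {finding['title']} "
                       f"on {finding['target']}",
            "description": f"{finding['description']}\n\nScanner fingerprint: {fp}",
            "priority": {"name": SEVERITY_TO_PRIORITY[finding["severity"]]},
            # The fp- label is what lets the next run find this ticket again.
            "labels": ["vuln-scan", f"fp-{fp}"],
        }
    }


def route_findings(findings, open_fingerprints, min_severity=MIN_SEVERITY):
    """Return (new_issues, skipped).

    open_fingerprints stands in for a Jira search of unresolved tickets
    carrying an fp- label. skipped holds (fingerprint, reason) pairs so the
    run can be audited.
    """
    new_issues, skipped = [], []
    seen = set(open_fingerprints)
    for finding in findings:
        fp = fingerprint(finding)
        if SEVERITY_RANK[finding["severity"]] < SEVERITY_RANK[min_severity]:
            skipped.append((fp, "below threshold"))
            continue
        if fp in seen:
            skipped.append((fp, "already tracked"))
            continue
        seen.add(fp)
        new_issues.append(build_issue(finding))
    return new_issues, skipped


if __name__ == "__main__":
    issues, skipped = route_findings(SAMPLE_FINDINGS, open_fingerprints=set())
    print(json.dumps(issues, indent=2))
    for fp, reason in skipped:
        print(f"skipped {fp}: {reason}")
```

On the constructed input the first run produces three tickets (WEB, PLAT and the SEC fallback for the unowned database host) and skips two findings: the duplicate TLS report and the informational banner. Feeding the fingerprints of the opened tickets back in as `open_fingerprints` makes a second run produce nothing, which is the behaviour that keeps a re-scan from flooding the board.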

“When I’m choosing a vendor or a partner, the key thing to me is ‘can I trust the people I’m going to be working with?’ And when the proverbial… is hitting the fan, are they going to be on the end of the phone to help? 

“Can I also call them to say ‘I don’t know what this means’ or ‘I need some help or guidance’. The human relationship is a high priority,” Patel added, concluding that he is working to democratise security across the organisation. “I try to also make metrics public within the organization. Everyone should know, because it's ultimately, everyone's responsibility.”

Does that mean the company is invulnerable? Of course not. It’s a constant battle to stay secure whilst doing more with less.

But with reports based on incident response data showing that vulnerability exploitation is THE leading cause of breaches, being persistently vigilant to your exposure has never been more important. 

Delivered in partnership with Intruder
