Interview with Dave Whitelegg

Email interview held on 12th September 2017 – as follows between Alan Radley (questioner) and Dave Whitelegg (relator):

1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?

Thanks to regular sensational media hacking headlines, most organisational leaders are worried about their organisation’s cyber security posture, but they often lack the appropriate expert support to help them properly understand their organisation’s cyber risk. To address the cyber security concern, an ‘off the peg’ industry best practice check-box approach is often resorted to. However, this one-size-fits-all strategy is far from cost effective and only provides limited assurance in protecting against modern cyber attacks, given that every organisation is unique and cyber threat adversaries continually evolve their tactics and methodologies. In these difficult financial times of limited cyber security budgets, it is important for the cyber security effort to be prioritised and targeted. To achieve this, the cyber security strategy should be born out of threat intelligence, threat assessment and a cyber risk assessment. This provides organisational leaders with the information to take effective cyber security strategy decisions, and to allocate funding and resources based on a subject matter they do understand well: business risk. Nothing can ever be 100% safeguarded; cyber security is and always should be a continual risk-based undertaking, and requires an organisation-risk-tailored cyber security strategy which is properly understood and led from the very top of the organisation. This is what it takes to stay ahead in the cyber security game.

2. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?

Simply put, insecure IT systems and people are behind every breach. Insecure IT systems are arguably caused by people as well; whether it is poor system management, lack of security design, insecure coding techniques and/or inadequate support, it all boils down to someone not doing security right. For many years seasoned security experts have advocated that people are the weakest link in security, and even hackers say ‘amateurs hack systems, professionals hack people’, yet many organisations still focus most of their resources and funds heavily on securing IT systems over providing staff with sustained security awareness. Maybe this is a result of an IT security sales industry over-hyping the effectiveness of technical security solutions. I think most organisations can do more to address this balance, starting with better understanding the awareness level and risk posed by their employees. For instance, the security awareness of staff can be measured by using a fake phishing campaign to detect how many staff would click on a link within a suspicious email. Analysing the root causes of past cyber security incidents is also a highly valuable barometer in understanding the risk posed by staff, and all of these can be used as inputs into the cyber risk assessment process.

3. Where do you go to find your “science” of cybersecurity?

While cyber security controls appear simple to follow in policy statements and best practice guides, the reality is they are not always easy to implement across diverse organisations. When attempting to resolve complex security problems it can be easy for security professionals to lose sight of the goal of cyber security. To keep clarity, I think it helps to strip away the technology from the problem, and learn the security science and lessons from history. So reading military strategy books like Sun Tzu’s “The Art of War” can improve how you think about and assess the cyber adversaries facing the organisation. Delving into the science of psychology is invaluable when seeking to bring about effective and positive staff security awareness and behavioural changes in the workplace.

4. Do you recommend a particular cyber security blog that our readers could follow?

Of course, my own IT Security Expert Blog, and my Twitter accounts @SecurityExpert and @SecurityToday, are well worth following. My two favourite blogs are Bruce Schneier’s blog (Bruce is a true rock star of the industry) and the Krebs on Security blog, which is also an excellent read: Brian provides the behind-the-scenes details of the latest hacking techniques and data breaches, and pulls no punches with his opinions. Both these bloggers have books that are a must read for budding cyber security professionals as well.

5. What keeps you up at night in the context of the cyber environment that the world finds itself in?

The growing dependence on and integration of connected computers within our daily lives means we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life-integrated emerging technologies, from driverless cars to countless new home IoT devices. I fear it will only be a matter of time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning: this cyber attack directly caused the closure of accident and emergency departments and the cancellation of operations. The future threats posed by artificial intelligence and quantum computing are also growing concerns for cyber security, and well worth keeping an eye on as these technologies continue to progress.


Thank you kindly, Dave Whitelegg, for taking the time out of what must be a busy schedule to answer our questions in such an honest way.

Interviewee: Dave Whitelegg, Founder and Author of the IT Security Expert Blog and Website.

Dave Whitelegg – Biography

Commercially oriented and highly experienced Cyber Security & Data Protection Professional with 20 years of Information Security leadership and management. Proven track record of managing cyber risk & improving business security postures within varied scale & diverse business operational environments, including financial services, large high profile enterprises & the military.

Information / Cyber Security, Data Protection Law (GDPR), Incident Management & Investigations, CyberCrime & a PCI DSS subject matter expert.

Responsible for delivering PCI DSS compliance at the UK’s largest Public Sector Payment Processor, which processes in excess of £3 billion annually. See the PCI SSC PCI Perspectives Magazine article for further info.

Subject Matter Expertise & Specialisms

  • Business Cyber/Information Security Improvement Strategist
  • Cyber Security Threat & Risk Management
  • Cyber Crisis/Incident Management & Investigations
  • Hacking, Cybercrime & e-fraud expert
  • DPA & GDPR compliance
  • Payment Card Industry / PCI DSS
  • ISO27001:2013
  • Internet of Things Security (IoT)
  • Web Application & Software development security
  • External/Internal Threat Intelligence
  • Information Security Due Diligence M&A & Third Parties

Professional Certifications

  • CISSP (since June 2006)
  • PCI Internal Security Assessor (QSA trained Jul09 / ISA trained Apr13/Apr14/May15/May16/Jun17)
  • Computer Hacking Forensic Investigator (C|HFI)
  • Certified PCI Internal Security Assessor
  • IRCA Certified ISO27001 Lead Auditor
  • Expired: CCSP (Cisco Certified Security Professional), CCNA, Master CNE, MCP

Information / Cyber Security writer, panellist & public speaker/presenter, & the author of the internationally renowned “IT Security Expert Blog” (http://blog.itsecurityexpert.co.uk).

Speaker at Security Leadership 2016, CxO Dialogue Information Security & Risk Management (Econique), PCI London (AKJ Associates), Merchant Agent Risk Forum, SC Congress, E-Crime Congress, War on Hackers & RSA Conference Europe.

Contact Dave via his LinkedIn profile.