From battling cyber threats to confronting burnout, the future of cybersecurity depends not just on technology, but on mental resilience and cross-sector collaboration.

Bronwyn Boyle, CISO at digital payments provider PPRO, spoke to Infosecurity about how innovation and co-operation are key to overcoming the advancements of attackers.

At the heart of cybersecurity are people, whether that means telling the human story behind cybercrime or supporting each other’s mental wellbeing.

Boyle is an advocate for mental health support in cybersecurity through her role at Cybermindz as a UK board member. During the conversation with Infosecurity, Boyle spoke candidly about her personal experience with burnout and how security leaders can make changes to support, and retain, their staff in today’s stressful environment.  

Infosecurity Magazine: As the CISO of a global digital payments platform, what are the primary cybersecurity challenges you are concerned about today?

Bronwyn Boyle: No surprise but AI is changing the game radically. It is dramatically lowering the barrier for the bad guys and it’s challenging very established traditional security controls we’ve relied on for many years.

AI is bringing lots of innovation but the asymmetry in terms of the pace that the bad guys can use it in attack versus how the good guys can use it in defense is a real challenge for us.

It’s an area where we really need to embrace a more innovative and collaborative approach to allowing AI to unlock the value in defense strategies.

The other thing that gives me pause for thought is the level of professionalization of cybercrime, the level of state-sponsored cybercrime and where there is an intersection point between human trafficking, modern slavery and cybercrime.

For me it’s about raising awareness and helping people understand.

This is a fairly new frontier, so we need global cooperation and to start looking into how we improve data flows, how we improve collaboration to try and take down the root source of what we’re seeing from a cybercrime perspective.

IM: What do more innovative approaches mean to you?

BB: It can mean anything, from better use of AI and defensive strategies to how we’re looking at the end victim perspective.

I’ve been doing a lot of work at an industry level around using modern storytelling to build empathy and an understanding of who can be impacted by cybercrime – like the story of the Tinder Swindler and Cecilie Fjellhøy.

This can lead to innovative solutions in response, like the scam checker Ask Silver, which is a great startup focused on providing in-the-moment WhatsApp guidance on things that could be a scam.

I love the idea that we’re focusing on following individuals’ day-to-day usage patterns and understanding where their user journey is going and being part of that end-to-end user journey.

IM: How are you enabling customers to be part of the defense against scams and cybercrime in the financial sector?

BB: At PPRO, we’re playing an interesting role in the payments ecosystem because we get to see a lot of what’s happening both upstream and downstream.

As we’re getting more sophisticated usage of data flows coupled with new industry frameworks, we are going to have a lot more insights into where transactions are coming from and where they are going to. We’ll also have a much better view of being able to correlate sender and receiver information.

I think that is going to unlock a whole new world of coordinated response across the payments and banking ecosystem.

IM: How do you balance competitiveness with collaboration across the financial services sector?

BB: I spent a number of years working at Lloyds Banking Group, leading their cyber transformation programs, and at the time Sharon Barber was our CIO. She was one of the first people who really pushed the banking industry to focus on collaboration for anything to do with cybercrime.

You don’t just want to be better than the competition, you want to really force down the ability of the attacker to penetrate across the ecosystem.

If it’s not you today, it could be you tomorrow. This is one of those areas we have to be collaborative. We have to work together as a community.

I’ve been in communities where people are at the coal face working on very intense, very distressing incident response. An example would be the people at Marks and Spencer, they’ve been working so hard and hats off to them.

There’s no point sitting in the armchair and saying, ‘we would have done this better’.

And I absolutely abhor salespeople who would use it as an opportunity to sell a solution. We have to support each other and rally around as a community.

IM: Can you tell me about your role at Cybermindz and the aims of the organization?

BB: For a long time, we have acknowledged the fact that cybersecurity can be a very demanding career. It does take a toll on practitioners. We're seeing a lot of burnout and folks leaving the profession. We’re also seeing challenges in entering new talent into the pipeline because our PR image is not that great.

I have been through that journey myself. I had a bit of a wobble in my own life being in a situation where there were multiple things happening.

I care very deeply about my job. I care very deeply about the companies that I serve and the people that are at the end of those. It can be difficult to disconnect when you're in that constant vigilance mode, and you're nearly always in fight or flight mode.

I was probably burnt out myself but didn’t quite realize.

Then I met the team at Cybermindz and we started chatting and they started to talk about the symptoms of burnout.

And I was like, ‘I have that! I think this organization might be beneficial for me.’ What I love about it is it's very empowering. The idea is that you take proven, scientifically validated practices on mindfulness, awareness and ungrounding and you weave that into your day-to-day life.

It means you can focus on reprogramming your neuroplasticity so that you're moving yourself out of that fight-or-flight mode into something more stable that improves your sleep, emotional regulation and your ability to make decisions under pressure.

I was very blessed that I came across Cybermindz at the time because first, I could really recognize the issue, and second, I could really see the benefit.

I’ve been supporting the organization as an ambassador and a VP of resilient communities here in the UK to build a message to help reach communities and companies to get them on board.

IM: What would your advice be to leaders that want to embed this sort of mental health support into their teams?

BB: If we get into that mode of normalizing these conversations it means we can avoid people hitting crisis point with burnout. This will then help us avoid losing talented people who belong in our community and need support.

Taking preemptive measures is huge in terms of avoiding more critical situations downstream.

It’s the same way we do crisis scenario exercises or preventative software controllers. It all adds to your defensive strategy and avoids more of the response and recovery.

If we talked about our latest cyber framework as it applies to our heads, we can all agree that preventative mode is really helpful.

The other piece is opening the scope to have conversations about mental health and feel okay about it. That’s a very big cultural shift and I think we need to lean on it.

Cyber folks are used to normalizing pressure and it can come at the expense of people not being aware of the stress they’re under.

I think having that empathetic environment where people can reach out and get some help is important.

IM: What steps would you recommend to leaders to build a strong cybersecurity culture within their teams and organizations?

BB: Every single person in PPRO is part of our security team and part of our defenses. I really believe in fostering shared accountability and making your people feel empowered. Also, getting them excited about being involved in the security mission.

That’s a great way to break down silos and ensure people feel invested in supporting security and upskilling where they can.

Another piece is for us to speak the language of the business and enable the business. It is easy to lapse into technical jargon but it’s important to position what we're doing in a way that is clearly articulating business value and is aligning with strategic business goals.

It’s one of the reasons being a CISO can be a bit of a lonely place in certain companies because in many ways you are often cutting across the goals – or could be perceived as doing so.

Challenge yourself in your thinking and your way of working to ask where does the business need to go? How do I enable that safely? How do I talk about my mission in a way that can resonate with everybody else’s goals? Focusing on these questions unlocks that force multiplier effect and it can make everybody feel that much better about succeeding.

I think that the idea of shadowing the C-suite and sitting down and spending time understanding their priorities is paramount.