0:00:01.5 Bailey Harmon: Hello, and welcome to another episode of the Security Visionaries podcast, a show where we talk to leaders in the security and networking space about how they are successfully navigating today's changing landscape at their respective organizations. I am your host, Bailey Harmon, and today I am joined by Dan Whittingham, Enterprise Security Architect for Cyber Tooling at Rolls-Royce. Dan's going to share a little bit more later, but for those that don't know, Rolls-Royce develops and delivers complex power and propulsion solutions for safety-critical applications in the air, at sea, and on land. Today, Dan is joining me to share his perspectives around industry trends and observations that he's been experiencing as they relate to the many global compliance standards that are constantly evolving. So welcome, Dan, let's get into it. Tell me a little bit about yourself and your background.
0:00:56.1 Dan Whittingham: Yeah, thanks Bailey. Yeah, so I'm Dan Whittingham. I've now been working at Rolls-Royce for 12 years. And one of the first common questions I get is, do you get a company car? But you've already covered that off with the introduction. I mean, the fact is that we are a defence company that operates globally, in defence and civil aerospace, along with power systems, where we make large gas and diesel engines for land and sea. So as I said, I started at Rolls-Royce 12 years ago. So yeah, I started off as an IT security administrator, went into IT security specialist, working with projects and that. And then I went into the information assurance role, looking at data governance and that. And then I stepped out of that and went into solution architecture. And then recently I've taken the role of enterprise architect for cyber tooling.
0:01:41.0 Bailey Harmon: Wow. So across security and architecture, you've worn a lot of different hats. I'm sure that with all those different hats have come lots of different regulations that you've had to kind of muddle through and manage over the years. I know I personally just kind of get a headache thinking about the growing number of compliance acronyms, for example, that seem to keep increasing. I know they're set in place for good reason, but they're causing a little bit of a pain point for security teams like yours. So maybe walk me through, what are some of those top global regulations that you really are kind of muddling through right now?
0:02:14.1 Dan Whittingham: Yeah, I totally agree with that statement about giving a headache; it's definitely different every day. So for myself, working in a defence organisation, it's very challenging. And what I mean by challenging is that I work in a global organisation, we work with different governments, which means we have different local and regional laws, as well as working towards accreditations to ensure that we can bid for future work. And obviously, the end goal is to ensure that we're a growing, sustainable business for years to come. So just going back to your question regarding the key regulations that we're looking at and tackling now. For the UK, we've got Cyber Essentials Plus, that's UK government, we've got NIST 2, ERSA, CMMC, so that's the Cybersecurity Maturity Model Certification, and there are three levels to that, which I can talk about later. But the CMMC framework is based off the NIST 800-171 standard. So it's a good set of guidelines anyway, and they're just building off that. And then you've got three levels: level one, level two, level three. And for ourselves, we're working towards level three, sorry, level two, which is all around controlled and identified information, because we do operate and do work with the US Army and the US Defense.
0:03:27.1 Bailey Harmon: Yeah. Speaking of CMMC, you attended a pretty heavy, intense workshop the other week, right? Tell me a little bit about that. How did that kind of play into what you're doing right now and also maybe help build some of the team morale as you are working through these regulations?
0:03:42.7 Dan Whittingham: There are many, many challenges, but to pick out a couple of examples, I'd say we're trying to meet the compliance requirements. So we've got existing solutions. We've already got a big presence in the US and Indianapolis, but because we've got existing solutions, we're having to really reassess how we operate and what works. And also, what works for one government might not work for the other. And that's what we're finding. And so it's that balance and understanding of what we actually need to meet from a requirements perspective, as I mentioned, CMMC level two, and also, what's the compromise? We've got to segregate systems. We've got extra support in place. We've got further costs. In some cases, we've got new products and solutions coming on, which need further investment. And then we need to have those conversations with the IT leadership, with the investment boards. So yeah, it is a fine balance and it is very challenging. And like I say, going back to your analogy about a headache, there are weeks when you're just glad to put the phone down and go on to something else, because if it was easy, everyone would be doing it, clearly. But obviously this has a knock-on effect on operational costs, and IT execs are wanting to gain more financial benefits than that. Obviously, the IT investment is needed to make sure that we've got that future growth.
0:05:00.5 Bailey Harmon: Yeah, it's always a balance. And I love that you say compromise, because I know personally compromise is really hard to do in my own life, and it's even harder in the professional world. So you have to have a lot of the technical chops, like you're talking about, but you also have to have kind of that empathy and also a strategic mindset for what the business needs. So on that note, you know, from being on the inside, what maybe is one piece of advice that you would give to another security lead who's on a global compliance journey like you are?
0:05:30.0 Dan Whittingham: I find it very hard to keep it to one piece, but I can provide three points which have helped me in my career and in programmes of work like we've discussed today around CMMC. So the first one I'd say is, knowledge is power. You've got to really understand what you're working towards and what you're working with. So I mentioned NIST 800-171: read it. You've got to understand the interpretation of it, because your interpretation and someone else's interpretation might be miles apart. So understand what you're working with and what you're working towards, and the scope of how big the actual project is that you're working with. And number two, it kind of leads on from this. I've got to say, equip yourself with the facts. And the confidence that you get from understanding it yourself and talking to your peers and talking to colleagues and just saying, what do you think of this? Is this correct? Or just bouncing ideas off. Again, it's just building yourself up with that confidence so that when you walk into a room, or you're working with assessors or any other peers, you've got the confidence that what you're saying is actually factual and correct.
0:06:33.2 Dan Whittingham: And the third one I'd say is, surround yourself with the right people in your organization, like-minded, but people who you can be honest with. A lot of people and a lot of organizations are going through the CMMC level two or the whole accreditation process. So there are going to be mistakes made. So if we can talk to like-minded businesses and just table some ideas of how have you approached this, and just get a bit of a sense check of, are we trying to boil the ocean here, or should we take a different approach? It just gives you that, I guess, reassurance, and actually, on the other end, it might be that we're far ahead, or more ahead than what we initially thought, and it's definitely helpful just getting the people around you to support you in that. But if we just break down the knowledge is power point, and go a bit further into the three points I've just said. So I've said read the frameworks. So how do you interpret the requirements? And there'll be portions in the document that you don't fully understand. And that's where you have to rely on point two, which is around equip yourself with the facts, and also point three, surrounding yourself with the right people.
0:07:43.9 Dan Whittingham: An example, sorry, of this is, you don't want to be walking into a meeting and being told something and you get the wool pulled over your eyes. That's not good for anyone. You need to be understanding and clear on what your objectives are in that meeting so you can pull people up if it's incorrect. And then just going back to point two, equip yourself with the facts. I've said read, read, read. Unfortunately, there's no way of getting around this. You have just got to read, read, read to understand it. And if someone's listening to this and they can make it into an audiobook, I'm sure there's a niche in the market for this. Because it's not entertaining reading, it is quite boring. But in all seriousness, you've got to know the material, understand it back to front, as it provides you with the confidence to talk about it, as I've previously mentioned. And then the third one, as I wrap up on this, is to surround yourself with the right people.
0:08:43.5 Dan Whittingham: And sometimes I think we take it for granted, because I've been really lucky in my career to have managers and peers that have believed in me and also pushed me to reach new levels, but also not let me become stagnant in what I'm doing. So at the beginning of the call, I mentioned the titles and the roles I've played within Rolls-Royce over the last 12 years. And that's just because of the people around me pushing me to make sure that I'm not just delivering what I'm employed to do, but also I'm chasing my career goals and everything. So I know some people will not have that luxury in their careers, but having the right support people and the system around you is key, I'd say, to success.
0:09:28.1 Bailey Harmon: I completely agree with you on the mentorship angle. I think it makes a world of difference when you can have a support system, or even, for as long as you've been at the company, kind of a family that helps support your goals, that helps support the business, but also enables you to fail and fail fast and learn, and empowers you to get back up again and try new things. We could probably do a whole segment on that. I feel very strongly about also having had leaders that have empowered me. So I love to hear that. It's tough, though, when you are trying to kind of communicate to the C level what you're doing, the progress that you're making, all of the compliance standards that you're working with across the globe. What are some important conversations you think folks in your role should be having, or maybe are currently having, with their C-suite?
0:10:16.6 Dan Whittingham: As I say, a lot of organizations the size of Rolls-Royce are going through the same thing. So as organizations are investing in these large tech companies to provide security solutions, we're not talking about pennies or thousands of dollars; it's literally hundreds of thousands of dollars. And for me, the conversation is all around the product's value. So what is that return on investment? Is it value for money? So as an architect, this is your bread and butter. This is what you're employed to do: to speak to vendors, understand the product back to front, and basically rinse it for everything it's got, all the features and everything. Because, just on a personal note, I've seen a shift in the approach of some vendors, where it's not always about the next sale. It is literally the focus on, you've got this investment, and how can we help you get the most out of the product? And so it is speaking to the likes of Netskope and others and doing the research and understanding what the roadmap is.
0:11:15.7 Dan Whittingham: And for myself and other architects, it's that horizon scanning of what's coming down the pipeline for the business, any investments or anything new that they're working on. AI. Sorry, we couldn't go through a podcast without mentioning AI. So it's the in thing at the minute, but to that point, it is literally understanding what is out there, and you've just got to get yourself out there and build those relationships. I think relationships are key in any business, but the customer-vendor relationship is definitely instrumental in this.
0:11:49.0 Bailey Harmon: Yeah, I absolutely agree. That relationship is mission critical.
0:11:53.2 Dan Whittingham: Yeah, definitely. Secondly, I'd say, does the solution meet the business requirements and satisfy the compliance needs to pass? We're talking a lot about the CMMC. So we're talking around third-party accreditation. So the question is, does it? You've done all the legwork and the groundwork to understand what the actual business is wanting, what the actual requirements are. What is the bigger picture? What are the business objectives, short term and long term? And we really need to understand what the business aspirations are. So there's no point in delivering a solution where the vendor has no desire to go to cloud, but the business is wanting to go to cloud in the next year or whatever.
0:12:31.8 Bailey Harmon: It's like going to the grocery store: you want to buy apples, but the salesperson comes up to you and says, oh, we have the oranges on sale. It's not the same thing. You need someone that's giving you what you're looking for. I also loved what you said about, you know, being an advocate for yourself and your program too, to make sure that you are mapping the right solutions to what the business really needs, and being that expert in your specific role so that you can walk back to the business and say, this is how we're driving the value. And you're able to communicate, as we mentioned earlier, you know, back to your leadership team. When you're in that room, what are some tips that you have, or maybe a story of how you have been able to successfully show all of the great work that you're doing, but in a digestible way? Because it's a lot.
0:13:18.3 Dan Whittingham: Yeah, it is a lot. And my answer to that is, keep it simple. So I've got a story for you. So I went to an apprentice open day two years ago, which I was asked to speak at, which was a first for me. So nerves were high, but it was amazing. I really enjoyed it. It really took me out of my comfort zone again and pushed me in that area. So I started off talking a bit similar to this. I opened up and talked about my career in IT security. And it was good. It was really good. The people in the room were very receptive. They had quite a few questions, but it wasn't necessarily the questions that I was getting asked. It was when I was sat back down listening to the other speakers, and one of the other speakers, I can't remember the guy's name. But I learned an awful lot in that couple-of-hour session just by observing. And that's how he presented. It was to the point, it provided clarity, the graphics painted a thousand words, but it was really simple. After that day, I set out to be better at how I communicated a solution or a scenario that I had to report back up to the leadership.
0:14:24.1 Dan Whittingham: So I spoke to my peers and we set out a bit of a, not like an acting show, that sounds a bit weird, but a bit of a scenario of, I've come to present this, can you give me some feedback? And as weird as it sounds, and as productive as it was, it was really beneficial in just going through the steps of making some tweaks and critiquing some areas: don't say this, or add this in. And if you're speaking face to face, where do you put your hands and stuff like that? So it's going back to the point again: it's good to be uncomfortable, especially in this business, because in IT security everything just moves at such a fast pace. So it's very difficult to keep on top of everything and get that. But never stop learning.
0:15:11.9 Bailey Harmon: Never stop learning. And it's kind of like you're on the football field and you've got that iPad in front of you and you're watching tape back to figure out how you're going to present, or how you're going to do this, or how you're going to communicate the story. And it seems like it's a small kind of tactic that you're working on in the back, but then when it comes to presenting the full picture, it really makes a difference in how that lands. And I just can't emphasize enough that never stop learning. I love that point. You obviously have huge business demand at Rolls-Royce that you're tasked with, but some of these requirements that we're talking about are pretty muddy. So not only do you have to focus on the requirements, but you're also thinking about your overall data protection strategy. What do you wish more regulators kind of understood about the position that you're in, with the balance of all of these different aspects?
0:16:00.5 Dan Whittingham: Yeah, with me living and breathing this global compliance work, I'd say for the past 18 months, I do wish regulators demonstrated their understanding better. An example being, in specific cases, what they're actually asking for is not really feasible, because it's down to the environment and the context of how the control is being applied. So it's not to be obviously overly stringent, such as putting a square peg in a round hole. So the second point I'd say is terminology. So as you read through the frameworks, I find myself feeling quite underqualified, just reading them. It's like you've got to literally be a lawyer or someone with some high degree to actually understand it and interpret it into, I guess, the common language of what it actually means. So I'm not saying to write it out in a UK Midlands accent, but it feels like they're hiding behind some text, inviting those different interpretations and not being 100% clear on what they're actually asking. And because, as I said earlier on, depending on who reads it, they might get a different interpretation. And I think that's where we get into the grey areas of what it actually means. Because, yeah, one business might say, well, we've interpreted it this way and this is how we've done it.
0:17:14.5 Dan Whittingham: And for a defense organization like ourselves, our risk is really high. So we go the opposite way and say, well, yeah, we've put extra firewalls in, or whatever it may be. As we go on this journey, I think it would be good for regulators to get out in the real world. And I'm not on here to upset anybody, but it's just from my personal experience of actually getting out there, and using that as an opportunity to talk to businesses like ourselves who are going through these compliance processes. I personally think that it would help the business and the governing bodies and the whole relationship, which in turn provides that confidence to business not to be fearful as we're going through this, because obviously there's a fear of failing an actual accreditation, but also losing business. So it's not minute, this issue. I'd say it's really large, just due to, like, non-compliance. But just help businesses and reassure them on that. Okay, it's not great, but this is a path and this is your plan to remediate what you need to do. Obviously the end state for everyone is to operate securely and be successful.
0:18:19.8 Bailey Harmon: Definitely. I don't know, you were talking about writing it out in a UK Midlands accent, but that goes back to the audio book. You could put it all together. You brought up an interesting point though earlier that I wanted to touch back on. You were talking about AI and it made me think, how do you balance the need for compliance, but also make sure that you're innovating with tools like GenAI?
0:18:43.3 Dan Whittingham: Yeah. So AI is difficult. Obviously it's a buzzword and it's here, it's now, everyone wants to use it. So the pressure's on. I'll use the analogy of shut us down, lock the doors, close the gates until we get familiar with it and understand it for what it actually is. Businesses are obviously clearly wanting to engage in and use this, because there is benefit. There's obviously the good benefit and there's the bad benefit from the threat actor's perspective. From our standpoint, it's all around the data, and that's where the risk is, and that's where we've got a high-end risk around where our data is going, because it's, yeah, engine schematics and stuff like that. So just going back to the question, it's a challenge, because it's not as simple as, yes, you can have it. Here you go. Fill your boots. We've got to be really careful with this and understand it for what it actually is and where the data is going.
0:19:37.9 Bailey Harmon: Yeah. I mean, we'll end with that. Understand what it is and where the data is going, and then you'll be able to operate successfully and securely, to go back to your other point. So I think that's a wrap on the questions that I had for the day. Dan, thank you so much for joining us and sharing your perspectives and your stories. We really appreciate having you. You've been listening to the Security Visionaries podcast. I've been your host, Bailey Harmon. If you liked this episode, go ahead and share it with a friend and subscribe so you never miss another. See you next time.