Written by Corinium on Nov 16, 2019
Bring both technical and business leadership skills. I believe that skillsets that are a combination of a broad technical foundation with some depth combined with strong business leadership and communications skills are a must to succeed in security. The ability to translate the technical conversation into a business risk conversation at all levels of the organisation is a winner.
Internal threat actors are more successful because they have been cleared for some level of access in the network and have established a level of trust with the organisation, based on the employment contract or, if they are a service provider, the engagement agreement. They also succeed because security monitoring mainly focuses on threats coming from outside the organisation instead of looking inward. There needs to be a balance in monitoring internal and external network activity.
Totally, you might have an amazingly talented, diverse group of professionals at your organisation. But cybersecurity’s dirty little secret is that no matter how skilled your employees are, they still usually represent your biggest risk. Research shows that human error ranks even higher for cyber risk than software flaws and vulnerabilities. Consequently, there is a case for running an intense cybersecurity awareness programme as part of risk mitigation.
It has become very clear for us that the metrics used in the past will not help in the future. Whether you are “low, medium, or high” on compliance scores does not tell you enough about the risk to the business. We do not present the board project plans on encryption. We present the board with metrics on data protection for the customer. And we don’t have metrics around patching. We have metrics around maintaining the integrity of our production environments.
This approach makes the conversation simpler with business unit leaders and the board.
In My View…
Running an infrastructure transformation strategy globally for Sasol. In the past, Sasol had multiple data centres and data storage capacities and abilities. Coming into the environment, I defined a global strategy where the business would be able to consistently manage infrastructure across the globe, in the cloud as well as on premises, and that gave us significant cost savings.
My view would be that these hacktivist groups are starting to be more organised and are continuously innovating. They are very patient in taking time to understand the organisation that they want to get into; they know exactly which areas to target and where it’s going to hurt the most. It’s no longer about that person sitting in a garage somewhere in a dark corner, playing around just for the thrill of it. It’s a bigger agenda being driven by these hacktivist groups.