- Is fostering an enterprise-wide security culture a top priority for you?
Yes. One of the main objectives in our security programme is building human firewalls. We have an elaborate awareness campaign that focuses on ingraining a “security mentality” amongst our staff. Frequent phishing and other social engineering assessments demonstrate the real dangers of, and susceptibility to, cyber threats, and help staff to be more vigilant and get into the habit of reporting things that are out of the ordinary.
- How are you smoothing the road to secure digital transformation?
My view is that security must be an enabler, not just a bunch of controls (read: stumbling blocks). The user experience in utilising systems is key, especially when considering the radical changes brought about by digital transformation. We have moved visible security controls from the forefront to the background, thus creating a smoother user experience while retaining a lot of controls and monitoring in the background. Creating awareness around the controls and changes to the IT and business environment is critical, as this demonstrates the value of digital transformation and the security layer implemented along with it.
- How are you bringing meaning to the terms “Security by Design” or ‘Secure DevOps’ in your organisation?
We have embedded security in all IT operational activities and programmes. The security team is involved with operations and projects from the early onset. Creating awareness amongst staff and management forms a key element of the Secure by Design principle. Our awareness programme deals with this issue head on, and staff, management and the Board are trained on the importance thereof. The success of the awareness campaigns is evident in that staff approach the security team before they embark on new projects.
- How Would You Describe a Strong Organization Information Security Program?
A security programme must cover all aspects of an organisation, not just IT. It must include the people and process elements as well. The programme must be risk-based and must focus on organisational weaknesses. Understanding the security landscape and the potential threats relevant to the organisation is fundamental. Engaging with top management and understanding / analysing security risk from their perspective gives significantly more depth to your programme. Having top management embedded in your programme ensures buy-in and support, which is critical for the success of your programme.
- Our Organization Is Small. Do You Think Outsourcing Security Would Be a Wise Decision?
Yes, to a degree. In-house security teams are limited to exposure to threats that impact only their own environment. Outsourced security teams have exposure to threats originating from other environments, and thus are in a position to provide a richer security service. However, I would not outsource the entire security function. I would still keep an in-house seasoned security professional, who has the organisation's best interests at heart, who oversees the outsourced security functions.
- How Important Are Emerging Risks to Your Information Security Vision?
Very important. Technology and threats change constantly. Not understanding emerging threats and their potential impact on your organisation can in essence put you at greater risk. Your security programme should be dynamic enough to allow for rapid changes, and also directional changes, in order to deal with emerging threats.
In My View…
- What personal achievement are you most proud of?
I have a strong IT technical background and worked my way up from a junior technician, to a network admin, to IT Manager over the course of 18 years. When our organisation experienced a breach in 2014, I had to face the harsh realities of a breach and had to learn a lot of things in a short space of time. Becoming the Information Security Officer of the same organisation made me proud, as it was a testament to my achievements after the breach in the security space (developing and implementing a holistic security programme and ISMS for the organisation), and, by doing so, gaining the trust of business management and the board.
- What project that you have built are you most proud of?
Building a holistic security architecture that covers cloud, endpoint, application and data security through innovative thinking, in an effort to improve overall security posture, maximise current investment and reduce overall security expenditure.
Implementing an outsourced SOC. By constantly challenging SOC operations and deliverables, we have a significantly better and stronger SOC service than when the project started.
- What is your opinion on hacktivist groups such as Anonymous?
In principle, I personally do not condone these kinds of groups, and neither will I participate; however, I do believe that they are important to society in bringing “bad” things to the fore and exerting pressure on relevant parties to address societal issues.
- Why are internal threats oftentimes more successful than external threats?
People are very easily perceived as “trustworthy”. In my view, security activities tend to focus on outward and inward activities, and often not on internal activities. Furthermore, human behaviour is difficult to monitor using technology, thus you have to rely on other people to recognise abnormal behaviour and then report it. This is a challenge, as not many people seem to want to be “whistle-blowers” due to distrust in confidentiality matters, i.e. keeping their identity a secret.
- For industry peers who are considering a career move from IT General Management to Security, what skills do they need to move up the ladder?
- Be passionate about security – the entire security spectrum, not just IT security, but also physical and personal security.
- Detailed and analytical thinking
- Logical and out-of-the-box thinker
- Be an innovative and provocative thinker
- Understand the link between business and security and be able to address the gap that exists between business and security. You have to be able to translate technical security language into a language that management and the board can understand – you have to be able to show value in what you do.
- Be a bit of a dreamer – in order to defend your organisation, you must be able to come up with various attack and threat scenarios that can be exploited.
- What advice can you offer on how to pick a security product?
- You have to fully understand the business requirements, and what issues or risks you are trying to address.
- Know and understand what you already have, i.e. current systems, and whether these current systems can meet your requirements. Often, through being innovative you can make things work with what you have.
- Does the new product fit into your ecosystem? If not, what changes would you have to make to your current environment to accommodate the new product? What are the real implications for doing so?
- The product must fit into your Security Strategy and add value to the organisation.
- With regards to IT security (or indeed your specific role in the business), what are your main day-to-day challenges? In addition, what do you see as macro challenges to business as a whole with regards to protecting assets, data, customers, reputation, etc.?
- Organisational culture is the biggest challenge. Traditionally, security was solely an IT thing. However, with changes in threat tactics, IT alone can no longer fight this battle. Insider threats alone are the single biggest threat to security, and to fight this battle you need all the staff to be on board.
- The fast pace of evolving technology driven by consumerism undoubtedly creates big challenges. People wanting to be mobile and work from anywhere securely forces the security team to find solutions to new problems / challenges / risks at a very fast and risky pace.
- Shadow IT is a huge challenge. I think in a big way it is the product of an IT environment that is too restrictive. People want ease of use and simplicity. IT Security should endeavour to provide security solutions that enable business functionality and improve efficiency. If users are provided with the right tools, which are easy to use, flexible enough, and secure, you have less chance of shadow IT occurring.
Don’t miss Henry’s case study presentation at CISO Africa 2020:
Case Study: How to Overcome a Data Breach