- How are you dealing with the growing spectre of privacy regulations?
By implementing an ongoing program with a multi-pronged approach involving business (as a first line of defence), Data Protection, Cyber and Information Security and Operational Risk to ensure that we meet the requirements from a regulatory as well as from a best practice standards point of view.
- What would you suggest to an incoming CISO on how to lay the foundation for a sound security program?
My advice would be for the new CISO to understand the existing business landscape and structures, to build relationships and to get the necessary buy-in from key stakeholders. This will greatly assist in obtaining the necessary support and confidence in their vision and future roadmap. It will also greatly assist when purchasing and prioritisation need to be done, specifically where this involves purchasing expensive systems or hardware.
- How would you describe a strong organisation information security program?
I would describe a strong organisation information security program as one that constantly assesses risks and the methods to mitigate those risks identified, while keeping company data secure both across the company's environment and that of third parties. This relies heavily on the pillars of the CIA triad (commonly known as the pillars of information security): Confidentiality, Integrity and Availability.
- Our organisation is small. Do you think outsourcing security would be a wise decision?
Yes. Proper data protection and security can be quite costly, yet it is very necessary. By outsourcing to a good third party you would be able to leverage their skills and knowledge framework and have access to a broader community of experience.
- Does including security teams in product roadmap discussions lead to more secure products?
Absolutely. I believe that it is best to involve your security teams upfront as this enables better buy-in from them and their input during the various stages of the product roadmap lifecycle.
In My View…
- What personal achievement are you most proud of?
I am most proud of having had the opportunity to re-invent myself from being the Operational Head of an area to being a Data Privacy Manager. I am incredibly passionate about data protection and the holistic approach needed which involves both the cyber and information security aspects. I love enhancing my learning on the subject by continually researching and staying on top of new developments that impact this space, as well as ongoing involvement and opinion seeking from relevant security partners.
- What project that you have built are you most proud of?
The implementation of the ability to share data and information across the various divisions within a large organisation, through safe and secure mechanisms whilst ensuring compliance with the necessary global regulations.
- Why are internal threats oftentimes more successful than external threats?
I see one of the greatest internal threats, at the moment, being data loss. An organisation's biggest threat is often from its own employees or approved third parties causing or committing data breaches via leakage to unauthorised parties. They have easier access to the data on demand, and that is why it is essential to have robust security safeguards in place which ensure that the relevant access is given for the relevant purpose, and that continuous monitoring of this is in place.
This post is an extract from Corinium's Next-Gen InfoSec: Navigating the Data Breach eBook, which collects insights from InfoSec leaders speaking at this year's CISO Africa Conference in Johannesburg, South Africa.