
Interview with Marlany Naidoo, Head: Information Security & IT GRC, Mercantile Bank

Written by Sebastian Gazi on Nov 19, 2019 10:20:19 AM


  1. How are you strategically allocating your budget/resources to deal with the growing scourge of hacks and data breaches?

Spend has to be against your business appetite and not against every threat. We will never have enough money to close all the gaps. Investment is channelled towards quick detection and skilled teams to eradicate the breach.

  2. Gartner analysts also predicted that security services will account for 50 percent of cybersecurity budgets by 2020. With this in mind, where are you investing your company resources?

Our primary function is to ensure customer safety when transacting on the bank's platforms; that will be our continued focus. Once again, towards quick detection and skilled teams to eradicate a breach.

  3. How are you dealing with the growing spectre of privacy regulations?

Collapsing the silos between compliance, legal and business requirements in favour of collaboration and understanding the data is a step in the right direction. Privacy regulations fundamentally rely on what data you have, how you transmit it and where it is stored. Building those concepts upfront into the processes and systems means an automated way of dealing with regulations.

  4. Is fostering an enterprise-wide security culture a top priority for you?

Yes, security is not an IT function, it's an organisation function, from the end-users who act as the first line of defence to the assurance providers who seek to understand the risks an enterprise faces, to the executives who set the tone and priorities for the implementation of a security culture.

The easiest way to start this process is to focus on the human component and make security personal via awareness; the conversation up the line needs to provide the different stakeholders with two things: what's in it for you and what we need from you.

  5. How are you aligning security operations with IT? Is automation and orchestration high on the agenda?

Definitely. With the advent of the fourth industrial revolution and the incorporation of AI, machine learning and robotics, the digital age demands that IT implementations consider security inherently.

My relationship with IT Operations and understanding the projects and type of technologies being implemented helps me leverage the correct value propositions that meet a security objective. Automation and orchestration are the only way to ensure that value is extracted in the least resource-intensive way.

  6. How are you addressing insider threats and risk in your organisation?

The insider threat is something I am passionate about. The threat is about psychology, behaviour patterns and intelligence. Given these are human patterns, it is a difficult risk to monitor and control. However, some basic logical things can be put in place.

  • Know the identity in your organisation and understand what that identity does.
  • Build analytics around simple behaviour patterns and educate response teams on how to deal with out-of-norm patterns.
  • Educate the organisation about the insider, and provide a means of reporting these, like whistle-blowing hotlines etc. Your first line of defence plays an important role here.
  • Ensure your organisation's policies around investigations and consequences are known and executed.
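The "analytics around simple behaviour patterns" point above is the part of this answer a practitioner would want to see made concrete. The following is an added Python example, not from the interview or from Mercantile Bank: it builds a per-user, per-action baseline from a week of constructed daily activity counts and flags the review day's entries that sit more than a chosen number of standard deviations above that baseline, which is what a response team would then triage. The user names, action types, counts, the stdev floor and the z-score threshold are all constructed assumptions.

```python
"""Baseline-and-deviation check for out-of-norm user behaviour (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily activity counts per (day, user, action, count).
# Days 1-7 form the baseline week; day 8 is the day under review. Not real data.
ACTIVITY = [
    *[(d, "alice", "file_download", c)
      for d, c in zip(range(1, 8), [3, 4, 2, 5, 3, 4, 3])],
    (8, "alice", "file_download", 40),          # sudden bulk download
    *[(d, "bob", "payment_approval", c)
      for d, c in zip(range(1, 8), [20, 22, 19, 21, 20, 23, 21])],
    (8, "bob", "payment_approval", 22),         # ordinary workload
    *[(d, "bob", "after_hours_login", 0) for d in range(1, 8)],
    (8, "bob", "after_hours_login", 4),         # never seen before
]

# Floor on the standard deviation so a flat baseline (e.g. all zeros) still
# produces a finite, meaningful score instead of a division by zero.
MIN_STDEV = 1.0


def build_baselines(records, baseline_days):
    """Return {(user, action): (mean, stdev)} over the baseline days."""
    series = defaultdict(list)
    for day, user, action, count in records:
        if day in baseline_days:
            series[(user, action)].append(count)
    return {key: (mean(vals), max(pstdev(vals), MIN_STDEV))
            for key, vals in series.items()}


def score_day(records, baselines, day, z_threshold=3.0):
    """Flag entries on `day` whose count is z_threshold stdevs above baseline.

    A (user, action) pair with no baseline at all is scored against a mean of
    zero, so brand-new activity types surface as well.
    Returns a list of (user, action, count, z) sorted by z descending.
    """
    flagged = []
    for d, user, action, count in records:
        if d != day:
            continue
        mu, sigma = baselines.get((user, action), (0.0, MIN_STDEV))
        z = (count - mu) / sigma
        if z >= z_threshold:
            flagged.append((user, action, count, round(z, 1)))
    return sorted(flagged, key=lambda f: f[3], reverse=True)


def triage_line(flag):
    """One human-readable line per flag for the response team's queue."""
    user, action, count, z = flag
    return f"{user}: {action} x{count} today ({z} stdev above baseline) - review"


if __name__ == "__main__":
    baselines = build_baselines(ACTIVITY, range(1, 8))
    for flag in score_day(ACTIVITY, baselines, day=8):
        print(triage_line(flag))
```

The z-score threshold and the stdev floor are the two knobs a team would tune: a lower threshold catches subtler shifts at the cost of more queue noise, and the floor controls how loudly a previously silent action (the after-hours login here) is reported. Bob's normal approval volume stays below the threshold, which is the point: the analytics should hand the responders the out-of-norm cases, not every busy day.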

  7. How important are emerging risks to your information security vision?

The recent results of the brainstorm survey state that 38% of CIOs are expected to drive innovation within their businesses. Without innovation, the business cannot survive. Organisations are expecting IT to optimise and automate in order to help save money and to better the customer experience, therefore attracting more customers. However, the world's best technologies mean very little if they cannot be trusted, i.e. secure. The CISO vision needs to consider the threat landscape in light of robotic processing, artificial intelligence, cloud adoption and so forth, and allow IT to innovate with eyes wide open: know the risks and be adaptive enough to either decrease the risk or accept it.

  8. For CISOs who talk to their Boards, what subjects should they mention and which ones should they avoid?

Outside of the traditional budget and resource discussions, consider:

  • Speaking about security as a trusted partner to innovation and digital transformation. Bring in its commercial value, for example: how it will assist the customer experience (safe customers mean trust in the institute), and how it can save re-development costs if considered upfront during development (DevSecOps).
  • Get the board involved. Education via gamification means the board will understand the kind of decisions that need to be made on the ground without getting into technical detail.
  • Local examples of what is going on in the cyber world, business and personal, make the security speak real.

Avoid fear mongering; after all, the perception of what can go wrong and its impact means different things to different people. Base your comparisons on statistical evidence where possible, and show the risk in the context of your own risks.

Whilst some concepts have to be explained technically, keep the GB and analytics conversations out of the boardroom.

In My View…

What personal achievement are you most proud of?

  • Self-publishing my book with Partridge Africa, obviously under an author name and focused on empowering oneself in the face of diversity.
  • Being a part of the coaching programme for women when I worked at Absa, and guiding young graduates in their first year of working. Two of the ladies I coached are now senior members of PWC.

Why are internal threats oftentimes more successful than external threats?

  • Insiders have knowledge of the type of controls, monitoring and the business process that institutes follow. Coupled with credentials, an insider processing a transaction in the normal course of business or downloading malicious content is going to be difficult to identify unless behaviour analytics and operational controls like the 3 eye principle are in place.
  • The crime costs less money in this instance.
