In the run-up to CISO Africa 2020 I had the great pleasure to sit down with Sandro Bucchianeri, the Group Chief Security Officer with Absa to talk about security culture, communicating to the board and handling internal threats.
How are you strategically allocating your budget/resources to deal with the growing scourge of hacks and data breaches?
An important part of the solution is to invest in digital and cyber security skills development, particularly in Africa. Absa is addressing skills shortages in the area of financial services security through several initiatives, including the Absa Cybersecurity Academy, launched in partnership with the Maharishi Institute in March 2019. The academy provides accredited cyber security training and financial support, among other things, for students.
How are you creating a better-integrated security ecosystem in your organisation?
At Absa, we take a pragmatic approach to security, bringing together the physical and digital aspects of security in a single converged security office in order to better analyse, prepare for, and deal with the threat landscape.
What would your advice be to a new CISO when seeking to establish a foundational personal brand of credibility and leadership?
- Collaboration is key to achieving your goals.
- Security is not an individual sport; it is a team sport.
- Use the strength of the people around you.
- Coffee is important in building relationships.
- Be decisive, as time is of the essence.
- Know when to say when you are wrong.
How can CISOs align their strategic priorities with C-Suite executives?
Building relationships with other executives is important, also to understand their risk appetite. Once this is clear, it is easier to align security-portfolio priorities accordingly and glean the necessary support.
How / Are you collaborating with other C-Suite Executives to execute enterprise-wide security measures?
Dual accountability is critical as, ultimately, we’re talking about one share price, one brand. Effective collaboration requires each executive to understand the challenges of the other in order to execute effectively on the company’s strategy and goals.
For CISOs who talk to their Boards, what subjects should they mention and which ones should they avoid?
The conversation is all about security. It is important to have an honest conversation with the board and to be transparent, so as to allow and enable board members to appreciate the size and scope of the challenge in securing the organisation. This opens the way to garnering the required support, including budget.
Technical concepts must be conveyed and contextualised effectively, so that their relevance in supporting the business to deliver against its strategy is clear.
With regards to IT security (or indeed your specific role in the business), what are your main day-to-day challenges? In addition, what do you see as macro challenges to business as a whole with regards to protecting assets, data, customers, reputation etc.?
The main day-to-day challenge would be protecting what you don’t know. A big challenge is making sure your data is accurate. If I have five assets and I only know about four of them, I can only protect the four assets; I can’t protect the fifth. So it’s about trying to understand what’s in the macro environment so that you can ensure the data of your customers and the organisation is kept safe and so that, reputationally, the organisation is not impacted in any way or form from a breach perspective.
Where would you place organisational culture in that?
It definitely features right at the top of the list of strategic priorities, simply because, from a security culture perspective, if everybody did what they needed to do, it would make the role of protecting the organisation so much better. You have to make security awareness programmes current and relevant to employees. We talk about how to protect your wifi at home, how to protect your kids from cyber bullying, why you need to change your password for all your multiple accounts, whether it’s social media or online banking. When you start making security relevant to employees and personal to them, then you start to see the shift from a security culture perspective.
In My View…
What personal achievement are you most proud of?
My Master’s in Information Security, as I did that quite late in my adult life; that was achieved in 2013 to 2015 whilst travelling to over 50 countries and raising a young family with my wife – we’d just had a baby in 2013 – and trying to juggle work, study and family time. That’s what I’m most proud of.
What project that you have built are you most proud of?
In conjunction with a few people at Absa, that would probably be the Absa Cybersecurity Academy, which aims to take impoverished and marginalised youth out of abject poverty and give them a hot skill in cyber security, ultimately giving them a job at the end of the programme.
Why are internal threats oftentimes more successful than external threats?
People who work in any organisation are typically trusted, as they should be. They automatically have access to systems that external threats do not have access to. They already have administrator rights to databases and systems, so it is easier for them to circumvent the controls that we have in place versus an external threat.
Sandro Bucchianeri will be giving the opening keynote address at CISO Africa 2020.