- How are you strategically allocating your budget/resources to deal with the growing scourge of hacks and data breaches?
The intensity of these events is growing, but these are all simply examples of threats against your business. An effective security management program (ISMS) allocates budget and resources to existing and new threats as they become or are predicted to become relevant to the specific business model that is being protected.
- What would you suggest to an incoming CISO on how to lay the foundation for a sound security program?
First understand the key commercial objectives of the business, and then ensure that you have a solid position on cyber and information security threats to the achievement of those objectives. There will always be a technical element to information security management, but if you cannot be heard as a proponent of business risk reduction, then you risk becoming just another IT stream. Effective security program delivery can prove that security risk has been reduced, and that security event and incident recovery will minimise impact and effects of any actual impact should an incident occur. Informing business of this objective requires communication and partnership. It also requires a separate but very similar partnership with IT.
- A renowned industry commentator once likened addressing cloud security to navigating a bowl of spaghetti. Do you agree with this statement, and what would be your starting point when developing a cloud security strategy?
I disagree. Cloud security offers an opportunity to re-assess a majority of the technical and procedural controls that have become almost mandatory for effective security delivery over the past ten years. If these are seen as spaghetti requirements, then it is very likely that existing ‘data centre delivered’ security controls may not be delivering what was expected. Understanding who needs and who has access to your information systems, their role and behaviour is not a new concept; it is, however, a minimum basic cloud control. This is in addition to identifying the business and regulatory aspects to the protection of all information that will be located within cloud environments. Lessons from cloud security information architecture and processes always offer benefit to legacy internal controls, both simplifying and strengthening them.
- How can CISOs reconcile cyber budgets with the priorities of non-technical executives – is this possible? And if so, how?
If the principles described within the response to (9) are followed, there is a foundation for a value-based dialogue with the non-technical executives. This is probably the most critical lesson to take forward. Non-IT executives have little or no interest in the technicalities of IT, or indeed any cost that does not represent a net benefit. Profit/Loss/risk indicators define your direction.
- How can CISOs align their strategic priorities with C-Suite executives?
Security priorities must always align with those of the business itself. Any information security strategy must be based on measured reduction of identified business risks. If you are unable to express how security systems and resources will both enable rapid progress and help protect and retain profits then you are simply offering another type of IT deployment, but practically one with little direct visible return.
- Our Organization Is Small. Do You Think Outsourcing Security Would Be a Wise Decision?
To effectively and successfully outsource information security management requires the same level of understanding as building it yourself. To be successful any security outsource must measurably protect a business against threats to its core business objectives. This is not simply buying IT security systems, it is an active delivery of risk reduction. If that risk reduction is not recognised as the primary driver then security outsource is rarely effective, and often more expensive than initially anticipated.
- What Do You Consider to Be Key Attributes of a CISO?
Resilience, Patience, Understanding, Competence, Stubbornness, and Persuasion. In combination with an open willingness to listen, explain, re-explain and to repeat the communication of these attributes to business.
- How Important Are Emerging Risks to Your Information Security Vision?
Emerging risk identification is part of any conventional ISMS. Any security program that does not recognise that security is a continually evolving process, and not just a set of technology deployments, has probably failed.
- For CISOs who talk to their Boards, what subjects should they mention and which ones should they avoid?
As long as communication to the board is based around opportunity and risk any topic is valid. Avoid any non-risk tactical discussion that is just about technology and metrics.
- Does including security teams in product roadmap discussions lead to more secure products?
Only if the inclusion is made at a business recognisable risk recognition and threat management level. Simply adding security tech to a new product rarely adds value, often adds complexity, but always adds cost. Getting to market faster by reducing risk exposure, reducing lifecycle costs and helping to retain profits from any incident are positive benefits that once seen can lead to a demand from business to always include security.
In My View…
- What personal achievement are you most proud of?
Defining, creating and implementing a full business risk aligned information security strategy that both supports business and offers protection and risk reduction.
- What project that you have built are you most proud of?
There are many, but probably the most significant in terms of proven value and achievement of objectives have been the deployment and operation of Access Governance platforms that are both accepted by business and deliver ongoing practical and tangible benefits that greatly exceed their annual cost to deliver.
- What is your opinion on hacktivist groups such as Anonymous?
Just another threat to be evaluated and placed in a risk context appropriate to our business.
- Why are internal threats oftentimes more successful than external threats?
Traditional IT Security always focussed on perimeter protection, and was often infrastructure based. Contemporary Information security focusses on protecting the value of information. Internal actors often have a greater perception of that value, and significantly greater opportunity and visibility to exploit vulnerabilities in its protection.
- For industry peers who are considering a career move from IT general management to security: what skills do they need to move up the ladder?
An active awareness of what can go wrong, and how and when it will go wrong. Effective information security management requires a solid understanding of risk, as well as a good understanding of both technology and human nature. An ability to express and communicate these is critical to a successful career in security.
- What advice can you offer on how to pick a security product?
First understand what you are trying to protect, and how it needs protection. Any security product must deliver recognised and measured reduction against risks that are real for YOUR organisation. Ideally this discussion should not be controlled by the company that is trying to sell you a product.
- With regards to IT security (or indeed your specific role in the business), what are your main day-to-day challenges? In addition, what do you see as macro challenges to business as a whole with regards to protecting assets, data, customers, reputation etc.
Explaining that simply having IT security platforms deployed is not a solution on its own is the greatest challenge. Although Information security will inevitably require a significant investment in security IT, just having those tools does not deliver security risk reduction unless they are used within a monitored and managed ISMS framework.
Steve Jump will deliver a keynote on Cyber Risk Ontology at CISO Africa, 18-20 February, Maslow Hotel, Johannesburg.