Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information-security related in a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives on the multitude of potential risks that threaten their business and on being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and the problems they face. We will leave the favourite food and hobby questions for another time.
We caught up with Christian Vezina, Chief Information Security Officer at VASCO Data Security, who feels Crime-as-a-service will be one of the biggest threats for 2018:
As a CISO, what is your objective?
As a CISO you need to identify the top security and privacy-related risks to the organization, and limit their adverse effect in the most efficient way. Since the security landscape is constantly changing, you can’t afford to drop the ball, and have to be confident about all the decisions you make.
What is the goal of information security within your organization?
One of our main goals is to ensure that security risks (exposure to the company’s assets) are kept at the lowest possible level. Obviously, this is a broad goal, and requires the support from everyone in the organization. It will require analysing threats, vulnerabilities, likelihood, compliance requirements, etc., and implementing the appropriate controls.
What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?
Obviously, it’s important to consider both, as the two are very much interlinked. Anything could potentially be a threat to a company, whereas vulnerabilities refer to weaknesses in the company that can be damaging if exposed. So if there were no vulnerabilities to be exploited, we wouldn’t have to worry about threats. Instead of focusing on one or the other, it’s best to get a complete picture of what the risks are, and find a good balance to address them.
What do you see being the biggest threats for 2018?
Crime-as-a-service is one of the biggest threats for 2018. There have been so many new vulnerabilities in recent months that the bad guys are starting to spot and leverage every vulnerability, offering crime-as-a-service tools, and making it easier for anyone to commit cybercrime. The days of hackers being skilled IT professionals are behind us.
We’ll also see an increase in IoT and the proliferation of insecure connected devices. According to Gartner, there will be 20 billion devices by 2020, so organisations offering connected products should start investing in providing adequate security for the IoT experience. If they don’t, we’re going to see more large-scale Distributed Denial of Service (DDoS) and Destruction of Service (DEoS) attacks. Even more worryingly, the motivation is shifting from getting money to destroying systems. Malware will also be more mischievous as it looks to see what it can destroy, and break the ability to restore by looking up an organization’s or consumer’s backup capabilities and erasing data.
How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?
Although the demand for IT security employees is increasing, unfortunately we’re seeing fewer and fewer people going into the sector. This will result in fierce, frenzied competition, with companies fighting to get decent candidates, pushing up salaries to ridiculous heights. We can probably compensate for this by trying to cross-train people in operations and development, so that the number of people with knowledge of cybersecurity increases by proxy.
Today, IoT and AI have become really big focuses for organisations, with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?
When it comes to identifying why there’s such a lack of security in IoT, we can point the finger at money. The main focus of gadget vendors is to get products to market as quickly as possible, at the lowest price. This often results in a shorter development and production lifecycle, cheaper components that often can’t be updated retrospectively, and no post-production support.
With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?
VASCO has a plan in place, and at this point, we’re confident in our ability to address the biggest risk items in time. GDPR is new and requires a lot of technological and organizational changes, so I’d be inclined to agree with Gartner’s estimations that only around 50 per cent of companies will be compliant by the due date. It will have organisations scrambling for a while, but most will have the top items addressed with time.
What’s your worst security nightmare? What would be your plan to prevent and mitigate it?
As a company offering SaaS services, protecting our customers’ information is vital. In order to limit our exposure, we’re continuously reviewing and improving the security of our processes and technology.
How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding of the work you and your team do?
Cybersecurity risk and posture are on the regular board agenda, and at VASCO we’re fortunate to have board members who have a good understanding of cybersecurity issues. I do see a lot of peers struggling to get their messages across to the board, and as everyone knows, if the board isn’t behind you, it can be harder to get something done.
Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?
Social media is one of the main entry points for cybercriminals trying to attack your organisation. LinkedIn and Facebook, for example, are leveraged through social engineering to trick people and make them click on links. We are regularly communicating with employees on social engineering and social media issues, and are blocking malicious traffic. While our systems help, it’s also important to educate employees on best practices too.
What would be your no. 1 piece of cyber security advice as we begin 2018?
Keep your systems patched. Next to social engineering being leveraged, unpatched systems are one of the ways bad guys can come in. If you protect yourself, you’ll minimize the exposure. Unfortunately, many organizations are still neglectful, but my no. 1 advice is to patch the systems before someone can get to you.
Christian Vezina, Chief Information Security Officer at VASCO Data Security: Christian leads the overall VASCO corporate information security strategy. He has 30 years of IT experience in government, financial, manufacturing, engineering and technology environments, with 15 of those years dedicated to information security.