Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything related to information security in a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As cyber threats have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives on the multitude of potential risks that threaten their business and being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and the problems they face. We will leave the favourite food and hobby questions for another time.
Leading this week’s CISO Chat is Rick Orloff, Chief Security Officer at Code42 who believes the biggest concern related to GDPR going into effect in May is that it’s untested.
As a CISO, what is your objective? What is the goal of information security within your organisation?
As a CXO, you must have a clear view of the entire business, including technology, operations and data flow. The ability to detect and mitigate risk as well as comply with government and industry regulations also is essential. While it’s impossible to completely eliminate risk from any organisation, CISOs must constantly assess and quantify their attack surface and understand how hackers might try to exploit their environments. This includes addressing human behaviors as part of the attack surface and enabling employees so they can operate freely in a secure environment. Knowing how to support and empower employees to perform their roles in the best way possible is a major factor in successfully safeguarding a business.
What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?
The answer is vulnerabilities. You need to focus on process and framework to manage vulnerabilities. If you successfully manage and remediate vulnerabilities, you may not have to worry about the threats. That said, situational awareness is key to a good program. Knowing what new threats are emerging is very important.
With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?
We embraced and prepared for GDPR early on.
I believe the biggest concern related to GDPR going into effect in May is that it’s untested. We will need to wait and see how regulators will hold companies accountable and respond when a breach is reported. Most businesses, particularly public companies, have embraced the need to comply with the regulation, so the open question now is: what will happen if they violate it?
Social media is everywhere. So how much of it is a security issue in the workplace?
Social media is not going away, ever. It’s part of the DNA of the modern-day employee base. Employees use it professionally and personally. Employees and kids concerned about their futures need to understand the risks of integrating social media with their careers. It’s mostly a security and training issue related to defining its boundaries and compartmentalising the accounts and the data being shared. Offering training programs that engage pen-testers who employ social engineering, running spoof phishing attacks and more, all can be smart ways to educate employees about the importance of adequate data protection.
What would your No. 1 piece of cybersecurity advice be as we begin 2018?
As it relates to the software development lifecycle, we need to make sure our organisations design with security in mind – and we need to make it a top priority. A meaningful software security program works to eliminate technical debt, holds firm on software security standards and remains current on patch management. If you do this, you can significantly reduce your vulnerabilities.
Today, IoT and AI have become a major focus for organisations, with almost every device, toy and appliance now being built with connected technology. Worryingly, security seems to be an afterthought in IoT. Why is this the case and how can this be changed?
IoT devices – along with endpoints like laptops and computers – are adding to an already dispersed attack surface. With laptops, tablets and mobile phones, we upgrade the operating systems and receive patches regularly. On the other hand, once deployed, IoT devices are largely unmanaged. Most IoT devices don’t provide a mechanism for their owners to upgrade the firmware or otherwise mitigate security risks as they become known or anticipated. So, if you have a home firewall and have an IoT-connected refrigerator, oven or saltshaker, these devices are behind your firewall with a connection to the outside world and there’s little management. That means an attacker can try to compromise your oven in order to gain lateral movement to the other devices connected inside the house, e.g., baby monitor, computer, webcam, etc.
Lack of management isn’t the only factor driving a lack of IoT security. There are a couple of other reasons why security for IoT devices seems to be an afterthought. One is that the most popular IoT devices today are designed to deliver an experience or service and tend to have low cost and essentially disposable components. Ensuring the security of these devices would drive the cost up for consumers. Another reason is there aren’t defined security requirements for IoT devices. Until these basic conditions change, it is unlikely that IoT devices will become secure.
How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?
High tech companies need to provide a lucrative path for employees to develop cyber skills and opportunities to grow organically. To become a next-gen cybersecurity professional, you must work your way up the ladder and be well-versed in multiple domains. You must have enough knowledge about general infrastructure, data correlation, actionable intelligence, networks, incident response and risk models to lead a team.
What’s your worst security nightmare? What would be your plan to prevent and mitigate it?
My worst security nightmare is the same as it was in 2001 – that is, a bad actor would take encryption software and point it not just at endpoints, but also at corporate data on the servers or in the cloud. To prevent this type of scenario, you must have a meaningful recovery program that extends beyond backup. While backup is a requirement for recovery, it does no good if it takes you ninety days to recover.
How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding of the work you and your team do?
Even two years ago, boardroom conversations about security weren’t as meaningful as they are today. It was not unusual for CSOs/CISOs to get 10 minutes on a board agenda once a year. In some cases, they might not even attend the meeting. Instead, a CIO might present one or two security slides on their behalf.
With the rise of cyberattacks, however, security’s role in the boardroom has changed. CXOs/CIOs together with their boards are mutually engaged in security discussions. Boards want to understand how security programs are being measured and whether CEOs are supporting them. In fact, many boards are seeking to fill positions with security executives in order to help advance their understanding of security.
Rick Orloff, Chief Security Officer at Code42
Rick brings to Code42 more than 20 years of deep information security experience. Prior to joining Code42, Rick was Vice President and Chief Information Security Officer at eBay, led and built a variety of global security programs at Apple (AAPL), and directed global security at Lam Research (LRCX). Rick is currently an active member of several advisory boards focused on new and emerging security technology companies.
Throughout his career, Rick has driven meaningful and actionable results across a range of security areas, including global threat management, cyber intelligence, geospatial correlation of data and security operations centres.