Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related in a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and problems faced. We will leave the favourite food and hobby questions for another time.
On the back of what was a fantastic first round of questioning with insightful responses from leading figures in the IT security industry, the CISO Chat segment on the IT Security Guru has returned for the second round of questioning.
Leading the second round of the CISO Chat is Shaan Mulchandani, Chief Global Security Strategy Officer at Aricent:
At RSA 2018, Facebook, Microsoft and 32 other technology and cybersecurity organizations formed a cyber consortium with the objective to work together and increase cybersecurity awareness. How beneficial do you see this move and should it be open for others to join?
It’s a move in the right direction, and appears well-timed given RSA as a backdrop for the announcement: the past year has been witness to some of the largest security breaches, the fallout from the Facebook Cambridge Analytica scandal, and the onset of GDPR.
The presence of certain cloud vendors (e.g. Microsoft, Oracle), social media networks (Facebook, LinkedIn), chip companies (e.g. ARM), networking technology vendors (e.g. Cisco, Juniper), and various security firms amongst others coming together makes for a good, complementary mix. Given increased cloud-adoption, expansive social media presences, richer edge devices, developments in software-defined networking, and the wealth in the choice of security technologies – consumers and businesses alike are increasingly anxious about security. The consortium’s pledge to not only embed security in their technologies but also promote awareness of how to leverage native security capabilities is important in two ways:
- Consumers can leverage technology more securely, and utilize it to boost productivity
- Businesses can capitalize on the ‘security by configuration’ trend that is soon becoming prevalent as we migrate to cloud environments, subscribe to more ‘as a service’ offerings, and scale in a distributed, heterogeneous economy.
Regarding benefits and efficacy – the consortium, as indicated, appears to be a well-timed, positive step. It may not yet be to anyone’s benefit for additional firms to join – as any output beyond verbal declarations remains to be seen, and the foundation for best practices has yet to be laid. Perhaps the success of such an alliance, contrasted with how regulation (e.g. GDPR) mandates firms to boost security or actions stemming from firms’ reactions to fallout from future publicly-known breaches, is worth studying as we move forward to find optimal solutions.
Security should be a top priority for any business. How true is this statement and do you believe organizations treat it as such?
Cloud adoption, migration, and acceleration are at record highs. Containers, microservices, serverless computing, and distributed architectures are all redefining infrastructure and we have smaller, decentralized compute/store units that require a security rethink. Adversaries (including nation states) are leveraging offensive/weaponized AI. Taking all these into consideration – security should absolutely be a 100% top priority for every business.
I believe organizations are increasingly treating it as such, as they become aware (first-hand or otherwise) of the reputational damage and loss of consumer trust that breaches can instil. The impact of how security impacts top and bottom lines is being understood – that it isn’t an overhead, rather an enabler and a value creator. Moreover, security isn’t an afterthought – it is finally a boardroom issue.
An interesting personal takeaway from the RSA 2018 Expo was the apparent increase in number of phishing prevention and security education firms over previous years. The trend appears to indicate an influx of capital into the security education and awareness sector.
To give people insight, what are the most rewarding and challenging aspects of the CISO position and how do you think it has evolved over the past couple of years?
Objectively describing what’s most rewarding as a CISO can be challenging; subjectively, it can be based on a need to succeed in an extremely challenging environment, mastering a role that’s often more about collaboration (with executives, partners, vendors, occasionally law enforcement, and even clients) than technology.
As organizations increasingly become aware of the threats that cyber risks and malicious actors pose, the CISO position has fortunately evolved in many cases to report to CEOs, CROs, and on occasion CFOs (often in parallel to a CIO). While it empowers CISOs to be more effective, this change also stems from CISOs being perceived as overhead and necessary for the business (particularly in the wake of GDPR-like regulation that fines revenue). Organizational evolution aside, three broad yet closely-related factors to consider are budgets, people, and technology.
CISOs must also contend with how to advance their AI/ML capabilities to combat weaponized AI (which brings about its own threats of spear-phishing, ransomware, etc.), while ‘holding down the fort’ and laying process-based groundwork for such advances. Technology-wise, the CISO role has also grown to encompass more in-house capabilities – especially when leveraging AI-based security capabilities needs careful evaluation and tools, and when decentralized architectures demand a re-evaluation of security mechanisms.
If you have one gripe about the cybersecurity industry what is it and how would you address it?
There are far too many vendors billing products as “the best in ___” or “the only ___” without explicitly clarifying their focus or acknowledging the competition out there. There is no silver bullet in cybersecurity, and if there was – it certainly isn’t a product! Most vendors now pitch how they can “orchestrate remediation” or “launch adaptive honeypots.” This may be exacerbated by how rapidly people understand the importance of security, and liquidity in investment markets over the last few years. Knowledgeable professionals get what these vendors are trying to say, but how much of it is feature overload coupled with marketing buzzwords and jargon vs. addressing business-related security challenges? That’s my gripe!
Perhaps the best way to address this is to simply ignore all of it. CISOs should focus on identifying what their business needs vs. what stringing together certain tools can provide, and come out emphasizing this fact.
With the development of Blockchain technology, what industries do you think will benefit most from its introduction and why?
Blockchain, and distributed ledger technologies at large, have profound implications on several industry verticals – Finance, Supply Chain, Manufacturing, and Energy amongst many others. Perhaps the first two show the most promise. We recently conducted a proof of concept on blockchain-enabled DevSecOps.
Blockchains, known for distributed ledgers, smart contracts, and reconciliations, present themselves as a natural fit for an industry which is not only the intended target of more attacks or fraud attempts than other sectors, but continues to be reliant on a slew of intermediaries. Several use cases relating to trading platforms, know your customer policies, inter/intra bank or cross-border payment reconciliation, trade finance, and others lend themselves to implementation with potential efficiency gains (and cost savings!) should appropriate implementations be realized.
Democratic, fast, and collaborative are the words that come to mind in the context of blockchain and supply chains – wherein facilitation of automated workflows or data provenance are key requirements that blockchain-based solutions can streamline. Consider the simple examples of how the IBM/Maersk shipping container pilot can be extended to include additional parties such as port authorities, government immigration and customs bureaus, and regional freight networks. All currently store same/similar information, albeit with large paper trails, and have high-degrees of inefficiency or manually-induced bottlenecks. Blockchain streamlines this.
Walmart is able to track the origin of food in as little as 2 seconds due to a blockchain-based implementation – and its impact when massive amounts of food/produce are to be recalled, or the enablement of food exports from one country to others due to food safety standards, is now trackable. Certain blockchain benefits in the field of smart manufacturing and supply chain analytics also appear incredibly promising.