Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related for a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives on the multitude of potential risks that threaten their business and on being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and the problems they face. We will leave the favourite food and hobby questions for another time.
Kicking off the CISO Chat is Quentyn Taylor, Director Information Security for Canon EMEA:
As a CISO, what is your objective?
To help the company manage its risks and also advise the company on upcoming risks and on its position on risk. Essentially, I am here to ensure that the company makes the right decisions in the right way, or at least with its eyes open, and understands what the impacts of those decisions are from a cyber security realm.
What is the goal of information security within an organization?
I think the goal is really to help the company make better informed decisions. It’s to allow the organisation to understand where its risk tolerances are, its risk tolerance appetite, and to help the company manage that risk appetite. It’s also to help set that risk appetite. To act as an advisor, and sometimes the advisor needs to step in to say “I would strongly recommend against that” or “are you aware of the implications surrounding that course of action?”
In your sector, what security challenges do you face? Are there any that are unique to your industry?
Canon is in so many sectors, I wouldn’t say there is a threat unique to us. We have many other sector specific vulnerabilities from protection of company information, consumer product information through to finance and business services. We are in all those areas so we have all those threats. The main challenges we face are the same that many other big corporates face, including compromise of credentials, keeping the outside perimeter secure, ensuring our users are doing the right thing – it’s all very standard, just at scale.
From what you have seen, how have things changed over the past 12 months in the realm of cyber?
I feel it has changed an awful lot in the past 12 months. I don’t think it has changed in a technical sense but instead in a perception sense. I think suddenly the world has woken up to the fact that governments are playing in cyber security and not from a protection point of view. Governments are playing in offensive cybersecurity; when you look at WannaCry, NotPetya and BadRabbit, people suddenly realised that nation state attacks are starting to affect that random PC that is in the corner. So, I think it’s been a real eye opener this year for those people not involved in the industry to realise that cyberwar is currently happening, that those attacks are linked to nation states and that they are occurring right here, right now. They have always been happening, but this year has been the year that it became mainstream knowledge.
Why do you think that is?
I think it was a combination of elements. The exploit stockpile that got stolen from the NSA, by whom we do not know, then the usage of that particular exploit on the internet. I think they were the major reasons. It was that combination of an attack like EternalBlue coalescing with the issues that are occurring at the moment in Ukraine, so when you start pulling all of those things together, and the relaxation in places like Russia, which is more intolerant to the fact that an attack may be accepted, all these kinds of things came together, simultaneously aligned, and then suddenly we had NotPetya. So, I think it’s a combination of circumstances, tools, the ability and the current political climate. When you put all those things together then BadRabbit, WannaCry and NotPetya are the result.
Have hackers evolved?
No, I don’t feel the hackers have evolved this year. I think it’s been a slow evolution on the hacker ‘front’. However, this year was the first time we had seen nation states targeting ordinary people’s computers as well as critical national infrastructure.
Cloud adoption is significantly on the rise, are there any special considerations for securing services in the cloud?
No, there’s not. Whether you’re looking at 2Factor, single sign-on, encrypting the data, limiting the level of access, whatever controls you are putting in place, they are exactly the same controls; it’s just whoever is in control and the location of the data that has changed.
Is there a cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?
I don’t believe there is a cyber skills gap. I think there is a perception of a gap between managers and recruiters as to the kind of staff they want coming through. I certainly think there is a large demand for people, but I also think there are a lot of people with unrealistic expectations as to what they want. If I can get the right candidates with the right attitude and the right kind of minds – cyber security skills can be taught, it’s the attitude that can’t be taught.
What would you advise candidates coming to interview for a security role at Canon?
I would suggest prospective candidates read up on the industry. It sounds obvious, but I have had candidates sat in front of me that haven’t been able to talk about security incidents in the last 12 months and how they impact corporates. Many questions that I ask in an interview don’t have a right or wrong answer; I am looking to see how candidates start to derive what might be the right or wrong answer.
Do they all have IT backgrounds?
It’s varied. A lot obviously do have IT backgrounds. I think especially when you are moving into information security, it really helps if you have worked in IT roles in the past. I am a great believer in people who have had experience working in service desks, with help desks, who have done first and second line support. I think that is a solid background to have. It gives you an understanding of what the users do and don’t do. It gives you an understanding of how you should interact with people in occasionally stressful situations, so coming from IT is a great start, but not the only start. Many roles in infosec do not need to have a technology focus, so if you don’t have a background in IT please don’t let it hold back your application, as skills from other jobs easily transfer.
What do you see being the biggest threat for 2018?
Another state sponsored attack that will not be from one of the usual suspects. We are going to start to see smaller nation states starting to play in the global cyber attack sphere. I think we are also going to start to see more NotPetya-style attacks, where there is no monetary gain, but instead just a desire to get into the headlines. The bar has been lowered. Remember though, attacks like WannaCry, NotPetya and BadRabbit needed stars to align for the attack to be effective. So, now that we know which stars need to be aligned, we can start to predict the future ones.
Besides there being a major cryptocurrency crash in the first quarter of 2018, I believe we will also see another IoT botnet. With Mirai occurring, which seems to have not been state sponsored, I wouldn’t be surprised if we see something more targeted. It is effective, but I don’t think we will see a sudden disaster. With IoT purchases taking place during Christmas and the January sales, it could take until April and May by the time people realise how much is out there on the internet to begin attacks against these products.
I feel that regulation will become mandatory, with the IoT security mess a pertinent thing to fix, which is why government led regulation, whether that comes from the EU or directly from the UK, is almost inevitable and becoming essential. In Germany, there is legislation around IoT security in toys, because once the genie is out of the bottle it is extremely hard to stuff it back in again. I don’t think the industry can or will initiate a regulation change. It will be the populace/a big news story that will start to force it. The EU is coming along with IoT legislation, with the UK government adopting it if it is sensible, and it may even come before 2019. But to instigate it, it will take another Mirai-styled attack next year, especially if it causes the same level of disruption as WannaCry, which will force them to act.
Why is there a reactive stance to these attacks?
People did a lot of soul searching after WannaCry, around people that said why didn’t the NHS update the software, why didn’t they do this or that. However, people were completely missing the fact that the money that was not spent on updates and upgrades was being spent on saving lives and being put into the health service. Security is a balance.