Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple as their teams work around the clock to respond to incidences that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which also involves consulting to boardroom level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.
To get a better understanding on the life of a CISO, the IT Security Guru will chat to leading CISO’s to get their thoughts and ideas on the 2018 cyber landscape and will include advice, guidance & problems faced. We will leave the favourite food and hobby questions for another time.
Our second instalment of CISO Chat is with Thom Langford, Chief Information Security Officer for Publicis Groupe and he reveals his biggest worry regarding GDPR:
As a CISO, what is your objective?
I have actually been asked this a lot recently, so I will give you the same answer; it is NOT about making my organisation as secure as possible. If I did that then business, agility, innovation etc would stop. My objective is to help the organisation sell more stuff, be it widgets, services, expertise or whatever. I can best do that by the judicious use and application of security to create an advantage, and allow greater risks to be taken more securely.
What is the goal of information security within an organization?
As above, it is to support it. A security team is not a “special flower” that that means organisations need to do as we tell them or else, we are one of many inputs into the business decision making process.
What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?
I imagine there would be a 50/50 split on this, but to my mind threats exploit vulnerabilities, so therefore focus initially on vulnerabilities. Additionally, understand what it is you are protecting (so you can subsequently protect it) and then keep an eye on new and emerging threats that you didn’t even know you were vulnerable against.
What do you see being the biggest threats for 2018?
The same as every year so far, but our inability to properly engage a business or an individual and help them to understand what they are vulnerable to and what they can do about it. People aren’t the weak link in good security, they are the only link, be that as end users or even creators of technology. Address this and 80% of security issues would go away.
How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?
What cyber skills gap? We don’t have a gap in skills, we have a gap in willingness to hire people with a long-term view to their development and the contribution they make to our organisations. The Army doesn’t hire snipers or tank drivers from the street, they hire motivated people and encourage and invest in their development. Our industry needs to do the same and start looking at what values and passions someone has and invest in that. Skills are easily taught, passion is not.
Today, IoT and AI have become really big focus’ for organisations with almost every device, toy and appliance created installed with this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?
I don’t honestly think this is any different to any other technological innovation or project; security is regularly left as an afterthought. It goes back to my point about sufficiently engaging people in the first place to want to understand security and its implications.
With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?
My biggest worry is that we continue to spread fear, uncertainty and doubt about it, and not actually start addressing it. Much of it is common sense, much of it should be covered by either a security programme or even a sense of morality, and the legal framework should be addressed by the legal profession and not security teams. Any organisation who has a strong working relationship with their legal counterparts should be in a good position on GDPR (especially, if like me, the legal team own it!).
What’s your worst security nightmare? What would be your plan to prevent and mitigate it?
A vulnerability that affected every single modern CPU in every device that has one, going back decades and without a solid hardware fix on the roadmap for 1-2 years. Or has that already happened?
How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding of the work you and your team do?
Regularly, but also as needed. This has ranged from every few weeks to every quarter. There are a variety of factors that have allowed us to communicate more frequently and effectively ranging from what has been reported in the press through to the questions we have asked. Despite everything I have said above, it is getting better for us as an industry!
Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?
Social media is like any other medium of sharing information and should be addressed accordingly. In some organisations, a kind of use of social media, email, internet browsing etc is not allowed, and in others, it is wide open. The approach needs to be appropriate for the environment and culture, and then training and awareness given in line with the approach.
What would be your no.1 piece of cyber security advice as we begin 2018?
Don’t click anything, and if in doubt report it!