IT Security Guru

CISO Chat – Alvaro Hoyos, Chief Information Security Officer at OneLogin

by The Gurus
March 1, 2018
in Editor's News

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything related to a business's information security. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and problems faced. We will leave the favourite food and hobby questions for another time.

The next instalment of CISO Chat is with OneLogin's CISO, Alvaro Hoyos, who has highlighted a few threats to look out for in 2018:

As a CISO, what is your objective?

Simply put, my objective is to safeguard the confidentiality, integrity, and availability of data. However, how I go about achieving that objective is a much more complex answer.

What is the goal of information security within your organization?

The goal of information security within OneLogin echoes my own mission of safeguarding the confidentiality, integrity, and availability of OneLogin. To expand on that, this includes safeguarding OneLogin customer data from compromise, misuse, loss, or damage, and just as importantly, in line with legal and regulatory requirements. By doing so, we aim to build and maintain customer trust.

What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?

Vulnerability management, as a process, focuses on discovering and addressing existing vulnerabilities in addition to potential threats. Cybersecurity professionals simply can’t focus on one and ignore the other. Countless security incidents in the last few years have demonstrated that neither of these areas can be ignored.

What do you see being the biggest threats for 2018?

The biggest threats I see for 2018 are:

AI – AI is poised to be the biggest innovation for mankind; however, with ‘great power comes great responsibility’. Businesses of all sizes and sectors have the ability to greatly benefit from the use of AI to improve business processes and relieve employees of mundane, time-consuming admin tasks, freeing up time for high-ticket items that can free up margin or areas of untapped profit. However, in the wrong hands, AI can also be used as a tool by cybercriminals to target vulnerable businesses on a widespread scale.

GDPR – In a rush to ensure compliance ahead of the European General Data Protection Regulation, businesses need to be careful not to shift their attention away from cyber security practices in general.

APIs – Threat vectors and surfaces have skyrocketed in the past few years, mostly down to open application programme interfaces, also known as APIs. By their nature, web-based APIs are constantly accessed by a high volume of devices, from desktops, mobile devices, tablets and smart TVs to more connected appliances than you can even imagine with the advent of the Internet of Things (IoT). With more interfaces come more points of entry for cybercriminals to manipulate and data for them to get their hands on.

How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?

The cyber-skills gap, in the short term, can only be addressed by providing training opportunities to existing personnel. Interest in cybersecurity is at an all-time high; not just for those entering or about to enter the workforce, but also for professionals across a wide variety of sectors. In the long term, the growth of cybersecurity programs in curriculums for children and young adults of all ages will help resolve the issue, but it will take some time for us to see a return on investment at a business level. The number one piece of advice I would give to those starting out in the industry is to focus on an area of security you truly feel passionate about. Cybersecurity is a demanding and ever-evolving field, and if you are only in it for a paycheck, you will be quickly burned out by the demanding nature.

Today, IoT and AI have become a real focus for organisations, with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?

Home appliance manufacturers are working at lightning-fast speed to get the latest product to market, and the reality is cybersecurity is the last thing they think about in the rush against competitors. Eventually, consumers will be the ones that have to pay the ultimate price when a hacker finds an ‘open back door’ into the consumer home through an unsecured device. To tackle this issue head on, there needs to be a change of attitude across the manufacturing sector that makes cybersecurity part of the conversation from the very moment an idea for the latest connected product is conceived.

With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?

We are actively working on the various angles of compliance we need to address. As a global company with global customers, we are both a data controller and a data processor, which means we need to make sure we are addressing all applicable angles. Unfortunately, like any new regulation, there are always grey areas which tend to not resolve until enforcement begins. Meaning, once fines start being assessed, interpretations of the framework will start crystallising more than they are now.

 

What’s your worst security nightmare? What would be your plan to prevent and mitigate it?

How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding for the work you and your team do?

Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?

 

Social media is a security risk companies can no longer ignore, especially when companies have been founded just to deal with the risk social media poses. For us, social media, even more than a security risk, is a brand risk. As a security service provider, we cannot afford to have a social media account hijacked. There is the risk that it could be used for a social engineering attack, but we typically do not use these accounts for operational purposes, so the risk is lower.

What would be your no.1 piece of cyber security advice as we begin 2018?

Don’t plan on throwing more security tools and technology at the problem; plan on maximizing current tools and fine-tuning processes and controls.

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.

Tags: Cybersecurity, Technology