Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything related to a business's information security. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives on the multitude of potential risks that threaten their business and on being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including the advice and guidance they offer and the problems they face. We will leave the favourite food and hobby questions for another time.
Continuing the CISO Chat after the Easter break is David Smith, CISO for Nuix, who feels the skills gap is not only a question of organisational ownership, but of individual application. The security industry is spreading in multiple directions of expertise, and recognising that allows for focussed learning.
As a CISO, what is your objective?
My primary objective as a CISO is to design, implement, and maintain an effective information security plan. I begin by considering the three primary information security objectives: confidentiality, integrity, and availability. With those three objectives in mind, I next consider the risk picture: what are the threats and vulnerabilities my company faces? Once I have considered the main objectives and the risk landscape, I follow a ‘Defence in Depth’ strategy to build a comprehensive information security plan.
What is the goal of information security within your organisation?
Of course as the CISO I want to protect our information and information systems at all levels, regardless of sensitivity. I want Nuix to be more than just compliant with a given governance framework; I want Nuix to be a model of information security for other organisations.
What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?
In general, an organisation has more ability to reduce vulnerabilities compared with threats. But threats and vulnerabilities are both important parts of your risk equation. An organisation can reduce its overall risk by reducing threats, vulnerabilities, or both. Threats can be difficult to avoid – there will always be hackers, disgruntled employees, and natural disasters.
What do you see being the biggest threats for 2018? External attacks? Insider threats?
I have been in the CISO field for 18 years, and very often I see people focusing on “what’s new” with threats without realizing that some of the traditional threats are still with us, and are the most dangerous. So, for 2018, I would begin with a few of the classic threats: poorly trained and informed employees; missing or inappropriate log files and other forms of forensic readiness; and inadequate contingency planning.
As for newer threats for 2018, I do think we are seeing an enormous surge of problems related to third-party cloud storage. It seems like every day a security researcher finds a significant amount of sensitive information sitting in a poorly secured AWS bucket.
How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?
The best way to improve the cyber skills gap is for each organisation to take responsibility for their employees, students, or other users. I think many organisations assume that users have a baseline knowledge of information security, which is rarely the case. Moreover, many information security best practices need constant reinforcement, especially those in the areas of social engineering and operational security. An organisation should provide as much training and as much reinforcement as possible.
For those getting started in cyber security, one recommendation I would give is for individuals to recognize that ours is a field that is not only growing quickly, but also rapidly spreading in multiple directions (e.g. critical infrastructure and industrial controls; information governance frameworks; new and expanding areas of forensics, and of course newer technologies). I would begin by learning as much as you can within multiple fields, but start thinking about specific areas where you want to be a subject matter expert.
Today, IoT and AI have become a real big focus for organisations, with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?
This is not a new problem – most of the original, core Internet protocols had or have no security built in, because the designers never thought that people would use them in unintended ways to cause harm. That problem is still with us, though the issue is magnified due to the rapid proliferation of IoT in toys, home automation devices, vehicles, medical equipment, and more. This is mostly due to the fact that product designers and engineers don’t think about security as they develop these products. Until security is an integral part of the product life cycle this problem will never go away.
With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?
At Nuix we have a very solid and comprehensive GDPR preparedness plan. My main concern with GDPR is the lack of consistency we will undoubtedly see from one organisation to another. I have seen this with the NIST Risk Management Framework/800-53 model, and that has significantly more guidance on how an organisation is supposed to go from Step A to Step B and so forth.
What’s your worst security nightmare? What would be your plan to prevent and mitigate it?
I don’t really have a worst security nightmare; I look at all security incidents, threats, and vulnerabilities as sort of a combined monster that we have to deal with. The best plan is to have an organized security plan rooted in a Defence in Depth approach.
How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding for the work you and your team do?
I am fortunate that at Nuix our executive leaders are very security conscious and are very supportive of our information security plan.
Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?
As a security issue, it depends on what kind of workplace we are talking about. Honestly, I think some organisations that forbid social media do so for productivity reasons more than anything. Since we are talking about social media in general, my primary security concern is operational security: are employees posting information that could cause some kind of harm to themselves or the organisation?
What would be your no.1 piece of cyber security advice as we begin 2018?
Information security training and awareness, at your own personal level and at the organisational level, is always the single best information security investment one can make.