Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related in a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and the problems they face. We will leave the favourite food and hobby questions for another time.
On the back of what was a fantastic first round of questioning with insightful responses from leading figures in the IT security industry, the CISO Chat segment on the IT Security Guru has returned for the second round of questioning.
Allan Alford, CISO at Forcepoint, was next to give his expert opinion.
With the development of Blockchain technology, what industries do you think will benefit most from its introduction and why?
Blockchain is essentially a decentralised encryption schema with an eye towards encrypting an ever-growing data stream. This technology underpins the transaction ledgers used by most cryptocurrencies, but it’s not the only use of blockchains. Many people tend to confuse blockchains and digital currencies. That’s a mistake, as it’s a bit like confusing a cog with a watch: most watches contain cogs, but they are not the same thing.
With cryptocurrencies and other trust-based asset tracking systems based upon blockchain technology, I can see any industry requiring a foundational trust mechanism for digital transactions benefiting from the technology. Those introducing smart contracts, or transferred ownership of valuable assets – think legal contracts for property, or even jewel ownership – where trust in the authenticity of the transaction is critical – can use blockchain.
Blockchains provide a shared, immutable ledger that solves what we call the “double spending” problem. For example, with cryptocurrency without some protections there’s nothing to stop an attacker from copying a crypto-coin and spending it with you and also with someone else.
At the end of 2017 we made a prediction focused on cryptocurrencies; however, our concern centred around the systems which support cryptocurrencies or other trusted transactions and the ways those systems could be manipulated for criminal gain.
As the aforementioned data stream continues to grow, applications for this technology could exist that have not yet been explored. Any field of technology where the final product grows through organic accretion could leverage blockchain for its security interests. Despite the unquestionable promise of blockchaining as a basis for multiparty trust, the overall value in any particular application is limited by the systemic risk. Even when the blockchain itself works perfectly, the underlying value is – or should be – capped by the end-to-end strength.
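The two properties the answer above leans on, an append-only ledger whose history cannot be quietly rewritten and a rule that stops one coin being spent twice, can be shown in a few dozen lines. The following is an added example written for this page, not code from the interviewee, Forcepoint or any cryptocurrency project. The block layout, the coin ids and the sample transactions are assumptions for illustration; the mechanism is a SHA-256 hash chain (hashing, not encryption: every block is readable, the digests only make edits detectable) plus an ownership table that refuses a transfer from anyone who does not currently hold the coin.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed example: a toy hash-chained ledger of uniquely numbered "coins".
# Field names and sample transactions are assumptions for illustration and do
# not follow any real cryptocurrency's wire or block format.


def block_hash(index: int, prev_hash: str, txs: List[dict]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content always
    # yields the same digest, and any edited byte yields a different one.
    payload = json.dumps({"index": index, "prev": prev_hash, "txs": txs},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    GENESIS_PREV = "0" * 64

    def __init__(self) -> None:
        self.blocks: List[dict] = []
        self.owner: Dict[str, str] = {}   # coin id -> current holder

    def _apply(self, txs: List[dict], owner: Dict[str, str]) -> Optional[str]:
        """Apply txs to `owner` in order; return a reason on the first invalid tx."""
        for tx in txs:
            coin, src, dst = tx["coin"], tx["from"], tx["to"]
            if src is None:                      # mint: the coin must be new
                if coin in owner:
                    return f"coin {coin} already exists"
            elif owner.get(coin) != src:         # transfer: sender must hold it
                return f"{src} does not hold {coin} (held by {owner.get(coin)})"
            owner[coin] = dst
        return None

    def append(self, txs: List[dict]) -> bool:
        """Validate against current ownership, then chain a new block.
        A second spend of an already-transferred coin fails here, because the
        first spend moved ownership away from the original holder."""
        trial = dict(self.owner)
        if self._apply(txs, trial) is not None:
            return False
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS_PREV
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "txs": txs,
                            "hash": block_hash(index, prev, txs)})
        self.owner = trial
        return True

    def verify(self) -> bool:
        """Recompute every hash and replay every transaction from genesis.
        Editing any past block breaks its hash and the link from its successor."""
        prev, owner = self.GENESIS_PREV, {}
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev:
                return False
            if block_hash(i, prev, b["txs"]) != b["hash"]:
                return False
            if self._apply(b["txs"], owner) is not None:
                return False
            prev = b["hash"]
        return True


def demo() -> dict:
    """Mint a coin, spend it, try to spend it again, then tamper with history."""
    led = Ledger()
    led.append([{"coin": "c1", "from": None, "to": "alice"}])           # mint
    first = led.append([{"coin": "c1", "from": "alice", "to": "bob"}])  # spend
    # The "copied coin" attack: alice presents the same coin to carol.
    double = led.append([{"coin": "c1", "from": "alice", "to": "carol"}])
    intact = led.verify()
    # Rewrite history in place without re-hashing: redirect the spend in block 1.
    led.blocks[1]["txs"][0]["to"] = "mallory"
    tampered_detected = not led.verify()
    return {"first_spend": first, "double_spend": double, "intact": intact,
            "tampered_detected": tampered_detected, "holder": led.owner["c1"]}


if __name__ == "__main__":
    print(demo())
```

The caveat the answer's last sentence points at applies directly here: a single party holding this chain could edit block 1 and simply recompute every later hash, and `verify()` would pass. What makes a real blockchain hard to rewrite is not the hash chain alone but the fact that many independent parties hold copies and agree on which chain is valid; the ledger's guarantee is only as strong as that surrounding system, the keys that authorise transfers, and the software that enforces the rules.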
At RSA 2018, Facebook, Microsoft and 32 other technology and cybersecurity organisations formed a cyber consortium with the objective to work together and increase cybersecurity awareness. How beneficial do you see this move and should it be open for others to join?
I would welcome any initiative which increases cybersecurity awareness. Despite growing investments in defensive technologies, cyber breaches continue to proliferate. The threat landscape becomes even more complex as perimeters effectively evaporate thanks to ever-increasing systems (e.g., cloud, mobile) over which an enterprise has limited, if any, control.
The one thing I think enterprises must do in order to improve their cybersecurity posture is become increasingly aware of who is accessing their data, and invest in systems such as risk-adaptive protection that spot unusual activities on the network. This way you can prevent the wrong people from accessing and exploiting your personal information.
Looking at today’s security landscape, it’s clear: The time has come for vendors and security professionals to shift paradigms – from an “outside-in,” technology-led approach to an “inside-out,” people focused approach, which is better suited to the new era of mobility and cloud. It really comes down to businesses understanding the rhythm of the people as they interact with the associated flow of their data.
Security should be a top priority for any business. How true is this statement and do you believe organisations treat it as such?
Cybersecurity is a global, high profile challenge and I do believe that it is a top priority, and being treated as such. The perception of security has changed: it’s no longer a box-ticking compliance exercise, but is now fundamental to the successful running of a business. The risks are so high. This has changed both the landscape and the perception of the security industry, for example opening up the career ladder for security professionals in a range of roles.
To give people insight, what are the most rewarding and challenging aspects of the CISO position and how do you think it has evolved over the past couple of years?
I think ‘bring your own device’ (BYOD) and SaaS have combined to really destroy any notions we’ve had about the boundaries of our data jurisdiction. Facing that reality was not easy at first. Tackling that problem head-on has been an adventure. Traditional network tools aren’t enough, and even solutions such as DLP and CASB don’t work well unless they can talk to each other. I’m currently overseeing a revolution of sorts in my shop where we are tying UEBA analytics to DLP (and later CASB) that will transform how we address this dissolution of jurisdiction.
If you have one gripe about the cybersecurity industry what is it and how would you address it?
We have been threat-centric and network-centric, and in fact we believe we need to be human-centric. Our Chief Scientist offers an interesting analogy: it’s as if the industry has built security systems like a six-fingered glove, and then required that the user grow another finger to fit. Rather, we should be designing security systems that work around the person.
We can become responsible custodians and stewards of our data: both as individuals and as cybersecurity professionals. The last two years have seen the steady erosion of the clean line between the personal and public sphere – even ISPs have the legal right to sell customer data. Furthermore, continued geopolitical uncertainty, and threats both foreign and domestic, have continued to highlight the perceived tension between individual rights and security for all.
Back in November we made a prediction based upon what we saw as the perfect storm between the following four drivers: legal, technological, societal and political. We said the confluence of these factors would cause a tectonic shift in the privacy landscape: and it has.
Finally, GDPR came into force on Friday 25th May. While some companies will see the new regulation as something of a headache as they work to get their data management procedures in order, the threat of serious sanctions for those failing to comply gives a new perspective on the importance of data security. Those who want to see the bright side of this situation will view the upcoming regulation as a chance to get their data in order.
If you don’t have a gripe, what positive things in the cybersecurity industry have you seen over the past 12 months that has given you optimism for the future?
The recent privacy debate has sharpened everyone’s focus. We are going to see a closer focus on how much data is gathered and where and how long it is stored for. Data breaches or loss of intellectual property cause financial and reputational impact (damaging trust still further) and can result in litigation or even product withdrawal. This is a topic businesses are now taking much more seriously.
The good news is that security and privacy don’t have to be at odds with each other. Protection of companies, as well as their employees, vendors and partners, can be performed without violation of privacy if a risk-adaptive view of security is kept in mind. Protecting data means protecting ALL data – both personal and corporate. Risk-adaptive means the rapid ability to uncover when a user’s credentials have been compromised, a situation that has negative impact for both the employer and the employee.
In your opinion, how should the effectiveness of a cybersecurity program be measured?
Any measurement that does not speak in terms of the enterprise’s outcomes lacks value. I say ‘enterprise’ instead of ‘business’ because a government agency, for example, should also measure the efficacy of its cyber program in terms of how cyber positively impacts the agency’s core mission, without hampering its ability to fulfil that mission. Did you protect the critical data of the enterprise? Did you stop the bad thing from happening while freeing the good things to happen? Did you minimise both the count and duration of breaches and incidents? Did you do all this without saying “No!” to your stakeholders? These should be the goals of a good program.
Allan Alford, CISO at Forcepoint
Allan Alford is Chief Information Security Officer (CISO) at Forcepoint. In this role he leads Forcepoint’s corporate security and governance program, including the implementation of the company’s internal user and data protection program for 2,700 employees worldwide. As Forcepoint’s CISO, Allan plays a key role in leading the compliance and certification efforts for Forcepoint’s security offerings and partners with engineering teams to drive best practices and real-world learnings into security product development.
With more than 25 years of IT and security experience, Alford joined Forcepoint from Pearson, where he was product and business information security officer. Prior to that, Alford held various IT and security positions at Polycom, where he built and managed the product security program and served most recently as CISO. He is currently pursuing a master’s degree in information systems and security from Our Lady of the Lake University and received a bachelor’s degree with a focus on leadership from DePaul University.