On the back of what was a fantastic first round of questioning with insightful responses from leading figures in the IT security industry, the CISO Chat segment on the IT Security Guru has returned for the second round of questioning. We have caught up with a host of CISO’s and senior security experts to get their thoughts and ideas on the 2018 cyber landscape and will include advice, guidance & problems faced. We will leave the favourite food and hobby questions for another time.
Kicking off this next segment is Quentyn Taylor, Director Information Security for Canon EMEA, who offered some fantastic insight into the most rewarding aspects of his role as well as what he thought of blockchain technology.
With the development of blockchain technology, what industries do you think will benefit most from its introduction and why?
Unfortunately, I do think there’s an element of hype that surrounds blockchain, but if there was to be one industry that would benefit from its introduction, it would be marketing.
The ledger component of the technology would be the most beneficial element from a security perspective; however, I am yet to come across a security company that offers blockchain in its security services. What I see (specifically in the security industry ) it’s being used as a marketing spiel just like the term quantum. I think that blockchain technology doesn’t have a lot to offer at this moment in time in infosec. This could change rapidly but I haven’t seen anything at least that I’m interested in where I’d say that’s a product I want to watch.
At RSA 2018, Facebook, Microsoft and 32 other technology and cybersecurity organisations formed a cyber consortium with the objective to work together and increase cybersecurity awareness. How beneficial do you see this move and should it be open for others to join?
This is a move in right direction for the industry as there needs to be more focus on information security and information security risk. Thankfully, steps are being taken to raise awareness among organisations and we have seen examples firsthand in the UK. For instance, Barclays has a digital legal campaign about the risk of posting public information and highlighting cybersecurity in general.
Schemes like this should be applauded and anything that we can do to raise more awareness of the risks and the benefits is fantastic.
Security should be a top priority for any business. How true is this statement and do you believe organisations treat it as such?
There is a lot of truth in this statement; however, I do not believe many organisations treat it as such. The top priority for any organisation should be achieving its core mission goals, which involves making revenue for shareholders or generating money. However, doing this in a manner which is sustainable and secure is just as important.
Security should be understood by the key business stakeholders and it needs to be part of the core responsibilities that the organisation offers to its customers. We have seen in the past with certain breaches that businesses were happy to operate with a nonchalant attitude towards security and suffered as a result. With critical information being processed and stored, organisations need to be truthful to their customers regarding the management of risk and security.
To give people insight, what are the most rewarding and challenging aspects of the CISO position and how do you think it has evolved over the past couple of years?
Having the ability to influence change for the better is the most rewarding for me and this, I believe, is what keeps a lot of people involved with security. Even though there are problems and issues, I still look at how both the industry and the profession has evolved in recent years and we have reached a stage whereby the importance of security is now being appreciated, both in and out of the boardroom.
If you have one gripe about the cybersecurity industry what is it and how would you address it?
I have a gripe with the power marketing has, especially when it involves new technology. Instead of focusing their attention on the foundations of security, like patching known vulnerabilities, organisations are attracted to the brand-new solutions on the block that can supposedly detect and protect against every malware known to man. What they don’t realise is the best form of security is following the basics of security.
In your opinion, how should the effectiveness of a cybersecurity program be measured?
Security systems are built to detect security incidents, so it would be wrong to measure its effectiveness based solely on the number of events identified.
The best way to measure a security program would be to look at how quickly the organisation can detect and react when a security incident goes wrong. If the time taken to get the organisation back to normal operation is small, then you have an effective program.
Having the ability to detect, react and respond in a timely manner could make all the difference to your organisation suffering a breach or avoiding it.
