On the back of what was a fantastic first round of questioning with insightful responses from leading figures in the IT security industry, the CISO Chat segment on the IT Security Guru has returned for the second round of questioning. We have caught up with a host of CISOs and senior security experts to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and problems faced. We will leave the favourite food and hobby questions for another time.
Our next guest is Jason Hart, CTO, Data Protection at Gemalto, who believes the focus for the industry needs to be on encouraging businesses to do the basics right.
With the development of Blockchain technology, what industries do you think will benefit most from its introduction and why?
Blockchain is not a one-trick pony. It’s a multi-headed beast that takes many forms. If you see it as a technology then you will implement it as a technology. If it’s looked upon as a business change enabler then you will think about the business process. View it as a blank piece of paper for designing new possibilities, then the opportunity to be creative is endless. There’s no doubt Blockchain will start to impact all industries in the coming years and we have yet to see the real impact that it is going to have.
As an example, modern agriculture is increasingly dependent on connected devices to measure everything from crop yield to soil pH, and this information determines which seeds are planted, when, and at what time of year the crops should be harvested. If the data in these IoT devices was tampered with, however, there would be hugely damaging implications for farming. With Blockchain enablement, farmers will be able to trust this data, as there will be an auditable log which can show if data has been tampered with or changed, and by whom.
Security should be a top priority for any business. How true is this statement and do you believe organisations treat it as such?
It’s fundamental that security is a top priority for businesses. However, this is still not the case for many, as evidenced by the rise in data breaches globally. Businesses need to realise that focusing on perimeter security – instead of the thing hackers are after – data – is simply not effective. With the threat of fines (from GDPR) and reputational damage in the event of a breach, businesses must implement a security by design approach. This involves protecting data the moment it enters or is created on the system. Encryption, two-factor authentication and key management will help protect the data at its core – and ultimately render it useless should it be stolen. Security has been low on business agendas for too long, and that must change now.
To give people insight, what are the most rewarding and challenging aspects of the CISO position and how do you think it has evolved over the past couple of years?
No two days are ever the same when it comes to cybersecurity – the rate at which technology and the industry changes is phenomenal. The challenge is to stay one step ahead of hackers, who are always trying to think of creative ways to attack businesses. They only need to be successful once, whereas we must create protections that work every time. The most rewarding aspect of the job is creating the solutions that help businesses protect their valuable data.
As the issue of security has gained more prominence, the role of the CISO has become important for raising awareness of these threats to a business’ board. In addition to understanding threats, they must be able to recognise the business challenges the board is facing, and balance that with the need to protect. While more businesses have hired a CISO recently, they will not truly be able to make an impact unless they are on the board. Today, a CISO needs to be situationally aware and look at the risks across technology, people and process.
If you have one gripe about the cybersecurity industry what is it and how would you address it?
The focus for the industry needs to be on encouraging businesses to do the basics right. There’s a lot of talk about the impact that things like AI are going to have in the future, but if businesses are still focused on protecting their perimeters and not their data, then it won’t matter. Businesses need to be taught about the value their data has and why that’s the real target for hackers. Once that mindset changes, we should start to see businesses fight back against the hackers.
In your opinion, how should the effectiveness of a cybersecurity program be measured?
Effectiveness should be measured on whether the goals that were set out have been achieved. In the case of cybersecurity, the goal should be to protect the most sensitive information a business has. Make no mistake, businesses will be breached, but if the right protocols are in place, the data should be protected – it’s what’s known in the industry as a secure breach.
Jason Hart, CTO, Data Protection at Gemalto
Jason is a global award-winning cyber security expert and chief technology officer for Gemalto’s data protection solutions. He is a former ethical hacker with 20 years’ experience in the information security industry and has created technologies to keep organizations one step ahead of evolving cyber threats, including the world’s leading cloud-based authentication platform. He is also deeply interested in reducing and researching the risk of password theft, and is globally known for exposing a large number of major password vulnerabilities. You might even find him popping up on the BBC and CNBC, and reading his regular contributions to publications such as the Financial Times, The Guardian and Times.