At the end of February, our CTO, Shadi A. Razak, led a workshop at the Cyber FinTech Summit in The Hague, in collaboration with Marsh and Compumatica. The workshop, Proactively Manage Your Supply Chain Digital Risks, covered the various vulnerabilities associated with supply chains and encouraged participants to actively engage with new ideas surrounding risk management.
Afterwards, Shadi got the chance to catch up with several security professionals to get their take on the current cyber security landscape. Our first interviewee is a Senior Information Security Officer at a financial institution. He is an experienced information security professional with a background in project management and service management. In recent years, his focus has been on innovation, covering both security innovation and secure innovation. Nowadays, he coordinates a team of Information Security Officers with a focus on software development and operations.
SR: So, for someone with your experience in information security, working in a highly regulated industry, what are the most significant business concerns or risks that you focus on addressing while protecting the organisation? Is it business interruptions, information leaks, or the business not achieving its performance targets?
SISO: Well, from a security perspective, we are not really looking at targets. From a business perspective, it is the digitisation of our services. It’s the business strategy, which security should be aligned with. I mean, if the business wants to do business in a certain way, it’s our job to indicate what the risks are that are associated with those business strategies. And then having a discussion with the business about how to mitigate those to an acceptable level.
SR: From your experience in cybersecurity and the industry in The Netherlands and globally, do you see a wide gap between the information security department and senior management? We know the gap is closing, yet we still hear and read about the significant difference between the business management’s and security team’s perspectives of the risks. Is it improving at the right pace or are we still a little behind?
SISO: I think [it helps] being in a regulated environment. The regulator is asking basically the same questions to the business. So, I think we are in a fortunate position that we have a board that is really conscious and aware of the risks associated with the business strategies. On the other hand, business is there to do business and not so much looking forward to doing all kinds of security stuff, where instead they could do proper business innovation. So, it’s our job to see how we can help them in addressing the associated risks. And maybe if we are implementing the proper measures, we are actually helping them to do business in a safer way. People tend to say that security is the ‘no’ department, but I think we are really supporting the business and helping them in this digital transformation.
SR: Smaller organisations operating in less regulated industries and markets lose the compliance and regulation incentives to improve their business security posture. From your experience, what do you recommend new CISOs or information security professionals who are working in such organisations do to gain the right support from senior management and the business?
SISO: The key point will always be to align your security strategy and efforts with the business strategy. If you are looking for that alignment, you will more or less naturally have a discussion with the business to say, “Okay, but if you want to do this, these are the risks associated with it and how to mitigate those risks – or are they at an acceptable level for you?” If you come with a security solution just for the security solution, that doesn’t make sense. If you say, “Okay, but I’m helping you to do business and lowering the risks associated with it,” then I think you will have a good and better conversation.
SR: We discussed earlier the importance of digitalising business processes and making them safe and secure. Part of the business incentive for digital transformation is to reduce cost and increase process efficiency by outsourcing, near-shoring and off-shoring a number of business processes to third parties that offer such business functions and operations as a service. As a result, we end up losing visibility and control over that business process, which is a risk in and of itself! Do you see third-party risk becoming more of a core risk for the future of digital businesses?
SISO: Of course, there are different sides to that story. I think, in general, we’ll need to understand that you cannot outsource your accountability and responsibility. Whatever contract you have with an outsourced party, in the end, [your] organisation is accountable for whatever data breach or whatever, regardless of whether you have outsourced it or not. Because you didn’t do your homework [well enough] or just plain stupid stuff. On the other hand, I do think there is a gap that needs to be filled [by] the outsourcing partner – they need to step up. If you have a hosting provider, you would expect that [their] security is in order. And I think that’s not yet the case in general, so as a business you should be aware – if I’m outsourcing, really take good care in ensuring that the outsourcing party has the right security measures in place, that they are open about it and assuring you of that.
SR: What are the key risks businesses should monitor over the next couple of years?
SISO: I think, in essence, we are still too surprised by relatively easy security stuff not being done, or the basics. Security is fairly simple, but doing good security is very hard. So, people need to ensure that the basics are in order: vulnerability management, hardening systems, etcetera. And there you will see the challenge is that as we are becoming more connected, businesses want to outsource more, using various parties, different hardware, IoT, etcetera. The whole complexity increases, and I think that’s one of the biggest challenges. And from a security [perspective], how do you keep an overview and control of the applications connected, the businesses connected to your organisation, and other organisations, all that kind of stuff. That will be the main challenge. Taking into account the scarcity of resources, that means we need to step up on the automation side.
SR: An interesting point, which leads to my next question – how do you see technology like robotic process automation, AI, and machine learning helping us mitigate risks? We know the [bad guys] are already using such technology advancements to create new ransomware and malware. Can we trust these new technologies as security professionals, even though we might lose visibility of the specific actions they will take?
SISO: I’m a bit conscious of all the buzzwords, but on the other hand, with the scarcity of resources, we need to automate our work as much as possible. You might use machine learning and you might call it AI, or whatever, but we need to make sure the resources that we [do] have are [working on] the important stuff that cannot be automated. And knowing that adversaries are using the same technologies to produce malware, we should definitely be able to use the same technologies to protect us against them. It’s the same with quantum computing – yes, it will break our current cryptographic algorithms, in the future. However, you can still use the same technology to protect yourself better. We need to be aware that, from a security perspective, we are very good at providing point solutions – we have a particular risk or weakness and this is the fix – but in the end, it grows the complexity, which in essence then becomes a weakness.
SR: My last question – what are the three things that you would advise security professionals to adopt or implement in their business, from a security perspective?
SISO: First of all, align with your business – this is the most important. As soon as you lose alignment with your business, you’re basically out of business. Second, try to use – as much as possible – technologies that are out there to help you do your job. Avoid manual work or repetitive tasks that you can automate. And third, try to focus on a few areas at once – you cannot do it all, but on the other hand, you need to be in control. So, based on the business risks, decide what your top priorities are and fix those first.
As our interviewee noted, working within regulations can help to align business and security priorities, though there is still a gap between the two. He also notes that new tools, like CyDesk, can be helpful in managing these priorities, especially those that automate repetitive tasks.
This interview has been edited and condensed for clarity. For more information about tools that can help you manage your digital risk, check out CyDesk. This is the first in a series of industry interviews. For more updates on cyber security trends, follow us on Twitter!