Credit: Richard Gerdis, Delphix
How did you end up in your current role, and what attracted you to the industry?
Earlier in my career, I was running a large DevOps practice across APAC, and this involved helping customers with continuous improvement and continuous delivery around their go to market strategies. For example, looking at core business applications, organisations wanted to know how they could speed up delivery times, but not sacrifice on the quality of those applications.
One focus area that continued to appear was data. At the time, there was a huge influx of very data centric thinking, and businesses started to appoint new roles like Chief Data Officers, Data Architects, Data Analysts – and the list goes on.
When talking to customers around DevOps, data was always an afterthought and yet, it is integral to the success of delivering business outcomes. When I heard about Delphix, I was immediately interested as the company seemed to fill this gap in market that I had witnessed first-hand so many times.
When seeking out new opportunities, I typically look for three things: People, Technology and the Market opportunity. Delphix has an amazing leadership team, incredible technology and fulfils a huge market opportunity. I’m now coming up to two years with Delphix, and the level of interest in what we do continues to grow.
What do you see as the biggest threat we currently face?
Data has grown exponentially, and as a result so has its power. The most significant threat we face is therefore around the accessibility of that data – and it being used for destructive and malicious purposes. The protection of data is an issue that penetrates all elements of our lives – whether we are a business owner that is liable, a consumer that is concerned about our privacy being invaded or a Government that is concerned with intellectual property.
Data is concurrently our biggest opportunity, and our biggest threat, and therefore should remain our greatest priority.
What are we doing wrong that means we’re unable to stop it?
It’s a real Catch-22. In order for data to be used for good, or for the betterment of business operations and enablement of innovation and digital transformation, it needs to be free flowing. And yet, there is a perception that when data is free flowing, it poses a greater risk to security, and greater opportunity to be used for malicious reasons.
Businesses are at a standstill. They want to protect themselves without stifling innovation but are not sure how. They want to drive competitive advantage and improve revenue streams; they need to innovate at the rate that consumers are now demanding. So, while security is of the utmost importance, it cannot come at the cost of innovation as organisations cannot afford to lie still in wait.
There is a real education gap here. Businesses are not aware that there are solutions – like data masking – that can easily solve this conundrum. Data masking is a method of creating inauthentic data that looks and behaves like the real thing but doesn’t have any real bearing on the actual data it is meant to represent. This means that any data that is accessed for ‘evil’, cannot be used in any meaningful way - it becomes powerless. However, when the data is used for good, it retains all of its power. We need to address this gap in knowledge if organisations are to harness innovation without pause.
What security-related behaviour or policy have you changed the most in the past year?
Over the last year, the number of data breaches has increased significantly, in fact there was a 712% increase in notifications since the introduction of the Notifiable Data Breaches scheme in Australia 12 months ago. Recent breaches including that of airlines, hotels, and government agencies serve as a timely reminder to reflect on my own behavior when it comes to protecting my digital self.
When handing over my data to any organisation – I now look closely at that company’s history and credentials, as well as data and security policies. And this is something that applies broadly to consumers and industry as well – there is a demand for greater transparency not just around data leaks but data usage.
Looking at the behavior of businesses – thankfully, this is driving a shift away from ‘secretive’ security practices and removing some of the stigma previously associated with cyber security. Organisations are now being more open about their security practices in order to attract new customers and retain customer loyalty and is even becoming a point of differentiation.
What makes a CISO most effective, and what typically prevents them from achieving that?
Put simply, a successful CISO is aligned to the needs of the broader business. They understand the business imperative for innovation, but at the same time they know how to meet growing security requirements and counteract threats.
Often CISOs feel they must choose between effective security and digital transformation. If they’re to overcome this and be truly successful, they need to kill this mindset that security will inhibit innovation – it should not and does not need to.
How has the increasing climate of governance and compliance changed your approach to security, and changed your engagement with board members and executives?
When I first joined Delphix several years ago, the focus was on freeing up access to data for those who needed it. The aim for organisations at this point was to empower consumers by enabling greater self-service, while at the same time still providing a management capability to data operators. This was front and centre in the minds of senior executives - to move quickly and lower costs to drive greater outcomes for the business.
Today, when driving C-level conversations, the focus has shifted to data security. Due to its prevalence, data security is no longer a technical discussion – we’ve seen a shift away from this being confined to administrators and data operators. This level of board involvement is also being driven by the increasing government of governance and compliance we’re seeing around the world.
C-Suite executives now want to know - how can we continue to work in increasingly complex ecosystems, with third party vendors and partners, and deliver them the data they need to develop the applications we need, while still ensuring our customers are secure? They are now seeing that accelerating data applications, enabling fast cloud migration and ensuring the security of data are all intertwined and must be addressed in unison.
What is the best way to win over users so they help cybersecurity efforts rather than hinder them?
Again, here I’ll go back to the need for free-flowing data. If data users, including third party partners, are to use an organisation’s data to best effect – they need real-time access to that data, at all times. With data masking, we can allow this, but do so securely. We take the risk out of data sharing, meaning that users can be enabled to execute on digital innovation imperatives.
Is the security industry getting better at using tools like threat intelligence and collaboration policies to work together against a common threat?
Yes, absolutely. Threat intelligence is being shared more widely now than ever before – and this is largely being driven by increased regulation and compliance. Comprehensive global regulations like the GDPR are allowing access to industry leading security standards, which is driving greater transparency of and involvement in cyber security discussions.
Interestingly, we’ve also seen governing bodies shift away from a policing role, and more toward one of an educator. They want to work with organisations and understand how they can best mitigate risks, collaboratively, and ultimately deliver the security and protection of consumers. Reports such as that from the European Data Protection Supervisor (EDPS) and OAIC are great examples of how governing organisations are sharing knowledge and insights. We are also seeing more analyst and private sector organisations commissioning their own research around threat trends.
What do you see as the biggest gaps in the functionality of current cybersecurity technologies?
For me, this biggest gap is in the protection of an organisation’s entire estate, and the ability to provide relevant data to where it is needed, securely. It’s no longer ok to just protect the perimeter. While perimeter security technology itself may be sound, it will never be able to effectively protect against all threats.
There are several reasons for this. Firstly, threats no longer just come from outside the organisation – with 35 percent of reported data breaches over the last 12 months resulting from human error. Secondly, the concept of ‘internal’ and ‘external’ data has become increasingly blurred. Developers, testers, analysts, third party systems integrators and more often have access to an organisation’s production data for example, but they don’t necessarily follow the same security protocols as said organisation.
Another issue is with the public cloud. While the public cloud presents a greater attack surface and therefore a greater risk, organisations have needed to move more workloads to the cloud for innovation and efficiency reasons. Because of the mentality that we need to segregate our data internally in order to protect it from outside threats, has meant that many organisations have been slow to move to the public cloud and have suffered losses, whether to income or innovation, as a result.
If you could change one thing about your organisation’s cybersecurity defence, what would it be and what would you do?
In conversations with organisations of all sizes, the common thread is a fear of the unknown – where will the next threat come from, and given I cannot possibly know, how can I effectively defend against it? Senior executives are not confident that they can.
Malicious intent can happen anywhere, but so can mistakes. Only 60% of reported data breaches in Australia over the last 12 months were from malicious or criminal attacks. While many security breaches aren’t due to the world’s most advanced hackers penetrating your security system – many happen simply due to human error. A staff member may leave a hard drive somewhere or leave a laptop open too long at the airport – these things happen, and unfortunately there is no real way of preventing this.
For me this issue goes back to a need to defend the entire landscape, not just the perimeter.