"Incident response plans are ‘war gamed’, and are done so on a regular basis"

CISO Interview Series: Kevin Shaw, Head of Security, Foxtel

Could you describe your average day as Head of Security at Foxtel? Do you have a particular routine for the start and end of day??

I try not to settle into predictable routines, but there are a number of tactical priorities I like to address at the start of the day. Things like reviewing threat intelligence, checking over the managed security service dashboard, and checking in with the security team for status updates.

Generally my day is split between operational security matters, supported by our Operational Security Manager, responding to requests for advice from business units and project teams, and driving our strategic security agenda.

Something that is a continual focus and almost daily activity is finding ways of ensuring that security is front of mind with our executives so we can continue to maintain a good security culture throughout all levels of the organisation. A good chunk of time is spent looking at how to generate meaningful security metrics and communications for the executive from the ever growing pool of operational data.

Like most security professionals, there is no clearly defined ‘end of the day’, but I do tend to focus more on reading security news and trends and networking with others in the security community.

Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?

There is certainly a heightened awareness at the executive and board level, which has led to changes in security leadership and the size and mix of security teams. These organisations are realising that traditional security approaches and technologies are no longer adequate on their own and are looking to security leaders who can build capability in the areas of detection and response, rather than classic defend/deflect capabilities. They are looking for individuals who are well connected to the global security community, which keeps them informed of emerging threats, interesting new technologies and players, and who can leverage their professional networks to the advantage of the organisation.

Change such as this takes time to wash through the system, and while I am seeing early indicators of change such as fewer and fewer security leaders with IT or IS in their titles, the vast majority are still reporting into a CIO or similar function, which indicates that to some degree security continues to be perceived as an IT issue to be ‘fixed’ rather than a business issue to be continually “managed”.

On a scale 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that??

I won’t give a scale rating but I do see investment increasing over the next 3-5 years largely driven by changes in how we do business, such as cloud adoption, outsourcing business processes, and data management, impacting on traditional security models. These changes to security architectures and adoption of new technologies and services come on top of the existing security costs of maintaining ‘good hygiene’

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

It’s a juggling act but I am fortunate to be part of a team of good technical security professionals, ably supported by an operations security manager, that take the initial response to issues arising. Having an incident response plan and a third party cyber security incident response service certainly allows me to spend more time on our longer term security agenda.

My assumption is that for your line of business a “Man in the Middle” attack, with a 3rd party hacking onto your live broadcast is a serious threat. Is this the worse thing that could occur to Foxtel?

I take it you are referring to something like the TV5 Monde attack? While there is no arguing that that was a very serious incident, like most incidents lessons are learnt and shared, and procedures and measures are updated and we all benefit from this.

That incident was a great example of the need to change from a mainly defensive model into a more detect and response posture. These days it is becoming difficult to prevent or even predict all attacks so organisations are being judged by the public and the regulators on how well they identify attacks and how effective their response is. I am not advocating losing defensive capability, which is basic security hygiene, but being better equipped to discover and deal with the ‘worst thing that could happen’ when it happens.

I have to assume that the crown jewels within Foxtel is this the content such as prime time new series shows that have the highest level of security? Is that close to the truth?? How do you conduct ‘mock’ incidents so that the team is prepared for such potential data breaches?

Content security is important to Foxtel and we do have, and do execute, a duty of care to protect this on behalf of the content creators and owners. Our crown jewels are no different than that of other organisations, being customer data, financial information such as credit cards, intellectual property, and so on.

I certainly advocate that incident response plans are ‘war gamed’, and are done so on a regular basis. They tend to knock out the kinks in the plan and provide ‘muscle memory’ so when people are acting in a high pressure environment the right actions are taken, it’s something the military have recognised for a very long time that is taking root in the corporate world.

There are many new cyber security start-ups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?

Certainly are a few that I am keeping a watch on and ‘kicking the tires’, for example: Elastica in the CASB (Cloud Security Access Broker) sector, HIVINT in the security community portal space, Soltra in the threat intelligence arena.

Within the Foxtel environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?

It’s a very much contextual answer in that securely designed, configured, and patched technologies change over time, and circumstances can cause individuals to occasionally behave in less than acceptable ways. So I would say they are only two of the many risk indicators we look at on a continual basis, and manage through a continuous compliance monitoring regime underpinned by a focus on security culture.

What key attributes that you look for when selecting a new staff member?I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent??

Given there is a shortage of talent in the industry and we are competing with the financial services sector and consulting worlds for resources, I look for individuals who embrace and thrive on change, are willing to learn, able to accept accountability, are straight talkers, and are self-managing. Often to end up with good capable professionals it is a case of focusing their enthusiasm, giving clear expectations, providing the right training and career path, and recognising their contribution.

On the same note, given that it is hard to find talent. How successful have you been in training to other IT professionals into a Security career?

Over my time at Foxtel the majority of our security team have come from other areas of the business and IT department and most have stayed in the team. Not everyone enjoys the unpredictability and pressure that comes with a security career but when you come across those who do you need to hold onto them. It helps if you have a strong strategic plan that you can articulate well, where you can clearly lay out their role and development opportunities.

Finally what keeps you awake at night?

Many and varied things can keep me awake from time to time and sometimes do, but worry is a wasted and debilitating emotion. It’s better to be able to go to sleep knowing that you have the support of the executive, are further along your security journey each day, you have better detection and response capabilities than in the past, are supported by effective third party security services, and have a capable security team maintaining a good security hygiene level. Then if something happens you will at least be fresh when you come to invoke your incident response plan.

Tags CISOfoxtelKevin ShawDavid Geesolving customerCISO Leaderscyber activitiesstrategic discussions

Show Comments