Amar, as chair of ISACA Security, and that broader perspective what would you like to see changed about the degree of cyber security international cooperation between countries and companies?
We are nowhere close to the ideal intelligence sharing and international cooperation. That does not mean that nothing is being shared. To the contrary, Interpol and other agencies are taking the threat of cyber very seriously and are constantly working on improving collaboration and intelligence sharing. This collaboration has resulted in the takedown of several cyber criminal outfits.
Some other initiatives in the UK and US include CISP from CERT UK, the CISA act in the US and several commercial threat exchange outfits. In addition, we have several industry specific ISACs or Information Sharing and Analysis Centres such as the FS-ISAC or financial industry ISAC.
However, overall, corporations, locally and globally, have a long way to go when it comes to international cyber corporation.
I am a strong advocate for simplicity and a step towards global cyber cooperation would be to:
- Increase the education around cyber and threat intelligence sharing, at the board level.
- Create an “idiot” proof sharing platform that would allow the timely sharing of threat intelligence.
- Make is accessible to as many as possible.
This may appear as an easy task but making an easy to use sharing platform is, on its own, a massive undertaking. Well, let’s assume you achieve that you then have to convince companies to actually start sharing. (That’s a topic for another day)
You are about to be granted an audience with the Prime Minister of Australia, Mr Malcolm Turnbull who is strongly driving this country into a digital future. What 5 items of advice around Cyber Security would you offer?
My advice to Mr Turnbull, in no particular order:
- Ridiculous laws will be circumvented – let’s make them practical.
- Increase the nation’s true cyber capability (in all areas of tech including programming, hacking, telecommunications, encryption etc)
- Recognise that cyber attacks may cripple the nation - and prepare for that eventuality with deep focus.
- Incentivise all companies to increase cyber awareness within all their own staff
- Encourage and create an intelligence sharing community with government commercial partnership - involve everyone company not just the big corporations.
- Stop trying to weaken encryption technologies like the rest of the countries. Criminals are smart enough to develop their own strong (or stronger) encryption. Instead, promote the use of strong encryption and set an example globally.
In your career you have held CISO roles at large multinationals. What was the hardest assignment that you have ever had and why?
Another good question but client confidentiality comes first. However, with my ISACA turban and my practitioner experience: Organisations face some big challenges in their cyber endeavours including:
Security is almost always a cost centre. Consequently the cyber budget is the first to be squeezed when times are tough.
Protection, Detection or Response: Companies continue to focus on protection in the false belief that the higher and stronger the “castle walls” the better their chance of never being hacked.
Considering the percentage of revenue that is spent on Cyber Security, what do you think is the appropriate range of investment?
The range depends on the organisation’s sector and the specific contextual threats facing its business. There isn’t much evidence available that correlates with increased budgetary spend to increased security. To the contrary, many large organisations (mainly banks) which spend a stupendous amount of money on cyber and have still been hacked.
Deciding on investment can be made simpler if organisations consider the following:
- Before allocating further budgets to Cyber, I ask my clients to carefully consider and answer the following “How would you destroy your business?” If the business owner or C-Level executive is unable to answer this question then we have a problem. Why? Because the cyber criminals know the answer.
- Adopt a practical, risk-based approach to cyber. (No, this does not equate to “start a spreadsheet and dump some half baked useless risk statements in there)
- Focus the spending on detection and response: companies need to stop focusing purely on protection and starting focusing on detection and more importantly their ability to respond. On balance, this often involves increasing the education and awareness on cyber incident planning and response within a company.
Once you consider the above you should be able to spend your dollars more effectively and efficiently.
When you are hiring new staff from straight from university levels, what are your thoughts around how long it takes you to get them to be fully trained? Are there any secrets to accelerating cyber security staff development?
I look for passion more than anything else. Why? Without passion we might as well be inanimate objects. With passion I have seen graduates become cyber ready within a year sometimes much less.
In addition, it is important to provide the new starters with industry specific hands on training as soon as possible to help in rapid learning. Finally, where possible, assign a mentor to the new starter. Good mentors can make a huge positive impact on learning and instilling a passion for the job.
As a person who is deeply involved in Cyber Security, how do you stay fresh and not get jaded?
Simple - I strongly believe in networking and constant learning. There is simply no way to know everything in today’s world. I use the following methods
- Twitter - follow the right people
- LinkedIn - for me almost all my relevant news is shared by network of friends and acquaintances and saves me from scouring the Internet.
- One to one and one to many face to face discussions.
I’m interested in what Cyber Security startups are you tracking?
I have been trying to track startups related to blockchain, true AI type security analytics, companies focusing on the perennial problem of detection and response.
When giving advice to companies on Cyber Security and you have more demand than supply of resources and funds. How do you decide and prioritise?
It's quite simple.
First stop wasting your efforts on “protection” in cyberspace. Protection is a dangerous concept as it simply is impossible to protect an asset from compromise. Instead, focus on detection and response.
Education and awareness for all: Information security (or the security of confidential information, personal information and other importantly data) is the responsibility of all and thus everybody in an organisation, including the senior executives and the board, must be educated in cyber security and privacy essentials.
I ask my clients to carefully consider and answer the following “How would you destroy your business?” If the business owner or C-Level executive is unable to answer this question then we have a problem. Why? As the cyber criminals already know the answer.
Another way to look at this is focus on the top 5/10 processes and technology systems that can make or break a business)
What’s your view on the gap that Boards have around Cyber Security. Are there specific areas that they need to focus on?
Again, Education and awareness are the biggest single gaps at the board level. Most boards are simply clueless about the intricacies around cyberspace and it’s positive and negative impacts on business bottom-line. Furthermore, boards are not grasping the importance of getting right the response element when it comes to building cyber capabilities. In summary:
Cyberspace, cyber security and data privacy cannot remain in the IT dungeons and must become a board issue. For that to happen, every single board member must, without excuse, get to grips with the essentials of cyber security and privacy.
Cyber Incident Planning & Response: Boards and executives need to acknowledge that their organisation will be attacked and compromised. Consequently, they need to focus their efforts on increasing their organisations detection and response capabilities.
More of a message for the CISO and his/her teams. The world does not revolve around cyber security. To that extent, the cyber security function should become a regular BAU and strategic partner rather than a “special requirements” team.
Cyber Security is hardly a fun and jovial place. How do you keep your sense of humour when there is always pressure on?
LOL :) I think the challenge is how do you decouple or disengage from a profession that is always predicting gloom. Couple of points to be honest:
I am a very positive person and I carry that positivity about cyberspace too.
Also I think cyberspace, the Internet, call it what you may, provides us humans with an unprecedented opportunity to improve communication, build relationships and share knowledge and ideas.
We all need to stop selling cyber security as “the end of the world” saviour and rather make it a, boring, business as usual activity (good luck with that)