This article marks the beginning of a new series entitled “The Voice of the CISO.” By conducting interviews with prominent individuals in the field, we hope to gain detailed insight into the mind of a CISO in an attempt to better understand their role within an organization.
For our first article, we interview Amar Singh, an information security expert who is currently acting as interim CISO at a number of enterprises, including SABMiller, News International and Gala Coral Group.
What are your business priorities, and how do you relate them to your efforts in cyber security?
We have to remember that for most organizations, businesses still define success as “we have not been attacked.” The fact is that this is not realistic when it comes to any business that operates in cyber security. CISOs and enterprises need to realize that at some point they will fall victim to a cyber attack, and they need to reframe their understanding of success as their ability to bounce back.
As to priorities, very few businesses demand cyber readiness as part of their business priorities.
I see. Now besides CISOs, I assume you interact with a variety of other business units, correct?
Indeed, I spend a lot of time working with IT, Legal, HR and in some instances Marketing. Each and every department plays a part in shaping a business’s success.
From your comments, it is clear that success is an important concept with respect to companies’ security policies. In your opinion, what is the single most important component in cyber security success?
It really depends on who our subject is. For the information security professional, success in cyber security means his or her ability to stand up in front of the business and say “I understand today’s cyber threats and am able to offer a layer of protection to our business processes on an ongoing basis.”
For the cyber executive, success takes on the meaning of cyber management knowledge and preparedness, that is, having management understand how cyberspace and the “real” world intersect so that they can make effective business decisions.
This includes a full understanding of the business processes and an awareness of the risks that, under those processes, affect the business (such as web-facing attacks). Finally, cyber management must have full visibility into the entire security ecosystem (policies, business processes, people, and technology) that underpins its operations. For the CISO to be successful in this context, access to all transactional data that supports the business, including networks, IDS, AV and others, must be made available.
Some of the mistakes that CISOs and security professionals make include chasing the technology rather than addressing those risks and threats that affect the business and its processes.
Your response is very instructive. It helps reveal the many vectors along which cybersecurity can align to a business. Let’s go a little deeper. How does one effectively go about aligning cybersecurity with the business?
Excuse me for saying so, but I don’t think you can ever align cybersecurity with a business. Enterprises need to acknowledge cyber security as another vital business function that supports an enterprise’s overall operations. The phrase ‘aligns with the business,’ to me, implies that cybersecurity is a tangential business interest—something dispensable or optional.
Interesting. Keeping this in mind, do you find that your executives are adequately literate about cyber security? How does it affect how you communicate and develop security strategies with them?
Well, it’s a two-way street. Today, cyber ignorance is not only prolific. It is acceptable insofar as most businesses can operate with their upper echelons not understanding the difference between an apple and an orange. Then again, a lot of what we are seeing today is also a generational thing.
Without a doubt, younger executives have a better overall, albeit minuscule, grasp of cyber security. I do not, however, see this current situation lasting indefinitely. In the near future, cyber executives are going to have to understand a basic level of technology, coding and cyber security.
We certainly do. Now, both from your executives and professionals in the field, are there any questions that you seem to get asked on a continuous basis? And how confident do you feel in responding to them?
Oh, where do I start? There are loads. If I had to choose one, I’d say most questions always seem to ask, “Is nation state ‘X’ really after everybody? Why would someone want to target us?”
The first question is, of course, a classic example of FUD, which I try to dispel quickly. But no one can know the answer to the second question. Who dares speculate on the motivations behind hackers and cybercriminals? The question is actually a very good one because knowing who your adversaries are helps form protection and response strategies. However, people need to stop focusing on nation states as the only actor. Seriously consider your internal privileged insider and/or the cyber hacktivists.
Your reference to nation-states brings up an interesting point. Before we end our discussion, do you think anyone in particular is doing cyber security right in today’s world, and why?
That is a very open-ended question! Many countries and organisations are doing a lot of things right. In particular, the UK and other governments are definitely making the right noises in encouraging small businesses to take cyber security seriously.
About the Author: Amar is an industry influencer and leader, Chair of the ISACA UK Security Advisory Group, a judge for the SC Magazine Awards for the third year, a guest lecturer, analyst, critic and reviewer for publishing houses, a mentor to CISOs in the FTSE 100, and the founder of a not-for-profit organisation, Give01Day.com, and the Cyber Management Alliance.
Amar is engaged as a trusted business and cyber security advisor and interim C-level executive by organisations that need to reduce their risk exposure, deploy post-incident remediation, build security teams, increase cyber resiliency and mature their information security and data privacy posture. Amar’s client profile includes News International (now News UK), Siemens, the BBC, Reuters, BP, ATOS, Gala Coral, Cable & Wireless, SABMiller and many more.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.