Governance, Risk & Compliance: GRC
CISO in the Hot Seat
We talk with our very own cyber guardian about the world of the modern CISO.
Being on the front line of organizational cybersecurity may seem like a constant game of whack-a-mole, with security teams trying to keep pace and defend against increasingly sophisticated hackers and other nefarious threats. And as today's climate of high-profile data breaches continues, the pressure is mounting for the teams to fend off these faceless antagonists. Leading the charge from the front is the Chief Information Security Officer (CISO).
With the spotlight shining on CISOs, we invited a group of leading information security professionals to take part in The Most Non-Annoying Survey for Chief Information Security Officers Survey. We also had a chat with our very own CISO, Peter Macarthur-King, a veteran IT security professional with over three decades of experience, on a number of cyber-related issues.
Q. The news has recently featured many data breaches related to third-party vendors. At what point does an organization need to step up their game and help protect a brand's reputation?
Peter: There isn't a point where you should think, “When do I start?” It's something you need to do from the get-go. If you wait, it could be too late when you find out, as we've already seen in 2018. It has its own tipping point as such, and for many, it's already tipped. Do not waste time. If you're not checking your vendors now, start now. And if you have new vendors? Start when you get them. From day one. Current events need not be a reminder to suggest what to do or not to do. The threats and attacks are growing in size and frequency. The direction is clear: instill a culture of safety and protection as soon as you can.
Q. Do you agree with the way some large enterprises like Apple, Facebook and Google are strengthening their defenses by hiring 'white hat' hackers to find system vulnerabilities and fix them?
Peter: It's a hotly debated topic whether an organization should hire a hacker and however bizarre and potentially unethical it may seem, 'white hat' hackers have become more well-known because of security-savvy organizations like Apple and Google.
The thing to remember is, technology is moving faster than our ability to secure it. In a world that is built on mobility and openness, tapping the collective wisdom of the hacker community can be an important tool in the security arsenal. So using white hat hackers may just work for your business, but you should seriously consider the pros and cons of hiring former hackers before making the leap of faith because it could literally be 'a leap of faith'.
That said, by embracing the diverse community of hackers and tapping into their passion, you can significantly reduce your risk profile, just as savvy Google, Apple and Facebook have.
Ultimately though, what I learned from companies hiring hackers is to embrace the hacker mindset. Hackers probe and test things to the point of breaking and question how operations work. By doing so, your security team can develop a stronger defense strategy that combines culture, process, and technology.
Q. What experiences in your professional life have changed the way you handle your own business as an individual?
Peter: As a security person, it's common to get paranoid as you progress through your career. What I see today is less trust in cold calls. Now, when someone rings me up and says, "Hi, this is so-and-so," I simply don't believe them. I don't speak to anybody. I would never give any information to somebody who's cold-called.
And anecdotally, my bank is doing it. They say, “Hi, this is your bank. Could you please identify yourself?” And I used to do that. And then one day, I started saying, “No, you identify yourself. Why should I tell you who I am? You tell me who you are.” I was belligerent for some time. Then one day, my bank rang me, and said, “Hi, this is the month you were born. This is where you live. Tell me the date of the month and the year, and we've identified each other.”
And I thought, bingo, you've changed the behavior of the vendor – in my case, my bank – to react to my fears. Behavior needs to change all around. We can't simply rely on the ways we used to do things.
Q. Who are your friends in the operation? Who is your ally to get things done to maintain protection over the organization?
Peter: The guy who gets my coffee! Seriously though, it's management who is invested in what you're doing and is supportive in what you're attempting to achieve that makes a huge difference. A CISO can walk around and start poking at people, saying “Do this, do that, here's the policy …” And people will go, “yeah, yeah, yeah.” But if you've got management to whom you can escalate issues, who actually act, who respond to the requirement – one reminder is often enough.
So, constructive and active support from management is very important, and that will be the number one path. Moreover, it's not a specific title. In ISO 27001 and in the SOC world, executive management plays a key role. These standards bodies have realized that one person running around the organization at mid-management level doesn't really have the [full] authority to run the business. That's why top management needs to have some accountability.
“There isn't a point where you should think, 'When do I start?' It's something you need to do from the get-go.” – Peter Macarthur-King, SAI Global's Chief Information Security Officer