What are the most important areas for a CISO to focus on? Speaking to Aman Sood, it is clear that the job of a CISO touches every aspect of the business. Aman is the head of cyber security at Jimdo, a website-building platform that helps small businesses start, grow and ultimately thrive online. He is also the chairman of the cyber security group at ISITC Europe CIC, a non-profit industry organisation and catalyst for co-innovation in the capital markets. If ever there was anyone at the forefront of the cyber threat, it’s Aman.
Philip Ingram: The role of the modern CISO is changing. Based on your experience, what are the necessary skills a CISO should possess now?
Aman Sood: The role has grown into both an art and a science. Long gone are the days of citing security “textbooks” to justify decisions. Breadth and depth of domain expertise remain a given, but communication skills such as influence, proactive communication and persuasive storytelling are essential to advance the security agenda. To become a truly recognised business enabler, today’s CISOs must be able to build effective partnerships across the business, balancing the needs of the organisation with security goals.
PI: When looking to rejuvenate or create a new security program, what three or four areas would you tell organizations to focus on?
AS: If I had to give a one-size-fits-all answer, I would suggest that one of the key areas of an enhanced security program is the accurate identification and management of corporate assets. Although this may sound simplistic, it is often a very complex responsibility.
In general terms, and this obviously varies a lot from organisation to organisation, I would suggest focusing most on the areas where you are weakest. Several factors may influence those decisions; the nature of the business, the size of the team, experience, budget and compliance requirements all play a role. Ultimately, it comes down to risk appetite.
PI: What tips and tricks would you share with other CISOs when it comes to communicating security ROI to other stakeholders? How do they get buy-in?
AS: Information security is only relevant if it affects the business, so CISOs should demonstrate the value on offer in a business context. Different stakeholders have different needs, and not all executives will necessarily understand the various security tools and techniques, but they will almost certainly understand business impact, ROI and cost-benefit analysis. Quantifying the potential risk in business language, coupled with any relevant metrics, will go a long way towards getting executive buy-in. Finally, try to avoid the classic fear, uncertainty and doubt (FUD) tactics. Saying “the sky is falling” every time you ask for an investment can quickly cost you your credibility.
PI: How are cyber attacks changing at the moment? What are the biggest threats companies should focus on?
AS: Cybercriminals have become very creative, inventive and opportunistic in weaponising their tools. Business Email Compromise (BEC), phishing and, of course, ransomware continue to dominate the headlines. What we are seeing today is a significant increase in attacks that exploit topical events.
At the start of the pandemic, several firms had to undergo major operational transformations. Virtually overnight, the world’s workforce was no longer “working from home” but “working at home”. This led to a significant increase in social engineering attacks and Covid-19-themed emails, as cybercriminals saw their opportunity: people became more inclined to click on links or follow bad instructions.
Cybercriminals are now well funded, extremely organised and have very sophisticated tools at their disposal. It is prudent for us to continue to educate employees about such threats, update the relevant policies and update processes to mitigate the risks. Companies should also proactively test their incident response and business continuity plans; if you don’t test them, someone else will!
PI: What do you think of when you hear the word “integrity”, in particular the integrity of a system? How important is it to security, compliance and operations?
AS: Integrity is key! It is literally one of the core principles of information security, alongside confidentiality and availability. Company systems and the data they access must be free from accidental or intentional interference to remain secure. The accuracy, completeness and validity of both systems and data are integral to successful business operations. Without them, you have very little.
PI: Security frameworks are a vital part of any security program. Where would you advise organisations to invest most of their time?
AS: Frameworks are very similar to a row of houses. From the outside, one house may look the same as the next, but inside, each is decorated and laid out differently. The framework just provides the structure; without it you wouldn’t have a home. The methodologies you apply within it are what make the home your own.
This is how I think about security frameworks. They are extremely useful, but they exist to help businesses implement the necessary controls in their own context, without binding themselves to a rigid axiom. For those starting out, I would advise the CIS 18 and the NIST CSF to help evaluate and build your information management system. In my experience, both provide the behaviours, procedures and standards of uniformity that almost any business would want to promote.
PI: We know supply chain risk management is a huge problem right now. How do companies usually manage this process, and what best practices can you share?
AS: There’s no party like the third party! Supply chain security is very important right now. So much of our data passes through countless vendors that it is very difficult to track its full lifecycle. In this case, the task is not to eliminate the risk but to minimise it. A long list of controls, such as data inventory, classification, enhanced visibility, encryption and reporting, are just a few of the practices companies need to consider to gain ongoing control.
In addition to the data aspect, suppliers in the supply chain must also be classified for operational resilience. Keeping an accurate inventory and carefully analysing the business impact is essential. A true risk assessment should be carried out frequently and, where necessary, security controls implemented and revised. This is especially important for any Tier 1 / critical suppliers. Finally, engage with the Legal, Compliance and Procurement teams to help identify suppliers and perform due diligence.
PI: What are the key threats in your sector right now? What are the main challenges facing CISOs?
AS: The basics are still complicated. Gaining complete visibility into company assets, locking down administrative privileges, monitoring and responding to rich log data in a timely manner, even reviewing policy exceptions are still daily struggles for most CISO functions.
Outside of the digital hurricane, finding AND retaining talented people remains a challenge. There is a noticeable shortage of really high performers. Individuals with a strong background combined with a true passion and drive for the profession continue to be in high demand. This could quickly turn into a corporate arms race.
Finally, Peter Drucker’s line that “culture eats strategy for breakfast” remains true.
If the current culture is an obstacle to good security and is unwilling to change, then no matter how effective your strategy is, it will not succeed. Changing culture requires two things: top-down support and tons of patience. It is not easy and takes time, but if you have those two things, the result is positive.
Raising awareness, influencing behaviour and strengthening culture are essential to better security. It takes a lot of time, but it’s worth it.
PI: Have you ever been directly involved in a data breach? What lessons have you learned?
AS: Unfortunately, yes. I won’t comment on the specifics, but I can tell you in no uncertain terms that a major incident will increase the number of your grey hairs!
PI: Aman, absolutely fascinating, thank you so much for spending some of your valuable time to talk.
About the author: Philip Ingram MBE is a former colonel in British military intelligence and now a journalist and international commentator on all things security and cyber.
Editor’s note: The opinions expressed in this guest author article are solely those of the author and do not necessarily reflect the opinions of Tripwire, Inc.