"Cost-effective security is only arrived at through careful and elegant design"

CISO Interview Series: Michael Wallmannsberger, CISO, Wynyard Group

Could you describe your average day as CISO at Wynyard Group? Do you have a particular routine for the start and end of the day?

I love that my role is broad and varied. Each day is potentially very different and I expect the work I do day-to-day to change over time. Right now I’m spending time helping the IT team to design security into the foundation of some work we have underway. In the longer term my focus will be much more on process, assurance, and engaging with people about security.

Do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?

Yes, anecdotal evidence of companies making substantial new investments in security is increasing. Top management and boards are aware that security is a strategic business issue. However, few companies have sufficient awareness of risks and appropriate controls at all levels. Many are still not investing in enough of the right things. Security budgets in some organisations need to increase and that money needs to be carefully spent.

On a scale of 1-5, do you expect that your own investment in Cyber & Information Security will increase over the next 3-5 years? What's going to drive that?

To put a number on it, I’d say 4 out of 5. As a company operating in the crime fighting and security software industry, we invest substantially in cyber and information security and our investment is sure to increase. Our growth, products, markets and the rigorous security requirements of our customers will all drive demand for ongoing improvements in information security.

How do you balance your own bandwidth between attention on your longer-term security agenda and today's issue that has just arisen?

I put priority on the longer term security agenda as much as possible because comprehensive, cost-effective security is only arrived at through careful and elegant design.

There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?

I track many vendors and products including a few new companies. Entire classes of controls like application whitelisting, threat emulation (sandboxing), and advanced analytics look set to become baseline features of high-security infrastructures.

Existing, as well as new, vendors are moving to claim this territory. For example, firewall veteran Check Point has sandboxing and mobile security solutions and I am watching the move by network vulnerability scanning vendors to incorporate scanning on the endpoint.

I also have my eye on the next generation of endpoint security approaches. Bit9 (application whitelisting) and Bromium (micro-virtualisation) are examples of how approaches to endpoint security are evolving. In large environments where consistent deployment of endpoint technologies is challenging, CISOs can look to advancing security analytics capabilities. One thing that is for sure, though, is that deploying traditional anti-virus is no longer doing enough.

What do you regard as the crown jewels within Wynyard Group that have the highest level of security? How well do you conduct 'mock' incidents so that the team is prepared for data breaches?

The "crown jewels" of an organisation can often be simply defined. For us, what is really important is having a complete understanding of what is valuable data, who has access to that data, where it is located, who is protecting it and how well it is protected. For me, our company's intellectual property is one type of information that is most important to defend.

I have had the greatest success with mock incidents that have a realistic premise. Fabricating a good incident can be a lot of work. I recommend taking inspiration from real incidents (plenty are in the public domain) and encouraging users to consider routine issues—like a computer crashing unexpectedly—as a potential security event and to follow the incident notification and handling process so that it is well drilled.

Mike, given that trust is such a key part of why others work with your organisation, have you put in place any additional measures for your senior management around spear phishing etc.?

Operating in the crime fighting and security software industry means that security is very much on the radar of key senior managers and those people take a keen interest in keeping up to date with new malicious attacks. With most large companies being bombarded with cyber-attacks all the time it is important to remember that senior management are just one type of privileged user—IT administrators are also risky users, for example.

When you yourself choose partners to work with – what’s the key criteria that you use to select and then also retain them as a partner?

Security is obviously my first consideration, but I often observe that other important things like quality, design and user experience, functionality, support, and even value-for-money go in the same direction. It is difficult to get security right if your business is a shambles, so I think of security as akin to the canary in a coal mine. I also put a lot of stock in genuine partnerships and a frank exchange of ideas. A portfolio of security products is infinitely complex and there is sometimes a lot of vendor puff to bust through.

What key attributes do you look for when selecting a new staff member? I'm aware that there is a shortage of capability in the industry. How long does it take on average to find new talent?

I always look for experience—at whatever level—and engagement with the security community. Security is a broad, deep, and rapidly moving discipline so a person has to be a passionate self-starter to have a chance of keeping up.

We need more talent in security but we also need to make better use of our people. Better technology is one part of that. Some organisations struggle more than others to recruit—it’s not unusual for recruits to have multiple offers—but I don’t think we are seeing the full impact of this yet. The very small number of practitioners with more than ten years’ experience and up-to-date skills is a concern. Keeping current is a challenge with so much to get done.

Finally, what keeps you awake at night?

Worrying is not an effective control so I try not to lose sleep over things. The two challenges I am thinking most about at the moment are: (1) telling the security story succinctly without making it sound like the sky is always falling; and (2) job satisfaction and burnout amongst experienced security professionals. Every day a multitude of new cyber-attacks are launched so finding ways to stay cheerful when you are in charge of an unsolvable problem is something we need to master if we are to retain our most experienced people.
