Could you describe your average day as CISO at Wynyard Group? Do you have a particular routine for the start and end of day??
I love that my role is broad and varied. Each day is potentially very different and I expect the work I do day-to-day to change over time. Right now I’m spending time helping the IT team to design security into the foundation of some work we have underway. In the longer term my focus will be much more on process, assurance, and engaging with people about security.
Do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
Yes, anecdotal evidence of companies making substantial new investments in security is increasing. Top management and boards are aware that security is a strategic business issue. However, few companies have sufficient awareness of risks and appropriate controls at all levels. Many are still not investing in enough of the right things. Security budgets in some organisations need to increase and that money needs to be carefully spent.
On a scale 1-5 do you expect that your own investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that??
To put a number on it, I’d say 4 out of 5. As a company operating in the crime fighting and security software industry, we invest substantially in cyber and information security and our investment is sure to increase. Our growth, products, markets and the rigorous security requirements of our customers will all drive demand for ongoing improvements in information security.
How do you balance your own bandwidth between attention on you longer term security agenda and today's issue that has just arisen?
I put priority on the longer term security agenda as much as possible because comprehensive, cost-effective security is only arrived at through careful and elegant design.
There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I track many vendors and products including a few new companies. Entire classes of controls like application whitelisting, threat emulation (sandboxing), and advanced analytics look set to become baseline features of high-security infrastructures.
Existing, as well as new, vendors are moving to claim this territory. For example, firewall veteran Check Point has sandboxing and mobile security solutions and I am watching the move by network vulnerability scanning vendors to incorporate scanning on the endpoint.
I also have my eye on the next generation of endpoint security approaches. Bit9 (application whitelisting) and Bromium (micro-virtualisation) are examples of how approaches to endpoint security are evolving. In large environments where consistent deployment of endpoint technologies is challenging, CISOs can look to advancing security analytics capabilities. One thing that is for sure, though, is that deploying traditional anti-virus is no longer doing enough.
What do you regard as the crown jewels within Wynyard Group that has the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches??
The “crown jewels” of an organisation can often be simply defined. For us what is really important is having a complete understanding of what is valuable data, who has access to that data, where it is located, who is protecting it and how well it is protected. For me our company’s intellectual property is one type of information that is most important for me to defend.
I have had the greatest success with mock incidents that have a realistic premise. Fabricating a good incident can be a lot of work. I recommend taking inspiration from real incidents (plenty are in the public domain) and encouraging users to consider routine issues—like a computer crashing unexpectedly—as a potential security event and to follow the incident notification and handling process so that it is well drilled.
Mike, given that trust is such a key part of why others work with your organisation. Have you put in place any additional measures for your senior management around Spear Phising etc?
Operating in the crime fighting and security software industry means that security is very much on the radar of key senior managers and those people take a keen interest in keeping up to date with new malicious attacks. With most large companies being bombarded with cyber-attacks all the time it is important to remember that senior management are just one type of privileged user—IT administrators are also risky users, for example.
When you yourself choose partners to work with – what’s the key criteria that you use to select and then also retain them as a partner?
Security is obviously my first consideration but I often observe that other important things like quality, design and user experience, functionality, support, and even value-for-money go in the same direction. It is difficult to get security right if your business is a shambles so I think of security as alluding to the canary in a coal mine. I also put a lot of stock in genuine partnerships and a frank exchange of ideas. A portfolio of security products is infinitely complex and there is sometimes a lot of vendor puff to bust through.
What key attributes that you look for when selecting a new staff member?I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent??
I always look for experience—at whatever level—and engagement with the security community. Security is a broad, deep, and rapidly moving discipline so a person has to be a passionate self-starter to have a chance of keeping up.
We need more talent in security but we also need to make better use of our people. Better technology is one part of that. Some organisations struggle more than others to recruit—it’s not unusual for recruits to have multiple offers—but I don’t think we are seeing the full impact of this yet. The very small number of practitioners with more than ten years’ experience and up-to-date skills is a concern. Keeping current is a challenge with so much to get done.
Finally what keeps you awake at night?
Worrying is not an effective control so I try not to lose sleep over things. The two challenges I am thinking most about at the moment are: (1) telling the security story succinctly without making it sound like the sky is always falling; and (2) job satisfaction and burnout amongst experienced security professionals. Every day a multitude of new cyber-attacks are launched so finding ways to stay cheerful when you are in charge of an unsolvable problem is something we need to master if we are to retain our most experienced people.