Question 1 – Ben, your role as CISO for Thales Asia Pacific means you have a good sense of the threat landscape and the behaviours of staff. From your observation, are these correlated?
What people perceive as the threat landscape, and what actual risk these threats pose to their organisations, can be an interesting perspective. I’ve heard of many cases where executives, or those responsible for mitigating information security threats, will read about the latest breach or security threat being reported and jump straight to asking how they protect themselves.
There is little or no consideration of the underlying motivations and failures of the reported threat, which would enable them to make a more informed decision regarding their organisational risk and the value of mitigating the threats.
Unfortunately, those who depend just on mainstream media reporting of new threats may be making decisions with summarised or paraphrased technical explanations that lead to the wrong assumptions on the underlying issues. This can directly affect the staff behaviours that either cause, or increase the likelihood, of that threat being realised.
There are some obvious behaviours of staff and business leaders that have led to an increase in threats like wire fraud and ransomware. If an organisation has strong financial processes and governance for approval of electronic transfers, and has business leadership that leads by example and does not try to bypass those processes, then why would wire fraud using simple email social engineering even be considered a real threat?
However, unfortunately there will always be a small population of any organisation that will open an unknown attachment in an email – even those who are well educated can still be fooled, or accidentally open an attachment on a busy day. While this has always been the case, what has changed with ransomware is the business model of ensuring that if you pay up, there is high confidence the criminals will provide the details required to unlock your files. To disrupt the ransomware threat you have to disrupt the confidence in paying to get your files back. By reducing the success of payment, hopefully criminals will move away from the ransomware model.
Question 2 – Your colleague Bruno Nouzille at Thales has been in the media recently talking about Cyber Security in Avionics. What’s your view on such reports – do you think these are alarmist or do they serve an educational role for all of us?
As many traditional organisations look to gain operational efficiencies, create new customer value or undertake digital transformation strategies, we see complex systems and networks that were originally designed to be isolated now requiring connectivity to other systems and networks. In itself this connectivity is not a bad thing, especially if it is achieving the outcomes the organisation is hoping to reach.
However, since the connectivity was not a design consideration in systems that sometimes were baselined decades ago, the flexibility of how you can mitigate risks for interconnectivity is limited, and may be superficial. There is a need to revisit these systems and start considering at a design layer how security aspects of interconnectivity should be introduced into evolved solutions. In many cases the end result could be a human safety issue – avionics is an obvious candidate for this. Therefore we need to ensure the security of systems and solutions that deliver the promised benefits without introducing new safety risks.
Question 3 – When you think about Cyber Security in Asia Pacific, where do you find the most issues in locating good staff? Why do you think that is the case?
The question of finding good staff really depends on what you are looking for, and what you are willing to accept. If you are limiting yourself to only wanting technically experienced security professionals immediately, then realistically you will be competing against market value in most cases.
However, if you are able to grow and develop candidates into the type of capability you need, then the pool of potential candidates can be quite rich. This would include looking at gaining the benefit of new thinking through candidates with analytical experience in other non-traditional IT/IS fields.
The key aspect I want to see from candidates is a real passion for the security field. You need those people who are driven by the challenge of the field, and are excited about exploring new ideas. Thales offers a fantastic opportunity to such candidates given the breadth of countries in which we are based and the technical fields we lead.
A candidate may start off in a more traditional information security role, and in the future find themselves on the other side of the world researching and designing security on platforms such as satellites, aircraft avionics or leading encryption products. It’s exciting where you may end up. Because of this opportunity, those who are passionate about security will also be excited about the challenges they may find working in an organisation such as Thales.
Question 4 – Considering the percentage of revenue that is spent on Cyber Security, what’s your opinion on what is a fair metric to be aiming for?
To be frank, I don’t believe taking a percentage of revenue makes a lot of sense. Every organisation has a different threat landscape that may impact them very differently. They have different risk appetites too. At the most, a high percentage compared to peer organisations may hint at an overspend issue, but that also depends on whether you believe the investments you’re making are satisfactorily reducing the risks, or if the money is being managed with due care.
If you find you have to justify your security budget by using percentage spend on revenue compared to peer organisations, then I’d suggest there are deeper cultural issues you need to address first before even getting to technical mitigations.
Question 5 – When you are hiring new staff straight from university, what are your thoughts around how long it takes you to get them to be fully trained? Are there any secrets to accelerating cyber security staff development?
We’ve been very successful at finding employees that had developed an interest in information security, then fostering that as it became a passion. So as opportunities became available, those same people became ideal candidates that we could provide with more direct training and experience to fill the required roles. Having this opportunity to nurture employees through career enhancements is always rewarding and preferable.
In general terms, one trend I’ve noticed for graduates first entering security positions is the time it takes for them to adjust to a balanced risk approach, and to realise that security is just one risk a business needs to balance. However, this is just a matter of experience.
As an industry, I think it would be interesting to see university degrees link to some form of mandatory work experience/internship to bring some practical thinking to decision making, rather than pure security theory.
Question 6 – A few years ago Thales created a Critical Information Systems and Cyber Security business line. There is clearly deep expertise in Cyber Security.
As mentioned earlier, the opportunities for cyber security practitioners are already impressive, and under the Cyber Secured by Thales initiative it will become even more interesting. In regards to our Critical Information Systems and Cyber Security business line, it brings great opportunities to support my role. At the broadest level the business line provides a better path to understanding the various solutions and products we offer in the cyber arena, and therefore which of those may be a solution to my needs. At another level it gives me an opportunity to provide direct feedback on their product development, helping them generate solutions and features that are more desirable to their customers, of which I may be one. Finally, it provides a talent pool that can be used if required in different ways – potentially recruited for my needs, for example. The business line also represents a place for my staff to move to if they are looking for new challenges.
Question 7 – eSecurity is another division of your enterprise that is specifically focussed on data protection. Do your colleagues eat their own dog food?
A unique and interesting thing is that we do not just have one division focused on data protection. As an example, we have three different business units that research and develop encryption technology. Each of those business units is developing products that fit into specific geo-political/regulatory environments.
Because of the same environmental conditions and the key customers in those regions, we do find that those data protection products are used to protect Thales's network. In regards to e-Security, we utilise the datacryptor extensively throughout the network. Looking into the future with the acquisition of Vormetric, it will be interesting to see what opportunities there are to utilise this product line for the protection of our intellectual property, and what unique propositions may come from tightly integrating the existing e-Security product offerings.
Question 8 – Looking at an enterprise risk appetite, does it make you uncomfortable or just validated, when you see that Cyber Security is listed amongst the top risks?
Cyber security has always been a top priority - in fact, cyber security is treated as an integral part of the total security risk environment, which includes personal, physical, information, cyber and export control. We’ve always worked closely and transparently between each of the security areas so that any threat is considered from all potential vectors.
For those people who are more recently experiencing this exposure as a top risk, it’s important to not overstate the cyber risk. A balanced discussion needs to be had that does not just talk about tactical short-term investments to shore up key cyber risks, but also includes looking at how the same risks fit into a longer term stable risk mitigation strategy. You do not want to be seen as the shepherd who cried wolf too many times.
Question 9 – What’s your view on the gap that Boards have around Cyber Security? Are there specific areas that they need to focus on?
I’m fortunate because I’ve reported directly to the Board in Australia every quarter for almost 10 years. This opportunity has enabled me to develop my understanding of the way directors consider topics such as security in the broader business context, as well as how we can utilise the skills within security to enable the business to safely pursue new opportunities. I have also seen our directors gain a much deeper understanding of cyber issues and how they can impact the organisation.
These Board meetings have actually become one of the meetings I look forward to and enjoy attending the most. In regard to Boards having CISOs advising them for the first time, my advice would be to understand that any CISO will not automatically know what’s important to the Board. They will naturally talk about risks and threats, and may initially speak using technical terms. Directors should consider their engagement with CISOs as a long term journey to gain the most benefit, and try to meet them halfway. Provide some mentoring or coaching so the CISO can grow and adjust their advice to a level and tone that gives the Board appropriate direction and enables their decision making. As a director, if you’re able to build strong value from a CISO's advice, then your growing understanding of cyber issues can also be utilised across any other Boards you may sit on.
Question 10 – Finally, when are you able to exhale at work? Do those moments occur regularly, or is that just after a long week?
My work is my passion and my hobby, so I’m one of those lucky people who really enjoys what they do for a living. If I am not being challenged, or if the workload cadence has slowed down, then I’d be bored. There are times when the work tempo is very challenging, but as long as it’s not for an extended period, I’ll keep thriving and having fun.