Intelligent CISO Issue 11 | Page 53

COVER STORY

understanding of security and some of our board members have got a lot of experience in that space.

“So having that conversation with the board is great. You can talk about maturity of the organisation, our security stance, the areas we are looking to make investment of time, people and resources, talk about risk in a structured and mature way.

“I would say from my perspective as CISO the communication skills are one of the most important parts of the job. If you can’t get your message across then how are you going to convince the board, gain their support? How will you negotiate with heads of business units to improve their security posture? Those things are really critically important and talking to the board is one of the most important things I do on a quarterly basis.”

On the biggest global threats

“Globally, there are many to choose from,” Webber says. “But my biggest concern is really the explosion of IoT devices that have poor security.

“So the demands of managing secure, reliable infrastructure have increased in line with the connected enterprise endpoints being added.”

He highlights predictions from Gartner stating that IoT is expected to grow 32% a year through to 2021, with up to about 25 billion connected devices.

“Those devices produce enormous amounts of valuable data, both personal and corporate, and obviously that data has to be protected and secured.

“And as that IoT, or what we call EoT, that’s our focus for Enterprise of Things, as that expands, so does the attack surface for the hackers and they are getting more and more sophisticated.”

BlackBerry is working on an end-to-end EoT platform that secures the communication and collaboration between the endpoints, addressing the need for hyperconnectivity alongside ultra security and data privacy.

“We are applying our expertise in key areas like mobility and encryption and embedded software and applying that to a range of endpoints like cars and drones and medical devices and other areas.

“So for me, if I look at that threat profile globally, this is really the explosive area in the industry, in IoT, and BlackBerry as a company is taking that very seriously and I as a CISO of course am looking to protect our customers’ data and our own data and our infrastructure from those threats.”

Planning for the year ahead

“I take a very structured approach to planning. We use a number of industry standard frameworks like NIST and increasingly the MITRE ATT&CK Framework; we assess ourselves and have external parties come and assess us against our maturity in many aspects of those frameworks,” Webber says.

“We’ll look at threat intelligence for the year ahead and try to understand where the criminal industry is going and look at those threat profiles.

“And then we pull those two things together so we can assess the areas we would like to strengthen because intelligence says this particular thing is going to increase.”

One example he uses is cryptojacking, with reports stating it was set to be on the rise.

“That gave us a little bit of a head-start in terms of ‘OK, what do we need to do, are we ready for that kind of threat, how would we detect it and protect ourselves against that kind of thing?’.

“So there’s that structured approach to planning for the year. Obviously you have to be ready for the unexpected, if that’s not a contradiction in terms, but there’s still a lot of rigorous planning and structure needed to make sure you’re as prepared as you possibly can be.”

How can CISOs build a strong security culture within the business?

“You have to be out there talking to the business leaders and the people within the organisations you’re trying to secure. Building strong relationships with both the peer group in the rest of the C-suite and also within engineering organisations, HR functions, finance etc.

“What I’ve found to be effective is to try and target those messages to the specific groups you are trying to improve the security for.

“Wherever possible I try to use real-world examples just because they make it real for people. If you talk in esoteric terms about the way something happens I find people are much less engaged and much less likely to get it.

“Whereas if you take people through a real incident, something that’s been in the press for example, I find that you get people very interested, because you see the lightbulb go off, they get it and I find those messages stick much better with people.

“We’ve started to use people who are particularly interested within different units and made them security champions within their own organisation. So starting to use the wider organisation to spread the message in the language of that particular business use.

“Tailoring the message and then getting somebody – or some people – on board who knows how it works and will then be your champion within it, I find that to be very effective.”

It all comes down to targeted messages and having security champions.