COVER STORY

understanding of security and some of our board members have got a lot of experience in that space.

“So having that conversation with the board is great. You can talk about maturity of the organisation, our security stance, the areas we are looking to make investment of time, people and resources, talk about risk in a structured and mature way.

“I would say from my perspective as CISO the communication skills are one of the most important parts of the job. If you can’t get your message across then how are you going to convince the board, gain their support? How will you negotiate with heads of business units to improve their security posture? Those things are really critically important and talking to the board is one of the most important things I do on a quarterly basis.”

On the biggest global threats

“Globally, there are many to choose from,” Webber says. “But my biggest concern is really the explosion of IoT devices that have poor security.

“So the demands of managing secure, reliable infrastructure have increased in line with the connected enterprise endpoints being added.”

He highlights predictions from Gartner stating that IoT is expected to grow 32% a year through to 2021, with up to about 25 billion connected devices.

“Those devices produce enormous amounts of valuable data, both personal and corporate, and obviously that data has to be protected and secured.

“And as that IoT, or what we call EoT, that’s our focus for Enterprise of Things, as that expands, so does the attack surface for the hackers and they are getting more and more sophisticated.”

BlackBerry is working on an end-to-end EoT platform that secures the communication and collaboration between the endpoints, addressing the need for hyperconnectivity alongside ultra security and data privacy.

“We are applying our expertise in key areas like mobility and encryption and embedded software and applying that to a range of endpoints like cars and drones and medical devices and other areas.

“So for me, if I look at that threat profile globally, this is really the explosive area in the industry, in IoT, and BlackBerry as a company is taking that very seriously and I as a CISO of course am looking to protect our customers’ data and our own data and our infrastructure from those threats.”

How can CISOs build a strong security culture within the business?

“We’ve started to use people who are particularly interested within different units and made them security champions within their own organisation. So starting to use the wider organisation to spread the message in the language of that particular business use.

It all comes down to targeted messages and having security champions.

“You have to be out there talking to the business leaders and the people within the organisations you’re trying to secure. Building strong relationships with both the peer group in the rest of the C-suite and also within engineering organisations, HR functions, finance etc.

“What I’ve found to be effective is to try and target those messages to the specific groups you are trying to improve the security for.

“Wherever possible I try to use real-world examples just because they make it real for people. If you talk in esoteric terms about the way something happens I find people are much less engaged and much less likely to get it.

“Whereas if you take people through a real incident, something that’s been in the press for example, I find that you get people very interested, because you see the lightbulb go off, they get it and I find those messages stick much better with people.

“Tailoring the message and then getting somebody – or some people – on board who knows how it works and will then be your champion within it, I find that to be very effective.”

Planning for the year ahead

“I take a very structured approach to planning. We use a number of industry standard frameworks like NIST and increasingly the MITRE ATT&CK Framework, we assess ourselves and have external parties come and assess us against our maturity in many aspects of those frameworks,” Webber says.

“We’ll look at threat intelligence for the year ahead and try to understand where the criminal industry is going and look at those threat profiles.

“And then we pull those two things together so we can assess the areas we would like to strengthen because intelligence says this particular thing is going to increase.”

One example he uses is cryptojacking, with reports stating it was set to be on the rise.

“That gave us a little bit of a head-start in terms of ‘OK, what do we need to do, are we ready for that kind of threat, how would we detect it and protect ourselves against that kind of thing?’.

“So there’s that structured approach to planning for the year. Obviously you have to be ready for the unexpected, if that’s not a contradiction in terms, but there’s still a lot of rigorous planning and structure needed to make sure you’re as prepared as you possibly can be.”

www.intelligentciso.com | Issue 11