COVER STORY
are you using Citrix where you control the endpoint? Some organisations use BYOD so they would allow people to use their own device – how do you address the privacy issues surrounding the monitoring of personal devices? I help them navigate these issues in maturing their remote teleworking capability in the development of policies and understanding the trade-offs and risks.

How do you help companies to manage security loopholes in their systems?

The detection and mitigation of loopholes are managed in the Security Operations Centre (SOC), which correlates security incidents and identifies security problems such as loopholes. One such example is the tendency of privileged users to access backend systems through VPNs using an unsecured endpoint or personal computer, which are very vulnerable. To mitigate this risk, a policy and a privileged user remote access procedure must be put in place, along with training and awareness, by updating the privileged user agreements which the privileged user has acknowledged. A second example is that privileged users should only be using their privileged user accounts to perform approved administrative tasks, whereas other tasks like checking email or accessing the Internet should be done on a non-privileged user account.

How can CISOs create a strong security culture within their organisation?

A great way of doing this is to build a security community practice in which there is a security champion for every part of the business (accounting, sales, marketing, engineering, etc.). As a valued member of the team, the security champion communicates the security challenges, issues, ideas and successes from their group to the larger community. The objective is to bring the business along and make them part of the decision process, because the business needs to own the risk. Security needs to be seen as a business enabler. The first of two examples is that security can increase the organisation’s productivity by implementing a scalable remote teleworking service. The second is security’s ability to demonstrate that the organisation’s IT systems meet regulatory requirements, thereby increasing a customer’s confidence to do business with the organisation.

Are there any particular challenges you find difficult to manage within your role?

A big focus of my work is the transformation to the cloud. CIOs are announcing that they want to move to the cloud for various cost-efficient reasons, but doing this securely is part of the challenge. It truly is a C-suite role that needs reporting through the CFO or CEO – you can’t have the fox watching the hen house. Burying it under the CIO means that sometimes you get a lot of tension, so that’s a challenge in itself. From a technology standpoint, the two key areas are DevSecOps – implementing the ‘Sec’ in a DevOps transformation. You
get a lot of developers who know how to do ‘Dev’ and they’re capable of pushing it to operations, but they’re not doing it securely. So, how do you integrate that into the life cycle?

It’s got to be an integrated approach, and it’s a concept of rugged DevOps, also called DevSecOps. It’s really about making sure the developer owns security and risk management of the code and is doing the static code analysis, dynamic code analysis, penetration testing and other security testing as part of the tool chaining in the DevSecOps pipeline. Furthermore, guidance or policies need to be established that allow the DevSecOps team to release to production based on a risk score calculated from the results of the toolchain, thereby removing the release approval blocker inherent in the traditional Configuration Control Board (CCB) SDLC control gate.

Establishing a data governance programme is also a challenge. When you look at all of that data and where it is on the information layer – who has control of that? There is the emergence of a Chief Data Officer who manages the information layer and the business informational assets. However, this is a shared responsibility with the CISO, who has implemented the Information Access controls like the ones outlined in the NIST AC family. The AC-4 control manages how the systems control the flow of information. Thus, the C-suite coordination between the CIO, CISO and CDO becomes critical. This is especially true when building a data lake and the data is aggregated together in one location. This aggregation can impose added regulatory requirements across the data, especially with the introduction of Personally Identifiable Information (PII), financial or European Union data. The mitigation would require the encryption of the data to meet regulatory compliance requirements.

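The release gate described above, in which the DevSecOps team releases to production on a risk score computed from the toolchain results rather than waiting on a CCB approval, as an added illustration in Python. This is not the interviewee's or any vendor's code; the severity weights, the thresholds, the set of required tools and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed weights and thresholds: a real programme calibrates these to its risk appetite.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}
REQUIRED_TOOLS = ("sast", "dast", "pentest")  # evidence the pipeline must produce


@dataclass
class Finding:
    severity: str          # one of SEVERITY_WEIGHT's keys
    status: str = "open"   # "open" counts; "fixed" and "accepted" do not


def risk_score(report):
    """Sum the severity weights of every open finding across all tools."""
    return sum(SEVERITY_WEIGHT[f.severity]
               for findings in report.values()
               for f in findings if f.status == "open")


def release_decision(report, block_at=10.0, review_at=5.0):
    """Return (decision, reason). report maps tool name -> list of Finding.
    A tool absent from the report did not run, so its absence blocks the release:
    a score computed from missing evidence would understate the risk."""
    missing = [t for t in REQUIRED_TOOLS if t not in report]
    if missing:
        return "block", "no results from required tools: " + ", ".join(missing)
    # Any open critical blocks outright, regardless of the aggregate score.
    if any(f.severity == "critical" and f.status == "open"
           for findings in report.values() for f in findings):
        return "block", "open critical finding"
    score = risk_score(report)
    if score >= block_at:
        return "block", f"risk score {score:.1f} at or above block threshold {block_at}"
    if score >= review_at:
        return "review", f"risk score {score:.1f} requires a security review"
    return "release", f"risk score {score:.1f} below review threshold {review_at}"


# Constructed sample toolchain output for one build.
EXAMPLE_REPORT = {
    "sast": [Finding("high"), Finding("medium", "fixed")],
    "dast": [Finding("low"), Finding("low")],
    "pentest": [Finding("medium", "accepted")],
}

if __name__ == "__main__":
    print(release_decision(EXAMPLE_REPORT))
```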
What advice would you offer to other CISOs?

I would say embrace IT transformation and build a strong risk management programme. To be able to communicate with the business, you need to communicate on the level of risk, so you need to be able to understand where your risks are. This requires calculating in real-time what your risk posture is and carrying out continuous monitoring. Understand how to communicate to the board, understand how to calculate risk and understand how to do it in real-time. The other piece of advice I would offer is embrace DevSecOps. It is an avenue in which you could build a partnership with the CIO and the Chief Data Officer or the Chief Digital Officer who is leading that Digital Transformation. There are a lot of risks there and you need to insert yourself into that process.