Intelligent CISO Issue 28 | Page 53

Zalando offers excellent personal development training, resources and budget support for training on specific cyberskills and certifications and facilitates an apprentice programme where we can teach basic security topics and functions to people as part of their curriculum, with an option to hire at the end of the programme.

How do you predict the cybersecurity industry will evolve over the next five years?

It’s quite hard to predict – I think you have to look at it differently now as our ways of working have suddenly changed. It was already heading this way, with many companies offering work-from-home options, but now we’ve fast-forwarded at least five years.

This way of working shift makes Zero Trust environments and identity governance very important as you control how you manage access to and by whom data is processed to be able to meet ethical data use and GDPR requirements. Whether we are ready or not, we have lost the protected confines of the corporate network; data can go to any device, anywhere, at any time. These create difficult operational challenges that will need to be solved and auditors will require evidence that you have this securely covered and will become an integral part of your strategy and overall posture. Zalando is addressing this with increased investment into Identity and Access Management, technical asset and device management, additional logging and more efficient vulnerability management.

What advice would you offer other CISOs when it comes to bolstering cyberdefences?

A strategy should be principle-based – you have to have something in mind like ‘we are going to protect our customer data at all costs’. Then, 1) build policies based on any sound security framework (there are many), 2) build core controls as strong as required for your regulatory and risk appetite, and 3) build towards meeting those controls relentlessly. If you know what you are trying to solve and your measurement of success, you can solve the problem. As an industry, we must move away from ad hoc reactive security to more control and process-based, measurable and proactive security implementations.

Moving forward, where do you look to invest as a company?

There’s been a big push to automate some things that we do manually. Even though we’re 12 years old, we’re a very young company and we are investing and working hard to add new automation and more robust processes. We’re conducting POCs AI-focused anomaly detection, digital footprint scanning, third-party risk assessment automation and additional support to enable security and privacy early in the development cycle. With all of these, automation is key and we will continue down this path.