Over the past two years the role of the CISO has transitioned from a manager of IT security technologies to a risk management decision-maker. Martin Gomberg, author of CISO Redefined, explores this topic.
What is the biggest information security threat to your industry?
We often focus too much on technology in information security. Threats live where the business lives. There are no threats to technology, only to the business, and the greatest threat to business is not recognizing this.
As CISOs we share common threats and exposures. Our roles are changing to reflect this. There aren’t enough tools or appliances that you can lay onto a business to protect it if basic cleanliness, controls, and sensible operations fall short. Technical capabilities are now table-stakes skills. Architecture, policy, compliance, continuity and business integrity controls, along with communication, presentation and the confidence of leadership, are the new currency of the CISO. And with that the language is business, and measured business risk, not technology.
Business is changing. It has become more globalized, cloud-based, virtualized and service-oriented, and policy and contracts now manage data no longer under our direct control, but for which we are accountable.
Changing business, digital transformation, new markets, and new consumers have produced a voracious demand for the collection, aggregation, and consumption of data. How we manage this creates privacy challenges and new global and digital marketing risk. Executives and operating boards recognize that disruption and innovation will be the incubators of market success but are challenged as to how to achieve a path to disruption without damage, and without excessive risk. They recognize that the opportunities to participate in new markets and adopt transformational approaches, or to be ‘disruptive’, are not possible without a secure operating environment, and without a risk management strategy that enables new opportunity. They also recognize that it is difficult to find the skills and competencies to provide a mature response to risk in our changing environment.
And the markets we serve are changing. Virtual space and digital communities expand our risk surface. Smart phones, tablets and devices have become the portal to our day-to-day lives, and each provides unlimited access, reach and capabilities, often to an unprepared community with limited understanding of risk. Security and privacy are in a tug of war. Privacy demands security, but also impinges on its application. Mandates for regulatory, legal, and ethical compliance have become increasingly complex. Laws impose a new level of accountability on executive leadership for responsible data stewardship. And it is the CISO that is being called on to provide the assurance behind the signatory responsibility of executives, and of the board, to regulators, financiers, and investors. This is not just by choice. For many, and increasingly, it is by order of law. A new CISO, a more mature and business-aligned CISO, is emerging.
What can delegates expect to learn and hear about during your session on the Keynote Stage?
The role is in transition, but it will not be the same for all of us. I will share the stage with several established CISOs, compliance and Infosec specialists, from different industries, with different challenges, each with different backgrounds, and each taking differing paths toward mitigating the risk to their business. Some may be dealing with the challenges of the new NYDFS Cyber Security Regulation, others the EU General Data Protection Regulation, and others concerned for the new California Consumer Privacy Act which will be enacted by 2020. Each will have different approaches to emerging digital markets and transitions to cloud, IoT (Internet of Things), and other emerging environments. Each will be facing different challenges with budgets, staffing, role positioning and reporting lines within their organization, and will be interfacing with executive leadership to different degrees, and in different ways. Some may be internally focused, others externally, working with peers in their industry and across others, through industry advisory councils, and with law enforcement to develop a posture of awareness and defense as a professional community.
I hope to engage this panel to discuss their challenges, goals, successes and difficulties as they work their way through the dynamics of a changing role.
The key theme for this year’s Infosecurity North America is Strengthening Cyber Defenses Against Tomorrow’s Threats. What advice do you have for practitioners building a strategy to defend against the threats of today and tomorrow?
I can largely answer this with an excerpt from my book. ‘We don’t do business alone. We have markets and consumers on which we depend and competitors that help define our value. Each component of our value chain in turn participates with others in a chain of dependencies. It is all a relationship based on assumption, hope and trust, minimally visible to us, and even less so secured by contract. That which we describe as a value chain is at best a loosely structured web constructed of trust and dependency. We build indemnification in contracts as an insurance, but in fact it is an acknowledgement of the dirt in the system. There are things we cannot know.’
We depend on technology, but technology alone will not protect us. Hardened technology is our first defense, but process controls, awareness, vigilance, and operational hygiene are and will remain our best defense. We are a system with others and share their risk. We need to work with partners, technology providers, specialists and the public sector for a defense in common. But mostly, we need to know what data we have, where we have it, if we need it, and how we are protecting it, whether we hold it, our partners hold it, or we rely on shared services as infrastructure tenants in the cloud. We need to understand our risk and differentiate our controls to focus our greatest investments on that which is most consequential to our business, a maturity approach.
Infosecurity North America will take place on 14 – 15 November at Javits Convention Center, New York.
In your opinion what are the hot trends/topics right now? And what will be the biggest trends in 2019?
It’s not about systems, or cloud, or containers and other micro services although each remain extremely important to our architectural profile. It’s not about security tools, forensics, analytics and AI, although we will all depend on these for continued success. It’s all about data, but not just big data, consequential data, and mostly personal data, understanding it, classifying it and stewarding it in a balance of the privacy interests of individuals and the leverage interests of business. We see it in emerging law and data protection regulation across the globe. It will be front and center through 2019 and our success as businesses will depend on our effectiveness in protecting the rights and interests of our consumers, employees, and markets, and in specific, their personal information.
What are your thoughts on whether the USA should implement a general data protection regulation at a federal level (similar to the EU GDPR)?
The world is going that way. It’s not just the EU and the European Economic Area, it is much of Africa, Latin America, Australia, Russia, China, Singapore, Israel, UK, and countries on every continent across the globe. The laws differ, but for the most part, a governing omnibus law that reflects the privacy rights of individuals, not the federated, state by state and federal agency model is the path forward and will be needed for the free and trusted exchange of information, respect for the rights of individuals, and for businesses to participate and succeed in a global market. The California Consumer Protection Act is a glimpse of what is to come. Other states will emulate. But this is the wrong path forward. We as a country, at the federal level, need to get on board with the rest of the world in protecting the interests of individuals as a natural right.
Do you feel that by being compliant your company is therefore secure? Does compliance equal security?
Compliance does not equal security, but absence of conformance to regulation demanding the development of an ecosystem of ethics, integrity, security, privacy and continuity of business, all the governing elements we want from the CIA triad of confidentiality, integrity and availability and more, assures breakdown of the common system, our value chain, and failure. There isn’t a one-size-fits-all, and every business is unique. Compliance assures we meet the price of entry for a secured or controlled environment, but we need to each understand our risk in terms of our business, comply with that required by the law, and also address our specific risk concerns. Investing enough to meet compliance objectives, but less than we need to adequately protect our business, may be sufficient from a regulatory position, but from a protective posture it leaves the business exposed, and makes the entire spend wasted.
What regulations affect you the most?
My focus as an advisor and consultant is on helping businesses with emerging cyber regulations and global data protection regulation, in specific the NYDFS Cybersecurity Regulation 23 NYCRR 500 and the EU General Data Protection Regulation, or GDPR, but also HIPAA and other global data protection regulation. Although, by trajectory, I have been a CIO and CISO, my personal interests are in privacy and using technical and operational governance effectively to assure it.
What are we, as an industry, doing right?
The technology we are building, deploying and investing in is exceptional, and continually getting better. But we are not immune; deficiencies are a certainty and so is compromise, and that keeps us focused.
What one piece of advice would you give to someone who is entering the information security profession?
Focus on the business and define, address and communicate about your risk in business terms. It is more relevant to the business to know that the investments being made and the issues that you are responding to are to assure they can accept online orders and meet manufacturing objectives, than to understand the workings of DDoS attacks and how a worm propagates.