If a CISO were to make a wish today, it would most likely be for the power to always stay ahead of cyber criminals. For as long as anyone can remember, CISOs have been playing catch-up to cyber criminals, who have always been a step ahead. Despite millions of dollars invested in security tools and controls year after year, organizations continue to feel vulnerable and inadequately protected.
So when Shipra Malhotra, Executive Editor, dynamicCISO, caught up with global cybersecurity expert and influencer Amar Singh, Founder, Cyber Management Alliance and Chair of ISACA's UK Security Advisory Group, the question at the top of her mind was whether CISOs will ever manage to get ahead of cyber criminals. Read the interview for Singh's candid views on this and on a range of other areas, such as AI/ML in cyber security, what CISOs must absolutely be doing in 2018 to strengthen their defenses, and what attributes the next-generation CISO needs.
Shipra Malhotra: Do you think CISOs can ever get ahead of cyber criminals or will they always end up playing catch up?
Amar Singh: The reality is that organizations can possibly never get ahead of cyber criminals. But, having said that, I would like to add that they can do the same things that cyber criminals do so that they don't lose out in the game. This means focusing on the objective, considering automation, since cyber criminals love automation, and focusing on how the business recovers from a cyber attack. Most important of all, the CISO and the business must acknowledge that there is no 100% security.
SM: Can new age technologies such as Artificial Intelligence (AI) and Machine Learning (ML) give the required edge that organizations are looking for?
AS: Sadly, cyber criminals are probably going to be the biggest innovators in AI because they, in my experience, love automation. While organizations and CISOs are going to be deploying AI, cyber criminals are also going to be doing it. In fact, cyber criminals are determined beyond belief and they have motivation. They are way ahead in the game, flying super-fast jets while organizations are flying really slow propeller planes, if I were to use an analogy. This is the reality even today. CISOs may be considering buying AI, but they first have to create a board presentation, hold project meetings, get the board's approval on the investment, etc. By the time they buy the technology, the cyber criminals have already moved far ahead, as they have no board presentations and project documentation to do. They are living for the day. One of the reasons why we are always lagging behind is that we are stuck in a significantly archaic, transactional kind of business strategy.
SM: So then, what strategy should the organizations adopt to counter cyber criminals?
AS: To me the best strategy has to be detection and response. Is your business ready to recover from an attack? Now, the only way you can recover is not just by having the techies ready to recover. The senior management and executives must also be able to understand what the business needs to do to become cyber resilient.
SM: What is your suggestion for businesses to become cyber resilient?
AS: The business must start by asking the following question: does my management understand cyber resilience? Because it is the non-technical senior executives who hold the budget and the strategy for the organization. If they can understand the threats, the threat vectors and the strategy required for the business to respond, detect and protect, then it's a winning cyber resilience strategy. Right now almost every business is focusing only on the protection part, and it is usually the technical folks who go and buy the protection tools. When the focus expands to resilience, then it should be the non-technical executives, who understand what the biggest risk to the bottom line is, who work with the technical people to make this investment in the resilience strategy.
SM: What is that one thing that you would like CISOs to do in 2018?
AS: The one thing that CISOs must absolutely do in 2018 is start by asking the question: who in your business has access to what? A very simple question, but the answer to this will show you who can access your files, who can make changes in your Active Directory, who can read your CEO's emails, change your CEO's email, delete emails, create users, etc. Who has access to what is one of the foundational cyber hygiene questions and often the most ignored one.
SM: What is your take on CISOs moving from being technical resources to becoming more business centric and moving to the board?
AS: I think it's a good thing. However, I don't think a CISO who is going to report to the board should be completely non-technical. The CISO doesn't have to come from the trenches, so to speak. It's not a requirement that s/he must have been in the trenches and then become a CISO. If I can use an analogy, s/he need not know how to fix the brake pads in a car but must absolutely be able to identify the brake pads in the car. In other words, s/he needs to have some basic technical understanding. To me that's a minimum requirement. There's no excuse for not knowing the real minimum basics.
SM: In your opinion, what should be the attributes of a next generation CISO?
AS: Communication skills are very important. Even though the next generation of youngsters is going to be more technical, you still need to have the ability to communicate. With communication comes a lot of other requirements: vocabulary, the ability to talk, the ability to stop when you need to. A lot of those things are very important. It's almost like a psychological challenge. But, at the same time, if there's a non-technical CISO who is very good at communication but doesn't have knowledge of the basics in terms of technology, then there are major challenges, because s/he may not understand the gravity of the situation. So, there has to be a balance. Another key attribute, the biggest and most important thing but not easy to identify, is passion.
SM: Where is the next big security threat going to come from?
AS: The reality is that the next threats are a bunch of threats. Criminals are getting smarter. There is more money in cyber than ever before. And they are going to be looking at mass attacks for making money: cryptojacking, cryptomining, hijacking your browser, etc. The reality is that even half-good cyber criminals are going to be looking at mass attacks rather than focusing on one individual. The early example of that is CCleaner. This attack has set a very interesting precedent: you attack millions of people by attacking the source, or, as some people call it, the watering-hole attack. To use an analogy, why poison an individual animal when you can poison the water they drink from?