How do you see the global threat landscape changing?
IT security is undoubtedly a global problem. Whatever happens in this realm is ubiquitous, and no longer locally confined. Certain countries have developed huge offensive cyber capabilities, while nation states are going after private corporations. There is a huge disconnect between motives and capabilities – a lot of countries have assembled such an arsenal that they have the power to take down targets at will.
What are a CISO’s top concerns?
Resources. It’s the same everywhere, there’s a great disparity between the resources of attackers and defenders. For so long, IT security has been a cost centre, where IT has to get the maximum benefit from minimal resources; ‘If we can pass the test with 70 percent, why bother aiming for 100?’ CISOs are becoming more skilled with tools, processes and technology. They’re becoming better at stretching budgets. Nonetheless, the fact remains that in the U.S. there is a shortage of 300,000 IT security professionals, and the number is as much as 800,000 worldwide. This gap further necessitates more innovative tools and processes, which can’t be created overnight. People need to understand that IT security is a necessity for success.
What strategies are now most important for CISOs around the world?
They’re looking at automating processes that can be done by machines, so that man hours can be spent on analysis. The word ‘automation’ has a bad scent to it; inadvertently blocking the CEO’s email is the fastest way to get fired.
Another key issue is that of compliance. An increasing number of governments are now moving to pass laws for compliance. The UAE government is a prime example; IT security has been prominent in a number of their discussions. Countries are taking a strategic approach, finding a functional way to achieve their goals. In the midst of this, CISOs are caught up with laws and regulations, but are lagging on the technology front. Take cloud. It’s operationally sound, but the customer is often left worrying if they’re at the mercy of foreign laws. If I’m an Emirati, do I want my data residing in the U.S. or Ireland whilst knowing it has to meet local laws and regulations?
How do CISOs go about combatting threats in real time whilst detecting other potential vulnerabilities that can be exploited?
It’s important to think about processes. Software and machines can do things very well, so if you can use the right tools for faster detection, you have a better chance of containing and then eradicating a problem. When you buy a laptop, within 19 seconds there will be an attempted hack against it. IT security programmes stop the vast majority of attacks, but they’re not very good at telling you how effective your security is.
Does being a CISO of an IT security company bring an extra element of pressure?
It’s quite often a case of ‘dubious cause, dubious outcome’. Some days you can keep on top of things, but on others you don’t stand a chance. On those days, your team will be working around the clock, sometimes for 70 hours straight, and they are nightmarish. It’s always interesting to watch the IT security subculture of dealing with incidents, but I don’t feel any pressure of being in the CISO seat.
In the face of a breach, there are three main parties that the CISO has to juggle: the executive, the regulator and the team working on rectifying the damage. The exec always asks “Why did you fail?”, the regulator says “We’ll take it from here”, and at the same time you have your team, who are feverishly analysing terabytes of data.
Is automated threat response different from automated incident response?
Yes. One of the main challenges CISOs now face is that of language. We can build all sorts of dashboards, but the problem we face is that we are drowning in data.
It’s important that we can take action on data, and react to a threat; a faster reaction will lead to a better outcome in that respect. In the past, when security teams conducted forensic analyses, if there was an indication of a problem, resources weren’t optimised to deal with it, and it got buried among other false indicators.
Automation and orchestration need to take on a greater importance. Let’s say it takes five or six processes before a ticket is issued; you lose 25 minutes just waiting for that to happen. A machine could pull that information together in one place, then a human can create the ticket. This increases your capacity to find the ‘poison needle’. If an IT team has 1,000 threats to deal with every day, they are always behind. If you can bring this number down to 100, they at least have a chance of beating them.
People, processes and technology are all key elements in thorough IT security. Which of the three do you regard as most important?
Undoubtedly people. Technology can provide data but humans can interpret it in a way that machines can’t. What’s important is to ensure people have actionable data at their fingertips. The sad reality is that most IT security professionals are immensely talented people who are being burned out by the futility of their jobs. I could have security professionals who have the intelligence of a grandmaster chess player or a brilliant scientist, but if they are stuck in front of a screen without the right tools then they will eventually walk away. The average tenure for a CISO is 18 months, which sends out the message of ‘you’re a failure’ to the team, and that lack of stability is also a deterrent to working in the industry.