CISO Interview Series: Thinking at the cyber threat landscape front end
What are the most important areas for a CISO to focus on? When speaking to Aman Sood, it becomes clear that the job of a CISO encompasses every aspect of a business. Aman is the Head of Cyber Security with Jimdo, a website building platform that helps small businesses start, grow, and ultimately thrive online. Aman is also the Cyber Security Group Chairman for ISITC Europe CIC, a non-profit industry body and a catalyst for collaborative innovation within the capital markets. If ever there was someone at the front end of the cyber threat, it is Aman.
Philip Ingram: The role of the modern CISO is changing. Based on your experience, what are the essential skills a CISO should have now?
Aman Sood: The role has evolved into becoming both an art and a science. Long gone are the days of “textbook” security to justify decisions. The breadth and depth of domain expertise remains a given, however, soft skills such as persuasive influence, active communication and compelling storytelling are essential to help drive the security agenda. To become truly recognised as a business enabler,
CISOs of today must be able to forge effective partnerships across the business, balancing the organisation’s needs with security goals.
PI: When looking to rejuvenate, or build a new security program, what three or four areas would you tell organisations to focus on?
AS: If I had to provide a ‘one-size-fits-all’ answer, I’d suggest one key area of a fortified security program is the accurate identification and management of enterprise assets. Although this may sound simplistic, it is often an extremely challenging responsibility.
Broadly speaking – and this obviously varies greatly for different organisations – I’d suggest increasing the focus on the areas in which are the weakest. Several factors can influence certain decisions; the nature of the business, team size, expertise, budget, and compliance requirements, all play a vital role. Ultimately, it comes down to the risk appetite.
PI: What advice and tips would you share with other CISOs when it comes to communicating the ROI on security investments to other stakeholders? How do they get buy-in?
AS: Information security is only relevant if it impacts the business, therefore, CISOs must demonstrate the value proposition in a business context. Different stakeholders have differing needs, and not all execs will necessarily understand the various types of security tools and techniques, however, they will almost certainly understand business impact, ROI, and Cost-Benefit analyses. Quantifying the potential risk in business language, combined with any relevant metrics will go a long way towards obtaining executive sign-off. Finally, try to avoid using the classic Fear, Uncertainty, and Doubt (FUD) tactics. Saying “the sky is falling” every time you’re seeking investment can quickly lose credibility.
PI: How are cyberattacks changing at the moment? What are the biggest threats companies need to focus on?
AS: Cybercriminals have become highly artistic, inventive, and opportunistic with weaponization. Business Email Compromise (BEC), Phishing, and of course Ransomware continue to dominate the headlines. What we see today is a significant increase in relevancy-themed attacks.
At the beginning of the pandemic, several firms were required to undertake major operational transformations. Almost overnight, global workforces were no longer “working-from-home” but instead “working-AT-home”. This led to a huge increase in social engineering attacks and Covid-19 themed emails, as cyber criminals saw the possibilities of people becoming more inclined to click through links or follow bad instructions.
Cybercriminals are now well-funded, extremely organised, with highly sophisticated tooling at their disposal. It is prudent that we continue to educate the workforce on such threats, refresh relevant policies, and update processes to help mitigate the risks. Companies should also proactively test Incident Response and Business Continuity plans – if you don’t test them, someone else will!
PI: What do you think about when you hear the word “integrity?” Particularly, system integrity. How important is that in security, compliance, and operations?
AS: Integrity is key! It literally is one of the core information security principles, right next to Confidentiality, and Availability. Company systems and the data they access must remain free from accidental or intentional tampering to remain trustworthy. The accuracy, completeness and validity of both systems and data is integral to successful business operations. Without that, you have very little.
PI: Security frameworks are a vital part of any security program. Where would you advise organisations to invest most of their time?
AS: Frameworks are a lot like a row of houses. From the outside, one house may look identical to the next, but on the inside, each is decorated and laid out differently. The framework simply provides a structure – without one, you have no house. However, the methodologies applied are what make the house your own.
This is how I think about security frameworks. They are immensely beneficial, but they exist to help guide the business to implement the necessary controls in a subjective way, without being handcuffed to a rigid axiom. For anyone starting off, I would suggest CIS-18 and the NIST CSF to help assess and build your infosec management system. In my experience, both provide the behaviours, procedures, and unification standards that almost any business would wish to promote.
PI: We know supply chain risk management is a huge issue right now, how do businesses typically manage this process? What best practices can you share?
AS: There’s no party like a third-party! Supply Chain security is such a hot topic right now. So much of our data traverses through countless vendors, it’s very difficult to keep track of the complete lifecycle. The challenge is then not to eliminate the risk, but to minimise it. The long list of controls such as data inventory, classification, enhanced visibility, encryption, and reporting, are just some of the practices companies need to consider gaining perpetual control.
Beyond the data aspect, vendors in the supply chain must also be classified for operational resilience. Maintenance of an accurate inventory and thorough business-impact-analysis are essential. Truthful risk assessments should be frequently performed, with any necessary security controls implemented and reviewed. This is especially necessary for any tier-1 / critical vendors. Finally, engage with the Legal, Compliance, and Procurement teams to help define and perform repeatable due diligence.
PI: What are the key threats in your sector right now? What are the main challenges CISOs are facing?
AS: The basics are still tough. Gaining full visibility of company assets, locking down administrative privileges, timely monitoring and response of enriched log data, even reviewing policy exceptions – all continue to be daily battles for most CISO functions.
Outside of the digital hurricane, obtaining AND retaining talented people remains challenging. There is a notable shortage of real high performers. Individuals who possess sound experience, combined with a genuine passion and zest for the profession continue to be in high demand. It’s can quickly become a corporate arms race.
Finally, to quote Peter Drucker, “culture eats strategy for breakfast” remains a truism.
If the current culture is an impediment to good security, and remains unwilling to change, it doesn’t matter how effective your strategy is, it will not be successful. Changing culture requires two things – top-down support and a tonne of patience. It’s not easy and takes time, but if you have those two things, the yield is positive.
Raising awareness, influencing behaviour, and strengthening culture are pivotal for a greater security posture. Very time consuming, but totally worth it.
PI: Have you ever been involved directly in a data breach? What lessons did you learn?
AS: Sadly, yes. I will not comment on specifics but I can tell you without equivocation, a major incident will increase your number of grey hairs!
PI: Aman, absolutely fascinating, many thanks for giving up some of your valuable time to talk.
More in the CISO Interview Series:
CISO Interview Series: The challenges of being the CISO for the University of Oxford.
CISO Interview Series: Cybersecurity at a Global Scale
CISO Interview Series: Investing in Frameworks, Humans, and Your Technical Skills
CISO Interview Series: How Aiming for the Sky Can Help Keep Your Organization Secure
About the Author: Philip Ingram MBE is a former colonel in British military intelligence and is now a journalist and international commentator on all matters security and cyber.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.