Friday, December 25, 2015

CISO Interview Series: Vladimir Petranovic, CISO , Atlantis Healthcare

“create your long, medium and short term plans and then you work on them.”

Healthcare I would assume has a low risk profile as it is an organisation focused on wellbeing and good health. Is this a naïve assumption and in fact your organisation is targeted as much as others?
 
This is a very naïve assumption but unfortunately prevalent not only in the general public, but also within healthcare IT and senior management. This is especially visible with small healthcare providers that don’t have enough resources to dedicate to security and risk management. And the risks are huge; there are privacy issues related to patients’ data, governmental restrictions and standards required for holding and processing patients’ data, and sovereignty issues if the organisation is multi-national, where each nation has different rules and regulations.

I’m interested in understanding how you engage with the business folks in healthcare? Assuming many of them are doctors and administrators do they understand the importance of cyber security?

Most of them support security initiatives, but when it comes to execution there is not enough will and determination to invest in security. However, the same people hit quite a high hurdle when they start to negotiate with government organisations and customers that require certain levels of security posture.

On a scale 1-5, do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

Obviously it should be 5, simply because most healthcare organisations are significantly lagging behind security requirements and regulations, so they will need to catch up in order to survive.

Could you describe your average day as CISO? Do you have a particular routine for the start and end of day?

Every day is different, but I usually start working at 6 AM so I’m well prepared for the next day. I don’t like surprises so my first activity is to check security news and statuses.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

You need to create your long, medium and short term plans and then you work on them. Then you need to create your priorities and make a decision about where you are going to channel your energy in that moment. It all depends on priorities.

I’ve heard that “information that healthcare organisations hold is anywhere from 50 to 250 times more valuable than other personal information”.

So if I was a hacker, then there is some really interesting personal information that would be stored by Atlantis Health. How do you secure these ‘crown jewels’?

I can’t put a monetary value on personal information. If breached it could mean a big reputational hit to an organisation and even the end of that organisation. The governmental organisations are very strict and conservative when it comes to personal information leakage, and breaches usually end up on TV news with the health minister having several microphones under his (or her) nose.
To protect private information you need to make sure you follow all the health standards, rules and regulations in the first place; then you need to assess your specific risks and devise countermeasures to eliminate them.

What percentage of your records are digitized and how much are scanned documents? Do you apply the same security framework to both media?

Most records are in digitised form; only a small proportion of records are in physical form. Security of information in physical form is also under the realm of CISOs, and sometimes it is easier to explain security issues of physical documentation than of electronic documentation. You simply cannot allow situations like the one where private documents were floating down the road just because nobody expected flooding risk.


For Best Practices where do you look to understand this in both general terms and more specifically around your own domain?

For me, best practices are for general types of organisations like textile factories, forestry etc. Healthcare is under strict regulation from the government and has to satisfy the same requirements as the other governmental organisations (internal affairs, police, military).


Are you more concerned about the internal technology vulnerabilities or of rogue insiders?

These days if you say that you are concerned about rogue employees you will probably be on the aim of internal politically correct watch keepers. So you don’t say it. You run security awareness programs where each presentation starts with the slide that specifies the percentage of internal breaches in other organisations.


When you think about adding new talent into your team. What key attributes that you look for when selecting a new staff member? Also I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?

Personally I look at the completely opposite attributes than typical HR and the rest of CxO team. I look at the quality, expertise and similar categories. Everything else is less relevant.

How do you keep up to date with developments in Cyber Security? I heard another CISO who ensures that his staff are all accredited to be able to ‘hack’, thus they understand vulnerabilities and can ‘defend’.

Personally, I like to work on several fronts simultaneously. You need to be a member of professional bodies and follow their activities, you need to follow industry developments and you need to follow academic developments and research. If possible you should do academic research yourself.

Finally, what keeps you awake at night?

A good sports event or movie.

CISO Interview Series: Manoj Tewari, Sr. Manager, Group Information Security, International SOS

"The most difficult part of the job is to stay on top of advanced threats, remediation and persuade other teams to remediate"


International SOS has a unique position of being a provider of services for organisations that are trying to assess Security & Operational, Cyber risks etc. You also have to secure your own organisation. What’s the most difficult part of your job at International SOS?

The most difficult part of the job of my team is to stay on top of advanced threats, the associated remediation of vulnerabilities, and persuading other teams to remediate the vulnerabilities before someone else (hackers, enemies, or competitors) exploits these potential vulnerabilities.

Could you describe your average day as CISO at International SOS? Do you have a particular routine for the start and end of day?


Manoj Tewari: Every day is unique and full of opportunities to learn, share and lead. On a daily basis with a few exceptional days, I get involved in:
  • Negotiating in matrix structure on financial approvals closely coupled with organisation change management related to implementation of new security technologies.
  • Describing and advocating the security posture of the organisation to clients and helping sales & marketing to achieve their objectives by building trust with clients.
  • Risk based discussions with general managers and technical discussions with security analysts and engineers.

On a scale 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

Manoj Tewari: I’m very confident that our budget will increase over the next 3 to 5 years, as we have been able to plan and deliver upon the security strategy that we decided 2 years ago.
In the last three years Global IT Security has built trust with several stakeholders by delivering on plans that helped the organisation to achieve a much better security posture. Over the next few years, we will focus on implementation of advanced solutions, operational aspects of fundamental security services, and certifications. Surely, this journey towards excellence will continue.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

Manoj Tewari: Today’s agenda always gets first priority; however, strategic actions are always considered. We have a security operations team that works 24x7x365 to take care of operational issues and a dedicated team of experts and project managers working on new security solutions.

There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?

Manoj Tewari: We are highly focussed on top security service providers with credibility and the capability to execute. For almost all decisions on new service providers, the two key parameters that we don’t compromise on are ‘excellence in execution’ and ‘excellent support structure’.
We treat our service providers as our key partners because they bring capabilities that are necessary for the organisation to conquer the cyber game. It works best when we partner with the best in the industry.

What do you regard as the crown jewels within International SOS that has the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?

Manoj Tewari: For all companies, and so for International SOS, there are critical IT systems that are considered crown jewels. Due to confidentiality reasons, I cannot document those systems here; however, I can assure you that we integrate security in business requirements, application build and the infrastructure layer for the key systems. We implement administrative, technical and physical security controls to build layered security around these key solutions.

We test our incident management and data breach notification procedure with a mock test every six months so that our team is prepared and aware of their roles and responsibilities in the security incident and data breach notification procedure.


For your clients I assume that there are specific guidelines that you provide for securing their travel to certain countries and locations. Does this specifically cover IT and Information Security – could you provide a flavour of the value of this?

Manoj Tewari: Yes, it covers specific requirements of our clients related to information security. While we provide emergency medical and travel information services to our clients, we also provide an assurance on information security of the data that we collect from our clients. The information assurance is an integral part of our services.


Within the International SOS environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?


Manoj Tewari: Most of the time we are busy with internal technology vulnerabilities. The technical vulnerabilities get the priority; however, we also have documented procedures to respond to rogue employees. Thankfully, we haven’t faced rogue employee issues in our organisation leading to information security incidents or data privacy breaches so far.



When you are recruiting new talent into your team, what key attributes do you look for when selecting a new staff member? I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?


Manoj Tewari: There is surely a shortage of the right talent pool in the security industry. It is very difficult to get people with the right mix of technical and soft skills. It generally takes 3 months to find people with the right skill set. Key technical skills such as security analysis, penetration testing, and security architecture are rare skills.

Finally what keeps you awake at night?


The idea that hackers have to be successful only once, while we have the challenge of remediating every single vulnerability, keeps me awake at night.


CISO Interview Series: Hai Tran, CISO, WA Police

"With government moving to cloud services … understanding the security capabilities is important"


Could you describe your average day as CISO at WA Police? Do you have a particular routine for the start and end of day?
As I am involved throughout the lifecycle of a project, the typical day includes meetings with a diverse group of stakeholders, committees and technical briefings. I don’t have a particular daily routine except for keeping my eye on the news.

Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
Organisations have become increasingly aware that information is a key business asset, potentially thanks to increased media coverage of security breaches. Over time information security professionals have matured, focusing their skills towards improving business performance through governance, risk and compliance activities. The increasing level of maturity of security professionals has meant that businesses do see value in investing more in information security.

On a scale 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
I expect a moderate uplift in spending on Cybersecurity over the coming years. This is part of ensuring security is inherent in every project and service across the agency. There is also an ongoing effort to reprioritise existing spend on those initiatives that will produce the most significant outcomes.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
Targeting longer term security initiatives, such as providing security architecture services and risk management services during the conceptual stages of a new information system project, is an investment that delivers an ongoing business benefit. Getting some of those initiatives rolling before dealing with the tactical issues of today means that there are fewer tactical issues going forward. Establishing documented, repeatable processes and procedures is, more often than not, a higher priority than dealing with short term issues.

I’m interested in understanding the degree of engagement that you have with the average policeman? I assume that you are a specialised unit operating within WA Police.
I am fortunate enough to be able to work closely with the deputy CIO and his staff officer; both are sworn members. This allows me to socialise ideas and initiatives with them and to obtain feedback from them as to how these might affect frontline policing. The sworn officers help ensure that any communications and engagement with frontline officers are effective. My primary aim is to ensure that frontline officers have access to reliable and accurate information when and where they need it.

There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I have seen an increase in cloud services security assessment offerings. The general trend in government moving to cloud services means that getting visibility across the agency on the use of cloud services and understanding the security capabilities is important.

WA Police would clearly be a target for hackers. How do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
The agency conducts regular vulnerability assessments and penetration tests conducted by both agency staff and external contractors.

I would expect that there is more and more data forensics work that WA Police have to perform in their role. How do these shifts change the cyber security stance that you need to adopt?
Data forensics is a function that is performed by the Technology Crime Unit. Conversely, I’m focused on prevention, detection and stopping any security breaches ASAP. Identification of the offender and subsequent prosecution isn’t my focus.
If there is a significant security incident I refer that matter to the technology crime unit. They are appropriately resourced to conduct forensics and investigation.

When you think about adding new talent into your team, what key attributes do you look for when selecting a new staff member? Also I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent, and is this especially hard in WA?
Traditional security functions have been devolved as technical security controls have become pervasive within the network and server teams, or have been moved to cloud services. The key skills I look for in information security professionals are:
  • The ability to communicate technical information with a diverse group of non-technical stakeholders.
  • Able to build good working relationships across the entire organisation.
  • Research and report writing skills.
  • Being able to objectively look at risk vs reward
  • Have a “can do” attitude
  • Being a trusted advisor instead of a road block
Building a good team can be challenging in WA because many of the experienced security professionals are based on the East coast.

Finally what keeps you awake at night?
It’s pointless worrying about when an attack will occur. I try to focus on ensuring that when one does occur, we have the right process and procedures in place to minimise any damage and be able to restore from backups.

How businesses can make more of their existing security infrastructure

There is never going to be enough budget for all the security risks that exist in any enterprise. This leaves you in a tricky and most likely precarious position that you, as the leader, have to address.
In most organisations, just ensuring that this funding gap is understood is critical, but it doesn’t get you off the hook.

So what can you do about this?

Most of the measures below fortify your enterprise without requiring big investment dollars.

Build Security into Digital efforts
Be on the front foot and get yourself, along with your team, into the game. Don’t wait for new digital initiatives to be launched; I would suggest that members of the Security Team get involved early in new developments and attend the standup meetings of the groups that are building these new digital tools.

It is often these changes to the environment that introduce new vulnerabilities and risks. The partnership between the CDO / CMO and the CISO is going to be critical for all enterprises that are moving towards a digital future – so in reality that means everyone.


Challenge how Tools are already used


Is it the tool, or how your team uses it? From what I have witnessed, we implement a bunch of tools over a period of time and also have legacy tools installed that we frankly don’t always understand. I’ve seen instances where firewall rule sets run into the thousands of rules, and I would challenge any single person to rationalise whether, taken as a whole, they are actually effective.
Having your team challenge how the tools have been implemented, and optimising them, adds confidence to your understanding of your actual strengths and weaknesses.

By having a hard look at your Security Architecture, you will find opportunities that point to legacy technology that is superfluous. In speaking to Rob Lentz, the retired CISO for the US Department of Defense, he commented that “in his experience 80% of all security systems are legacy”.

This provides an incredible opportunity to reshape and challenge the status quo.
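One concrete way a team can “challenge how the tools are used” is to check a large rule base for rules that can never fire. The following is an added example, not code from the article or from any firewall vendor: it models a first-match-wins rule base in a constructed text format (name, action, protocol, source CIDR, destination CIDR, destination port range) and reports every rule that is fully covered by an earlier rule. A covered rule whose action matches the earlier one is dead weight; a covered rule with the opposite action is a conflict, which is the kind of finding that is invisible when a rule base is read one line at a time. The rule format and the sample rules are assumptions for illustration.

```python
"""Find firewall rules that can never match in a first-match-wins rule base.

Added example for rule-set rationalisation; the line format and the
sample rule base below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    ports: tuple         # inclusive (low, high) destination port range


def parse_rule(line: str) -> Rule:
    """Parse one constructed line: name action proto src dst port[-port]."""
    name, action, proto, src, dst, ports = line.split()
    low, _, high = ports.partition("-")
    return Rule(name, action, proto, ip_network(src), ip_network(dst),
                (int(low), int(high or low)))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would also match `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules):
    """Return (rule, covering_rule, kind) for every rule that never fires.

    kind is "redundant" when both rules take the same action and
    "conflict" when a rule with the opposite action is hidden behind
    an earlier one. Only the first covering rule is reported.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "conflict"
                findings.append((rule.name, earlier.name, kind))
                break
    return findings


# Constructed sample rule base (not from any real deployment).
SAMPLE_RULES = """\
R1 allow tcp 10.0.0.0/8 192.168.10.5/32 443
R2 allow tcp 10.1.0.0/16 192.168.10.5/32 443
R3 deny tcp 10.0.0.0/8 192.168.10.0/24 22
R4 allow tcp 10.2.3.0/24 192.168.10.7/32 22
R5 allow udp 10.0.0.0/8 192.168.20.0/24 53
R6 allow any 0.0.0.0/0 192.168.30.0/24 80-443
R7 deny tcp 172.16.0.0/12 192.168.30.9/32 443
"""


def analyse(text: str = SAMPLE_RULES):
    """Parse a rule base in the constructed format and report shadowed rules."""
    rules = [parse_rule(line) for line in text.splitlines() if line.strip()]
    return find_shadowed(rules)


if __name__ == "__main__":
    for shadowed, by, kind in analyse():
        print(f"{shadowed} never matches: covered by {by} ({kind})")
```

On the sample, R2 is redundant behind R1, while R4 (an intended SSH exception) and R7 (an intended deny) are both unreachable because a broader earlier rule already decides those packets. A real rule base also needs the case where several earlier rules jointly cover a later one, but even this single-rule check surfaces the class of problem the section describes.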


Treat Security as a Portfolio


Understand how all the components you have complement each other. This is somewhat like a Design Thinking approach, looking at the issue from the broadest possible perspective.
This means that you understand how security affects the customer experience and ensure that, where there are interventions, they are both appropriate and measured.

We want our users both internal and external to be an effective ‘1st line of defence’ and this can’t be enabled unless their roles are designed correctly. By treating security as a portfolio of change we can get some advantage.

Strengthen your Partnering


Partner with your vendors, internally, and with others outside your own organisation that you can benchmark against.

First, your Security vendor, who is a great source of knowledge and often not utilised enough to provide you with updated intel. Vendors can provide you with good benchmark data and, perhaps more importantly, suggested updates on recommended configuration changes.

Internally with IT Infrastructure – are you partnering to work together on security? For many enterprises there is a somewhat adversarial element to this relationship, and there are not always shared goals and measures. As the leader you have to drive the alignment of the teams, starting with regular joint team meetings.

Externally, you can never overdo the degree of networking that can be done. Select others in the ecosystem to share information with, especially those who use similar security components.


Be Disciplined


Patching, patching, patching… sorry to be boring, but this will keep the existing capability that you have in place operating at the maximum level possible.

This has to be measured and remeasured, along with strong accountability within the team to ensure your security infrastructure and IT infrastructure is kept up-to-date.

Just by being ‘disciplined’ we can make more from our existing security infrastructure.


Step Change versus Continuous Improvement

 
Security is like all other domains: there are times for large-scale transformation, and there is always going to be scope and value in continuous improvement. All businesses can make more of their existing infrastructure; all it takes is a mindset of tackling the issue.

CISO Interview Series: Jeff Jacobs, CISO, IAG

"Exploring ways to build security into DevOps to ensure new digital services are ‘secure by design’"


Could you describe your average day as CISO at IAG? Do you have a particular routine for the start and end of day?
It's hard to describe an average day at IAG. So far no two days have been alike. My days are a combination of setting strategy, making various choices, engaging with my team and colleagues and making things happen.
I like to start my day by getting up to speed on what I need to focus on for the day over breakfast and a coffee. I then usually finish the day with a list. I love lists. They keep me focused.


Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
For many of the larger players like IAG there has always been a focus on cyber security in some form. However the growing sophistication of adversaries and the magnitude of the losses experienced by some high profile organisations has likely led to cyber security becoming more front of mind.

Also, many of the global consulting and research firms have confirmed cyber security as one of the top priorities for the next few years.
Boards are acutely aware of the new and emerging risks in this space and this is certainly having an impact. Progressive companies are tending to invest more in this area and I expect this will be the norm for some time to come.

On a scale 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
IAG takes the security of its information very seriously. As such, we would rate our plans to invest as a “5” on the scale. The evolving threat landscape and our own transformation to a digital enterprise are the key drivers for an increased focus in cyber security investment.


How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
It’s just one of those things that you have to do as a senior leader. It’s not specific to Cyber Security. All leaders have to balance between longer term strategy and day to day issues. From my perspective, it’s what keeps my job interesting. As I said earlier, no two days are alike in IAG.

I’m really curious on how your job is measured, would you mind sharing your key performance objectives (just the headings not the details)?
As an IAG executive I am measured on the same KPIs as the other executives. Our scorecards cover the usual shared areas of customer, culture, financials and business outcomes. I also have a number of personal objectives around building the new cyber security function and uplifting our capability across the globe.

There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I am looking at a number of start-ups in the cyber security space. There are so many areas that are of interest ranging from new forms of encryption, innovative ways to think of passwords, identity and access management to name a few. There are also organisations that are looking at novel ways to protect the Internet of Things against new threats. All of these are catching my eye.

What do you regard as the crown jewels within IAG that has the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
I am pretty sure that this is the one question that most CISOs would be too paranoid to respond to in too much depth.

Certainly we put a lot of emphasis on protecting our data and a key focus for us is on responding and recovering when required.
Only recently we ran a very successful exercise with our executive and broader teams in a mock cyber exercise. Although it went very well, we did learn a lot.


I’m aware that for IAG, Digital is a major strategic driver and clearly on the radar of your new CEO. How much attention have you paid to this online channel in your tenure so far?
This is one of the core drivers of our enhanced focus on cyber security, and it’s not just about our online channels. For us Digital and digitisation permeate everything we do. There are a range of new challenges that enterprises face when ‘going digital’. One area of focus right now is ways to safely expose our information and services via APIs. We are also exploring ways to build security into DevOps to ensure new digital services are ‘secure by design’.

Personally I have been very close to this because in my previous life I was consulting in this space to IAG.



Within the IAG environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?
I don't make a distinction. We are focusing our efforts on detecting and responding to all threats.
Certainly internal technology vulnerabilities are an area that we do need to focus on. Also, addressing this reduces our exposure from both internal and external threats (both deliberate and accidental).

I've noted that you are in the process of recruiting new talent into your team. What key attributes that you look for when selecting a new staff member?
I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?

Yes, I am recruiting. I am trying to assemble one of the best cyber security teams in the country and I always expected that this would be a challenge. Having said that, anyone who has worked with me will know that I am persistent and confident. Finding new talent is part planning, part timing and part luck. I am confident I will find the expertise I need.

How do you keep up to date with developments in Digital innovation and Cyber Security, this is clearly a dynamic area and it must be challenging?
It certainly is a constantly changing area. Fortunately I am genuinely passionate about this topic and always have been. So for me, keeping up to date is not tiresome because I love the topic. I keep up to date through a combination of endless reading, listening to industry experts and vendors, and collaborating with peers. One thing I have learned is that the more you share, the more you get back.


Finally what keeps you awake at night?
Lately it’s been Cyber Security webinars scheduled at very unfriendly times!

CISO Interview Series: Silas Barnes, CISO, Virgin Australia

“There's not yet any evidence that remote control access of an aircraft's avionics system via an in-flight wifi network is possible”


Could you describe your average day as CISO at Virgin Australia? Do you have a particular routine for the start and end of day?
An average day includes a variety of meetings, project reviews, steering committees, strategy sessions, presentations and briefings. Each day is different, but I try to kick them off in the same way - spending the first 30 minutes going through emails, catching up on global infosec developments over the last 12 hours, logging into monitoring consoles and going through the list of notable events identified by our various security systems. I try to reserve the late afternoon and evening for tool development, coding and other technical work.

Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
Information security is a hot topic, and increasingly an item on the agenda at company board meetings. Computer-based threats are experienced across all sectors, and businesses are looking to build a stronger leadership capability by creating a senior security role at the top level of the business. While the ability to procure modern security technology is quite easy, obtaining experienced information security leaders remains a challenge here in Australia.

At Virgin Australia the CISO role reports directly to the Group CEO, John Borghetti. The positioning of this role in the organisational structure reflects both its importance to the business and the acknowledgement that information security is not an IT challenge – it’s a business challenge.

On a scale 1-5, do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
Further investment is planned, and the key driver is the change in investment strategy that a modern approach to information security requires. We call it the Stop:Response Ratio - the level of investment put into stopping attacks before they breach the network versus that put into detection, response and recovery after a successful attack.

While baseline investment in solutions to stop attackers at the gate remains essential, successful penetration of networks by attackers is inevitable. Companies must place more focus, and investment, on early detection, response and recovery.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
Like most prioritisation challenges, a risk-based approach is key. Flexibility is also important, as is a good understanding of the pipeline of projects and initiatives that the business has planned - across all business functions, not just information technology.

I’m interested in understanding the degree of engagement that you have with the business folks in Virgin Australia? How is cyber security viewed from their perspective?
One of the first points I make to new staff is that security is a support service - we're here to help the business achieve its strategic aims by contributing in the area of information security. Engagement with all parts of the business is crucial, and we've put increased focus on growing our enterprise security awareness to ensure it covers all areas of Virgin Australia.

Like most businesses, we have a diverse workforce when it comes to security awareness and experience. Building a strong information security culture is one of the harder challenges, but approaching awareness training from a personal angle rather than a business perspective helps make it "real" for staff.

There are many new cyber security start-ups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
There are a lot of new players on the market, which is not surprising given the explosive growth being experienced in the sector. We use a small number of specialised providers to support us when it comes to security services – the relationship we have with these companies is very important as we take a no-holds-barred approach to penetration testing and attack simulation.

I’ve found in the past that some of the larger security service providers experience challenges in keeping quality consistently high during periods of fast growth. At the end of the day it depends on what you, as an organisation, want to get out of your security services. We’re not just after a compliance tick – we want to know how all parts of our security supply-chain are performing.

What do you regard as the crown jewels within Virgin Australia that have the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
For us, keeping our planes flying safely and protecting customer data are our top priorities. As an airline, we have always had a strong focus on business resilience, and our information security incident simulations are now run as part of the business resilience team’s annual program.

More and more we are hearing about airlines adding WiFi to their offering. What’s your view of this and how this changes the risk profile of an air service – is this positive or negative?
In-flight internet services have been around for many years, as have discussions around any associated risks. While it's a headline-grabbing concept, there's not yet any evidence that remote control access of an aircraft's avionics system via an in-flight WiFi network is possible. Aerospace companies make use of one-way network interfaces for sending selected flight data to in-flight entertainment systems, along with a host of other controls to maintain the integrity of the on-board avionics control system.

Virgin Australia takes all potential information security threats seriously, and the risk in this regard is extremely low. I believe in-flight internet access in Australia will be a great connectivity option for travellers when it does eventually arrive.

Within the Virgin Australia environment, are you more concerned about the internal technology vulnerabilities or of rogue insiders?
Like most security teams, we're concerned about a range of threats to the business, which also include emerging vulnerabilities and malicious insiders. At some point, you will have to provide high-level access to individuals in order for them to perform their role - ensuring you have the right spread of both preventative and detective controls in place increases your chances of catching malicious behaviour early.

Internal vulnerabilities will always present a challenge, particularly when exploit code is made widely available before vendors have released security patches. A flexible approach to vulnerability management coupled with the ability to move quickly means that even if the temporary solution isn't clean, it will tide you over until an official security patch becomes available.

When you think about adding new talent into your team. What key attributes that you look for when selecting a new staff member? Also I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
Passion for all things security is critical. We also look for people with great customer service skills, an eye for detail and a flexible approach to problem solving.
Part of the onboarding process for all new infosec team members at Virgin Australia (including the CISO) is the requirement to gain certification as an Offensive Security Certified Professional.

Knowing how to attack improves your understanding of how to defend, and the training provided by Offensive Security also arms staff with the foundational skills to meaningfully contribute to internal penetration tests. Because we expect a lot from our staff, we choose them pretty carefully.
Acquiring senior talent is probably the most difficult task - it took almost 12 months to find one of our recent hires.

How do you keep up to date with developments in Digital innovation and Cyber Security, this is clearly a dynamic area and it must be challenging?
It can be. Being an active member of the local information security community definitely gives you an advantage in this space - building strong connections with like-minded security folk across all sectors helps keep you in tune with the local and regional threat landscape.

I'm lucky enough to be part of a fantastic community team that participates in various “Capture The Flag” competitions a few times a year, which is a great way to keep the technical part of the brain moving. There are some great local, regional and international conferences such as Def Con in Las Vegas and RuxCon in Melbourne but at the end of the day, keeping up to date means committing hours outside of work.

Finally, what keeps you awake at night?
A combination of my two-month-old baby and knowing that no organisation can completely mitigate the risk of successful attack, but having a great team who work tirelessly to protect our digital assets does help me get some shut-eye.


CISO Interview Series: Kevin Shaw, Head of Security, Foxtel

"Incident response plans are ‘war gamed’, and are done so on a regular basis"

Could you describe your average day as Head of Security at Foxtel? Do you have a particular routine for the start and end of day?
I try not to settle into predictable routines, but there are a number of tactical priorities I like to address at the start of the day. Things like reviewing threat intelligence, checking over the managed security service dashboard, and checking in with the security team for status updates.
Generally my day is split between operational security matters, supported by our Operational Security Manager, responding to requests for advice from business units and project teams, and driving our strategic security agenda.

Something that is a continual focus and almost daily activity is finding ways of ensuring that security is front of mind with our executives so we can continue to maintain a good security culture throughout all levels of the organisation. A good chunk of time is spent looking at how to generate meaningful security metrics and communications for the executive from the ever growing pool of operational data.

Like most security professionals, there is no clearly defined ‘end of the day’, but I do tend to focus more on reading security news and trends and networking with others in the security community.

Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
There is certainly a heightened awareness at the executive and board level, which has led to changes in security leadership and the size and mix of security teams. These organisations are realising that traditional security approaches and technologies are no longer adequate on their own and are looking to security leaders who can build capability in the areas of detection and response, rather than classic defend/deflect capabilities. They are looking for individuals who are well connected to the global security community, which keeps them informed of emerging threats, interesting new technologies and players, and who can leverage their professional networks to the advantage of the organisation.
Change such as this takes time to wash through the system, and while I am seeing early indicators of change such as fewer and fewer security leaders with IT or IS in their titles, the vast majority are still reporting into a CIO or similar function, which indicates that to some degree security continues to be perceived as an IT issue to be ‘fixed’ rather than a business issue to be continually “managed”.

On a scale 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
I won’t give a scale rating but I do see investment increasing over the next 3-5 years, largely driven by changes in how we do business, such as cloud adoption, outsourcing business processes, and data management, impacting on traditional security models. These changes to security architectures and adoption of new technologies and services come on top of the existing security costs of maintaining ‘good hygiene’.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
It’s a juggling act but I am fortunate to be part of a team of good technical security professionals, ably supported by an operations security manager, that take the initial response to issues arising. Having an incident response plan and a third party cyber security incident response service certainly allows me to spend more time on our longer term security agenda.

My assumption is that for your line of business a “Man in the Middle” attack, with a 3rd party hacking onto your live broadcast, is a serious threat. Is this the worst thing that could occur to Foxtel?
I take it you are referring to something like the TV5 Monde attack? While there is no arguing that that was a very serious incident, like most incidents lessons are learnt and shared, and procedures and measures are updated and we all benefit from this.

That incident was a great example of the need to change from a mainly defensive model into a more detect and response posture. These days it is becoming difficult to prevent or even predict all attacks so organisations are being judged by the public and the regulators on how well they identify attacks and how effective their response is. I am not advocating losing defensive capability, which is basic security hygiene, but being better equipped to discover and deal with the ‘worst thing that could happen’ when it happens.

I have to assume that the crown jewels within Foxtel are content, such as prime-time new series shows, which has the highest level of security? Is that close to the truth? How do you conduct ‘mock’ incidents so that the team is prepared for such potential data breaches?
Content security is important to Foxtel and we do have, and do execute, a duty of care to protect this on behalf of the content creators and owners. Our crown jewels are no different than that of other organisations, being customer data, financial information such as credit cards, intellectual property, and so on.

I certainly advocate that incident response plans are ‘war gamed’, and are done so on a regular basis. They tend to knock out the kinks in the plan and provide ‘muscle memory’ so that when people are acting in a high-pressure environment the right actions are taken. It’s something the military have recognised for a very long time that is taking root in the corporate world.

There are many new cyber security start-ups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
There certainly are a few that I am keeping a watch on and ‘kicking the tires’, for example: Elastica in the CASB (Cloud Security Access Broker) sector, HIVINT in the security community portal space, Soltra in the threat intelligence arena.

Within the Foxtel environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?
It’s a very much contextual answer in that securely designed, configured, and patched technologies change over time, and circumstances can cause individuals to occasionally behave in less than acceptable ways. So I would say they are only two of the many risk indicators we look at on a continual basis, and manage through a continuous compliance monitoring regime underpinned by a focus on security culture.

What key attributes do you look for when selecting a new staff member? I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
Given there is a shortage of talent in the industry and we are competing with the financial services sector and consulting worlds for resources, I look for individuals who embrace and thrive on change, are willing to learn, able to accept accountability, are straight talkers, and are self-managing. Often to end up with good capable professionals it is a case of focusing their enthusiasm, giving clear expectations, providing the right training and career path, and recognising their contribution.

On the same note, given that it is hard to find talent, how successful have you been in training other IT professionals into a security career?
Over my time at Foxtel the majority of our security team have come from other areas of the business and IT department and most have stayed in the team. Not everyone enjoys the unpredictability and pressure that comes with a security career but when you come across those who do you need to hold onto them. It helps if you have a strong strategic plan that you can articulate well, where you can clearly lay out their role and development opportunities.

Finally what keeps you awake at night?
Many and varied things can keep me awake from time to time and sometimes do, but worry is a wasted and debilitating emotion. It’s better to be able to go to sleep knowing that you have the support of the executive, are further along your security journey each day, you have better detection and response capabilities than in the past, are supported by effective third party security services, and have a capable security team maintaining a good security hygiene level. Then if something happens you will at least be fresh when you come to invoke your incident response plan.


http://www.cso.com.au/article/589753/incident-response-plans-war-gamed-done-regular-basis/

CISO Interview Series: Michael Wallmannsberger, CISO, Wynyard Group

"Cost-effective security is only arrived at through careful and elegant design"

Could you describe your average day as CISO at Wynyard Group? Do you have a particular routine for the start and end of day?
I love that my role is broad and varied. Each day is potentially very different and I expect the work I do day-to-day to change over time. Right now I’m spending time helping the IT team to design security into the foundation of some work we have underway. In the longer term my focus will be much more on process, assurance, and engaging with people about security.

Do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
Yes, anecdotal evidence of companies making substantial new investments in security is increasing. Top management and boards are aware that security is a strategic business issue. However, few companies have sufficient awareness of risks and appropriate controls at all levels. Many are still not investing in enough of the right things. Security budgets in some organisations need to increase and that money needs to be carefully spent.

On a scale 1-5 do you expect that your own investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
To put a number on it, I’d say 4 out of 5. As a company operating in the crime fighting and security software industry, we invest substantially in cyber and information security and our investment is sure to increase. Our growth, products, markets and the rigorous security requirements of our customers will all drive demand for ongoing improvements in information security.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
I put priority on the longer term security agenda as much as possible because comprehensive, cost-effective security is only arrived at through careful and elegant design.

There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I track many vendors and products including a few new companies. Entire classes of controls like application whitelisting, threat emulation (sandboxing), and advanced analytics look set to become baseline features of high-security infrastructures.

Existing, as well as new, vendors are moving to claim this territory. For example, firewall veteran Check Point has sandboxing and mobile security solutions and I am watching the move by network vulnerability scanning vendors to incorporate scanning on the endpoint.
I also have my eye on the next generation of endpoint security approaches. Bit9 (application whitelisting) and Bromium (micro-virtualisation) are examples of how approaches to endpoint security are evolving. In large environments where consistent deployment of endpoint technologies is challenging, CISOs can look to advancing security analytics capabilities. One thing that is for sure, though, is that deploying traditional anti-virus is no longer doing enough.

What do you regard as the crown jewels within Wynyard Group that have the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
The “crown jewels” of an organisation can often be simply defined. For us what is really important is having a complete understanding of what is valuable data, who has access to that data, where it is located, who is protecting it and how well it is protected. For me our company’s intellectual property is one type of information that is most important for me to defend.

I have had the greatest success with mock incidents that have a realistic premise. Fabricating a good incident can be a lot of work. I recommend taking inspiration from real incidents (plenty are in the public domain) and encouraging users to consider routine issues—like a computer crashing unexpectedly—as a potential security event and to follow the incident notification and handling process so that it is well drilled.

Mike, given that trust is such a key part of why others work with your organisation, have you put in place any additional measures for your senior management around spear phishing etc?
Operating in the crime fighting and security software industry means that security is very much on the radar of key senior managers and those people take a keen interest in keeping up to date with new malicious attacks. With most large companies being bombarded with cyber-attacks all the time it is important to remember that senior management are just one type of privileged user—IT administrators are also risky users, for example.

When you yourself choose partners to work with – what’s the key criteria that you use to select and then also retain them as a partner?
Security is obviously my first consideration but I often observe that other important things like quality, design and user experience, functionality, support, and even value-for-money go in the same direction. It is difficult to get security right if your business is a shambles so I think of security as alluding to the canary in a coal mine. I also put a lot of stock in genuine partnerships and a frank exchange of ideas. A portfolio of security products is infinitely complex and there is sometimes a lot of vendor puff to bust through.

What key attributes do you look for when selecting a new staff member? I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
I always look for experience—at whatever level—and engagement with the security community. Security is a broad, deep, and rapidly moving discipline so a person has to be a passionate self-starter to have a chance of keeping up.

We need more talent in security but we also need to make better use of our people. Better technology is one part of that. Some organisations struggle more than others to recruit—it’s not unusual for recruits to have multiple offers—but I don’t think we are seeing the full impact of this yet. The very small number of practitioners with more than ten years’ experience and up-to-date skills is a concern. Keeping current is a challenge with so much to get done.

Finally what keeps you awake at night?
Worrying is not an effective control so I try not to lose sleep over things. The two challenges I am thinking most about at the moment are: (1) telling the security story succinctly without making it sound like the sky is always falling; and (2) job satisfaction and burnout amongst experienced security professionals. Every day a multitude of new cyber-attacks are launched so finding ways to stay cheerful when you are in charge of an unsolvable problem is something we need to master if we are to retain our most experienced people.

CISO Interview Series: Troy Braban, CISO, Australia Post

"Our approach when recruiting is based on culture, leadership and communications first"

Troy, would you please describe your average day as CISO at Australia Post? Do you have a particular routine for the start and end of day?

One of the things that I love most about this industry and this job is that there is no “average day”. Each day is different because of the variety in our work. This can include strategic discussions, solving customer problems, investing in our great people and of course keeping a careful watch on attacks, threats and our cyber activities. I have no fixed routine other than getting into the office as early as I can, which is typically around 6am, to get as much done as possible so I can spend time with my family at the end of the working day.

It is clear to me that “trust” is a key critical component of the Australia Post brand. Does “maintaining trust and the brand” appear on your own personal performance accountabilities that you are judged on?

This is definitely one of the great strengths of Australia Post and something that everyone, right across the company, takes seriously. It is not just my job or my team. Not just our Enterprise risk teams or brand and marketing teams. It really is everyone that cares about our customers, our brand and reputation. As such we are all accountable and measured on a range of brand and trust related aspects.

Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?

I personally believe there are two main reasons why large organisations have done this. The first is clearly in response to threats, breaches and media attention. The second however is where more mature organisations have understood early, ahead of all of this recent media attention, just how critical cyber security is to customer trust, brand and to new products and services that take advantage of software and technology. To the credit of our Executive Leadership team and Board, Australia Post is squarely in the second category. As an organisation we have been rapidly building a strong capability right across the business over a number of years.

On a scale of 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

The answer to this is very much a 5 – though I’ll expand on the definition of “investment’ to mean more than just money. Our business strategy is very clearly focused on providing eCommerce products and services for our customers. This includes helping consumers transact and shop online, enabling small businesses to sell online and partnering with larger businesses and government in their digital transformation.

As such Cyber and Information Security plays a critical role in our business strategy so we will continue to invest in the security of our customers, people and the community. Our spend profile will fluctuate – as it should. We’ll dial it up and down depending on our customers’ needs and business strategy, the threats and attacks that we face and also our risk appetite.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

One of my primary responsibilities is to build and maintain a great team and culture. And then invest in their personal growth in leadership, soft skills and security capability. I have a great team who look after much of the day to day. This enables me to spend as much time as possible with our businesses, helping deliver great products and services for our customers, helping enable our business strategy and steering the security strategy. I am a strong believer in leading by getting out of the way and giving great people opportunities – but being there when they need me.

There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I think the most interesting battle ground at the moment is on the end point. The old generation of anti-virus vendors are struggling to reinvent themselves and move at pace while a range of smart, well-funded startups have entered with a very different approach and value proposition.

What do you regard as the crown jewels within Australia Post that have the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?

Our crown jewels are easy to find in our business strategy. We are an eCommerce company with a growth vehicle in trusted services that wants to deliver more and more value for our customers.

Clearly that translates for my team into protecting and helping our customers use the services that we provide to them. We have a good understanding of this and over the years have done a range of incident and breach response preparation. Every time we do something we learn more and certainly have taken lessons from others in the industry.

Digital and online is clearly a key strategic part of where Australia Post is repositioning. How do you personally stay in touch with this digital channel which is exploding with developments?

There is no way I can, or should, do everything myself. I am a strong believer that great people solve hard problems so for me, leadership and culture is the answer to just about everything. From a digital and online perspective we have some exceptional people that have chosen to work at Australia Post and deliver great results. As an example we took the build of a new infrastructure environment down from over 20 days to less than 10 minutes – with a range of security patterns and tools pre built into the environment. I learn constantly from our teams and from immersing myself in what we do. I also learn from my peers in the industry whenever I can. Cyber Security is a team sport and the sharing network within Australia, and in some areas internationally is exceptional. I know that I can ring a whole range of CISOs and they’ll answer and happily share – which I will also do for them.

Within the Australia Post environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?

Honestly both of these and more. There are so many ways, both malicious and accidental, that an organisation could suffer an incident or breach. By the same token I am also worried about “too much” security that leads to driving away customers through poor experiences or in slowing down our business so much that we can’t compete. Our approach is to align our security program against our business strategy – with a non-negotiable on protecting our customers.

What key attributes do you look for when selecting a new staff member? I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?

From an industry perspective I say that we have a glut of people in certain areas and a massive shortfall in others. I can easily hire for a security operations role or to work in risk or compliance. However finding great agile security engineers or customer security leaders is a massive challenge.

Our approach when recruiting is based on culture, leadership and communication skills first. Then we look at security and technology skills. It is far easier to teach someone security content knowledge than to teach a positive mindset, a collaborative personality profile or a customer centric pragmatism. As a result our recruitment timing varies. Some roles are a matter of days while others can take months. We’ll wait for the right person rather than recruit someone with the wrong culture or leadership attributes.

When you choose partners to work with are there gaps in the Australian marketplace that you can’t find capabilities that you have demand for? (Could you provide some examples)

Yes definitely. I have found over the years that our partnership model tends to follow people rather than companies. Having said that there are still gaps. Finding a partner to do old world penetration testing is easy. Finding a partner to do secure software development in agile teams is a major challenge.

Finally what keeps you awake at night?

My 2 boys under 3!
And from a work perspective “coverage”. We have great executive support, leadership and I am lucky to have a wonderful team. We have built some exceptional capability and have done some really innovative things such as our agile security development and our customer cyber security services.

The coverage issue though is that despite all of that “good” it only takes one gap, one mistake or one unknown that could lead to that customer data breach or material security incident. As such I worry about covering everything that we need. Are we enabling all parts of our business effectively? Are we protecting all customers? Have we looked at every piece of code? Do we understand every partner? Can we cover every threat and every risk? Trusting in great people and taking a threat and risk approach is critical.

What is your Cyber Security Risk Profile?

Have I taken all the necessary steps to protect my enterprise against all current and potential future cyber threats? That’s the question that you will be asking yourself and savvy board members will be asking you.

There is some comfort in mitigating the risk: according to Marsh Insurance Brokers there has been a rapid uptake of cyber insurance, with a 25% increase during 2015. As the analysis from the World Economic Forum shows, there is a high likelihood of cyber attacks, and data fraud or theft is also a significant risk.

(Source – UK Cyber Security Report)
Large Companies Risk Profile

From that UK report, when we evaluate the risk profile for larger businesses, it is alarming to see the cluster of risks that sit towards the upper right of this 3x3 grid.

(Source: UK Cyber Security Report)

My read is that for most organisations this would be a good indication of the enterprise risks that are in play. One could argue that the relative severity may vary according to the industry and sector, and that the probability will also shift with how mature your risk management practices are.


A simple way to rate yourself

The USA National Institute of Standards and Technology issued a Framework for Improving Critical Infrastructure Cybersecurity. Its approach defines four levels of cybersecurity risk management sophistication:

Tier 1 (Partial) describes organisations where cyber risk management processes are not formalised and risk is managed in an ad hoc fashion.
For Tier 1 organisations, cybersecurity risk is an IT issue, tackled by an internal team with little to no external collaboration.

Tier 2 (Risk Informed) is where cybersecurity risk management is acknowledged as a concern. However it is still mainly managed by IT; there is a policy in place and some movement towards working with others at an industry level.

Tier 3 (Repeatable) is where there are comprehensive risk management policies and practices that are understood and implemented across the organisation, together with broader industry connections to address cybersecurity risk and share information.


Tier 4 (Adaptive) is the maturity level of organisations whose cybersecurity risk management is in a continuous improvement loop, with lessons learned from their own and third-party experiences. These companies have made cybersecurity risk management part of their corporate culture and they actively contribute risk information to larger industry efforts.


So where did you land?


For most of us, we are at best in the middle, at Tier 2 or 3.

The challenge for many organisations is then taking this framework and putting it into a practical action plan to improve and move the dial forward. Let me share with you what I believe are 10 commonsense tips.

Here goes:

10 practical tips

1. Identify the real risks (don’t get caught up with any hype)
2. Work with your Management Committee to refine the overall risk appetite and where this fits.
3. Understand the most important information and who really needs access.
4. Look at the broader threat landscape to understand where you are most vulnerable.
5. Protect the crown jewels.
6. Make everyone accountable and role model this
8. Establish Enterprise Cyber Security objectives and metrics
9. Action at a Portfolio level and not by silos. Hence you have to consolidate the requirements for all aspects of security (PCI, Audit, SOX, information, privacy, physical and BCP)
10. Partner when it makes sense and you need to add capability.

http://www.cso.com.au/article/588781/what-your-cyber-security-risk-profile/

10 Cyber Security Startups to note

Should you have time to wander through the myriad of startups listed on Angel List or similar sites, you will find a growing number of new players.

Each has picked a niche that the incumbent security players are not addressing adequately. As a result the variety of offerings is immense, and this in itself is educational as to how broad the problems facing CISOs are today.


Enjoy a stroll with these 10.


1. Cyber Security Simulation


Vthreat - this is a startup that provides a SaaS for testing your security. In essence it provides a simulation of an attack. What I like about this product is that it allows you to exercise your company's incident response. At the same time it will allow you to validate your team and the controls that are in place.
Clearly any simulation tool can never provide 100% assurance, but this is a reasonable starting point.




2. Cloud Endpoint

Thin Air – the idea of a cloud SaaS doesn't sound that interesting. However this is all about smart storage systems that understand corporate policies. What this means is that sensitive information, such as personal info or credit card information, is managed automatically by the platform.
Where I should not have access to credit card information, it is masked and redacted. Moreover, changes to this access are controlled with mobile-enabled functionality: press "1" to allow access or "2" to deny.


3. Gamify (Cyber Security Education)

Apozy – is all about educating your team on what is right and wrong. It is based on the common-sense understanding that people are the weakest link, so how do you educate them on threats and hackers?
The gamification approach hides the fact that this provides some real value in bringing your team to the right level of awareness.




4. Machine Learning for Data Loss Prevention


Check Recipient – This is about avoiding the "oops, I didn't mean to send that to that competitor" moment. Despite the reference to AI it is not scary or complex: the machine learning operates in the background to prevent you sending email to the wrong person(s).
The message is analysed against your social network and your normal inbox using textual analytics.
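The mechanism above can be approximated without any machine learning at all. The following is an added example (not Check Recipient's code, and not the original article's) that builds the "normal correspondence" picture from a sender's history and flags a recipient whose domain is either brand new or a one- or two-character slip from a domain the sender normally writes to, the classic typo-squat case. The sent history and recipients are constructed sample data; the thresholds are assumptions.

```python
"""Heuristic misdirected-recipient check.

Added example, not Check Recipient's algorithm. Two signals are implemented:
  * the recipient domain has never appeared in the sender's outbound history, and
  * such a new domain is a close edit of a known domain (e.g. 'acme.co' vs
    'acme.com'), which is how most 'oops' emails start.
"""
from collections import Counter

# Constructed sample history: addresses this sender has mailed before.
SENT_HISTORY = [
    "alice@acme.com", "bob@acme.com", "carol@acme.com",
    "dave@partner.example", "bob@acme.com", "erin@acme.com",
]


def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-character domain slips."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def known_domains(history):
    """Domain -> number of past messages sent to it."""
    return Counter(domain_of(a) for a in history)


def check_recipients(recipients, history=SENT_HISTORY, typo_threshold=2):
    """Return [(recipient, reason), ...]; an empty list means 'looks normal'.

    typo_threshold is an assumed cut-off: a never-seen domain within this many
    edits of a known domain is reported as a probable typo rather than merely new.
    """
    known = known_domains(history)
    warnings = []
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom in known:
            continue  # sender has written to this domain before
        if not known:
            warnings.append((rcpt, f"domain '{dom}' never mailed before"))
            continue
        # Nearest known domain; a small edit distance suggests a slip of the finger.
        nearest = min(known, key=lambda k: edit_distance(dom, k))
        if edit_distance(dom, nearest) <= typo_threshold:
            warnings.append((rcpt, f"domain '{dom}' looks like a typo of '{nearest}'"))
        else:
            warnings.append((rcpt, f"domain '{dom}' never mailed before"))
    return warnings


if __name__ == "__main__":
    for rcpt, why in check_recipients(["bob@acme.co", "x@rival.example", "alice@acme.com"]):
        print(f"WARN {rcpt}: {why}")
```

In a real mail gateway the warning would be raised before the message leaves the outbox; the point of the example is that the "social graph" signal the text describes is largely a comparison against the sender's own history.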



5. Secure Office 365 Documents

Vera – this has been described as "Snapchat for files and documents", but forgetting that connotation, this allows Office 365 users to apply security to any file.

Simply right-click on the file to choose encrypt; the file is then sent to a third party with the security policy and is decrypted on arrival as an email. Office 365 files can also be protected in SharePoint or OneDrive.

Any usage of the file is tracked, and you can stop access with a recall button; this can be revoked from your mobile phone.

6. Malops - Detection of Attacks
Cybereason – we can never be 100% sure that we are able to detect every attack. This startup was founded by former Israeli intelligence officers and is all about detecting attacks as they happen, what they have termed Malops (Malicious Ops).

The assumption is that you can't prevent the hackers, but you want to be able to identify malicious activity. Cybereason profiles everything in the environment and cross-compares, but it does require an installation on every device.

7. and 8. Document Security


Doc Send and Doc Tracker – these are two new startups with similar offerings. As we are aware that most data (85%) is still stored in documents, we need stronger security on this once it leaves our premises.

These solutions allow you to track: who opened, who read, how long was spent on each page and whether it was forwarded to others.

Doc Tracker has the same functionality but also allows you to remotely destroy the document.

9. IP Protection 


Shield Square and Distill Networks – for some CISOs there is also the ancillary responsibility of managing brand trust.

Distill Networks is a startup that works to protect websites from bot attacks; it runs in a virtual cloud or on a private enterprise server. It is able to detect and stop competitors from price-scraping your websites, and it also allows you to protect your brand logos and images from scraping.

Shield Square provides similar functionality to protect your IP from malicious bot traffic. The value proposition for using such products is that they stop competitors in the eCommerce space from copying your prices, with the tool serving 'fake' prices to the bots.
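To make the price-scraping problem concrete, here is an added example (not Distil's or Shield Square's code, and not from the original article) that runs a few detection heuristics over web server access logs and then serves a decoy price to any client that has been flagged, which is the behaviour the text attributes to these products. The log lines are constructed sample data in combined log format; the window, rate and sequence thresholds and the 15% decoy markup are assumptions.

```python
"""Scraper-bot detection over access logs, with decoy pricing for flagged clients.

Added example, not a vendor's code. Signals, all derivable from one log file:
  * burst rate: product-page requests per client inside a sliding time window,
  * catalogue walk: a run of strictly consecutive product IDs (humans browse, bots enumerate),
  * automation User-Agent: an HTTP library name instead of a browser.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PRODUCT_RE = re.compile(r"^/product/(\d+)$")
AUTOMATION_UA = re.compile(r"python-requests|curl|scrapy|go-http-client|wget", re.I)


def _line(ip, second, pid, ua):
    """Build one constructed combined-log line at 10:00:<second>."""
    return (f'{ip} - - [25/Dec/2015:10:00:{second:02d} +0000] '
            f'"GET /product/{pid} HTTP/1.1" 200 512 "-" "{ua}"')


BOT_UA = "python-requests/2.9.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/43.0"
# Constructed sample: one client enumerates 25 consecutive products in 24 seconds,
# another views three unrelated products over a minute.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, 100 + s, BOT_UA) for s in range(25)]
    + [_line("198.51.100.4", s, pid, BROWSER_UA) for s, pid in ((3, 250), (31, 17), (58, 251))]
)


def parse(log_text):
    """Yield dicts for every well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def score_clients(log_text, window_s=60, rate_limit=20, seq_min=5):
    """Return {ip: [reasons]} for clients that look like price scrapers."""
    per_ip = defaultdict(list)
    for rec in parse(log_text):
        pm = PRODUCT_RE.match(rec["path"])
        if pm:
            per_ip[rec["ip"]].append((rec["ts"], int(pm.group(1)), rec["ua"]))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        reasons = []
        # Peak number of product-page requests inside any window_s-second window.
        peak, start = 0, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > rate_limit:
            reasons.append(f"{peak} product pages in {window_s}s")
        # Longest run of consecutive product IDs in time order.
        run = best = 1
        for (_, a, _), (_, b, _) in zip(hits, hits[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= seq_min:
            reasons.append(f"sequential walk of {best} product IDs")
        if any(AUTOMATION_UA.search(ua) for _, _, ua in hits):
            reasons.append("automation user agent")
        if reasons:
            flagged[ip] = reasons
    return flagged


def price_for(ip, true_price, flagged, decoy_markup=1.15):
    """Serve a decoy price to flagged clients and the real price to everyone else."""
    return round(true_price * decoy_markup, 2) if ip in flagged else true_price


if __name__ == "__main__":
    flagged = score_clients(SAMPLE_LOG)
    for ip, why in flagged.items():
        print(ip, "->", "; ".join(why))
    print("bot sees", price_for("203.0.113.7", 20.0, flagged), "human sees", price_for("198.51.100.4", 20.0, flagged))
```

Any single signal here is easy for a determined scraper to evade (slower requests, random order, a browser User-Agent), which is why the commercial products layer on client fingerprinting and behavioural scoring; the example shows the shape of the decision, not its full strength.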


10 . Uber for Security People

SleathWorker.com – there is a shortage of IT security staff in Australia, and I have been asked nearly every month to recommend someone for a role. When you can't find a resource or your team is short-staffed, you need to be able to find suitable resources.

The alternative is to engage a third-party managed service, which comes at a cost. What we need is an Uber-style offering of skilled resources that are able to provide this as a service.
 
http://www.cso.com.au/article/588082/10-cyber-security-startups-note/

My Performance Review the CISO

How to write performance management plan for my CISO?

The end of the year is approaching, and that time of year is around when your CISO is evaluated. As this is an article for CSO magazine, you will probably have to decide for yourself whether it is one that you share with your boss.

This is always a conversation that you approach with a degree of confidence but also with a sense of uncertainty. What your boss rates you for your efforts over the last year may be aligned with your own thinking, but this is the only time that you find out.

For me, a performance review plan is a combination of “Hard Things and Soft Things”. These are “hard” tangible deliverables, which include team-based outcomes. Plus the “softer” aspects which includes how the CISO has driven a positive culture within the enterprise.


Hard Things

1. Accountable for Information Security Portfolio

The CIO is tasked primarily with delivering timely projects, increasing efficiency and (above all) reducing costs. Some CIOs like to take short cuts, and perhaps take on more risk than is prudent. The CISO can influence the CIO and help him realise that security wants to help him get to his objectives as quickly as possible, while also maintaining management's preferred risk profile.


In this regard you are accountable for the whole portfolio of efforts to improve the risk position of the enterprise. Being able to achieve the deliverables while looking for synergies across these projects is the key.

What you need to do is convince your boss that you have been a professional CISO who is prepared to make information security risk management judgements on the basis of in-depth business and technology knowledge. Indeed, you are managing business risks as an overall portfolio.


2. Responsibility for Enterprise Information Security

It is likely that, despite whatever efforts you have made, there have been incidents and perhaps breaches. The CISO owns all the problems that come with the position.

You have to actively manage staff, external resources, culture and performance. Importantly, you are held responsible for security incidents and all the fun challenges that arise. Invariably you, the CISO, will have been involved in responding to a major security incident, and then in developing strategies and plans to minimise the risk of that type of incident happening again.
How you have managed external bodies is critical, and your diligence in closing external or internal audit issues relating to information security will be examined.

As the person ultimately responsible, you will also be judged on how comprehensively the Enterprise Information Security Strategy has been articulated and bought into by the Board. The key will be whether this has taken the enterprise beyond mere compliance to establishing a security risk profile that is appropriate and aligned with the risk appetite of senior stakeholders.


3. Managing Information Security Budget

There are two parts. The first is the simpler aspect of meeting budget, despite all the challenges and unplanned crises that occur. A greater degree of difficulty is that the CISO needs to be the advocate for the security strategy and get funding from the CFO and all stakeholders in the C-suite, audit committee etc. Gaining funds is never an easy task when there is only a negative 'stick' argument.

As the CISO you will need to have an "elevator pitch" ready and tailored for each stakeholder, usually with a small select number of detailed funding proposals for each financial year.


Soft Things
In this regard, your behaviour as a leader and how you operate in the broader context are what your boss will be looking to evaluate. Most critical is that at all times your integrity and ethics are unquestionable.


4. Managing Trust and Reputation

You are in the business of trust and reputation. This means that within the enterprise you are seen and heard in that context, and furthermore that you are operating in the external domain, networking with others to further the cause of information security.

Having visibility and a good reputation within the information security community, also means that you are a thought leader who understands the latest trends and threats. Your boss wants a leader that has good self awareness and not a recluse.


5. Crisis (Noise) Management
While major visible security incidents don't happen that often, you will have a key role in managing these during and after the event. It is true that such incidents can cause major disruption, brand damage and financial loss, and likely all of the above.

Your role will be to ensure that there is good crisis communication to both internal and external parties. This is not an easy position and often the standby statements, will just not be sufficient.


6. Strategic Partnering

During the year it is likely that you are making key strategic corporate purchasing and partnering decisions. As the strength of your own security is greatly affected by these decisions, you should be demonstrating how they enhance the risk profile, while also showing that you are removing legacy solutions.

As the CISO, you will have made these decisions using a good transparent process and your friends in Procurement will be singing your praises.


Summary for the Year 2015

Now that wasn’t too hard was it? Good luck with your conversations.

It would be interesting to hear from you how many of these Hard and Soft measurements are actually in your Performance Review??


http://www.cso.com.au/article/589801/my-performance-review-ciso/

What warranty protection does my anti virus provide ?



CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT BEFORE YOU START USING THE SOFTWARE

Now, honestly who has read these statements?

There is an implied warranty that if you are buying an antivirus product you get a level of protection and updates for new threats. Conversely, if you have chosen the freemium offering then you take your own chances with regard to new virus and malware risks.

But what real protection do you get, and how do you know if you are protected?
Wait, I'm not sure that I accept those conditions? Sorry, it is too late: by clicking or installing the software, that is already a past event.

CLICKING THE “I AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.


A Real Case Example
 
Let's take an example of these clauses, without naming the software company. This protection is quite limited: in this case I would have paid $49.95 plus GST, and that would be the extent of what I could recover.

YOU AGREE THAT IN THE EVENT THE RIGHTHOLDER AND/OR ITS PARTNERS ARE FOUND LIABLE, THE LIABILITY OF THE RIGHTHOLDER AND/OR ITS PARTNERS SHALL BE LIMITED BY THE COSTS OF THE SOFTWARE. IN NO CASE SHALL THE LIABILITY OF THE RIGHTHOLDER AND/OR ITS PARTNERS EXCEED THE FEES PAID FOR THE SOFTWARE TO THE RIGHTHOLDER OR THE PARTNER (AS MAY BE APPLICABLE).


Not that attractive or worthwhile to pursue this particular organisation. To double-check this I examined another major antivirus vendor's contract terms and found them to be amazingly consistent. Here is another example:

IN NO CASE SHALL ABC OR ITS LICENSORS’ LIABILITY EXCEED THE PURCHASE PRICE WHICH YOU PAID FOR THE APPLICABLE SERVICE PERIOD


 
You also need to Act Fast


The time window is also working against you: the average elapsed time to discover a breach is 200+ days.

For these antivirus warranties there is also a limitation of one year in which to make any claim against the warranty:

No action, regardless of form, arising out of the transactions under this Agreement may be brought by either party hereto more than one (1) year after the cause of action has occurred, or was discovered to have occurred, except that an action for infringement of intellectual property rights may be brought within the maximum applicable statutory period.


No coverage for Terrorists?

It is somewhat hard to believe, but there is also an exclusion that relates to being a terrorist. And if you happen to be Sir Richard Branson and involved in a rocket launch, then you are also excluded by the warranty terms from using such antivirus software:
 
USE OR FACILITATION OF ABC PRODUCT IN CONNECTION WITH ANY ACTIVITY INCLUDING, BUT NOT LIMITED TO, THE DESIGN, DEVELOPMENT, FABRICATION, TRAINING, OR TESTING OF CHEMICAL, BIOLOGICAL, OR NUCLEAR MATERIALS, OR MISSILES, DRONES, OR SPACE LAUNCH VEHICLES CAPABLE OF DELIVERING WEAPONS OF MASS DESTRUCTION IS PROHIBITED


What about Updates?

You may recall that I noted the implied warranty that if you are buying an antivirus product you get a level of protection and updates for new threats. I really struggled to find any reference in the warranty documents that spoke to a service level, or that updates for new viruses would be provided within any time window.
Clearly these antivirus companies would get significant flak from their customers and lose credibility fast if they were not able to act quickly.
But this is not part of the standard warranty protection, at least not at an express level.


I want out, so how can I do this?

Now that I’m aware of the terms and conditions, actually I’m not sure that I want to accept this. So what can I do?

IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “CANCEL” OR “NO” OR “CLOSE WINDOW” BUTTON OR OTHERWISE INDICATE REFUSAL, MAKE NO FURTHER USE OF THE SOFTWARE, AND CONTACT YOUR VENDOR OR CUSTOMER SERVICE, USING THE CONTACT DETAILS IN SECTION 11 OF THIS LICENSE AGREEMENT

Whoa, I have to do what again? It is easy to click agree, but there is a complicated process if you don't agree, and then it's likely that you won't get any joy around changing the T&Cs.

That fabulous expression “Caveat Emptor” really applies.

http://www.cso.com.au/article/590994/what-warranty-protection-does-my-anti-virus-provide/