At #BHMEA22, a panel of CISOs discussed issues around data protection, privacy, and disinformation campaigns – with a focus on the risk of insider threats. Jaya Baloo (CISO at Avast) asked each of them to share the most important lessons CISOs should consider if they want to do a better job of information protection and incident response.
Here’s what they said.
Flavio Aggio (CISO at World Health Organisation): Aim for clarity across your organisation
“I think transparency, compliance, ethical rules, and risks should be well documented and well known,” Aggio said. And the critical points he suggested all CISOs should keep in mind are:
- Have a clear policy and a clear principle.
- Have clear segregation of duty – so that you, as a CISO, are not held responsible for actions or decisions that should be undertaken by someone else (the legal team, for example).
- Make sure every department in the business understands what governance is in place, and how that guides decision-making.
“Because privacy is a major nightmare,” he added. After an attack, the integrity and reputation of your brand may be among your most valuable assets, and a data breach can do serious damage to that reputation.
You need to ensure that “rules are clear, expectations are clear, policy is clear as well.”
And finally, build a really robust awareness campaign across your organisation: “Make sure that you have training and awareness that is embedded in the day-to-day work — not a one-off checklist.”
Zaki Abbas (CISO at Brookfield Asset Management): Be proactive, and get clear on the regulatory expectations around incident response
“One, it’s very important to be proactive and not reactive as regards keeping up with privacy regulations. All these regulations have due dates, so you need to give yourself enough time to make sure that your program evolves to make sure it is compliant with any changes to privacy regulations.”
“Two, utilise third-party law firms as much as possible, so they can clearly explain to you what needs to be done and whether you’re impacted by any regulatory changes.”
“And lastly, cyber incident response when there is a data breach. Every regulator has different notification time periods when there is a breach. So you need to be well aware of that in the regions you’re operating in, and make sure that you’re updating your incident response plan to highlight any nuances between each region.”
Jon Staniforth (CISO at Royal Mail): Protect yourself by building a mutually supportive network around your role as CISO
“For me it always comes back to why are you there – what’s the business about? It sounds very trite, but that’s the reality – you’re only there for one reason so you’ve got to figure out for each of those senior stakeholders what they actually care about. They’ll then become your champions for you, and actually they’ll start to take risks with you.”
“If you look at the rest of your management team, they’re already mutually supporting each other – the COO, the CMO, the CEO – and so how do you emulate that behaviour?” For Staniforth, this is a key aspect of the CISO’s role, and the rapid transition to digital over the last few years has made it more important than ever: CISOs matter more than they used to, and the work of the CISO increasingly has a direct impact on business operations and success.
Alongside that growing importance of the CISO role, the role itself is also shifting, and becoming more intertwined with broader business operations. Staniforth added, “Always be prepared to do something you don’t think is a traditional CISO role. I’ve run procurement teams, finance teams, facilities – all as the CISO. Because you’re there to be part of that team.”
And finally: practise your incident response plan. “I’ve been involved in three or four major breaches. It never goes right. And it’s about understanding who your key partners are; and understanding why you’ve made decisions (even if they’re bad ones) during that investigation.”
Vikas Yadav (CISO at NYKAA): Build a high-performing team
“Every CISO should also focus on building a good team, training them well, and empowering them to work. Because there’s only so much a CISO can do alone.”
It was a brief but critical final point: your team really matters. And that means the broader team across your organisation, too – part of your job as CISO is to empower other departments to engage in security practices, and to embed security champions in different departments.
Clarity, collaboration, and incident response practice
Baloo summed the discussion up like this:
“Keep it transparent, make sure you keep it well documented, align with the rest of the company; practise, practise, practise; and finally train up your team so that you have excellence in the people that are actually supporting you during such work.”
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!