Dimitri Chichlo holds an Executive MBA from INSEAD. He currently works for Union Bancaire Privée in Geneva as Senior IT Security Advisor. He was formerly VP Information Security & Business Continuity Management at Edmond de Rothschild in Geneva where he was responsible for developing and implementing the Information Security and Business Continuity governance, consulting on IT projects from the InfoSec side as well as spreading InfoSec awareness in the Bank.
Prior to this position, he worked for ING as Head of Risk Management in Geneva, where he was responsible for all aspects of non-financial risks in a commercial bank, successfully enforcing the Information Security risk framework as well as leading related projects. From 2004 to 2009, he spent 5 years in Ukraine and was involved in various international greenfield industrial and banking projects with different French companies. He is a regular speaker at Information Security conferences. Dimitri is also a successful trail runner and a PADI scuba diving instructor.
Where do you see the difference between Information Security, IT Security and Cybersecurity?
I recently attended a conference where one of the speakers discussed the results of a study which showed that, as a CISO, you get more funding when you present yourself as dealing with Cybersecurity rather than with Information Security or IT Security. You are an Information Security manager? You deal with boring stuff. You are a Cybersecurity manager? You are the real one. Today, the hype is undoubtedly in speaking about cybersecurity: cyber-this, cyber-that; cyber is everywhere. The word cyber opens the door to credibility and funding. But I am not sure that everybody knows what they are talking about.
Information Security is a holistic concept that includes the protection of the confidentiality, integrity and availability of data in the broad sense of the term. The topic includes very technical elements – identification of assets, threats, vulnerabilities, control measures – but also more organisational and process-driven ones, like SDLC, DLP as a whole, awareness, education and training, and it encompasses physical security measures, business continuity and disaster recovery.
IT Security focuses on the protection of internal computer systems (hardware and software) with an almost purely technical aspect.
Cybersecurity is more about ensuring that everything that is connected online is secure and focuses more on dangers that appear on networks. It includes elements like cyberwarfare.
As words have meanings, I prefer talking about Information Security because it implies much broader risk management aspects. The issue when speaking of, or focusing on, Cybersecurity, is that people might infer that only the connected portion of information systems is of importance, whereas everything actually has an impact on your global security posture – think about the unencrypted USB stick lost in 2017 on public transport with all the security plans of Heathrow Airport.
So, as a CISO, you deal with Information Security Risk, period, and this is an incredibly enjoyable but also difficult role. You never stop learning and thinking.
How can security executives get that buy-in from the top?
Information Security is a non-financial risk management job. The difficulty lies in the fact that you can barely quantify a loss. Credit risk is simpler: you lend that amount of money. If you get this percentage of default, you lose this amount of money. Above a certain level of default, your company goes bankrupt. Think of the 2008 mortgage subprime crisis.
But what is the cost of not dealing with backups? Maybe you will never need them. Maybe everything is going to be fine, and you spent money for nothing. This is similar to a defence job: the army needs to be able to convince politicians that spending this amount of money on defending the country is worth the expense, especially in a time of (relative) peace. The same applies to secret services that defend the country against terrorism. You are always cleverer post factum.
The first thing a C-function should ask his colleagues is: “What can I do for you?” If you are able to achieve this, the natural answer from your colleagues will be: “And what can I do for you?” As a CISO, I would forget about thinking in silos and rather cooperate with other departments to find side projects where Information Security will add its value. It is a cleverer way to sell your job than just using FUD.
A first example: virtualisation. If you try to sell virtualisation in terms of disaster recovery only, then you face the risk of having to explain why you want to brace for a risk that has never materialised. Rather than selling the project solo, get IT, procurement, finance and sustainable development on board and present a project which has many benefits, with a business case. Replacing physical servers with virtual ones means lower maintenance costs for IT, fewer square metres rented in a data centre, less electricity consumed, reduced replacement costs, less IT equipment to throw away every 3 to 5 years, and it has an impact on availability and disaster recovery preparedness.
A second example: MFPs replacing desktop tools, with Follow Me Printing. By installing MFPs and enabling FMP, you replace many printers, scanners and fax machines; you reduce printing costs and paper consumption; you reduce maintenance costs (only one model to maintain and one model of toner to buy); you reduce the waste of desktop tools; you increase confidentiality (prints do not come out automatically); you can monitor the content of your prints in a DLP solution; and you increase business continuity readiness if you have to work from another office. All in all, you improve the daily user experience and flexibility.
You will also have to find real cases from real life. The NotPetya attack from 2017 provides great practical examples for large corporations. When it comes to Information Security, we insist a lot on confidentiality and data protection. However, availability is very often forgotten, though it is key for a business: if a system is down, how much does the company lose? This is something a CISO must be able to calculate in order to convince a CFO, for instance.
If your management committee is not convinced by what you are telling them, you might want to use a penetration test to demonstrate what can happen in real life if attackers want to penetrate your network, or if current employees want to steal data. But this is a tricky tool, because by doing this, the report will inevitably point out all the deficiencies of your IT department. So, use it carefully and with IT on your side. Do not alienate the CIO.
What soft skills can help security executives collaborate better?
Information Security is a question of culture. You might have all the policies and processes in place: if the CISO is not influential enough to convince C-functions, management committees as well as regular employees of the importance of the topic, and if the tone is not given at the top, the chances of success are scarce. I would say that a CISO job is 60% people, 30% processes and 10% technology.
First, the CISO must possess a sound business and strategic vision. She must understand what the strategy of the company is and how her job can contribute to this strategy. Similarly, she must have a strategic vision of her job and understand how she will articulate it in collaboration with the CIO. Working in a silo is the worst possible approach.
Second, a CISO must be a good influencer. He must understand how to convince and influence people in his company – from C-functions to simple employees. He must have a strong sense of how power is exercised and who is key. At some point, unfortunately, it is all about funding and support from the key players.
The CISO must also be a good communicator. Management Committees and Boards have very little time to dedicate to each of the topics discussed during their meetings. If you lose your executive audience from the beginning of your presentation because you used technical terms, or because your tone is boring, your chances of getting attention and gaining credibility are minimal. Similarly, you must be a good communicator towards the end-users and the IT teams, speaking both business and technical language and being able to explain what is at stake with simple and understandable words. Use storytelling and analogies from everyday life which everybody can understand.
The biggest threat to your institution is already inside the building. Studies show that 60 percent of cyber attacks come from inside the company. What are the key strategies to address this challenge?
Cyber attacks are one aspect of the challenge, but human error is another one – the chair/keyboard interface. I come back to my example of the lost USB stick from Heathrow Airport – this is a perfect case of human error combined with bad practices leading to dramatic consequences, although basic solutions do exist.
When it comes to elaborating a strategy, I would divide tactical plans between wilful and unwitting actions. And I would also separate IT staff and end-users, because they have different capacities for damage.
First, I insist on having sound user access management procedures and practices. Role-Based Access Control is powerful for that. We have heard of numerous cases where abuse of authorisations led to fraud, sometimes for huge amounts. So, apply thorough need-to-know/need-to-have principles with regular reviews. Privileged Identity Management of IT staff is extremely important, one of the most important aspects of Information Security risk management. Ensure you carefully control privileged, service and non-personal accounts.
A second axis is to reduce leakage channels and the technical possibility to exfiltrate data, as well as to provide end-users and IT with the tools to protect mass data that are stored on external media. Be careful with file and Exchange server administrators, too: use file encryption tools.
A third vector of action is to monitor suspicious behaviour and be able to identify it as early as possible.
A fourth action channel is awareness, education and training, for everyone, including C-functions and IT. Surprisingly, studies show that the latter are often the least aware. Human error can be reduced through those channels, though not completely eliminated. Train users on how to handle data. Train users on how to identify phishing, social engineering, CEO fraud, etc. For instance, train your IT team on how to securely code and develop applications. A backdoor might be exploited by a future internal employee.
How do you make sure you know what new projects are on the road map and that security is baked in from the process side?
Risk management exists to drive decisions: do I acquire this business? Do I launch this new product? Do I launch this investment project? What do the risk functions have to say against the legitimate ambition of the business functions? Which value can they bring that will drive decisions?
Information Security, and risk management more globally, is first and foremost a question of culture, and it will depend on the ability of the CISO to convince other C-functions of the rationale for on-boarding risk functions on various projects in order to ensure that risk is properly assessed and addressed from the very beginning. If a carmaker launches a new model, it does not consider the option of installing ABS, ESP, airbags or other safety features on the day before the launch is approved.
First, the company must possess policies and procedures that clearly state that all risk functions must be on-boarded on a project committee when a project is launched – and the same must apply for new products: Information Security of course, but also compliance, legal, credit risk, physical security, fraud risk. It is vital to break the silos when it comes to risk management.
Second, the tone should be set at the top: it must be made very clear by the CEO and the Management Committee that the presence of risk functions and a thorough risk analysis are compulsory requirements from the very beginning, and not just a sign-off required on the day before a project is approved to ensure that Information Security will bear the risk if something goes wrong.
Third, the CISO should understand that the InfoSec function is a business enabler and not only a naysayer or a bad cop. She/He should find solutions instead of forbidding initiatives, but also be very clear about the risks so that decisions can be taken in full awareness.
Fourth, the sign-off of all risk functions should be made compulsory at the closing of the project phase, just before the launch, so everybody is clear about the risks and the appropriate decision can be taken, including risk mitigating measures.
Again – it will depend on the ability of the CISO to be influential enough to convince her peers to get InfoSec embarked on the projects, and at the same time be able to find solutions to mitigate risks. Only in that way will the CISO gain credibility and be considered a valued business partner.
Are there any key phrases or terms that security executives should use when talking to the C-suite about the business?
Do not forget that the purpose of a business is about creating value for the shareholders, in the broad sense of this term – the shareholder can be the sole owner of her business or an individual owning shares of a publicly traded company. So, value creation is one of the terms security executives must use when they talk to the C-suite, especially to the CFO.
Generally speaking, a CISO must be able to speak a language familiar to the business. You will lose attention and credibility if you use too many technical terms that business executives, management committees or boards do not understand. What sounds obvious to you is not to others.
Let me give you one example. We all know the principles of a sound password policy: lengthy, complex, different for each system, and all those passwords should be known by heart. And of course, they should be different in the private and in the business sphere. Let’s be honest: these principles make it impossible to comply with a password policy. So, what a CISO can do is ask the CFO for funds to acquire password managers and show by how much it will add value to the business: one password to remember to unlock a password vault means that the users will not call the helpdesk to reset the password(s) they forgot when they come back from vacation, and they spend less time typing them.
Alternatively, a Single Sign-On project could do the same, but much better. Only one password to remember to log in to the Windows session, and the others managed automatically by the software: less time for the helpdesk, less time for IT teams and increased productivity for the end-users, who spend less time managing their passwords. And by solving end-users’ usability issues, they start considering you differently, and you build allies.
When requesting funds for such projects, a CISO must be able to show that the Net Present Value (NPV) of a project is positive, which is a financial proof that it creates value for the company. So NPV is another term that the security executives should use, and they should also know how to calculate an NPV when presenting an Information Security project.
My principle is to go back to the basics: a CMDB with a complete inventory of assets, proper user access management processes, including management of privileged accounts, network segregation, sound data encryption, endpoint protection, patching, configuration management, backups and disaster recovery procedures. Achieve this and you will have achieved a lot. Do not focus only on the detection and reaction side. Identify assets and protect them. Think defense in depth.