CISO of the Week, Anyck Turgeon, Executive CISO & Global Cyber-Resiliency Evangelist, IBM
With more than 25 years of technology innovation and security expertise, Anyck Turgeon has served for the past 15 years as a Chief of Information (CIO), Execution (CEO), Marketing (CMO), Risk (CRO), Strategy (CSSO), Business Security (C-BISO & CISO) and management leader for public and private companies including IBM, M-CAT Enterprises, CoreClean Group, Crossroads Systems and Oracle Corporation.
Leveraging her global security experience in IBM C-BISO – CIO / CISO offices, Anyck ensured seamless and continuous availability of all digital resources for 500,000+ humans in over 194 geographies. In addition to protecting 6 Million devices at the #1 oldest high-tech company in the world (IBM) carrying the #1 largest amount of intellectual property (IP by number of filed patents) in the world, Anyck has been a true security leader generating over $3 Billion in revenues and resolving an excess of $3 Billion in crimes. She now acts as IBM’s new global chief cyber-resilience & security evangelist whereas she is designing and generating awareness about IBM’s latest suite of solutions to ensure the business resilience of customers worldwide.
After studies in music and international relations (economics and law), Anyck started her career at the heart of the Canadian financial industry – at the Ontario Securities Commission, the Toronto Stock Exchange and Toronto Dominion Bank / Visa Center. Her keen interest in enterprise solutions led Anyck her to acquire formal computer, security, corporate finance, data science and executive management training resulting in the development and deployment of $4.6+ Billion solutions in data management, security, privacy & analytics at Global 1000 & Fortune 500 (GM, Chevron, Nike, CIBC, CCPEDQ, Alcan, Docomo, UKHL, NASDAQ.) As an average, Anyck delivered innovative security solutions at 45 percent of competitive costs, resources and time estimates.
The recipient of more than 40 U.S. and international industry recognitions, Ms. Turgeon expanded her studies in corporate finance, management, data science and artificial intelligence at numerous leading schools including Harvard, UT, Berkeley, Stanford and York universities. She holds six licenses, 15 certifications and 16 IBM professional badges.
Most recently, Anyck has been developing new Agile Security & Risk Management training programs and solutions. She is now focused on Information Technology (IT) / Operational Technology (OT) / Industrial Internet of Things (IIoT) integrated solutions to ensure that critical infrastructure (including FSS, Oil & Gaz, Utilities & Energy, Manufacturing, Healthcare, Government, Communications) have the right amount of cyber security, business resilience, recovery, crisis management and continuity solutions. Her main objective is to empower businesses to strive while over-coming the upcoming tsunami of cyber-wars and cyber-attacks.
The job of CISO is never going to be an easy one, no matter what you do. The bad guys only have to be right once. How do you deal with that? It seems like an impossible challenge.
THE LATEST IMPOSSIBLE CHALLENGES & SOLUTIONS:
LETHAL OT/IoT EXPOSURE & PERVASIVE SECURITY – A new major trend that makes cyber-challenges more difficult than ever before is the pervasive and lethal cyber-exposure of operational environments and IoT devices – particularly Industrial Internet of Things (IIoT). Since these environments are either 15+ years old and never updated/patched or were not conceived with security-by-design, they are our weakest security links. This is particularly true upon dealing with more complex attacks (like the uprise in cocktail malware), trail-disposed wipeware and more politically-driven cyber-attacks (like from Nation-States). Organizations need now to think about end-to-end integrated security of all devices (not just traditional information technology environments) in an orchestrated, intelligent / cognitive and automated manner.
CYBER-HIRING PRACTICES & INSIDER THREAT COUNTER-MEASURES - Further, the practice of hiring new, foreign, lower-level tech security resources may appear great on quarterly financial reports at first, but, it carries a much greater longer-term penalizing cost. Did you know that analysts report that over 50% of staff are now willing to sell their current employment sign-in credentials (e.g. user id and password) for less than $1000 to cyber-criminals? As a result, we are now dealing with a massive silent up-rise in insider threats whereas it is currently more lucrative for employees to crypto-mine than work. Top cyber-security professionals are recruited now straight out of schools at cyber conferences and by organizations such as peer activists / ideological groups (like aggressive hedge-fund investors), dark market organizations (like dark web exchanges) as well as Nation-States.
As the financial benefits typically outweight potential penalties and since it is estimated that current tools only detect 13 percent of cyber-crimes, companies are infested with trusted and enabled resources that compensate themselves at the expense of the future of companies. As crypto-environments get patched, organizations should implement various preventive and corrective measures to much better deal with current and future insider threats.
CYBER-RESILIENCE NOW TO OVERCOME TODAY’S “WHEN” CYBER-ROULETTE – Not only are top-tier talents making more money crypto-mining organizations, these organizations often fail to even detect or remediate misuse of resources. In fact, 6 out of 7 cyber-attacks today go undetected according to Nuix. Failure to adequately invest in enterprise security, hire and compensate cyber talents, implement continuous cyber hygiene activities, convert cyber-risk to enterprise risks properly and the lack of sensible cyber-resources have successfully shifted the cyber-posture of organizations from “if” to “when” the official “cyber-boom” will take place.
Since current cyber-security measures do not suffice and budgets are limited, organizations like the World Economic Forum (WEF) and US Department of Homeland Security (US DHS) now recommend to corporate executives, board members and security staff to focus on cyber-resilience.
PASSIONATE CYBER LEADERS WANTED – What initially attracted me to the Chief Information Security Officer (CISO) role was the opportunity to deliver innovative solutions to attack-ready environments. Unless you are passionate about life, technology and pushing yourself daily towards making tomorrow’s world better, this career does not make sense: high-turnover rate, high ratio of heart attacks and 24/7 on-duty responsibilities. One needs to continuously learn and be passionate about doing the right thing for a better future for all parties globally.
EXCITING, NEW SECURITY INNOVATION FOR ENTIRE CYBER-BREACH LIFECYCLE – We are now entering an even more challenging stage of innovation that involves business resilience, quantum-computing, artificial intelligence, contextualization and by-design security. Today’s CISOs, C-level leaders, board members, security experts and organizations need to learn about, understand and become responsible for all activities that are part of an entire cyber-breach lifecycle (e.g. including resolution beyond recovery). All communities that are related to digitalized organizations need to start by prioritizing crown jewels and find ways to ensure zero-downtime orchestrated practices that will cover all stages of cyber-crimes. From the National Institute for Standards and Technology Cyber-Security Framework (NIST CSF) of Identify to Recovery 5 phases to the complete legal resolution and handling of persistent reputational damages, organizations need to arm themselves for the upcoming AI-powered cyber-wars to cover all stages of cyber-breaches lifecycle.
CONTINUOUS INNOVATION & RESEARCH – To make the impossible possible, one needs to be ready for all scenarios, continuously search for innovative approaches/solutions and dedicate time to learn about cyber-developments every day. The next generation of C-level executives will definitely have to be completely fluent in cyber-breaches and risks so they can render the proper decisions in times when corporations will have to deal with breaches daily – given the growing area of cyber-exposure.
THE NEW CROs: CHIEF RESILIENCY OFFICERS – Chief Risk Officers have raised to be predominantly important in the financial industry. Yet, as a larger spectrum of organizations will need to ensure business resilience at zero-downtime, one can anticipate that the new CRO will be the Chief Resiliency Officer.
While analysts reports that current tools can only predict 13 percent of cyber events, I am hoping that quantum-powered contextualization will eventually enable us to better approach and predict cyber events. With billions to trillions of attacks daily, we need automation, artificial intelligence and quantum-powered security so analytics can be performed against embedded forensics. Corporate executives in all roles needs to become fledged about their cyber-posture continuously, be held responsible and report quarterly about the organization’s cyber-risk tolerance as well as about key metrics like Recovery Point Objective (RPO), Recovery Time Objective (RTO), Mean Time to Containment (MTTC), Mean Time to Identification (MTTI), Mean Time To Response (MTTR), Mean Time to Recovery (MTTR+), etc.
Cyber-resilience is a new practice that requires the involvement of all hired resources in a company (e.g. corporate communications, operations / infrastructure, physical security, development, sales, information technology, finance, risk management, etc.) Starting by focusing on the readiness of corporate executives is important but, all parties should be involved in cyber-event practices on a frequencly basis to ensure the cyber-survival of a company. Just like companies spend time and energy preparing for physical events (e.g. fire drills), organizations need to know what to do in case of pervasive cyber-attacks.
Appointing a Chief Resilience Officer (CRO) is going to be most important as this is the person responsible for the management of all internal and external activities (including communications) upon cyber to physical threats that can impair the continuity and survival of organizations.
In supplement to Chief Information Security Officers (CISOs) that are responsible for the security of all information, organizations now need a new type of C-level executive that sits at the executive boardroom, participates in board committees, is fledged in delivering quantitative data about the cyber-posture of organizations externally as part of financial reporting and that is equipped to deal with cyber-Armageddons. The implementation of cyber resiliency offices in corporations is the first step towards a successful future.
If I gave you an extra Dollar, how would you spend it on cybersecurity?
Quantum AI-powered contextual cyber resilience.
As a result of protecting the assets of technology and financial organizations, I have had the privilege of working with more than 1,500 products. Analysts report that CISO organizations typically use 30-40 products from at least 6-10 different vendors. So, when a cyber-breach take place, it is also important to coordinate with 3rd party software and consulting partners. Given the increasing amount of complexity, orchestration is now becoming a key requirement as part of all organizations. In addition to ensuring to CISOs focusing on identification, prevention and detection tools, organizations now need ways to ensure coordinated response, recovery and full resolution.
At this point, did you know that analysts are reporting that 66 percent of organizations are allegedly not prepared to respond to cyber incidents? How many organizations are able to provide evidence of cyber-resiliency to their investors and partners on a quarterly basis for their entire digital portfolio? Did you know that according to the Association of Certified Fraud Examiners (ACFE), less than 25 percent of cyber fraud cases reach any form of recovery? Cyber-recovery being a much more challenging environment to deal with given hacker’s common practice of deleting trails, investing in cyber-prevention is very wise, yet, will not necessarily suffice to ensure full cyber-resolution (which can also lead to corporate destruction.) Investment in orchestrated cyber-resilience is going to be key to corporate survival.
Because executive decision-makers and high-tech security professionals are often fired as a result of a major cyber-incident or mishandling of a breach, organizations will benefit from the power of intelligent orchestration technologies. According to recent Recorded Future as well as white hat Dark Web professionals, it appears that hackers are certified professionals that operate as trusted time-bombs that have already penetrated most organizations. Insider threat is live and doing well. In fact, most cyber-hacking monitoring organizations report that organizations are plagued today with insider threats performing crypto-mining as a secondary source of revenue while working at corporations.
It is only a matter of time before unsuccessful professional crypto-miners resort to ransomware as a means of paying their bills. Therefore, Chief Information Security Officers, Chief Risk Officers and Chief Resiliency Officers will be wise to prepare for the predicted rise in ransom-based cocktail malware and more lethal cyber-attacks.
Simple cyber-crimes are disappearing as millions are being spent by Nation-States in digital attacks. Our latest wave of cyber-attacks, AI-based cyber-destruction, require organizations to equip their IT, infrastructure, compliance and security departments to continuously prepare and coordinate efforts. Get ready today to deal with cyber-attacks with runbooks, forensic-based recovery tools, trained communities and orchestrated workflows.
To accomplish this goal, ensure that your team goes to reputable 3rd party cyber ranges at least twice to four times a year. Investing any extra money into these cyber-response efforts will generate great return-on-investment (ROI) as well as save jobs and, potentially, ensure corporate survivals (of your organization and all other associated members of your community.) Several years ago, I met with a Tibetian monk that advised me to develop compassion as a key skill towards my successful future. Who knew that he anticipated that I would become a CISO / CRO?
How important is it to have the CEO thinking that security matters?
The consequences and costs related to cyber breaches (like the US IRS, Equifax and Target) clearly demand security be a top priority for all C-level decision-makers. In fact, all organizations hiring executive decision-makers should require and test the IT-literacy of all executive and board member prospects. All C-level decision makers and board members should now be fluent in cyber-security, privacy, governance/risk management/compliance as well as resiliency. The reason why such higher-level of literacy is required is that when breaches take place, executives must already know the consequences of all approaches and render immediate decisions that will greatly impact the present and future of their organizations as well as all related parties.
Newer regulatory requirements (like Safe Harbor – Appendix J) are emerging daily and, now include air-gapped cyber resilience, and security-related requirements. Such concepts as pseudonymization, encryption, security zoning and recovery metrics should well be understood by all corporate decision-maker as evolving laws.
The conversion of current cyber-risk by management gets often lost in translation (e.g. cyber-risks are very under-evaluated). Due to the level of current executive computer low-literacy, cyber-risks are in majority evaluated as medium to low enterprise risks. As corporate decision makers get to understand the full-spectrum of the cyber-challenges they deal with and eventually have to report quarterly on their cyber-posture more closely as part of earning calls, we should see a shift in approaches to cyber challenges towards quantum-powered contextual security and orchestrated resiliency.
As I have been a CISO for 15+ years, I understand the high-turnaround of my peers with an average of 1 year per CISO position. My personal average has been a defying choice-based engagement of 5 years so, I strongly recommend being strategic and futuristic as part of any future CISO/CRO’s professional success. As numerous organizations have not learnt yet how to prioritize or assess properly the extent of their cyber-liabilities, the CISOs and CROs of tomorrow will need to embrace tomorrow’s technologies at a faster paste than ever. This means faster cycles of engagement, continuous learning and new cyber-mitigative approaches. Cyber-insurance coverage has also been slow in offering solutions that can properly protect organizations so, this is an area with great room for improvements which will also be fascinating for all corporate decision makers.
As one of the few security professionals that has been both a Chief Information Security Officer (CISO) and a successful Chief Executive Officer (CEO) at several organizations, I can attest that knowing about security has been a strategic differentiator which is gong to become critical for striving corporations. We all know of examples of CEOs that recently had to quickly learn about security and privacy such as Facebook Mark Zuckerberg.
Several universities, C-level associations and organizations are now requiring upcoming C-level executives to become fledged in discussing and managing all kinds of cyber-security challenges. Yet, there is abundant room for growth in executive cyber-training. Skills like global communications (including on the Dark Web), financial e-valuation assessments and multi-tier community execution management are essential for executives and other resources that need to learn about best activities for their organzations throughout the entire lifecycle of cyber-incidents – particularly, on how to deal with educating the media. A new level of maturity about cyber-incidents need to take place as recovery is not the final step but remains a critical phase towards full cyber-resolution management.
It is critical for corporate decision makers and CISOs/CROs to focus extra time on the more lethal threats and vulnerabilities – such as the increasing Operation Technology (OT) cyber security challenges. For example, while the Evil Twin / Triton attack was not designed to shut down Saudi Aramco petroleum manufacturing plants, it opened the door to incredibly much more challenging areas of new vulnerabilities. As the safety & controller systems were attacked simultaneously, this attack allegedly had the potential of killing millions of people as well as starting a cyber-World War III.
As seen with Triton as well as the Ukraine shutdown, Nation-State attacks are on the rise. With the new era of AI-powered attacks and vulnerable IoT devices, organizations can no longer address all threats. They need to focus on economically-motivated cyber-challenges by order of priority starting with corporately destructive ones. Access by corporate executives to real-time dashboards about their cyber posture is necessary to ensure risk evaluations are elevated in a timely matter through intelligent analysis. Further, as cognitive cyber-analysis becomes necessary, all cyber-risks analysis should go beyond the standard 2-level dimensions (e.g. typically impact and probability). I have witnessed that organizations performing a 5 priority levels by 9 dimensions (instead of the standard 3*2) analysis are better positioned to ensure business resiliency.
Also, given the digital transformation that is taking place inside most organizations, CEOs have to enable their entire organizations to convert faster development and enhancement – using tools like the Agile Security & Risk Management (ASRM) practices and SASSies (Scripted Agile Security Stories – conceived by the brilliant IBMer Peggy Mayfield.
If forecasts are remotely accurate that 50 percent of the Global 100 will be out of business by 2020 due to inappropriate handling of cyber-attacks, CEOs and other executive decision makers can no longer ignore cyber-threats and the need to prepare for business resiliency. CISOs and Chief Resiliency Officers should sit on executive boards and provide tools as well as education to all C-level executives, board members and corporate staff so all know how to handle the upcoming cyber-storms.
Learning by example – such as prepping to testify in front of US Congress, dealing with cyber-inquiries by the media, knowing how to best handle ransom demands, collaborating critical cyber-details upon cyber-threats with federal law enforcement communities and participating in on-going cyber-hygiene efforts – are some of the activities that decision-makers as well as entire corporate communities need to train for together, on a regular basis.
What advice do you have for security leaders?
Build comprehensive real-time dashboards with alerts that you can access from any location, 24/7. Also, increase your knowledge and stay informed by dedicating at least one hour per day learning about new resiliency methodologies and technologies – including a minimum of 15-30 minutes daily to review the latest cyber threats and legal/regulatory developments.
Acquiring university credentials and a few industry certifications is no longer sufficient. Get prepared to deal with today’s and tomorrow’s threats by empowering your entire organizations with the best of cyber-skills. Ensure that your learning focus includes automated counter-threats solutions (for example, against IMSIs), business resiliency and find ways to implement more modern technologies such as blockchain, quantum computing and augmented reality.
Participating in activities like hackathons, hacking conferences (like Black Hat) and volunteering to help protect charities against cyber-attacks are some of the ways in which security leaders can use to upkeep their hands-on cyber-skills.
The biggest threat to your institution is already inside the building. Studies show that 60 percent of cyber-attacks come from inside the company. What are the key strategies to address this challenge?
During this era of globalization, staffing and outsourcing trends (to lower compensation levels) have made organizations more susceptible to criminal activities.
As cyber-crime has been becoming more appealing, exciting, opportunistic, rewarding and lucrative, it is no surprise that insider threat is on the up-rise and 6 out of 7 hackers claim that their illegal cyber activities are never detected due to extensive usage of cyber-trail deleting tools. So, as it is common knowledge that insider threat is already pervasive and very active within most organizations, it is surprising that corporate executives still believe that serious cyber-threats are only threatening other companies (like their competitors). Not only is it immature to make such uneducated assumptions about the current level of cyber-risks, it is also irresponsible for organizations to have their internal security departments go through cyber-readiness assessments. In times of cyber-attacks, all jobs are on the line so, cyber-preparation should be pervasive – especially against insider threats.
Cyber-reporting & rewarding programs (like bug bounty) should be deployed (even via physical anonymous recommendation boxes.) On-going internal investigations should be completed by professional cyber-investigators as few organizations are able to properly address cyber-resolution.
It is also important to enhance anomalistic behavioral detection, capture & maintain metadata for 7+ years, employ forensics cyber-investigator fledged on dark web searches and enhance corporate controls. These are few practices amongst many – to assist organizations improve their cyber-posture. Hiring a proven CISO and a knowledgeable Chief Resiliency Officer will help strive while deterring unwanted threats. Gaining a much better understanding of one’s enterprise risk posture is critical and the more background is available, the more automation and orchestration will be beneficial.
Upon a recent SINET Innovation event, it was reported that Artificial Intelligence (AI)-automated immune systems were able to complete over 6 times more analysis and come down to 84 percent of the same decisions as humans. It was also reported that humans encountered a 14 percent error rate in cyber-analysis over the remaining 16% of cases whereas machines reached 3 percent (at the SOC 1&2 analysis layer). As we progress to cognitive security, we should also see the composition of security organizations change with time.
As another example of how humans can fail whereas machines have currently been trained to process in an unbiais mamner (without by-passing controls), one needs to site the current challenge of lack of proper cyber-segregation. In most corporations today, separation of duties (SOD) is not properly implemented – whereas access controls and architectural zoning are poorly and loosely implemented. Worst, these areas of cyber-weakness are also rarely updated. As employees are provided with new roles and responsibilities, least-access privileges are rarely implemented (like revoking rights that no longer serve the employees in their new roles.) Even if one becomes familiar with their colleagues and is expected to trust them, it is important for security professionals to understand that we are all human and that erring is to be expected. It is therefore more difficult to implement these changes as often poorly managed.
As no emotions are involved with computers (at least not for now), it is easier to ensure cyber-segregation and have decisions based on untampered facts. It has already been proven that much better solutions at a faster rate can be rendered as contextualization gets to be implemented. With the assistance of quantum computing, prevention and deterrence against internal threats may become a problem of the past as we train SOC decision-making systems. Today’s SOC analysts will therefore be able to get elevated to much more important roles that will then offer much more excitement and intellectual stimulus.
In the meantime, implementing mandatory interactive cyber-ethics training (from law abiding resources without criminal backgrounds) and implementing common insider threat deterrence practices (like encryption, mobile device management (MDM), employee & device monitoring, data leak prevention (DLP), timed centralized logging/reporting, transition from BYOD to IT-managed devices, centralized account management, automated inventory management, enforced mandatory & frequent backup/archiving practices and anonymous reporting programs) are all important steps towards a better business resilience and longevity.
How can CISOs balance security and innovation? And How could we address the perception of cybersecurity holding back the business?
Dealing with billions of daily cyber-attacks with increasing rates of new variations and types of threats and vulnerabilities requires continuous innovation. Analysts are predicting that given today’s poor cyber-postures, and, given the poor capture rate (1 in 7) of cyber-criminal activities, small to large businesses now need to prepare for trillion of cyber-attacks daily. Did you know that analysts report that 50% of small businesses experiencing cyber-breaches are likely not to be able to survive? Organizations embracing security innovation like Agile Security & Risk Management and new resilience solutions, will gain such business resilience differentiation that it will soon be possible to predict the industry leaders of tomorrow.
Cybersecurity staff needs to become enablers to all corporate community members (including bloggers, partners, reporting law enforcement agencies and suppliers) so all can be aligned to jointly respond to cyber-incidents. By providing new approaches and tools that enable customers to focus on their key business activities while the new solutions automate the larger portion of deterrence, detection, response and recovery. The perception that cybersecurity is holding back businesses is an old adage that is the result of failing to continuously learn, implement new solutions, share cyber-responsibilities and cyber-innovate.
As companies are dealing with much more complex and overwhelmingly frequent cyber challenges, executives, security professionals and business teams need to re-evaluate risks with 8 to 10 dimensions at a minimum of five levels of risk evaluation. Further, they need to protect their organizations by proactively testing and practicing post cyber-attack response, recovery and resolution.
Executives need to gain access to real-time cybersecurity dashboards and be fluent on how to best communicate about different types of cyber challenges to employees, investors and financial/business press plus analysts.
The new generation of cyber professionals also needs to maintain very technical skills – including coding and data science analytics while all decision makers and members of the entire corporate community need to become cyber-resiliency literate. Employees at all levels need to learn to detect cyber-criminals and executives need to be continuously preparing for critical cyber-challenges and focus on ensuring business resiliency.
I have been privileged to work with some of the brightest minds in the industry over the past decades and be pushed to continually learn so I can keep up with the latest generations of cyber-challenges. I strongly recommend learning about all aspects of cyber-breaches for all employees (particularly C-level executives) – including cyber-insurance, cyber-lawsuits, cyber-deterrence, counter cyber-attacks and, most importantly, cyber-resilience.
Developing communities of cyber-allies (starting with law enforcement but extending with all other parties – including competitors) and expanding cyber-attack communications to trusted outside entities is a very critical task that all cyber professionals need to implement.
Never trust; rather, always start from a limited access position. To meet today’s latest challenges, top executives to employees, partners, suppliers, board members, etc. should start with cyber-resilience as their first order of priorities since keeping business going and striving against cyber-threats must now be everyone’s top priority. Share your passion daily against cyber-criminals!
