CISO of the Week, Magda Lilia Chelly, Managing Director & CISO OD, Responsible Cyber
Magda Lilia Chelly, is the Managing Director of Responsible Cyber Pte. by day, and a cyber feminist hacker by night. As part of Magda’s company services, CISO On Demand is the most popular. Magda spends most of her time supporting chief information security officers in their cyber security strategy and roadmap. She reviews technical architectures, cloud migrations, and digital transformations. Magda with her expertise, and technical background provides a 360 degrees cyber security support for companies; from governance to incident management, she coordinates and builds resilience businesses aligning best teams in order to provide the most suitable solutions for her clients. She is continuously raising cyber security awareness & diversity at a global scale. Her clients vary from Fortune 500 companies to Medium Size Local Businesses, to high tech innovative start-ups.
She is currently based in Singapore, with a global reach. She speaks five languages fluently and has a PhD in Telecommunication Engineering with a subsequent specialization in cyber security. She also was recently nominated as global leader of the year at the Women in IT Awards 2017, and TOP 50 cyber security influencer globally, as well as TOP 58 Women In Cyber Security to Follow on Twitter and TOP Cyber Security Experts alongside with Kevin Mitnick, and Brian Krebs.
Magda’s achievements are various, and international:
1) She has been awarded TOP 50 International cyber security influencer:
2) She is the official RSAC APJ Ambassador for 2018:
3) She is a trainer with Singapore Business Federation
4) She is an official contributor and brand ambassador on one of the major worldwide known cyber security platforms peerlyst.com.
5) She founded a diversity platform “Woman In Cyber”: http://woman-in-cyber.com, where she encourages diversity and inclusion Woman In Cyber: woman-in-cyber.com
The CISO’s role is a very high-pressure, high-stakes role. What is the right profile for the job?
The role of CISO is not only very high-stakes role but can also greatly differ from one company to another. A CISO for a small to medium enterprise will not require the same skills and qualities as a CISO for a Fortune 500 company. That said, the role must have undeniably elementary necessary skills, including strong technical skills with great management and adaptable personality. I consider the CISO position very challenging to fill with its different facets. Thus, just applying frameworks without understanding the business cyber risks can be called ‘’insanity’’, as per doing the same thing and expecting different results.
Let’s start from the basics and describe what in my opinion are the undeniably necessary skills for a CISO. A CISO is a manager with important responsibilities in the first place. He or she is responsible for the overall cyber security of the business and its resiliency.
In order to achieve successfully his/her goal, the CISO needs to have clarity about the business maturity and its overall cyber security approach, including the business understanding of the threat landscape. The CISO must then adapt to the particular business, relying on a team of IT security experts, and/or external partners and deploy an effective cyber security program, based on clearly defined metrics. Building collaborative relationships and transparency with the business and the other departments, including legal, compliance, and operations will represent a key success factor for a CISO.
What about CISO’s Reporting? It’s key to understand the differences and impact for a CISO, when the reporting structure changes across organizations. Theoretically, we could assume that the CISO role should report directly to the CEO, and/or the board. In reality, this is not the case for many organizations. When a CISO is allocated 30 minutes every quarter within the board meeting, he or she needs to prove key points within that short timeframe without disruption, and with clear aligned business focus. That is the main challenge for CISOs nowadays. Adapted communication with business stakeholders, depending on the reporting structure is incontestably a very important skill that all CISO must adapt, learn, and practice.
What about innovation and threats? I often use the term tsunami of technologies within my articles, as we currently experience an immense rise of innovations. In fact, a CISO role today, does not specifically requires 30 years of technical experience, as the new technologies did not even exist 30 years ago. Flexibility and an open-mindset are important and crucial to effectively prioritize and allocate security resources correctly with the right technical understanding.
What about business language? As I mentioned above, clear communication is critical. Without clear ROI for cyber security investment, the businesses struggle most of the time with the budget and the importance of a cyber security strategy. This is indeed very true, when we are analysing a non-regulated financial market. Communication skills are to be considered for all businesses. Defining simple and clear communication strategy helps the CISO to have the right support from the business, and the TOP management, including the board.
How important it is to have the CEO thinking that security matters?
According to Verizon’s Mobile Security Index 2018, only 14% of the responding organizations said they had implemented even the most basic cybersecurity practices. With those statistics, it is obvious that the business owners do not take the right decisions regarding cyber security, and they do not consider the cyber threat as a business threat. This is mainly due to the fact that cyber security professionals and business owners do not see things in the same manner and do not describe their goals in the same manner. Cyber security experts will engage discussions with vocabulary involving DDoS attacks, malware, SQL injection attack, etc. This vocabulary is totally unfamiliar for business owners. I have been discussing recently with technological start-ups and their main priority was to prepare an MVP in order to ensure the next level of investments. Does cyber security count at that point for them? It does not because it does not present the solutions with the right vocabulary.
Building a business with a privacy and security by design approach is a tremendous business advantage. This relates not only to the cyber security constantly evolving threats but also to the extremely complex regulatory landscape for privacy and security across the world. For start-ups, those concepts can present a good differentiator to secure the next round of cashflow. For MNCs and Fortune 500, those concepts will enable a smoother expansion, and an important reduction of costs, related to change management, IPR protection, compliance, and legal requirements.
How does the CEO think? This is the question that every CISO should ask himself and project himself as business owner before being a cyber security expert.
Having a CEO with the right support for cyber security is enabler for more budget and definitely a support from the board. However, a recent report by F5 Networks found a grave disconnect between CISOs and the C-suite or board. In fact, most often CISO are only present in the boardroom to report a crisis. Critically, the report also found that only 35 percent of CISOs do not report data breaches to the board.
There is a massive requirement across industries for all CISOs to more efficiently communicate security risks to the C-Suite. This would preserve and increase the business resiliency and cyber readiness.
How can CISOs best understand business’ needs?
A CISO must comprehend the business and communicate with an understandable vocabulary with the other stakeholders. Effective communication for CISOs allows them to share with people who aren’t security professionals in a more comprehensive way.
This will allow faster adoption, and better acknowledgement of the importance of cyber security for the business. It is not a simple task to adapt and understand business priorities, and decisions especially when we are not a business owner. It always comes down to two factors:
- How can we generate more revenue?
- How can we reduce costs?
Building a common ground between security and business will probably stay one of the CISO’s main challenges. The increase of interest around cyber security, as well the current demand for cyber security professionals shows that organizations are starting to recognize the importance of information security. The issue is that CISOs don’t understand the board and C-suite position and views most of the time. To connect with the business and understand its needs, CISOs need to learn the business language through concepts like: risk, revenue, productivity, efficiency, cost, etc.
Promoting privacy and security by design as business enablers is a key factor for the CISO, and if presented in the right way proves the CISO’s point. He or she must provide clear arguments on how both concepts will provide the business clearly more business opportunities, and additional revenue, as well as reduce the cost of operations, for example.
CISOs need to earn the trust and respect of the C-suite and the board by getting cyber security in alignment with business operations and goals. Security should no longer be done for the sake of security. Cyber security MUST support the business.
Let’s discuss how security and privacy by design are business enablers. With the rising complexity of the privacy and security regulatory landscape, a change of regulation can cost the business millions of dollars, in order to be compliant. The recent GDPR enforcement is a very good example. That said, the first step towards compliance relies on understanding the business assets, including the data, and therefore PII ‘’Personally Identifiable Information’’. This is one of the main pillars of cyber security. A good hygiene will provide visibility and control, key factors for a business success, and a critical competitive advantage. This particular example brings up another importance topic: the interaction between the DPO and the CISO. Those roles are crucial for the organization and require continuous collaboration to reach business goals.
What are the biggest challenges you face in the year ahead?
In the years to come, I am still expecting challenges within organizations to enable security and privacy by design for business enablement, and not only for compliance requirements. When businesses rely mainly on compliance and certifications, like ISO 27001:2013, CISOs face a real challenge to enable real ‘’secure’’ practices.
An example that I would like to share relates to access control. Having a username and a 6-character password makes the business compliant, however does not secure your users. Often, communications as per above will bring more discussions on the table and define the right direction towards resiliency rather than compliancy.
Said that, my main focus will stay into raising awareness about the new threats related to Internet of Things, and their incorporation into existing ecosystems without visibility and transparency from the manufacturers.
How do you predict the future of authentication in online banking?
My career in cyber security is evolving into a holistic path where innovation crosses security on every corner. The above question relates immediately for me to data control, and digital identities trends in particular the self-sovereign identity. Authentication in the banking system is one of the most expensive features, where we are seeing a lot of innovation and solutions. The whole online banking system relies on the security and assurance of the authentication. Authentication would provide the assurance that the user is the user who must then be authorized/denied services and/or access. There is as well a need for a digital identity to power the digital economy and enable seamless payments. And of course, authentication is strictly related to identity. Identity has evolved from a centralized one -owned and controlled by a single entity, such as eCommerce websites or social networks to self-sovereign one, controlled by the individual himself/herself.
Thus, the solution to this problem and the future of authentication, in my opinion, will be a self-sovereign identity where the user has total control of its own data, and decides with who and when to share. New ways to increase trust and privacy like ZERO Knowledge proofs are rising every day and we are seeing new authentication methods being adopted by organizations in the financial space.
Payments and online banking need to be seamless and easy, especially in an ecosystem where physical access to branches tends to decrease rapidly. This defines additional requirements and security principles for the consumers and the following ,must be considered for the solution:
- Establishing trust digitally
- Identifying people globally
- Interacting with connected devices
I am addressing this topic during RSAC APJ 2018, where I speak about the decentralised identity and how the distributed ledgers are the future of identity and authentication, for all industries includes.
How important is being able to communicate with your colleagues?
The CISO’s position within the organization must be perceived as a leader in the eyes of his/her own team and the whole organization. Personal branding can definitely help achieve the above and build a diversified connection with the various stakeholders.
A CISO works with a team and relies on the team, delegating most of the time critical tasks. Transparency, trust and support are key factors to a successful collaboration. Defining expectations from both sides is as well an important factor, I, myself, expand the communication to other departments, creating additional buzz and interest around cyber security. A good example, of a very positive communication strategy would be lunch and talk events, where colleagues from different departments can attend, and understand CISOs priorities, and the responsibility of each team member. Cyber security is everyone’s responsibility, but it is also a TOP-DOWN approach with C-level executives being role models, and enabler for a better resilience across all departments. One of the most effective ways to communicate as well is to record short videos explaining complex topics in a simplistic way, maybe even with some humour. I skip the articles, as I consider in my own opinion that corporate newsletters are not effective anymore. The CISO’s messages presented in a continuous way will slowly raise awareness and create interest within the organization. This becomes only beneficial for any CISO’s mission.
Cyber Security is the responsibility of each and every one. We CISOs, need to build a cyber responsible ecosystem to enable businesses’ resilience in an era where innovation is the fastest.