CISO of the Week: Syed Shah, Head of Information Security & Privacy, Claims Consortium Group
Syed Shah has been Head of Information Security and Privacy for Claims Consortium Group in the United Kingdom since January 2016. He has more than 14 years of experience in IT, Information Security, Cybersecurity, Data Protection and Compliance.
Claims Consortium Group is a leading UK provider of property claims handling and claims workflow technologies. Claims Consortium Group was the first, and remains the only, company of its kind to provide an online communication tool accessible by all parties involved in a claim.
Degrees and Certifications:
- MS Computer Security and Audit, MSc Computer Science, MBA
- IAPP Fellow of Information Privacy, CIPP/E, CIPM, CIPT, CISA, CISM, C|EH, C|HFI, ISO 27001 LA, CISMP, CCNA, CWNA, CCNA (Security), ITIL V3, Prince 2, AMBCS.
If I gave you an extra Pound, how would you spend it on cybersecurity?
I would certainly spend that extra Pound on ‘user education and awareness’. I believe that users are the first line of defence, and if they do not know or understand how to maintain confidentiality of information, or how to secure it appropriately, you not only risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but also risk being in noncompliance with a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities.
You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable. To achieve accountability, the information security and privacy training and awareness program must be well organized, support business goals, and be clearly supported by executive leaders to ensure participation.
How important is it to have a CEO thinking that security matters?
CEOs are the front figures of the organisation, and consumers expect and demand protection of their personal data; they want answers from the CEO whenever a data breach occurs.
It is very important to have a CEO thinking that security matters because he can take the lead and establish a culture of trust among stakeholders and employees. If a cause is important to the CEO, it is important to those down the hierarchy too.
What advice do you have for security leaders?
Security is not simply a CIO, CISO, or IT department issue. Breaches, leaked documents, and cybersecurity attacks impact an organisation’s bottom line, operations and competitive edge. It is a responsibility that must be shared amongst all employees, so CISOs must actively engage and collaborate with all stakeholders to mitigate constantly evolving cyber challenges.
Threats are everywhere and always changing. How to address this difficult reality?
IT security risks take many shapes and forms nowadays. But none of them are impossible to defend against (or at the very least mitigate). By investing in the right people, processes, and technology, organizations can block some of the most persistent threats facing them today. Among those three pillars of cyber security, people are the most important element against ever-changing cyber threats.
To be effective, we not only educate users regarding good security practices in the workplace but also work to provide additional value to the users and promote an “always aware” attitude.
How do you predict the future of authentication in online banking?
Technological advances are giving banks the opportunity to begin moving beyond passwords. Given the poor user experience associated with passwords, rising costs, and the security weaknesses, banks are considering migrating to new digital authentication systems that meet the twin objectives of tightening protection and improving user experience, i.e. behavioural biometrics.
Could you offer advice on how CISOs and CIOs can work together?
The threat landscape may have propelled the CISO into the limelight but the ultimate responsibility for IT rests with the CIO.
My relationship with the CIO (my boss) is very strong and we both work together towards the same goals of accessibility, security and organisational resilience. As information security has increased in importance, the roles of the CISO and CIO have certainly become more collaborative.
It is also critical for CIOs to have effective engagement with their CISOs because they need more and more of their CISOs’ support and expertise at board level; that’s why better communication between the two execs is crucial.
The biggest challenge for CISOs is to explore ways to become better influencers within their organisations, and instead of impeding innovation for fear of cyberthreats, CISOs should seek to be instrumental in aiding organisations to achieve their goal.
While the CISO position has evolved into a more strategic role, so has that of the CIO. So, it is critical that CISOs and CIOs work together and help the business achieve its strategic objectives.