Arun DeSouza is currently Chief Information Security & Privacy Officer at Nexteer Automotive Corporation. Arun has extensive global IT and security leadership experience. His interests include the Internet of Things (IoT), security analytics, blockchain and quantum computing.
Arun’s areas of expertise include strategic planning, risk management, identity management, cloud computing and privacy.
Arun earned M.S. and PhD degrees from Vanderbilt University and is a Certified Information Systems Security Professional (CISSP). He has won multiple industry honors: CSO50 Award, Computerworld Premier 100 IT Leaders Award, CIO Ones to Watch Award, Network World Enterprise All Star Award.
Can you tell us a little bit about Nexteer Automotive?
Nexteer Automotive – a global leader in intuitive motion control – is a multibillion-dollar global steering and driveline business delivering electric and hydraulic power steering systems, steering columns and driveline systems, as well as ADAS and automated driving enabling technologies for OEMs around the world.
Nexteer has more than 110 years of automotive experience, and today, we serve more than 60 customers in every major region of the world. Our global workforce of more than 13,000 is a rich tapestry of people of diverse cultures filled with a collaborative spirit and passion for relentless innovation.
Why did the role of CISO appeal to you?
The CISO role is a real challenge, especially in my case, where leadership of an integrated information security and privacy program (IS&P) is in scope. IS&P is now a strategic business responsibility in this modern digital era fueled by macro trends such as the Internet of Things (IoT), global privacy regulations, etc. IS&P has major financial implications (e.g. upper limit fines for the Global Data Protection Regulation = 4% of global revenue). The CISO role must transcend the technical dimension and integrate People, Process & Technology, as well as leverage envisioning, story-telling and change management skills to develop and communicate the business value of IS&P, minimize risk and enable business objectives.
How can security executives get buy-in from the top?
Security executives can get buy-in from the top through a process which relies on the following guiding principles:
- Develop and build relationships and earn trust
- Communicate with business leaders in layman’s terms
- Align cybersecurity goals to business mission and objectives
- Identify key initiatives to mitigate business risk
- Leverage simple visual dashboards to illustrate progress and opportunities
- Use storytelling to illustrate cybersecurity business value and positive outcomes
In an information technology environment where personnel are taking on increasingly complex responsibilities, what do you think is the role of cyber security awareness training?
According to ETC Tech Solutions, around 90-95% of security incidents are caused by human error. Enlisting workforce members as the first line of defense is critical. Cyber security awareness training can be a game changer by providing workforce members with the knowledge and skills required to protect themselves and the enterprise from rapidly evolving threats such as social engineering, phishing and malicious e-mails.
Cyber security awareness training can reinforce the benefits of a layered security architecture by empowering the workforce and helping promote a security first culture and a sense of ownership.
Your business is only as strong as your weakest partner. Can you trust that your partners are keeping your data safe from attackers? What are the key strategies to address this challenge?
The following guidelines can help enhance business partner security:
- Provide a standard screening checklist before contracts are signed and review it
- Request and review Service Organization Control reports from independent third parties
- Include appropriate security constructs in the contracts, including right to audit
- Conduct a risk assessment during the due diligence process prior to engaging a partner
- Ensure partners have proper administrative, technical and physical safeguards in place
- Include security and usage expectations in contracts (e.g., compliance with company security policy, reporting incidents, safeguards for systems and data protection)
- Require individual accounts for access and prohibit shared accounts
- Use strong authentication schemes and Multi-Factor Authentication (MFA)
- Use encrypted connections for data in transit; log all access and activities
- Review access logs for suspicious activities (e.g., multiple failed logins)
- Implement onboarding and offboarding processes (authorize & deactivate users)
- Complete periodic user access reviews and foster governance
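The partner-access controls in the checklist above (individual rather than shared accounts, MFA, encrypted connections, logging, failed-login review and offboarding) can be checked mechanically during a periodic access review. The script below is an added example, not code from the interview or from Nexteer; the log format, the `OFFBOARDED` register and the one-account-many-sources heuristic for a shared credential are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample partner access log (not real data). Fields per line:
# timestamp, partner account, source IP, transport, MFA flag, result
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vendor.alice 203.0.113.10 tls mfa=yes result=success
2024-05-01T08:00:05Z vendor.alice 203.0.113.10 tls mfa=yes result=success
2024-05-01T08:02:10Z vendor.shared 198.51.100.7 tls mfa=no result=success
2024-05-01T08:02:30Z vendor.shared 198.51.100.9 tls mfa=no result=success
2024-05-01T08:05:00Z vendor.bob 203.0.113.22 tls mfa=yes result=failure
2024-05-01T08:05:10Z vendor.bob 203.0.113.22 tls mfa=yes result=failure
2024-05-01T08:05:20Z vendor.bob 203.0.113.22 tls mfa=yes result=failure
2024-05-01T08:05:30Z vendor.bob 203.0.113.22 tls mfa=yes result=failure
2024-05-01T08:10:00Z vendor.carol 192.0.2.5 plain mfa=yes result=success
2024-05-01T08:12:00Z vendor.dave 192.0.2.8 tls mfa=yes result=success
"""

# Hypothetical offboarding register: partner accounts that should already be deactivated.
OFFBOARDED = {"vendor.dave"}
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, account, ip, transport, mfa, result = line.split()
    return {"ts": ts, "account": account, "ip": ip, "transport": transport,
            "mfa": mfa == "mfa=yes", "success": result == "result=success"}


def review_partner_access(log_text, offboarded=OFFBOARDED, threshold=FAILED_LOGIN_THRESHOLD):
    """Return {finding category: sorted list of accounts} for the review."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = Counter()
    ips_by_account = defaultdict(set)
    findings = defaultdict(set)
    for e in events:
        if e["success"]:
            ips_by_account[e["account"]].add(e["ip"])
        else:
            failures[e["account"]] += 1
        if e["account"] in offboarded:          # offboarding process gap
            findings["offboarded_account_used"].add(e["account"])
        if not e["mfa"]:                        # MFA requirement not met
            findings["no_mfa"].add(e["account"])
        if e["transport"] != "tls":             # data in transit not encrypted
            findings["unencrypted_transport"].add(e["account"])
    for account, n in failures.items():
        if n >= threshold:                      # repeated failed logins
            findings["repeated_failed_logins"].add(account)
    for account, ips in ips_by_account.items():
        if len(ips) > 1:   # heuristic: one account from several sources suggests a shared credential
            findings["possible_shared_account"].add(account)
    return {k: sorted(v) for k, v in findings.items()}
```

Each finding maps back to one checklist item, so the output doubles as the evidence list for the periodic user access review.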
How can CISOs balance security and innovation?
The following guiding principles can help CISOs balance security and innovation:
Business Partnership: work with the business and the CIO to pro-actively align priorities, assess risk and implement appropriate administrative, physical and technical safeguards.
Convergence: deploy a layered security architecture integrating data and applications. Unify data management with identity and access management to foster innovation and protect security and privacy.
Change Management: drive and manage change in concert with IT and business leaders to leverage synergy and avoid gaps in stakeholder expectation. Adopt a proactive approach to IT change to foster innovation while balancing security and privacy.
Strategic Planning: build a cybersecurity strategic plan with clear targets and strategic goals supporting business objectives.
Could you offer advice on how CISOs and CIOs can work together?
- Build a trusted partnership centered on mutual support and collaboration
- Develop and execute priorities jointly
- Enable the business, develop a shared vision and support the business together
- Establish and respect scope and boundaries for each role while working in synergy
- Foster a culture of respect and trust across organizations
- Leverage constant communication to build a strong relationship and minimize conflict
Cyber security and privacy management is the new frontier in this era of the 4th Industrial Revolution. The following are key themes which are relevant today:
Leverage Security as a Business Enabler: foster innovation and value; minimize risk.
Reengineer Business Processes: drive transversal change and enhance business efficiency.
Transform Security Culture: integrate People, Process & Technology across the enterprise.
Use Identity as the Digital Perimeter: Use identity as a cornerstone for Anytime, Anywhere, Authorized Access to applications and data using Zero Trust and Software Defined Perimeter.