Chris Hodson is the CISO, EMEA at Tanium. Chris is an information security, data privacy and risk management leader with an SME background in strategy, architecture and design. He possesses 18 years’ professional experience obtained across the financial, retail, energy and media industry sectors. In early 2016, Chris made the move from end-user into the vendor space with Zscaler, where he operated as CISO, EMEA and Data Protection Officer. As a CISO, Chris is a trusted advisor to executives, board members and other stakeholders, helping them define well-balanced strategies for managing risk and improving business outcomes. Chris holds an MSc in Cybersecurity from Royal Holloway University London and retains an active role in the Infosec industry through directorship of the IISP and membership of CompTIA’s Cyber Security Committee.
You recently published ‘Cyber Risk Management’ – what is the book about and what drove you to embark on this adventure?
Simply put, I think we often misappropriate cyber security nomenclature. We speak of vulnerabilities when we mean threats, or we consider the theoretical in isolation from the exploitation necessary to cause business disruption. ‘Cyber Risk Management’ was somewhat of a cathartic exercise for me, an opportunity to document the constituent components of the cyber risk equation and present each within a specific chapter.
- How many endpoints do I have?
- Where do these endpoints reside?
- What applications are running on my workstations?
- Which applications have vulnerabilities?
- What is my Mean Time to Patch (MTtP)?
- What is my Mean Time to Detection (MTtD) of malicious activity?
Once a security function feels comfortable with their baseline security posture, that’s the time to focus on specific threats based on myriad factors such as industry vertical and organisational risk appetite. In my opinion, too many organisations forget the basics such as patching vulnerabilities in favour of shiny tooling. We must go back to basics; a cybersecurity house of cards provides a false sense of security and leaves an organisation unnecessarily vulnerable.
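As an added worked example (not from the book or the interview), the baseline questions above computed over a small constructed inventory. The hosts, sites, application names, vulnerability labels and dates are all made up for illustration; the only point is that each question has a concrete, measurable answer once the inventory, vulnerability and detection records exist.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from any real estate): three workstations,
# the applications found on each, and the known vulnerabilities per application.
ENDPOINTS = [
    {"host": "ws-001", "site": "London office", "apps": ["browser", "pdf-reader", "office-suite"]},
    {"host": "ws-002", "site": "Remote/home", "apps": ["browser", "office-suite"]},
    {"host": "ws-003", "site": "Remote/home", "apps": ["browser", "pdf-reader", "vpn-client"]},
]

# One row per (host, app, vulnerability). Identifiers are placeholders, not real CVEs.
# 'patched' is None while the fix is still outstanding on that host.
VULNS = [
    {"host": "ws-001", "app": "pdf-reader", "id": "VULN-A", "disclosed": date(2019, 3, 1), "patched": date(2019, 3, 11)},
    {"host": "ws-003", "app": "pdf-reader", "id": "VULN-A", "disclosed": date(2019, 3, 1), "patched": None},
    {"host": "ws-001", "app": "browser", "id": "VULN-B", "disclosed": date(2019, 3, 10), "patched": date(2019, 3, 14)},
    {"host": "ws-002", "app": "browser", "id": "VULN-B", "disclosed": date(2019, 3, 10), "patched": date(2019, 3, 20)},
    {"host": "ws-003", "app": "browser", "id": "VULN-B", "disclosed": date(2019, 3, 10), "patched": None},
]

# Constructed incidents: when malicious activity began on a host vs when it was first detected.
DETECTIONS = [
    {"host": "ws-002", "started": date(2019, 3, 12), "detected": date(2019, 3, 14)},
    {"host": "ws-003", "started": date(2019, 3, 5), "detected": date(2019, 3, 15)},
]

# Reporting date for the "how long has this been open" questions (constructed).
AS_OF = date(2019, 4, 1)


def endpoints_by_site(endpoints):
    """How many endpoints do I have, and where do they reside? -> {site: count}"""
    counts = {}
    for e in endpoints:
        counts[e["site"]] = counts.get(e["site"], 0) + 1
    return counts


def installed_applications(endpoints):
    """What applications are running on my workstations? -> {app: number of hosts}"""
    counts = {}
    for e in endpoints:
        for app in e["apps"]:
            counts[app] = counts.get(app, 0) + 1
    return counts


def vulnerable_applications(vulns):
    """Which applications currently carry at least one unpatched vulnerability?"""
    return sorted({v["app"] for v in vulns if v["patched"] is None})


def mean_time_to_patch(vulns):
    """MTtP in days, measured disclosure -> fix applied, over vulnerabilities that
    have actually been patched. Open items are deliberately excluded here so the
    average is not flattered or hidden; exposure_over_sla reports those separately."""
    durations = [(v["patched"] - v["disclosed"]).days for v in vulns if v["patched"] is not None]
    return mean(durations) if durations else None


def mean_time_to_detect(detections):
    """MTtD in days from start of malicious activity to first detection."""
    durations = [(d["detected"] - d["started"]).days for d in detections]
    return mean(durations) if durations else None


def exposure_over_sla(vulns, as_of, sla_days):
    """Unpatched vulnerabilities open longer than the patch SLA: (host, app, id, days open)."""
    overdue = []
    for v in vulns:
        if v["patched"] is None:
            open_days = (as_of - v["disclosed"]).days
            if open_days > sla_days:
                overdue.append((v["host"], v["app"], v["id"], open_days))
    return sorted(overdue)


if __name__ == "__main__":
    print("Endpoints by site:", endpoints_by_site(ENDPOINTS))
    print("Installed applications:", installed_applications(ENDPOINTS))
    print("Applications with open vulnerabilities:", vulnerable_applications(VULNS))
    print("MTtP (days):", mean_time_to_patch(VULNS))
    print("MTtD (days):", mean_time_to_detect(DETECTIONS))
    print("Open beyond a 14-day SLA:", exposure_over_sla(VULNS, AS_OF, 14))
```

The split between `mean_time_to_patch` and `exposure_over_sla` is the practical caveat: a mean computed only over closed items looks healthy while hosts that were never patched (here the remote workstation ws-003) sit outside the metric entirely, so the two numbers must be reported together.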
How do you foster an image of information security being there to support the business rather than just being about raw technology?
Infosec needs to remain relevant in a world of continuous integration, Agile and digital transformation. Business units have access to Software as a Service (SaaS) solutions which allow instantaneous provisioning and a low friction engagement model. The IT and cybersecurity teams are often no longer the custodians of endpoints, nor the provisioner of applications that a user is accessing.
To support modern business, the infosec team needs to provide tools and guidance to empower the workforce. Waterfall-based security engagements have historically included verbose design documentation and protracted penetration testing cycles.
These time-consuming processes don’t align with the organisation which needs to exploit first-mover advantage and DevOps based models for software development.
Many of the information security teams I work with are exploring the concept of a ‘business information security officer’ (BISO) – a security leader who familiarises themselves with a specific business unit, understanding the critical assets, information stores and stakeholders to serve their needs better. This approach provides a better context for risk management and information protection.
How do you assess the responsibility of the CISO for educating the workforce?
How many times have you heard that ‘security is everyone’s responsibility’? It is, but the CISO and team have real skin in the game when it comes to cybersecurity education and awareness. Any organisation with a progressive cybersecurity education programme ensures that the ‘why’ of cybersecurity is disseminated from the very top – company executives need to adhere to the same practices as anyone else throughout the company.
The requirements for cybersecurity education need to be an initiative which fosters a culture of openness and transparency. Users are going to make mistakes – they’re human! It is important that staff know what to do when they encounter a suspicious-looking email, or accidentally open a file which causes their machine to behave erratically.
Whereas awareness should be a systemic organisational initiative, much like health & safety, education can be focused on specific areas of the business. Software developers, for example, require targeted training on how to develop code with security baked in. Helpdesk and reception staff need training and education which covers methods of social engineering.
The CISO is ultimately responsible for ensuring that staff members understand their responsibilities for information protection and cybersecurity, although each member of staff is ultimately accountable for acting responsibly and adopting a healthy caution when interacting with technology.
How do you communicate information security issues to the board?
CISOs have the difficult job of delivering meaningful metrics to a board of directors that is not made up of security professionals. In order for them to communicate security and risk effectively, they need to meet board members where they “live” – meaning they need to be talking about the same objectives if the metrics are to make sense.
CISOs need to understand a company’s business objectives – what makes the company tick and which objectives are being measured by the c-suite? Some organisations are looking to shorten the time for onboarding acquired companies; others are looking to decrease operational expenditure.
Some businesses are focusing on improving user experience and customer satisfaction.