Hazel McPherson is the CISO at ALD Automotive (UK), part of the Societe Generale group. Hazel has more than 20 years of technical and leadership experience across the financial services, retail, manufacturing and health-care industries. She has a Master's degree in Cyber Security and is an active member of the British Computer Society and her local OWASP chapter. Hazel is also a volunteer Chartered membership assessor for the British Computer Society, having been awarded Chartered membership herself in 2009.
Where do you see the difference between Information Security, IT Security and Cybersecurity?
This is a great question and one that crops up all too often. The terms are often used interchangeably and this leads to a great deal of confusion on who does what, and why there are so many different names. For me, Information Security is where you should find the holistic view of governance, assurance, risk, audit, etc. Cybersecurity is a subset of specialist skills and includes red teams (e.g. pen testing, vulnerability management, threat hunting) and blue teams (e.g. cyber defence, security operations, incident response).
The term IT security actually really annoys me. Securing IT is just something that the people responsible for the IT systems and assets should be doing as part of the day-to-day job. Security should no longer be added on afterwards by a separate team; it should be an essential part of being a responsible IT professional in 2019.
How do you convey to the board the message that – with regards to cybersecurity – you can minimize the risk but you are never going to be 100 percent secure?
Having a good relationship with your board makes conversations about cybersecurity a lot easier. Working on that relationship before you need to have a serious conversation about a security incident can only help. It is sometimes easy for people to assume that because you have the word security in your job title, they can breathe a sigh of relief and relax because “we’re covered”.
Having insurance on your car doesn't mean you will never have an accident! Whenever I talk to people about security, I try to explain things in terms of making it more difficult to get in, or giving us more time to detect an attack. If a burglar is faced with deadbolts, an alarm, a large barking dog, and CCTV, they are likely to pass you by and try the neighbour's door first. Layered security makes it more difficult for cyber-criminals, but I am yet to see anything that is completely secure. If someone is desperate enough to break into your network and steal your data, they will find a way eventually.
How do you assess the responsibility of the CISO for educating the workforce?
Awareness and education are such important topics at the moment and almost everyone is talking about having a "culture of security". A culture isn't something that grows overnight though; it takes consistent and prolonged investment, and reinforcement at all levels.
Whilst the CISO may have the deeper subject knowledge and be pursuing education as part of their strategy, getting people around the business talking about security subjects that interest them often results in greater educational outcomes than sitting people in a classroom, or having them take e-learning modules. Of course, awareness and education don't always equal behavioural change either!
In the future I hope that we will have changed the culture in organisations enough so that it isn’t the responsibility of the CISO to educate the workforce on security matters, and that everyone will embrace it as their day to day responsibility.
Ransomware and phishing are among the risks that have threatened all industries recently. From your perspective, how should companies mitigate these risks and what has worked for you?
Having lived through a ransomware attack I’m thankful that I can say the damage was minimal in my case, because we had put good security measures in. Phishing and ransomware often go hand in hand and certainly in my experience of ransomware, phishing has been the route in.
Continue to educate staff and simulate phishing emails so that people know what to look out for. Invest in good email security systems, or a sandbox for email attachments. Block auto-run of files, flag emails from external sources, include disclaimers for staff to remain vigilant, and above all give staff an easy way to ask for help if they are unsure about something they have received. Oftentimes people will know something doesn’t look quite right but due to actual, or perceived, time pressures will proceed anyway if no-one is available to ask for help.
With ransomware, it is really important to have good backups, and a good containment strategy. Ransomware is like water and it will flow into all areas of your network that it can. So look at your network logically and decide how you can segregate areas. If you are using shared file storage, make sure this is also segregated logically too.
If the infected computer has access to shared file locations that are mapped as drives locally then those areas are going to be encrypted with the ransomware too, and the problem becomes bigger. Have a policy of not saving information locally to computers, unless those locations are explicitly part of your backup strategy. Ensure that backups are kept well away from any active areas of the network that ransomware could get to so that the backups don’t become encrypted by the ransomware too.
If you are actively replicating data, think about whether this would be impacted by ransomware too. If you are replicating all your data in real time to a secondary or backup site and that data becomes compromised by ransomware, you are likely to be replicating the compromised data too. There are some good security products available now to help with tackling the risk of ransomware and whilst it hasn’t gone away, ransomware is reported to be declining. Phishing, however, is as popular a method of attack as ever so you should invest in mitigating controls for both.
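The replication point above can be made concrete with a small simulation. The following is an added example written for this page, not code from the interview, from ALD Automotive or from any product: a real-time mirror copies whatever is on the mapped share, so encrypted files replace the clean ones, whereas an append-only snapshot store that refuses writes which look encrypted keeps the earlier versions. The file names, the `.locked` extension, the ransom-note names, the 7.5 bits/byte entropy threshold and the toy XOR keystream "cipher" are all hypothetical, and the share contents are constructed sample data.

```python
# Added example (not from the interview): mirror vs. gated versioned snapshots
# under a ransomware write. Names, thresholds and the toy cipher are made up.
import hashlib
import math
import os
from collections import Counter

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}          # hypothetical
RANSOM_NOTE_NAMES = {"README_DECRYPT.txt", "HOW_TO_RECOVER.txt"}  # hypothetical
ENTROPY_THRESHOLD = 7.5  # bits per byte; random-looking data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Suspicious extension, ransom-note name, or high entropy. Caveat:
    compressed or legitimately encrypted files also score high on entropy."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SUSPECT_EXTENSIONS or os.path.basename(name) in RANSOM_NOTE_NAMES:
        return True
    return len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD


class MirrorReplica:
    """Real-time mirror: an exact copy, so encrypted files replace clean ones."""

    def __init__(self):
        self.files = {}

    def sync(self, share: dict) -> None:
        self.files = dict(share)


class GatedSnapshotStore:
    """Append-only versions; writes that look encrypted are quarantined."""

    def __init__(self):
        self.versions = {}
        self.quarantined = []

    def sync(self, share: dict) -> None:
        for name, data in share.items():
            if looks_encrypted(name, data):
                self.quarantined.append(name)
                continue
            history = self.versions.setdefault(name, [])
            if not history or history[-1] != data:
                history.append(data)

    def restore(self, name: str):
        history = self.versions.get(name)
        return history[-1] if history else None


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the attacker's cipher: XOR with a SHA-256 keystream (not secure)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def run_scenario() -> dict:
    """One clean replication cycle, then one after a workstation with the
    share mapped as a drive has encrypted and renamed everything on it."""
    share = {  # constructed sample contents of the shared drive
        "finance/q3_report.txt": b"Quarterly report: revenue up 4%, costs flat. " * 60,
        "hr/policy.txt": b"Report suspected phishing to the helpdesk at once. " * 40,
    }
    mirror, snapshots = MirrorReplica(), GatedSnapshotStore()
    mirror.sync(share)
    snapshots.sync(share)

    # Ransomware on the infected workstation flows into the mapped share:
    # originals are encrypted, renamed with .locked, and a note is dropped.
    infected = {n + ".locked": toy_encrypt(d, b"toy-key") for n, d in share.items()}
    infected["README_DECRYPT.txt"] = b"Your files are encrypted. Pay to recover them."
    mirror.sync(infected)
    snapshots.sync(infected)

    report = "finance/q3_report.txt"
    return {
        "mirror_has_clean_report": report in mirror.files,
        "snapshot_restores_report": snapshots.restore(report) == share[report],
        "quarantined": sorted(snapshots.quarantined),
        "entropy_plain": round(shannon_entropy(share[report]), 2),
        "entropy_locked": round(shannon_entropy(infected[report + ".locked"]), 2),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows the mirror no longer holding the clean report while the snapshot store still restores it and lists the three suspicious writes as quarantined. The entropy heuristic is deliberately crude: archives, images and legitimately encrypted documents also score near 8 bits/byte, so a real gate needs an allow-list or per-file baseline, and the durable answer remains backups that the share-connected hosts cannot write to at all.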
How can CISOs balance security and innovation?
This is an interesting question because it leaves me feeling that somehow there can’t be both security AND innovation? Or that innovation can’t be secure? In fact, I think that the world of security is one of the most innovative spaces to be in at the moment.
What the CISO can do is spend time understanding the aspirations and direction of the company and then work with teams to create some foundational building blocks on which to be innovative. Simple things can often be forgotten in the excitement of innovation, so have those guidelines documented, clear, and available for people to refer to. I don't mean endless lengthy policies of "dos and don'ts".
Be part of the innovation! Create flow diagrams, web content, videos, whatever is easiest for people to consume that gets the message across. Then give them safe spaces to create in, away from your live environment and data. Always look for new ways to ensure you are as secure as you can be, within the risk appetite of the company. Use technology to help you, especially around breach detection and response. Employ experts in the security team to work alongside the innovators and build a foundation of trust.
How might we address the perception of cybersecurity holding back the business?
It’s difficult to find a balance in an ever-changing world of security. There are constantly moving boundaries and new threats in almost everything we do in technology. There are, however, the security ‘basics’ or ‘foundations’ that I previously spoke of, that we should all be doing as part of being a responsible technology user. If the business thinks that security is holding it back by implementing the foundations, well then the future of that company may very well be short lived anyway.
Where the CISO can help further is to work within a clearly defined risk management process. Agree what does, and does not, fall within the interests of any regulations, laws, and contractual requirements. Understand what threats are relevant to the business and communicate these through the risk management process so that the business decides what is acceptable to them, or not.
It is really important for the security team to spend time explaining the concerns, or risks, in language that is understood by the business.
If non-technical examples can be used to explain security issues then the business is likely to have a greater understanding of the importance, and a greater level of patience whilst these issues are addressed.
Having spoken to a lot of people in the security industry, there are very few who don't have the ability to see security from multiple viewpoints, and simultaneously understand the business needs, and support its development and growth. Good cybersecurity can be a business enabler, so anyone who isn't embracing it is probably missing out!
Security is a really interesting space to be in at the moment, and I can only imagine that it will become much more interesting.
The rate at which we continue to adopt new technologies, and the rate at which cyber-criminals continue to find new ways to exploit them, drives innovation at a rate that I have not previously seen. Many organisations now recognise the importance of good cybersecurity and embrace this with their investment in skilled people and new technologies.
Cybersecurity needs to be on everyone’s roadmap, regardless of the size of the business, and needs a voice at the top, where strategy is decided and budgets are agreed. There is no silver bullet though – security needs long term strategic planning and control, and ongoing investment in people, process, and technologies. If you still think that investing in security is expensive, then take a look at some of the news headlines recently and consider how expensive the alternative could be for your business.