Milen is a result-driven and resourceful Chief Information Security Officer with more than 10 years' executive leadership in the financial and commercial sectors. He holds a master's degree in Information Security and Risk Management.
He started his career as a hardware engineer and held various roles in the information technology, security, audit and assurance fields. With a strong technical background and experience as an internal auditor, Milen has developed an admirable mixture of skills from business, technology and security.
Currently, Milen is leading security and technology initiatives as the Chief Information Security Officer at MyPOS Europe, an innovative fintech company specialising in e-money and payments solutions for micro and small businesses.
What is your overall approach to information security?
The common response to this question is “a risk-based approach that is aligned to international best practices and frameworks”.
I have learnt from experience that information security must be part of company culture. It is embedded in the core of the institution and cannot exist on its own. The successful approach must meet the following principles:
- Aligned with the organisation’s strategy and business objectives
- Aligned with the regulatory framework the organisation operates within
- Supported by senior management.
Without aligning information security to the business strategy and objectives, security will become a blocker, and often colleagues will have to circumvent security controls in order to achieve what senior management expects from them.
This is likely to result in an alienation of the security function from the rest of the business. Therefore, security will lose its value to the organisation.
Without aligning with the regulatory framework and requirements there is a material risk, which can cause a regulatory breach and, in many circumstances, lead to reputational loss or even loss of the business. Consumers, regardless of the sector or the industry, are looking at different information sources and peer networks to make decisions before they purchase a service or a product. Non-compliance with regulatory requirements is no longer measured only by the financial impact of a fine but also by the reputational damage it might cause.
Without senior management support, it would be very difficult not only for information security management to secure the required resources to implement the approach, but also to deliver the cultural change in the organisation. One of the easiest wins for implementing security and a security culture is to use senior managers as role models.
This is a “free service” every Chief Information Security Officer should use for adoption, as well as limiting and tackling the change resistance at the operational level.
For security executives who don’t have a strong relationship with their board, how can they improve it?
Learn to speak their language and then talk to them. Identify their needs and priorities. Talk to board members individually as well as in meetings. Find the answer to each individual board member's question "what's in it for me?" and use that. Board members are appointed to ensure that the company is profitable, to increase company value and to deliver return on investment for the shareholders.
Use this and ensure that every time you deliver a message to the board and individual members it is clear what the value is to the organisation, whether it be the savings, the financial loss reduction or the financial value added.
Some people call for daily security drills and exercises at all levels of an organisation to help reinforce defensive strategies. What are your thoughts on this?
“It really depends”.
What is right for one organisation will certainly not be for another one. Security, as well as all the other support functions, should enable the business to achieve its goals and objectives. In security, there isn’t a one size fits all model or approach.
In order to mandate and to be able to defend such an approach, I would expect the organisation to have a very broad attack surface that is subject to various attacks. Otherwise, the content for these drills would be repetitive, attendees will quickly lose focus and the initiative will not be productive.
If we take as an example a department store, daily security drills and exercises cannot be justified, which can be easily evidenced in a simple risk assessment, and will most likely have a negative financial impact. The reduced time employees spend with customers, supporting them with their purchases, will in the end likely lead to failure, not just for the security education and awareness approach but perhaps the entire information security strategy.
On the other hand, if we take as an example a company which is offering security as a service, this approach can be acceptable and likely to increase the value added to the organisation. The daily drills and exercises can be used to prepare consultants to deal with various scenarios and to prepare them to react faster and with better quality when dealing with a customer incident – a strong marketing point that can be used as an advantage against competitors.
Threats are everywhere and always changing. How do you address this difficult reality?
Invest in your team and colleagues to enhance awareness within your organisation with general and tailored security training and awareness exercises. Your team and employees are the most valuable assets. Motivate them, challenge them and show them that you and the other senior managers value them and their work. Make them ready for the upcoming changes.
This will enhance the quality of work, improve productivity and response time and will minimise/eliminate the effect of any material threats or events.
We would never be able to operate with the budget available to the bad guys out there, and if you add the changes in processes and technologies, it becomes almost impossible for the security function in any organisation to keep up to speed.
Investing in employees' training and education is the key, because the design, the implementation and the operation of every process and technology all come down to an individual who designed, implemented and operated that process or technology. Even with the latest processes and technologies, in the end it all comes down to individuals making the right decisions and taking the right action.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
The ideal situation is when the Information Security function is considered a trusted partner and, as a partner, it is involved from the very beginning for any new product or service. To achieve this, the Chief Information Security Officer must have built a strong relationship with the company's senior managers. It is vital that the security agenda and approach are based on and fully aligned with the business strategy and objectives; only then will the security function step outside of the "No" shadows and no longer be seen as the blocker of innovation.
If the organisation has not achieved this level of maturity, my advice would be to focus on building this relationship as a priority and, in the background, to work with the business on the next products and services as early as possible. Approach everyone with a "Yes" approach, rather than "No". Focus on the minimum controls required in the organisation's control framework and use your SME knowledge to allow you to say "Yes". If this is not possible, be flexible and think about compensating controls that reduce the risk to an acceptable level, and when you do the risk assessment take into consideration the cost of lost business opportunity because of product/service delay.
How important is being able to communicate with your colleagues?
I personally think that communication, the ability to lead a conversation and pass on a message, is one of the most important, if not the most important, abilities of a modern Chief Information Security Officer (CISO). Without communication, there can't be a relationship with the team.
There is a very interesting and powerful TED talk from John O’Leary, “The importance of good conversation – and how to have it”. The closing statement “great achievements come only after great conversations”, still resonates with me and I think it summarises the importance of quality communication.
If I had to apply the information security lens to this TED talk, I would say a CISO should be able to listen and adapt to different conversations. A CISO should be a great listener and influencer, in order to be able to sell his ideas and to obtain the buy-in from the board and senior managers.
To do that, it is vital for the CISO to be able to translate technical and security information into a business language, one that his senior managers and colleagues can understand. They should be able to convey messages and quickly switch from high level overview to details and vice versa based on who is in the audience.
A modern CISO should be able to communicate not only with security employees, but should also be able to communicate downwards, upwards, sideways and externally with regulators, vendors and other CISOs across the industry.
A CISO should be able to engage at all levels within the organisation with both technical and non-technical SMEs in order to be able to influence and to drive the security culture, because security is everyone's responsibility.
A CISO should be able to engage successfully with regulators, especially for regulation-heavy sectors such as banking and finance.
“Great achievements come only after great conversations”. I will use John’s closing statement again with a hope that this will resonate with other CISO colleagues and senior managers across the different organisations.
My advice to all CISOs who have not built relationships with their board members and peers – initiate the dialogue and listen. Use tools like the Board toolkit: five questions for your board’s agenda published by NCSC, if needed.
Engage with industry peers and utilise ecosystems like the Cyber Startup Observatory because together we are strong and we might have a chance against the bad guys out there.
I would also like to appeal to board members and senior managers who don’t have great relationships with their CISOs – give them a hand and bring them on the journey with you. It is not important who takes the first step, but rather it is important to walk together in the same direction.