S2E08: About CISO, and IT Security Part 2/2

Is this something which is prevalent in Malaysia only recently?Because like, maybe it's undergoing a transition?Because some of the roles which you mentioned actually,they seem to be relatively new?Is that what's happening?[Music]Ladies and gentlemen, welcome to SecurityLah podcast.Season 2.[Music]No, I think it's across the board.We're seeing that across Asia.You know, it's not just Malaysia per se.It's, I don't know, Sky, you might take this one on,but to me, what I see is it's the progression of the organization as far as maturity is concerned.So they go through this maturity process where they start off with a one man security guy who is from IT, who's just like,okay, I assign you, you do everything security.And usually organizations go through this process where they get hit really bad.And suddenly the boss says, how come you guys haven't focused on security?So you get all the head counts and everything gets approved.So first the team builds, oh, we need an IT security team.Okay, I get one manager in, get a few guys under him.Now you guys run the show.And then IT operations are going to say, hmm,I have all this infrastructure, which is not IT core,but security core, so let me push it to them.So then you have like firewalls, IDS, IPS, SIEM and all that kind of stuff.Let's push to IT security operations.They're like, wow, I thought I'm just doing security.No, I have to handle this operations as well.So they're going to start doing parallel stuff to what IT ops going to do.They're going to do things like backup, recovery for the security devices,configuration management, patch management for security devices.Then they realize, hmm, we're doing all this,but then the business is now shouting, hey, I got this project going through.How come no one is helping me?IT ops is going to say, look, I no longer handle all these devices.You want help on this area?You go to the security ops, the sec ops guys,and security ops will say, oh, I got to do this also.Okay, what do you want me to do?I got 250 firewall requests all staggered over.It's due yesterday, so you better get on it and do it within one hour.So you have security ops guys scratching their heads.Suddenly you say, hey, I got this whole new function I have to do,but I only got three persons late and three persons going to start struggling.Project gets delayed.Then go to IT staring com or board.They start bank table.Project get delayed or all security fault.Then security hands say, boss, I don't got three person only boss.I have to manage security.You prioritize, you make sure you prioritize your work.They won't give extra accounts.You prioritize your work.You're not managing the team properly.So guess what?Wait, wait, wait, story doesn't end yet.This is the best part.Then they're like pro business. Okay.We pro business do all the business requests.Guess what?Somebody hacks system goes down.They go back up to IT staring com and the board.Hey, what's in your title?Security.That way you never do security.You guys are not doing your job.You know what?I wish I wish that you could perform a live drama.Yeah.Yeah.Yeah.This doesn't just happen in one organization.I see this all over the place.Just repeating, repeating, repeating.You know, it's all over the place.Like what Sky said.Yeah.Sky you've been around in a lot of places.And frankly, the story still doesn't end there because then bank comes in in 2019 and they say, Hey, you need to comply to this new set of guidelines.I think they say, who's doing it?Is it a CIO or the IT security head?Yeah.So Doc actually just perfectly dramatized the evolution of the IT and security roles in Malaysian organizations.I can bet you all those who are hearing this podcast, they're going to be nodding their heads.Some going to be tearing and say, so true.Finally somebody says it.Finally someone understands me.I think what we need to do is, what we need to do is after all the discussions, what would be the ideal structure or org structure for the entire IT operation, including compliance, security?Remember we talked about who reports to who and all that.What do we think would be the ideal reporting structure?Firstly, CISO must have a purview at the board.And a lot of things, if you ask me, should be board driven rather than management driven.I'll tell you why.When it's management driven, management is focused on delivering what the company wants to go ahead from that stance.So board will start looking at it and say, we shouldn't just look at the organization doing all these 10,000 things.We also need to make sure while we're doing these 10,000 things, the environment must continue to be secure.Besides just supporting the business to grow, which means that you must have resources.And resources can be in the form of people, process and technology.Our favorite catchphrase.You must have enough people to do the work.If you don't have enough people to do the work, guess what's going to happen?That work that needs to get done is going to eat up all the other functions that the team will need to do.So instead of someone looking at the firewall logs, the person is going to sit down and do firewall rule set because look, I got people shouting at me to do this.So I'm going to do that.So you're going to start sacrificing things.An organization needs to grow organically from people perspective.If you have 10,000 projects you want to get done in a year, the first thing that everyone should look at is, do we have enough people or resources for us to deliver this 10,000 things?Or if you want it to be more agile, faster, then can we invest on some level of automation?So for example, you do have certain tools that allows you to automate firewall rule set deployments.Maybe that's something that you can do.I'm just using firewall as an example because in large organizations or for example, financial institution, that's one of the big things that the security teams do or firewall rule set.Almost every week got some changes.Let me cut you there, Doc.So are you saying this responsibility of rules set and management in the firewalls should go under CISO?What I'm saying is the CISO should have purview of operations.That means he should be able to control because again, I go back to my earlier point, people process technology.You must have enough resources for you to be able to do the work you need to do, which means you need to be able to keep the organization secure against all the new threats, the APTs, the nation states, the gangsters and everyone else.And you should also be able to support the business because end of the day for me, CISO is still a business leader, but within being a business leader, you have that portfolio.That's why you carry an S in the title.There's a security there.So you cannot just say, I'm just pro business all the time.You have to play that governance role.So you have operations, you have risk management, you have governance.You need to balance it out.And some people might say, oh, you know, we should split it, put it in two primary roles.You can have head of IT operations, head of IT security operations,and you have the CISO.Then the question is, can the CISO control security?If he, she, they can't, then you have a problem because then security will go in one tangent.CISO will go in another tangent.And end of the day, you create this hostile environment where the CISO is constantly picking on the IT security operations and the security operations is really upset because the CISO is supposed to be an ally,but instead he's just poking holes and finding fault with them.So let's be bold here.I've typed into the chat.Should we go out there and say, hey, we are going to suggest that there should be only two pillars in IT.The CIO takes care of all the IT operations like database, network connectivity, cloud, digital applications, and blah, blah, blah.And then there is another pillar that it is headed by CISO, which is pro business, which is risk and governance, and also IT security operations should fall under the CISO purview.I completely agree.Then the CISO cannot say I'm not responsible for security.That's my view.That's also my view.But the question rings in my head, then who is going to do the check and balance?Because currently, you know, CISO is doing the check and balance on IT, right?Not so.You still have compliance.Okay, let's use FI or a financial institution for an example.You have compliance team that does compliance check.You have audit that audits you.You have regulator that also looks at you.And you have your external auditors who also look at you.So if you ask me, you're pretty much looked at by everyone.So do you need another person to look at?Not going to help.Okay.If I'm not, if I'm not cleaning my IDs on time, all these five people are going to find that I'm not cleaning my IDs on time.Period.It's not going to change.The only thing is one person may look at one area, another person may look at another area, but the outcome is still the same.That's the other thing.Do security organizations even have resource to do compliance and governance work?For example, an auditor comes to you bang table.I want the list of all the active IDs by today.And then you have the CDO and come and whispers to you.Make sure you finish my firewall deployment.Otherwise I'm going to bring it up to the CEO.So who does this guy do?What does he do?Right.I have a comment here.I think maybe what we have been discussing all this while, large organizations would do better.If you look at what we have just discussed, actually before we started.The CISOs in reality, CISOs are doing anything but strategic stuff.For most of the organizations, do we have the capability to, to implement what was just discussed then?Or are we still talking at a very far fetched ideal situations?What's the incentive for organizations to divert their resources for this away from those that deliver near term returns?Because the reality is that at this point in time, most of the CISOs are doing anything but strategic work.Enjoying the show so far?Subscribe now so that you don't miss out on the latest episode.We are available on Spotify, Apple Podcasts, Google Podcasts, and many other platforms.Visit podcast.securitylah.asia to get the links to subscribe.You're absolutely right.I go back to my earlier point about maturity and maturity comes in when an organization gets hit.Suddenly they become more mature than where they were five, six years ago.For example, I give you a non-IT example.We know about Malaysian Airports Berhad.They replaced their call switch after 12 years.And the reason was very simple.If it doesn't break, don't fix it.Leave it running.And it broke.And it broke.So you have incurred a huge technology debt, which now you now have to service the interest and the principle.And that's what happens.Then security is always on a reactive approach.So if that's the case, then is cybersecurity actually worse off than before?In most organizations, it is.If you look at all the news about organizations getting hacked, it's not because they don't know that they need to do cybersecurity.It's just an option that they feel is not going to happen to me.Nobody's interested in me.I'm just business X.Nobody cares about me.Until they get hit, that's when they realize, oh, we have to do something about it.That's the part where the board wakes up and says, oh, we cannot look at numbers anymore.We have to do something about it.Which is why in Malaysia, the central bank mandates that they have a board IT committee, which specifically looks at IT as well as security.And you also have a board risk committee, which looks at the overall organization risk.And the reason is because you have one board that looks at from the risk perspective, the monetary aspect of things.Now you have another board committee that specifically looks at IT because traditionally, if you look at board of directors, they are usually financially centric.They're not, you don't see CIOs sitting on boards unless if they are tech companies, startups, then you see CIOs, CTOs or techies sitting in the board.You will always see financially focused people sitting on board.And as a result, a lot of the decisions made for the organization will always be financially centric.Okay, who has a higher risk tolerance?The board or the CEO, let's just say.It really depends on what their goal is.So if there's a mandate to the CEO as part of his KPI to say, I need to make sure I reduce whatever cybersecurity risk I have, or it goes back to the basic discussion of what is the risk appetite for the organization.And if the organization is very bold and they say, I have zero tolerance to any cybersecurity risk, then they must be able to put their money on it.Just coming up with a statement is that, or we view security very seriously,we know you don't.And that's usually the first line that they put in any news article for companies that get hacked.Yes, that's what I said in the first place also, but in actual fact, it's anything but that.Definitely.But what we see now is you see we are creating, it becomes very fragmented.There are a division of functional units as Kat brought up earlier, and we have a lot more different sea levels dividing into different units.So, but then we are still going around the point where the CISO is not given the board seat.So what would be the right way?To allocate a seat at the board for the CISO or to make the CEO responsible for security as well and be liable for security.The CEO by default, the CEO is responsible.Anything happens to the organization, it is the CEO.The CEO then delegates that function based on different portfolios.So for finance, you have CFO, for IT you have CIO.So that's a general view.Where it becomes effective is when it starts hitting their bottom line.So bottom line meaning are their bonuses, their performance indicated based on how good they perform in cybersecurity?If that is a given, that's given a certain percentage.That's what you see in financial institution.Compliance is given a set percentage across the board.So which means that for you to hit that say 10% or 15% or 20% KPI,you must meet your compliance targets.So you must get all your compliance ready.You must make sure all your team, all the mandatory training and whatever that they need to get done.So in that same tone, how do you ensure that security gets a focus?You make that as part of everyone's target and you say, let's do this.And there has to be a shift in the mindset of a CISO from a very punitive kind of approach into maybe a reward based approach.So for example, you can organize like a game.They catch the fish.So the person who catches the fish or the fishing email that is done internally, the first person may get a reward.So you might give us a, okay, fine.So the first person for this month, we are giving Apple, Apple pro.And the person who first caught this fishing email was this person who reported it to it security or it help desk.You have like a nice little gift giving ceremony and the small speech.That motivates people to see cyber security in a positive light, rather than in a manner where, oops, I feel fishing.So I have to sit through this boring training.You know, I have to do all this 10,000 things.So that shift has to happen in order for people to say, Hey, cyber security is actually fun.We should know this.We should do this because it affects everyone's lives.You know, then you get that by it.But for that, all that things to happen, CISO has to be in the board.That's the, that's, that's the challenge that you have.So the right reporting structure, like what a sky mentioned earlier,feed in the bot, making sure that this person actually has control on all the moving parts that's required to make the organization secure.And then having a roadmap to ensure that all the stakeholders have sufficient attention and resource so that their respective things get done rather than just pulling people out from different, different sections.Yeah. So I think one of the, one of the key things will be, maybe I should start, go start going around, you know, blowing the trumpet of having just two C levels, CIO taking care of IT operations and CISO taking care of IT security. Completely agree.And I think we've wrapped up this topic in a very elaborate and interesting manner.And dramatic, like what Kat said.Yeah. I mean, it's, it's also a subject that frankly, whenever I go to the bot, this is also brought up very key because they always ask, you know,should I have the CIO or the CISO in the bot?Because now when we present the, like, for example, the recent Compromise Assessment Reporting, you know, those days I can, I only need to present to a BOD. Now, like Doc said, I need to present to the BOD Risk Committee, no sorry, IT Risk Committee, and then only the BOD.So I have to go there two times instead of one, because two different groups of people are going to be listening. And the question was always if you suggest the CISO to be in board, what about IT? What about the IT head? Isn't the CISO a lower level rank than the IT? Why should a lower rank officer be in board? So these are things that keeps ringing in the minds of the people in the market today.I guess that's something that organizations have to get that level of maturity before they understand why this thing is required. Because otherwise we can only say this is the best thing that you could do. But having to go through that maturity is when organizations will realize this is the right thing to do.Maybe we can all do a closing statement of what we have discussed today.So there's a lot of interesting discussions that centered around where the CISO should be, what he should be doing. And of course, please make sure you hire and pay the person in the right manner. Again, you pay peanuts,you know what you get. And that's one of the things that you would want to avoid in such a critical role in the organization. So if you're willing to pay good bucks for a good CEO, then you should do the same for a CISO.So this is a PSA from SecurityLah brought to you this evening.Thanks for joining us this week on SecurityLah. Make sure to visit our website at securitylah.asia where you can subscribe to the show in iTunes,Spotify or via RSS so you'll never miss a show.[music][ Silence ]