GISEC: How to Guard the EnterpriseKeynote Speaker Lohrmann on Setting Clear Priorities
What will it take for the security leaders of 2020 to be the true guardians of their enterprises?
See Also: The Global State of Online Digital Trust
They must have sufficient understanding of their enterprise, always be alert and in the forefront in guarding it. This is the prescription from U.S CISO Daniel J. Lohrmann in his keynote address at the Gulf Information Security conference in Dubai, sharing insights on how to prepare to deal with cybersecurity, cyber war, privacy, politics, protection and compliance.
"As a priority, CISOs must work with the team and management to have clear goals with clear deliverables," says Lohrmann, former chief Security Officer, State of Michigan and currently Chief Security Officer at Security Mentor Inc.
"CISOs must ensure security is built into non-traditional computing environments, which is critical infrastructure with embedded technology," he told the audience. "Besides, a cyber-disruption strategy to respond to cyber-attacks against these critical systems we rely on and prepare for events will secure enterprises."
In an exclusive interview with Information Security Media Group, during his visit to Dubai as a speaker at the GISEC event organized and hosted by Dubai World Trade Centre, Lohrmann throws light on CISOs' preparedness in defending against cyber-threats.
In his keynote: 'CISO 2020: Are you ready to be the guardian of your enterprise?' Lohrmann spoke on cyber-defense strategies, compliance, data privacy and protection. In this interview, he also discusses:
- Security challenges of CISOs;
- How to build a vigilant security culture;
- Successful security models.
Lohrmann is a cybersecurity leader, technologist, author and brain behind securing Michigan's cybersecurity and critical infrastructure. He's served global organizations in the public and private sectors as CIO, CTO, CSO, and has been mentoring security professionals.
Today's Security Challenges
GEETHA NANDIKOTKUR: What security challenges confront CISOs and security practitioners in APAC and Middle East regions?
DAN LOHRMANN: Finding the right cybersecurity talent and sustaining it is the top one. Secondly, getting the right level of management support for resources in handling cloud security, mobile malware, critical infrastructure protection, spear-phishing, among others, are concerns.
Nandikotkur: Security reports indicate that CISOs are weighed down by the technology sprawl, impacting effectiveness and efficiency. What are your recommendations?
Lohrmann: One needs good planning and laying down clear priorities. Work with your team and management towards clear goals with clear deliverables. Here's an example from Michigan State which worked with public, private and government partners to raise awareness and implement solutions for complex cybersecurity issues
Technology, the foundation of the online revolution, is a force multiplier and enabler. It must be used to ensure the data and critical systems we rely on are available to support the cybersecurity ecosystem, which depends on confidentiality, integrity and availability.
Be the Guardian
Nandikotkur: Are CISOs geared up to be guardians of their enterprise? What must they do?
Lohrmann: There are five steps they should accept as their agenda in guarding enterprises:
- First, cloud computing data must be encrypted at rest and in transit. They must find the right balance between blind trust and control with cloud companies as they address data ownership, security, legal issues, hosting locations and service level agreements. Enterprises must survey networks and learn where data truly goes.
- Second, CISOs must ensure security is built into non-traditional computing environments like critical infrastructure with embedded technology. Governments should work with the private sector, developing cyber-disruption strategies to respond to cyber-attacks against these critical systems and prepare for events like power outages.
- Third, we must make employees aware of ever-emerging cyber-threats, train them not to click on phishing scams and watch against online fraud and social engineering attacks.
- Fourth, we must enforce policies with mobile device management programs, lock devices automatically, have the ability to remotely wipe data and encrypt sensitive data on mobile devices.
- Fifth, regarding malware and zero-day threats, we must be able to answer questions: do you know what systems you have, their compliance and patch status? How do you respond to cyber incidents? What data is at risk during an incident?
What's Next for CISOs?
Nandikotkur: Are CISOs on the right track? What's next for them?
Lohrmann: CISOs' importance will only grow over the next five years. They must be champions for getting things done, build appropriate executive buy-in, funding, resources and awareness of key projects. CISOs must be the security liaison across departments.
As career growth, CSOs have opportunities to become CIOs and digital risk officers. Some will become CEOs, as they begin taking decisions for business.
Nandikotkur: What key measures must CISOs take to secure buy-in from the business/board on security investments?
Lohrmann: First, they must be enablers to business, offering workable solutions, not creating deterrents. Build trust with key decision-makers and not just scare executives with breach headlines. Generate good ideas. Look for organizational needs not being met.
Discuss these and low-cost solutions with your management. Think partnerships beyond your own organization. Create the framework to measure training of staff, key project deliverables, threat-response capability and testing of plans aligned with stakeholders.
Building a Vigilant Culture
Nandikotkur: How does one build a vigilant and 'hygienic' security culture?
Lohrmann: Changing culture is hard, but starts with executives prioritizing this and leading by example.
Another aspect is end-user training that's brief, frequent, focused and engaging, educating employees with content that's memorable and changes behaviours; with interactive training, employees will realize the hygiene factor.
We must train staff in new ways, not expect old methods to be effective, if failing now.
For instance, UK-based Government Communications Headquarters is trying to get more young people, using open competitions to find the best and brightest talent, through a series of national competitions: learning programs and networking initiatives to identify, inspire and enable more EU citizens in the UK to become cybersecurity professionals. This is a good model for hiring skilled individuals which helps create a vigilant culture.
One practical way is to encourage two-factor authentication, which provides another layer of security to the transaction through login approvals, multifactor authentication.