At the end of February, our CTO, Shadi A. Razak, led a workshop at the Cyber FinTech Summit in The Hague, in collaboration with Marsh and Compumatica. The workshop, Proactively Manage Your Supply Chain Digital Risks, covered the various vulnerabilities associated with supply chains and encouraged participants to actively engage with new ideas surrounding risk management.
Afterwards, Shadi got the chance to catch up with several security professionals to get their take on the current cyber security landscape. Our second interviewee is an Information Security & Data Privacy Officer at a media organisation.
Shadi A. Razak: Thank you very much for coming today. One of the main things that I’m interested in asking you, as the ISDP of a reputable online publishing organisation in the Netherlands, is what are the most significant business risks for your organisation? Is it business interruptions or information leaks or something else?
ISDP: Well, everything is critical and should be avoided, but in relation to the business risk and to information security, one of the most significant risks is now ransomware. Our neighbour was hacked last week – we always say, well, we hope to have a [security] threshold high enough so that hackers will go to our neighbours. We didn’t mean that they should actually go to our physical neighbours, but, yeah. But compliance is also a big issue in relation to privacy regulations and cookie policies, and we have all that from the Dutch authorities, so they’re all equally important… Everything can happen.
Small issues can happen – they all have an impact on our business and all have an impact on our compliance and should be avoided. But we are a relatively small company and our EBITA doesn’t allow us to invest a lot of money into heavy security measures. So that is also, for me, an issue.
SR: The lack of funding for security departments is a common phenomenon across different industries – why is that, in your opinion? Is it due to the lack of understanding of the positive and negative impacts information security can have on the business operation and strategic targets? And how would you suggest we help them realise the importance of cyber security for digital business survival?
ISDP: Well, we have to make them aware of the risks, and, fortunately, I’m on speaking terms with the C-level and management – that is not the issue. But cyber security and [cyber] risk are not the only risks a company faces. We have a risk register and out of the top ten risks, I would say that more than half are related to cyber security. So, they know it’s important, but they also know that the business is also important. And they have to give the business enough focus and make sure our –
SR: Operations are running and shareholders are happy –
ISDP: Yeah, and that we achieve our business targets, [gain] new customers, keep customers – our CEO used to be a sales director, so that is at the top of his mind. But still, every few weeks I have the opportunity to speak to him and we speak about the risks associated with cyber, so that is really nice.
SR: Excellent. And from your experience in the industry, what do you think are the most significant new cyber risks we will see over the next couple of years? What will be their impact?
ISDP: Well, I think new risks will emerge, but we don’t know what new risks will be emerging. So that is hard to say. But I think that there are new technologies – and they are not only used in a legal way, but also hacker communities will use machine learning and artificial intelligence, and it will continue to be a fight. And then the hacker will win, and then the good guys will win. I think that will always be the case over the next couple of years.
SR: As an ISDP of an organisation, how much confidence and trust do you have in new technologies to help you manage the [security] process? Like artificial intelligence and machine learning – do you think they will have an impact on our profession?
ISDP: I hope they will have a positive impact. But we rely on suppliers that supply us with tools that will use those new technologies. You know? We won’t be doing it ourselves. That is impossible for us as a media company and is not our core business.
SR: Brilliant. As a security professional who has been in the industry for a while – what is the toughest thing that you believe security professionals face every day?
ISDP: It’s not the awareness, but I think the actual behaviour of people. People know they shouldn’t be clicking on phishing links but they still do. When it fits into the situation, then they will click on the phishing link. I think that will always be a problem, always stay the issue. And I think that they shouldn’t get [hit by] a stick on their head, but I think there should also be technical solutions to help them.
SR: Last question – for young CISOs and security professionals, what are the three things that you would advise them to remember or implement in their organisations, from a security side?
ISDP: Well, they should always know what the company’s business goals are and how the cyber security risks have an effect on the business goals. And that is also what the C-level people listen to. They’re not really interested in cyber security risks, but they are interested in what the cyber security risk will mean for the business (risks). I think that is most important to remember.
As our interviewee noted, it can be difficult to ensure that security needs align with business priorities and vice versa, but continued communication between the security team and organisation leaders is key to finding this balance. New tools, like CyDesk, can be helpful in managing these priorities, leveraging new and emerging technologies.
This interview has been edited and condensed for clarity. For more information about tools that can help you manage your digital risk, check out CyDesk. This is the second in a series of industry interviews; the first can be found here.