The CISO of Bombardier on Target, Sony and the changing nature of risk

As chief information security officer for the world’s third largest airplane manufacturer, Edward Kiledjian says his mission is to build a security model that is agile, nimble and cost effective. With more than 20 years of experience to back him up, he was a natural choice to become the first interview subject or the launch of CSO Digital.

Besides his work at Montreal-based Bombardier, Kiledjian has also helped support IT security and risk management efforts at Air Canada, Cathay Pacific Airlines, World Intellectual Property Organization, the United Nations and the Canadian government.

Kiledjian spoke by phone with CSO Digital earlier this year about his perspective on the state of IT security in Canada and the challenges large enterprises face. The interview has been edited and condensed.

What motivated you to take on the role you have today, and how did you get there? 

My career has been spent on both sides of the table. I’ve worked both on the consultant side and on the customer side. Almost 14-15 years ago, I was the security practice manager for a small Canadian company called Caron Systems that brought a lot of these big security vendors into Canada. I was already preaching security to a lot of our customers, whether it was intrusion detection, firewalls. It was much more basic technology. It was something I believed in then, and I believe in now, and I think all of the revelations we’ve had in 2014 shows it has become the de facto agenda items for most boards and executives, even outside of IT. Most CxO executives today are asking questions about security. The best way to describe it was that 2014 was the year of the breach. It’s become much easier to talk about security now than it was two years ago. Security used to be like selling life insurance. You had to convince somebody it was a worthwhile investment even though it was completely intangible. Now we can quantify it, we can measure it, and we can provide guidelines around it.

If last year was the year of the breach, what do you foresee as the next step to holistically approach the threats organizations face? 

The reality is, it’s going to get a lot worse before it gets a lot better. When I talk about security, we break it up into three distinct sections. There is the technology, which is the easiest part, because vendors sell technology. Then there is the people and the processes. I’ll give you an example. If you look at all the information that was leaked about the target breach, Target actually had a tool from a company called FireEye that alerted them to the fact that some of their equipment was infected or corrupt. The problem wasn’t the technology. The technology did its job. The problem was the fact they didn’t know what to do when the alerts happen. That’s the process piece. The first thing they need to do is take a step back, evaluate the products they already have, and figure out how to best use those before spending any additional money. They’ll need to buy additional tools as they develop their security maturity, but a lot of companies can be helped by properly implementing what they already have. When we look at all the breaches that happened on Windows, for instance, 80 percent of those could have been prevented if users had not been running with privileged accounts day to day, and if the machined had been patched probably. It’s not expensive, and fairly easy to do, but most organizations aren’t doing it.

What do you think needs to happen for more organizations to develop a “security-first” kind of culture? 

I think it’s already happening naturally given all the media attention given to breaches. We’re starting to see breaches become very tangible for the average user, and I think that’s going to drive a lot of the change we’re going to see in security. You could really isolate a few major trends. There’s cybercrime, which was extremely present in 2014 and now in 2015. This is organized crime that conducts espionage for the purposes of sheer theft, competitors who want to steal intellectual property, and people who do things for a political reason, like hacktivists.

The second thing that we’re seeing is privacy and regulation. As soon as major breaches are made public, lawmakers start discussing tougher regulations, bigger sanctions. We’re going to see governments regulate breaches a lot more, and I think Europe is taking the lead on that. I also think we’re going to start to see users be much more careful about their own data. If you look at the younger generation today, they’re not using Facebook as much, they’re using things like Snapchat. Why? Because I think they see those services as being a little more private, even though we know it’s not.

That really ties into the third piece that we’re seeing, which are threats from third-party providers. We see third parties as being the biggest attack vector touching both corporate and individual privacy. In other words, when you use your credit card at Target or Home Depot, and your number gets breached, not through any action of your own, but because it happened to the third party. And I think what you’re going to see are technologies like Apple Pay. This is a situation where you are the owner of your credit card number, and you actually would never give that number to a vendor. It’s the first time where we’re starting to see a consumer be responsible for their own privacy.

What’s your advice for your peers on making sure that security isn’t an inhibitor for adopting important technologies for business transformation, but enables change to happen? 

I think the first step is that the organization needs to understand that absolute security means you have no flexibility very little usability. Absolute flexibility and usability means you have no security. So each organization has to define their own risk appetite. How much risk is the organization willing to assume? How do you benchmark how much risk you’re going to take? It really comes down to that. Once you’ve done that, then you can decide how to protect your organization.

How do you think these challenges will change the way organizations hire IT security experts?

One of the realities of this new cyber threat landscape is that you’re not being attacked by a thing. You’re being attacked by a person. So at the other end of that attack is a human being trying to get something from you. The only way to defend against that is to have your own people working on your side to counterbalance that. There is definitely a skill set, and most organizations you’ll talk to, particularly in Canada, are having a tough time finding and recruiting these specialized skills. The reality is, it’s not just a security specialist that you need. It’s not just a firewall expert. It’s a technical expert for each of the spheres you’re operating in, whether it’s networking, operating systems, applications, application development. Plus, it also requires soft skills, such as people specializing in communication and change management. And I think it is this combination that people are having a difficulty finding. We’ve said it for many years, and it’s still true: The biggest risk to enterprises is their own users. And you look at some of the biggest breaches, and the fault was human. You need a new breed of risk specialists now, who can come and provide that estimate to these companies. Sony had no idea that they would lose everything. They didn’t impact it would impact their brand, that it would impact their ability to get employees, to get actors. I think that’s what typically happens when these breaches happen. Ultimately, who is responsible? In many organizations, you may have a CISO, but the CISO is just a tool. We’re there to provide support and guidance to the executives. But ultimately the responsibility for information security in an organization stops with the data owner, and the data owner for most organizations is the CEO.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Shane Schick
Shane Schick
Your guide to the ongoing story of how technology is changing the world

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now