“Cybersecurity in any organization, no matter what the purposes, needs everyone’s involvement.” – John N. Stewart, SVP and Chief Security and Trust Officer at Cisco Systems
Security is a topic of much interest today at all levels of an organization. Already in 2015, more CIOs and chief information security officers along with governance, risk, & compliance professionals are being brought into the boardroom and questioned about their organization’s level of risk. A heightened awareness in Canada among senior executives has moved the discussion near the top of the priority list.
Many technology domains evolve over time and new leadership roles emerge within organizations – from the chief digital officer to the chief people officer. In the technology domain of security we are seeing the rise of the chief trust officer, a title that captures the essence of what organizations are trying to achieve: protecting their customers, employees and shareholders.
In British Columbia, the 2015 Privacy and Security Conference will address many issues facing organizations today as digital business forever changes how security and risk strategies are crafted.
The way in which people work today is increasingly mobile, more collaborative and leverages cloud computing to improve individual and team productivity. This brings opportunities for leaders to innovate, but also risks if it is not approached with a holistic view. Speaking at the conference is Cisco Systems’ Chief Security and Trust Officer, John N. Stewart, one of the leading authorities on cybersecurity. Given the changing landscape of today’s business environment, I was interested to learn Stewart’s insights on a variety of topics, including what should be top of mind for business and IT leaders alike.
Brian Clendenin: You talk often about trust … why is that an important theme for you?
John N. Stewart: “Trust is everything to a relationship, right? Security and privacy are critical to our customers today and the theme of trust captures critical areas that are largely missing from those discussions. Trust is about the act of being trustworthy, transparent, and accountable – something where, candidly, the IT industry needs to change the entire approach. I’m pushing for our customers to ask that security be baked into solutions. I urge them to ask for a secure development lifecycle and ask for proof that how vendors build, assemble, and operate is top notch. This is trust. The relationship needs to move from assumed trustworthiness to verifiable, so we can all build resilient infrastructures to run tomorrow’s economy.”
Clendenin: With the acceleration in adoption of cloud computing and mobile computing, what should be top of mind from a security perspective?
Stewart: “Governance and insight are the two key issues. Providers and subscribers need to ensure that their organizational governance is up to date to support these changes. Specifically, they need to update their related policies, procedures, and standards. Subscribers need to review information offered by their cloud provider to ensure that they help achieve compliance, trust, and privacy. They should demand transparency so that they can gain insight on how providers manage application development, infrastructure design, security architecture, and implementation, as well as monitoring and auditing security incident response processes. Subscribers should also insist on strong service-level agreements that specify requirements for data confidentiality, integrity, and availability. In addition, they should also discuss their rights to audit and validation. Security is not a responsibility for cloud providers only. If a subscriber does not have sound governance and a strong security posture to start with, moving to the cloud will not solve their security challenges.”
Clendenin: Security breaches are appearing in the news more frequently. What approach should be taken today to protect an organization now and in the future?
Stewart: “Every single company is an IT company these days, and every single company requires effective security as a result. I know it sounds simple, but this isn’t. Developing and driving a solid and thorough strategy is the first and most important step. This isn’t just a piece of paper. It’s your chartered course top to bottom, from business and economic goals to integrated effective practices that are tested each day. That strategy best addresses three phases – before, during and after an event. The before part is about constant vigilance, eliminating vulnerability to reduce the chance an attack will succeed, and having someone watch out for you from the “outside” of your organization. During an incident, time is of the essence. You must be able to identify and understand your attacks and how to mitigate them quickly to minimize impact. After the incident, it’s all about what happened and how to contain and recover from what occurred.”
Clendenin: What will your core message revolve around at the Privacy & Security Conference?
Stewart: “Cisco just released its 2015 Annual Security Report. The data and research in this report, while underscoring the macro trends, highlight how rapidly attackers can innovate malicious activity to exploit new gaps in defenses. When you look at findings in reports like this against high profile breaches reported in the media, it consistently provides stark reminders that more needs to be done to achieve effective cyber security. Leaders of organizations everywhere are watching, listening, and planning how they can prevent attacks from happening, and minimize impacts when they do. One of my key mantras this year is “all hands on deck” and I will talk about how boards of directors now need to approach cybersecurity as a separate risk area—and approach it with this mantra in mind. I will address specific trends and challenges I see in operations, threats, and exploits. Ultimately, we must change the balance of power towards the good through cooperation and information superiority over attackers. We can’t just keep going the way we are. You’ll hear me talk about headlines, bylines, and trend lines and which ones I really care about.”
In British Columbia, a consortium of security-minded stakeholders led by ISACA is coming together to elevate the dialogue over a 10-day period, with events scheduled throughout the province. The BC AWARE Campaign 2015, which runs from February 4th to 13th, is an example of how government, education, and industry can work collectively to raise awareness of privacy and security concerns. Organizations like Cisco, Coast Capital Savings, and Telus are sponsoring the campaign across British Columbia.
2014 was a year in which many organizations faced significant security-related challenges … 2015 looks to be the year we will see increased investment and action taken to protect corporate information in a meaningful way.