
What is the hot topic of the year in the current cyber landscape?
Resiliency: As a business enabler, Cyber teams should not only think about Secure Engineering, Detection and Response, but also recovering from a Geopolitical, Environmental or Cyber incident. This is the next step in Cyber program maturity, working together with your Compute/Storage services team to ensure organizations have a reliable backup and recovery program in place to ensure survivability.
What are some of the biggest threats that are not being talked about enough?
Critical Security Vendor/Partner disruption: Attackers, especially Nation States, have scalable resources to identify and exploit vulnerabilities. If they can target solutions used by many customers, the return on investment is well worth the effort. We are starting to see that trend with CodeCov, SolarWinds, Okta, etc. Have we planned for a scenario where your EDR is no longer reliable, or worse, multiple layers of defences are managed by the same vendor?
Critical Services Disruption: It gets worse if this is a critical service disruption that the business relies on, like Payroll or Medical insurance. With many of us moving towards a SaaS-based consumption model, we are heavily relying on the 3rd Party to ensure their services have near 100% uptime. If disruption is combined with sensitive data loss, we are now looking at legal concerns on top of the already chaotic service disruption.
What are some of the key components to succeeding as a CISO in today’s business environment?
Set up your Cyber Organization as a business enabler. It starts with a good understanding of your business, revenue sources and mapping them to exposures and their associated risk. As the business priorities change, you should be able to stay ahead of the new risks being introduced. Don't secure in a vacuum. Understand the business direction, identify exposures, and build your program to mitigate risk to revenue, financials and the brand.
Earn trust - engage your business leaders and learn what they care about the most. Do this early and often. Business leaders need to understand cyber risk is a factor they need to consider, and you are helping them mitigate that risk, so they can deliver on their P&L promises.
What are the three things that you as CISO look at first to assess an organization’s cybersecurity readiness?
It starts with Risk Management, policies and standards that support a cyber culture and user awareness/training program that makes employees into stakeholders.
a. A well-established Architecture/Engineering review program to ensure systems being deployed are well architected and secure.
b. A mature Vulnerability Management program with near 100% visibility, control and monitoring that keeps track of systems in play.
c. A business Resiliency program with tiered service recovery plans, clearly defined RTO and RPO, and a well-tested recovery program.
You are set to take the stage at Black Hat MEA this November. What can our audience expect from your session, and what are you most excited about?
I am super excited to share my experience in deploying Behavior Analytics and how it can augment Signature-based detection in detecting and reducing the amount of time an attacker is in an environment. The goal is to travel down a logical path to think about the goals of the attacker and how we can reduce the amount of time they get to stick around in our networks.
I am also looking forward to hearing from my peers, learning about their experiences and their ideas. We are in this together and it would be great to learn about threats as well as new mitigating capabilities.