Q & A Round with Les Correia (Global Head of Application Security, The Estee Lauder Companies)

by Black Hat Middle East and Africa

What is the hot topic of the year in the current cyber landscape?

Social engineering-type attacks continue to be the bane of many breaches today. Phishing is an example of a common type of social engineering cyberattack, mainly because it is effective. We compound this issue further as we tend to focus on email, leaving out conferencing, collaboration, and other mobile software.

What are some of the biggest threats that are not being talked about enough?

Several threats are not addressed adequately:
• The pace of cloud, mobile, social media, BYOD, IoT adoption and changes outpace an organization's security.
• Lack of asset knowledge that includes more than just devices, i.e., social media accounts, cloud storage objects, credentials, private keys, websites, APIs, code repositories, intellectual property, etc.
• Lack of security skills, specifically practitioners.
• Traditional methods/technology to protect newer emerging application approaches.

How do you react to constantly changing threats in the market?

• Strive to raise security awareness as Security is everyone's business. We are all capable and have different insights and experiences. For example, thoughtless awareness is in internet behaviors that we tend to have heightened awareness of accessing banking institutions that are already better secured and leave social networks with laxer defaults with postings, relationships, etc.
• Prioritize protection around critical business processes and related data. Then work on improving cyber hygiene regardless of regulations/standards compliance.
• Embed security in all aspects as a default. Today, mobile, social media, cloud, websites, BYOD, and IoT have expanded the cyber threat landscape. We interact with interconnected platforms/applications in our personal and business lives.
• Introduce automation to assist with speeding assessments and protection. We often see that organizations lag due to the sheer speed of changes.

How do you quantify risk?

There are many methods yet seldom practiced. A good starting situation for quantifying risk is collecting and recording appropriate data based on the results of a business impact analysis for critical business processes. This collected data will help relate risks and tie them to business objectives. You may have to break down these risks further to be quantified. Use good simulation tools to run analysis as part of the process at a regular cadence. Specifically, perform risk quantification as an iterative process. It often helps to get expert feedback before risk quantification matures in your organization.

In the event of a data breach, what is your response plan?

Our stance is implementing techniques to detect breaches quickly and limit the damage. Resilience and recovery are critical expectations. This facet entails the development of a comprehensive crisis management plan(s) (i.e., develop breach preparedness planning and testing).

What are some of your favorite "new" technologies or tools?

The advent of maturing Artificial Intelligence uses in technology to support machine and deep learning in our analysis and thinking.

What are some of the key components to succeeding as a CISO in today's business environment?

CISOs must be business enablers, which often entails having strong business and risk insight – rather than a technical focus. I would highlight that they must possess high emotional and cultural intelligence and the skill set to excel. It is critical to have strong communications skills and continually align their strategic objectives with the business.

If you had a time machine, what advice would you give yourself at the beginning of your career in cyber?

I started my cyber career self-taught, allowing me to grow without direct biases. The downside was that I had no mentor to guide me in this space – perhaps those early lessons learned were a guiding light through errors made along the way.

You are set to take the stage at Black Hat MEA this November. What can our audience expect from your session, and what are you most excited about?

I hope to share my thoughts and global experience on 'How Retail Cybersecurity is Changing.' We will cover the ever-evolving threat landscape, technologies, retail touch points, and how security leaders safeguard the industry. We have a lot to share and learn from each other.
