“It is well known that our adversaries share intelligence, so we are at a disadvantage if we aren't sharing information too.”
Gram Ludlow (SVP, CISO at Marriott Vacations Worldwide) has built information security programs and managed global security teams – as well as mentoring the next generation of industry professionals. He takes a wide view of his own role in defending organisations right now, and enabling the teams who’ll defend them in the future.
He’ll be sharing his wisdom at Black Hat 2023. So we asked what types of threat he’s seeing a lot of right now, and why information sharing between CISOs is crucial to resilience.
What drew you to information security?
“Since a young age I have been fascinated with puzzles of all types. As I matured, I also gained a strong sense of right/wrong and wanted to do something creative and beneficial for the world.
“But everything really came together for me as a young adult when an early mentor of mine gave me a nudge in the security direction. Everything clicked! The combination of challenge (technical, human, organisation) with the chance to protect people drew me quickly in and led me to where I am today.”
Are there any particular forms of threat that you're seeing a lot of at the moment?
“For-profit hacking is definitely the biggest threat I see. There has been a proliferation of organised, but ‘basic’ spam-type threats that broadly target huge groups, and only need a small chance of success to be profitable. They are targeting individuals, businesses, governments, really anyone or anything where they can monetize. With automation and scale, it is relatively easy to carry out these attacks at low cost.”
In terms of developing security infrastructure for a large organisation, are there any key steps/processes you'd always recommend - or does it really depend on the organisation?
“While there are some basic security capabilities every company needs, my perspective is that each company is unique, and needs its own custom security infrastructure.
“Based on industry, threat levels, and even specific technology platforms, different approaches and supporting technologies are needed to adequately protect a company.
“This is why security architecture, as a function, is so important for a complex entity.”
How important is it that CISOs and other industry professionals share information and experiences as openly as possible?
“It is well known that our adversaries share intelligence, so we are at a disadvantage if we aren't sharing information too.
“Sharing security best practices, threat intelligence, and other, non-proprietary information between companies and industries lifts us all up and helps individual organisations and economies grow and prosper.
“Respecting confidential information is important in this sharing, but there are many mechanisms now to be able to share for security while maintaining confidentiality.”
Finally, why is Black Hat MEA valuable to you?
“Keeping up with the dynamic landscape of security is a challenge for all security professionals. As a CISO, I seek out opportunities to hear from thought leaders and security practitioners so that I can bring a fresh perspective into my own security program.
“Black Hat MEA gathers so many industry experts, security visionaries, and experts into one place with extraordinary content and collaboration. Attending Black Hat MEA will help me better guide my security program and enable my company to best manage cyber security risk.”
Thanks to Gram Ludlow. Learn more from him at Black Hat MEA 2023.