What keeps CISOs up at night?

At Black Hat MEA , a panel of CISOs in the retail sector – chaired by David Cross (CISO at Oracle SaaS Cloud) – discussed the challenges of threat intelligence and security awareness. 

When Cross asked how valuable the panellists were finding threat intelligence, and whether they think it needs to be more tailored to their specific industry, Alex Attumalil (Global CISO at Under Armour) said: 

“Threat intelligence…you don’t buy it anymore. It just becomes part of the system that you deploy. But the intelligence really is in what happens in the background.” 

“A lot of systems that we have in the cloud, in SaaS based environments — you have a shared security requirement. So you can protect your piece of it; the authentication, authorisation, data piece of it; but the infrastructure really belongs to the cloud operator.” 

So intelligence, then, isn’t just insights into potential threat activity; it’s also information that corresponds with gaps in visibility over your supply chain, enabling you to build a clearer picture of the threats that exist in and around your attack surface. 

Threat intelligence must lead to action

Lee Whatford (CISO at Domino’s Pizza) added that “threat intelligence has to be relevant and it has to be actionable. If it’s not then it’s not intelligence – it’s just a feed of stuff that is happening.” 

And understanding that is key to leveraging intelligence in a genuinely useful way. If you can’t differentiate between relevant intelligence and irrelevant intelligence, then you’ll get lost in the noise. 

And Whatford also takes a threat-specific approach to intelligence – working to understand known enemies and their behaviour. His company takes a high volume of credit card payments, for example, and although those card details aren’t actually stored or processed by Domino’s directly, to an outsider it looks like they do. “So that puts us within a certain target range of some crime groups,” Whatford said, “so we very much focus on them.” 

His team looks at how those groups operate, and the behaviours that might indicate they were operating within a network. 

“We need to understand that world. If we don’t understand our enemy, if we don’t understand the opposition, then we’re going to stay where we’ve been — giving a lot of money to those guys with the shiny marketing campaign outside — but we don’t actually know if we’re more secure.”

There’s no one-size-fits-all cyber awareness training

The conversation shifted into security awareness; because as Attumalil put it, “Cyber awareness shouldn’t be a check mark. It should be continuous. We know that people aren’t trying to do bad things, they’re trying to do the right things, but they may not know what the right thing is.”

So it’s important to make sure they are aware of the right things. 

Cross asked whether the same awareness training can be relevant across all departments of an organisation, and Les Correia (Executive Director - Global Head of Application Security at The Estée Lauder Companies) said no – “People work differently. You have to think about social engineering, and context. Like here [in Saudi Arabia], people are really warm for example — [a threat actor] could use that to get more information.” 

At Estée Lauder, he’s working to place cybersecurity champions within different departments, who can educate team members about security threats and best practices in a way that is relevant to the work they do. 

And Whatford agreed;

“Culture is a big one for me. We talk about security culture, we talk about business culture. But ultimately, it’s got to come down to different groups of individuals. Developers — great. But very unique mindset, a very unique way of doing their work, with a very unique output and very unique risks associated with the work that they do. The boardroom — could not be any more different.” 

“And then lots of other groups of individuals throughout the business. So it has to be tailored. And that’s where the context comes into it, using those security champions, embedding them into the business.” 

In short, cybersecurity awareness programs shouldn’t be expected to be effective for everyone. Different training scenarios should be developed to provide relevant, useful, engaging programs for different groups within an organisation – because it’s when training feels tailored to you that you’re really able to learn. 

And then Cross asked a probing question: What’s keeping you awake at night? 

“This whole migration to the cloud and SaaS-based technologies,” said Attumalil, because “you’re essentially relying on a second person to protect your environment. It’s a shared responsibility model.”

And that means that as the leader of an organisation, “you're actually losing control over some of the responsibilities or some of the security measures you’ve put in place. That’s a hard one to tackle. And that whole environment is nascent, you don’t have good visibility there.”

Correia pointed out that another layer of concern on top of this is that even if you don’t have control or visibility over supply chain security, you’re still the one who’s going to be held accountable by your customers if something goes wrong. “There’s a key differentiator between responsibility and accountability,” he said, “if you are the company, you are accountable.” 

And for Whatford, “one of the big things for me is the articulation of risk to the business.”

“When I look at the organisation and I look at risk, I don’t see that as my risk. I’m not there to be the fall guy. My top level biggest worry is that I haven’t actually found the exposure points across the business. Because if I’ve found them, I understand them, we’ve assessed them, we’ve articulated that risk, and I’ve helped the business make an intelligent decision as to what to do with that risk. So it’s kind of their risk. But at least they understand that exposure and I’ve articulated it to them correctly.” 

“If I don’t know that risk I don’t know what those exposure points are.”