As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Simona Rollinson, ISACA’s Chief Technology Officer (CTO).
Simona leads ISACA’s technology team, driving the organization’s continuing digital transformation, and exploring new opportunities for harnessing technology to elevate the educational and professional development experiences for ISACA’s members and enterprise customers. She plays a key role in transforming ISACA’s learning technology platform to support the professional community at all levels and stages, from individual development to enterprise solutions.
Throughout her executive career, Simona has led successful complex digital transformational change and evolution through roles as software engineer and developer, president of Follett Software Company, CIO for Cook County Government in Chicago, Illinois, and CIO for Clayco. The hallmarks of her recent tenure are establishing an enterprise architecture capability, modernizing many foundational systems and legacy platforms and a focus on improved vendor and project management.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I come from a family of engineers. My father is an engineer, my mother is an engineer, my brother is an engineer, my uncle is an engineer, my aunt is an engineer. Engineering is in the family. Growing up, other kids would relax watching TV, and I would relax solving differential equations. I would be in front of the TV, watching it in the background, but relaxing through solving problems. The first seven years are so formative in the way you are taught to think, to value curiosity, and I was born in the right family. There’s the saying, “Give me a child until he is seven, and I will show you the man.” We only go as far in life as we are curious. We never go any further. Our curiosity is the boundary of our journey.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I think your personality and DNA play a role in the career you choose. My father was a professor in electrical engineering and a chairman of a very large university, so I was surrounded by academia. Everybody around us taught us the value of scientific research and learning. When we would go on vacation, there would be seven professors with us, playing card games together and talking about different scientific problems, history, or philosophy. My environment was permeated with academia, especially in the line of technology and engineering, so I never thought of being in any other type of career. I ended up becoming classically trained and received a master’s degree in computer science and electrical engineering, and then I went back and forth several times to get my Ph.D., which I didn’t finish. I began my career as a developer and 17 years later was president of a 100-million-dollar software company (Follett Software) developing K-12 library automation and learning management systems. I was then CIO of Cook County for four-and-a-half years, and then CIO of a construction and architecture company. And now I’m in a global nonprofit association as CTO, so I’ve been in different verticals, but all related to technology. By training and my career, I am more of a technology generalist, but cybersecurity is in the center of technology, so it has always been part and parcel of the domain. Moreover, ISACA is a mid-size company, so it is inherently agile and flat, and I am a “working manager” involved in strategic and tactical decisions.
Can you share the most interesting story that happened to you since you began this fascinating career?
Like most people I have had many great experiences in my life and my career. In 2011 I was invited to lunch by my then boss (who was elevated to be president of Follett). I was a junior vice president for customer services. I had less than two years of seniority with solid results. He asked me to become a president of one of the companies — a 100-million-dollar software company. It changed the trajectory of my career. Overnight I had to think strategy and marketing on a much different level, and I had to embrace sales management. I learned that you can’t win them all, but you can win most as long as you have a clearly defined North Star and communicate often, consistently and candidly.
Many of the stories I recall are stories of failure, redemption, and agency. Apparently, this is common. I was a newly promoted president of a software company and was at the crossroads of recommending pivoting or divesting a previous acquisition. It was an incredibly hard decision because the team on the ground was strong, bright, and incredibly hard working. I recommended exiting the acquisition but keeping and reassigning the team to new projects/verticals. I remember my short presentation to the board telling them they needed to write off millions of dollars because I was not going to be able to “right” the ship. Though the chair of the board looked disappointed and advised me to bring this up sooner next time, she supported me, and I did not lose my job. It helped me understand the meaning of “fail faster.” Decisiveness is essential in leadership and for radical innovation.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are many people who I am grateful for. There’s a saying, “When the student is ready, the teacher will appear.” I have been fortunate to meet incredible role models throughout my journey — my mother, my boss at Cook County Government, who was a woman of color, several of my peers and leaders at Clayco, and my current boss at ISACA who is an executive with an amazing creative side. I had much to learn. The person I want to highlight is Matthew Porter, Chief Executive Officer at Invisibly and previously Chief Innovation Officer at Clayco — and husband, father, entrepreneur, geek, Multiple Sclerosis warrior, and ultramarathoner. One time he ran for 30 hours with a broken foot for 35 miles of the race. I remember wondering what I was in for with a boss like that! I learned so much from Matthew — from his love for his family, to practicing tough love. He never gave me an easy answer. In the few instances he disagreed with my assessment or approach, he would take the time to talk through it with me. Generally, by the next morning I would have self-corrected. He would challenge the logic behind my thought process and expose the logic fallacies — such as not being a good listener, diverting from the specific issue at hand, or oversimplifying. When I would not let go of an issue that had happened, he would tell me I was repeating myself, which was important for me to realize.
Are you working on any exciting new projects now? How do you think that will help people?
Yes — at ISACA we are implementing a new learning experience platform. Most learning platforms lack understanding of the learner and the organizational needs. We are veering away from traditional learning management systems, which tend to be more transactional, into the world of micro-learning and various modalities including simulation and gamification. I am optimistic this will be quite useful for the next generation of audit, cyber and risk professionals worldwide.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Pace yourselves. Working from home, we actually work harder. Leave white space in your calendar: finish meetings five minutes before the end of the hour, or schedule 15-minute meetings as opposed to 30 minutes. In the past, there was sometimes a fear that remote work would cause people to slack off, but it’s actually the opposite. Everyone is putting in ten-hour days. The biggest challenge is setting boundaries — the hard boundary of leaving the office and commuting home has gone away.
Allow yourself to fail a little bit more because we don’t just have one job — a lot of us are working but also helping our children with online learning, myself included. The world has changed, and we have to adapt. Humans have a great ability to adapt, but it takes time. Change is difficult, and it’s going to be stressful, so you have to be your own self-advocate and watch out for yourself.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
First, cybersecurity is a very dynamic industry. The exponential growth and development is amazing. Second, the new people entering the workforce excite me tremendously, because that’s the promise of growth and development. I am a strong believer in the new generation bringing new and valuable ideas. Digital natives will not only be more proactive about embracing emerging tech at their companies, respondents of ISACA’s Next Decade of Tech survey said, but they will also be more concerned with privacy by design and security by design. It will no longer be the newest and coolest apps that get the most attention, but the safest tech, the tech that protects its users from breaches and hacks. Thirdly, I’m excited about the intersection between cybersecurity operations and privacy. The two are converging, and the whole industry is maturing so that cybersecurity is not an isolated discipline but permeating into software development, operations, privacy, and various programs. Security has touchpoints everywhere; it’s not just a technology. It relates to privacy and legal, but it’s also on the business side of things — whether it’s awareness education within the organization itself, or it’s a driver of business needs as well as technology needs. You get exposure to many different things across the board. Many interesting developments happen on the boundaries between cybersecurity and other disciplines.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The biggest impact to security right now is the seismic shift from in-office to remote work. Previously, remote work was a small use case in organizations, especially SMBs, primarily supporting short term work from home or a portion of the workforce that was on the road. Now, because of COVID-19 restrictions, organizations are finding themselves with the majority of their employee base working remotely. Because of the fast spread of COVID-19 throughout the country, many organizations made this transition in a very short period of time with little opportunity for proper planning and risk assessment. Although organizations were able to make this transition successfully and without major business impact, there is significant risk, as well as gaps from an information security point of view. At the same time, threat actors were very quick to pivot and take advantage of the opportunities opened to them by the impact of COVID-19. Now that we are months into the COVID-19 lockdown, and remote work has become an operational norm, information security teams need to be vigilant in understanding the new vulnerabilities and attack surface exposed by the “new normal” of remote work. This includes a review of foundational security hygiene and how those practices and controls are impacted by a majority work from home workforce. User security awareness education review and refresh is a must since those remote users constitute the last line of defense against some of the most common threats such as phishing. ISACA offers a number of resources related to this topic in our COVID-19 Resource Center.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
In May 2017 I was CIO of Cook County, and the WannaCry ransomware attack was very significant in our environment with 22,000 employees, a hospital, and the biggest jail in the U.S. We had a plethora of technologies — it was a complex environment residing under different jurisdictions. For example, hospital equipment is very different from court systems, which are very different from office workers’ end-user computing. I was in the middle of this attack and thankfully we were able to avoid the serious repercussions, but we did have some vulnerable workstations that had to be isolated and taken out.
There were lessons we learned around segmenting the network. We basically put a wall of segmentation between our medical devices and our end-user computing, so we could partition the networks. One takeaway is that misconfigured security products like endpoint protection platforms and firewalls are often the culprit. You must conduct basic security hygiene tasks, including patching and configuration management. It was a wakeup call for me. Another takeaway is that it is important to expand backup to endpoints in business and IT disaster recovery plans. A third takeaway is to proactively invest in more advanced capabilities, such as network segmentation — for example, separating hospital and courts — so they do not cross-contaminate each other.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The tools supporting foundational security hygiene are the tools used most frequently, including vulnerability management, endpoint protection, intrusion detection, security incident and event monitoring (SIEM), security awareness education (SAE), identity management, and data loss prevention (DLP).
Foundational security hygiene is something that is critically important during this time of transition to majority remote work. All the cool tools and capabilities in the world will do you no good if you do not have basic hygiene in place. Many of these tools also overlap and complement each other. For example, vulnerability management is important because unpatched software vulnerabilities are the cause of a significant amount of breaches, and security awareness education is essential because poor security awareness at the user level drives success in the phishing campaigns that look to take advantage of those vulnerabilities. All of these tools are part of a solid security hygiene program that helps establish a strong security foundation at an organization — enabling the organization to assess, protect and monitor its data; software, appliances and managed services; physical assets and technology resources so that threats, data leaks and attacks can be prevented and/or mitigated.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Regardless of the size of the organization, you must have someone at a leadership level who has a formal responsibility for security. It cannot be something that they do in their spare time or something that the infrastructure director works on when they get the chance. You must have someone who is formally responsible. You also need to have buy-in from senior leadership. If you have senior leadership who don’t care, then you’ll have problems. You need a commitment to security within the organization.
Also, the more resources a cybersecurity team has, the better, but there are a lot of organizations out there and third-party vendors or partners that you can work with to help take the load off, and in some cases, are more cost efficient. A great example of this is 24/7 coverage of monitoring.
ISACA is a great example. We are a small to medium-sized enterprise, and we had only one cybersecurity employee when I joined last year. We now have a dedicated cybersecurity team, and while it is small, it has a great mixture of internal resources and outsourced resources, like commercial vendors and managed security service providers that help us set up some parameters to help us with our general framework.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Often, signs of a breach or hack are subtle; you won’t always get a call from the FBI. Some signs include a significant number of customers complaining that the credit card information that you have on hand is being used for fraudulent activity. You may also have business partners say they are receiving a slew of emails that appear to be coming from your organization, but your team is not sending them. Usually, when it’s obvious to someone who is not a security or tech person, it’s a major event.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First, you invoke your cybersecurity team’s incident response plan, which all organizations should have. The response plan should be rehearsed and exercised, and should involve the entire organization — legal, communications, marketing, sales, etc. Everyone in your organization needs to have a stake in it because once you do get notified of a breach, each person needs to be able to fall into the well-rehearsed plan.
Without a well-rehearsed plan, major issues can occur. If you look at case studies of previous security breaches, especially large ones, the organizations may have had a plan, but because no one really knew about it and no one played their role once it came time to execute it, chaos ensued. To ensure a strong incident response plan, organizations must also ensure they do not have misaligned prioritization around level of response or a lack of detail. This calibration and the level of detail on incident response plans must be in place when the waters are coming, not when you’re in the midst of a storm.
Be serious about preparations. Make sure people are engaged and know what their responsibilities are, and how the items they spend time on now will help protect the organization in the future. They should be made to understand that it’s not just a “technology thing.”
Recent privacy measures have had a tremendous impact. For me, privacy is what cybersecurity was ten years ago, and what cloud was 20 years ago. It takes some time for an idea to get momentum and then it becomes the new norm. However, as a next frontier, privacy laws are coming exponentially everywhere — whether it is Nevada, California, or Turkey.
However, one challenge is that there is not a lot of consistency across these laws just yet. One piece of data on a single customer can go ten different directions based on where they live and a whole bunch of other aspects. We are also still building up the experience base. There’s history with privacy, but it was previously a niche world and now it is opening up and becoming something of interest to a lot more people. There has been a lot of news about CCPA and GDPR, but legislation and regulatory agencies are still playing catch up. Some companies take advantage of these black holes.
Privacy and cybersecurity have a nice point of convergence. For example, with data classification, data assets need to be protected from a cybersecurity standpoint, as well as understood from a privacy standpoint. Also, the same bad actors who are using ransomware and stealing credit cards are also the ones dipping their toes in privacy fraud because it’s all about the data in the end. They want to get their hands on the information. This is where this confluence is happening and we’re starting to see privacy and cybersecurity teams work together.
However, with privacy, there’s a gray area. The data that an organization uses, the customer data — is it theirs, ours, can it be used with sponsors? Organizations are deciding where to draw the line.
Historically ISACA was an association for auditing, risk, and cybersecurity, but privacy is a natural extension of our portfolio. Earlier this year, ISACA launched a new privacy certification, Certified Data Privacy Solutions Engineer (CDPSE).
What are the most common data security and cybersecurity mistakes you have seen companies make?
One of the big mistakes I’ve seen consistently is organizations not having leadership support of their security programs. If you don’t have leadership backing the security program, then no one backs the security program. By leadership support, I don’t mean just the CEO or VP. Support should come from many levels and be communicated throughout the organization.
The second mistake, even if you have leadership support, is not making security an independent organization. Often, security gets rolled up under IT, infrastructure, or finance. The bottom line is that it is an issue to not have a dedicated owner at a leadership level for security that’s high enough to make a difference.
Not having a coherent, long-term security strategy is also a big mistake. If your security strategy is to just react to things and do the bare minimum, that’s not a strategy, just a tactic.
Another mistake is doing too much and pushing too many priorities, because then you’re really not accomplishing anything. It has to be a journey. People want to fix everything, but you can’t get maturity very quickly. You can’t go from level 1 maturity to level 4 maturity in just six months. It’s like maturing through elementary school — you can’t jump from second grade to seventh grade, you need to actually learn your material in a certain order.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Definitely. The footprint is increasing. The traditional 90–10, with 90 percent employees in an office, has now changed to 90 percent working from home. This extends the whole infrastructure, so it has to be protected in different ways.
We need to revisit how we do things and rearchitect on the fly. One of the biggest problems with COVID-19 is that it wasn’t something we could plan for a year in advance. One day we were in the office, and the next, many of us were home. This rush to work remotely caused many companies to react to issues as they found them, as opposed to proactively planning to cover them. According to ISACA’s COVID-19 Study, 87% of respondents said the rapid shift to work from home increased the risk of data privacy and protection issues. There’s now a significantly enlarged cybersecurity threat landscape, and threat actors are constantly innovating themselves. They are taking advantage of new opportunities, and it seems like we’re always one step behind them, no matter what we do. It’s a challenging situation.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Data is the new gold standard. Data is not only an asset, but a highly valued form of currency in the world of online marketing and advertising. While the world is on pause due to COVID, bad actors and sophisticated cyberattacks are on the rise, especially amidst the rapidly growing digital landscape. At the same time, the proliferation of complex and nuanced country and state privacy laws is astounding. As privacy regulations mature, they develop rigor and become more detailed in defining stricter requirements that come with violations. This is the crucial battleground — between transparency (protection of privacy) and defense of data and assets (cybersecurity) — in this new data-driven economy and world. However, from a company preparedness standpoint, security and privacy, while distinct, are tightly connected and share common traits.
Here are the top six key things I recommend that IT teams do to tighten cybersecurity and privacy programs at the same time:
- Take care of your people — The best of anything is always in demand and your teams are under a lot of pressure to pivot and implement work processes in a new “formation.” It is our #1 priority to not only create a safe workplace, but also create an environment in which employees feel valued and supported with what they need to get their jobs done. Team members are fatigued by the high pace of change in the last several months, distracted by the day-to-day needs of a sheltered-in-place family, and they may also be scared of potential loss of income and the unknowns in the future of their businesses, so it is important to reduce stress and burnout on the job as much as possible. Resist the temptation to use technology to keep track of employees — it lowers workplace morale and infringes privacy.
- An educated and aware workforce is wildly important — whether it is about the basics like weak password management, bad online surfing habits or using public wi-fi, or about data privacy, cybersecurity or ethical standards for artificial intelligence. Just like we foster diversity and inclusion programs, we need to use our collective power to protect the most vulnerable to cyber and privacy threats — citizens, residents and small businesses. Invest in training, certifications, awareness and professional communities.
- Take it seriously — The intensified global regulatory activity is real and is driving radical change. Educated customers and users are likely to switch to the competition if they believe their personal data is not handled well.
- Focus on your “crown jewels” — Know what your most precious assets and processes are. This is your elevator pitch in 2020 same as it was in 2019. Prepare to defend and ensure resiliency. Ignorance is not bliss.
- Get back to the basics, which includes:
  - patching and looking at average days to patch critical systems with critical patches; backup and restore
  - monitoring all external access events
  - monitoring user access privileges on Active Directory and critical applications
  - keeping VPN/RDP servers up to date
  - enforcing MFA where possible
Bonus: Leverage third-party MSSPs (managed security service providers) more than ever — Spend more time with MSSPs so they can learn your business. MSSPs and SOCs know a lot about technology but they do not know you well. Now is the time to fine-tune your relationship so they understand the business use cases, risks and expected outcomes. Plan for functions beyond reactive incident monitoring. Many times, MSSPs are your lifeline. Take a part-time employee from an MSSP/SOC and ask them to do proactive threat hunting. Offense is the best defense.
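As an added example (not code from the interview, from Simona Rollinson or from ISACA), here is how the “average days to patch critical systems with critical patches” metric from the basics list can be computed over a set of patch records, keeping still-unpatched hosts in view so the average cannot be flattered by never applying a patch. The host tiering, the 14-day SLA window and all sample records are constructed assumptions.

```python
"""Days-to-patch metric for critical patches on critical systems.

Added illustration with constructed data; not from any real environment.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    host_tier: str           # assumed tiering: "critical" or "standard"
    patch_id: str
    severity: str            # vendor severity: "critical", "high", ...
    released: date           # date the vendor published the patch
    applied: Optional[date]  # None means the host is still unpatched


# Constructed sample records (hypothetical hosts and patch ids).
RECORDS = [
    PatchRecord("vpn-gw-01", "critical", "PATCH-A", "critical", date(2020, 5, 1), date(2020, 5, 4)),
    PatchRecord("rdp-jump-01", "critical", "PATCH-A", "critical", date(2020, 5, 1), date(2020, 5, 9)),
    PatchRecord("dc-01", "critical", "PATCH-B", "critical", date(2020, 5, 12), None),
    PatchRecord("file-srv-03", "standard", "PATCH-A", "critical", date(2020, 5, 1), date(2020, 6, 2)),
    PatchRecord("vpn-gw-01", "critical", "PATCH-C", "high", date(2020, 5, 15), date(2020, 5, 20)),
]


def days_to_patch(rec: PatchRecord, as_of: date) -> int:
    """Days from release to application; open items are aged up to as_of."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days


def critical_patch_metrics(records, as_of: date, sla_days: int = 14) -> dict:
    """Summarise patch latency for critical patches on critical-tier hosts.

    Two averages are returned: one over closed items only (what a patching
    tool typically reports) and one that also ages open items to as_of, so an
    unpatched critical host drags the number up instead of disappearing.
    """
    scope = [r for r in records if r.host_tier == "critical" and r.severity == "critical"]
    closed = [r for r in scope if r.applied is not None]
    open_items = [r for r in scope if r.applied is None]

    avg_closed = mean(days_to_patch(r, as_of) for r in closed) if closed else None
    avg_all = mean(days_to_patch(r, as_of) for r in scope) if scope else None
    breaches = sorted(r.host for r in scope if days_to_patch(r, as_of) > sla_days)

    return {
        "in_scope": len(scope),
        "open": len(open_items),
        "avg_days_closed": avg_closed,
        "avg_days_including_open": avg_all,
        "sla_breaches": breaches,
    }


if __name__ == "__main__":
    report = critical_patch_metrics(RECORDS, as_of=date(2020, 6, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as-is it shows the gap between the two averages (5.5 days on closed items versus about 10.3 including the open domain controller) and lists dc-01 as the SLA breach.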
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I am fortunate to have been a socially aware person from as early as I remember. I support many social, human, and technological causes. I’d love to start an “eye to eye” movement — look a stranger in the eyes and smile. I am seeing such a pervasive dehumanization of strangers in society today and it bothers me deeply.
How can our readers further follow your work online?
Readers can follow me on LinkedIn at www.linkedin.com/in/simonarollinson, on Twitter at @simonarollinson and follow the ISACA Now Blog at www.isaca.org/resources/news-and-trends/isaca-now-blog.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!