As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jason Hicks, a veteran information security and risk management executive with deep technical and risk management expertise, bringing more than 17 years of global information risk experience into his current roles. As the chief information security officer (CISO) for the Kudelski Group he is responsible for client members’ global security programs. Jason also provides virtual CISO services to multiple, multi-billion-dollar organizations. Prior to Kudelski Security, he served as global CISO at Ares Management LLP, a multi-national alternative asset manager, with more than $140 billion in assets under management.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up? Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I wouldn’t say there was one story in particular that got me into cybersecurity, but I spent some time working in law enforcement and based on my IT skills, spent most of that time working on cyber cases. Back in those days there were very few people with IT skills, so it was a high demand skill set.
Can you share the most interesting story that happened to you since you began this fascinating career?
All the interesting stories are still classified, so there’s not much I can disclose at this moment.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’d have to credit an uncle for me getting into tech. My uncle is one of those self-taught network wizards, back in the day when companies were mystified by what they did since very few people understood the technology. He’d tell us stories about how an entire manufacturing line that employed thousands of people and cost millions was shut down until he could fix some technology issue. I wanted to learn how to do that, and he took the time to get me started on my road to learning.
Are you working on any exciting new projects now? How do you think that will help people?
I’ve been working closely with CISOs globally to navigate the unprecedented environment that we are all currently operating within and coming up with new ways to deliver the correct level of security for their organizations. Automation is another exciting area of focus for me; there’s all kinds of low-level activity that can be automated to help security professionals do their jobs more effectively. Oftentimes you’ll hear concerns about automation replacing employees, but I don’t see it that way. Automation can be extremely useful in helping to advance security programs because it frees up teams from having to focus on mundane and repetitive tasks and they can instead focus on the more interesting work that delivers a higher value to the organization.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I recommend people set realistic goals and have a plan to achieve them. You have to hold yourself accountable for your career, no one is going to plan it out for you. You also have to be very realistic in how fast you’re going to achieve them and decide how far you’re willing to go to get there. For instance, if you’re willing to move across the county every couple of years you will find more opportunities for advancement, but you trade off being close to family, friends, etc.
To thrive, you also need to be cognizant of the political realities that exist in your workplace, especially as CISOs become more integrated with the rest of the C-suite. Change at the top will often lead to change at other levels so have a career plan and be ready to pivot if need be. It’s also a good idea to find a CISO to serve as your mentor, ideally one at the size company and industry vertical where you aspire to work.
Cybersecurity can be an extremely fast-paced and demanding profession, and when it comes to burnout a lot of it can come down to the type of security role you’re in and the organization you’re working for. For instance, if you’re in an operational CISO role say compared to a virtual CISO role, that’s going to result in drastically different levels of responsibilities and therefore different levels of stress. From an organization standpoint, if security is well supported and funded, you are less likely to burn out because you’ll consistently have the right level of support and resources you need to do the job effectively. Conversely, if security does not receive either the organizational support and/or funding it needs you are likely to have a much higher stress level.
For me, it’s always been about finding a way to compartmentalize any negative stimuli of the job so that I can focus on the day-to-day activity. It’s easier said than done, but it’s an important skill to learn.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
One of the things that excites me the most about working in cybersecurity is that you never get bored because things change constantly. There’s a lot of variety in the challenges you face, and it requires constant learning. Related to that, there’s always some kind of problem for you to solve. There’s a level of high intensity and critical thinking that gives you that adrenaline rush and requires you to stay sharp and on your toes. The other aspect that I really enjoy about working in the industry is that at the end of the day our goal is to have a positive impact on people and organizations. If we do our job right, it means organizations are able to function the way they need to, and people are able to do their jobs.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Organizations should be paying greater attention to end-user breach fatigue. For the past few years, individuals and organizations have been inundated with news reports around password breaches and it seems like every day there is another story about a company’s user accounts being compromised or sold on the dark web. As breaches and threats become more common, individuals get numb to the risks and let their guard down. This lack of attention to overall cybersecurity hygiene can lead to an increase in breach activity over time. It also has the potential to make the CISO’s job more difficult as the Board and other C-suite members start to see breaches as the new normal and something that cannot be avoided. It could even lead to a reduction in the support for security spending, which would only lead to more breaches.
Also, mobile connectivity, especially as it relates to the Internet of Things (IoT) and Operational Technology (OT), will become much more complex over the next few years. On the OT side, many production systems such as PLCs are not running modern code and are not regularly updated, which poses a greater risk of downtime due to breach or failure in the system. With 5G on the horizon, there will be a new push to bring these OT systems into the connected world, and if not done right, it could result in some very serious scenarios like critical infrastructure and utility outages.
In terms of the IoT landscape, we can expect to see a multitude of devices coming packaged with 5G radios, which will greatly increase the attack surface. With Wi-Fi, the majority of end users have at least a rudimentary firewall built into their home network systems, while with 5G it’s likely to be more akin for devices that are directly connected to the internet to have a built-in firewall. Given the low barrier to entry, the high-level of risk tolerance and lack of awareness on the consumer side, we can expect to see a multitude of privacy issues.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
While I can’t divulge the specifics of any particular breach I’ve helped fix or stop, from my experience I will say that most problems that occur because of a breach are due to a lack of preparation. Meaning, the proper leg work that needed to be done upfront to ensure the right tooling, staff and access were in place wasn’t fully executed. This also extends to individuals having clearly defined roles and scopes of responsibilities. Many organizations don’t spend time training their staff on their incident response, disaster recovery or business continuity plans. All of this becomes a major issue when folks are expected to execute a plan they have not seen since the last annual review. The level of organizational and financial support a program receives has a direct correlation to this preparation being done, as it’s time consuming to do it right, until you have it all properly implemented. Then you still need to maintain and adjust as your risk environment changes.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The basis of a good security program starts with a mindset that it’s not about the tools, it’s what you do with them. That said, it’s important that organizations have tools and services like threat hunting and monitoring, endpoint detection and response, vulnerability scanning and managed attacker deception at their disposal to build a mature cybersecurity program using a multifaceted, risk-based approach.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Almost everyone is using over the counter software these days, so it’s more of a matter of how you’re managing those systems and tools on an ongoing basis. If you don’t have the in-house staff to manage them, then working with a managed security services provider (MSSP) will be key. That said, you still need someone internally who owns and oversees the security function to help manage incident response and internal escalation. Plus, you will need people internally to respond to the incidents your MSSP sends you, if you don’t have an in-house security operations center (SOC).
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Some of the obvious signs that you’ve been breached are if you’ve experienced an unplanned outage or your services are spotty and if any company property such as your website and social media have been defaced. Some of the less obvious signs are an increase in spam emails to user accounts and also strange log in requests. You may also find confidential company information such as an internal presentation posted to public websites where they shouldn’t be.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first stage is to triage and confirm what actually happened. What initially may appear like a breach may not always be, so it’s important to dissect the issue first before taking action. From there, you’ll need to determine how severe the incident is and invoke your incident response plan as appropriate.
Once the incident is contained, you’ll want to make sure your after-action report and lessons learned are well documented. This part of the process can sometimes fall to the wayside after a breach, especially when teams and resources are exhausted, but it is super important to ensure you’re making the necessary changes to your security strategy to prevent the root cause of the issue in the future. In some instances, root cause analysis isn’t possible because you don’t have the data or the tooling available, and that in itself is a critical finding that should be noted for future remediation planning.
It’s often too difficult for organizations to put in place privacy or security controls for individual states or territories; because of that many will set the bar to fit the most restrictive law or regulation. The CCPA has set that bar in the U.S., and many have started to utilize its requirements as their compliance threshold, assuming they are not operating internationally.
Adequate protections are not being provided by all enterprises. While many provision sufficient privacy and security protections, not all security programs have the same level of commitment. Each company is different, and their needs and challenges differ so from a compliance perspective, a regulation that subjects all organizations to the same rules might be the right approach to level the playing field, so to speak.
In the short term, we will continue to see a growing compliance burden for organizations, and the situation will create opportunities for service providers and software manufacturers who can help make things easier to manage. In the absence of a unifying federal law, we will continue to see the proliferation of privacy laws and initiatives from multiple states.
What are the most common data security and cybersecurity mistakes you have seen companies make?
One of the most common mistakes we see is not using multi-factor authentication (MFA), which requires a user to provide two or more credentials in order to authenticate their identity. In my opinion, you shouldn’t be accessing anything sensitive externally without MFA, if you want to avoid security issues. Another common mistake is not having basic email security hygiene controls in place such as next generation spam filtering or data loss prevention (DLP) which helps to prevent attacks and detect sensitive information before it leaves your outbox.
Also, you see companies spending millions on digital security but overlooking physical security. You want to ensure you have the right physical security protocols in place so that unauthorized persons can’t access the building or specific areas where sensitive information is stored and potentially plug into a computer to steal information or walk off with the device itself.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Generally, I think we’re just seeing people be less thorough and not adhering to some of the traditional security procedures and controls that are in place. For instance, using a personal or non-secure device to access company information or an unclean home network causing a malware infection. I don’t think employees are acting this way out of maleficence; it’s just indicative of the situation that many of us find ourselves in working from home and perhaps a bit more stressed with all that’s happening in the world. When people have to adjust to a new environment or way of working it can be stressful and that can at times lead them to be less cautious than they normally would be.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Start by enabling the built-in data loss prevention features that you’re already paying for, particularly if you’re a Microsoft Office 365 or Google Suite customer. This will help to reduce the risk of inadvertent breaches by ensuring employees aren’t sending out sensitive or confidential information outside of the organization.
- Understand where your data lives and who has access to it. By mapping this out carefully, you’ll be able to ensure you put the right protocols and parameters in place to safeguard your data systems.
- Make sure you have good anti-malware and end-point detection and response (EDR) software in place, and that it’s managed centrally either on-premise or in the cloud.
- Revise your BYOD policy to accurately reflect the way in which employees are currently working, especially if your company is operating either fully or partially remote. For instance, instead of pretending that employees aren’t accessing company information on their personal devices, adjust the policy and tools in a way that they can do it securely.
- Don’t overlook the human factor in security. This is so important as a large number of breaches are due to human error. Ensure that all employees clearly understand your security policy and have the right tools, support and guidance to implement it.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Finding a way to make workplace wellness truly effective. I read somewhere that we spend 90,000 hours of our lifetime at work, so it naturally seems like a good place to start. Yet, some studies suggest that these employee wellness initiatives yield unimpressive results in the short-term and don’t deliver on their promise. But imagine if you’re able to build an environment where employees truly feel like they are able to achieve the best, healthiest and most productive version of themselves, the kind of trickle effect and positive impact it can have on the rest of their lives and the people in it.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!