As the chief information security officer of publishing giant News International, as well as having a pivotal role at ISACA, Amar Singh has a lot on his plate. He tells Dan Raywood about his personal philosophy of managing security in a large organisation, and why he wants to see former soldiers join the industry.
No matter how it travels or the device it's on, data – along with the soundness of fortifications put in place to safeguard it – impel the endeavours undertaken by hard-working CISOs everywhere.
Whether sussing out ways to enable the use of personal mobile devices in the corporate environment, encouraging employee engagement in risk management plans or establishing sound techniques to employ qualified IT security pros, the ultimate aim underpinning any information security leader's efforts always is data's safekeeping.
For Amar Singh, CISO of the publishing giant News International, the job – especially given all that must be overseen – sometimes can be all-consuming and certainly, he has found, requires a strong will. Too, his hard work, just like the availability of data, must travel.
Recently attending a conference in Miami, Singh proved that the challenge of working remotely is something that affects not only employees, but security professionals too. Just as with other organisations, the mobile platforms he must manage are numerous and, while this alone can be a challenge, the bigger problems arise with how data stored on them is secured. Enter the bring-your-own-device (BYOD) movement and further complications arise.
“As much as it is a technical challenge, it is a cultural-thinking process and I think addressing it using the best approach for your organisation is very critical,” he explains. “If you have 10,000 users and they all have four devices, then that is 40,000 devices you have to manage.”
Singh explains further that while there already is a legion of devices to oversee in the average organisation, it's likely to get worse – and sooner than many might expect. The premise of up-and-coming technologies, such as Google Glass or smart watches, will present ever more data security, cost and policy struggles. Compounding the current high numbers of devices used with the rise in the types that potentially will hit in the future is quickly transforming BYOD into a “manage-any-device” (MAD) process, which involves the oversight and security of anything that shows up on a network, he says.
“However, with BYOD, there is huge opportunity as it allows you to retain employees, to a certain extent,” he says. “As long as I can protect my data, then you can bring any device. It may be a very simplistic view, but you have got to know what you are trying to protect.”
Yet, it's not about the mobile devices themselves, but rather how they are being used. That is, although the ‘access anywhere' issue is worrisome, the security of data stored on the devices equally is concerning. To help address some of the challenges here, Singh says that a likely future scenario will involve tagging a document to maintain a link to it and its identity throughout its lifetime.
“That document belongs to me,” he says. “Even if it is copied a thousand times, it is really critical for me to know about it, and that...allows me to protect my intellectual property – whatever I create.”
Questions of personal data ownership can be confounding, but some organisations have established policies to directly address these. Steve Wright, global privacy officer at Unilever, cites Mozilla's concept that individuals themselves own the rights. And, his is not the only company whose executives think this way: CookieQ allows individuals to control how a website tracks or monitors their movements around the various sites they visit.
“Both concepts lend themselves well to supporting the over-arching theme of making us responsible for our own personal data,” Wright explains. “This concept is applicable in both the workplace and home scenarios, so it lends itself well to Singh's point about tagging documents to an individual for life. This also tackles the problem of piracy, copyright, intellectual property ownership (IPO) infringement and legal data protection cross border challenges.”
Still, complications arise over the actual ownership of the data. For instance, if an intellectual property “owner” is working on research or a design for an organisation that has paid them for their services, would the data belong to the company or the individual who created it? “It is for essentially this reason why we can't resolve the problem of digital rights management,” Wright says.
Singh believes that staff represent the biggest opportunity for a business – and engaging and sharing information with them, as well as making them a part of what the business is doing, helps everyone.
“One thing I have gained a lot of traction on is if I can help [employees] with their personal [lives] – let's call it cyber life – it makes life easier as we are all online,” he says.
Today's employees have evolved to work flexibly and independently as members of global business teams, says Tim Burnett, information security manager at Atos. Because of this change, engaging them to better understand cyber threats and the various IT security mechanisms used by their companies to address such problems, along with the roles they play in helping to thwart online attacks, can reap some business benefits.
“Security officers need to become more visible, more approachable and more able to discuss issues in terms of risk to the business, so that organisations move away from the culture of ‘security always says no, so I'll keep quiet' towards a more inclusive, open view on information security,” says Burnett.
Still, the problem of approachability doesn't just sit with the security department, says Burnett. Employees looking to take on a project might complain bitterly when a proposal is rejected by CISOs because they failed to meet even basic security requirements, he says. Such problems can be circumvented with staff simply taking time to meet with IT security pros at the start to explain project parameters and ask for help on the security mechanisms needed to make it work. Demonstrating that information security is being considered early on, with the CISO providing constructive input at the start, is key.
“Information security professionals need to be seen as part of the process and part of the solution, not simply a hurdle to be overcome,” Burnett says. “End-users who understand this enhance the security culture of the organisation, becoming the solution, rather than the problem. Security that is built in [at the beginning of the process] is far better than attempting to bolt it on at the end.”
Even with such education and awareness for both business units and security teams, organisational leaders must make clear that there will be times when projects will be stopped without the integration of proper security. “The security policy must be enforced and end-users will be disgruntled,” he says. “Dealing with that in a professional, appropriate manner is important so that users will understand the reasons and still approach the security team in future.”
Indeed, failing to be viewed as approachable by fellow members of staff should be a concern for CISOs, agrees Singh. For a long time, IT security divisions were seen as impediments to business getting done, he says, which often resulted in business units avoiding them altogether.
“Now, CISOs are transitioning to the ivory tower, but the concept of management on the floor is not there. In my organisation, I make it a point to receive calls and get on the floor with [News International] journalists, and I am happy to do that,” he explains.
Even if an organisation comprises thousands of employees, their engagement with C-level executives should be encouraged and facilitated, including with the CEO. Such an approach can have huge positive impacts for any company – large or small.
“I am sick and tired of the ivory-tower approach I see with many executives,” Singh adds. “One of the reasons why Apple and Google are successful is that people could get to the top of [those companies].”
An untapped resource
Singh, like many other CISOs, engages in any number of industry bodies to both enhance his own knowledge and network with other security pros. Just recently he took on the job of heading up the UK security group at the long-standing nonprofit Information Systems Audit and Control Association (ISACA). In this role, he is paying particular attention to the oft-discussed skills gap still lingering in the information security industry.
The specific campaign he plans to spearhead aims to devise ways to get qualified professionals currently searching for gigs back into the workforce. As well, he would like to develop cyber education programs to help teenagers and schoolchildren to hone skills in IT and IT security areas.
Another component is to establish some assistance to help former soldiers and army intelligence officers take up careers in information security. To achieve this, he envisions offering educational events that provide advice to make former military personnel aware of various job and training opportunities.
“I want to give them the assurance that when they leave [the armed forces], it is not the end of the world, and to offer them a route into the corporate world,” he explains. “I don't think they are getting that help.”
Singh believes that the main issue is that servicemen and women are not really given decent career guidance once they leave their posts.
“Soldiers are actually very good information assurance, security and audit people,” he says. “The whole IT arena is a great place for soldiers to be in, in my opinion, and in information security they would have a lot of discipline, but they are not being given guidance on that. I don't know why this is. They don't have commercially based skills...[or] any certifications...If [they] make the wrong choice or do not get the right certification that is not in demand, what are [they] going to do?”
Terry Neal, CEO of training firm Infosec Skills, agrees and says that more work should be done with former military intelligence officers as they have transferable skills that are relevant. For example, they are adept at dealing with obstacles and crises, pay close attention to visual detail and offer sound research and written/oral presentation skills.
“If they also have IT skills, all they need is the right training and they could be valuable members of the information assurance community,” he says. “If they have no existing IT skills, then an academic qualification should be sought first so they have a foundation upon which information assurance skills can be taught.”
Sarb Sembhi, chair of the ISACA government and regulatory advisory sub-committee for Europe and Africa, and a former president of the London chapter, adds that it's all about taking good people with good skills and retraining them.
“There are two sides to things: On one hand we have more data breaches than we have ever had, we have hackers succeeding where they had not before and reports of malware that doesn't get detected for years, so it's worse than it ever has been,” he says.
The second side proves a bit more complicated. Although there are plenty of security professionals that have been in the industry providing thought leadership, others who also have been around for some time and may hold a few industry certifications may lack requisite leadership and even technical skills. As a result, multiple levels of skills gaps exist that need addressing, he says.
Particular skills, such as privacy know-how, understanding of how to leverage analytics, and the need to understand how the Big Data phenomenon actually can enhance existing security and risk management plans, are wanting, adds Singh. CISOs alone are far from helpful if they don't have a good team, after all, he says.
ISACA's Sembhi adds that ultimately the continuous evolution of the information security industry will be dependent on guidance from already well-established and experienced pros like Singh. ISACA, he notes, leverages help from such practitioners to guide stronger career development opportunities.
Such moves are proving critically important, as industry leaders hailing from different backgrounds can reveal to those interested in this space that information security can be non-technical too.
“The human face of security is what ISACA offers, and when new people come into the field, they see that...the people we have...are experienced, great mentors and advocates of what ISACA has to offer,” he concludes.
With Amar Singh at the helm of the organisation's UK chapter, many up-and-comers in the field today will likely be influenced.