A Day in the Life of a CISO


Meet Jane

Introducing Jane – Chief Information Security Officer

Welcome to my page! I am Jane, a newly recruited Chief Information Security Officer (CISO). Every month I will talk about my job: the highs, the lows, and the innovations in between, and how all of this comes together to keep my company safe and to grow my career.




Uncovering the truth about fraud

My June Blog

How did I deal with the increased exposure to fraud while protecting my organization?

I recently attended a security conference in New York, where I listened to a couple of talks ― one from the Head of Risk for a global bank and another from a consultant in Capgemini’s Financial Services unit.

It was thought-provoking content. And the challenges around how to deal with increased exposure to fraud were of particular interest. For example, customers obviously want faster and easier processing of transactions, but this is in direct conflict with fraud prevention solutions, which want to impose more security steps.

That’s just the start. I know that when it comes to fraud detection, most financial services organizations face similar challenges: disparate transaction systems, piecemeal fraud detection solutions and high operational costs. In specific fraud areas, such as money laundering, any shortcomings in a bank’s approach to proper controls can expose them to non-compliance with regulations and potentially significant fines.

So, what’s the solution? To help me embed what I learnt from the conference into my cybersecurity strategy, I turned to Capgemini.

Firstly, I wanted to know how Capgemini brings together fraud, cybersecurity, governance risk and compliance to provide a more integrated approach to security. Having a more coordinated approach to threats ― both legal and otherwise ― would significantly boost my company’s defenses.

The Capgemini consultant was happy to explain ― and provide a demo of their analytics capabilities too. This was an opportunity to see how a more cognitive approach to combating fraud could help reduce the risks I mentioned earlier, especially the challenge of balancing customer experience with added security.

He explained how the cognitive tools and skills embedded in Capgemini’s solution, together with cognitive analytics, have helped clients achieve highly effective detection rates, greatly reduce false positives, and significantly improve investigator efficiency by cutting investigation time.

So, have I learned the truth about fraud? Well, certainly I’ve discovered that a key weapon in the fraud-busting arsenal is to take a more integrated approach to our fraud resilience ― one that incorporates a cognitive approach enabling us to pick out fraud patterns.

Interested in Capgemini’s integrated approach to fighting fraud? Find out more.


Responding to the escalation in ransomware attacks

My Advice on #Ransomware

With the rise in ransomware attacks, I had to take necessary steps to limit the risk to my organization. This is my 7-step response plan.

As a CISO, I view the proliferation of ransomware attacks as one of the biggest cybersecurity threats we’re currently facing. They’re global. They’re costly. They threaten an organization’s ability to operate – and even to survive.

What’s clear is that no organization is 100 per cent immune. So, the key is how you respond to an attack.

You must act fast. This will boost your chances of stopping the attack spreading enterprise-wide. And the best way to achieve this? Unplug infected laptops from the network, but do not switch them off, otherwise you will lose all the information you need for a forensic investigation of the attack.

That’s the advice I received from my cybersecurity consultant. As an organization, we procure several cybersecurity services from Capgemini, but in this case I wanted something different. I wanted the reassurance that we could stop a ransomware attack from doing untold damage (assuming my backup plan was proven to work well, and that I had good offline backups).

Together, we drew up a 7-step response plan. It doesn’t make us infallible, but it gives us a fighting chance.

Firstly, never consider paying the ransom. Very little ransomware is built so that it can actually restore your data. Also, by paying, you are doing exactly what the attacker wants, and you are creating the incentive for further growth in ransomware attacks.

Here’s how the plan looks:

  • Step 1: Unplug affected laptops, PCs and other devices from the network – but DO NOT shut them down.
  • Step 2: Make a call. Don’t send an email alert about the attack (you need to be offline); rather phone your external cybersecurity support or responsible internal resource.
  • Step 3: Carry out a first-level forensic investigation to ascertain the extent of the threat. Which domain? What ransomware are you facing? What network elements are affected? This is why you need to keep your laptops running after you’ve unplugged them from the network.
  • Step 4: Protect what is still safe. It is a mistake to focus on restoration at this stage. Instead, you need to stop the ransomware propagating before you begin to restore your laptops. How? Shut down the network elements identified in Step 3.
  • Step 5: Clean your IT landscape. If you know what the ransomware is, where it entered your network, and who has been targeted, you can start to remove the threat. Don’t forget to correct your master images before doing a full restore of the laptops. If the ransomware was propagated through email or a file, think about people who are out of the office: remove the mail or files from servers, sharing services, laptops, etc.
  • Step 6: Begin restoration, ideally one laptop at a time – if you restore multiple laptops at once, you risk the ransomware trying again. This may be frustrating for your users, but it is an important step in the fight against ransomware.
  • Step 7: Learn from the attack. Where did the protection fail? What new protection measures should you take? Are there areas on your network that need isolating entirely? Do your data back-up and recovery measures need revamping?

Ransomware attacks are receiving global news coverage – with good reason. But at least I know that, as CISO, I’m doing all I can to limit the risk to my organization.

Learn more about Capgemini’s multi-faceted approach to cybersecurity here.


Time to prepare for GDPR

My May Blog

With the new EU General Data Protection Regulation (GDPR) coming into force in May 2018, time was ticking to get our data protection and privacy policies up to scratch.

I’m a firm believer that GDPR shouldn’t be viewed as the only data protection end game, but more as a complement to existing policies that companies have in place to safeguard personal data. That said, GDPR will bring more governance requirements, more rights for individuals and a need for more consistent practices. Stringent penalties will be applied if we fall short of the new standards. As a company, we knew we needed specialist help to prepare.

So, I set up a meeting with the Capgemini Cybersecurity and Data Protection team as soon as possible.

They talked through the need for a holistic view of data privacy and protection, and how personal data must be managed, protected and controlled. While the main emphasis would fall on the first phase of this ― getting data properly organized ― all three elements would have to work together to provide ongoing consistency.

I was already aware of Capgemini’s cybersecurity portfolio. I’d long been an advocate of their consulting and managed services ― which actually are a great fit for GDPR’s emphasis on detecting and notifying breaches and leaks proactively.

After the meeting, the Capgemini team laid out a gap analysis to establish a roadmap for reviewing our security and privacy processes, improving data protection all along the lifecycle and moving forward our GDPR compliance. This roadmap included all the necessary mechanisms, technology solutions and controls that would enable us to respond to data and privacy threats appropriately. Implementation is now under way ― and we’re well on schedule for when the GDPR kicks in.

Find out all about Capgemini’s data protection services here.


Asking the right questions about Cybersecurity

My April Blog

How do I ensure that my business is resilient enough? Is my organization compliant with security regulations and corporate policy? Is it possible to combine digital transformation with acceptable risks?

One of our competitors recently suffered a major data breach. This ― and the emergence of new market players ― prompted me to consider what cybersecurity strategy would best protect our own digital assets.

My starting point was our business needs. What security should we have in place to ensure the company’s growth and competitiveness going forward ― especially the level at which we combined digital transformation with acceptable risks? And, crucially, how could I ensure that our security plans were given the senior-level attention required from decision-makers and other stakeholders to ensure top-down buy-in to the whole subject of cybersecurity?

It was a strategically important challenge. I needed to ask the right questions to enable me to build an appropriate cybersecurity strategy for our organization ― one that would ensure regulatory compliance and business resilience. These questions had two focus areas: how to achieve our cybersecurity objectives, and how to align those objectives with the business.

A critical starting point for protecting your digital assets

Here’s what I came up with ― and I believe these four questions would be a good starting point for any CISO or IT leader developing their security strategy:

  • How do we evolve our traditional security model so that there is a focus on data, people and risks?
  • What should we focus our investment on now, given that security operations no longer rely solely on IT protection?
  • How can we embed the new cybersecurity vision as part of the wider business transformation journey, in order to deliver deep changes in the security function?
  • How can we avoid employees being the weak link and move toward a more people-centric approach to security?


So, I was asking the right questions, now I needed to put in place my strategic security plan. I set up a meeting with the Capgemini Cybersecurity team to help me map out a bespoke strategy for our business and then bring it to fruition.

What I liked about Capgemini’s proposal was their offer to manage both strategy and implementation ― no one else was able to paint (and deliver) this complete picture. I was also comfortable with their vendor-agnosticism because I knew I wouldn’t be pressured to buy any particular technology, or be tied into an expensive license deal.

Based on a clear, shared vision of our maturity and practices, Capgemini helped implement our cybersecurity transformation program in just 12 weeks. I now feel confident that we’ve got the cybersecurity we need to take our business forward ― securely.

Want to see how Capgemini Cybersecurity strategies can protect your digital assets? Click here.


Bright IDaaS from Capgemini

My March Blog

It is very important that the right person connects to the right data at the right time. How do I ensure that the employees of my organization are accessing the right resource with the right level of security?

I’ve been talking about the challenges of securing enterprise assets and data since taking up my new role as CISO. My next task in my new role was to look at IAM (Identity and Access Management) within the business.

I was inclined to put more stringent information access controls in place, and to place a greater onus on user verification. But more barriers can have a negative impact on the customer experience.

So, I spoke with Peter, my Head of Compliance. Peter sets the access and governance policies for the company. With ultimate accountability for IAM, Peter’s responsibilities have become more complex recently. In fact, the increasing number of ways that people can access information as a result of device proliferation and trends like BYOD have made Peter’s life extremely challenging.

Following an internal policy review, Peter and I mapped out ways to give the right people the right access to the right information quickly and securely. The quality of the end-user experience was a priority.

We liked the idea of deploying an onsite IAM solution. But Peter felt this would be costly and challenging from an HR perspective. The ROI would also be difficult to prove. We needed a completely new approach.

That’s when I introduced Peter to Capgemini. They were speaking at a compliance event, and we attended a session on their Identity and Access Management as a Service (IDaaS) offer. Peter was impressed by the deployment speed of this service. He was also attracted by its scalability, which he felt would be cost-effective and help diminish risk. So we commissioned IDaaS soon afterward.

For the first time in a long time, Peter now feels like his job might actually be getting simpler!

Learn more about Capgemini’s IDaaS here.


Putting new apps to the security test

My February Blog

How did I ensure that the apps were tested for vulnerabilities without impacting time to market?

A new company, a new challenge, and some new priorities. But just like all CISOs, I have one consistent focus: to be as rigorous as possible when it comes to cybersecurity.

So, when I was told about a whole raft of new apps the company was launching next quarter, I knew I had to get to work quickly to ensure robust testing was part of the process.

That’s when I met with Philippa. She heads up Quality Assurance in the ‘New Digital Product Launches’ division. She was under pressure to get the suite of new apps ready and launched as soon as possible.

We teamed up to review the current arrangements, and I advised her that security testing had to be high on her priority list, despite the time pressures.

App security is not something that can be compromised. I’ll be frank ― I was a little concerned. While the testing environment appeared generally good, like most companies it was still reliant on penetration testing. This often occurs too late in the process to pick up security issues, so it can’t solely be relied on to protect new apps against dynamic modern cyber-threats.

I’d worked with Capgemini successfully in the past, so knew about its Application Security Testing Service. I got back in touch to set up a discussion.

It can be tough to test multiple apps against changing cyber-threats thoroughly, especially when you’re against the clock ― and on a budget. But that’s what Capgemini’s service is set up to do.

Let’s just say Capgemini’s Application Security Testing Service delivered.

Find out more about Capgemini’s game-changing service here.


Threat Hunting: Capgemini's proactive approach to cyber-breaches

My January Blog

Even when I have deployed effective cybersecurity controls and tools, should I assume 100% security? Am I protecting data that has already been compromised?

Before moving on from my previous role, I commissioned Threat Hunting from Capgemini. Why? A sense of responsibility. I wanted to make sure I wasn’t leaving behind any hidden threats or data that had already been compromised. Cyber-attacks are serious business. And protecting customer records was high on our agenda.

I was the Chief Information Security Officer (CISO). We had hundreds of customers, it was extremely difficult to detect threats internally, and we were often too late. I’d already put some fundamental measures in place, but I was still concerned. I wanted to be sure, because a cyber-attack could hurt a lot of our customers personally and materially. It could punch a hole in our future profitability, too. Not to mention the damage to our reputation!

Cyber-attacks were getting more sophisticated and more frequent. Big names like Yahoo and Tesco Bank were being attacked. The board was nervous. My impending departure from the company didn’t help either.

So, I met with my Capgemini consultant. I wanted to know more about their new Threat Hunting service, which I’d heard about while they were implementing our Identity and Access Management as a Service (IDaaS) and Security Operations Center (SOC).

He told me that the service was about unifying in-depth human analysis with automated threat data processing. While SOCs look for lateral movement and the exfiltration of data, Threat Hunting sets out to hunt down the malicious activity your security controls have failed to detect, or that was already there before the SOC was put in place. The key word here is ‘Hunting.’

Without disclosing any details on the outcome, for obvious reasons, the service revealed that some unknown vulnerabilities had been exploited, fortunately without serious consequences. We were able to rectify the problem before our data was compromised. Essentially, Threat Hunting brings a proactive element to more traditional reactive cyber-breach detection tools.

It’s a crucial difference.

So here I am at my new placement with a new company, which I think would benefit from Capgemini Threat Hunting too. And my former colleagues? With effective cybersecurity in place, they can live without me now. So they say…

Check out Threat Hunting from Capgemini here. And think proactive.
