Here at the RSA Conference blog, we've noticed a clear trend: cybersecurity professionals are generally interested in what CISOs have to say. With that in mind, we've decided to post occasional Q&As with CISOs on the topics of the day.
To kick off our "CISO Speaks" series, Roland Cloutier, CISO of payroll processor and human resources software firm ADP, agreed to share his thoughts on how cybersecurity teams can meet the challenges presented by technology innovation. What follows is a lightly edited transcript of my email interview with him:
TK: Disruptive emerging technologies such as artificial intelligence, the Internet of Things and multi-cloud environments have been changing the security landscape. What emerging technologies are raising the biggest fresh security concerns for ADP, and why?
RC: I think it all comes back to data. The advanced technologies that create incredible opportunities for our clients and for our company also introduce unique risks. Our data defense team was created solely to focus on the implications of advanced threats against new data technologies, such as machine learning and AI. The basic mission requirements around confidentiality, integrity, and availability still apply, and the advancing regulatory background of data privacy considerations is only getting more complex. This is an area we are spending a lot of time on to ensure we get it right.
TK: What specific security risks are these advanced data technologies creating and/or exposing? Can you share any examples?
RC: I think a clear indicator of the complexity of data defense with regards to emerging technologies continues to be the understanding of how data is actually being used. For instance, to do a single transaction you may have to cross 11 different subsystems that have to forward the controls required by the data elements in use, and provide validation and verification of the authorizations assigned to those data assets. You may have used APIs or advanced data management platforms, but either way your requirements didn't change, and in that lies the difficulty in this space. Add to that continuing efforts to deliver end-to-end encryption, and you soon learn why architecting for security-by-design is as involved and as difficult as it can be to design a product in the first place.
TK: How have you been adapting your security strategy to most effectively contend with the risks raised by these new and expansive data flows? What tools and/or methods are proving most effective?
RC: Just like anything else, it all starts with your people, process and technology. You truly have to have an informed and well-skilled workforce to understand the business, technology, and security risks that come with any disruptive technology. We focus on adapting our global job families to be future-focused and to migrate older work skills to the newer required skill sets. Another thing that people often fail to think about is identifying and getting deep transparency into the total threat surface. Although often this can be time-consuming and laborious, getting a good understanding of your baseline is critically important before making any good business decisions. Finally, the addition of new control sets, whether policy, process, or technology, needs to be done in concert with your existing security strategy rather than changing your strategy every time something new comes along.
TK: With organizations still struggling to contend with the data they get from established technologies, how do you put your customers at ease that their increasingly sensitive and voluminous data will be safe as emerging technologies push the limits further?
RC: I think before organizations get their customers comfortable, they need to get themselves comfortable with the efforts they have made to reasonably protect their clients' information. When an organization understands at a very detailed level how it is protecting this information, has clear visibility into its risks and control gaps, and can demonstrate a clear level of capability to reduce risk, that often leads to trust in its information, which then becomes transparent to its customers. Organizations mature enough to deliver transparency to their end-users not only on how they're protecting information, but also how well they're doing it, tend to be the ones that are doing a good job.
TK: Are the benefits of emerging technologies worth the new risks they introduce? And does that even matter? Do CISOs have any choice, or is it their job to accept such tradeoffs and keep security humming along regardless?
RC: My perspective is that a CISO is a business leader, and as such, helping in the support of the design strategy that enables the future focus of your organization is critically important. It's not about the technology stacks we use or the cool new tool that a developer wants; it's about the enablement of ideas to deliver future strategies and products that clients need and want. Technology is simply a means to deliver that product or is actually the product itself. But either way our job as security experts and business leaders is to truly understand the risk in the context of what the organization is trying to accomplish, develop and support mechanisms to reduce that risk, and tackle hard problems within our area of responsibility so the business can go focus on what it has to deliver. Every business, every business unit, and every executive deals in trade-offs every day. The really smart and successful ones are those that know how to use contextual information to make the right decisions. As a security executive, we need to help our business partners get that good information.
TK: If you could wish for one thing you don't have that would help you protect against these emerging data risks, what would it be?
RC: Two areas that seem to always support advanced emerging risks are security development program support, and a formalized R&D and program management portfolio. As technology and control operators, many times our engineering and operations teams tend to get appropriately focused on protecting the as-is environment. The more resources and funding we can throw at over-the-horizon threat modeling and controls development earlier in the risk lifecycle, the better we will be at accelerated implementation of controls to support the business at its time of need.