A Day in the Life of a CISO

Introducing Jane – Chief Information Security Officer

Welcome to my page! I am Jane, a newly recruited Chief Information Security Officer (CISO) and every month, I will talk about my job, the highs, the lows, and the innovations in between. And how all of this comes together to help keep my company safe, as well as grow my career.
Time to prepare for GDPR

My May Blog

With the new EU General Data Protection Regulation (GDPR) coming into force in May 2018, time was ticking to get our data protection and privacy policies up to scratch.

I’m a firm believer that GDPR shouldn’t be viewed as the only data protection end game, but more as a complement to existing policies that companies have in place to safeguard personal data. That said, GDPR will bring more governance requirements, more rights for individuals and a need for more consistent practices. Stringent penalties will be applied if we fall short of the new standards. As a company, we knew we needed specialist help to prepare.

So, I set up a meeting with the Capgemini Cybersecurity and Data Protection team as soon as possible.

They talked through the need for a holistic view of data privacy and protection, and how personal data must be managed, protected and controlled. While the main emphasis would fall on the first phase of this ― getting data properly organised ― all three elements would have to work together to provide ongoing consistency.

I was already aware of Capgemini’s cybersecurity portfolio. I’d long been an advocate of their consulting and managed services ― which actually are a great fit for GDPR’s emphasis on detecting and notifying breaches and leaks proactively.

After the meeting, the Capgemini team laid out a gap analysis to establish a roadmap for reviewing our security and privacy processes, improving data protection all along the lifecycle and moving forward our GDPR compliance. This roadmap included all the necessary mechanisms, technology solutions and controls that would enable us to respond to data and privacy threats appropriately. Implementation is now under way ― and we’re well on schedule for when the GDPR kicks in.

Find out all about Capgemini’s data protection services here.


Asking the right questions about Cybersecurity

My April Blog

How do I ensure that my business is resilient enough? Is my organisation compliant with security regulations and corporate policy? Is it possible to combine digital transformation with acceptable risks?

One of our competitors recently suffered a major data breach. This, together with the emergence of new market players, prompted me to consider what cybersecurity strategy would best protect our own digital assets.

My starting point was our business needs. What security should we have in place to ensure the company’s growth and competitiveness going forward ― especially the level at which we combined digital transformation with acceptable risks? And, crucially, how could I ensure that our security plans were given the senior-level attention required from decision-makers and other stakeholders to ensure top-down buy-in to the whole subject of cybersecurity?

It was a strategically important challenge. I needed to ask the right questions to enable me to build an appropriate cybersecurity strategy for our organisation ― one that would ensure regulatory compliance and business resilience. These questions had two focus areas: how to achieve our cybersecurity objectives, and how to align those objectives with the business.
A critical starting point to protecting your digital assets

Here’s what I came up with ― and I believe these four questions would be a good starting point for any CISO or IT leader developing their security strategy:

  • How do we evolve our traditional security model so that there is a focus on data, people and risks?
  • What should we focus our investment on now, given that security operations no longer rely solely on IT protection? 
  • How can we embed the new cybersecurity vision as part of the wider business transformation journey, in order to deliver deep changes in the security function?
  • How can we avoid employees being the weak link and move toward a more people-centric approach to security?

So, I was asking the right questions; now I needed to put my strategic security plan in place. I set up a meeting with the Capgemini Cybersecurity team to help me map out a bespoke strategy for our business and then bring it to fruition.

What I liked about Capgemini’s proposal was their offer to manage both strategy and implementation ― no one else was able to paint (and deliver) this complete picture. I was also comfortable with their vendor-agnosticism because I knew I wouldn’t be pressured to buy any particular technology, or be tied into an expensive license deal.

Based on a clear, shared vision of our maturity and practices, Capgemini helped implement our cybersecurity transformation program in just 12 weeks. I now feel confident that we’ve got the cybersecurity we need to take our business forward ― securely. 

Want to see how Capgemini Cybersecurity strategies can protect your digital assets? Find out here.


Bright IDAAS from Capgemini

My March Blog

It is very important that the right person connects to the right data at the right time. How do I ensure that the employees of my organisation are accessing the right resource with the right level of security?

I’ve been talking about the challenges of securing enterprise assets and data since taking up my new role as CISO. My next task was to look at IAM (Identity and Access Management) within the business.

I was inclined to put more stringent information access controls in place, and to place a greater onus on user verification. But more barriers can have a negative impact on the customer experience.

So, I spoke with Peter, my Head of Compliance. Peter sets the access and governance policies for the company. With ultimate accountability for IAM, Peter’s responsibilities have become more complex recently. In fact, the increasing number of ways that people can access information as a result of device proliferation and trends like BYOD have made Peter’s life extremely challenging.

Following an internal policy review, Peter and I mapped out ways to give the right people the right access to the right information quickly and securely. The quality of the end-user experience was a priority.

We liked the idea of deploying an onsite IAM solution. But Peter felt this would be costly and challenging from an HR perspective. The ROI would also be difficult to prove. We needed a completely new approach.

That’s when I introduced Peter to Capgemini. They were speaking at a compliance event, and we attended a session on their Identity and Access Management as a Service (IDaaS) offer. Peter was impressed by the deployment speed of this service. He was also attracted by its scalability, which he felt would be cost-effective and help diminish risk. So we commissioned IDaaS soon afterward.

For the first time in a long time, Peter now feels like his job might actually be getting simpler!

Learn more about Capgemini’s IDaaS here.


Putting new apps to the security test

My February Blog

How did I ensure that the apps were tested for vulnerabilities without impacting time to market?

A new company, a new challenge, and some new priorities. But just like all CISOs, I have one consistent focus: to be as rigorous as possible when it comes to cybersecurity.

So, when I was told about a whole raft of new apps the company was launching next quarter, I knew I had to get to work quickly to ensure robust testing was part of the process.

That’s when I met with Philippa. She heads up Quality Assurance in the ‘New Digital Product Launches’ division. She was under pressure to get the suite of new apps ready and launched as soon as possible.

We teamed up to review the current arrangements, and I advised her that security testing had to be high on her priority list, despite the time pressures.

App security is not something that can be compromised. I’ll be frank ― I was a little concerned. While the testing environment appeared generally good, like most companies we were still reliant on pen testing. This often occurs too late in the process to pick up security issues, so it can’t be relied on alone to protect new apps against dynamic modern cyber-threats.

I’d worked with Capgemini successfully in the past, so knew about its Application Security Testing Service. I got back in touch to set up a discussion.

It can be tough to test multiple apps against changing cyber-threats thoroughly, especially when you’re against the clock ― and on a budget. But that’s what Capgemini’s service is set up to do.

Let’s just say Capgemini’s Application Security Testing Service delivered.

Find out more about Capgemini’s game-changing service here.


Threat Hunting: Capgemini's proactive approach to cyber-breaches

My January Blog

Even when I have deployed effective cybersecurity controls and tools, should I assume 100% security? Am I protecting data that has already been compromised?

Before moving on from my previous role, I commissioned Threat Hunting from Capgemini. Why? A sense of responsibility. I wanted to make sure I wasn’t leaving behind any hidden threats or data that had already been compromised. Cyber-attacks are serious business. And protecting customer records was high on our agenda.

I was the Chief Information Security Officer (CISO). We had hundreds of customers, it was extremely difficult to detect threats internally, and we were often too late. I’d already put some fundamental measures in place, but I was still concerned. I wanted to be sure, because a cyber-attack could hurt a lot of our customers personally and materially. It could punch a hole in our future profitability, too. Not to mention the damage to our reputation!

Cyber-attacks were getting more sophisticated and more frequent. Big names like Yahoo and Tesco Bank were being attacked. The board was nervous. My impending departure from the company didn’t help either.

So, I met with my Capgemini consultant. I wanted to know more about their new Threat Hunting service, which I’d heard about while they were implementing our Identity and Access Management as a Service (IDaaS) and Security Operations Center (SOC).

He told me that the service was about unifying in-depth human analysis with automated threat data processing. While SOCs look for lateral movement and the exfiltration of data, Threat Hunting sets out to hunt down the malicious activity that your security controls have failed to detect, or that was already present before the SOC was put in place. The key word here is ‘Hunting.’

Without disclosing any details on the outcome, for obvious reasons, the service revealed that some unknown vulnerabilities had been exploited, fortunately without serious consequences. We were able to rectify the problem before our data was compromised. Essentially, Threat Hunting brings a proactive element to more traditional reactive cyber-breach detection tools.

It’s a crucial difference.

So here I am at my new placement with a new company, which I think would benefit from Capgemini Threat Hunting too. And my former colleagues? With effective cybersecurity in place, they can live without me now. So they say…

Check out Threat Hunting from Capgemini here. And think proactive.
