We conducted a Q&A interview with Jean-Christophe Gaillard, Leading Security influencer and Managing Director at Corix Partners, regarding cybersecurity in an age of COVID.
Could you introduce yourself and what you do?
I am the Founder and Managing Director of Corix Partners.
I have been living and working permanently in the UK since 1993, and I have been involved with cybersecurity since the late 90s. I became the Chief Security Officer at Rabobank International in 2000 and built that practice from the ground up across a decade, eventually setting up Corix Partners in its current form in 2011.
At Corix Partners, we have been working mostly with large organisations, helping them build or rebuild security organisations and operating models that create real and lasting value to their business.
Cybersecurity is integral to businesses today, but not all businesses are making it as high priority as it should be, can you explain why it’s so important?
Simply because cyberattacks are in the news every week and cybercriminals are targeting all organisations, irrespective of size or sector.
This is no longer strictly about risk anymore for many executives. Risk is about uncertainty. Cyber attacks are increasingly becoming a matter of “when, not if”, and that creates fundamentally different dynamics in the boardroom.
Cyber risk has been on the map for most organisations for a while, but the boardroom is now expecting execution around cybersecurity programmes, in exchange of massive investments for many firms (at least pre-COVID).
The COVID crisis is changing the game, but cybersecurity has certainly not gone off the radar. Resources are going to be scarcer across the board as budgets tighten, and security leaders must learn to focus the resources they have where they will have the greatest impact.
Many organisations have departments that look at risk, but it seems that they don’t necessarily cover cybersecurity risks too. So where does or should this sit?
I don’t think it is quite true to say that cyber risks are not on the map, at least in large organisations.
Surveys after surveys are highlighting otherwise, from the World Economic Forum to leading strategy consultants such as Kearney or McKinsey, and it has been the case for a few years.
The actual depth of the board commitment is something else. It is one thing to have cyber risk on your heat map, and another to address it proactively and over the mid to long-term, in particular, if a profound transformation is required around security practices. Change takes the time it takes, but many senior executives still struggle when it comes to looking beyond the short-term.
What is the level of risk for organisations that don’t have the right level of cybersecurity?
As I said before, I am not sure this is entirely about risk anymore. Once again, risk is uncertainty. Cyber attacks are increasingly a matter of “when, not if”. That means: If you’re not well protected, you will be breached and suffer damage.
It is key to think about protection in layers i.e. in terms of preventative, mitigative and reactive measures. It has been the spirit of information security good practices from the day they were first drafted over 20 years ago.
Those principles remain more valuable today than ever before. We hear a lot about “cyber resilience” these days. Defence in layers – defence in depth – is at the heart of what cyber resilience is all about. There is no silver bullet or magic solution, technical or otherwise.
What are the areas that are the highest cybersecurity risk for organisations at the moment and in the near future?
Since the beginning of the COVID lockdown, remote working at scale has been the area of greatest concern for many cybersecurity professionals.
It definitely introduces a number of new attack surfaces for most organisations, which come with new operating models and different levels of controls. And for what we can see at the minute, it is likely to remain a component of the “new normal” for a while.
What can organisations do to best protect themselves from these and predict the future levels of risk within the technological space?
As I said before, I really think that more than ever, the key – now – is to focus on established good practices and think defence in layers; there is no magical silver bullet out there, in spite of what many tech vendors would like you to believe. If you take ransomware as an example, you would typically need to act at three levels to build up protection:
- Educating your staff around phishing emails and the handling of attachments, and why it matters – that’s primarily about “people”
- Deploying security patches in a timely fashion across your entire IT estate – that’s primarily about “process”
- Filtering emails upstream as much as realistically possible to discard spam and identifiable malware – that’s primarily about “technology”
Acting on one layer alone will not protect you… Actual, lasting, effective and efficient protection can only come from concerted action at people, process and technology levels.
What can businesses do to ensure that they are using the correct cybersecurity techniques and software?
Security tools are rarely a solution by themselves to many cybersecurity challenges.
They need to be seen as enabling and supporting security processes, as part of a structured security operating model. You do not build a security strategy around tools; you look for tools to support your strategy.
Doing this the wrong way round has led to a genuine product proliferation problem in many large organisations: Many of those tools only address a point-problem; or they were simply bought to close down an audit observation; or they only get partly deployed, because business orientations change or because the CISO leaves half-way though: The 2020 CISO Benchmark Report by CISCO, released earlier this year, highlights that the average company is now using 20 security technologies.
This cannot carry on, and it comes with serious operational overheads which are going to be difficult to justify for many CISOs in post-COVID budgets; the time has come to declutter and consolidate security estates, not to buy more tools.
What would be your main recommendation for our readers when it comes to cybersecurity, risk assessment, pre-empting future issues and the precautions that they can take moving forward?
The worse of the COVID economic impact is ahead of us; budgets will tighten for most organisations and some industries will be totally transformed.
But cybersecurity will be a pillar of the “new normal” – whether it is in support of remote working, e-commerce or digitalised supply chains.
The key is to keep things simple, identify key business assets and focus security resources on those, and think defence in layers. That’s the essence of security good practice and it does work. Now is not the time to look for magical solutions – technical or otherwise – which would make the problem disappear; they simply don’t exist.
This Q&A interview is exclusive to The Business Transformation Network.
