Eugene Roman to a C-level at the cross-roads: choosing security vs. usability

Sep 26, 2019

Max 10min read




Eugene Roman short bio: 

Eugene won the 2015 Canadian CIO of the Year award (Private Sector) for having created a strategic plan to transform the Canadian Tire Corporation into an innovator in digital and overseen the development of new digital centers, including the Cloud Nine Digital Innovation Centre in Winnipeg and the Digital Garage in Kitchener-Waterloo, Ontario.

Mr. Roman began his career in telecommunications and has worked for Nortel Networks Corporation, Bell Canada Enterprises Inc., Open Text Corporation and Canadian Tire Corporation. Over the years, Mr. Roman has been responsible for integrating critical technology and business processes to deliver innovative programs. Eugene Roman is a frequent speaker on “The Future of Digital Content”.

Why companies need cybersecurity?

Cyber defense or cyber security, the purpose of it is not to get in a way of delivering business results. The problem is the cybersecurity specialists tend to take a narrow arrow view of that and the business people tend to take a more relaxed view and then you have this conflict. They too often ask, “Why do I need this?”. This is why so many companies get hacked – because their decision makers, typically senior executives, haven’t taken time to fully understand the risk. This is all OUR risk.

Companies today are sensitive to enterprise risk. This always becomes top of mind once you’ve been attacked. It’s taken years to convince senior leaders (that are not trained in this) that it is important. It is not their specialty. And part of it is that too often the security industry is its own worst enemy. You overprotect and people say, “Well, it gets in a way, we shouldn’t use it”. Then they move it to less protected mode or disable it.

What is the right level of security?

At the right time, when needed, as needed. Defense in depth is now much more understood in 2019 than ever has been. However, there are still those who argue both sides of that equation. Don’t put it in proper controls or put in too many controls when it’s really a balance of common sense. Black and white decisions on e-security are never helpful. Businesses have to run yet they have to be protected, so I’ve always argued that proper protection is a good investment.  

Company decision-makers still struggle with that too often saying “I’d rather spend a dollar on my website or other things. When by the end of the day if you are hacked or you lose critical customer data the impact is quite serious.” We’ve seen hack after hack after hack across various industries and I can go on and on. Our Canadian Revenue Agency recently had to shut down because someone hacked into the system and they were not able to collect taxes and the tax reporting was delayed by a number of days.

You have to think it through, talk to people like UnderDefense and say: “How do you protect? How can you protect us?” You have to be proactive, in fact, forward looking. If financial executives or business executives can’t see the need for critical infrastructure, that’s their problem. The negative brand impact will impact your company, so negatively you may have great difficulty recovering.

What happens with companies that lack security?

A lot of companies have the IT-security team reporting to the internal audit group. This is problematic, internal audit leaders, heads of internal audit are typically not trained to guide the work. It’s a technology function. So the CIO, CTO is where it should report. Let’s face it, this is about experience and expertise. Experience matters, training matters, Expertise matters!

Companies that get hacked suddenly go: “I have lost everything, I lost this, I lost that”. Better safe and sorry but if you are too safe you can’t run your business, so there must be a balance. Understanding WHAT the issues are is where you need people who are EXPERTS.But the young minds today, who are born digital, think hard about how to do these things. They are the future, but they typically lack experience. 

There are smart tools that can help you. By the way, if you think that all the tools you have will help you solve these problems, you’re kidding yourself again. The tools have limitations. If your cyber defense is an unlocked door, be aware you are going to get hacked. It’s not an IF question, it’s a WHEN question. It’s like a virus protection. 

I had a business executive a number of years ago who said “We don’t need virus protection on our PCs in our call center. It’s too expensive. I said ”Are you kidding me?”. This is a true story. And he had 150 seats in a call center. I just said “Send me an email where you refuse” and he sent me an email where he refuses because it was too expensive. That call center went off to the air for 5 days. We lost machines that we could not recover. After this incident, a proper e-security was the standard, no debate.

If you are gonna be dumb you, are gonna suffer the consequences and we still have that “I didn’t know”, “I didn’t understand that” attitude in too many places. Not understanding the law, doesn’t give you an excuse to break the law. The same applies here.

How to respond to cybersecurity challenges?

There is always a lot of patching, a lot of fixing. Prioritizing patches is the key. Eight months after heart bleed surfaced a Canadian hospital suffered a major meltdown. They hadn’t patched for it. The alert came out. Read the alert, respond to the alert. If you respond quickly you can protect yourself. It’s all in the speed of response. They lost healthcare records, they lost this, they lost that.

What is better in-house security or to get help from outside?

Reliance on trusted providers is a managed service. It can be well managed or poorly managed. I think that many small, medium size companies tend to really struggle with that. You can’t go to the government and ask for help, they won’t be able to help you. 

You can go to the industry and pay the price. There is a market problem in terms of affordability. Every digital company needs a level of protection of their assets and we haven’t quite figured that out as a society. I think it’s up to companies like UnderDefense and others to help. To help the companies to do the job that has to be done. And it has to be well managed.

So the question is if you go to a business classroom and say: “Let’s study the principal of being well managed.” The students and professors will look at you and say: “What are you talking about? We know the business case, what’s the model of well managed?. We really don’t have one – yet.”

That’s where I spent a lot of time. That’s why I am teaching now in my semi-retirement. “Is it well managed or is it not well managed?”. They typical reply – “Is it insourced or outsourced?”. That’s not the question. It can be outside the company and well managed or it can be inside the company and well managed. Or it can be outside the company and poorly managed, or inside the company and poorly managed. So this is clearly an area where deep expertise is required. It’s also always good to have a second opinion, to have trusted third parties who can assist you.

Read more

Download MDR Datasheet

Read more about our Incident Response Service