How to be a successful CISO and come back home satisfied?
according to Matthew Sciberras
An insightful talk between Nazar Tymoshyk, CEO of UnderDefense, and Matthew Sciberras, Chief Information Security Officer at one of the largest iGaming companies operating today – Betsson Group. They discussed the everyday challenges a CISO faces. Cyber attacks grow more sophisticated as attack surfaces expand and cloud security environments become more complex. New regulations appear more often than CISOs would like. On top of that, limited budgets do little to make digital transformation safer. Matthew Sciberras shared his experience in dealing with these challenges and gave advice to beginners on how to become a successful CISO.
We know you as a very experienced CISO. We would be happy if you could share your background.
Information security is a passion of mine. It is exciting in itself, and it is exciting because it brings value to the organization. I say value because a company cannot be sure of the consequences of its decisions if it does not know what the risks might be and whether those particular risks can be mitigated. So information security itself is about what kinds of cyber risks the company is able to take. That is my job and something that has been an interest of mine for the past 12 years.
I remember you used to work for top consulting companies, right?
I was a pentester for top firms such as PwC. I was also a tutor who taught certified ethical hacking. So for me, security at the operational level – that is how it all started. It was always interesting for me to understand how things work. And then, obviously, I moved on. I was the ISMS manager for 6 years. And now I’m the director of information security at Betsson Group.
What are the main CISO challenges you and other cybersecurity professionals are facing?
According to my experience and the CISO surveys, the top challenge CISOs face is buy-in from the company. Because if the company sees information security as insurance, then the CISO will have many challenges there. However, if information security in the company is perceived as an enabler, a way to take calculated risks, it is exhilarating. That means you can provide value to the organization. So I think that is the topmost CISO challenge, and that is what makes you go home happy or not. Because if you have senior executives who don’t really care about security, then you just tick off policies and procedures to adhere to legislation, and that’s it.
I spoke with my Swedish friend and asked how cybersecurity is doing in Sweden. He told me that security is not so popular there because people believe that no one needs to attack them. You guys have no enemies like Russia or China or others. They don’t realize that cyber attacks are not about location; they are about the Internet.
Exactly. The Internet is not in Sweden or the UK, or anywhere else. Wherever money is involved, there might be sabotage or even a simple defacement of a website. Information security is about how to absorb risks and how to mitigate them. And that is what people don’t understand sometimes. Unfortunately, these companies realize that security is important only when the problem is already there. It is something we don’t have at Betsson. We believe that security is an enabler. And that is why for me it is a really good place to work. Because I go home, and I feel that I accomplished this.
One of the key CISO challenges of young CISOs is to get a budget from top management. How do you approach your management with cybersecurity budget questions?
What I do and find works is that I first look at a company statement. The company’s statement has to reflect the company’s information security strategy. So, if the company’s statement is to make their customers happy, then the question you should ask is how information security can provide value in making customers happy.
Based on that, you will have a complete security strategy; I like to call it a North Star. Focusing on that North Star strategy, you will have key initiatives to arrive at the aim, and that is how I make things work. And the most important thing is you don’t ever go to an executive team and tell them problems. You go there with solutions and value so they can drive the business further. That is how you can bring value to the organization.
What qualities must a professional security engineer have?
To be honest with you, I would rather have someone who is still learning but can integrate within the company’s culture. I feel that understanding the company’s culture and having the person fit into the company’s culture is important. That is what drives the person; that is how he/she can learn, because he/she would be a part of that culture and can step up and provide more value. So if I have to choose between someone who is very technical and a people person who is a bit less specialized, I would go for the latter. It’s all about strategy, right? So, I tend to use an 80/20 rule. It means someone who is 80% focused on governance gives 20% to operational security, and someone who is doing 80% operational security gives 20% to governance. I also believe that people do not leave the company; they leave their managers. And you are accountable for those people who leave. It means that you were not successful in keeping those people. The way I try to provide for this is that I try to make myself redundant – in the sense that I try to teach and advocate and be a leader in my team, but to be sure that things go on just the same whether I am there or not. It’s essential to look at things from a technical perspective as well as from a business perspective. And sometimes, you have to look at things from a helicopter view to see what the company needs.
Also, you have to look from the employees’ perspective: is there a career path for this person? Are you sure he/she is enjoying his/her job? That’s why I ask people what they would like to do. Is it operational security, or is it governance, or is it both?
What if you can’t give a person a job that matches their exact interest?
When employing people, I look for the kind of interest I need according to the unfilled cybersecurity roles in the team. Otherwise, I would have no one in operational security, and all of the employees would be doing governance. That might be a bit of a problem. In this case, the 80/20 rule has to become a 50/50 rule. And then you can start employing people to do operational security.
How do you see the European market and demand for cybersecurity engineers?
I think it’s on the rise, because information security has been here for ages. But with the start of GDPR (General Data Protection Regulation), people and companies have somehow realized that InfoSec could be a pillar of the organization. And it is definitely increasing. The biggest asset of companies is data, let’s face it. If you hold someone’s data, it is extremely important to ensure that the data is kept safe.
Quick question about security monitoring: have it or not? Invest in it or not? What maturity level should a company have before putting security monitoring in place?
How can you detect cyber threats without security monitoring?
If you buy antivirus software, it’s already doing some kind of automated security monitoring for you.
Yes, but there is a big difference. I believe that there is nothing like having analysts in place, looking at the data, correlating the data to understand whether it is a false positive or whether it is indeed a threat. We do have AI systems in place, but human interaction is extremely important. Yes, artificial intelligence is getting better and better. And nowadays, if we mention antivirus, there are conventional antivirus solutions and others, such as sandbox AI. Yes, they are all good tools. But they are tools. It is the human mind that beholds what anything is. I believe in that.
Matthew Sciberras and the UnderDefense team recommend that you not underestimate the impact of the security environment on your business. In the era of global digitalization, cybersecurity is worth considering as one of the key pillars of business sustainability and growth. The vCISO team of UnderDefense is here to deal with your cybersecurity challenges and help you create a cybersecurity roadmap synchronized with your business strategy and goals.