CISOs, cybersecurity, and COVID-19: Confabbing with a cybersecurity consultant

That’s when an opportunity to move internally within BDO presented itself. I immediately pursued it, and I now specialize in cybersecurity consulting and leading engagement teams to solve cybersecurity problems of clients across industries and sizes in Canada.

Can you tell us a bit more about your role? What does a cybersecurity consulting manager do?

I specialize in advising clients on cyber risk, strategy, and transformation.

• The first stage is to unpack the current state of the cybersecurity program at the client organization. This involves identifying technical, managerial, and process controls.
• Then, we work with them to envision their target operating model and plans to realize it. This includes creating an implementation roadmap along with cost, effort, and time estimates.
• The last step is to help them implement the identified objectives. Implementation can include creating operating procedures, deploying a data loss prevention tool, or setting up a security operations center.

Based on your experience so far, do you think companies in Canada are willing to invest in cybersecurity?

The focus on cybersecurity had been rising among clients in Canada even before the pandemic, thanks to the rising complexity of their technology footprints. COVID-19 accelerated this trend. In a short span of time, employees started working remotely; organizations had little visibility into how their digital assets were being used. High-profile cyberattacks further pushed organizations to prioritize cybersecurity over the last couple of years.

The cybersecurity regulatory landscape has also been evolving in Canada. Bills C-26 and C-27 have been tabled in the parliament; they are expected to become law. There are significant implications from a governance and regulatory perspective to set up a robust cybersecurity program, and make sure that each organization is safeguarding its critical assets.

Canadian organizations do identify [with the fact] that cybersecurity is a strategic priority. It was not that easy, say, five years ago. Things have changed dramatically.

Do CISOs have a larger role to play when it comes to making cybersecurity decisions now than before?

Organizations realize that security is a responsibility shared amongst all senior executives. The CISO will surely play an increasingly important role as a subject matter expert and the authority on technical and operational controls. However, the CISO will work in collaboration with other C-suite executives in making critical cybersecurity decisions.

Do you think if companies or governments had allocated better cybersecurity budgets right from the beginning, instead of waiting for a pandemic, it could have led to a better outcome? Even now, there are organizations and governments which are hesitant to invest a lot in cybersecurity. What is your opinion on that?

Indeed, cybersecurity should always be a top priority for organizations considering the complex and rapidly evolving threat landscape. Cybersecurity should be considered right from the beginning of any project. Such a security by design approach has two main benefits:

1. Cost savings: When cybersecurity is incorporated from the beginning, organizations can reap operational cost savings due to productivity improvements and by channelling people to do higher value work than mundane, routine work.

2. Future preparedness: Organizations can channel their security investments more effectively towards risk mitigation and compliance reporting. This will enable them to prepare better for the future.

Initially, companies used to invest in cybersecurity to avoid compliance penalties. Does that stand true after COVID-19?

Ensuring regulatory compliance is a still a key driver of cybersecurity investment today.

Data privacy and safeguarding of personally identifiable information are taken very seriously. Organizations also want to avoid penalties.

That said, other factors are also gaining importance as drivers of cybersecurity investment. For example, compliance can be looked at as a preventive measure. If something goes wrong, there can be significant damage; however, with compliance measures in place, there will be potential savings.

What are the typical challenges and pitfalls organizations face in cybersecurity?

These are the typical challenges and pitfalls organizations face:

• Taking a myopic view of cybersecurity: Organizations often believe that cybersecurity is an IT responsibility. They think that deploying sophisticated tools is the answer to their cyber woes. However, a holistic approach to cybersecurity that takes into consideration not only technology but also the processes, people, and operating model is critical for security.
• Failing to prioritize: Organizations often spread their cyber investments across all of their assets, which reduces the overall effectiveness of their cybersecurity program. Instead, organizations should prioritize their key assets (“crown jewels”) to maximize return on investment.
• Not tracking KPIs and KRAs: Organizations often do not track KPIs and KRAs, which makes it difficult to measure returns on cyber investments. They should track and report on these to make a stronger case for future investments.
• Underestimating the people risk: Every person in an organization has a role to play in keeping the cybersecurity posture strong. People are often the weakest link when it comes to cybersecurity. Organizations must make sure there is training and awareness. At the same time, they should monitor anomalous activities. For instance, if somebody logs in from a cafeteria without a secure connection, it can have a detrimental impact. Ensuring that such instances do not happen is where I focus a lot when talking to organizations. It is not just an IT responsibility but rather a collaborative and shared responsibility among everybody in the organization.

There is a dearth of skilled professionals in cybersecurity. What would you suggest organizations do?

Hiring is going to be a challenge over the next few years. Organizations can address these challenges in multiple ways.

1. Building talent organically: Train the talent you already have so that they can handle more complex cybersecurity roles.

2. Leveraging a variety of talent pools: For example, organizations can focus on capturing young talent, maybe from campuses or schools, that have focused cybersecurity programs.

3. Boosting adjacent capabilities: Say somebody is working in cloud operations; they can be considered for a role in cloud cybersecurity operations as well. Look for adjacencies within the company and bring them on board to the cyber-side of things.

4. Retaining star performers: Make sure you identify the star performers, retain them, and reward them appropriately based on their performance.

5. Poaching: A strategy that companies often follow is poaching or buying from competitors.

6. Automation: Organizations can automate some mundane, repetitive tasks so that people can focus on higher value things and become more productive.

There are various strategies that companies are adopting to solve the cybersecurity hiring issue.