LIFARS recently met with Keith Bowie, a cybersecurity professional with a prestigious career spanning over thirty years.
Some of his roles have included U.S. CIO at Scotiabank, consultant, and advisory board member. His industry experience and expertise intrigued LIFARS, so we decided to ask him a few questions to gain better insight. Take a look!
- Where do you think cybersecurity will go in the next five years, and what would you recommend to executives to prepare?
My main advice to executives is to take cybersecurity seriously and invest as required to protect your organization. There are still organizations out there who believe “it won’t happen to them”. Well, it will, and you should be prepared.
Preparation, protective measures (patching, penetration testing, etc.) and staff awareness are key. Having a comprehensive, tried and tested incident response plan is paramount.
The areas that I see of prospective importance are:
- Nation state attacks becoming more frequent and sophisticated.
- Cybersecurity skills gap continuing to grow.
- AI becoming more prevalent in offense and defense.
- IoT attacks becoming more frequent and sophisticated.
- Continuing rise in social engineering attacks (ransomware, malware, phishing).
- We’ve seen new compliance regulations emerge recently, like GDPR and CCPA. Given your experience as U.S. CIO at Scotiabank, how do you think these regulations play a role in privacy and security in today’s world?
In short, they play a huge part in shaping the cybersecurity and data privacy strategy of an organization.
We need to address different types of regulation.
Cybersecurity Regulation
This will be issued by a regulatory body outlining cybersecurity requirements to which all regulated entities must adhere. An example of this is the New York State Department of Financial Services 23 NYCRR 500 cybersecurity regulation. This is principles-based legislation that dictates what steps an organization needs to implement to demonstrate good cyber hygiene. It is predicated on the regulated entity performing a risk assessment.
Given that it is principles-based, there is no “you must do this”; rather, “the regulated body should”. Therefore, ensuring that the principles are met and that evidence to that effect is readily available for regulator consumption is paramount.
For larger global organizations, a typical approach has been to review all cyber legislation and adopt global policies and procedures that comply with the strictest legislation.
I’d also say that, although historically cybersecurity teams have been ‘part of IT’, it’s now clear that they should be divorced from the IT team to avoid potential bias. It is becoming more common for cybersecurity to be part of the risk function, reporting to the Chief Risk Officer, or in some cases, the CISO reports straight to the CEO.
Data Privacy Regulation
Data privacy goes beyond the cybersecurity team. Organizations now tend to have Data Privacy Officers, aligned with the legal and/or compliance teams. Data privacy and other regulatory demands have led to organizations getting more serious about understanding their data and their data strategy. This has led to the creation of data governance functions under the command of a Chief Data Officer.
As with the above, organizations now need to ensure that they are compliant with different legislation from different geographies, such as state-led regulation in the US – California Consumer Privacy Act, New York Privacy Act (and others) – and GDPR in Europe. This type of legislation is a huge shift in mindset from the regulatory bodies and requires a huge shift in mindset from vendors and organizations to ensure compliance. The legal effort, data governance policies and procedures, cybersecurity implementation and technology required to ensure compliance are significant.
Data Privacy is still an evolving topic. No sooner does an organization believe it’s compliant than another law pops up and shifts the goalposts. This will be playing out for some time to come.
- With new trends impacting security and risk, how will they affect organizations, and what are some measures organizations can take?
An organization needs to determine and understand its overall risk appetite. This applies to all risk categories, not just cybersecurity. Therefore, a comprehensive risk assessment needs to be executed. Ideally, the assessment should be verified by an independent external organization.
From a cybersecurity perspective, the risk assessment will identify things like the regulatory compliance needs; physical environment and associated threats and vulnerabilities; software landscape and associated threats and vulnerabilities; the personnel and organizational structure required; policies and procedures required; where the most critical data resides; and a prioritized list of acceptable risks.
Once this has been executed, the organization can best assign resources and budget to address the most important risks. Inevitably, regulatory compliance will take precedence over all else. Look on this as an opportunity for improvement, not a burden.
The cybersecurity team needs to keep abreast of new threats and threat actors. However, as we know, most cyber incidents occur due to internal personnel failings. It is imperative that a strong cyber awareness and training regimen is practiced within any organization. Where possible, the three lines of defense capabilities should be implemented.
There are some simple but effective practices that can be carried out like regular software/firmware patching and penetration testing.
I’d also suggest investing in tools that can reduce cyber incident detection false positives. SOCs are invariably overworked. Allowing them to focus on the critical incidents will benefit the organization no end.
Lastly, make sure that your Incident Response, BCP and DR plans are up to date and regularly tested. Incidents will happen. Responding efficiently and recovering are key to any organization’s wellbeing.
- With new technologies like cloud being implemented quickly by organizations, risk exposure is increasing. How can organizations address this problem?
As mentioned above, an organization should be aware of its risk appetite. As new technologies or services are introduced, a stringent onboarding process should be applied to the technology/service and the vendor. This could be a threat assessment on software, service or physical facility; and/or a comprehensive third-party risk management program to onboard new vendors and continually assess existing vendors. The outcome of this process will be a measure of the additional risk being assumed by the organization. A decision can then be made on whether this is within acceptable parameters. Whilst following a stringent process can be time-consuming, it will end up becoming standard operating procedure and minimize any prospective risk.
- Seeing that you’re a seasoned vet in the industry, what are your recommendations to anyone looking to start their career in security or someone just emerging out in the workforce?
Seasoned vet – Love it! I’ll get my walker!
There is no one size fits all answer here.
There will be those who want to join a vendor/startup to develop and deliver security solutions and functions to customers, and those who want to join an organization to protect from within.
Regardless of this personal desire, it’s worth pointing out that a lot of employers are typically looking for resources who have professional qualifications (CISSP, CISM, etc.). Whilst this may not be required for entry-level positions, it is certainly beneficial and, in most cases, required as you pursue more senior opportunities. Joining a company that will sponsor and support you in obtaining these qualifications would be a great first step.
Additionally, getting a good practical grounding in all aspects of cybersecurity (operations, forensics, policy, etc.) is also extremely beneficial. That will allow the individual not only to gauge the area(s) in which they desire to further their career, but also to understand the overall impact/dependency of each area on the others.
Lastly, I’d highly recommend enrolling in a mentoring/coaching program. I’d recommend this regardless of the industry for new professionals. Larger companies may have their own, but there are independent programs available. Not only will this help with regard to the subject matter, but more importantly it will help coach life skills to deal with practical situations, some difficult, that you don’t get in textbooks.