November 2023
cybermagazine.com
CYBER SECURITY: OPEN SOURCE INTELLIGENCE PIVOTAL TO DEFENCE STRATEGIES
OPERATIONS: DEVSECOPS, A PROACTIVE APPROACH TO CYBER
CISOs
FEATURING CLAROTY, OKADA MANILA, FUJITSU
MFA: SECURING THE ONLINE WORLD
How MFA will help to eradicate fraud and increase security
THE CYBER TEAM
EDITOR-IN-CHIEF: MARCUS LAW
CHIEF CONTENT OFFICER: SCOTT BIRCH
MANAGING EDITOR: NEIL PERRY
CHIEF DESIGN OFFICER: MATT JOHNSON
HEAD OF DESIGN: ANDY WOOLLACOTT
LEAD DESIGNER: REBEKAH BIRLESON
SENIOR DESIGNERS: REBEKAH BIRLESON, SAM HUBBARD
FEATURE DESIGNERS: JULIA WAINWRIGHT, VICTORIA CASEY, EMMA WALLER
ADVERT DESIGNERS: DANILO CARDOSO, CALLUM HOOD, ADRIAN SERBAN
VIDEO PRODUCTION MANAGER: KIERAN WAITE
DIGITAL VIDEO PRODUCERS: ERNEST DE NEVE, THOMAS EASTERFORD, DREW HARDMAN, SALLY MOUSTAFA
PRODUCTION DIRECTORS: GEORGIA ALLEN, DANIELA KIANICKOVÁ
PRODUCTION MANAGERS: JANE ARNETA, MARIA GONZALEZ, YEVHENIIA SUBBOTINA, KENDRA LAU
MARKETING MANAGER: DAISY SLATER
PROJECT DIRECTORS: TOM VENTURO, TOM LIVERMORE
MEDIA SALES DIRECTOR: JASON WESTGATE
MANAGING DIRECTOR: LEWIS VAUGHAN
PRESIDENT & CEO: GLEN WHITE
FOREWORD
Preparing for the cyber frontier
As the defence industry becomes increasingly reliant on advanced technologies, keeping pace with advancements and securing these technologies is crucial

At a time where the lines between the digital realm and physical warfare are becoming increasingly blurred, the role of cybersecurity in the defence sector has never been more critical. The defence industry is responsible for developing and maintaining critical military systems, infrastructure and communication networks, which are essential for national security, and any breach or compromise could have devastating consequences. But as defence systems become increasingly reliant on advanced technologies, such as AI, IoT, and autonomous systems, the attack surface for cyber threats also expands. Keeping pace with technological advancements and securing these technologies is crucial. This month Cyber Magazine speaks with experts to discuss the complex challenges and strategies in safeguarding the defence sector against cyber threats.
MARCUS LAW
marcus.law@bizclikmedia.com
CYBER MAGAZINE IS PUBLISHED BY [publisher logo]
© 2023 | ALL RIGHTS RESERVED
CONTENTS

UP FRONT
12  BIG PICTURE: NATO documents leaked in attack
14  LIFETIME OF ACHIEVEMENT IN CYBER: Poppy Gustafsson, CEO at Darktrace
18  THE CYBER INTERVIEW: Andersen Cheng, CEO at Post-Quantum
24  PEOPLE MOVES: The latest executive moves in the world of cyber
26  THE MONTH THAT WAS: Daily coverage of global cyber developments

FEATURES
30  TOP 10: Chief Information Security Officers
42  CYBER SECURITY: Open Source Intelligence pivotal to defence strategies
50  OKADA MANILA: How Okada Manila is taking full advantage of the AI boom
72  NETWORK & APPLICATIONS: How MFA will help to eradicate fraud and increase security
80  CLAROTY: Procurement at Claroty at the forefront of business success
102  OPERATIONS: Shifting left: DevSecOps, a proactive approach to cyber
110  FUJITSU: Leading digital transformation in fintech
130  TECHNOLOGY: Cybersecurity’s crucial role in the modern defence industry
140  OEC: Digital resilience through cybersecurity governance
BIG PICTURE
CREDIT: Getty image of NATO HQ
NATO documents leaked in attack
Brussels, Belgium

NATO said it was addressing an apparent cyberattack in October 2023 after strategy documents were reportedly posted online. The documents covered topics such as hypersonic weapons, threats from drones and testing procedures for radioactive waste. “NATO is facing persistent cyber threats and takes cyber security seriously,” a NATO official told CNN. “There has been no impact on NATO missions, operations and military deployments.”
LIFETIME OF ACHIEVEMENT IN CYBER
Poppy Gustafsson
We honour Poppy Gustafsson, CEO at Darktrace, for her dedication to improving the cyber threat landscape and her work to create global security solutions
WRITTEN BY: AMBER JACKSON

Ten years ago, Darktrace was founded in the UK with the goal of using AI to detect and neutralise cyber threats. Since then, under Poppy Gustafsson’s leadership, the company has experienced huge growth and global expansion, resulting in it being listed on the London Stock Exchange from 2021. A mathematician and cyber defence expert, she was named CEO of the Year at the 2021 Digital Masters Awards and Tech CEO of the Year at the UK Tech Awards 2021. In 2019, she – along with Darktrace CTO Jack Stockdale – was awarded an Order of the British Empire (OBE) for services to cybersecurity.

Building a global cybersecurity company in the UK
Gustafsson has led Darktrace to achieve a wide variety of accolades, such as being named Europe’s 9th ‘Fastest Growing European Company’ by The Financial Times, as well as ‘Fastest Growing Super Scale-up’ by Tech Tour. The company works to deliver cybersecurity AI by delivering complete AI-powered solutions in its mission to rid the world of cyber disruption. Currently, its software protects thousands of customers worldwide from threats including ransomware, cloud vulnerabilities and software-as-a-service (SaaS) attacks. The cybersecurity sector has become increasingly important, particularly in the wake of the COVID-19 pandemic, which sparked an unprecedented number of cyber attacks. Remote and hybrid workers continue to be targeted by elaborate scams and hacks as ‘bad actors’ work to steal and compromise valuable information. Viewing AI as one of the most powerful tools available to modern businesses, Gustafsson has worked hard with her team to ensure that Darktrace’s self-learning AI is more than capable of detecting, responding to and investigating cyber threats. However, she recognises that the cyber landscape now calls for more – with proactive defence strategies that ensure that threats are limited before they even reach an organisation’s desk. Darktrace has expanded its R&D team in recent years and doubled its development team so that the company could work on multiple projects simultaneously. Gustafsson told The Times: “We believe there are over 150,000 companies that could benefit from our AI – and we have the right team and skills in place to ensure we can go after the market opportunity that they represent.”

Protecting the world from increased digital threat
Darktrace is a world leader in autonomous cyber AI, having created one of the first at-scale deployments of AI for enterprises. Developed by mathematicians Gustafsson, Stockdale and fellow founders Dave Palmer, Emily Orton and Nicole Eagan, the company uses self-learning AI algorithms to detect and neutralise cyber threats across the cloud, IoT and industrial control systems and requires minimal set-up. Darktrace AI also protects against previously unknown vulnerabilities including ransomware, data loss and insider threats. Headquartered in Cambridge, UK, the company has more than 4,700 customers worldwide. Speaking at the Royal United Services Institute in 2022, Gustafsson herself called for a dedicated cyber task force designed to enforce accountability, citing Russia’s invasion of Ukraine as a turning point in cyber warfare and the global cyber threat landscape. She shared valuable Darktrace data that showed a huge uptick in global attacks on critical national infrastructure, with a 90% increase in high-priority security incidents in Europe during the week of the invasion. During her speech, she emphasised the importance of a “whole of society approach” to cyber security, stating: “There is a shocking tolerance for cyber attacks and that has to change. Organisations that are custodians of valuable, private data cannot be allowed to let that data fall into criminal hands through negligence and face no consequences.” Darktrace has since released Darktrace HEAL, which launched in July 2023 and aims to use AI to understand business data to ensure readiness to recover from an active cyberattack. It works closely with organisations to ensure that their technology is as prepared as it can be and also helps them to recover quickly to limit business impact. With Gustafsson at the helm, it looks as though the company will be prepared to tackle future cyber threats whenever they arise.

POPPY GUSTAFSSON
Title: CEO | Company: Darktrace | Location: United Kingdom
Poppy Gustafsson OBE is CEO of Darktrace and was part of its founding team in 2013. She is a qualified chartered accountant and holds a BSc in Mathematics from the University of Sheffield, where she was also awarded an honorary doctorate for her outstanding achievements in cybersecurity in 2022.
THE CYBER INTERVIEW
ANDERSEN CHENG: PREPARING FOR A POST-QUANTUM WORLD
We speak with Andersen Cheng, CEO at Post-Quantum, on the steps organisations should be taking to prepare for a post-quantum world

Andersen Cheng is the CEO of Post-Quantum, a cyber security company focusing on quantum-safe security and identity solutions. He was previously COO of the Carlyle Group’s European venture fund and a founding member of LabMorgan, the Fintech 1.0 investment unit of JP Morgan. Prior to that, Cheng was JP Morgan’s European Head of Credit Risk Management and was involved in many system implementations and risk management projects connected to credit risk, derivatives trading, EMU and Y2K. We speak with Cheng about the role quantum technology will have on data security, the steps organisations should be taking and his predictions for the next decade.
Q. HOW COULD QUANTUM COMPUTERS CHANGE THE LANDSCAPE OF DATA SECURITY?
» Today, the world relies on two primary public-key cryptography (PKC) standards for the secure communication of data: ‘RSA’ and ‘Elliptic Curve’. For example, the security of RSA relies on the principle that ‘factorising’ very large integers is so difficult it is impractical – deducing the factors of 15 to be three and five is easy, but deducing the factors of a 2048-bit number isn’t practical with a classical computer. However, quantum machines have already been theoretically proven to be able to conduct the factorisation necessary to crack RSA. Peter Shor, an American mathematician, devised an algorithm in 1994 that, when paired with a sufficiently developed quantum computer, would render even very large RSA and Elliptic Curve keys vulnerable. To boil it down, quantum computers are not superior to classical computers in every area – classical machines will continue to be used for the majority of tasks we undertake today. However, quantum computers are vastly superior when performing analysis on small amounts of data – precisely the quality needed to break encryption. The issue is that, when existing encryption standards are broken, everything becomes vulnerable. PKC is used everywhere in our daily digital interactions and everything we do over the internet. Imagine not being able to trust your bank to make a transfer to your family, or send an email to your colleague that includes highly sensitive information – the world will just stop if the security, and therefore trust, that our world is built on, disappears.

ANDERSEN CHENG
Title: CEO | Company: Post-Quantum | Location: United Kingdom
Andersen Cheng is the CEO of Post-Quantum, a cyber security company focusing on quantum-safe security and identity solutions. He was previously COO of the Carlyle Group’s European venture fund and a founding member of LabMorgan, the Fintech 1.0 investment unit of JP Morgan.
Q. WHY IS IT SO IMPORTANT FOR ORGANISATIONS TO BE AWARE OF THREATS POSED BY QUANTUM COMPUTING?
» Organisations need to be aware of the threat of quantum computing because the advent of a quantum computer is not a matter of ‘if’ but ‘when’. Research suggests that within three years, there is a one in seven chance that quantum computers will break the most used computer encryption systems – this number goes as high as 50% by 2031. Therefore, failing to secure your digital infrastructure against the threat of quantum computing leaves your data and systems vulnerable to attack. But most important for organisations is not the sheer code-breaking capabilities these machines will usher in, it’s the threat they are already posing today in the form of harvest now, decrypt later (HNDL) attacks. That is, any data with a multi-year lifespan, such as government secrets, R&D innovation, asset ownership data in financial services and strategic plans, could be collected today and decrypted in the future. No matter what industry you are in – the private keys of utilities providers or the cardholder’s information held by big banks – all data is vulnerable. This HNDL threat is backed up by numerous pieces of research, which find that nation-state adversaries are already collecting encrypted data with long-term utility. In fact, we are already seeing instances where internet traffic has been routed on unusual global paths for no apparent reason before returning to normal, which are indicative of such attacks occurring. Organisations that fail to recognise this threat and secure their data today, particularly those holding highly sensitive data with a long shelf life, are potentially putting themselves and the wider economy at huge risk in the future.
Q. WHAT STEPS SHOULD ORGANISATIONS BE TAKING TODAY TO PREPARE FOR A POST-QUANTUM WORLD IN TERMS OF DATA SECURITY?
» If you’re a critical enterprise, it’s time to create your own end-to-end infrastructure that’s quantum-safe by design, where everything from your business processes to day-to-day communications is protected. This means thinking about everything from quantum-proofing your identity access management system, to using a quantum-safe VPN to protect communications across your business. For example, the Internet and Engineering Taskforce (IETF) recently created a new VPN standard that helps specify how VPNs can exchange communications securely in the quantum age. The novel approach prioritises interoperability by making it possible for multiple post-quantum and classical encryption algorithms to be incorporated into VPNs, ensuring no disruption to the functioning of existing IT systems, and protecting data from attack by both classical and quantum computers. At-risk organisations might also consider establishing secure end-to-end messaging infrastructures that they control and can quantum-proof today. Such an approach allows different business processes to be created within an end-to-end secure environment so critical data is verifiably quantum-safe throughout its lifecycle.
Speaking more generally, anyone looking to migrate to post-quantum cryptography (PQC) should have three things front of mind at the very least when discussing solutions: crypto-agility, backward compatibility and hybridisation. The use cases where encryption is needed vary across industries and sectors, so adopting a crypto-agile approach – where different algorithms can be used and combined within encryption solutions – will give you a greater level of flexibility. Crypto-agility means it is easy to swap in and out of any algorithms, without the need to modify protocols, as well as ensuring backward compatibility with existing systems. If you want to move quickly, a hybridised approach is also vital. Hybridisation means today’s algorithms can be combined with quantum-safe cryptography in a single solution. Taking this approach means that it’s possible to keep the tried and tested classical cryptography we use today, like RSA or Elliptic Curve, alongside one or more post-quantum algorithms, while also helping security teams to prioritise the adjustments they tackle first when entering the migration phase. As standardisation of PQC algorithms is still being finalised over the next two years, it is a sensible risk and efficiency management approach to take by combining pre- and post-quantum cryptographic primitives.
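The hybridisation and crypto-agility points above can be made concrete with a key combiner: the shared secret from a classical exchange and the shared secret from a post-quantum KEM are both fed into one key-derivation function, so the session key is only recoverable by someone who holds both. The Python below is an added illustration for this article, not code from the interview, from Post-Quantum’s products or from the IETF standard Cheng mentions. It assumes constructed inputs throughout: the suite labels “ecdh-p256” and “pq-kem-a” are placeholder names rather than real protocol code points, and the two shared secrets are fixed byte strings standing in for what ECDH and a PQ KEM would actually produce. The KDF is HKDF (RFC 5869) built from the standard library’s HMAC-SHA256, and the concatenate-then-derive pattern is a common way of combining hybrid secrets, generalised here so the same function serves a classical-only suite, a hybrid suite, or any future suite added to the registry.

```python
"""Hybrid key derivation: one session key from a classical and a post-quantum
shared secret.  Added illustration for the Cyber Magazine interview; the suite
labels and shared-secret bytes are constructed for this example."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) instantiated with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) instantiated with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(suite, component_secrets, transcript, length=32):
    """Combine every component secret named in `suite` into one session key.

    `suite` is an ordered tuple of algorithm labels, e.g. ("ecdh-p256", "pq-kem-a");
    `component_secrets` maps each label to the shared secret that algorithm produced;
    `transcript` is the handshake transcript both peers agree on, so the key is bound
    to the negotiated parameters.  Every listed component must be present: silently
    falling back to the classical secret alone would defeat the purpose of the hybrid.
    """
    missing = [alg for alg in suite if alg not in component_secrets]
    if missing:
        raise ValueError(f"hybrid suite incomplete, missing: {missing}")
    # Length-prefix each secret so two different secret pairs cannot yield the
    # same concatenated input key material.
    ikm = b"".join(
        len(component_secrets[alg]).to_bytes(2, "big") + component_secrets[alg]
        for alg in suite
    )
    # The suite label goes into the HKDF info: the same secrets under a different
    # negotiated suite give a different key, which is what crypto-agility needs.
    info = b"hybrid-kdf-v1|" + "+".join(suite).encode()
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, info, length)


# Constructed sample values standing in for real key-exchange outputs.
CLASSICAL_SS = bytes.fromhex("11" * 32)   # would come from ECDH
PQ_SS = bytes.fromhex("22" * 32)          # would come from a post-quantum KEM
TRANSCRIPT = b"client_hello|server_hello|suite=ecdh-p256+pq-kem-a"


def simulate_exchange():
    """Show the three properties the interview asks for: both peers agree on the
    key, a missing post-quantum component is refused rather than degraded, and a
    classical-only (legacy) suite still runs through the same combiner."""
    hybrid = ("ecdh-p256", "pq-kem-a")
    components = {"ecdh-p256": CLASSICAL_SS, "pq-kem-a": PQ_SS}
    key_client = derive_session_key(hybrid, components, TRANSCRIPT)
    key_server = derive_session_key(hybrid, dict(components), TRANSCRIPT)

    # HNDL model: an adversary who later breaks the classical component holds
    # CLASSICAL_SS but not PQ_SS.  The combiner refuses to produce the hybrid key
    # for an incomplete suite, and a classical-only derivation is unrelated to it.
    try:
        derive_session_key(hybrid, {"ecdh-p256": CLASSICAL_SS}, TRANSCRIPT)
        refused = False
    except ValueError:
        refused = True
    legacy_key = derive_session_key(("ecdh-p256",), {"ecdh-p256": CLASSICAL_SS}, TRANSCRIPT)

    return {
        "peers_agree": key_client == key_server,
        "incomplete_suite_refused": refused,
        "classical_only_key_differs": legacy_key != key_client,
        "key_hex": key_client.hex(),
    }


if __name__ == "__main__":
    for name, value in simulate_exchange().items():
        print(f"{name}: {value}")
```

The suite tuple is the crypto-agility hook: adding a new post-quantum algorithm means registering one more label and its shared secret, not changing the derivation or the protocol around it, and backward compatibility falls out of running a single-element classical suite through the same path.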
Q. WHERE DO YOU SEE THE FIELD OF QUANTUM DATA SECURITY HEADING IN THE NEXT DECADE, ESPECIALLY AS QUANTUM COMPUTERS BECOME MORE ACCESSIBLE?
» Quantum security has not received as much attention as the development of quantum computers, especially when you look at funding. But this is starting to change, particularly when you look at government action. Despite a slow start, the US has now firmly taken the lead following a series of orders and legislation from the Biden government. This includes the Quantum Computing Cybersecurity Preparedness Act, which was passed in 2022 and details the migration to secure government information with post-quantum cryptography. More recently in 2023, the US National Cybersecurity Strategy has outlined a roadmap to replace all vulnerable hardware, software and applications that could be compromised. This recent movement follows the foundation set by the National Institute of Technology (NIST), which launched a global competition to develop new algorithms that will withstand the quantum threat back in 2016. This year, four have been shortlisted and are on track to be standardised – which is seen by many as the catalyst for the post-quantum migration to truly begin. We’ve been very encouraged by this significant uptick in movement, but the truth is that post-quantum migration can and should have begun earlier. Especially with the threat of HNDL, everyone is playing catch-up. It’s not too late, but the next few years are crucial for the future of data and information security.
PEOPLE MOVES
THE LATEST EXECUTIVE MOVES IN THE WORLD OF CYBER Cyber Magazine highlights the latest executive appointments and departures that are set to help organisations achieve their security goals
JORDAN AVNAIM
JOB FROM: VP INFORMATION SECURITY & TECH RISK MANAGEMENT, CAPITAL GROUP
JOB TO: CISO, ENTRUST
Entrust, a global leader in trusted payments, identities, and data, has announced that it has named Jordan Avnaim as its CISO. With more than 20 years of experience leading information security functions and influencing change and enterprise digital transformation, Avnaim will help scale and mature Entrust’s information security program for both corporate and commercial portfolios. Avnaim joins Entrust with experience in a variety of information security and risk leadership roles including most recently at The Capital Group Companies, where he was responsible for leading various information security, technology risk and technology audit functions over his tenure.

CJ MOSES
JOB FROM: CISO, VP SECURITY ENGINEERING, AWS
JOB TO: CISO, VP SECURITY ENGINEERING, AMAZON
Former AWS Chief Information Security Officer CJ Moses has taken on a new role as CISO and VP of Security Engineering at Amazon, according to his LinkedIn profile.

NATHAN MILLS
JOB FROM: HEAD OF PHYSICAL SECURITY, ZOOM
JOB TO: HEAD OF GLOBAL SECURITY, ZOOM
Zoom has named Nathan Mills as its new Head of Global Security. Mills, who was previously Zoom’s head of physical security, will be responsible for the company’s converged cyber and physical security organisation.

PATRICE WILMOT
JOB FROM: DIRECTOR, IDENTITY AND ACCESS MANAGEMENT, IRS
JOB TO: DEPUTY CISO, IRS
The US Internal Revenue Service has named Patrice Wilmot as its new Deputy CISO. Wilmot was formerly the Director of IAM at the IRS and spent 33 years at the US Defense Information Systems Agency.

HEATHER GANTT-EVANS
JOB FROM: CISO, SAILPOINT
JOB TO: CISO, MARQETA
Payment and card issuing platform Marqeta has named Heather Gantt-Evans as its new CISO. Gantt-Evans has previously held senior positions as a security and risk management leader at SailPoint, The Home Depot and EY.

MICHAEL FORD
JOB FROM: CVP, GLOBAL WORKPLACE SERVICES, MICROSOFT
JOB TO: SVP OF GLOBAL REAL ESTATE & SECURITY, AT&T
Having spent 18 years at Microsoft, Michael Ford joined AT&T in September as its SVP of Real Estate and Security Operations, where he leads the Real Estate and Security Operations teams.
THE MONTH THAT WAS
THE MONTH THAT WAS: HIGHLIGHTS FROM OCTOBER
The cyber challenges of remote IT, Palo Alto Networks’ new UK headquarters and the threat of staff burnout as cyber threats increase
75% OF ORGANISATIONS STRUGGLING WITH REMOTE IT CHALLENGES
A Forrester study has found that shifting to remote and hybrid working models has magnified IT challenges for 75% of organisations. The study uncovered that only 42% conduct annual firmware updates, 23% update every two years or less, and 12% only update “when essential”.

CHECKMARX UNCOVERS ATTACK IMPERSONATING GITHUB DEPENDABOT
A Checkmarx report found that threat actors were impersonating GitHub Dependabot in order to carry out malicious activities. The research shows how victims had their GitHub personal access tokens stolen, which attackers then used to make malicious code contributions.

WRITTEN BY A CHATBOT? 71% OF AI DETECTORS ARE UNABLE TO TELL
71% of AI detectors cannot tell if a phishing email has been written by a chatbot, according to a study conducted by Egress. This story highlights the need for cybersecurity professionals to have greater insight into sophisticated cyberattacks so that they can better identify threats like phishing emails.

PALO ALTO NETWORKS OPENS NEW UK HEADQUARTERS IN LONDON
A huge announcement in the cybersecurity sector was Palo Alto Networks announcing the opening of its new City of London UK headquarters. The move is set to create 485 new cybersecurity jobs over the next five years, as it invests to support the company’s expanding customer base across the UK.

BUSINESSES ARE FACING BURNOUT AS CYBER THREATS RISE
A report conducted by iomart and Oxford Economics found that 30% of cybersecurity staff currently battling rising cyber threats are facing burnout. It highlights that, in addition to the sector needing to address a growing skills gap, staff mental health and support is crucial to business transformation.

CYBERSECURITY SKILLS GAP LEAVING BUSINESSES VULNERABLE
In our commitment to raising awareness of the cybersecurity skills gap across the industry, this research conducted by ISACA indicates that nearly 62% of businesses currently face staffing issues within their cybersecurity teams. This has led to a failure to regularly assess cyber risks, exposing organisations to greater threats.
TOP 10
CHIEF INFORMATION SECURITY OFFICERS
Cyber Magazine features 10 global CISOs who are leading the charge in cybersecurity innovation, governance, and resilience
WRITTEN BY: MARCUS LAW
10
Kevin Cross
Title: SVP, CISO | Company: Dell Technologies
Kevin Cross serves as SVP and CISO for Dell Technologies’ Security and Resiliency Organisation. Cross has extensive experience leading incident analysis and response, threat intelligence, threat hunting, ethical hacking, forensics and e-discovery, penetration testing and vulnerability management functions for large organisations in both the public and private sectors. Prior to joining Dell, Cross served as VP and Deputy CISO at Sony. He also founded and developed world-class security operations centres at Sony, the US Counterintelligence Field Activity (CIFA), the Pentagon and the Defense Intelligence Agency.

09
Brent Conran
Title: CISO | Company: Intel
Brent Conran, Intel CISO, has a background in executive leadership as CIO, CISO and CSO, in a variety of infosec, operations, infrastructure architecture and engineering roles. A specialist in business transformation, strategic planning, continuous process improvement, organisational change management, leadership, customer-focused business, budget planning, development and control, Conran has driven initiatives involving organisational change in both public and private sector organisations. Previously, Conran was CSO at McAfee, CIO and CISO for the US House of Representatives and a Security Architect at Merrill Lynch and J.P. Morgan.
08
Gary Harbison
Title: Global CISO | Company: Johnson & Johnson
A proven security leader with more than 19 years of experience in the infosec domain, including roles at multiple global Fortune 500 companies and public sector experience with the US Department of Defense, Gary Harbison’s background includes technical experience, strategy and architecture focused roles, cyber and threat experience and various leadership roles. With a track record of developing security and risk management programs built to evolve with changing business needs and evolving threats, he also serves as an advisor to several cyber security startups, sits on multiple Executive Advisory Boards for cybersecurity companies, and is a frequent speaker at industry events.

07
Michael McNeil
Title: Global CISO | Company: McKesson
As Global CISO, Michael McNeil is responsible for enhancing and overseeing McKesson’s information and operational technology security strategy program, as well as managing information security governance. McNeil has an extensive background in cybersecurity and significant experience in the healthcare industry. Most recently, he served as the Global Product and Security Officer for Royal Philips, where he deployed consistent processes across its entire portfolio of healthcare products and services. He has also held senior leadership positions at Medtronic, Liberty Mutual Group, Pitney Bowes, and Reynolds & Reynolds.
06
George Stathakopoulos
Title: VP Corporate InfoSec | Company: Apple
Vice President of Corporate Information Security at Apple, George Stathakopoulos is an experienced executive with a demonstrated history of working in the consumer electronics industry. Skilled in scalability, enterprise software, culture change, online services, and vulnerability assessment, he is a strong military and protective services professional with a Bachelor’s degree focused in Computer Science from Portland State University. Before joining Apple in 2016, he held roles including Vice President of Information Security at Amazon, and General Manager of Product Security at Microsoft.

05
Phil Venables
Title: CISO | Company: Google Cloud
Phil Venables is the CISO of Google Cloud, where he leads the risk, security, compliance and privacy teams. He joined Google in 2020, after spending more than 25 years as a CISO at multiple financial services companies. Before joining Google, he was a Partner at Goldman Sachs where he held multiple roles over a long career, initially as their first CISO. Venables is a specialist in information and cyber security, cloud services, enterprise risk, technology risk and business resilience with significant experience in multiple industries and multiple geographies — from in-depth engineering to board-level management.
04
Bret Arsenault
Title: CISO | Company: Microsoft
As the Chief Information Security Officer for Microsoft, Bret Arsenault is responsible for enterprise-wide information security, compliance and business continuity efforts and leads a global team of security professionals with a strategic focus on information protection, assessment, awareness, governance and enterprise business continuity. Arsenault currently serves as the Chairman of Microsoft’s Information Risk Management Council, and hosts Microsoft’s Security Council, a forum with enterprise customers that drives product direction and operational best practices.

03
Chandra McMahon
Title: SVP & CISO | Company: CVS Health
With more than 30 years of experience in senior leadership managing large and complex security programmes, Chandra McMahon leads CVS Health’s Global Security organisation, and is responsible for protecting the enterprise from cyber threats and driving its mission to help people on their path to better health. Previously, McMahon served as Senior Vice President and Chief Information Security Officer for Verizon, and before that, she held numerous leadership roles at Lockheed Martin, including as Vice President and Chief Information Security Officer.
02
CJ Moses
Title: CISO & VP of Security Engineering | Company: Amazon
CJ Moses leads security engineering and operations across Amazon, enabling Amazon businesses by making the path of least resistance the most secure one. Before joining AWS in 2007, Moses had an extensive career within the US Federal Government, most recently with the Federal Bureau of Investigation (FBI). Prior to this, he was a US Air Force Office of Special Investigations (AFOSI) Special Agent, where he served as the lead case agent on pioneering computer intrusion investigations, building the foundation for the current cybersecurity industry. He served as the deputy CISO at AWS before succeeding former AWS CISO Stephen Schmidt in 2022. He became the CISO of Amazon in October 2023.
01
TOP 10
Jerry Geisler
Title: Senior VP & CISO Company: Walmart
Jerry Geisler serves as the Senior Vice President and CISO of Walmart’s global infosec department. His responsibilities encompass data security for millions of customers and associates. Walmart’s Information Security program, under Geisler’s leadership, is considered a forward-thinking industry-leader focused on emerging best-in-class information security practices, innovation and business enablement broadly engaged across IT, OT, cloud, platform and product security domains.
CISO Fireside Chat with Jerry Geisler and Adam Ely (video)
OPEN SOURCE INTELLIGENCE PIVOTAL TO DEFENCE STRATEGIES
With roots dating back to the Second World War, Open Source Intelligence – or OSINT – can be a powerful tool in enterprise cyber defence strategies
WRITTEN BY: MARCUS LAW

CYBER SECURITY

By the year 2027, research suggests that almost six billion people globally will use social media. Given the sheer volume of data this alone creates, open-source intelligence (OSINT) has become an increasingly valuable tool.

The practice dates back to the Second World War, when analysts collected information from publicly available sources such as newspapers, radio broadcasts and even overheard conversations to gain insight into the enemy’s activities and intentions. Today, OSINT provides a way to collect and analyse publicly available data which can then be used to make informed decisions.

“Open Source Intelligence is where cybersecurity experts, as well as cybercriminals, try and gather as much information as is publicly available about an organisation, asset or individual as they can, so as to use the information gathered to their advantage,” explains Ed Williams, Regional VP, Penetration Testing, EMEA at MDR leader Trustwave.

OSINT augmenting enterprise security

As Williams asserts, it is crucial to understand what OSINT is and how it can be used against an enterprise, asset or individual. “A good example of this, and one that has yielded results in the past, is job descriptions and the details they offer,” he says. “This detail can and has played an important role in creating pinpointed cyber-attacks that target specific individuals, thereby making them all the more susceptible and vulnerable to these attacks.

“With this in mind, OSINT can enable companies to understand the threats that are most likely to affect their organisation; it can help experts in understanding an organisation’s attack surface and exposed assets; and most importantly, OSINT deepens the knowledge pool of broader cybersecurity trends, making it all the easier to keep on top of new threats and mitigation tactics within the space.”

As Michael Skelton, Vice President, Security Operations and Researcher Success at crowdsourced security pioneer Bugcrowd comments, OSINT can significantly enhance enterprise security by providing actionable insights about potential threats.
ED WILLIAMS TITLE: RVP, PENETRATION TESTING, EMEA COMPANY: TRUSTWAVE LOCATION: UNITED KINGDOM
A subject matter expert on pentesting and red teaming, Williams joined Trustwave in 2017 as EMEA Director of SpiderLabs: Trustwave’s elite team of ethical hackers, forensic investigators and researchers. He is a spokesperson for SpiderLabs and for the wider company.
How the AttackSurfaceMapper OSINT Tool Helps Pen Testers (video)
“For example, it can be used to monitor Dark-Web and hacker forums to identify whether a company’s information is being discussed or sold,” says Skelton. “Similarly, OSINT can be used to identify loose ends in the digital footprint of a company, such as unprotected servers or employees sharing sensitive info online. This could be the company’s own infrastructure, or over services that a company uses. A great example of this is monitoring GitHub to ensure that contractors and employees alike haven’t inadvertently disclosed company secrets or passwords.”

OSINT increasingly a pivotal aspect of cyber defence strategies

Describing it as a ‘force multiplier’ in traditional cybersecurity practices, Skelton explains how OSINT can enable a more proactive approach. “Traditionally, cybersecurity focused mainly on protecting internal systems and reacting to network-based attacks,” he says. “With the proliferation of OSINT, security professionals now can proactively gather information about potential threats and attackers, and take a more proactive approach to security. The more intelligence we have about potential threats and threat actors the better we can defend against them.”

However, as Williams stresses, it is important to consider that while OSINT is a powerful tool for security professionals, it can also be leveraged by cybercriminals to identify and attack vulnerable and misconfigured systems. Therefore, minimising the external footprint of an organisation to only what’s required should be a top priority for all CISOs.

“OSINT is a key practice in any modern cybersecurity strategy, alongside vulnerability testing and patch management,” he adds. “All practices that, whilst unable to guarantee 100% security all of the time given the evolving threat landscape, do help keep businesses up to date with all the threats and tools to protect from them.”
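The GitHub monitoring Skelton describes is, in practice, automated secret scanning over the text of public repositories. The following is an added example written for this article; it is not code from the original piece or from Bugcrowd or Trustwave. The detection patterns, the entropy threshold and the placeholder hints are assumptions chosen for the demonstration, and the sample repository files are constructed (none of the strings is a real credential).

```python
"""Scan repository text for leaked credentials.

Added example; not code from the article or from Bugcrowd/Trustwave.
Detection patterns, the entropy threshold and the placeholder hints are
assumptions; the sample files are constructed.
"""
import math
import re
from dataclasses import dataclass

# Assumed starting set: a prefixed access-key format, a PEM private-key
# header, and a "password = ..." assignment in config or code.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}
# Quoted strings of 20+ token characters that match no known format are
# reported only when their entropy looks machine-generated.
GENERIC_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_MIN_BITS = 4.0                                  # assumed threshold
PLACEHOLDER_HINTS = ("changeme", "example", "xxxx", "${", "<your")


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score near log2(alphabet), words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def looks_like_placeholder(value: str) -> bool:
    """Documentation values such as PASSWORD=changeme are not leaks."""
    v = value.lower()
    return any(hint in v for hint in PLACEHOLDER_HINTS)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """One finding per suspicious line; known formats win over the heuristic."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and not looks_like_placeholder(m.group(1) if m.groups() else m.group(0)):
                findings.append(Finding(path, line_no, kind, line.strip()))
                break
        else:  # no known format matched: fall back to the entropy heuristic
            for token in GENERIC_TOKEN.findall(line):
                if shannon_entropy(token) >= ENTROPY_MIN_BITS and not looks_like_placeholder(token):
                    findings.append(Finding(path, line_no, "high_entropy_string", line.strip()))
                    break
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents (nothing here is a real credential).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'S3cr3t-Pr0d-Pa55!'\n"
        "AWS_KEY = 'AKIAFAKE0CONSTRUCTED'\n"
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow... (key material omitted)\n",
    "README.md": "Set PASSWORD=changeme in .env before running.\n",
    "src/app.py": (
        "API_TOKEN = 'zQ9vX2mL8kP4rT1wB6nH3jF5dG7sA0yC'\n"
        "GREETING = 'hello world'\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.snippet}")
```

Run against the constructed files, the scanner reports the hard-coded database password, the access-key-shaped string and the private-key header by format, and the API token only because its entropy is high; the README’s `PASSWORD=changeme` is suppressed as documentation. The placeholder list is where most tuning happens in practice, since a scanner that floods reviewers with example values gets ignored.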
The ethical considerations when collecting and using OSINT

OSINT is, by its very nature, available to all on the internet. Because of this, Williams explains, it becomes important for organisations to ensure that the collection and use of OSINT data complies with all relevant laws and regulations, including data protection laws such as the EU’s GDPR.

“Whenever possible, obtaining consent from the individuals whose data is being collected can help ensure that the collection process is both legal and ethical,” he says. “Overall, it’s important for professionals to keep ethics at the top of mind when conducting OSINT investigations. While there are clear laws around computer misuse, the main feature of OSINT is the ability to gain an edge over an organisation, asset or individual. The key component of OSINT is how this information is used by both attackers and defenders.”

This viewpoint is shared by Amir Saddon, Director of IR Research at Sygnia. “Although OSINT relies on publicly available data, the use of this data can affect people, both in the organisation and outside of it,” he says. “When collecting this data, organisations should not only consider their investigative needs but also the ethical and regulatory impact of the data. For example, OSINT could be misused to collect information about private social media activities of employees and their surroundings.”

One of the biggest considerations in OSINT is privacy, Skelton asserts. “Just because information is publicly available doesn’t mean it’s ethical to collect and use. There must be a clear, well-defined purpose, and care must be taken to only use the information in line with that purpose. Additionally, there can be challenges in ensuring accuracy and validity of data collected. Misinterpretation or misuse of information can lead to harmful decisions. It’s important for professionals to maintain a clear ethical guideline of what data to collect, how to use it, and, importantly, what not to do.”

To help tackle these risks, Saddon explains that data collection should be limited to the minimum necessary to meet investigation goals without violating the rights of employees or others. “Allowing or enabling technology to collect data or scan systems ‘on autopilot’ will often result in unethical or illegal data collection, and therefore a key part of ethical OSINT is to ensure data collection is controlled by humans who fully understand privacy issues and ethical concerns.”
HOW OKADA MANILA IS TAKING FULL ADVANTAGE OF THE AI BOOM
WRITTEN BY: TOM CHAPMAN
PRODUCED BY: STUART IRVING

OKADA MANILA

Through its groundbreaking use of AI and video analytics, Okada Manila is leading the charge when it comes to security and surveillance innovation

Since opening in 2016, Okada Manila has quickly established a reputation as a premier entertainment resort – and not just in the Philippines, but on the world stage. Such was the scale of this US$2.4 billion development that more than 18,000 workers were employed during the first phase of construction alone, and the results were spectacular.

As its location in the Entertainment City district of Manila suggests, Okada Manila and its people are in the business of providing unforgettable experiences for their guests. In addition to the dazzling casino and luxurious hotel, this vast, integrated resort boasts an endless array of world-class amenities, meaning there truly is something for everyone whether they are looking to shop, dine or relax. One major hotspot is The Fountain, a US$30 million attraction designed by the same team responsible for similarly iconic water features in Las Vegas and Dubai. Then there’s Cove Manila, Southeast Asia’s biggest indoor beach club and nightclub, capable of hosting up to 3,000 partygoers.

“What Okada aims to do is provide entertainment that’s safe, fun and has that wow factor,” explains Ashley Lorraway, the organisation’s Director of Security Infrastructure, Research and Development.
EXECUTIVE BIO
ASHLEY LORRAWAY
Title: Director of Security Infrastructure, Research and Development
Company: Okada Manila
Location: Philippines
Ashley Lorraway, the vigilant guardian of Okada Manila’s security and surveillance technology platforms, is a seasoned IT professional with 20 years of experience managing projects for the corporate, government and mining sectors, and more than a decade specialising in intricate security and surveillance systems such as CCTV, access control and facial recognition. Hired as Senior Manager of Surveillance Technical Services for Okada Manila in 2016, he was promoted to Director of Technology and then, in 2022, to Director of Security Infrastructure, Research & Development. He is a serving member of the Security Executive Committee.

“We throw absolutely everything at providing an extraordinary experience; that’s the number one thing Okada tries to achieve and we succeed every time.”

Okada Manila has certainly lived up to the hype that existed during the planning and construction phase, receiving Five-Star accreditation from the Forbes Travel Guide and becoming a true icon of the Philippines. “Integrated resorts can be a dime a dozen; if you walk into one, you’ve walked into them all,” adds Lorraway. “But Okada Manila is not like any other place you’ve walked into. There’s no other resort that has the same feel, the same aura or the same
atmosphere. You can find all the usual avenues of entertainment that you get in most integrated resorts, but there is just something extra special at Okada Manila. People will say that I’m biased but it’s absolutely true.”

Overcoming security and surveillance challenges

While he is keen to sing the praises of Okada Manila’s entertainment pedigree, Lorraway’s day-to-day concern – as his job title suggests – is how best to protect the resort from security threats. As a seasoned technology expert, he heads up all the technological infrastructure for the security and surveillance platforms – supported by two data centres and around 200 server rooms – while training up the next generation of talented technicians and engineers. Lorraway is also in charge of Okada’s barring and exclusion committee, whose remit is to prohibit a small but potentially dangerous minority of visitors from entering the casino and wider resort.

Ashley Lorraway, Okada Manila’s Director of Security Infrastructure, on Harnessing AI’s Power (video)
Countless colleagues within the industry will be able to relate to the kinds of obstacles being faced by Lorraway and his team on a daily basis. Traditional challenges like budgeting are up there with the toughest, but luck has often been on their side. “When you’re dealing with a board of directors, 9.9 times out of 10 they’re not technically sound,” says Lorraway. “You have to convince these businesspeople that a certain technology is going to improve operations so they will give you the money to do just that.

“I’m extremely lucky, though, that part of Okada’s mission is to be an innovative global leader. I’m also lucky that we have one of the best CTOs on the planet and a Chief Security Officer who is very technologically-minded and supportive.”

Undoubtedly, however, the biggest ongoing challenge for the Okada Manila tech team is prioritisation.
The artificial intelligence (AI) explosion and the way emerging technologies are being applied to video analytics and facial recognition means there is seemingly a limitless number of pathways when it comes to innovation, research and development. The big question is which path to choose. Lorraway continues: “There are only so many hours in a day and the question we have to ask ourselves is, ‘which mind-blowing technology advancement are we going to implement first?’. It sounds arrogant, but we have so many ideas and we’re working on so many projects.”

Okada Manila: Constantly evolving

Okada Manila has, as Lorraway puts it, been very good at “rolling with the punches” during its short history. Evidently, the pandemic was a significant trigger, forcing the business to evolve with
the launch of an online casino, while also considering practical measures at the resort itself such as the installation of contactless technology. So far, the online casino has proved a roaring success and an excellent revenue stream which looks set to continue growing.

Another major evolution has involved the use of facial recognition which, a few decades ago, was being examined but was something of a pipedream given the necessary AI algorithms were not yet powerful enough. But now, the technology has reached the point where it has the potential to replace pretty much any authentication that exists within a casino environment, such as ID passes and reward cards, and can even be used to record player ratings. “We have dramatically expanded our use of facial recognition, to the point where we are testing with a view to using it in other areas beyond security,” Lorraway adds.

Introducing new technology to combat fire risk is another example of Okada Manila refusing to rest on its laurels. Fire is the single biggest threat to a venue of this size, regardless of the industry, and it is essential to have the best alarm and suppression systems installed. The tech director continues: “We’re innovative here; we’re always looking for new ways to protect life, especially when you’re such a big site and you can’t monitor every little area.

“We’ve evolved when it comes to tackling fire, right from the notification and alarms to state-of-the-art suppression systems.”

DID YOU KNOW... ABOUT THE RESORT
• Okada Manila’s casino features the country’s most expansive gaming floor, with around 500 tables and more than 3,000 electronic machines
• The Fountain at Okada Manila cost US$30m and was designed by WET, the same company behind similarly iconic water features in Las Vegas and Dubai
• Altogether, the planning, design and development project to turn Okada Manila from an idea into reality took nine years
• Cove Manila, Southeast Asia’s biggest indoor beach club and nightclub, is enclosed in a glass dome which is 100 metres in diameter and 30m in height
• The club is capable of hosting up to 3,000 partygoers
A hotbed for innovation

The aforementioned boost that AI has given to facial recognition and similar processes cannot be celebrated enough by Lorraway. “AI is everything,” he proclaims. “All of the greatest leaps forward that anybody makes in the next decade or two are going to be AI-relevant.”

In the security and surveillance technology space, in conjunction with gaming protection, use of video analytics powered by AI is the direction in which Okada Manila is already heading. “Say you’ve got a 12-man cheating syndicate which is meeting up on site,” Lorraway adds, providing a hypothetical example. “Traditionally, surveillance people would look at their activities over a period of time and try to denote all the members of that syndicate.

“With AI, what would usually take weeks now takes a matter of seconds, depending on the processing power. We can tell the AI that we’ve already confirmed one of the members and we want to know everybody he’s had contact with.”

Then there’s behavioural recognition and the prospect of teaching AI tools how to recognise the type of behaviour seen among those who are cheating or looking to steal, including pickpockets. “Casinos are rife with pickpockets,” Lorraway goes on. “So, we’re in the midst of teaching the AI to recognise them
before they’ve even picked a single pocket.

“It’s the kind of stuff where, if I told you 25 years ago, you wouldn’t even believe it. But we’re working on it, we’re proving it and we’re implementing it.”

Okada Manila is already benefitting from facial recognition when it comes to detecting banned patrons on its premises. Whether the individual is a prolific criminal, a terrorism suspect or a responsible-gaming risk, a match by the facial recognition system triggers an alert and security personnel escort them away. However, like all innovative technology departments, the team is constantly asking how it can go one step further; in this case, how can it reduce the time it takes for a banned patron to be recognised and security personnel dispatched?

The answer is facial recognition sunglasses which, granted, sounds a bit James Bond when you first hear it, but the technology is available. Lorraway explains: “Security personnel will wear the sunglasses attached to the facial recognition system and get an immediate alert when a wanted person approaches. Banned patrons won’t even get in the building.

“It sounds like pie in the sky stuff, but we’ve already done it. We’ve tested the prototype, it works and we’re going to implement it – end of story. That’s another incredible thing in the pipeline.”

Licence plate recognition, vehicle IED scanning and privacy screening, which sees innocent parties automatically blurred out when incident footage is exported and viewed for legal purposes, are just some of the other processes being made substantially easier by AI and analytics.
The importance of vendor management

Clearly, Okada Manila’s tech team and the wider business cannot go it entirely alone and frequently enlist the help of a trusted selection of key partners. “Vendor management is one of the most important aspects of a technology professional’s job,” Lorraway says. “When there’s a force majeure event like the pandemic, you want to have the kind of relationship where there’s flexibility and you can work together to create a winning scenario.

“Vendors used to be very siloed but, these days, you need versatile partners that can cover a multitude of areas.”
One example Lorraway gives is Sync4U, a local provider of facial recognition capabilities, as well as a host of other innovative technology for fire protection and security purposes. Another partner, Andaman Sea and Earth, offers some of the best video analytics and management systems on the market. “Having the kind of relationship where your partner is well connected, and can help you find the right people for a specific purpose, is exactly what you want.”
NETWORK & APPLICATIONS
HOW MFA WILL HELP TO ERADICATE FRAUD AND INCREASE SECURITY
Technology is evolving faster than adoption, and there needs to be a shift toward more advanced and secure authentication methods, such as MFA
WRITTEN BY: KATY ALLAN

It goes without saying that the world of online shopping and banking, for the most part, has made our lives so much easier. With everything readily available at the click of a button, perhaps the most significant advantage of the e-commerce world has been the convenience it offers to consumers. Online shopping and banking platforms nowadays offer such an extensive range of products that shoppers can access almost anything from the comfort of their own home.

Consumers can browse and purchase products anytime, anywhere, eliminating the need to travel to physical stores. This convenience is particularly valuable for people with mobility and health issues, those who live in remote areas or simply those with exceptionally busy schedules. According to the Census Bureau’s Annual Retail Trade Survey (ARTS), due to the pandemic e-commerce sales increased by US$244.2bn or 42% in 2020, rising from US$571.2bn in 2019 to US$815.4bn in 2020.

The substantial increase in online users has also increased the possibility of fraud, which is an inevitable risk of online shopping for anyone. Additionally, according to research recently published by the specialised payments platform Paysafe, 49% of consumers in the UK are now more apprehensive about falling prey to fraud than they were in 2021. This suggests that UK consumers are placing a higher emphasis on security than on convenience when conducting online transactions.

Cyber criminals’ key targets

“Payment security has always been a key target for cyber criminals,” says Ed Williams, Regional VP, Penetration Testing, EMEA, Trustwave. “This isn’t likely to change anytime soon; in fact, it is likely that the current threat around ageing infrastructure, technology and the need for faster and more stable technology is only going to increase.”

As it stands, the payment technology currently available is keeping up with the threats it faces; however, if this were
ANDREW DOYLE TITLE: CEO COMPANY: NORTHROW LOCATION: UNITED KINGDOM
Doyle has more than 30 years experience as a C-Level executive and entrepreneur in the global technology sector, focussing on global business growth and execution excellence. Nowadays, Doyle enjoys actively assisting early and growth stage companies.
to change, threat levels would undoubtedly rise. For example, as AI develops further, it seems highly likely that new threats will arise.

“The recent major developments around AI from an attackers’ perspective cannot and should not be underestimated,” explains Williams. “AI will increase the sophistication and accuracy of attacks, which in turn would require more stringent mitigation tactics. This will also make a behavioural-science-led cybersecurity plan that counteracts the thought processes of cyber criminals all the more important going forward.”

How traditional authentication is becoming outdated

Traditional authentication, such as usernames and passwords, is quickly becoming outdated because it is so easily compromised. One reason passwords are intercepted or stolen is that they are static: they are not usually changed unless the user does so manually.
JON HORDDAL TITLE: GROUP CHIEF PRODUCT OFFICER COMPANY: EMERCHANTPAY LOCATION: MALTA
Horddal has over 20 years of experience in creating and leading technology companies, from startups to global technology leaders. A dynamic and highly adaptable leader, Horddal has a passion for building businesses and challenging the status quo.
This makes them vulnerable to replay attacks if intercepted. Additionally, keyloggers and spyware can record passwords secretly on compromised devices, and once stolen, passwords can be used until they are changed. Another major issue is that users tend to choose weak, easy-to-remember combinations of words and numbers that can be cracked through dictionary attacks. Enforcing password complexity policies helps towards eradicating this problem, but is not foolproof. In addition, many phishing schemes trick users into revealing usernames and passwords, with social engineering attacks exploiting human rather than technical weaknesses. And lastly, database breaches which expose password hashes can be cracked through brute force attacks with modern computing power.

“It is clear that more secure and efficient methods of authentication are required. An example of this is Multifactor Authentication (MFA), as it increases the complexity for attackers, which mitigates many of the weaknesses of standalone passwords, or Bio-security which utilises the user’s fingerprint or face ID,” explains Williams.

Hackers are becoming more sophisticated

Today, hackers have grown increasingly sophisticated, with the ability to launch attacks from a number of different countries. Employing multiple attack methods, they probe a victim’s defences and exploit the weaknesses they find. In these types of attacks, cyber criminals enjoy an unfair advantage and can remain undetected for extended periods of time, often proving extremely hard to identify. Furthermore, it is usually not a single attacker orchestrating the assault, but rather a collective effort involving multiple individuals targeting an infrastructure through numerous entry points.
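The password weaknesses listed above, static, replayable and crackable offline, are exactly what a second factor is meant to remove. As an added example for this article (not code from the original piece or from Trustwave, NorthRow or emerchantpay), the block below implements the time-based one-time password (TOTP, RFC 6238) that most authenticator apps generate, and a server-side verifier that shows why a captured code cannot simply be replayed the way a captured password can. The shared secret and timestamps are the public RFC 4226 / RFC 6238 test values; the 30-second step, the one-step clock-skew allowance and the single-use rule are assumed policy choices.

```python
"""TOTP (RFC 6238) verification with replay rejection.

Added example; not code from the article or from any of the companies
quoted in it. The shared secret and timestamps are the public RFC 4226 /
RFC 6238 test values. The 30-second step, the +/-1 step clock-skew
allowance and the single-use rule are assumed policy choices.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed: RFC 6238 default time step
DIGITS = 6
SKEW_STEPS = 1      # assumed: tolerate one step of client clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check. A static password can be replayed verbatim; a TOTP
    code expires with its time step and, here, is also refused a second time
    within that step."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_accepted_step = -1   # highest step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step < 0 or step <= self._last_accepted_step:
                continue    # never accept a step at or below one already used
            expected = hotp(self._secret, step)
            # constant-time comparison: response timing must not leak digits
            if hmac.compare_digest(expected, submitted):
                self._last_accepted_step = step
                return True
        return False


RFC_SECRET = b"12345678901234567890"   # RFC 4226 / 6238 test secret


def demo() -> dict:
    """Constructed walk-through: a genuine login, a replay of the same
    code two seconds later, and a fresh code much later."""
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)                 # step 1 -> "287082"
    first = v.verify(code, 59)                  # genuine: accepted
    replay = v.verify(code, 61)                 # captured code replayed: rejected
    later_code = totp(RFC_SECRET, 1111111109)   # step 37037036 -> "081804"
    later = v.verify(later_code, 1111111109)    # new step, new code: accepted
    return {"code": code, "first": first, "replay": replay,
            "later_code": later_code, "later": later}


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The verifier remembers the highest time step it has accepted, so the same six digits cannot be used twice even within the skew window; and the comparison is constant-time, because a verifier that short-circuits on the first wrong digit leaks information through response timing. Rate limiting of failed attempts, which a real deployment also needs against online guessing of a six-digit space, is not shown.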
“While new payment apps and online-only banks offer convenience to customers, they also introduce major vulnerabilities if not properly secured”
ANDREW DOYLE, CEO, NORTHROW
“While new payment apps and online-only banks offer huge convenience to customers, they also introduce major vulnerabilities if not properly secured. This is especially true as hackers are becoming more sophisticated by the day in targeting payment systems to access funds or manipulate individuals into revealing passwords or payment credentials,” Andrew Doyle, CEO of NorthRow, comments.

Jon Horddal, Group Chief Product Officer, emerchantpay, explains: “Two of the most impactful cybersecurity threats facing businesses today are card data breaches and phishing attacks, where sensitive data is obtained through increasingly sophisticated fraudulent emails or websites. Also, with the advent of AI, we’re seeing tools that are being exploited by criminals, such as technology that can mimic people’s voices, so people think they are speaking to a trusted source and hand over their details.”

So, with the world continuing to become increasingly digital and the development of AI, what sort of measures can we expect to see in the future regarding the payment security landscape? Doyle believes: “We’ll see the widespread adoption of biometrics – whether it’s fingerprints, face scans or voice recognition, biometrics will be used as proof of identity and an added layer of security when accessing financial products and services.

“Technologies such as MFA and biometric authentication provide enhanced security compared to traditional methods. As these new technologies become more accessible and accepted among consumers, security will improve.”

How MFA will benefit organisations

One of the major benefits of MFA is how it will enhance an organisation’s security, requiring users to identify themselves by more than just a username and password. Whilst of course an important aspect of security, usernames and passwords are vulnerable to brute force attacks, and can be easily obtained by third parties. Through the enforcement of thumbprints or voice recognition, organisations can help keep themselves safe from cyber criminals.

“Technology is evolving faster than adoption. We live in an increasingly connected world where technology and consumer behaviours evolve at lightning speed; at the same time, consumers may not realise that more of their private
“The future of payment security will be driven by the global adoption of network tokenisation and robust end-to-end encryption methods”
JON HORDDAL, GROUP CHIEF PRODUCT OFFICER, EMERCHANTPAY
information can be accessible to fraudsters and bad actors trying to gain unauthorised access. There needs to be a shift toward more advanced and secure authentication methods, such as MFA,” comments Horddal. “By requiring multiple factors for authentication, MFA makes it significantly more challenging for cyber criminals to gain unauthorised access to accounts.”

When we look to the future, although MFA cannot guarantee entirely foolproof security or prevent all cyberattacks from happening, it will add additional layers of authentication to protect systems and combat many types of attacks.
PROCUREMENT AT CLAROTY AT THE FOREFRONT OF BUSINESS SUCCESS
WRITTEN BY: NEIL PERRY
PRODUCED BY: STUART IRVING

CLAROTY
Noga Sharabani, Director of Global Procurement at Claroty, discusses putting procurement at the forefront of business strategy
Claroty’s goal is to secure the cyber-physical systems (CPS) that are used to run critical infrastructure every day. Its technology protects systems used to run oil pipelines, health facilities, power grids, water utilities and many other essential services.

When Noga Sharabani made her first steps into the procurement sector, it was to protect against a very different type of threat. “It was mid-1999, I was working in a bank and studying for my Master’s degree in Marketing & Finance when a friend called me saying that the high-tech company she was working for, Gilat Satellite Networks, was looking for someone to join the procurement team for a temporary role to oversee suppliers’ compliance for the Y2K bug,” she says.

“At the beginning of 2000, when the Y2K panic ended, I was asked to take the role of direct buyer and started to learn everything about the procurement world. Working for nearly 22 years at Gilat gave me the opportunity to develop my skills and gain experience in almost every category of purchasing – direct and indirect – and managing OEMs and suppliers in a multicultural environment, which kept my career very challenging but interesting.

“I had excellent mentors over the years who taught me about supplier relationship management, and this is what I am focused on teaching my team today.”
Tonkean: Unified Intake. Intelligent Orchestration.

ProcurementWorks gives procurement teams what they need to build buying experiences that are personalized and intelligent. Now, procurement can automate the intake of all kinds of procurement requests and orchestrate complex resolutions. Sagi Eliyahu, co-founder and CEO, Tonkean

Tonkean: Business process automation to maximise adoption

To understand the mission of Tonkean, you need to understand that compliance requires high adoption, and adoption requires a great experience. Sagi Eliyahu is CEO at Tonkean and was one of the founders just under a decade ago. Tonkean is a first-of-its-kind experience platform with the purpose of developing internal processes that employees actually follow.

“We started the company with a very simple goal in theory, but very hard in practice, which is empowering companies to leverage software better,” he says.

Maximising compliance through process improvement

The key to empowering companies in that way is helping them optimise their internal processes so that following those processes is both easier and more valuable than circumventing them.

“Everyone knows that if you go on a website and there are twenty fields for you to fill in versus one, the conversion rate is going to be poor. Why do we expect people within the company to fill in a twenty-step process?” he says.

Partnership with Claroty

Tonkean has been working with Claroty to modernise the way internal teams engage with the company’s processes and systems, with the aim of increasing adoption, compliance and satisfaction. Ultimately, organisations like Claroty work with Tonkean to increase the value their procurement teams are able to create as partners to the business.

“They were a great partner to work with, and we are very excited to see the results and the value they’ve been getting through the platform,” Eliyahu adds.

The influence of AI is also something that excites Eliyahu, as he believes it will inspire people to rethink their approach.

“One thing that is very clear, is that it has reinvigorated the minds and the imagination of people into asking ‘why do I do it manually?’,” Eliyahu concludes. “They will ask why is this something that I need to take 10 clicks to do? Why can’t this be smarter? Why can’t this be more intelligent?”
“I am passionate about driving innovation in procurement and staying up to date on industry trends and best practices”
NOGA SHARABANI, DIRECTOR OF GLOBAL PROCUREMENT, CLAROTY
Nearly 25 years later, Sharabani is a passionate advocate of procurement operations taking a leading role within business, being central to the strategy of organisations going forward, and has brought that mindset to Claroty since establishing its procurement operation in 2020. After leaving her career in banking, she embraced procurement at Gilat Satellite Networks, before making the step to Claroty, where she enjoyed the opportunity presented by helping a young cyber company implement a growth strategy.

Driving innovation through procurement

Claroty was founded in 2015 and has grown to be a trusted provider and advisor for hundreds of businesses with thousands of locations around the world. Its platform is a crucial tool that integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, threat detection, and secure remote access.

“I am passionate about driving innovation in procurement and staying up to date on industry trends and best practices,” says Sharabani. “I believe that collaboration and building strong relationships with suppliers are essential for achieving successful procurement outcomes.”

Driving that innovation has become ever more crucial after the expansion of

NOGA SHARABANI
TITLE: DIRECTOR OF GLOBAL PROCUREMENT
COMPANY: CLAROTY
INDUSTRY: CYBER SECURITY
LOCATION: ISRAEL

Noga Sharabani is the Director of Global Procurement at Claroty, and has 25 years of experience in the procurement sector and a Master’s Degree in Business Management from Ben-Gurion University in Israel. She spent two decades at Gilat Satellite Networks, working her way from Procurement Buyer to Strategic Procurement Manager, before moving to Claroty in 2020. She is passionate about professional development, embracing the latest technological trends, and moving procurement operations to the forefront of business.
Claroty Ensures Safe SaaS Usage With Wing Security

Wing provides peace of mind by leveraging in-product remediation and automation to secure organizations' SaaS usage at an affordable price.

Regaining control over SaaS usage with Wing Security

Claroty turned to SaaS security posture management (SSPM) leader Wing Security, to ensure its SaaS usage is secure. Claroty secures the Extended Internet of Things (XIoT) to achieve unmatched visibility, protection, and threat detection across all cyber-physical systems. When it came to securing their employees’ SaaS usage, they turned to Wing Security to ensure they have full control over their SaaS layer.

“Wing provides us with the visibility and the detail we need to protect our (SaaS) environment and make sure that our employees are safe and secure when they’re dealing with SaaS applications,” says Tim Hillyard, Senior Director of Security Operations at Claroty.

SaaS onboarding is decentralised and often doesn’t go through IT or Security approvals. This creates a massive Shadow IT problem, as well as a serious security concern. Hillyard adds: “We need Wing because many SaaS applications are actually vulnerable to certain types of attacks, and in some cases these SaaS applications are malicious.

“They are created by bad actors whose intention is to compromise your end systems, or gain access to your personal data. So we need visibility on bad applications so that we can protect our employees.”

Wing Security is the only SSPM provider to deliver SaaS visibility completely for free. It is unique in that it doesn’t only lay out the problem for you by showing you all the SaaS applications, users who use them and the data that is shared in and between SaaS applications; it also automatically remediates SaaS security issues from within the system, taking the load off the security teams.

For other companies looking for similar SaaS peace of mind, Hillyard has this advice: “Find a company like Wing, that can change quickly and adapt to the ever-changing SaaS threat landscape.

“You need a tool that can also adapt quickly to the environment and protect your users and your data.”
“Procurement teams must establish robust data governance practices, clear policies, data quality controls, and data integration strategies to leverage AI effectively”
NOGA SHARABANI, DIRECTOR OF GLOBAL PROCUREMENT, CLAROTY
the Claroty team and portfolio with the acquisition of the healthcare IoT security company Medigate in January 2022. This represented a quantum change in the company, expanding its focus beyond operational technology (OT) to protect all CPS across industrial, healthcare, and commercial environments: the Extended Internet of Things (XIoT).

Procurement at the forefront of business strategy

This expansion, combined with the ever-changing roster of cyber threats, means it is imperative that the company remains at the forefront of technology innovation while maintaining fast, efficient, and sustained growth.

“In my experience, putting procurement at the forefront of business strategy is essential in driving efficient growth for any organisation. At Claroty, the procurement function is fully aligned with the company’s growth objectives, which empowers our team to not only source and manage resources more effectively, but also to proactively identify cost-saving opportunities, adopt a culture of innovation, and foster supplier partnerships.”

“By leveraging cutting-edge solutions, emerging technologies, and strategic partnerships, I am able to secure the most innovative and robust technologies offerings for our organisation”
NOGA SHARABANI, DIRECTOR OF GLOBAL PROCUREMENT, CLAROTY

One of the biggest challenges Sharabani faced in this role was managing cloud spend. “After the Medigate acquisition, we had to bring two very different cloud spend strategies together. The Claroty platform at the time was on-prem with very little cloud spend, while the Medigate platform was fully SaaS and drove high cloud spend.”

Within a few months of the acquisition, Claroty had developed a new SaaS product called xDome, which further increased its cloud spend. “To address this challenge, I asked Eli Mansoor, the owner of OskaQ Consulting, to help us develop a cloud spend management plan,” Sharabani describes. “This plan included setting clear goals, identifying cost-saving opportunities, and implementing best practices for cloud procurement. As a result of this plan, Claroty as a team – including Procurement, Product, DevOps, R&D, and Chief Architect – is working in full sync and we were able to reduce the cloud spending substantially, while still supporting the growth of our business.”

It is by adopting this mindset for the procurement function that Sharabani believes she can make the greatest impact on the future success of the business and the customers who rely on its technology to secure their most critical operations.

“I am committed to staying at the forefront of technological advancements and industry best practices,” she argues. “By leveraging cutting-edge solutions, emerging technologies, and strategic partnerships, I am able to secure the most innovative and robust technology offerings for our organisation. I meticulously evaluate and select suppliers with proven expertise, track records of excellence, and a strong commitment to data protection and privacy.”

By building strong communication channels with other business functions, Sharabani has helped to add value to Claroty and support the revenue side through proactive engagement with key departments such as Business Development, Product, DevOps, and Finance. “I’ve been able to identify and capitalize on numerous opportunities for cost optimization and value enhancement that directly contribute to revenue growth. My team and I work closely with the Product team to define and track our COGS (Cost Of Goods Sold) and cloud infrastructure, ensuring we are getting the best value for our investments but also maintaining scalability. In collaboration with the Finance department, we’ve successfully optimized payment terms, reduced supplier duplication, and streamlined critical processes. For instance, we’ve implemented an efficient vendor onboarding process through automation using the Tonkean AI platform, which not only saves time but also ensures compliance and cost efficiency. Moreover, a strategic partnership with the Business Development team has resulted in the optimization of AWS agreements, further boosting revenue for Claroty. This collaborative approach across functions underscores how procurement can have a direct and positive impact on the bottom line.

“These examples reflect how the strong relationships and effective communication channels established in procurement have driven innovation and continuous improvement throughout the organisation,” Sharabani says. “I take great pride in my ability to establish and nurture these relationships and communication channels, as they have been instrumental in driving success and positively impacting the procurement function at Claroty.”

Year founded: 2015

Your partner for optimizing cloud spend

“With OskaQ Consulting I feel confident that Claroty’s cloud spend is optimized, in control, and we have the agreements we need in order to accelerate Claroty’s business growth”
Noga Sharabani, Director of Global Procurement, Claroty

OskaQ Consulting services:
• On-going FinOps-as-a-service
• Negotiate cloud discount agreements
• FinOps maturity assessment
• Build a cost aware organization culture
• Accelerate business collaboration with your cloud vendors

Co-authored by OskaQ-Consulting Founder and CEO

Embracing emerging technologies

Sharabani believes that the future of procurement is going to be fundamentally linked to, and influenced by, emerging technologies and digital transformation and that procurement leads need to embrace automation, AI and data-driven decisions.

“By leveraging technology effectively, procurement leads can enhance efficiency, reduce costs, and improve decision-making,” she says. “So, in the next 12 to 18 months, we’ll continue to adopt automation and AI.”

This mentality, Sharabani explains, will help
“I wake up each morning eager to learn something new and experience the impact it has on procurement”
NOGA SHARABANI, DIRECTOR OF GLOBAL PROCUREMENT, CLAROTY
build the foundations for the next decade of progress at Claroty. “By successfully establishing a scalable procurement organisation, we are helping to position Claroty as a trusted partner for securing critical infrastructure and enabling the adoption of CPS. This will create new opportunities for growth and expansion, allowing us to play a pivotal role in securing the XIoT ecosystem.”

Although AI presents many positive possibilities, she emphasises that it needs to be used carefully and with intelligence to get the most useful results. “AI relies heavily on high-quality data and we – as the data source – need to ensure data accuracy and integrity. Procurement teams must establish robust data governance practices, clear policies, data quality controls, and data integration strategies to leverage AI effectively.”

Best-in-class partnerships

The quality of the partnerships formed between the procurement team at Claroty and both internal and external colleagues is something Sharabani is particularly proud of, as it has allowed her to align with business objectives and drive successful outcomes.

“Collaborating closely with strategic suppliers has allowed for deeper, stronger partnerships, resulting in achieving company targets like opening local fulfilment centres in the US and Germany to support our customers locally,” Sharabani says. “By maintaining strong connections with stakeholders, I have been able to align procurement strategies with organisational goals, ensuring seamless integration and driving mutual success like cost optimisation and risk mitigations.”
Sharabani emphasises the importance of some of Claroty’s external partners, as identifying best-in-class partners helps the company achieve its objectives. She highlights the partnership with OskaQ, which has become a key partner in cloud management strategy.

“They have expertise in optimising cloud expenditure and work closely with me and the company to identify areas of improvement,” she says. “Through their guidance and recommendations, we have been able to make strategic adjustments that increase profitability and optimise our cloud spending.”

This has helped fulfil a high-priority project focused on cloud cost management and optimisation, which is essential for improving the company’s gross margin.

Another key partnership Sharabani references is Wing Security, which gives full visibility into Claroty’s environment and enforces security controls and policy. “We have monthly meetings with the partner to discuss issues, features, new requests and mutually understand the evolving threat landscape to ensure we are aligned,” Sharabani says, emphasising the importance of close communication.

“The partnership with Wing Security has been essential,” she adds, “allowing Claroty to effectively manage our security programme and meet our projected target goals to protect Claroty and ultimately our customers from ever-changing threats.”

Countries Claroty serves in: 50+

Another partner is Snyk, which helps Claroty’s software development team develop fast and
stay secure, using AI and automation from their first lines of code to their running cloud.

Sharabani also highlights the value of the Tonkean partnership, as a comprehensive solution to handling the entire procurement process. “By leveraging Tonkean, we can save time and resources for my team while ensuring a seamless and efficient procurement process, from intake to resolution,” she says.

Sharabani continuously links the importance of the procurement operation to wider business and customer goals, whether that be in terms of finance, environment, or security, and the input of partners is critical to that success. “Overall, these partnerships have been invaluable in helping us achieve our aims. They bring expertise, technological capabilities, and streamlined processes that contribute to cost savings, efficiency, and a positive user experience,” she emphasises. “By collaborating with these partners, we can drive success in our procurement function and support the overall growth and success of the company.”

When Claroty acquired Medigate, Sharabani says this presented an opportunity to increase value from procurement synergies. “I implemented a new SaaS management platform called Zluri for visibility into all the software within Claroty and Medigate’s respective technology stacks and was able to manage renewal effectively. This way I could better manage the integration, and identify similar or duplicate SaaS platforms, which not only saved a significant amount of money but also enhanced overall efficiency.”

Continuous improvement

With nearly 25 years of experience in the procurement sector, Noga Sharabani has seen significant changes in technology that have fundamentally transformed the way procurement business is conducted, and she says it motivates her to stay on top of industry trends and best practice. She believes seeking continuous improvement is the way she gets constant fulfilment from her profession.

“Besides the joy of raising my five children, I wake up each morning eager to learn something new and experience the impact it has on procurement,” she says enthusiastically. “I actively engage in professional networks, participate in continuous learning opportunities, and find inspiration in podcasts and webinars. It is incredibly exciting to witness how AI, for example, can elevate the field of procurement.”

Her advice to other professionals earlier in their procurement careers is to embrace change, as the environment is constantly evolving because of technological advancements, market dynamics and global factors, but by staying adaptable you can thrive.

“What I find most fulfilling about working in my role is the opportunity to shape the future of my organisation in today’s rapidly changing business landscape,” Sharabani concludes. “By embracing innovation, collaboration, and continuous improvement, I can contribute to creating a resilient and sustainable procurement and supply chain that drives business success.”
OPERATIONS
SHIFTING LEFT: DEVSECOPS A PROACTIVE APPROACH TO CYBER

Cyber Magazine speaks with experts around embedding DevSecOps in software development, focusing on ‘shifting left,’ challenges and recommendations

WRITTEN BY: MARCUS LAW
Short for development, security and operations, DevSecOps automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment and software delivery. The core principles and practices of DevSecOps revolve around the idea of ‘shifting security left,’ meaning that security considerations are introduced as early as possible in the software development lifecycle (SDLC). This proactive stance ensures that security is not an afterthought but an integral part of the entire process.

This month, experts in the field share their perspectives with Cyber Magazine on why DevSecOps is essential, the concept of ‘shifting left’, the challenges organisations face, and recommendations for a smooth transition to a DevSecOps culture.

Integrating security into the DevOps lifecycle

As explained by Amit Tailor, Director, System Engineering at Palo Alto Networks, the urgency to integrate security into the DevOps lifecycle is reinforced by the escalating threats targeting Continuous Integration/Continuous Delivery (CI/CD) environments. “These pipelines are intrinsic to cloud-native software development, housing sensitive data and credentials,” he says. “Unfortunately, they often remain unnoticed by traditional AppSec teams, posing a considerable risk.”
“THIS IS NOT JUST ABOUT CATCHING ISSUES EARLY, IT IS ABOUT BUILDING A CULTURE WHERE SECURITY IS A HABIT, NOT AN AFTERTHOUGHT”
AMIT TAILOR, DIRECTOR, SYSTEM ENGINEERING, PALO ALTO NETWORKS
AMIT TAILOR
TITLE: DIRECTOR, SYSTEM ENGINEERING
COMPANY: PALO ALTO NETWORKS
LOCATION: UNITED KINGDOM

Tailor is a Director of System Engineering at Palo Alto Networks. He joined Palo Alto in 2011, having held roles at McAfee and CyberGuard.

PAUL BAIRD
TITLE: CHIEF TECHNICAL SECURITY OFFICER EMEA
COMPANY: QUALYS
LOCATION: UNITED KINGDOM

A 25-year IT veteran, Baird joined Qualys in 2021 as its UK and North EMEA Chief Technical Security Officer and today is helping to drive the company’s vision at C-Level across customers and partners.

SEAN ROTH
TITLE: DIRECTOR, DEVOPS SOLUTIONS
COMPANY: HARNESS
LOCATION: CALIFORNIA

Roth is a full-stack product marketing leader with experience bringing disruptive enterprise IT products to market across cloud-native technology, infrastructure, and cybersecurity categories.

According to a threat report by Palo Alto’s Unit 42 team, the cloud is the dominant attack surface, with 80% of security exposures present in cloud environments compared to on-premise at 19%. “It also found that cloud-based IT infrastructure is always in a state of flux, changing by more than 20% across every industry every month, and as such, nearly 50% of high-risk, cloud-hosted exposures each month were a result of the constant change in cloud-hosted new services going online and old ones being replaced.”

DevSecOps addresses this need by embedding security protocols directly within the DevOps process, rather than it being a separate entity handled at the end of the development cycle. “This,” Tailor explains, “ensures a proactive approach to security, where vulnerabilities can be detected and rectified early on, reducing the risk of security breaches and promoting faster, safer delivery of code.”

DevSecOps ensures that security remains a prominent consideration across the entire software development lifecycle, explains Paul Baird, Chief Technical Security Officer EMEA at Qualys, spanning from the initial development and testing phases to the final live deployment. “This approach involves facilitating the integration of secure software development processes, conducting thorough assessments of deployment environments to identify potential issues, and preemptively addressing these concerns before they can affect production,” he describes. “In essence, it promotes seamless cooperation among developers, IT operations, and security teams.”

The mantra of shifting security left

A fundamental principle of DevSecOps, the idea of ‘shifting left’ is the practice of moving security checks as early and often as possible. “This is different to the traditional approach of developers building an application and then handing it off to operations and security teams, who are responsible for keeping it secure,” comments Sean Roth, Director, DevOps Solutions at Harness. “Instead, embracing shift left sees both security and development teams working together from the start to develop a product or application that is secure.
This is crucial to avoid security being overlooked or forgotten about as the pace of development continues to accelerate.”

However, as Roth warns, this ‘shift left’ approach can create more work for developers if they aren’t given the right tools and support. “That’s because shifting left demands that developers learn security on top of everything they are already doing, which creates an unfair burden. Companies can alleviate this by ensuring development teams have solutions that automate security processes for them and ensure they have access to the right information at the right time, to prevent a breach of any protocols.”

“IN ESSENCE, DEVSECOPS PROMOTES SEAMLESS COOPERATION AMONG DEVELOPERS, IT OPERATIONS, AND SECURITY TEAMS”
PAUL BAIRD, CHIEF TECHNICAL SECURITY OFFICER EMEA, QUALYS

Shifting left, Tailor explains, is about a change in culture: it’s about ensuring that security teams ‘are dotting the i’s and crossing the t’s from day one’. “This is not just about catching issues early. It is about building a culture where security is a habit, not an afterthought,” he adds. “It fosters a sense of responsibility and ownership – a realisation that security is not someone else’s job but a collective effort. It’s similar to an F1 racing team where the driver’s success depends on the grit of his entire team, from the constructors to the pit-crew mechanics. It’s everyone’s business and demands everyone’s participation and coordination.”

Ensuring a smooth and effective shift left

With the clear benefits of a move to adopting DevSecOps, it is imperative for businesses to understand how to ensure a seamless and effective shift. This belief, Baird explains, is shared by security teams. “Security teams don’t want to be blockers,” he explains. “They know how important new services or applications are to the business. At the same time, they are responsible for securing company data or ensuring compliance with regulations. So, they want to make sure that they don’t get in the way, but that rules are being followed.”

To make this shift work, it’s not about new tools. Instead, businesses should look at integrating security and best practices into existing tools that developers use every day. “This helps avoid that perception that security is in the way of developers moving quickly and building things,” he says. “Instead, we in security want to provide guide rails and best practices around that work, so that developers can build while being secure by default.”

As Tailor concludes, transitioning to a DevSecOps model should be a carefully planned and executed strategy. “Fostering a collaborative culture that encourages open dialogue and shared responsibility between the development and security teams is key. The ‘shift left’ approach should be embraced, wherein security is integrated into the early stages of the development lifecycle, fostering a proactive security mindset,” he says.
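Baird's point that the shift works best when security is built into the tools developers already use, and Tailor's warning that CI/CD pipelines house credentials, meet in one concrete control: a check that runs on every change set before merge. The block below is an added Python example written for this page, not code from Harness, Qualys or Palo Alto Networks. It scans changed files for leaked credentials and fails the stage if any are found, skipping obvious placeholders so developers are not buried in false positives. The rule names, the inline allowlist marker and the sample change set are constructed for the example; the `AKIA…` value is AWS's documented example access key id, not a live credential.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical rule set for this gate. The AWS key-id shape and the PEM header
# are well-known public formats; the assignment rule is a deliberately small
# heuristic that a production scanner would extend considerably.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
PLACEHOLDER_VALUES = {"changeme", "password", "example", "xxxxxxxx"}
ALLOWLIST_MARKER = "# gate: allowlist-secret"   # hypothetical inline opt-out, reviewed in PRs


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(value: str) -> float:
    """Bits per character: real secrets are high-entropy, placeholders usually are not."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Filter the values a developer legitimately commits instead of a secret."""
    return (
        value.lower() in PLACEHOLDER_VALUES
        or value.startswith("${")                      # template variable, filled at deploy time
        or (value.startswith("<") and value.endswith(">"))
        or shannon_entropy(value) < 3.0
    )


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file; one Finding per rule hit."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "credential_assignment" and looks_like_placeholder(match.group(1)):
                continue
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
    return findings


def gate(changed_files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (passed, findings). Wire this into the pipeline stage that runs
    before merge so the failure reaches the developer, not a later audit."""
    findings: list[Finding] = []
    for path, text in changed_files.items():
        findings.extend(scan_text(path, text))
    return (not findings, findings)


# Constructed sample change set. The AKIA value is AWS's documented example
# access key id, not a live credential.
SAMPLE_CHANGE_SET = {
    "app/config.py": 'DB_PASSWORD = "correct horse battery staple"\nAPI_KEY = "${API_KEY}"\n',
    "infra/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": 'password = "changeme"  # rotate after first login\n',
}


if __name__ == "__main__":
    passed, found = gate(SAMPLE_CHANGE_SET)
    print("PASS" if passed else "FAIL")
    for f in found:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Run against the sample, the gate fails on the hard-coded database password and the AWS key id, and passes the templated `${API_KEY}` and the documented `changeme` default. The placeholder filter is what keeps a check like this in the pipeline: a gate that blocks every `password =` line is the kind of friction Roth warns about and gets switched off within a week.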
LEADING DIGITAL TRANSFORMATION IN FINTECH
WRITTEN BY: LOUIS THOMPSETT
PRODUCED BY: JACK MITCHELL

FUJITSU
Fujitsu’s Krista Griggs discusses how the IT tech giant is driving digital innovation in the banking, financial services and insurance sectors
Krista Griggs is the Head of Banking, Financial Services and Insurance Sector for Fujitsu UK. As her title implies, Griggs’ role comes with big responsibilities; she is charged with leading revenue, profit and the growth of the sector. Managing executive customer relationships, Griggs sets the vision and strategy for her department, leading a team of industry specialists and account executives and orchestrating from the wider organisation to bring the best of Fujitsu to its customers. An influential leader in the makeup of Fujitsu’s UK division, it’s no wonder Griggs made FinTech Magazine’s Top 100 Women of 2022. Describing herself as “phenomenally proud and honoured to be featured,” Griggs takes inspiration from the women represented, who are working to disrupt “what is still a male-dominated industry.” As a pioneering woman in the predominantly male fintech industry, how did Krista carve out her own path to leadership?

Krista Griggs: The making of

Admitting she never had a clear ambition to take up a particular role, the position she finds herself in now ‘is well beyond’ the point in her career she imagined after graduating as a software developer in her native Netherlands.
“ Fujitsu has the expertise in all those deep pockets to help with the complex integration of fintech systems at banks and other financial organisations” KRISTA GRIGGS
HEAD OF BANKING, FINANCIAL SERVICES & INSURANCE, FUJITSU UK
Krista Griggs of Fujitsu UK
“By constantly striving for more and being entrepreneurial, we will achieve further growth and success in the future”
KRISTA GRIGGS, HEAD OF BANKING, FINANCIAL SERVICES & INSURANCE, FUJITSU UK

Not that she didn’t have an idea of what she wanted; it’s more that roles in the technology space have grown and evolved so much over the years – the professional capabilities she has now exceed what her formative career could ever teach her. “I started out in financial services; I studied banking and finance,” says Griggs. “So it’s not a surprise I’ve come back to that.” Griggs has returned to her roots after previously working in identity management, which saw her take up roles in government and defence sectors. But working in a vast array of industries and sectors has only served to sharpen her skills today. “Working across different sectors has given me a real understanding of what impacts those business domains, what challenges there are and how technology can help to make that better,” Griggs says. “From software developer to enterprise architect, I’ve always been leading on how you design that change. How does digital transformation actually work and what’s the impact it can have on user journeys across the ecosystem?” These skills enabled Griggs to make an immediate impact when she joined Fujitsu UK five years ago, becoming Chief Architect for its Financial Services sector. Frustrated with the constraints working in defence entailed, Griggs explains: “I came back into financial services because it is a hugely dynamic domain, where rapid change is the norm.” Fujitsu was more of an infrastructure-managed services company when Griggs joined, with a mission to become a digital transformation company – something Griggs implemented the strategy for in the finance division. It was the success of this strategy that saw Griggs become head of the sector just two years after joining Fujitsu. “I’m really proud of what I’ve achieved there,” adds Griggs. “When I joined Fujitsu we were not progressing in the finance sector. We are now growing rapidly and doing really well. We’ve got a great team now that is connecting with our customers and building partnerships – helping clients to navigate industry change and deliver better outcomes for them.” It is this success that has seen Griggs fall back in love with the industry she started out in. “I love being able to have a real ambitious vision for the future – to try and break the boundaries of what can be done. That is where the industry is really exciting and Fujitsu is firmly behind that,” she reflects. “Change is always challenging, though. It has been quite a big culture shift for Fujitsu and our customers, particularly larger banks. There can be real inertia and complications in terms of getting things done when it comes to fintech innovation.
KRISTA GRIGGS TITLE: HEAD OF BANKING, FINANCIAL SERVICES & INSURANCE COMPANY: FUJITSU UK
“So keeping pace with the rate of innovation can be a challenge. In many ways, my job isn’t necessarily delivering that change, but rather moving blockers out of the way.”

Fujitsu: A tech giant ready to run

Constantly striving to overcome these challenges, Griggs has helped awaken the sleeping giant of Fujitsu’s Financial Services division and get it to run. But, just as Griggs touches on, Fujitsu is far more than financial technology alone. Today, Fujitsu’s reach extends to five core technology areas: computing, network, AI, data & security and converging technologies.
Krista Griggs is Head of Banking, Financial Services and Insurance at Fujitsu UK. With over 20 years of experience in designing and implementing digital transformations across various business domains, Krista is changing the way Fujitsu helps its customers transform their business. She’s built a strong team of consultants who bring deep business and technical expertise. With their support, Krista is constantly looking for innovative ways to help Fujitsu’s customers succeed and grow. In recognition of her ongoing commitment to financial services and technology, she was a finalist for Role Model of the Year in the Women in Tech Excellence Awards 2022, Top 100 Women in FinTech 2022 and Transformation Leader of the Year in the Women in Tech Excellence Awards 2021.
Griggs expands: “Our computing division focuses on quantum and high-performance computing. Today, we have one of the fastest supercomputers in the world with the most intricate networks, so we do a lot of work around 6G and look at what that could bring to society. AI is a big part of that too, as is data & security which is a fundamental necessity both in financial services and in our public sector space. Converging technologies is where all of this comes together to deliver new capabilities.” These core pillars of technological innovation run alongside the company’s ambition to make the world more sustainable by building trust in society through innovation. Admitting this is a lofty goal, Griggs explains that “fundamentally, this goal comes down to the fact that we (Fujitsu) embed sustainability into everything we do.”

Fujitsu: Building an entrepreneurial culture

The company is in the midst of a transition from an infrastructure-managed services company to a digital transformation company. This transition hasn’t just required a change of strategy, but a change in culture too.
“Keeping pace with the rate of innovation can be a challenge… my job isn’t necessarily delivering that change, but rather moving blockers out of the way” KRISTA GRIGGS
HEAD OF BANKING, FINANCIAL SERVICES & INSURANCE, FUJITSU UK
Today, the company is working towards building an entrepreneurial culture to fuel its shift to a digital transformation proposition. Griggs says: “That’s very much a change we are continuing to go through, focusing on the verticals we serve rather than just on our technology capabilities. “As an infrastructure-managed service company, culture was built around risk and was focused on the public sector. Now we are pivoting to achieve strategic growth in the private sector, which means we need to be much more entrepreneurial. We have to understand the business imperatives that our customers are dealing with. Now it’s very much about co-creation, working with our customers in lockstep to create some of those innovative solutions.” This culture shift is perhaps most pertinent in Griggs’ division – innovation in financial services. This is because “financial services is often the early adopter of new technologies and disruptive innovations. The pace of change is really difficult to navigate for financial services providers,” notes Griggs. “We have to be at the forefront of entrepreneurialism and we are making progress, helping customers solve some of the biggest challenges they face. Overcoming those challenges is paying off for our customers and it’s paying off for our business.”

Fujitsu: Leveraging data, AI & machine learning the right way

Building an entrepreneurial culture is also vital in driving the development of new financial products for the financial services sector. Innovation is ripe – and the ability to implement cloud systems and leverage data pools through AI & machine learning is at the forefront of growth plans for many financial players. Griggs says: “Ever since the pandemic, we’ve seen rapid acceleration in the adoption of digital services across industries, particularly financial services and insurance. “There’s cloud services, third-party SaaS services and open data sources, which in financial services are really big drivers for change. Open finance too has come to the fore and all these new technologies are exacerbated by a diverse set of infrastructure in use. “People connect from home, the office, they are on mobile devices – they can be on the other side of the world – and you still have to maintain those services and manage things correctly.” Of course, with new technologies comes an increase in the rate of innovation, something Griggs feels complicates service continuity management. She adds: “Customers expect a personalised, safe and convenient service. The last thing a company wants is to be in the newspapers about a data leak which can damage its reputation. Furthermore, transparency is demanded by the regulators especially around sustainability commitments but also around data privacy. “From the comprehensive datasets you’ve collated, it’s essential to distill actionable insights. So, what’s the next step you need to take? What do your customers need? What do your colleagues need? What do the regulators need? It is important to leverage abundant ecosystems to gain insights into making better and faster decisions to deliver desired outcomes.” One area in which Griggs feels financial services providers and banks must exercise caution, while meeting all the above requirements, is their application of Generative AI. While its potential is evident, “a lot of banks have clamped down on it because it’s really difficult to maintain trust in the data if you don’t know where or how it’s being used.”

“At Fujitsu, we embed sustainability into everything we do”
KRISTA GRIGGS, HEAD OF BANKING, FINANCIAL SERVICES & INSURANCE, FUJITSU UK
For Griggs, banks need to put the right controls in place before taking steps toward AI adoption, or risk losing client trust. This is even truer for data: if the quality of the data entering the fabric of operations is poor, utilising that data with AI & machine learning is bound to be ineffective. “The key is to embed the right data fabric,” says Griggs. “Make sure that the data is curated in the right way so that you can trust it. “It is so important to any bank or financial institution so that they can generate those insights to make decisions quickly, allowing business leaders to have confidence in the insights when they prioritise where they spend their resources.”

Fujitsu: Mitigating fraud, promoting decarbonisation

While open data, or third-party data sharing, is reaping many benefits for banks and associated partners in an ecosystem – it has also led to a rise in data breaches and consequently, fraud. This is something Griggs calls “a real concern for the industry and for governments.” She adds: “Cyber criminals have access to new technology as well, and we are seeing an increase in fraud and cybercrime in the industry.” “The key is to make sure that we keep up with that pace of change, that we embrace that technology in a responsible way so that we can counteract those malicious actors. “Social reach is important here. Having reach through open data allows banks and financial services to see what’s happening with vulnerable customers. It has multiple other benefits, including helping organisations like banks enable the decarbonisation of finance too. “That’s where we’re seeing partnerships in other industries deliver value to shift financial services from the role of the financier alone, to deliver better outcomes and boost sustainability, like we do with Landmark.”

Fujitsu: Partnerships taking fintech to the next generation

The partnerships Fujitsu strikes also help it boost the offerings it provides to its clients. Just as the industry at large is doing, Fujitsu is embracing the impact and benefits of fintechs by integrating these platforms and services into its broader ecosystem.
Griggs says: “We don’t just need collaboration with fintechs, but we also need big tech and other tech vendors. For example, we work with cyber companies like Thales and CrowdStrike to support data management companies. “To manage data and workloads efficiently and effectively, we work with Delphix, Suse and Nuix. Even for AI ethics, we work with a company called 2021.AI, which looks at AI governance and how you make sure that you embed that in the way that you work. “We also work with workplace technology partners like Riverbed, which understands how the services we provide our colleagues can be used to best effect. With Riverbed, we can identify where things aren’t working and correct them even before they go wrong sometimes. “Whilst banks have real technology capability in these areas, as a technology company with multiple partners, Fujitsu has the expertise in all those deep pockets to help with the complex integration of fintech systems at banks and other financial organisations.”

The future of Fujitsu

Armed with a history of innovation and technological insight, a true consultative perspective and strategic partners, Fujitsu is truly primed to complete its shift from an infrastructure-managed services company to a digital transformation company. This shift is already in full swing, and it’s reshaping the company with unstoppable momentum. Griggs concludes: “I’m very much behind and passionate about the changes that we are making. We need to continue what we are doing to move faster at bringing in the right people and technology to grow the partnerships we have with our customers. “That represents our path to growth and certainty for me, I’m very happy to grow as my sector grows. “We must continue to ask ourselves the pertinent questions: How can we be even more data-driven? How can we integrate our systems more? How can we use intelligent solutions in the way that we bring products and services to our market? How can we align the full global force of our business to help our customers achieve their outcomes? “By constantly striving for more and being entrepreneurial, we will achieve further growth and success in the future. That is our path forward.”

FUJITSU: LEVERAGING TECH TO IMPROVE WORKPLACE WELLBEING

The returns on implementing technology to maximum effect don’t just extend to operations and boosting customer experiences, they can have a significant impact on employee wellbeing. This is all the more important in financial services, with research conducted by Solidatus revealing that 71% of global data leaders in financial services are on the brink of quitting. It doesn’t need to be this way, though, and Fujitsu’s workforce is starting to see the benefits of using tech to improve workplace wellbeing. As put by Griggs: “We are seeing some of these AI-driven technologies taking a lot of the mundane, repeatable tasks out of workers’ intrays. “These technologies provide the right information at the right time and at Fujitsu, help our team to deliver the right personalised service to our customers. This in turn helps our customers to provide a better service to their consumers. “Of course, privacy should be taken seriously here and it’s important to find the right balance between consumer data and respecting privacy laws.”

FUJITSU: SUSTAINABILITY FRONT OF MIND

Amid Fujitsu’s cultural shift, sustainability has become a key pillar in Fujitsu’s financial services sector when looking at providing the best new fintech innovations to its clients. “We are now seeing a new pillar when weighing our business growth and that is around sustainability and the continued drive to net zero. “Managing our carbon footprint is one thing, but our ESG strategies and considerations are much broader than that. Today, our entire product portfolio is aligned with the United Nations Sustainable Development Goals.” “So we ensure the technology that we’re providing to our customers is contributing to delivering a better society and is achieving some of those Sustainable Development Goals. “We hold our partners to quite high standards around that as well, and it’s very much part of our onboarding process. If we are representing certain ethics and standards, we must demand the same from them, and this has helped us to develop a great ecosystem.”
TECHNOLOGY
CYBER SECURITY’S CRUCIAL ROLE IN THE MODERN DEFENCE INDUSTRY
Cyber Magazine speaks with experts to discuss the complex challenges and strategies in safeguarding the defence sector against cyber threats
WRITTEN BY: MARCUS LAW

At a time when the lines between the digital realm and physical warfare are becoming increasingly blurred, the role of cybersecurity in the defence sector has never been more critical. This month Cyber Magazine speaks with a number of industry experts – Bernard Montel of Tenable, Mark Hughes from DXC Technology, Lauri Almann of CybExer Technologies and Elliott Wilkes at Advanced Cyber Defence Systems – each of whom offers an in-depth exploration of the multifaceted challenges and evolving strategies in fortifying the defence sector against cyber threats.

The need for cybersecurity in defence

“The defence industry is not the image of the armed forces that comes to mind,” begins Bernard Montel, Technical Director of EMEA for Tenable, emphasising that today’s defence landscape is a far cry from traditional warfare. “Today our on-the-ground troops deployment is backed with high-tech technologies such as drones, used for surveillance, communications systems that allow data to be shared securely, satellites powering these channels and more.” Montel’s words serve as a stark reminder that the defence industry has evolved into a complex technological ecosystem. “It’s akin to a house of cards. Any weakness can and will bring it all tumbling down,” he warns.
“It’s akin to a house of cards; any weakness can and will bring it all tumbling down” BERNARD MONTEL
TECHNICAL DIRECTOR, EMEA, TENABLE
Mark Hughes, President of Security at DXC Technology, echoes this sentiment, adding a layer of urgency and outlining four pillars of cybersecurity in defence: maintaining operational integrity, protecting classified information, supply chain security, and deterring industrial espionage. “The defence industry is responsible for developing and maintaining critical military systems, infrastructure and communication networks. These systems are essential for national security, and any breach or compromise could have devastating consequences, including the potential for espionage, sabotage or theft of sensitive military information. “A strong cybersecurity posture can serve as a deterrent against cyberattacks,” Hughes describes. “Knowing that a defence organisation has robust defences and the capability to retaliate in cyberspace can discourage potential adversaries from launching attacks. As defence systems become increasingly reliant on advanced technologies, such as artificial intelligence, IoT, and autonomous systems, the attack surface for cyber threats also expands. Keeping pace with technological advancements and securing these technologies is crucial.”

Lauri Almann, Co-founder of CybExer Technologies, brings another dimension to the conversation. “A tank, for example, is no longer just an armoured vehicle; it’s also an intricate information system,” he notes. Almann underscores the need for heightened cybersecurity measures, especially in cloud solutions and electronic warfare systems. “Several threat vectors underscore the crucial role that cybersecurity plays, including command and control systems, remotely piloted systems and various electronic warfare systems, all of which are pivotal on the modern battlefield. “Moreover, cloud solutions are a critical consideration in defence operations, demanding heightened cybersecurity measures.”

Elliott Wilkes, Chief Technology Officer at Advanced Cyber Defence Systems, meanwhile offers a sobering perspective which sums up the levels of criticality in cybersecurity in defence. Quoting a senior US General, he says: “The next war won’t be won with cyber investments but if we don’t invest, the next war will absolutely be lost due to cyber.”

The dangers of insider threats

As Montel cautions, when we talk about insider threats we automatically think of rogue employees, but the danger is far more sinister, with external threat actors often exploiting privileged positions within organisations. “It’s imperative organisations understand the threat from privileged user accounts and take steps to identify the potential attack path routes through the environment attackers could use to successfully infiltrate critical systems and steal sensitive data. “By combining risk-based vulnerability management and active directory security, security teams can eliminate attack paths, ensuring attackers struggle to find a foothold and have no next step if they do.” Hughes discusses the multi-pronged strategies employed to mitigate insider threats. “Organisations across the defence industry are using a diverse strategy to strengthen their defences against insider threats. Some of these strategies include implementing strong access controls, such as multi-factor authentication, role-based access control, and the principle of least privilege.” Hughes also mentions the importance of monitoring employee activity, supported by user behaviour analytics (UBA) systems.

BERNARD MONTEL TITLE: TECHNICAL DIRECTOR, EMEA COMPANY: TENABLE LOCATION: FRANCE
As Technical Director EMEA, Montel helps Tenable customers reduce their cyber exposure. As a security strategist, he evangelises and positions Tenable’s solutions in EMEA, working closely with product management and sales to help customers.

LAURI ALMANN TITLE: CO-FOUNDER COMPANY: CYBEXER TECHNOLOGIES LOCATION: UNITED KINGDOM
Prior to his work in the private sector, Almann served in various top-level civil service positions, including as the Permanent Secretary of the Estonian Ministry of Defence between 2004 and 2008. He was a member of the Government Delegation for Estonia’s accession talks with NATO, and has served as a diplomat in Brussels, St Petersburg and Kyiv.

MARK HUGHES TITLE: PRESIDENT OF SECURITY COMPANY: DXC TECHNOLOGY LOCATION: UNITED KINGDOM
President of Security at Fortune 500 technology firm DXC Technology since 2021, Hughes is a former CEO of BT Security and served in the military.

“A strong cybersecurity posture can serve as a deterrent against cyberattacks” MARK HUGHES
PRESIDENT OF SECURITY, DXC TECHNOLOGY

Video: DXC Technology: Cyber arms race and geopolitically motivated cyberattacks set to increase in 2023
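Montel’s point about identifying and then eliminating the attack paths a compromised privileged account could follow can be made concrete. What follows is an added example written for this page, not code from Tenable, DXC or the article: it enumerates every route through a small directory-style privilege graph from a foothold to a high-value group, then finds the smallest set of relationships whose removal leaves no route, which is what “eliminating the attack path” means in practice. The node names, the edges and the BloodHound-style relationship labels (MemberOf, AdminTo, HasSession, GenericAll) are all constructed for illustration.

```python
"""Attack-path enumeration over a small directory-style privilege graph.

Added example, not from the article or any vendor. The graph below is
constructed: names and relationships are invented, and the labels follow
the BloodHound convention of "source can reach/control destination".
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample graph: (source, relationship, destination).
SAMPLE_EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("Helpdesk", "AdminTo", "WS02"),
    ("WS01", "HasSession", "svc_backup"),        # service account logged on
    ("WS02", "HasSession", "bob"),
    ("svc_backup", "GenericAll", "Domain Admins"),  # over-permissioned ACL
    ("bob", "MemberOf", "Server Operators"),
    ("Server Operators", "AdminTo", "DC01"),
    ("DC01", "HasSession", "Domain Admins"),
    ("carol", "MemberOf", "Finance"),
    ("Finance", "AdminTo", "FS01"),              # dead end: no route onward
]


def build_graph(edges):
    """Adjacency map: node -> list of (relationship, neighbour)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_attack_paths(edges, start, target):
    """Return every simple path from start to target as a list of edge triples.

    Depth-first search with a per-path visited set, so cycles (nested groups,
    sessions on several hosts) cannot recurse forever.
    """
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for rel, nxt in graph.get(node, ()):
            if nxt in visited:
                continue
            visited.add(nxt)
            path.append((node, rel, nxt))
            walk(nxt, visited, path)
            path.pop()
            visited.discard(nxt)

    walk(start, {start}, [])
    return paths


def choke_points(paths):
    """Edges present on every path: removing any one of them cuts all paths."""
    if not paths:
        return set()
    common = set(paths[0])
    for p in paths[1:]:
        common &= set(p)
    return common


def minimal_cut(edges, start, target, max_size=2):
    """Smallest set of edges (up to max_size) whose removal leaves no path.

    Candidates are only the edges that lie on some attack path, so the
    brute-force search stays small; None means no cut of that size exists.
    """
    paths = find_attack_paths(edges, start, target)
    on_path = sorted({e for p in paths for e in p})
    for size in range(1, max_size + 1):
        for cut in combinations(on_path, size):
            remaining = [e for e in edges if e not in cut]
            if not find_attack_paths(remaining, start, target):
                return set(cut)
    return None


def describe(path):
    return " -> ".join(f"{s} [{r}] {d}" for s, r, d in path)


if __name__ == "__main__":
    for p in find_attack_paths(SAMPLE_EDGES, "alice", "Domain Admins"):
        print("path:", describe(p))
    print("cut for a Helpdesk foothold:",
          minimal_cut(SAMPLE_EDGES, "Helpdesk", "Domain Admins"))
```

Run stand-alone it prints the two routes from alice to Domain Admins (one via the backup service account’s session on WS01, one via bob’s Server Operators membership) and a two-edge cut for an attacker who already holds the Helpdesk group. Choke points are cheap to compute but need not exist, so `minimal_cut` falls back to a bounded search over edges that actually lie on a path; at real directory scale the search would need better bounding, but the check that no path remains after the cut is the part worth keeping in any such tool.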
ELLIOTT WILKES TITLE: CTO COMPANY: ADVANCED CYBER DEFENCE SYSTEMS LOCATION: UNITED KINGDOM
Wilkes worked as a lead technologist for the Defense Digital Service within the Office of the Secretary at the Pentagon, and later as a liaison from the US Department of Defense to the UK Ministry of Defence, working with the MOD CIO and CISO, and NATO on technology and digital services. He now heads cyber startup Advanced Cyber Defence Systems, focused on bringing some of the best elements of national security cyber to the private sector.
“Additionally,” he adds, “frequent security awareness training for army personnel is becoming more common, equipping them with the skills to recognise and report suspicious conduct as well as grasp the intricacies of insider threats. Beyond training, organisations across the defence industry are establishing a security culture in which staff are encouraged and empowered to report any abnormalities and security is embedded as a top organisational priority.” Almann adds that the defence industry employs a spectrum of strategies to safeguard against insider threats, from traditional IT solutions like data leak prevention to more complex counterintelligence operations.

Global collaboration: The new norm

As Almann notes, in the context of global cyber threats, defence agencies worldwide are increasingly collaborating and sharing intelligence to counteract shared threats. Improvements in global intelligence sharing are clear, for example in the case of initiatives like the European Defence Agency’s MilCERTs exercise. “The exchange of information has improved, and initiatives are actively addressing information-sharing challenges, working toward greater efficiency in this crucial aspect of cybersecurity.” Wilkes discusses the surge in multilateral organisations like NATO. “An interesting result of Russia’s invasion and the war in Ukraine is that multilateral organisations like NATO have had a surge in interest, energy, and funding, in the past two years,” he observes. “What is also interesting is looking towards the US and UK partnerships in Asia, as the West looks to bolster relationships with countries in the region, to provide a counterbalance to China.” As Wilkes explains, the great majority of intelligence sharing, by its very nature, won’t be public. “That said, there are more and more instances of multilateral attribution notices in which a variety of cyber security organisations, across a number of countries, jointly call out criminal or malicious behaviour in cyberspace. We saw this a few months ago with efforts by China to infiltrate critical systems in Guam and elsewhere, publicly named and called out by five countries.”

Preparing for the cyber frontier

Almann concludes that the defence industry is preparing for potential large-scale cyber conflicts through extensive exercises, meticulous planning, and the implementation of innovative solutions like cyber ranges and digital twins. “Exercising is a critical aspect, and it’s crucial to understand that throwing money at the problem won’t suffice,” he says. “Instead, smart solutions like cyber ranges, digital twins, and capability development are being employed. Cyber ranges, in particular, enable realistic simulations of cyberattacks, providing invaluable experience to enhance readiness when real cyber threats arise.
OEC
DIGITAL RESILIENCE THROUGH CYBERSECURITY GOVERNANCE
WRITTEN BY: MARCUS LAW PRODUCED BY: TOM VENTURO
Jad Elsohemy, VP of Technology & Innovation at OEC, discusses the importance of effective cybersecurity governance when protecting critical infrastructure

Delivering energy and infrastructure services to customers throughout Canada, OEC offers innovative products and services across the infrastructure, energy, gas and electricity distribution and telecommunications sectors. With over 2,500 employees, insightful and reliable energy and infrastructure solutions are provided to clients coast-to-coast. As Jad Elsohemy, OEC’s Vice President of Technology and Innovation, explains, protecting all of this critical infrastructure and ensuring the safety of communities has become a paramount concern. His role today encompasses a wide range of responsibilities, including the operations, maintenance, planning, prototyping, and development of many technology systems integral to OEC’s operations. “My enthusiasm lies in harnessing the transformative capabilities of technology to empower our organisation to achieve its greatest potential,” he describes. “I am deeply appreciative of the opportunity to play a pivotal role in realising this vision.” Another aspect of Elsohemy’s role, he explains, revolves around fostering innovation. “Throughout my career, I’ve been fortunate to be part of organisations that wholeheartedly embrace innovation, and OEC is no exception. At OEC we aim to weave innovation into the very fabric of our daily operations.”
Jad Elsohemy, VP of Technology & Innovation at OEC
“ At OEC we aim to weave innovation into the very fabric of our daily operations” JAD ELSOHEMY
VP OF TECHNOLOGY & INNOVATION AT OEC
An engineer by training, it was during the first role of his career at ExxonMobil that Elsohemy began to appreciate the critical importance of cybersecurity. "My tenure at ExxonMobil afforded me the opportunity to work in diverse roles, allowing me to develop strong foundational knowledge across various technology domains," he comments. "During this time, I also came to appreciate the critical importance of cybersecurity, motivating me to seek roles where I could develop expertise in this vital area."

This pursuit culminated in his appointment as Security Design Lead at ExxonMobil, where Elsohemy ventured into operational technology cybersecurity while the field was still in its infancy.

Elsohemy's next role would see him join Thales, where he assumed responsibility for the cybersecurity of the company's urban rail system division. "This role exposed me to the development and deployment of safety-critical train systems, underscoring the pivotal role of cybersecurity in safeguarding critical infrastructure," he describes. "It also enabled me to delve into emerging technologies, including 5G, and the bringing together of various sensory technologies, communications, and cybersecurity for autonomous train control."

EXECUTIVE BIO
JAD ELSOHEMY
TITLE: VP OF TECHNOLOGY & INNOVATION
INDUSTRY: CYBER SECURITY
LOCATION: CANADA

Jad Elsohemy is the Vice President of Technology and Innovation at OEC, with over 15 years of experience in the technology domain. With an Engineering degree and an MBA, Jad's career has thrived in the Energy, Transportation, and Utilities industries. His passion lies in harnessing technology's transformative potential, be it in automation, digitisation, decision-making, efficiency improvements, or pioneering new service opportunities to help businesses achieve their full potential. Throughout his journey, Jad has consistently recognised the critical importance of cybersecurity, honing his skills in information technology (IT) and operational technology (OT) to complement his already impressive tech expertise.
In March 2022, Elsohemy joined OEC. "My current role has allowed me to further leverage and expand my expertise in cybersecurity, particularly in relation to the interplay between safety and cybersecurity. It has afforded me the opportunity to use my expertise within the energy and infrastructure services, utilities and construction industries and has served as a true opportunity-rich area."

OEC: Empowering communities through comprehensive solutions

OEC consists of a group of companies dedicated to delivering end-to-end solutions for a wide range of sectors, including infrastructure, energy, renewable generation, electricity, and gas distribution. With a workforce of over 2,500 employees and a client base spanning Canada, OEC has grown into a trusted name within the industry. The company continues to invest heavily in cutting-edge technology to deliver innovative solutions, including Geographic Information System (GIS) data management and GIS-as-a-Service, mobile LiDAR technology for 3D scanning and analysis of assets, and location intelligence services.

One of OEC's standout features is its unwavering commitment to harnessing the power of technology and cybersecurity to keep communities safe while protecting critical underground infrastructure. "We view technology and cybersecurity as one of the means for keeping communities and people safe while protecting critical utility/underground infrastructure," Elsohemy explains.

The crucial role of cybersecurity at OEC

In the digital age, cybersecurity is a top priority for any organisation, but for OEC, it takes on even greater significance. "The gravity of a cybersecurity breach or incident cannot be overstated, especially when considering the critical infrastructure we operate and service," Elsohemy describes. "Establishing and maintaining a robust cybersecurity programme is not merely a choice but a paramount responsibility."

Establishing this programme acts as a first line of defence, positioning OEC to prevent, identify, respond to, and recover from potential cybersecurity attacks. "It's our proactive shield against threats that could jeopardise the integrity of our services and the safety of our stakeholders.

"Furthermore, our commitment to cybersecurity extends beyond corporate duty; it's a moral and ethical obligation. Safeguarding the privacy of our customers' sensitive information and upholding the resilience of the electricity grid are fundamental principles."

OEC's cybersecurity programme is rooted in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a risk-based approach that focuses on technology, people, and processes. Elsohemy explains: "While technology solutions are undoubtedly crucial, our cybersecurity programme places equal emphasis on the other two vital pillars of a successful cybersecurity strategy: people and processes."

On the people front, Elsohemy's team has established a robust cybersecurity awareness training programme, incorporating phishing simulation tests. "Recognising the diversity of roles within our organisation, we've tailored training to suit specific job functions. For instance, field users may receive distinct training compared to their office counterparts."

"The process pillar can be the most challenging," he adds. "This encompasses not only the creation of cyber-specific processes like governance and access reviews but also the integration of cybersecurity into existing workflows, such as the procurement process, to safeguard against supply chain attacks.

"Our holistic approach ensures that all facets of our organisation are fortified against cyber threats, recognising the importance of bringing technology, people, and processes together within the programme."

The OEC group of companies includes: Planview Utility Services, DPM Energy, QSP Geographics, EMB Management, UTS Consultants, Trans Power, Teraflex, El-Con Construction, PVS Contractors, GTel, Oakville Hydro, OEC Geo-Exchange, OEC Generation, and Golden Horseshoe Metering Services.
Innovative cybersecurity governance at OEC

Establishing robust cybersecurity governance is a cornerstone of OEC's cybersecurity programme. Cybersecurity governance defines accountability, responsibility, and oversight to ensure that cybersecurity risks are known and adequately mitigated. OEC's approach to cybersecurity governance includes four elements:

• Establishment of owners: Ownership of cybersecurity aligns with the operational accountability of each company within OEC, ensuring a tailored approach to cybersecurity risk management.
• Risk-based decision making: OEC makes cybersecurity decisions based on risk assessment, ensuring resources are allocated to address the most critical risks effectively.
• Well-defined roles and responsibilities: Clear roles and responsibilities for cybersecurity are defined and assigned, leaving no room for ambiguity.
• Measuring and reporting on cybersecurity risk: OEC continuously monitors and reports on cybersecurity risk, allowing for proactive adjustments to its cybersecurity posture.

These measures are indicative of OEC's commitment to maintaining a high level of cybersecurity governance across its diverse range of companies and industries. "Given that OEC consists of a group of 16 operating companies in a variety of industries, an adaptive cybersecurity governance approach was established to address the unique needs and risks of each company," Elsohemy explains.

Challenges in cybersecurity and their solutions

Like many organisations today, OEC faces its fair share of challenges when it comes to cybersecurity. Prioritising cybersecurity investments in the face of an ever-expanding list of needs is always a challenge, so to overcome this, OEC relies on rigorous risk assessments. "These risk assessments evaluate the potential threats and consider their likelihood of occurrence and the impact they could have on various aspects of the business, including safety, finances, regulations, privacy, and operations," Elsohemy describes. "Investments are then prioritised based on their ability to mitigate the identified intolerable risks, with higher priority given to those that address higher risks."

Another challenge is instilling a culture of cybersecurity where every employee understands their responsibility in safeguarding the organisation. OEC addresses this with a comprehensive cybersecurity awareness training programme tailored to specific job functions. This targeted approach ensures that employees are equipped to protect against cyber threats effectively: for example, OEC has established Operational Technology (OT)-specific cybersecurity training for the employees who operate OT systems. He adds: "Cybersecurity needs to be embedded into existing processes where possible, from procurement to human resources, so that it becomes recognised as not something that is external to day-to-day job functions."

Stratejm: A trusted partner in cybersecurity

As a provider of critical infrastructure and services, OEC has a responsibility to monitor, identify and rapidly react to potential cybersecurity incidents 24/7. To help make this happen, OEC has found a reliable partner in Stratejm, a recognised industry leader in cyber and data security. Stratejm plays a crucial role in OEC's cybersecurity strategy by providing monitoring, response, and incident assistance across various asset classes, including endpoints, servers, operational technology, and cloud-based applications and data.

For a partnership to succeed in the realm of cybersecurity, communication and trust are paramount. OEC and Stratejm have built a relationship that functions as an extension of OEC's internal cybersecurity team. "When looking for a cybersecurity partner, it is important to ensure that they function as an extension of your existing cybersecurity team, and this is something that we have managed to achieve with Stratejm," Elsohemy says. "There is fluid communication, with a relationship built on trust."
The road ahead: Technology and cybersecurity innovations and trends

Looking to the future, Elsohemy explains that OEC has its sights set on several key trends and innovations in the technology and cybersecurity landscape. "In the area of cybersecurity, we are moving to a zero-trust security model whereby every asset or user, whether inside or outside the network, needs to be authenticated and authorised," he explains. "We are also looking at methods to achieve this, including compensating controls with increased network visibility to achieve this on our operational technology side."

OEC is also delving into the world of AI and machine learning, with the ultimate goal of developing trained models that can solve classification and prediction problems. By capturing visual images of infrastructure and using AI to analyse these images, OEC aims to enhance processes and innovate further. Elsohemy concludes: "The idea is to capture visual images of infrastructure, for example, and then have the software analyse the images and perform predictive analysis on the health or to help triage and identify areas of focus for manual inspection."

As OEC advances its cybersecurity measures, the organisation is looking forward to a safer and more resilient digital world, where safety and innovation go hand in hand.