What was at the heart of the BA, Marriott, Equifax, Capital One and Travelex breaches?
Basic error, says Greg Van Der Gaast, Head of Information, University of Salford. Greg explains that these breaches could have been “completely preventable” at a small cost. And yet, these companies chose to spend vast amounts of money on technology in lieu of a holistic application of the basics.
Greg recently told us on the teissPodcast that “simple asset management” is at the root of many of these overlooked basics. Most people have assets that they are not aware of, so it’s essential for security teams “to know the business and to engage people in the business.”
What’s the key to achieving that level of visibility in an organisation?
Greg says that he contacts every single person in each part of their business and asks to have a cup of coffee with them.
He’ll ask them questions such as, “Where are you based? What do you do? What systems do you use? What kind of data is that? How does it all connect?” He says he does this, “so I become aware of what’s actually out there instead of just looking at what my tools are telling me on a screen.”
Taking the time to sit with people in your company and ask them what you can do to help them will pay you back multifold, and their perception of you will change completely, he explains.
“Then you need to build relationships with your management to give you the capability to proactively solve those issues,” he adds.
Embracing leadership skills as a CISO
Greg considers CISOs to be far too technical, although progress is being made: “There is still a huge amount of indoctrination of how we do things – and that tends to be built on a very technical foundation, and so that natural curiosity is missing. We tend to make things worse for ourselves by layering all of these frameworks and these best practices and compliance.”
Greg adds that a lot of people are still building security according to standards they’ve downloaded off the internet, “as opposed to for the business they have in front of their face.”
“We use the fact that people don’t understand us to our advantage. There are a lot of great CISOs but a lot of bad CISOs too who are just fleecing their companies. Lots of budget, lots of people, lots of spending but delivering little value,” he stresses.
Greg says a level of “altruism” is currently missing from the role: to be a successful security leader, it’s essential to look at things holistically, care about people and be a business enabler.
Listen to the full interview on our podcast where Greg talks about how he avoids metrics, how to engage the business and how a bit of altruism can get you a long way in preventing breaches and helping you achieve your security goals.