Introducing Jane – Chief Information Security Officer
Welcome to my page! I am Jane, a newly recruited Chief Information Security Officer (CISO) and every month, I will talk about my job, the highs, the lows, and the innovations in between. And how all of this comes together to help keep my company safe, as well as grow my career.
Jane, Chief Information Security Officer
Before moving on from my previous role, I commissioned Threat Hunting from Capgemini. Why? A sense of responsibility. I wanted to make sure I wasn’t leaving behind any hidden threats or data that had already been compromised. Cyber-attacks are serious business. And protecting customer records was high on our agenda.
I was the Chief Information Security Officer (CISO). We had hundreds of customers, and it was extremely difficult to detect threats internally and we were often too late. I’d already put some fundamental measures in place, but I was still concerned. I wanted to make sure as a cyber-attack could hurt a lot of our customers personally and materially. It could punch a hole in our future profitability, too. Not to mention the damage to our reputation!
Cyber-attacks were getting more sophisticated and more frequent. Big names like Yahoo and Tesco Bank were being attacked. The board was nervous. My impending departure from the company didn’t help either.
So, I met with my Capgemini consultant. I wanted to know more about their new Threat Hunting service, which I’d heard about while they were implementing our Identity and Access-as-a-Service (IDaaS) and Security Operations Center (SOC).
He told me that the service was about unifying in-depth human analysis with automated threat data processing. While SOCs look for the lateral movement and the exfiltration of data, Threat Hunting sets out to hunt down the malicious activity your security controls have failed to detect, or that were there before the SOC was put in place. The key word here is ‘Hunting.’
Without disclosing any details on the outcome, for obvious reasons, the service revealed that some unknown vulnerabilities had been exploited, fortunately without serious consequences. We were able to rectify the problem before our data was compromised. Essentially, Threat Hunting brings a proactive element to more traditional reactive cyber-breach detection tools.
It’s a crucial difference.
So here I am at my new placement with a new company, which I think would benefit from Capgemini Threat Hunting too. And my former colleagues? With effective cybersecurity in place, they can live without me now. So they say…
Check out Threat Hunting from Capgemini here. And think proactive.
A new company, a new challenge, and some new priorities. But just like all CISOs, I have one consistent focus: to be as rigorous as possible when it comes to cybersecurity.
So, when I was told about a whole raft of new apps the company was launching next quarter, I knew I had to get to work quickly to ensure robust testing was part of the process.
That’s when I met with Philippa. She heads up Quality Assurance in the ‘New Digital Product Launches’ division. She was under pressure to get the suite of new apps ready and launched as soon as possible.
We teamed up to review the current arrangements, and I advised her that security testing had to be high on her priority list, despite the time pressures.
App security is not something that can be compromised. I’ll be frank ― I was a little concerned. While the testing environment appeared generally good, like most companies, it was still reliant on pen testing. This often occurs too late in the process to pick up security issues. So it can’t solely be relied on to protect new apps against dynamic modern cyber-threats.
I’d worked with Capgemini successfully in the past, so knew about its Application Security Testing Service. I got back in touch to set up a discussion.
It can be tough to test multiple apps against changing cyber-threats thoroughly, especially when you’re against the clock ― and on a budget. But that’s what Capgemini’s service is set up to do.
Let’s just say Capgemini’s Application Security Testing Service delivered.
Find out more about Capgemini’s game-changing service here.
I’ve been talking about the challenges of how to secure enterprise assets and data since taking up my new role as CISO. My next task in my new role was to look at IAM (Information Access Management) within the business.
I was inclined to put more stringent information access controls in place, and to place a greater onus on user verification. But more barriers can have a negative impact on the customer experience.
So, I spoke with Peter, my Head of Compliance. Peter sets the access and governance policies for the company. With ultimate accountability for IAM, Peter’s responsibilities have become more complex recently. In fact, the increasing number of ways that people can access information as a result of device proliferation and trends like BYOD have made Peter’s life extremely challenging.
Following an internal policy review, Peter and I mapped out ways to give the right people the right access to the right information quickly and securely. The quality of the end-user experience was a priority.
We liked the idea of deploying an onsite IAM solution. But Peter felt this would be costly and challenging from an HR perspective. The ROI would also be difficult to prove. We needed a completely new approach.
That’s when I introduced Peter to Capgemini. They were speaking at a compliance event, and we attended a session on their Identity and Access Management as a Service (IDaaS) offer. Peter was impressed by the deployment speed of this service. He was also attracted by its scalability, which he felt would be cost-effective and help diminish risk. So we commissioned IDaaS soon afterward.
For the first time in a long time, Peter now feels like his job might actually be getting simpler!
Learn more about Capgemini’s IDaaS here.
One of our competitors recently suffered a major data breach. This ― and the emergence of new market players prompted me to consider what cybersecurity strategy would best protect our own digital assets.
My starting point was our business needs. What security should we have in place to ensure the company’s growth and competitiveness going forward ― especially the level at which we combined digital transformation with acceptable risks? And, crucially, how could I ensure that our security plans were given the senior-level attention required from decision-makers and other stakeholders to ensure top-down buy-in to the whole subject of cybersecurity?
It was a strategically important challenge. I needed to ask the right questions to enable me to build an appropriate cybersecurity strategy for our organization ― one that would ensure regulatory compliance and business resilience. These questions had two focus areas: how to achieve our cybersecurity objectives, and how to align those objectives with the business.
A critical starting point to protecting your digital assets
Here’s what I came up with ― and I believe these four questions would be a good starting point for any CISO or IT leader developing their security strategy:
- • How do we evolve our traditional security model so that there is a focus on data, people and risks?
- • What should we focus our investment on now, given that security operations no longer rely solely on IT protection?
- • How can we embed the new cybersecurity vision as part of the wider business transformation journey, in order to deliver deep changes in the security function?
- • How can we avoid employees being the weak link and move toward a more people-centric approach to security?
So, I was asking the right questions, now I needed to put in place my strategic security plan. I set up a meeting with the Capgemini Cybersecurity team to help me map out a bespoke strategy for our business and then bring it to fruition.
What I liked about Capgemini’s proposal was their offer to manage both strategy and implementation ― no one else was able to paint (and deliver) this complete picture. I was also comfortable with their vendor-agnosticism because I knew I wouldn’t be pressured to buy any particular technology, or be tied into an expensive license deal.
Based on a clear, shared vision of our maturity and practices, Capgemini helped implement our cybersecurity transformation program in just 12 weeks. I now feel confident that we’ve got the cybersecurity we need to take our business forward ― securely. \
Want to see how Capgemini Cybersecurity strategies can protect your digital assets? Mouse here.