Interview with Marlany Naidoo, Head: Information Security & IT GRC, Mercantile Bank

Written by Corinium on Nov 19, 2019 10:20:19 AM

  1. How are you strategically allocating your budget/resources to deal with the growing scourge of hacks and data breaches?

Spend has to be against your risk appetite and not against every threat. We will never have enough money to close all the gaps. Investment is channelled towards quick detection and skilled teams to eradicate the breach.

  2. Gartner analysts also predicted that security services will account for 50 percent of cybersecurity budgets by 2020. With this in mind, where are you investing your company resources?

Our primary function is to ensure customer safety when transacting on the bank's platforms; that will be our continued focus. Once again, towards quick detection and skilled teams to eradicate a breach.

  3. How are you dealing with the growing spectre of privacy regulations?

Collapsing the silos between compliance, legal and business requirements in favour of collaboration and understanding the data is a step in the right direction. Privacy regulations fundamentally rely on what data you have, how you are transmitting it and where it is stored. Building those concepts upfront into the business processes and supporting systems means an automated way of dealing with regulations.

  4. Is fostering an enterprise-wide security culture a top priority for you?

Yes. Security is not an IT function, it's an organisational function, from the end-users who act as the first line of defence, to the assurance providers who seek to understand the risks an enterprise faces, to the executives who set the tone and priorities for the implementation of a security culture.

The easiest way to start this process is to focus on the human component and make security personal to each stakeholder via a security awareness programme. The programme needs to provide all stakeholders with two things: what's in it for me, and what is required from me.

  5. How are you aligning security operations with IT? Is automation and orchestration high on the agenda?

Definitely. With the advent of the fourth industrial revolution and the incorporation of AI, machine learning and robotics, the digital age demands that IT implementations consider security inherently.

My relationship with IT Operations, and understanding the projects and the type of technologies being implemented, helps me leverage the correct value propositions that meet a security objective. Automation and orchestration are the only way to ensure that value is extracted in the least resource-intensive way.

  6. How are you addressing insider threats and risk in your organisation?

We have a history of focusing on perimeter defence, and internal threats such as trust abuses are typically not caught by your traditional "signature-based" defences. How do traditional intrusion detection systems and anti-virus systems protect you in this case?

The threat is about psychology, behaviour patterns and intelligence. Given that these are human behaviour patterns, it is a difficult risk to monitor and control. However, some basic controls should be considered:

  • Understand identities in your organisation and understand what that identity is capable of.
  • Build analytics around simple behaviour patterns and educate response teams on how to deal with anomalous activity.
  • Educate the organisation on the concept of the insider – and provide a means of reporting anonymously.
  • Ensure your organisation's policies around investigations and consequences are known and executed.

  7. How Important Are Emerging Risks to Your Information Security Vision?

The recent results of the Brainstorm survey state that 38% of CIOs are expected to drive innovation within their businesses. Without innovation, the business cannot survive. Organisations are expecting IT to optimise and automate in order to help save money and to better the customer experience, therefore attracting more customers. However, the world's best technologies mean very little if they cannot be trusted, i.e. secure. The CISO vision needs to consider the threat landscape in light of robotic processing, artificial intelligence, cloud adoption and so forth, and allow IT to innovate with eyes wide open: know the risks and be adaptive enough to either decrease the risk or accept it.

  8. For CISOs who talk to their Boards, what subjects should they mention and which ones should they avoid?

Outside of the traditional budget and resource discussions, consider:

  • Speaking about security as a trusted partner to innovation and digital transformation. Bring in its commercial value, for example: how it will assist the customer experience (safe customers mean trust in the institution), and how it can save re-development costs if considered upfront during development (DevSecOps).
  • Get the board involved – education via gamification – means the board will understand the kind of decisions that need to be made on the ground without getting into technical detail.
  • Local examples of what is going on in the cyber world, business and personal, make the security speak real.

Avoid fear-mongering; after all, the perception of what can go wrong and its impact means different things to different people. Base your comparisons on statistical evidence where possible, and show the risk in the context of your own risks.

Whilst some concepts have to be explained technically, keep the GB and analytics conversations out of the boardroom.

In My View…

What personal achievement are you most proud of?

  • Self-publishing my book with Partridge Africa, under an author name. The content is focused on empowerment of one's self in the face of diversity.
  • I formed part of the women's coaching programme when I was employed at Absa and had the privilege of guiding young women in their first year of working. The learnings for myself and watching the growth of the ladies humbled me. Two of the ladies are now coached by senior members of PwC.

Why are internal threats oftentimes more successful than external threats?

  • Insiders have knowledge of the type of controls, monitoring and business processes that institutions follow. Coupled with credentials, an insider processing a transaction in the normal course of business or downloading malicious content is going to be difficult to identify unless behaviour analytics and operational controls like the 3 eye principle are in place.
  • The crime costs less money in this instance.

Marlany Naidoo will participate in the discussion group "Developing an IAM Programme" at CISO Africa, 18-20 February, Maslow Hotel, Johannesburg.
This post is an extract from Corinium's Next-Gen InfoSec: Navigating the Data Breach eBook.