Organizations need the right internal personnel like a CISO to keep their systems and data secure. But what kind of skills do these leaders need? And how should they guide their employers in a way that doesn’t overlook the evolving threat landscape?
To find out, I decided to speak with Goher Mohammad. Goher is the Group Head of Information Security (CSO) for L&Q. He has held that position there for just under three years.
Joe: Tell us about your journey in cybersecurity and ultimately how you became a CSO.
Goher: Basically, my background is doing more technical IT in its traditional form. I started as a first- and second-line support analyst at a major bank. That was a really good platform for me, working in a large organization where security is of utmost importance. Technical support in that environment was very controlled, meaning that there are a lot of processes that must be followed to make sure that the organization is protected. It was both a great, and sometimes frustrating, experience, as well, because you want to get stuff done quickly but it can't be done quickly. So, you're slowed down, but it gave me a good foundation.
Eventually, my position became redundant, and I ended up in a new position as a third-line support for a media agency. That job evolved into a management position, and I was still quite a young age. I was 25 at the time. I was responsible for 50 people, and it was my job to strategically examine and look after the entire infrastructure as IT Manager. All aspects of the job were interesting. They opened my eyes at that time, as well. When the Sarbanes-Oxley governance kicked in for all the companies on the U.S. stock market, we had to adhere to that, so it gave me the opportunity to learn more about privacy and security. It also offered me the opportunity to really drive that forward as well as to look at technology.
That all gave me the foundations of security and the ability to say that we have got to do things in the right way. For example, we should make sure that we are not just allowing people access for the sake of it. If someone leaves, we need to make sure that we follow the right process so that they no longer have access to the systems. We need to ensure governance and best practice are wrapped around financial systems to make sure they are protected.
In the process, I discovered a real passion to do the right thing because that's what we should be doing. I took it for granted that all companies were doing the same, but it turns out that we were a bit ahead of it, and it gave me that solid baseline to drive forward. So, I continued. I evolved my role, evolved from IT manager to a regional manager. I then went to a FinTech company as their Head of IT for EMEA in 2017, where the focus was on ISO 27001, security, and governance.
When I left the FinTech space, I landed my first entirely security-focused role. Before that, I was doing security as a key part of my job, but it wasn't the primary focus. That's when I ended up helping to facilitate a PCI audit, which we completed in a month. I was there as the interim head of governance, risk, and compliance for the group security team. It was fantastic working with a fantastic CISO with a great team. They were very agile. This really helped me hone my skills into that kind of cybersecurity focus.
I was looking for roles in cybersecurity, and there was quite a bit of friction trying to get fully into infosec because my job title didn’t specifically say “infosec.” That brought a real passion about how we could change that mindset, for infosec and cybersecurity were then a relatively new discipline. When I landed my current job as head of information security, part of the passion was how to get more people to encourage it. We shouldn't be excluding people just because they don't have the word “security” in their title. They may be great security analysts, but just because they haven't done security for five years or one year or two years as a true role doesn’t mean we should be dismissing their application. it doesn't mean they can't do the job. That’s the story of how I got to where I am today.
Essential Skills for a CSO
Joe: Great overview. You have seen the role of the CSO change over the years, as well. Would you agree that traditionally it was all about technology? You had to be technical to be a CSO, but now that’s changing because we're constantly seeing data breaches and ransomware attacks. As that role changes, based on your experience, what do you think are those essential skills that CSO should have now?
Goher: I think that traditionally being a CSO meant being able to talk the language of the business as well as understanding the technical concepts. For me, the biggest aspect was being the translator, being able to translate technology and technical know-how as well as the workings of all the technology. Not just technology in its traditional form, but looking at all aspects of it from the application side to third-party solutions, SaaS, and more. It’s translating that as well as looking at the business. What is the business interested in? What is the business doing? If the CSO doesn't understand the business, and if the information security and cybersecurity teams don't understand the business, they will likely make bad decisions which cause friction.
We saw another organization where the security team did a phishing test against their staff without any business sensitivity, for example. What they were trying to achieve was absolutely the right thing to do, but the way they did it wasn't the best approach to do it. In the case I am describing, it caused a bigger problem because a trade union was involved, and they wanted to take the business to court over something like that. That's just one example of what happens if you have leaders that don't fully understand what's happening in the organization. It’s important to have that human skill, the ability to problem-solve and to interact, not just a hyper-technical sense. Hyper technicality is great, but you need to couple that with the people skills and being able to have a conversation from the CEO all the way down to your frontline worker. What matters is the ability to able to communicate at all levels, to ensure the message hits home on why we're trying to do what we do.
Joe: When you're looking to build a new security program or when you’re even maybe looking at rejuvenating an existing program, what three or four areas would you tell organizations to specifically focus on?
Goher: Visibility is key to understanding your landscape, to understanding what ‘your organizational landscape’ and world looks like. The capability I would invest in is looking at your cyber risk profile, ensuring that you understand your risks. If you understand your risks, then you can help translate that across the business. Or it doesn't need to be translated. It's already done for you because you've got it in a risk profile that the business understands because the business will essentially dictate that.
Once you understand your risk profile, that gives you actions you can work towards. Even if you're using a risk framework, without a good risk assessment, you can be working on stuff that doesn't really add value or isn't a problem. Understanding your landscape is what gives the visibility. Focus on your basics and get your policies and processes in place so that there is structure that everyone can work from.
As an example, we work to four area: governance, risk, and compliance (GRC); security operations center; secure architecture; and secure infrastructure. They acre the four pillars we align to. What that means is your secure infrastructure is critical. If your basics are wrong, your foundation is weak. If you've got your basics in a good place, then increment to the next best standard and work out what that means depending on the organization you work for. Each organization is going to be different.
Buy-in for a Secure Business
Joe: Those are important points. You've spoken a little bit about connecting security to the business. What advice and tips would you share with other CSOs when it comes to communicating a return on investment for security investments to other stakeholders? How do people get buy-in?
Goher: One thing that's important is to deal with facts, not with hypotheses. If you deal with facts, the business will understand that there is something they need to make a decision about. If you deal with hypotheses, it's always about what might happen. They are not or are very unlikely to worry about something that hasn't happened for the last 10 years. But, if the facts say, “We have this vulnerability, and it is going to cost us a certain amount to fix it,” then it becomes a decision they can make. Being factual is very important.
The next thing they'll ask you is what needs to be done about this? If you don't have a solution straight away, you will lose them, or if you don't move quickly enough, you will lose them, and that investment will go because it's not that important as far as they're concerned. That's the way a lot of stakeholders often see things, as they have many things they need to prioritize. The good thing with risk is if someone says they are not going to do anything about it, that person will ultimately need to accept the risk. That's where the magic happens, because all of a sudden, they either accept the risks with the right facts, or they ask you to do it, or they escalate it to someone that can do something about it.
Joe: That's really fascinating to hear, and there are some good tips in there, as well. We've seen so many different attacks all around the world, and they're just getting bigger and bigger. What are the biggest threats that you see companies focusing on right now?
Goher: It's easy to say that people are the problem, but there are two elements at work. As subject matter experts in this industry, we need to make security as easy as possible, almost invisible. Bad practice or bad implementation leads to bad behavior. If we put the barriers too high, people run in the other direction, or they'll get around it. If you make it so hard that you can't do anything on your computer, someone's going to take a picture of sensitive data on their personal phone and share it that way to a personal account.
You want to discourage bad behavior by enabling them to do their jobs. That's why it's important to enable and work alongside the business. We need to keep users as safe as possible without them having to worry about it. Then you add the education, which is important, but also add the education in a way that you reward people for good behavior rather than punish them for bad behavior. Make sure the tone is always, “We're here to work with you.” Be collaborative. If you create a bad culture, your risk is probably higher inside than it is outside. Or there might be lots of bad people trying to get at you. You must address those by getting your basics right.
If your security is invisible, that internal bit is going to be blocking anything bad that may happen. It may be instigated by someone from the outside as a phishing scam, but if you've got good controls in place, that phish will not get anywhere. So, it's not just a people problem. If you've got good controls in place, security is invisible. You're not having to worry about whoever is clicking on a bad link because you've already got the measures in place to detect, respond, and recover.
Joe: It's frustrating when we hear that humans are the weakest link because they can't be the strongest without the right tools. We often hear in the security world about “checkbox compliance” where people are ticking boxes to be compliant, but just because you're compliant doesn't mean you are secure. What advice would you give to security teams or companies out there that are looking to do just enough to pass their audits to be compliant?
Goher: I'm not an advocate of the tick box exercise. I've been there, and most of the time, it doesn't work. What I would recommend is to look at your alerts, your metrics, your red flags, and your triggers. What things are raising the alarms? If you're seeing that 90% of your alerts across your monitoring is phishing-related, then you know you must focus on phishing prevention. If the other alerts you're seeing are rogue activity or active logons from countries that you don't recognize, then you focus on that. If you're seeing process breakdowns that lead to problems with rollouts, then you look at your processes. It's looking at your triggers, making sure incidents are coming in, and treating all the alerts as incidents. From there, triage and prioritize what you need to get on top of. When you go down that route, it really helps. The thing is, when you get that right, then all of a sudden, the tick boxes start ticking themselves.
Responding to a Data Breach
Joe: That is a great insight. If you do that in the right manner, hopefully you won't be the victim of a data breach. What advice could you give to a company in the event of a breach?
Goher: Communication is extremely important. Make sure you know who to speak to and how to speak to them. You can plan for these things, but when it comes down to it, if something happens, you need to get on the phone to your directors and everyone else all the way up to the CEO. You need to know your communication plan. How are you dealing with it internally and externally? The other thing is making sure you can track everything as it's happening so that you understand your artifacts. In particular, make sure that you have an agile system that you can plug all of the information into that builds the report. Don’t just scribble it on a piece of paper and hope that it can get pulled together. You're going to have many people all working on this; you need some way to bring it together.
If you can't bring it together, you won't know where to start or where to move forward. Being able to quantify the impact is important, too. You must find out what was impacted. It could be that everything was impacted or nothing was impacted. For example, my team once worked on an incident where it ended up not being related to us at all. It turned out it was our Internet Service Provider, but we ended up doing full triage and everything in order to come to that conclusion. If you don't have a way to bring it all together and then have that report, you could end up trying to work through things for days when the problem might actually be elsewhere.
Another important point is to make sure that everyone's included. Everyone needs to be involved—not just senior people, the InfoSec team, or the technology team. This means that you need to make sure that you plan ahead, plan for a worst-case scenario to know how to keep the business running. That is basic disaster recovery. Think about ransomware. Planning for that is going to involve some conversations that only the CEO can answer. It loops back into the whole risk profile. Not all businesses have the money or the funds to be able to address every single thing, but they look to us to guide them on that journey. But if they're willing to accept something that's a high risk, they know it's a high risk, but they've accepted it, and we've had a good discussion about it.
Joe: That leads on to the next question in terms of security frameworks. What sort of advice would you share with organizations on where they should invest their time?
Goher: Aim as high as you can. In my current role, we aligned to NIST, which is as stringent as it gets. If we can get close to it or achieve it, I'm confident we're in as good a place as we can be. Aim for the sky, and if you don't make it, you land on the roof, which is still better than being on the floor, if that makes sense. Then you will give yourself a fighting chance in the event of an incident to be able to turn around and say, "We did everything we could." Not to make excuses. I don't think that's ever the case. But be as best prepared and secure as possible.
Joe: Yes, and that goes back to the need for visibility. Thank you for your time today. It's been great to hear your insight. What parting thoughts would you like to add?
Goher: Remember that there isn't a one-size-fits-all approach. It's also important to be agile, not only in methodology but also agile in thinking. Be very adaptable and changeable. If the business doesn't exist, you and your team won't exist. That's not just from a security angle but also from a business angle. We should also be mindful that we need to share security in the right way.