CybeReady’s Hi-5 brings together InfoSec leaders for peer-to-peer sharing via five short questions and insights.
Dmitriy Sokolovskiy has been working in the cybersecurity space for over 14 years in dedicated security roles, in addition to 9 more years working in various IT areas. He held information security positions at CyberArk for 11 years, and 3 years ago he was appointed as VP and CSO/CISO at Avid Technology.
What is the biggest challenge security leaders face today and how are you looking to tackle it?
The biggest challenge is instilling a security awareness-driven culture among employees. No security policy or technology is effective if the culture doesn’t support it. To achieve that, we combine 5 different approaches: first, there is the old-fashioned computer-based training (CBT) with short videos every 3 months. Second, we run 6 to 9 free-form live events per month, where we go over the latest InfoSec news and answer any questions employees bring to the table. Third, we run phishing simulation campaigns using the latest attack scenarios from the field against our employees. Fourth, there is an Information Security Champion program, where we publicly recognize employees that show aptitude or even eagerness towards security. Finally, we continuously communicate security improvements to the company and aim to tie them with productivity improvements.
In your view, how important are security awareness programs, and what’s a CISO’s main role in making them effective?
Security awareness programs are the most important and effective tool in the CISO’s toolbox. People are the first and the last line of defense, and InfoSec programs would live or die, depending on how effective these programs are. The most important thing when considering such programs is the ability to tell a positive, yet engaging story, and to do so consistently and continuously. The CISO’s primary role is to either be the main storyteller, if they are capable, or to find the right people to become those storytellers, and support them with tools and guidance. These people may not be the most technically capable individuals, but if they can drive the storytelling aspect well, the program will flourish.
What’s the one thing you’ll never tell an employee who’s made a security error, and how would you suggest handling the situation instead?
It’s a split between “Why did you do this?” and “You should not have done this”. If it’s a clear violation, we simply explain why it’s a risk, and make sure the user gets all his questions answered. If there are remnants, like a Torrent download for example, we ask for them to be removed. If the error was in an area where legitimate business needs were involved, we ask to describe the business need that led to the action in question, then explain why this approach was risky, and finally offer possible alternatives that are safer.
When it comes to recruitment – what approach do you take to attract and keep the best talent, and what would be your best tip for a new hire?
If, when considering budgets, you are choosing between people and tools, always pick people first. It’s always harder to get in a pinch and harder to justify, but massively more impactful to the company. When looking for new team members, look for a broad set of experiences and the ability to learn and adapt quickly. I’ve hired more social science majors and even musicians to the InfoSec field than those that studied InfoSec in college. Those that have mental agility and the capacity to learn different things can be easily taught the necessary aspects of InfoSec. Once hired, stay engaged and mentor them, respect them and recognize their successes publicly, send them to classes (at least yearly), and pay them appropriately.
Finally (just for fun): if you could have dinner with any renowned figure (dead or alive), who would you choose and why?
Mikhail Gorbachev. He is the symbol of the new era for me personally, but I was never sure how much of it was by design, and how much of it was circumstance.
Avid Technology is a computer software company that helps media visionaries to create art that enriches our culture. They make innovative technology and collaborative tools that inspire and spark joy so creators can entertain, inform, educate and enlighten the world.