CybeReady’s Hi-5 brings together InfoSec leaders for peer-to-peer sharing via five short questions and insights.
Ben Rothke is a cybersecurity expert with 20 years of experience in the industry; 3 years ago he was appointed Senior Information Security Manager at Tapad.
What is the biggest challenge security leaders face today and how are you looking to tackle it?
In the IT industry as a whole, I think supply chain attacks are a massive challenge. Every company has loads of third-party vendors and suppliers they do business with, each of which can introduce significant risks and threats.
Cloud services are now a significant target, and we have put much effort into securing our cloud infrastructure. Each of the prominent three cloud vendors (Amazon, Google, Microsoft) has core security tools for their platforms. But you have to find third-party tools to enhance things to ensure maximum security is in place.
In your view, how important are security awareness programs, and what’s a CISO’s main role in making them effective?
It is essential. But it is also important to know that if a user makes an honest mistake, they should not necessarily have the book thrown at them. CIOs need to ensure their systems are resilient enough to withstand end-user errors.
In the same way that the head of human resources is responsible for ensuring employees follow HR rules, the CISO must ensure an effective security awareness program is in place.
What’s the one thing you’ll never tell an employee who’s made a security error, and how would you suggest handling the situation instead?
Don’t tell an employee that they will be fired. If an employee makes an honest mistake, encourage them to be transparent and quickly report it to the incident response team.
Systems should be designed with significant security resilience, such that a single user error will not bring them down or cause catastrophic consequences. If a user error can be that devastating, the problem is generally much greater than the user. But they are always the easy scapegoat.
When it comes to recruitment – what approach do you take to attract and keep the best talent, and what would be your best tip for a new hire?
As I wrote in "The continued fallacy of the information security skill shortage", the way to get good people is to pay them what they deserve.
As to keeping good security pros, ensure they are on projects they find rewarding. Managers need to have a good relationship with their direct reports to ensure they are happy, not overworked, and on projects that lend themselves to their skill sets.
Finally (just for fun): if you could have dinner with any renowned figure (dead or alive), who would you choose and why?
Maimonides – a man of infinite knowledge and wisdom. But it would have to be a really long dinner.