With Cybersecurity Awareness Month taking place this October, we decided to speak to an expert about the many data protection careers and roles cropping up worldwide. Research from IAPP shows that an estimated 500,000 organizations have registered data protection officers across Europe under the GDPR. Meanwhile, a CloudFathers report reveals that 62 per cent of companies have a CISO (Chief Information Security Officer). With statistics from GetAstra showing that nearly 4,000 new cyber attacks occur daily and that a company falls victim to a ransomware attack every 14 seconds, data protection has moved to the top of the business agenda.
To find out more about what a CISO actually does and to gain insights into cyberattacks, we spoke with Niamh Vianney Muldoon. Chief Information Security Officer at Fenergo, Niamh will speak at Dublin SASIG (The Security Awareness Special Interest Group) on the 28th of September.
Can you tell us exactly what being Chief Information Security Officer entails?
Firstly, being a Chief Information Security Officer entails protecting your organization from a security breach, incident and/or event. Secondly, it’s about supporting your business to scale and grow, working with every department across the organization to ensure organizational and technical controls are in place. This is mainly to help protect data and technology systems. Lastly, it involves setting and delivering the security strategy, along with being flexible and able to pivot as the business changes and grows.
Let’s talk about emerging cybersecurity threats. In your opinion, what are the most common?
Well, I believe human error will continue to be the biggest cyber threat for many years to come. Mistakes will be made — we are only human, but the key is learning from them. When diving into cybersecurity, I am often asked about human error, which is frequently seen as the weakest point of security protocols and is the number one cause of cyber breaches.
Depending on which report you read, it is currently the cause of 80-90 per cent of all security breaches. People are our biggest asset, so to create, foster and grow a security culture, you need everyone in the organization, from the CEO down, not only to think with a security-first mindset but to act with one. I have witnessed firsthand the ever-growing number of cyber threats. So, I think it’s important for executives to realize an essential portion of comprehensive security investment includes human consciousness security tooling.
In your opinion, how can consumers and companies become more cyber-aware?
Having worked in the industry for over 22 years, I have yet to see one model or silver bullet for keeping cyber aware. It all comes down to the individual and/or the culture in the company. What I have learned is that constant communication is critical, along with the fact that individuals consume data and/or information differently. As a result, it’s essential to know your audience and tailor your cybersecurity training, awareness and consciousness communications. Make sure to keep your message simple. Use multiple communication mechanisms to get your message across and stay visible through voice, text, images and logos.
One key piece of my success in the cybersecurity training and awareness space is that I deliberately hire my training and awareness leader from outside the industry – individuals who do not know anything about the subject matter. I did this during my time working at DocuSign and also at Fenergo.
How can someone become a Chief Information Security Officer, what qualifications do they need, and do you have any advice for breaking into the industry?
With the recent SEC (Securities and Exchange Commission) ruling in the US requiring public companies to disclose material cybersecurity incidents and their cybersecurity risk management, strategy and governance, I believe the road to becoming a CISO will change in terms of qualifications and experience. Organizations have more stringent requirements, including more governance and structure around qualifications and expertise. With 23 years of experience, here are the five tips I used to support my journey to becoming a CISO.
Tip one is to take your passion and make it happen – build a career in what you love to do and not what you should do. Number two is to find a mentor, someone you trust to provide you with positive, objective and constructive feedback. Three would be to set your career goal but remain flexible in your approach. Balance your career goal-setting with educational and hands-on delivery experiences. Four is to build your network, and five is to have ambassadors. To ensure your leadership voice is heard in a consistent and constant fashion, I recommend establishing an ambassador community throughout your global operating environment to support you and your team’s overall function.
Which privacy-enhanced technologies should consumers and companies use to ensure online safety?
Firstly, I find many people struggle with the difference between cybersecurity and privacy. I like to summarise it as ‘cybersecurity keeps data from unlawful and/or unauthorised access and use, whereas privacy keeps authorised access to data specific to authorised purposes’. Some Irish-founded companies making a real difference include QueryLayer, which offers an easy-to-use and easy-to-deploy privacy-specific product that supports organisations in meeting privacy compliance requirements and managing privacy risk. Payslip, which streamlines sensitive employee payroll data into a single platform, reducing both cybersecurity and privacy risks, is another, along with Tines, an automation platform used across organisations to automate business processes.
This reduces the need for direct human access to data and technology systems. EdgeScan, another Irish company, provides a single view of how vulnerabilities at a technical level can be exploited easily, resulting in a privacy and/or security breach. There is also the Centripedal Centre of Excellence in Galway for threat operations, which holds patents on threat patterns and the utilisation of automation and AI. Finally, Circit is currently making significant traction in the market, providing a single platform for audit assurance data, again reducing privacy and security risk. I am keen to see how they continue to mature their product offering over the next 12-24 months.
I’m very proud to be Irish and part of the cybersecurity community here in Ireland as an industry expert, leader and now a recent company founder. Lastly, I am looking forward to launching SASIG Ireland later this month and know the Irish security community will benefit greatly.
‘Cyber Hygiene’ is a term used frequently. What tips can you give consumers and companies to help them increase their online safety?
Cyber Hygiene is the new buzzword! My five top tips would be to secure your home Wi-Fi, enable multi-factor authentication (MFA) on all your networks, communications and apps, and stay on top of updates to the latest security software, web browsers and operating systems. You can also keep connected to keep protected. By this, I mean that a mobile application supports most connected appliances, toys and devices. This means your mobile device could be filled with suspicious apps running in the background or using default permissions you never realised you approved.
Don’t forget to check your app permissions and use the “rule of least privilege” to delete what you don’t need or no longer use. Learn to say “no” to privilege requests that don’t make sense—only download apps from trusted vendors and sources. Last but not least, less is more – limit what information you post on social media, from personal addresses to where you like to grab coffee. We are all in this together, and every single security action taken helps in the fight against cybercrime.
What advice would you have for companies who feel their company’s security and trust have been compromised?
My famous tagline is ‘If in doubt – have it checked – out!!’ A business response indeed reduces business impact and consequence. Times of uncertainty are an ideal time for malicious attackers to target our human response vulnerabilities with the spread of false data/information and social engineering hooks. We are all learning new ways of working and learning to use new technology tooling for the first time. As we use this new technology tooling, these websites and this data, it’s harder for us to determine legitimate sources of truth for data/information.
If you do not have expertise in-house, reach out to a recognised CyberSecurity company to support you and address your concerns. Two Irish companies that I would recommend in this space that offer bespoke services that can be tailored to your company size/industry are Waystone and Intercept. I worked with both at Fenergo and was impressed with how they constantly went the extra mile to support me as the CISO in my role there.
What would your advice be when it comes to helping consumers and companies shift their mindsets when it comes to being more cyber-aware?
Trust is established and maintained when your customers believe that your security, privacy and compliance protection controls are appropriate. So, having these disciplines represented at the strategic business decision-making level as well as the programme operational level will ensure the organisation’s culture transforms. This can be through a security, privacy and compliance mindset. It demonstrates trust to customers as they see the controls to protect their data being executed first-hand by employees in your organisation.
If you had one piece of advice for businesses who are looking to improve their current cybersecurity strategy, what would it be?
Business leaders who do not understand that cybersecurity is a true business differentiator will likely see their brand and business impacted over the next couple of years, if they haven’t already experienced it. I believe this problem must be addressed at every level of the organisation, including boardroom and executive management teams. In addition, business leaders need to think of the operational controls that can be executed as part of day-to-day operations and how they can use these control sets to create a high-performing team working with security and privacy organisations. Marketing roles are changing, and leaders in the space have moved to a global privacy operating model to support their business, incentivising individuals for their personal data, marketer behaviours and insights.
And finally, in your opinion, what cybersecurity trends should we look out for in 2024?
Keeping individuals conscious of cybersecurity threats will remain critical in 2024 and over the next 3-5 years. I think that, through the use of Artificial Intelligence (AI), cybersecurity consciousness tooling leaders in this field will have successfully modelled human behaviour and actions around cybersecurity and privacy risk. Using these models, AI will be able to anticipate and prevent the execution of risky actions, reducing the human cybersecurity social engineering exploitations we see happening today, like clicking on a phishing link. I have been impressed by CybSafe and the product and feature offerings they have on offer supporting CISOs to keep their cybersecurity consciousness alive.
I envision that, in future, we will have dedicated cybersecurity assistants helping us keep our identity, personally identifiable information (PII) and all our other data secure, protected and safe. Cybersecurity virtual assistants similar to ‘Alexa’ and/or ‘Siri’ will become the norm. Lastly, human behaviour and social engineering exploitations will continue to evolve. This means that security and privacy by design and analysis of human behaviour for model normalisation will remain the base for reducing the threat landscape.