03 Jan IBM Global CISO Shamla Naidoo: Failure is Only One Click Away
Ask The CISO: Creating Security Awareness In Corporate Culture and Fighting the Good Fight Sponsored by Fortinet
– Georgia Reid
Northport, N.Y. – Jan. 3, 2019
On December 13, 2018, Cybercrime Magazine interviewed a handful of chief information security officers (CISOs) from Fortune 500 and Global 2000 companies at an exclusive holiday celebration and networking event, our first “CISO Convene.” The evening included exclusive one-on-one “Ask the CISO” interviews, talks from industry leaders, and thought leadership roundtable-style discussions.
As part of the “Ask the CISO” series, we sat down with Shamla Naidoo, global chief information security officer at IBM. Naidoo, who is also an attorney and legal professor, is a brilliant cybersecurity mind who is developing ways in which the latest technologies – from blockchain to machine learning – can aid in the process of protecting customers and employees from cyber threats. She says, “I feel so fortunate to be at a technology company because I really feel like I have the opportunity at IBM to change the world through cybersecurity practices, through cybersecurity innovation, and through really all kinds of innovation that we can consume and use in cybersecurity to solve the problems that have been hounding us for such a long time.”
Read the highlights from the interview below, and be sure to watch the full interview in the video:
GR: Some of the things that we talked about [before this podcast] were blockchain, quantum, artificial intelligence. Tell me more about these innovations and any digitization that you’re using at your role at IBM.
SN: Yes, I use all of the innovation that IBM actually creates, so I get the opportunity to be kind of user zero before the technologies even mature because it’s great for us. We are IBM’s largest customer. We consume all of the innovation and new technologies, and it gives us a unique opportunity to provide feedback, to tell them what works, to tell them what doesn’t work, and more importantly, I think, to bring new use cases to the table for the innovation and for the technology. I’m in a very, very fortunate position where I get to use, touch, play, and consume all of that great innovation.
GR: So, you’re also part of product development in a way?
SN: In a way. We give a lot of input. We work collaboratively with our research teams, so as they research new technologies, new solutions, new capability, we have a lot of collaboration.
On the Internet of Things, Operational Technology, and Managing Threats in a Supply Chain:
GR: There’s something I wanted to ask you about. I know the Internet of Things is a hot topic right now, the cloud, as well as operational technology, and since IBM is a manufacturer as well of product, a physical product, what can you tell us as a CISO what your role has to do with any kind of supply chain management, or making sure that in manufacturing there’s security, physical and Internet security?
SN: What’s interesting is that whether you manufacture or not, we all have supply chain providers and partners across the board, so partners and providers of services and technology can actually create a weak link in the chain. One of the things that I am a huge believer in is that these relationships are very important. The relationship itself is built on trust. Just like we trust everyone we work with and do business with, we also do have to validate though that the practices and the outcomes we expect are actually what we get.
So, from a supply chain perspective, I feel strongly about making sure we understand who our partners are and that we know we can trust them, and we want to do business with them. … It’s important that we don’t negotiate with providers to the point where they have to really struggle to make an investment in providing you good service. Because when they have to do that, they often will cut corners, and when they cut corners, they’re going to cut in places you don’t see.
GR: Security.
SN: Security is a place you’re not going to see immediately. You’ll see it at some point, but you don’t see it immediately. I think we have to start being more fair in our dealings with our providers, to trust them, work with them, collaborate, co-create, but you also have to validate, and you do have to govern and oversee.
GR: So, you have some control systems in place.
SN: Yeah. For a third party who is providing us services, we want to make sure that they are treating our data, our systems, and our assets the same way we would. I think if you look at that and you ask your provider to give you what you would give yourself, then you ought to make the investment to get that outcome.
GR: Cybersecurity is not just an Internet problem anymore. It’s way more; it goes down into every single part of every single product that you guys are creating at IBM, which is super interesting. I was wondering if you could talk a little bit more about the operational technology side of things and the industrial control side of things.
SN: Operational technology and information technology have converged to some large extent. A lot of the operational technology still is in a bubble, so my recommendation is to leverage as much of the information technology security practices that we have built, capabilities that we have, and to leverage those to protect those systems. For example, if an operational technology system has an IP address and is connected to the Internet and it is generating traffic, we have an opportunity there to treat that device the same way as we would treat a laptop or a server, for example, so the same kind of practices should apply. Now, in some cases, operational technology might actually be insulated from the Internet, so it’s not connected. We should make sure it’s not connected by accident, and we should try to isolate them to work only in the operational area that it’s intended to run. That would be something that we could do, is isolate them.
The other thing on operational technology is to know what the technology does. Often we would get operational technology that’s in a box. You really don’t know how it’s configured, you don’t know how it’s set up, and maybe you don’t need to know, but functionally you have to make sure that it does what it needs to do, and then we have to know where it is and we have to be able to track it and trace it. Sometimes operational technologies are so small and so prolific that you could lose track of them. It’s important as an asset to know where that piece of technology is and what it’s doing.
Defining the Role of CISO and Recruiting Cybersecurity Talent:
GR: You’re wearing a lot of hats as a CISO.
SN: Yes.
GR: What is your favorite hat?
SN: I think it’s about building strong, high-performing teams. One of the things I say to my teams all the time is I would be nothing without them. I would have no accomplishments without really strong teams who are willing to take risks to get the job done, to understand how to protect the company and our digital assets. It’s really important to me that we have people with the right skills, they have the right aptitude, they have the right attitude, but more importantly, that they take ownership for the outcomes.
GR: How do you go about finding people? We have a cybersecurity work shortage right now.
SN: By all indications, it looks like by the year 2020 we said there will be 1.5 million jobs that would go unfilled. I think by 2022 that number is going to get closer to 2 million.
GR: Cybersecurity Ventures predicts 3.5 million.
SN: That would not surprise me because if you think about how technology has grown, everything from your shoes to your refrigerator and your car is now a smart computer. What I think about that is these are not shoes anymore. This is a computer with a shoe built around it. My self-driving car is going to be a computer with a car around it.
Everything is getting digitized; everything is getting connected to the Internet. The more you have that, the bigger the threat is, the more you’re going to need people to kind of manage the threat, so I think we have to think about this in two different ways. One is how do we create more of the talent we want? I don’t think it’s easy enough to go buy it, because if we could buy it, all of us would have it.
GR: And you get into a bidding war with other companies over talent.
SN: Absolutely. The only thing we do is we outbid each other, but we’re not really making the world a safer place. The idea is for us to build more talent and to create more skills, so in addition to just the talent, we have to create more skills in the talent that we already have.
The way we’ve been thinking about this is twofold. One is we create new talent by training people who don’t otherwise have the skills. So, we teach them the skills, we give them the experience, and we give them the opportunities to build on those skills and experience. The other thing we’ve done is driving accountability to the people who are doing the work…
If you’re building a network, you have to build it securely. If you’re writing a piece of code, you have to write it securely. So, if you’re selling that dress in the store, you have to understand what the areas of issue are going to be in that transaction, and you have to take the steps to try and overcome those types of obstacles.
GR: And knowledge is power.
SN: Knowledge is power … One thing we have to do is teach the skills in the context of the job. If you are selling that dress in the store, then you should know and understand where the particular cybersecurity obstacles are going to be … If you are designing a global network, you have to know how to secure that global network, and we have to teach you how to do that in the hope that as you do your day-to-day job, you’re going to do the security for that job without it even becoming a separate exercise or a separate team.
GR: As naturally as breathing.
SN: Just naturally, it should be incorporated into what you do every day. I would encourage employers out there to think about how they allocate hours and time to different efforts … I think that we have to do that, drive accountability to the people who can avoid the bad outcomes, and then build more talent, build more skills. To do that we have to be inclusive; we have to be far more open than we are. If you show me a laundry list — I want 10 years’ experience, 5 years’ experience, 2 years’ experience, these skills, this technology…
GR: It’s going to be impossible to find that.
SN: Yes, it’s going to be impossible to find.
GR: I hear that from a lot of people. They’re willing to train someone if they have the right attitude and interest in it. I hope people that are listening answer that call, because we do need more cybersecurity workers — cybersecurity warriors, really.
SN: Absolutely, and we have to get creative about where we go source talent. You can’t always go source it in the universities or you’re not always going to go look for talent in other companies that are like you, your competitors. That’s not always going to be productive. We have to get much more creative. We have done a few things at IBM. We have these P-TECH programs that support schools — high school students will actually get an associate degree while still in school.
GR: That’s very, very good. That’s excellent.
On Recruiting More Women In Cyber:
SN: And then we go out, we reach out to women who are rejoining the workforce. They’ve taken time off; they’ve raised their families; they’ve done what they wanted to do at that point in their life. They want to reenter the workforce. Our objective is to give them those opportunities. A lot of people have come in from those nontraditional places, whether it’s veterans or women returning to the workforce, people coming from other verticals.
A lot of jobs are getting automated, there’s a lot of displacement, etc. This is a great opportunity for people to retrain, reskill, retool, and move into this field. This challenge is not going to get overcome with the people that we have today. We’re going to need more, no matter which way we look at it.
GR: It is inclusive because we need you no matter who you are, your gender, what you look like, absolutely. I want to get more women involved in cybersecurity. What would you say to women who are listening to get them involved or interested?
SN: I would say first we have to get rid of that notion that cybersecurity is about hackers behind a mask sitting behind a dark keyboard with a dark hoodie over their heads. That’s kind of the stereotype and we have to move beyond that. I think women have to see that there’s something that’s much bigger here. This is an entire career. In fact, I would argue that this is one of the only professions that has almost every job within it….
GR: Shamla, I can’t thank you enough for coming down here tonight. These words are going to reach a lot of ears. Is there anything that you want to say to other CISOs who are listening before we go?
SN: We’ve got to fight the good fight . . .We’re all the same team, and just remember, cybersecurity is not a competitive advantage. None of us are better or worse because somebody else failed . . . We just we just have to support each other.
GR: Share the knowledge.
SN: Yes, share the knowledge, and we have to recognize that failure is only one click away.
Download a Full Transcript of this Interview (PDF)
– Georgia Reid
SPONSORED BY FORTINET
From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure.
We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control–while providing easier administration.
Our flagship enterprise firewall platform, FortiGate, is available in a wide range of sizes and form factors to fit any environment and provides a broad array of next-generation security and networking functions.
The Fortinet corporate brochure explains how we deliver comprehensive network, endpoint, application, and access security.
Learn more at Fortinet.com.