CIOs should focus on using new tools, ‘not just adopting them’

11 Jun 2021

Jason Hicks. Image: Kudelski Group

Kudelski Group’s Jason Hicks discusses what CIOs need to think about to ensure secure digital transformation and why automation is not to be feared.

Jason Hicks, Kudelski Group’s chief information security officer (CISO), is a veteran information security and risk management executive with more than 17 years of global information risk experience, including deep technical and risk management expertise.

Prior to Kudelski, Hicks served as global CISO at Ares Management, a multinational alternative asset manager with more than $140bn in assets under management.

‘As breaches and threats become more common, individuals can get numb to the risks’

Describe your role and your responsibilities in driving tech strategy.

As the global CISO for the Kudelski Group, I am responsible for our global security programme for all group companies. I also serve as a virtual CISO advising many of our clients, which are multibillion-dollar organisations, around how to advance their cybersecurity posture.

Are you spearheading any major product or initiatives you can tell us about?

This past year, I’ve been focused on helping CISOs navigate the unprecedented environment that we are all currently operating within and coming up with new ways to deliver the optimal level of security for their organisations.

One specific area of focus for me is automation. There are all kinds of repetitive activities that can be automated to help security professionals do their jobs more efficiently. I’ve heard some concerns about automation replacing employees, but I don’t see it that way. In fact, it can be extremely useful in helping to advance security programmes because it frees up teams from having to focus on mundane and repetitive tasks to instead focus on the work that requires higher order thinking, delivering better security and higher value to an organisation.

How big is your team?

I have a core security team within the Kudelski Group, our corporate parent company. However, I also have additional teams at each business unit – digital television, cybersecurity, internet of things and public access.

The core team focuses on the shared security services that all of our member companies need, while the business units’ teams are focused on services that are unique to their own businesses, typically the products or services they provide to clients.

With Kudelski Security, as one of those business units, we are in a unique situation when it comes to outsourcing. I’m able to leverage Kudelski Security’s managed services to cover the needs around security operations centre-related activities for the rest of the group.

I’m also able to leverage consulting resources for specific projects where I need specialised expertise. This also extends to the security assessments we perform on products for multiple business units.

In a way, we are outsourcing within our own capabilities as I can bring in very specialised talent when needed, for example embedded systems penetration testers. This allows me to better optimise our group-wide information security spend by not needing to staff some of these roles full-time in a non-revenue-generating part of the organisation.

What are your thoughts on digital transformation?

As I work with CISOs and security leaders across industries, there is one thing I always like to address when we talk about digital transformation and how it impacts their cybersecurity posture: focus on what you do with new tools, not just adopting them.

Digital transformation drastically advanced over the past year primarily due to the shift to remote work, and organisations needed to quickly adopt new technologies.

It’s important for CISOs and CIOs to not just adopt the right tools but ensure their policies, processes and workforce are also in line with the new normal, understanding that there will be some degree of remote work even once the pandemic is over.

To realise secure digital transformation, CISOs should develop a remote access strategy as part of their security programme and review it through the lens of this new normal.

Specifically, I recommend that organisations implement tools and services like threat hunting and monitoring, endpoint detection and response, vulnerability scanning and managed attacker deception to ensure they have a mature cybersecurity programme.

What big tech trends do you believe are changing the world and your industry specifically?

Automation is one of the biggest trends that is changing most industries around the world. Building on the digital transformation momentum of the past year, many organisations are accelerating the roll-out of low-code or no-code application development platforms. These platforms democratise software development by putting business process automation into the hands of end users.

However, this creates a number of security challenges. Without appropriate safeguards end users can inadvertently leak sensitive data through misconfigured and over-permissioned third-party cloud integrations.

When it comes to cybersecurity, many organisations are not entirely comfortable with the idea of fully, or even partially, automating activities. They fear that something may go wrong without a human in the loop to provide a sanity check against automated actions, which could potentially disrupt business operations.

However, integrating security technologies in the environment for the purposes of data sharing is a good way to begin exploring automation and orchestration.

We’ve found that vulnerability and penetration testing are also good candidates for automation. This enables organisations to continuously test critical infrastructure to identify weaknesses that could be leveraged by an attacker and address them proactively before an attack has the opportunity to occur.

In terms of security, what are your thoughts on how we can better protect data?

As breaches and threats become more common, individuals can get numb to the risks and let their guard down. To address this, security and IT leaders should pay greater attention to end-user breach fatigue and adapt programmes to maintain focus on good cyber practices. To tighten up data security, I recommend following five key steps:

  • Enable the built-in data loss prevention features that you’re already paying for, particularly if you’re a Microsoft Office 365 or Google Suite customer – this will help to reduce the risk of inadvertent breaches by ensuring sensitive or confidential information isn’t outside of the organisation
  • Understand where your data lives and who has access to it – by mapping this out carefully, you’ll be able to ensure you put the right protocols and parameters in place to safeguard your data systems
  • Make sure you have good anti-malware and end-point detection and response (EDR) software in place
  • Revise your BYOD policy to accurately reflect the way in which employees are currently working, especially if your company is operating either fully or partially remote
  • Don’t overlook the human factor in security – a large majority of breaches are due to human error, so ensure that all employees clearly understand your security policy and have the right tools, support and guidance to implement it

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.