In this interview we talk to Maldar Ali, Information Security Risk Leader of EMEA at a leading financial services firm in the United Kingdom.
1. Maldar, welcome and thank you for participating in this interview. What do you believe is the biggest threat to information security today?
There are many threats, such as APTs, but I would say that the insider threat is the most significant one. Some attacks, whether from criminals, terrorists or competitors seeking a business advantage, may rely upon the co-operation of an insider. This could be an employee, a contractor or agency staff (e.g. cleaners, security guard) who have authorised access to gain entry to systems and premises. A big risk is when an employee moves from one department to the next and the access control roles still remain the same, such as in the instance when an employee moves from HR to finance.
Spending thousands on firewalls and network security means very little if an employee happens to click on a phishing link. People are usually the weakest link! That’s why staff awareness training is crucial.
At a former employer, we conducted social engineering tests, and we were shocked by the number of employees that willingly reveal their user names and passwords when asked.
I believe that a compulsory cyber security module should be introduced in our schools, which will raise awareness of cyber security from an early age.
View the IT Governance ‘Employee Vulnerability Assessment’ service. A partial ‘Employee Vulnerability Assessment’ is currently available for free to those who purchase a ‘Combined Infrastructure and Web Application Penetration Test‘ in November.
2. Why did you decide to embark on a career in information security?
I have always had a keen interest in security, and started out in my career as a technologist, working with firewalls, anti-virus, intrusion detection systems, etc. And from there it was a natural progression to the world of information security. A unit within our business had to achieve ISO27001 certification, and we were given the responsibility to deliver and maintain the ISMS. This entailed creating policies, developing a standard procedure for departments, understanding business requirements etc. I realised then that security is such a broad field, and isn’t limited to technology alone.
I was later responsible for implementing an ISMS from scratch, in a greenfield site at another employer. Here I was exposed to creating the business case for specific projects, managing the budget aspects of the project and providing feedback in non-technical terms on the progress of the project.
3. What kind of advice do you offer clients that are just starting out with the implementation of a formal information security intervention?
I would tell them that they would need to undertake a detailed assessment of their information security risks. Start by reviewing the organisation’s objectives, and establish what would happen to the business as a consequence of any of the identified risks. It is important to have a very good understanding of the impact of these threats, such as what would happen in the event of a cyber attack, or a data breach due to non-compliance with a specific piece of legislation, such as the Data Protection Act.
4. What personal attributes do you believe client-facing information security professionals should possess?
It is essential to have a head for business. Being able to translate any technical jargon into business terms, and the ability to manage budgets, costs and constraints, are all part of the job. It is important to develop a relationship with key individuals in the business, in order to help you identify the potential risks, consequences and actions that need to be taken. Being knowledgeable about threats and vulnerabilities is also naturally important. The person should have a flair to sell security as a business enabler, and demonstrate the potential return on investment that information security will provide.
5. What are some of the challenges you have experienced personally in your career, and how were you able to overcome them?
At a previous employer I was responsible for implementing an ISMS from scratch. The company had grown from a staff complement of 1,500 to 4,000 in only one year, and held a large volume of sensitive and personal data. The head of security appointed me as the information security analyst, and my role involved aligning the ISMS to ISO27001. As part of this process, I attended an IT Governance ISO27001 Lead Implementer training course, and IT Governance also provided the organisation with data protection staff awareness training.
We were able to use the information gained from the staff awareness training to build additional staff awareness interventions across the organisation. The role required me to work closely with key individuals in the organisation, in order to identify the specific threats, risks and vulnerabilities each department is exposed to.
My biggest challenge was to build relationships with key stakeholders in the business, because ultimately, this was a business project, and not related to information security alone. It took some time to win over their confidence and trust, but eventually I managed to make this happen, and developed a good working relationship with key business partners. The project also required implementing a change management programme, and I was responsible for managing a team tasked with new initiatives, such as BOYD, Cloud computing, etc.
By the time I had left the organisation, I had been responsible for achieving numerous objectives, such as facilitating staff cultural and behavioural changes, developing information security training programmes, developing policies and procedures, setting standards of information security for the use of controls in each division, and recreating the employee handbook for improved information security awareness.
6. Do you think that small, medium and large businesses are investing enough in information security?
Unfortunately, many companies tend to take the ‘just enough’ security approach for compliance purposes, following a ‘tick the box’ approach. But compliance doesn’t mean that your employees are aware of the security risks. Companies that have been hacked or have experienced a big data leak, tend to invest a little more, since they understand the potential consequences. It really depends on the type of company.
Some companies may have only a few policies but have not implemented a full ISMS, and believe that this is sufficient. In the financial services sector, there is certainly a huge focus on investing in information security. It is sometimes difficult to decide how much to spend, and to prioritise budget for key infosec activities. For instance, how do you know that all the laptops in your company are fully encrypted, or that all your systems have the latest anti-virus installed? In most businesses, there aren’t sufficient governance structures in place to manage information security effectively. The lack of information security governance is a big cause for concern. This is where information security audits play such an important role.
7. What do you believe are the biggest reasons for the executive team/the board/the CFO often not prioritising sufficient budget for improving the organisation’s information security posture?
I believe that often those tasked with information security are afraid to tell the business exactly what the problem is, and being asked difficult questions. That’s why it is critical for the security team to have the appropriate business acumen, especially if they have a technical background. That’s also the reason why large organisations tend to use consultancy firms, and often prefer to use a third party who can speak their language.
I believe having an information security audit should be compulsory for organisations of any shape and size.
8. What do you look for when sourcing penetration testing services?
I would look at the company’s reputation as a penetration testing provider, and the clients the company has worked with. The range of services they offer, and whether they are CREST or CHECK approved. I would also look at the reports they provide, and ask them for a sample report. A report that is easy to follow, without too much detail is ideal. The report should also explain the vulnerabilities in clear and simple terms, and provide solutions to the identified problems. Lastly, cost-effectiveness will also be an important consideration. Conducting a follow-up test after three months, to establish whether everything is working effectively, is quite a good value-add.
View IT Governance’s Combined Web Application and Infrastructure Penetration Testing service
9. Why do you think there are so few women in information security jobs?
I believe this is an evolving area and the picture is definitely changing. Information security has always been seen as a very technical field that has traditionally been occupied by men. But as more positions are opening up, and the field of information security has become more diverse, there is an increasing trend for women to enter the market and take up information security jobs. This is especially true for positions related to policy development, standards, training, stakeholder management and change management, to name a few.
Maldar, thank you for your time and this informative interview!