How did you end up in your current role, and what attracted you to the industry?
I was hired at ELMO over a year ago as the resident security architect with responsibility for technical security and oversight across the whole business. I’ve been in IT security for over 20 years and during my time at Yahoo as Chief Architect for the Asia region, I performed the aptly named dual role of “Paranoid”. This gave me a unique perspective of how security can be enacted both at the architecture level and in day-to-day development, as the objectives of both are mutually supportive. To me, cybersecurity is a fascinating field because it combines technology, people, and most importantly, managing evolving risks in a constantly changing environment. It certainly never stops!
What security-related behaviour or policy have you changed the most in the past year?
ELMO achieved ISO 27001:2013 Certification this year. This required the establishment of an ELMO in-house Security Team (myself & Carmen Nunez, Information Security Manager) to work across all aspects of the business over a period of nine months, embedding the Information Security Management System (ISMS) and other supporting procedures into our day-to-day business activities. In essence, we needed to ‘boot strap’ ISO 27001:2013 into ELMO as a corporate entity by creating a whole raft of business-specific policies and procedures – related to everything from BYOD devices to storing, processing and managing sensitive data.
Everyone in the business was directly involved and committed to this goal, and we succeeded in achieving Certification with no non-conformances. The auditor was impressed by the fact that we involved all teams directly in the audit process. Instead of sitting down with a small number of carefully selected individuals, twenty-two ELMO team members walked the auditor through their areas of responsibility, demonstrating a business-wide understanding of and commitment to security. Our view is that security is everyone’s responsibility.
How has the availability of cloud-based services changed the way you deliver your solutions? And what security issues (if any) has this presented?
From the get-go, ELMO has been a cloud-based offering so we understand the cloud. However, the ways in which one can implement cloud-based solutions have changed and will continue to change. In the early days, you would write your application and push it directly to servers ‘as is’. Now, the move is towards a more containerised way of managing deployments and this has shifted the balance on security. On the one hand, this approach improves isolation and repeatable deployment, but it also results in more container ‘baggage’ in terms of additional external dependencies. Essentially, a business’ exposure to potentially unknown third parties increases as a result. At ELMO, we have introduced additional scanning and monitoring to manage and counteract this specific risk.
What is the best way to win over users so they help cybersecurity efforts rather than hinder them?
I believe security teams in SaaS businesses like ours have two sets of stakeholders or users: employees and external clients. With internal staff, we aim to foster a collaborative, open environment around security. We also want our staff to know that there are no negative consequences to being honest and transparent about security matters. I like to make security topics fun in a practical way! For instance, I use memes and share horror stories with my team that have been cited in the media as a way to change and influence internal behaviours.
As for external clients, we want security to be visible and to be something that helps their business rather than being seen as an additional burden. In a similar way to how we manage our employees, clients can also be guided and educated on how to be more secure. We consider our clients a part of the larger security sphere we have an influence over which means their involvement is absolutely critical.
Is the security industry getting better at using tools like threat intelligence and collaboration policies to work together against a common threat?
This is slowly getting better but old security siloes are still very apparent across businesses today. I take the approach that security is everybody’s concern and that we need to be proactive in helping one another to improve security controls over time. Part of this involves opening up lines of direct communication between security teams as well as the Australian and New Zealand security industries.
What kind of security response plan do you maintain at ELMO, and how is this tested and updated?
As part of ISO 27001:2013 and privacy legislation requirements, ELMO has a mature security incident response plan. If an incident does occur (which could have at its root cause either confidentiality, availability or integrity), this response process will be enacted and the relevant parties will be involved throughout the whole process through to resolution.
The plan is regularly reviewed to ensure it is up to date and covers the systematic landscape correctly. ELMO spends a great amount of time and energy in training its security incident response teams to be prepared. We believe that having the right level of security controls, training and preventive measures are key to minimising the impact of security-related incidents.
How has increasing regulation changed your security priorities and those of your customers?
ELMO, as a Cloud HR & Payroll solution provider, cuts across many different types of organisations and industries. As a result, I have seen a shift in how security is impacting customers along two main vectors in particular, GDPR and CPS-234. This is most evident during the tender response stage where we are called upon to answer increasingly detailed and probing security questions - some running to up to 1,000 individual questions - with an increased focus on privacy, data sovereignty, data encryption, data lifecycles, supplier management, etc. We are well aware of the regulatory demands on our customers and, given that we are now ISO 27001:2013 certified, we are able to confidently provide details of our compliance.
How has availability of skills affected your ability to implement new security initiatives at ELMO?
A lot of people think they know what security involves but in actual fact, they have only ever been exposed to a small slice of the larger security-pie. For us, achieving ISO 27001:2013 Certification was a driver to the larger business’ understanding of what security really is and I think this provided a right-of-passage mindset for employees to improve their own security skills. We have also been very proactive in providing training and support for those who want to gain specific security skills. In fact, we are in the process of creating ELMO “Paranoids” like me!
What impact do you think intensive skills-training programs will have on closing the current cybersecurity skills gap?
Of course they will have some impact, but I’m concerned that they will end up creating individuals who are too ‘narrow’ in their knowledge set. By this I mean, these individuals will have strong, security-specific subject area skills but will have a total gap in others which can be extremely dangerous. It’s a bit like saying you know how to drive a car when in fact all you know is how to steer the vehicle and have no awareness whatsoever of the accelerator or the brake pedals. The danger here is that an individual will see the security surface based only on their specific knowledge set, but a competent hacker will see the whole security surface and will not hesitate to exploit those gaps. There is often little training on the human aspects of security with respect to computer systems and design for instance, hence why social engineering techniques are often so effective.
From my perspective, I would prefer for basic security awareness training to be provided as soon as possible to all students, regardless of whether they are thinking of pursuing a career in IT or not. Security is everybody’s concern and every organisation utilises IT meaning that everybody will end up having some form of security responsibility in the future. I would like everyone to have sufficient baseline security knowledge in order to recognise and follow their ‘hunch’ wherever they suspect something isn’t quite right and feel comfortable in escalating security-related issues.