by: Eleanor Dallaway
Amar Singh, CISO at News International, met Eleanor Dallaway in Miami, Florida, and explained how to handle a data breach, how to win buy-in from the board, and why CISOs need more respect…
Amar Singh is the interim chief information security officer at News International, a job which he depicts as being focused around “driving the information security strategy for the organization, including the whole gamut of the ISO 27001 domains”.
Singh began his contract with the publishing group in February 2012 and describes himself as being “fully dedicated to this one customer right now”. Why only interim, I ask him? “Because of all the change happening at [News International]. Besides, I prefer an interim role as it allows me to get up every day and start afresh with a new challenge”.
At present, there is no ‘typical day’ for Singh, but if he was forced to try and paint a picture, it would look something like this: understanding the risks and threat landscape, keeping on top of what’s happening in the information security and business worlds, and then addressing regular day-to-day political endeavors.
“I’m trying to be modest here, but I’m doing such a great job that it’s practically a permanent role”, he tells me. This far-from-modest comment comes within a few moments of sitting down with Singh, at which point I could have easily mistaken him for being arrogant. But there’s something about his easy-going attitude, kind eyes and hearty laugh that convince me that he’s not arrogant, he’s just self-assured and honest.
We’re sat on a bench on the sea-front in Miami, where we’re both attending Hacker Halted and the Global CISO forum. Throughout our interview, Singh places a huge emphasis on the importance of communication skills and his ability to make a point with clarity and precision.
Speaking five languages – Japanese, Thai, English, Hindi, and his mother tongue, Punjabi – is to thank for his excellent communication skills, believes Singh, who argues that the “biggest headache with technical people is they don’t like communicating. You can see at Hacker Halted – they’re happy doing what they’re doing until you put them on a podium, and a lot of them just start shivering and shaking”.
Navigating a Career without a Degree
His interest in information security derived from “being a geek”, I’m told, as Singh’s academic qualifications ended at ‘O levels’. “I’m an on-the-job kind of experienced person”, he says, admitting that, at first, not having a degree did act as a barrier, but that using the right language in the right circumstances allowed him to “climb a lot of challenges”.
Bridging the gap between technology and business strategy is crucial to win management buy-in, Singh explains. “My presentations are very management-focused, so that the guys in my organization start to realize I’m talking at their level.”
Singh considers himself able to make friends with both hackers and CISOs, and credits this to his “ability to get on their wavelength”. Management and C-level buy-in is still an issue in every organization, he argues, and solving the communication problem is half the battle.
At the beginning of his contract Singh describes “understandable resistance” to him, with people perceiving the typical CISO to be “a tecchie chosen by default”. Having said that, he doesn’t deny the importance of technical knowledge. “I still keep my fingers in the pie of technology, it’s a constant battle. I read up – I read your magazine, for example”, he says, earning himself some brownie points.
“At the end of the day, the future belongs to technology whichever way you look at it, and you can’t deliver a technical project without understanding the technology.” The real battle, however, Singh insists, is getting management to understand it too. “If they don’t understand it, you’ll get ripped off”, he explains, using the example of an automobile inspection. “If you get it just a little bit, you can challenge your mechanic.” Understanding information security challenges means understanding the basics, he told me.
Singh thanks his “business family” for giving him the perspective that “it all boils down to the bottom line”. It’s this understanding that has allowed him to transition into roles that are not purely technical. At News International, for example, Singh “does not talk technology because technology and management don’t necessarily always fit together”. And Singh should know, having worked at Gala Bingo, Siemens (on the BBC account), BP and Cable & Wireless.
Risk, Risk, Risk
A CISO’s biggest information security challenge, says Singh without hesitation, is “to understand what is important to the organization”. Determining what your crown jewels are, and increasing security around them, is the most important job. “You need to understand the risk appetite that the organization has”, he relays. “Work out what’s critical and secure that first.”
Understanding what your crown jewels are is not always an easy task, Singh argues. “Most organizations don’t appear to have a risk management framework, which is very important.” As a result, security budgets are being spent in the wrong places. A robust risk framework would “help in making sure you only talk about what really matters.
“When management thinks about reducing risk, they think about buying insurance. It’s my challenge to talk about reputation – how can you insure and quantify reputation?” Putting a financial value on an attack, Singh asserts, is almost impossible. “Sure, you can look at the Ponemon approach and management might say ‘£5m in damage – we can live with that’, but it’s important to explain the potential impact on reputation and good will.”
Risk registers get so complicated that few people give them the time of day, Singh explains. “At News International, I’ve created risk statements which look at the likelihood of things happening and then the impact.” Singh supports the concept of a risk committee sponsoring the risk management framework and adoption at every level and business function. “Information security should have its own kind of input, authority and value into it”, he says.
The Ivory Tower
Singh, a member of the ISACA London Chapter Security Action Group, calls for a greater relationship and better understanding between CEOs and CISOs and suggests that a combined industry event would help. “At a CISO event, it’s full of people with different bodies and the same brains and thought processes”, he contends. “Get a room of CIOs and CFOs and throw in a CISO, that composition would be far more interesting.”
The ‘folks in the ivory tower’, as Singh refers to C-level executives and senior management, can be too-easily won over by industry peers having advertised a new technology they have deployed. “They’ll be on a jolly and they’ll hear about a recent threat and a technology that counteracts it. They’ll come back and insist their CISO spends hours looking into a product they may never need.”
While Singh considers himself the kind of CISO who “has the audacity to just say no”, he argues that some are so used to saying yes, “they’ll just say yes. If the technology costs £50,000 or £100,000, [they] will sit within the budget and get signed off. It then becomes another product that only some people use, and after three years, they won’t renew the subscription.”
Invest in Your People
Humans, Singh contends, are inherently trustworthy. “I believe in awareness rather than training. With training, you do it for X days and then you get a certificate. Are you going to be aware of how to use that knowledge?”, he asks.
Sound-bites, he argues, are an effective awareness technique. “Think before you click”, he uses as an example. “That’s stuck in my head forever.” Singh believes the government and society should take information security more seriously and dedicate the same awareness messages to online safety as they do to speeding and alcohol abuse. “It needs to be visible and fun”, he says.
Many CISOs place too much emphasis on policy, Singh tells me, “which would be great if people actually read the policy”, he says with a laugh. “I do believe in having a policy to cover all the bases, no doubt”, but he also advises a one-paragraph summary that would portray the gist of the message.
Singh believes in transferring the responsibility and trust to the user, “because even if you restrict everything, they will still tweet if they want to. If you restrict it on their phone, they’ll get another phone and tweet it.” As an alternative, Singh suggests saying: “Here’s the phone, tweet however much you want, we love what you’re doing. Please just be aware, if you tweet [inappropriate] things, you may be out of a job, because we will be out of a job”.
His concern is around the use and “over-sharing” that people do on social networking sites. “It’s a challenge of the future and is only going to get bigger”, he predicts. We agree that children and teenagers are more tech-savvy than adults which, Singh says, means “making them security-aware should be easier because they ‘get it’, even if they don’t agree with the security approach”.
The future of information security, he says, has to be usability. “Until recently, security has been in your face, asking you to do this or that. People like Apple because it’s usable, not because it’s the most super-duper, ultra-secure operating system on the planet.” The information security industry, he says, should take a page out of Apple’s book.
Sorry is the Hardest Word
While Singh was unwilling to discuss specific News International information security breaches, he was willing to share what he believes to be best practice in the aftermath of a breach.
“When I talk, I’m happy to talk openly about my mistakes – I’m not infallible, I’m not super-human.” Admit that you’ve messed up, explain what lessons have been learned and what has been done as a result, and give your customers confidence it won’t happen again, advises Singh. “Customers are way more mature these days and understand that actually, everyone’s been breached already”.
If you’re breached, he suggests four simple actions: Put your hands up, have an incident response plan in place, work with PR teams, and say you’re sorry. All excellent advice, coming from someone who has been through the motions more than once.
I finish the interview, as I always do, by asking about any unfulfilled ambitions. Singh’s answer surprises me. “I’d like to see the CISO title being pronounced as a CEO or CTO is, with each letter of the acronym individually pronounced”. It’s a tiny change, he admits, but one that he believes would give “the role more importance”. This technicality fits into his wider objective, which is to empower the CISO. “You need the mandate, you need empowerment right from the top in order to drive”, he says.
“If you have to fight every battle, and beg on your feet for people to agree on a Twitter policy, there’s something wrong. In my world, a CISO should be able to present a policy, ask for input, but insist it be approved within two weeks.” The CEO should support this, Singh insists, by asking his staff to ‘back the CISO’.
With that, our interview draws to an end. Amar Singh, it was a pleasure.
IOS APPS ON MACS? GEE, THAT FEELS FAMILIAR…
Well, gang, it’s official: Cross-platform convergence is now both magical and revolutionary.
Apple, in case you haven’t heard, is taking a serious step toward bringing its mobile and desktop platforms together: At its annual Worldwide Developers Conference adjective-shouting extravaganza this week, the company announced a plan to let developers bring iOS apps onto MacOS starting next year. So, yes: That means the Apple faithful will soon be able to run iPhone-like software on their regular ol’ keyboard-packin’ computers.
Pretty spiffy idea, right? Mobile software, on the desktop! Just think of the possibilities. But wait: Why does something about this seem so eerily familiar?
Oh, right — because it’s exactly what we’ve been watching take shape with Android and Chrome OS over the past several years.
Now, before you grab the nearest suit of armor and novelty foam sword, hang on: I’m not here to play a game of “Who Did It First?” Let’s be honest: That kind of talk is pretty tired at this point. Some years, Apple borrows heavily from Google; some years, Google borrows heavily from Apple. Sometimes, the inspiration-lifting is for the better, and sometimes, it’s for the worse. I’m not an intellectual rights attorney (thank goodness) — and from a normal user’s perspective, the arguments over who copied whom are equal parts boring and irrelevant.
What I do want to discuss is how much Apple’s move validates the approach Google’s been pursuing for some time now — and, at the same time, how its implementation of the idea is both similar and simultaneously different.
Let’s jump in, shall we?
Apple, Google, and the tale of converging platforms
We’ll start with Google. The move to bring Android apps to Chrome OS began in earnest in 2016. (Yes, the work technically started two years earlier, with the beta-wearing “App Runtime” project — but that was basically just a test, with significant limitations and nothing even close to a polished or mainstream-ready experience.)
For Google, the notion of bringing two platforms together was nothing short of transformational. Chromebooks had traditionally been cloud-centric computers — a model that provided some enticing advantages over traditional PCs but required you to rely mostly on web-based software like Google Docs and Office Online. Realistically, that sort of setup was more than sufficient for the vast majority of modern-day computer users, but it also left a fair number of gaps in what a Chromebook was able to do.
By allowing anyone to install and run almost any Android app while still maintaining Chrome OS’s security, simplicity, and speed-related advantages, Google accomplished several significant things: First, it redefined a Chromebook’s possibilities and limitations, making the devices more compelling and feature-complete for an even broader array of users. (On a smaller and much more specifically targeted scale, the current move to allow Linux apps on Chrome OS serves a similar purpose.)
Beyond that, it essentially created a whole new category of device — the Chromebook/Android mashup. That’s something we’ve seen progress considerably over the past couple years, as the hardware has slowly caught up with the software and convertible Chromebooks have effectively become the new Android tablets.
And last but not least, it created an ecosystem like no other. Developers could build and publish a single app and have it be available to the world’s largest mobile platform and the world’s increasingly dominant desktop computing environment. As long as the apps are built with responsive design and with a handful of form-specific optimizations in mind, it’s a single, streamlined process with minimal extra effort involved.
Significant as those first two points may be, we can’t underestimate the value of that last one — the ecosystem expansion. Remember, Chromebooks are hugely popular, particularly in schools. And developers tend to go where the users are. For the first time, Google could actually overcome its chicken-and-egg problem and have an existing audience that’d entice developers to craft large-screen-optimized apps — apps that, by their very definition, would straddle the lines of two overlapping ecosystems and benefit Android and Chrome OS alike.
Apple’s approach is a bit different. Unlike Chromebooks, Macs already run traditional desktop software. Unlike Google, Apple already has a successful tablet platform. And unlike Google, Apple doesn’t currently offer touch-enabled Macs — another one of those classic “it doesn’t work” declarations from Steve Jobs, way back when — and even if the company does eventually come around to rethinking that stance, it doesn’t seem likely that it’d look to phase out or de-emphasize the iPad anytime soon.
What Apple does share with Google, however, is the ecosystem part of the equation. Apple is all about the ecosystem, in fact, and it has been for a very long time. Google is the relative newcomer to that kind of focus.
So Apple, like Google, stands to benefit by aligning its platforms (a familiar phrase, no?) and making them more similar from a user’s perspective. It’s no secret that people adore their iPhones and the apps associated with them. Making MacOS follow iOS’s lead in some ways and allowing users to run familiar mobile apps within it will make the Mac feel more consistent and connected with the iPhone — and thus could make it more appealing both to current users and also perhaps to those who don’t presently own a traditional laptop or desktop computer.
Apple, like Google, could also benefit from energizing its desktop software ecosystem and giving developers added incentive to focus on that form. It may not be entirely comparable to Google’s Chrome OS situation, but the idea that development on the desktop side of Apple’s ecosystem is stagnating compared to the mobile side is a pretty common theme of discussion these days. Bringing iOS-like apps onto Macs could go a long way in reversing that view.
Perhaps most critically, aligning the ecosystems provides yet another piece of ammo for the famous “lock-in” weapon: You’ve got the environment you know and love and the apps you know and love on your iPhone and/or iPad — and now on your Mac, too. Just like Google is aiming to accomplish with Android phones and Chromebooks, our investments in these ecosystems are more expansive than ever — which, of course, means we’re more likely than ever to stick with whichever ecosystem we choose and continue to buy its associated products year after year.
Interestingly, Apple and Google also share the same persistent view from pundits that “the two platforms must be combined!” — a view that no level of adamant denial or ongoing evidence to the contrary seems able to extinguish.
Converging platforms, diverging paths
One thing the two companies don’t fully share is the specific approach to bringing mobile apps onto the desktop. Google, fitting with its general ethos, has established a bit of a free-for-all with Android apps on Chrome OS: By default (unless a developer explicitly disallows it or an app is inherently incompatible due to hardware requirements), most any Android app can be installed on a Chromebook. The Play Store you get on a Chromebook is quite literally the same Play Store you get on a phone.
So everyone is in, more or less — and it’s then up to each developer to optimize an app and make it excel in the large-screen, keyboard-and-trackpad-using form. Or not. Most apps work well enough on a Chromebook out of the box, and in some scenarios, it’s clear a developer went the extra mile to really make the experience shine. Either way, you can find plenty of useful titles that add meaningful value to the Chrome OS environment.
But you can also find plenty of apps that clearly weren’t made to run on that type of hardware — where even the most minimal amount of effort is painfully lacking — and those apps, while technically compatible with a Chromebook, are incredibly awkward and unpleasant to use. (Hi, Instagram!)
From the sounds of it, Apple is taking the exact opposite approach: The door will be closed by default — and the MacOS-iOS collection will consist only of apps optimized for the traditional computer form. That’s why Apple is releasing only its own iOS apps for the Mac to start and will be working with developers to optimize their apps for the desktop over the months ahead.
“There are millions of iOS apps out there, and some of them would be great on the Mac,” Apple Chief Shirt Unbuttoner Craig Federighi noted during yesterday’s announcement. The emphasis there is mine, but the message is clear: The entire App Store won’t — and, in Apple’s view, shouldn’t — be coming to the desktop.
Apples and oranges
So which approach is better — Apple’s or Google’s? The reality is that each seems to have its own set of pros and cons, and it’s tough to label either one as a definitive “winner.” Google’s implementation brings a massive number of new applications into the desktop environment and then puts the onus on the developers to make the experiences shine. The result, as we’ve established, is a bit of a mixed bag: You have tons of possibilities, many of which are valuable (with or sometimes even without form-specific optimizations) — but you also have apps that are just plain clumsy and out of place.
Apple appears poised to offer a more strictly curated selection of apps, allowing only those with form-specific optimizations into the mix. That should create a more consistent level of quality and experience, which is obviously a good thing, but it’ll also mean some apps that might be more mobile-specific and not likely to be optimized probably won’t become available.
Who cares? Well, consider one example: Apps like Netflix and YouTube are readily available via the web and don’t seem like the types of titles that’d receive the full desktop optimization effort or the Apple stamp of “great on the Mac” approval. But running the mobile apps on the desktop gives you the unique advantage of being able to download videos from those respective services for offline viewing — a handy little loophole crafty Chromebook users have certainly come to appreciate.
When you stop and think about it, the differences here are very much analogous to the differences in the two companies’ broader approaches to mobile app distribution: With Apple, you get a more closely controlled selection, which forces developers to comply more closely with guidelines and (in theory, at least) creates a more consistent experience. With Android, the less closely controlled gates mean more variance in the level of experience within — but that also means the door is open to more advanced and interesting types of creations that wouldn’t make their way past Apple’s gatekeepers.
I think most reasonable people would agree that Google could stand to gain some of Apple’s quality control and ability to get developers to follow its lead, while Apple could stand to loosen things up at least a little and allow some different types of tools into its closely walled garden.
Neither scenario is perfect, but both serve to accomplish the same goal — one that, in this wild new cross-platform world, seems both sensible and inevitable, regardless of which ecosystem you prefer.
Source: Computer World
WHY THESE 9 CEOS BELONG ON THE WORLD’S GREATEST LEADERS LIST
In our current culture, CEOs arguably command more power than respect. You can blame that in part on the light-speed exchange of information in the digital era. As Fortune’s Geoff Colvin writes in the introduction to this year’s World’s Greatest Leaders list, “Easier access to information for customers, competitors, and others causes industry dominance to change more quickly, corporate life spans to decline, and executive tenures to shorten.” What’s more, unflattering news goes viral in an instant.
Nonetheless, year after year there are chief executives whose impact, not just on their own companies but on the world around them, is so significant that they deserve to rank among the greats. Our annual leader list spans politics, the arts, activism, sports and the nonprofit world, but each year, many business figures shine in this particular galaxy. Amazon CEO Jeff Bezos is one of only two people who have made all four editions of our list. (The other is Pope Francis.)
Here are nine private-sector CEOs who made Fortune’s 2017 list.
Founder and CEO, Amazon
Rank on 2017 list: No. 5
Rank on 2017 list: No. 20
CEO, Haier Group
Rank on 2017 list: No. 24
CEO, Last Mile Health
Rank on 2017 list: No. 28
CEO, Tesla and SpaceX
Rank on 2017 list: No. 30
CEO, Advanced Micro Devices
Rank on 2017 list: No. 50
CEO, J.P. Morgan
Rank on 2017 list: No. 39
CEO and Chairman, Salesforce
Rank on 2017 list: No. 43
JOSE MOURINHO DISMISSES CONCERNS OVER MARCUS RASHFORD’S DEVELOPMENT
Jose Mourinho has played down concerns over Marcus Rashford’s lack of game-time at Manchester United as the World Cup approaches.
Rashford has not started a league match for United, who face Crystal Palace on MNF, live on Sky Sports Premier League, since Boxing Day and has found his first-team opportunities limited following the arrival of Alexis Sanchez.
However, Mourinho insists Rashford remains firmly part of his plans at Old Trafford and he expects the 20-year-old to be part of Gareth Southgate’s squad in Russia.
“No, I don’t reassure anyone,” Mourinho said. “The main reassurance for him is that he is always selected.
Mourinho insists Rashford is a key part of his squad at Old Trafford
“There is not one single match when Marcus is not selected to start or to be on the bench. When I see you sometimes put in doubt if he is going to be selected for the World Cup or not be selected.
“You know, if the national coach trusts him, he selects him. It doesn’t matter if he plays or doesn’t play.
“There are many examples of players who don’t play for their clubs at all and they go to the national teams.
Gary Neville insists Marcus Rashford is firmly in Jose Mourinho’s plans at Man Utd and that it is normal for a young player to come in and out of the side.
“You have the example of (Sergio) Romero, who is the second goalkeeper at Manchester United and the first goalkeeper for such an amazing football country like Argentina.
“In your own country, you have examples of players who play even without scoring a goal in the Premier League.
“So, it’s up to Gareth Southgate. If he trusts him, he selects him. It doesn’t matter if he plays or if he doesn’t play for Manchester United.”
Rashford burst onto the scene with a series of crucial goals during the 2015-16 season under Louis van Gaal, and the England international cemented his place in the United first-team with a solid campaign last season in which he scored 11 goals for the club.
“At his age, what he’s doing is more than enough and the experience he’s getting at every level is more than enough for us to be happy with what we think is going to be his future,” Mourinho said. “It’s as simple as that.
“But because he had such an impact at the beginning, probably people expect him to play even more than he does and score even more than he does and perform even more than what he does but it is not so simple.
The 20-year-old is expected to be part of England’s squad for the upcoming World Cup in Russia
“What I see makes me really happy, to see the same boy. When you ask me about (Scott) McTominay, I spoke about McTominay as a boy before he was a player and Marcus is the same.
“What will keep them in the right direction, what will make them have that stability to improve is what they are as boys. And Marcus is a fantastic boy, also very grounded.
“For sure, we love him, and we believe in him, and he’s going to have the chances.”