by: Eleanor Dallaway
Amar Singh, CISO at News International, met Eleanor Dallaway in Miami, Florida, and explained how to handle a data breach, how to win buy-in from the board, and why CISOs need more respect…
Amar Singh is the interim chief information security officer at News International, a job which he depicts as being focused around “driving the information security strategy for the organization, including the whole gamut of the ISO 27001 domains”.
Singh began his contract with the publishing group in February 2012 and describes himself as being “fully dedicated to this one customer right now”. Why only interim, I ask him? “Because of all the change happening at [News International]. Besides, I prefer an interim role as it allows me to get up every day and start afresh with a new challenge”.
At present, there is no ‘typical day’ for Singh, but if he were forced to try and paint a picture, it would look something like this: understanding the risks and threat landscape, keeping on top of what’s happening in the information security and business worlds, and then addressing regular day-to-day political endeavors.
“I’m trying to be modest here, but I’m doing such a great job that it’s practically a permanent role”, he tells me. This far-from-modest comment comes within a few moments of sitting down with Singh, at which point I could have easily mistaken him for being arrogant. But there’s something about his easy-going attitude, kind eyes and hearty laugh that convince me that he’s not arrogant, he’s just self-assured and honest.
We’re sitting on a bench on the sea-front in Miami, where we’re both attending Hacker Halted and the Global CISO forum. Throughout our interview, Singh places a huge emphasis on the importance of communication skills and his ability to make a point with clarity and precision.
Speaking five languages – Japanese, Thai, English, Hindi, and his mother tongue, Punjabi – is to thank for his excellent communication skills, believes Singh, who argues that the “biggest headache with technical people is they don’t like communicating. You can see at Hacker Halted – they’re happy doing what they’re doing until you put them on a podium, and a lot of them just start shivering and shaking”.
Navigating a Career without a Degree
His interest in information security derived from “being a geek”, I’m told, as Singh’s academic qualifications ended at ‘O levels’. “I’m an on-the-job kind of experienced person”, he says, admitting that, at first, not having a degree did act as a barrier, but that using the right language in the right circumstances allowed him to “climb a lot of challenges”.
Bridging the gap between technology and business strategy is crucial to win management buy-in, Singh explains. “My presentations are very management-focused, so that the guys in my organization start to realize I’m talking at their level.”
Singh considers himself able to make friends with both hackers and CISOs, and credits this to his “ability to get on their wavelength”. Management and C-level buy-in is still an issue in every organization, he argues, and solving the communication problem is half the battle.
At the beginning of his contract, Singh describes “understandable resistance” to him, with people perceiving the typical CISO to be “a techie chosen by default”. Having said that, he doesn’t deny the importance of technical knowledge. “I still keep my fingers in the pie of technology, it’s a constant battle. I read up – I read your magazine, for example”, he says, earning himself some brownie points.
“At the end of the day, the future belongs to technology whichever way you look at it, and you can’t deliver a technical project without understanding the technology.” The real battle, however, Singh insists, is getting management to understand it too. “If they don’t understand it, you’ll get ripped off”, he explains, using the example of an automobile inspection. “If you get it just a little bit, you can challenge your mechanic.” Understanding information security challenges means understanding the basics, he told me.
Singh thanks his “business family” for giving him the perspective that “it all boils down to the bottom line”. It’s this understanding that has allowed him to transition into roles that are not purely technical. At News International, for example, Singh “does not talk technology because technology and management don’t necessarily always fit together”. And Singh should know, having worked at Gala Bingo, Siemens (on the BBC account), BP and Cable & Wireless.
Risk, Risk, Risk
A CISO’s biggest information security challenge, says Singh without hesitation, is “to understand what is important to the organization”. Determining what your crown jewels are, and increasing security around them, is the most important job. “You need to understand the risk appetite that the organization has”, he relays. “Work out what’s critical and secure that first.”
Understanding what your crown jewels are is not always an easy task, Singh argues. “Most organizations don’t appear to have a risk management framework, which is very important.” As a result, security budgets are being spent in the wrong places. A robust risk framework would “help in making sure you only talk about what really matters.
“When management thinks about reducing risk, they think about buying insurance. It’s my challenge to talk about reputation – how can you insure and quantify reputation?” Putting a financial value on an attack, Singh asserts, is almost impossible. “Sure, you can look at the Ponemon approach and management might say ‘£5m in damage – we can live with that’, but it’s important to explain the potential impact on reputation and good will.”
Risk registers get so complicated that few people give them the time of day, Singh explains. “At News International, I’ve created risk statements which look at the likelihood of things happening and then the impact.” Singh supports the concept of a risk committee sponsoring the risk management framework and adoption at every level and business function. “Information security should have its own kind of input, authority and value into it”, he says.
The Ivory Tower
Singh, a member of the ISACA London Chapter Security Action Group, calls for a greater relationship and better understanding between CEOs and CISOs and suggests that a combined industry event would help. “At a CISO event, it’s full of people with different bodies and the same brains and thought processes”, he contends. “Get a room of CIOs and CFOs and throw in a CISO, that composition would be far more interesting.”
The ‘folks in the ivory tower’, as Singh refers to C-level executives and senior management, can be too easily won over by industry peers having advertised a new technology they have deployed. “They’ll be on a jolly and they’ll hear about a recent threat and a technology that counteracts it. They’ll come back and insist their CISO spends hours looking into a product they may never need.”
While Singh considers himself the kind of CISO who “has the audacity to just say no”, he argues that some are so used to saying yes, “they’ll just say yes. If the technology costs £50,000 or £100,000, [they] will sit within the budget and get signed off. It then becomes another product that only some people use, and after three years, they won’t renew the subscription.”
Invest in Your People
Humans, Singh contends, are inherently trustworthy. “I believe in awareness rather than training. With training, you do it for X days and then you get a certificate. Are you going to be aware of how to use that knowledge?”, he asks.
Sound-bites, he argues, are an effective awareness technique. He uses “Think before you click” as an example. “That’s stuck in my head forever.” Singh believes the government and society should take information security more seriously and dedicate the same awareness messages to online safety as they do to speeding and alcohol abuse. “It needs to be visible and fun”, he says.
Many CISOs place too much emphasis on policy, Singh tells me, “which would be great if people actually read the policy”, he says with a laugh. “I do believe in having a policy to cover all the bases, no doubt”, but he also advises a one-paragraph summary that would portray the gist of the message.
Singh believes in transferring the responsibility and trust to the user, “because even if you restrict everything, they will still tweet if they want to. If you restrict it on their phone, they’ll get another phone and tweet it.” As an alternative, Singh suggests saying: “Here’s the phone, tweet however much you want, we love what you’re doing. Please just be aware, if you tweet [inappropriate] things, you may be out of a job, because we will be out of a job”.
His concern is around the use and “over-sharing” that people do on social networking sites. “It’s a challenge of the future and is only going to get bigger”, he predicts. We agree that children and teenagers are more tech-savvy than adults which, Singh says, means “making them security-aware should be easier because they ‘get it’, even if they don’t agree with the security approach”.
The future of information security, he says, has to be usability. “Until recently, security has been in your face, asking you to do this or that. People like Apple because it’s usable, not because it’s the most super-duper, ultra-secure operating system on the planet.” The information security industry, he says, should take a page out of Apple’s book.
Sorry is the Hardest Word
While Singh was unwilling to discuss specific News International information security breaches, he was willing to share what he believes to be best practice in the aftermath of a breach.
“When I talk, I’m happy to talk openly about my mistakes – I’m not infallible, I’m not super-human.” Admit that you’ve messed up, explain what lessons have been learned and what has been done as a result, and give your customers confidence it won’t happen again, advises Singh. “Customers are way more mature these days and understand that actually, everyone’s been breached already”.
If you’re breached, he suggests four simple actions: Put your hands up, have an incident response plan in place, work with PR teams, and say you’re sorry. All excellent advice, coming from someone who has been through the motions more than once.
I finish the interview, as I always do, by asking about any unfulfilled ambitions. Singh’s answer surprises me. “I’d like to see the CISO title being pronounced as a CEO or CTO is, with each letter of the acronym individually pronounced”. It’s a tiny change, he admits, but one that he believes would give “the role more importance”. This technicality fits into his wider objective, which is to empower the CISO. “You need the mandate, you need empowerment right from the top in order to drive”, he says.
“If you have to fight every battle, and beg on your feet for people to agree on a Twitter policy, there’s something wrong. In my world, a CISO should be able to present a policy, ask for input, but insist it be approved within two weeks.” The CEO should support this, Singh insists, by asking his staff to ‘back the CISO’.
With that, our interview draws to an end. Amar Singh, it was a pleasure.