Connect with us


Interview: News International’s Amar Singh




by: Eleanor Dallaway

Amar Singh, CISO at News International, met Eleanor Dallaway in Miami, Florida, and explained how to handle a data breach, how to win buy-in from the board, and why CISOs need more respect…

Amar Singh is the interim chief information security officer at News International, a job which he depicts as being focused around “driving the information security strategy for the organization, including the whole gamut of the ISO 27001 domains”.

Singh began his contract with the publishing group in February 2012 and describes himself as being “fully dedicated to this one customer right now”. Why only interim, I ask him? “Because of all the change happening at [News International]. Besides, I prefer an interim role as it allows me to get up every day and start afresh with a new challenge”.

At present, there is no ‘typical day’ for Singh, but if he was forced to try and paint a picture, it would look something like this: understanding the risks and threat landscape, keep on top of what’s happening in the information security and business worlds, and then addressing regular day-to-day political endeavors.

“I’m trying to be modest here, but I’m doing such a great job that it’s practically a permanent role”, he tells me. This far-from-modest comment comes within a few moments of sitting down with Singh, at which point I could have easily mistaken him for being arrogant. But there’s something about his easy-going attitude, kind eyes and hearty laugh that convince me that he’s not arrogant, he’s just self-assured and honest.

We’re sat on a bench on the sea-front in Miami, where we’re both attending Hacker Halted and the Global CISO forum. Throughout our interview, Singh places a huge emphasis on the importance of communication skills and his ability to make a point with clarity and precision.

Speaking five languages – Japanese, Thai, English, Hindi, and his mother tongue, Punjabi – is to thank for his excellent communication skills, believes Singh, who argues that the “biggest headache with technical people is they don’t like communicating. You can see at Hacker Halted – they’re happy doing what they’re doing until you put them on a podium, and a lot of them just start shivering and shaking”.

Navigating a Career without a Degree

His interest in information security derived from “being a geek”, I’m told, as Singh’s academic qualifications ended at ‘O levels’. “I’m an on-the-job kind of experienced person”, he says, admitting that, at first, not having a degree did act as a barrier, but that using the right language in the right circumstances allowed him to “climb a lot of challenges”.

Bridging the gap between technology and business strategy is crucial to win management buy-in, Singh explains. “My presentations are very management-focused, so that the guys in my organization start to realize I’m talking at their level.”

Singh considers himself able to make friends with both hackers and CISOs, and credits this to his “ability to get on their wavelength”. Management and C-level buy-in is still an issue in every organization, he argues, and solving the communication problem is half the battle.

At the beginning of his contract Singh describes “understandable resistance” to him, with people perceiving the typical CISO to be “a tecchie chosen by default”. Having said that, he doesn’t deny the importance of technical knowledge. “I still keep my fingers in the pie of technology, it’s a constant battle. I read up – I read your magazine, for example”, he says, earning himself some brownie points.

“Information security should have its own kind of input, authority and value into it”

“At the end of the day, the future belongs to technology whichever way you look at it, and you can’t deliver a technical project without understanding the technology.” The real battle, however, Singh insists, is getting management to understand it too. “If they don’t understand it, you’ll get ripped off”, he explains, using the example of an automobile inspection. “If you get it just a little bit, you can challenge your mechanic.” Understanding information security challenges means understanding the basics, he told me.

Singh thanks his “business family” for giving him the perspective that “it all boils down to the bottom line”. It’s this understanding that has allowed him to transition into roles that are not purely technical. At News International, for example, Singh “does not talk technology because technology and management don’t necessarily always fit together”. And Singh should know, having worked at Gala Bingo, Siemens (on the BBC account), BP and Cable & Wireless.

Risk, Risk, Risk

A CISO’s biggest information security challenge, says Singh without hesitation, is “to understand what is important to the organization”. Determining what your crown jewels are, and increasing security around them, is the most important job. “You need to understand the risk appetite that the organization has”, he relays. “Work out what’s critical and secure that first.”

Understanding what your crown jewels are is not always an easy task, Singh argues. “Most organizations don’t appear to have a risk management framework, which is very important.” As a result, security budgets are being spent in the wrong places. A robust risk framework would “help in making sure you only talk about what really matters.

“When management thinks about reducing risk, they think about buying insurance. It’s my challenge to talk about reputation – how can you insure and quantify reputation?” Putting a financial value on an attack, Singh asserts, is almost impossible. “Sure, you can look at the Ponemon approach and management might say ‘£5m in damage – we can live with that’, but it’s important to explain the potential impact on reputation and good will.”

Risk registers get so complicated that few people give them the time of day, Singh explains. “At News International, I’ve created risk statements which look at the likelihood of things happening and then the impact.” Singh supports the concept of a risk committee sponsoring the risk management framework and adoption at every level and business function. “Information security should have its own kind of input, authority and value into it”, he says.

The Ivory Tower

Singh, a member of the ISACA London Chapter Security Action Group, calls for a greater relationship and better understanding between CEOs and CISOs and suggests that a combined industry event would help. “At a CISO event, it’s full of people with different bodies and the same brains and thought processes”, he contends. “Get a room of CIOs and CFOs and throw in a CISO, that composition would be far more interesting.”

The ‘folks in the ivory’ tower, as Singh refers to C-level executives and senior management, can be too-easily won over by industry peers having advertised a new technology they have deployed. “They’ll be on a jolly and they’ll hear about a recent threat and a technology that counteracts it. They’ll come back and insist their CISO spends hours looking into a product they may never need.”

While Singh considers himself the kind of CISO who “has the audacity to just say no”, he argues that some are so used to saying yes, “they’ll just say yes. If the technology costs £50,000 or £100,000, [they] will sit within the budget and get signed off. It then becomes another product that only some people use, and after three years, they won’t renew the subscription.”

Invest in Your People

Humans, Singh contends, are inherently trustworthy. “I believe in awareness rather than training. With training, you do it for X days and then you get a certificate. Are you going to be aware of how to use that knowledge?”, he asks.

Sound-bites, he argues, are an effective awareness technique. “Think before you click”, he uses as an example. “That’s stuck in my head forever.” Singh believes the government and society should take information security more seriously and dedicate the same awareness messages to online safety as they do to speeding and alcohol abuse. “It needs to be visible and fun”, he says.

Many CISOs place too much emphasis on policy, Singh tells me, “which would be great if people actually read the policy”, he says with a laugh. “I do believe in having a policy to cover all the bases, no doubt”, but he also advises a one-paragraph summary that would portray the gist of the message.

“At the end of the day, the future belongs to technology whichever way you look at it”

Singh believes in transferring the responsibility and trust to the user, “because even if you restrict everything, they will still tweet if they want to. If you restrict it on their phone, they’ll get another phone and tweet it.” As an alternative, Singh suggests saying: “Here’s the phone, tweet however much you want, we love what you’re doing. Please just be aware, if you tweet [inappropriate] things, you may be out of a job, because we will be out of a job”.

His concern is around the use and “over-sharing” that people do on social networking sites. “It’s a challenge of the future and is only going to get bigger”, he predicts. We agree that children and teenagers are more tech-savvy than adults which, Singh says, means “making them security-aware should be easier because they ‘get it’, even if they don’t agree with the security approach”.

The future of information security, he says, has to be usability. “Until recently, security has been in your face, asking you to do this or that. People like Apple because it’s usable, not because it’s the most super-duper, ultra-secure operating system on the planet.” The information security industry, he says, should take a page out of Apple’s book.

Sorry is the Hardest Word

While Singh was unwilling to discuss specific News International information security breaches, he was willing to share what he believes to be best practice in the aftermath of a breach.

“When I talk, I’m happy to talk openly about my mistakes – I’m not infallible, I’m not super-human.” Admit that you’ve messed up, explain what lessons have been learned and what has been done as a result, and give your customers confidence it won’t happen again, advises Singh. “Customers are way more mature these days and understand that actually, everyone’s been breached already”.

If you’re breached, he suggests four simple actions: Put your hands up, have an incident response plan in place, work with PR teams, and say you’re sorry. All excellent advice, coming from someone who has been through the motions more than once.

I finish the interview, as I always do, by asking about any unfulfilled ambitions. Singh’s answer surprises me. “I’d like to see the CISO title being pronounced as a CEO or CTO is, with each letter of the acronym individually pronounced”. It’s a tiny change, he admits, but one that he believes would give “the role more importance”. This technicality fits into his wider objective, which is to empower the CISO. “You need the mandate, you need empowerment right from the top in order to drive”, he says.

“If you have to fight every battle, and beg on your feet for people to agree on a Twitter policy, there’s something wrong. In my world, a CISO should be able to present a policy, ask for input, but insist it be approved within two weeks.” The CEO should support this, Singh insists, by asking his staff to ‘back the CISO’.

With that, our interview draws to an end. Amar Singh, it was a pleasure.


Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Tech News


SAMSUNG WATCH ACTIVE 2 SPECS IS ONLINE, While Samsung is gearing up to launch the Galaxy Note 10 series on August 7,




While Samsung is gearing up to launch the Galaxy Note 10 series on August 7, there are reports about the arrival of a Galaxy Watch Active 2. It’s unclear if whether the company will launch the wearable with the new smartphone series, or if its launch will be moved forward. Despite this, more and more leaks are surfacing and revealing details about the Watch Active 2.

A couple of pictures were revealed today by the popular leakster, Evan Blass, from evleaks. According to another report from SamMobile, the Galaxy Watch Active 2 will come in two sizes, 40mm and 44mm. The former has a 1.2-inch screen, while the latter will be equipped with a 1.4-inch display. Both displays will boast AMOLED technology plus Gorilla Glass DX+. Last but not least they’ll sport 360×360 pixels of resolution. Join GizChina on Telegram

Galaxy Watch Active 2

The smaller model will weigh 31g, while the bigger one scales at 36g. They will arrive in either aluminum or stainless steel case, both are built to comply with MIL-STD 810G durability standards. According to reports, Samsung will equip the newer models with a touch-sensitive bezel. Therefore it will allow users to interact with functions without having to touch on the screen. That’s an interesting feature, after all, smartwatches displays are usually too small so it’s hard to interact with a touch-sensitive display without covering the content.

The Watch Active 2 will carry Samsung Exynos 9110 SoC underhood. The smartwatch boasts 768 MB of RAM on the Bluetooth-only model and 1.5GB on the LTE-capable variant. Both versions will boast 4GB of Internal Storage. Reportedly, the 40mm unit will have a  247 mAh battery. The 44mm model will fit a larger 340 mAh cell. As previously rumored, ECG and fall detection are both on board. However, the former can take some time to arrive at the shelves.

Last details include Bluetooth 5.0 connectivity and a plethora of colors for the aluminum variants:  Silver, Black and Pink Gold, while the stainless steel color will arrive in Silver, Black and Gold. Worth noting that the LTE variant will only be available with a stainless steel finish.


Continue Reading


MacBook Pro 2019 will be a 16-inch LCD laptop

MacBook Pro 2019 will be a 16-inch LCD laptop, New report affirms rumors and points to $3,000 starting price




New report affirms rumors and points to $3,000 starting price

We may have already seen new MacBook Pro models refreshed for 2019, but the true MacBook Pro 2019 is expected to land this October as a 16-inch LCD laptop, according to Taiwan’s United Daily News (UDN).

Given that this would be Apple’s largest MacBook Pro laptop since 2012’s final run of the 17-inch MacBook Pro, the company reportedly plans to slap a gargantuan baseline price tag onto this year’s model – which could rise above $3,000 (about £2,450, AU$4,350).

This laptop will likely be pushed heavily toward content creators and developers as a demonstration of Apple’s sincerity in serving those audiences. Here’s to hoping it will somehow satisfy the cross-section of folks that also like to game on their workhorse machines.

MacBook Pro 2019 backs down from OLED

This report corroborates one published by London-based market analysts IHS Markit, adding the pricing element to the mix. More importantly, this is the second report to state that the 16-inch MacBook Pro 2019 display will not be an OLED product.

Instead, it will be an LCD to the tune of a 3,072 x 1,920 pixel resolution, which would give the display a rather competitive 226 pixels per inch (ppi) rating and a total of 5.9 million pixels. LCD or not, this is going to be a sharp 3K display.

Will that alone be enough to justify such an exorbitant starting price? Hardly. There are surely other features that Apple has cooking for this device.

We know that Apple is planning to allow this MacBook Pro up to 32GB of memory (RAM), which is already possible on the 15-inch MacBook Pro. 

And, of course, every report mentions an entirely new design likely focused on smaller screen bezels.

Exactly what kind of processor technology will be inside these laptops is also up in the air. Is Apple’s supposed ARM laptop processor to be finished in time for these new laptops? Or, will Apple go all in with AMD considering Intel’s faltering pole position in the laptop computing space?

We’ll almost certainly see more about these missing MacBook Pro 2019 details as we get closer to October 2019.


Continue Reading

Tech News

Google pays users to help build its FaceID

Google pays users to help build its FaceID, Google’s Pixel 4’s moderately sized bezel has been rumoured to be hiding




Google’s Pixel 4’s moderately sized bezel has been rumoured to be hiding a powerful secret — its own take on FaceID. Much like how Pixel Imprint is Google’s version of TouchID, Google is expected to add an additional form of biometric authentication to the Pixel 4 and 4 XL with this year.

As per a report from ZDNet, men on the street have been approached by Google employees and asked to capture different angles of their face in exchange for a $5 Amazon or Starbucks Giftcard. The images were taken with a phone in a case which obscured its design likely the Pixel 4 or 4 XL (or a prototype of one or the other.)
The firm is said to be doing this for multiple sites across the US to gather a large number of pictures with which to train its Pixel’s authentication system before launch.

Google previously offered facial recognition for its Android devices in the past. This method is likely to be more secure and 3D based than before.

Source: Google is paying users $5 to help build its FaceID competitor

Continue Reading


Copyright © 2020 Inventrium Magazine

%d bloggers like this: