Joe Hancock
So, hello everyone and welcome to this Mishcon de Reya Digital Session. MDR Cyber is the cyber-security practice of our firm which helps our clients with cyber-security, incident response and digital investigations and today, we’re discussing the personal implications of managing cyber-security. A relevant topic given the Uber indictment we all saw recently and the way in which the world seems to be very much focused around who does security, not just what they do. I am joined by Becky Pinkard who is the CISO from Aldermore Bank; Lorraine Dryland, who is the CISO of First Sentier Investors and Jon Baines who is the Senior Data and Protection Specialist from our firm, Mishcon de Reya. A big welcome to everyone, thank you so much for giving us your time today and for joining us. I’m really looking forward to this kind of chat. So, perhaps we could talk about what the sort of broad implications are for having the responsibility of cyber-security, particularly in that sort of CISO role?
Becky Pinkard
I think in terms of, like you said, the implications for it, I’ll default back to my favourite answer in security which is, it depends. Right? Eventually people will get sick of me saying that repeatedly but just until it changes. I think it boils down to you know, the company that you work for, it boils down to obviously the type of role that you have and even as you just pointed out a CISO role in one company can be completely different in another company and then again completely different from you know, a third company. So, I think when it comes down to the implications you also then have to look at it from the maturity of the person involved, the emotional capabilities of the person involved and one of the things I’ve really been exploring a lot over my past sort of year and a half over… just over a year and a half now being in this role, is how much sort of emotional toll there is to the whole thing.
Lorraine Dryland
Also we get that and I think you know, we talked about the responsibility and is it changing and what the emphases are on now and I do actually see that role changing to it being a lot more emphasis on being an advisor, building relationships, engaging a business. So, you know we’ve moved away from you know, technical security aspects. Yes, it’s still a really important part of the job and there’s a level of understanding that needs to be there in an individual but certainly I can see it actually moving through risk regulating. And as Becky mentioned, it’s about company culture you know, I have to say where does that sit? And actually say that it’s a shared responsibility and we see as being more advisory aspect in SMEs to a business.
Joe Hancock
Thanks Lorraine. That’s, that’s really useful. Jon, from a DPO perspective are the responsibilities different? Is it an easier job? Is it a harder job?
Jon Baines
I think a big difference at least within the European framework is, is that the DPO is now a statutory role that GDPR actually creates the need for certain organisations to appoint a DPO and sets out tasks and also sets out obligations on an employer about the position. When GDPR came out in draft I remember pronouncing on, on social media that, ‘Data protection officers, your time has come’. Because you look at some of the wording of GDPR and it does make it sound like the DPO had been elevated to a real position of importance. Realistically speaking, on the ground I haven’t seen that in the way I thought it might be four or five years ago. I think one thing I will say that there are real differences but DPOs and CISOs or however you, you define them in those organisations that don’t require a DPO you’re still going to need someone responsible for data protection compliance and even if the, the information security person’s got a different title, the two roles have got to talk to each other and they’ve got to work with each other.
Joe Hancock
Do you think that a CISO should be responsible almost outside the business in the way that we have to appoint the DPO or we’ve seen with money-laundering reporting officers you know, where there is a requirement to have that role and it has certain powers? Or is this just an ethics issue that is present in every role across the business?
Jon Baines
Something does occur to me. I’ve been thinking about this in advance of the call. Bearing in mind all the time that GDPR is not solely an information security piece of legislation but it does have specific obligations. Article 32 in particular sort of lays out what sort of appropriate measures should be in place to protect personal data anyway. And what I’ve been thinking about is, Article 40 of GDPR encourages or creates an opportunity for codes of conduct and they can be sectoral codes of conduct and indeed it actually talks about you know, a code of conduct that can be drawn up by associations and other bodies representing categories of controllers and having regard to for instance, the security measures in Article 32. I’ve been thinking about it from a DPO point of view that I think there’s possibly a real call for a… I’m saying this in my role as chair of NADPO that I think we should be preparing a code of conduct which would be given to the ICO for approval. But similarly I wonder if information security practitioners have thought about that sort of code of conduct and I guess here I am taking over and asking questions to the other panellists.
Joe Hancock
Carry on. Becky, Lorraine any thoughts on that?
Becky Pinkard
Well, what I heard is he’s trying to take your job, Joe. So, I’d just you know, watch…
Joe Hancock
He’s welcome to it.
Becky Pinkard
…watch out.
Jon Baines
Not the first time.
Joe Hancock
You’re welcome to it.
Becky Pinkard
It’s definitely something I’ve engaged in similar conversations about, particularly over the last few years, you know as we’ve seen a huge reliance come around you know, on security and security in corporations. Again, I guess to add to that you know, you’re starting to see security raised up more and more as a board-level event and from what I understand there are even companies that are looking at having CISOs act as part of the board. So, I’ve heard of a couple of companies where they’ve elevated the CISO position to a board member position, you know so, they’re incorporating, including them in all of those conversations. I also definitely am seeing more and more requests you know for CISO-led information security information being present at board-level events. So that the board is asking for and demanding those updates and they’re demanding them with a greater frequency than they ever have in the past.
Joe Hancock
Any thoughts, Lorraine?
Lorraine Dryland
Yeah. I mean I definitely would like to see it as a level of recognised profession. I think it’s got enough standing and background behind it now. Yes, it was very much associated with information technology in the past and it grew from that and the IT security elements now which I sort of badge now as just good hygiene. So, you know what we used to have as security – IT security – is now what we’re calling just good hygiene and I think what we’re looking at taking that aspect now and it’s moving into cyber-security and the digitised, the malware side of it. Computer-only driven sort of elements of the information and cyber-security side. So, I definitely would like to see it as a definite profession. Yes, we can see it can fall out of all so many bits and the reason why I would like for it to come out is because I think then that will allow it to be seen by other people, not in this industry, that they’ve got opportunity to come into these roles and they’ve got opportunity because it is about security, it’s about risk, it’s about assessment intelligence. There’s so many facets to information security and currently I think it’s seen as you know, driven up from a technology, ‘I don’t know computers therefore I can’t do information security’. There’s so much else around it and I think if we did have this as a dedicated profession which is then seen you know with all the… you know, we’ve got the certifications and other things we can attach to it but if we can see it definitely I think it allows us to maybe approach some of the other skills gap issues that we have and getting more talent in and getting diverse talent in and people who would never have thought about information security actually seeing it as an open door and not necessarily a true technical environment.
Joe Hancock
I think that’s a very good point and I think professionalisation would be I think definitely welcomed. One of the things we are seeing more and more we’ve dealt with a few of these incidents ourselves. I’m sure you have as well. It’s where you end up with this situation saying, ‘Hey…’ someone contacts you, ‘Hey I’m a security researcher’ in air quotes or not depending on, on the situation. ‘I’ve found x, y or z. Would you like me to report this to and would you like to pay me a bug bounty?’ Or sometimes we see it being slightly more blatant and you know, ‘I’ve found x would you like me to go away and please pay me?’ This kind of you know, in some ways is at the heart of the indictment we’re seeing in the US. I’d be interested to hear kind of from your different thoughts on that. How you think these issues should be handled? What happens when that kind of stuff comes across your desk and then and perhaps where it’s been mishandled. So, can you tell me your views?
Becky Pinkard
I can certainly kick that off with I guess how I’ve seen it handled over the last few years in particular and again it’s something that has increased you know, over the last few years as we’ve seen the bug bounties pay off for individuals and their social media exposure to those payoffs has I think led to this perception of you know, ‘Hey I could turn this into a lucrative career almost. I’m going to make thousands, potentially millions you know, by going and finding and exploiting these issues and then raising them up and asking for… demanding payment to your point’. So, overall I would say about the last five years of my career in particular, I’ve seen more companies having to come up with and create processes you know and even policy around, ‘Hey how do we handle this stuff?’ You know, what does the company, what’s the company stance? What’s our corporate stance on what we do with these kinds of requests? Do we pay bug bounties? Do we not pay bug bounties? And you see this now across the board, right? I mean, big companies I think absolutely have this but it’s gotten to the point now where even smaller companies are having to take a stance on what they do about it. And then it boils down to you know, you’ll see someone report something that might actually be a lower priority type of issue in the grand scheme of things. They’ll report that and raise that up and then like you’ve said, ‘We’re going to go public with it if you don’t pay us off’. You have to figure out how to handle that, right? But at the same time it’s like, ‘We’re not going to pay you buddy. This is the lowest priority on our list of raging fires right now’. And so it’s again trying to handle sort of that response, with the individual knowing that you potentially have a reputational issue to take care of. Simultaneously balancing that with the day-to-day business of prioritising and running with you know, potentially much larger risks.
Joe Hancock
Lorraine and Jon, any thoughts on kind of handling these things and any examples of good and bad you’ve seen?
Lorraine Dryland
Yeah I think handling it if you don’t have a bounty programme and there’s a lot of companies out there that’ll advertise that they do have one and how to contact and where to go etcetera and they promote that aspect. There’s now the companies that don’t have a bounty programme and therefore aren’t you know, because it’s seen as… Becky commented on about the business appetite for it. By having one you’re maybe encouraging people to come and impact and try and test your site. If you’re not a service provider or something that really focuses and relies on that capability being tight and a service then you might not want to advertise having a bug bounty programme. But I do feel it’s really important from an internal perspective to actually have something in place so when someone calls up, it’s about making sure you’ve got a consolidated process that can find all those points in and actually where you can make a genuine assessment as to whether it’s something you know, to your point before, ‘Should I worry about this? Do I know about it already? Is it you know, is it something that I’m just yeah I know about that, thank you very much’. But certainly, I do feel if you don’t have that internal process regardless of whether you’ve sponsored a programme or not, you’ll get caught short and you’ll… the reputational embarrassment in public because they will expose it. They’ll put it on social media somewhere and you just have to worry about whether you care about that enough and then that vulnerability is now available to everyone else and they’ll all have a go.
Jon Baines
Yeah well, I think this is one of those areas which kind of exemplifies the need for the infosec and the data people to work together because of course under GDPR we have mandatory breach notification. It’s vitally important to understand, for a company to understand, what a personal data breach is under GDPR and whether the breach notification obligations apply. Because what GDPR says it’s… even if you’re faultless you know, even if this is zero-day you know, otherwise you’re absolutely perfect, if you have a notifiable breach, you’ve got to notify it. It doesn’t say you’ve done wrong. It’s a neutral act of notification but as you and I know especially it can have real implications down the road because you’re often faced with, especially if it becomes public, if you notify data subjects you can be faced with claims, complaints for months and months afterwards. So, I think this is really an area where the CISO and the CISO team have got to be talking to the data protection people. You know and it’s… I think the thing with bounty that concerns me, if, if and I think your use of the word ‘ethics’ was great as a way of introducing this. It concerns me that some organisations might pay a bounty and not make a notification in circumstances where they should do. As yet, we’ve not seen a huge amount of enforcement around that sort of thing but I think that’s the sort of thing that the regulators, the data protection regulators, will look very askance at, if people are paying off in order not to make a legal notification.
Joe Hancock
Just to wrap up. Thank you to all of the panellists for your time today, it’s been fantastic. Lorraine, I’m going to take away the shared responsibility model. I really like the fact that this is everybody’s problem and therefore the implications are with everybody. Becky, great to chat around some of the, the fact it depends, which I have, I’m going to get myself a T-shirt with that on it now, and how to deal with some of these issues and the responsibility and Jon, thank you very much for giving us some insight into the data protection side of these things and what the implications are. So, again thank you very much for joining us.