In this week's episode, Dr. Crane talks to Yiannis Pavlosoglou about Resilient Systems.
From supply chain shortages to natural disruptions from changing weather patterns, it seems everything today needs to operate while under some type of duress or attack. But what do CISOs need to know to create resilient systems? And what can we learn from other CISOs who've already gone down this path?
NIST defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. That's a mouthful, but what does it actually mean to build a resilient cyber program: to drive the change management such a program requires, and to put in place the governance, processes and procedures that go with it?
To discuss this and more, who better to talk with about cyber resiliency and governance than Yiannis Pavlosoglou, currently the Founder and CEO at Kiberna, and most recently the CISO for UBS in the UK.
In this episode:
00:00 — Highlight Clip
02:51 — Introductions
03:45 — What Is Resilience?
04:18 — What Works?
05:47 — CISO as a Change Agent for Resiliency
07:17 — Challenges Driving A Resilient Organization Forward
08:57 — Where To Look To Build Resiliency
11:11 — Challenges To Building Resiliency
12:30 — The Role Of The CISO In Leading Cyber Resiliency
16:21 — Tools For Building Resiliency
18:39 — What To Do Once You Have A Set Of Risks To Tackle
19:55 — References
21:24 — Sign Off
Yiannis Pavlosoglou:
LinkedIn — https://uk.linkedin.com/in/yiannisp
Kiberna — https://www.kiberna.com
Links in this episode:
Operational Resilience for UK Financial Bodies — https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
FCA on Building Operational Resilience — https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience
CERT Resilience Management Model — https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30375
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/007-resilient-systems-with-yiannis-pavlosoglou
[00:02:37] Earl Crane: Yiannis, welcome to the program.
[00:02:39] Yiannis Pavlosoglou: Earl, thank you for having me.
[00:02:41] Earl Crane: It's a real pleasure having you here. Today we're going to talk about something that's dear to your heart, and that's the role of the CISO in operational resilience. I wanted to see first, if you could provide a general introduction and a background on your experience as a CISO.
[00:02:59] Yiannis Pavlosoglou: Sure, and what an intro, thank you. So, my name is Yiannis Pavlosoglou. I hold a PhD in information security, and I'm also a CISSP. Recently, I've completed a 10-year tenure at one of the large financials, three years of which were in the role of UK CISO, a regional CISO, reporting, of course, into the group CISO. And before that role, I was responsible, as a change manager, as the head of change and operational resilience.
[00:03:30] Earl Crane: Let's start with a simple definition because I'm not clear on it. What is resilience?
[00:03:37] Yiannis Pavlosoglou: Resilience is being able to basically have a set of processes so that, when things don't go to plan, your organization is able to respond proportionally and have a response that makes sure that things continue, as much as possible of course depending on the disruption, to tick along as they did beforehand.
[00:04:03] Earl Crane: When you're looking at that, can you give any insights as you've built resilient organizations, what works and what doesn't?
[00:04:12] Yiannis Pavlosoglou: Good question. So, if we look at things that work, it's typically a set of processes that interlink, that are able to have oversight of the process as it operates, and that also live and breathe an evolution. So they're not static processes; they're able to adjust, evolve, become better. And those processes tend to be at the core of what we do in security as well.
[00:04:39] If we then look at the role of a CISO, with resiliency in mind, we have a set of processes involving protecting the organization and being able to absorb those types of malware attacks or phishing campaigns or anything similar. That is being resilient in the context of cyber and information security.
[00:05:00] Yiannis Pavlosoglou: Similarly, on the opposite side of the organization, people who are not experts in cyber and information security, who make the organization viable, are becoming accustomed to this mentality of not if a disruption happens but when. To be able to identify what is key, to be able to plan for that, and not to deal with technology, business continuity or business processes as separate areas, but actually look at things holistically, front to back.
[00:05:32] Earl Crane: So it sounds to me like the CISO is a change agent for resiliency. And for the CISO to be able to drive that forward, to enable resilient processes in their organization, where they hold standing in the organization is going to matter. What's your perspective on what the CISO needs? Does it matter where they report to, where they are in the organization, to be able to be that change agent for resiliency?
[00:06:00] Yiannis Pavlosoglou: Yes, and no two CISO functions will be the same. I haven't found any two organizations that have either common reporting lines for the chief information security officer or chief security officer. So it really depends on how an organization is set up. What are the common reporting lines? Either into the CIO, the CRO, sometimes the CTO, or directly to the CEO as well. So that's around reporting, just an average assessment of where you see the CISO report into, depending on size, complexity and also type of organization.
[00:06:37] Yiannis Pavlosoglou: Going on to the point of change management, a very important point. Any cyber program in an organization is a program of change. You need to have people that are not only good with cyber terminology, but you also need to have people that are trained on topics of change management. Questions like: how much change can an organization absorb? What is the process of adopting a new technology? How to look at establishing processes and improving them.
[00:07:02] Earl Crane: So it sounds like you've had some experience seeing successes in reporting structures or driving changes forward. Can you provide any insights, examples or situations where there was a challenge to drive a resilient organization forward because of either reporting lines or change management?
[00:07:24] Yiannis Pavlosoglou: So I have been fortunate enough to have mentees, people that I've mentored, in other organizations, who've said to me, "I can't pin the decision of responsibility for this topic on any one individual or function. It typically has to go to committee and oversight and so on."
[00:07:47] Yiannis Pavlosoglou: That would be a key area where a resilience program would drive out an improvement activity. They would report a risk around being able to basically name the individuals, either accountable, responsible, or even consulted in some cases, for the specific decision-making process. So then from that would come a change activity, which would be: we then need to define, for these responsibilities, who is the person in the role who's making that decision, and also what is the process of governance for those decisions.
[00:08:27] Yiannis Pavlosoglou: That's one area of change management where we often see improvements needed, where organizations typically run that federated model, where there's just a little bit too much democracy in some of the decision-making processes that they might have.
[00:08:42] Earl Crane: So an important takeaway from that is, at the starting point you need to have a named individual, you could say a neck to choke, who's going to be in charge of driving that resiliency. Because if you can't pin that decision authority, it'll go to a committee, and it's difficult to move anything forward.
[00:09:03] Are there any other key steps that you would recommend when someone is starting up, looking at building resiliency into their security program?
[00:09:13] Yiannis Pavlosoglou: One of the key steps looks at the handovers between different parts of a large organization. Those are typically points where you have low tolerance to any sort of change, which can have a big impact and can cause the process to fail. So imagine a delivery line that then leads into, let's say, the packaging line, but somehow those two are not interlinked, so that if the delivery line speeds up or slows down, the packaging line does not do the same. Therefore, in a simple manufacturing example, you would have empty boxes or boxes with partial products leaving the factory. That point of handover is key, and we also see that in the context of cyber and information security. For example, when you have a potential incident that comes in, corresponding to a couple of emails, you investigate whether that's a phishing campaign or not, and then look at whether the organization's being attacked. That typically requires a handover to another team within the world of cyber and information security.
[00:10:24] Yiannis Pavlosoglou: So that process is consistent if the handover allows for some form of elasticity. That's one example outside of governance, just looking at the nitty-gritty detail, where you need to make sure that one part of the organization talks to the other part of the organization about what is going on. And always in that oversight capacity of the person responsible, reporting up the factual changes that they're experiencing due to those disruptions.
[00:10:56] So just like in supply chain logistics, a great example, the weak point will be the handover point, and if there's a breakdown in communication, that's where we can run into a challenge.
[00:11:07] Earl Crane: Can you provide an example of a time where you had a challenge in driving resiliency in the program, and some of the ways you overcame that?
[00:11:17] Yiannis Pavlosoglou: Resiliency is a relatively infant field. Questions get asked. Typical questions involve: "That disruption that you're describing is not going to happen." Or: "We've dealt with disruptive events beforehand, and we've survived. What's the big deal here?" What you're trying to do here is actually build a collective consensus within the organization that when something goes wrong, there's a culture of reacting to it.
[00:11:45] Now, to complement this whole process, you need to be able to, through your change program, allow for that culture to basically adapt to it. It's actually part of the fabric that the organization has.
[00:12:03] Yiannis Pavlosoglou: They have handovers between them. The right oversights are in place. And frankly, the difficult questions get asked between people as to if a disruption happens, would we be able to sustain it?
[00:12:15] Earl Crane: So I like this idea, your focus, that you need to build a collective consensus. You're building a culture for operational resilience. And if you're going to try to shift that, from a reactive to a proactive function, you're trying to break down silos so that teams don't see it as throwing an issue over the wall; part of resilience means that those hand-offs between teams are more effective, building those more effective processes for that operational resilience.
[00:12:49] Earl Crane: So what is the role that the CISO has in leading that change and driving that hand-off and process excellence?
[00:12:58] Yiannis Pavlosoglou: So we are left in 2021 with a new term cobbled together from two words, cyber and resiliency. And if we think about some of the attacks that we've been seeing recently, you have that term materialize. Effectively, the role that the CISO has is to build a cyber resiliency program. When it comes to cyber resiliency, we want to be able to make sure that if we're dealing with a disruption that has a malicious threat actor, then that is part of a resiliency response plan. You cannot have the rest of the organization learning about dealing with disruptions and not cater for the fact that some of those disruptions might come from the domain of cyber and information security.
[00:13:50] Yiannis Pavlosoglou: Practically, for the CISO, that means two things. First of all, they need to have an ambassador, or many ambassadors actually, in their team that understand resiliency, are able to sit at the same table with the people that are looking at operational resilience, and are also part of those initiatives to change the culture and look at processes and handovers more holistically. Second, that chief information security officer needs to be able to report back disruptions they're experiencing, something like a mass phishing campaign, straightforward, most organizations have them, which could actually be a precursor to a larger disruption. Attackers will often send an extortion email that will then be followed by a specific activity that involves DDoS, and then in some cases ransomware after that.
[00:14:50] Yiannis Pavlosoglou: In order for a CISO to be able to react to that, they need to have mastered cyber resiliency within the organization. So they need to have mastered the ability to capture any extortion email that comes through, regardless of where it lands in the organization. They need to be able to then look at and deal with a DDoS in a way that allows for the organization to respond in the most effective way.
[00:15:16] Yiannis Pavlosoglou: And then also finally, when a specific ransomware attack comes, they need to be able to make sure that that is not successful. Linking those three together is where the resilience becomes part of what a chief information security officer needs to do.
[00:15:34] Earl Crane: So, you mentioned two key things that an organization needs, or a CISO needs, to be able to deal with disruptions. You said that you need an ambassador, and that sounds to me like a BISO or a BSO, a business information security officer or a business security officer, which is the CISO's representative embedded in the business.
[00:15:56] Yiannis Pavlosoglou: Yes. So that would be one form of an ambassador role that is facing off or more closely aligned to what's happening in the business within respective divisions.
[00:16:06] Earl Crane: So, if I can paraphrase some of what you said. The role of the CISO in building that resilient organization is that you're part leader, part orchestrator, and always cheerleader, trying to link these other processes together and to advocate, through training and awareness, to build that program.
[00:16:27] What have you seen? If you were to go into another organization next week, and they said we need to make this more cyber resilient, what are some key things you would make sure to have in your tool belt?
[00:16:38] First of all, we need to be able to identify what's important to that organization. And we're used to that as cyber professionals, in the context of either a crown jewels exercise, or what's critical infrastructure, or something similar, but that's only the tip of the iceberg. So being able to identify how the organization makes money, what is revenue generating, what are the processes supporting those corresponding services. That's key for a CISO as a starting point.
[00:17:09] Yiannis Pavlosoglou: Then there's a deep inspection that needs to happen as to what has worked thus far. Patching vulnerabilities, dealing with phishing, and similar low-hanging-fruit types of attacks. With that second ingredient, we get a view of what's actually in place now, today.
[00:17:32] Yiannis Pavlosoglou: And then finally, we need to know where we want to take that organization. Are we going to be expanding a program that has a multi-year span? Do we have the budget for that or the resources? That's the third and key element to be able to then start planning your change activities.
[00:17:54] Yiannis Pavlosoglou: And the output is a set of risks that we either want to tackle, contain, or simply assign. And depending on the level at which we want to contain those risks, we build the corresponding change program that gives us the goals to be able to target these areas. Those are the three key pillars, or constituent ingredients, that any CISO needs to master cooking with and bringing together for a successful cyber change program.
[00:18:24] Earl Crane: Now, you said the output of that is a set of risks to try to tackle, to build that change program. If that's been dropped in your lap, "go build us a resilient cybersecurity program", what should you know, and what should you do, as a CISO?
[00:18:41] First of all, you need to have a set of staff that are outside the traditional technical knowledge and space of what we teach in undergraduate, master's, and in some cases even post-graduate programs. You need change managers, you need lawyers, you need risk managers. You need people of all backgrounds, definitely of all ethnicities, because a more diverse workforce, when embarking on a change program, gives you better results, as is well documented.
[00:19:11] Yiannis Pavlosoglou: So it's an alignment exercise, Earl. What we're looking at is being able to focus and align a group of people, that often have very little in common, under a goal that corresponds to terminology that is relatively new. And set them off in that direction, with clear deliverables and goals that will help them achieve that mission on the vision that you've set.
[00:19:40] Earl Crane: Thank you. I think that's a great point to end it. Are there any sources that you would recommend? Where should people go to learn more about operational resilience?
[00:19:51] Yiannis Pavlosoglou: There are a couple of publications specific to the finance sector on defining operational resilience, as part of what the UK is doing in the context of financial bodies. Those don't only apply to banks. And I think looking at that work will satisfy the more technical people. They'll learn more about impact tolerances. That's one really good starting location. The UK Financial Conduct Authority and the respective press releases on how to build operational resilience, even if you're not in the financial sector, are a great starting point, just helping define that evolution of disruption under the term of cyber resilience. It's definitely worth a Google search.
[00:20:37] Earl Crane: I also want to highlight the Carnegie Mellon CERT Resilience Management Model, the RMM. Have you had a chance to look at that any?
[00:20:48] Yiannis Pavlosoglou: Oh, yes, indeed. Really fascinating work at Carnegie Mellon.
[00:20:52] Yiannis Pavlosoglou: I remember when it first came into my hands, it was one of those books that I couldn't stop flicking through the pages, and it almost had an answer for all... There it is. CERT Resilience Management Model, CERT RMM. A little bit more advanced, but a great book to set the scene on resilience.
[00:21:09] Earl Crane: I think that is fantastic. I appreciate that. Appreciate you taking the time to share the insights about what's worked for you when building a cyber resiliency program. Yiannis Pavlosoglou was most recently the CISO of UBS UK, just recently left that role, and is now an independent consultant and advisor. How should people get in contact with you if they want to reach out?
[00:21:36] Yiannis Pavlosoglou: LinkedIn is probably the quickest way. Happy to answer any questions on cyber resiliency and topics we've discussed here. Thank you, Earl.
[00:21:44] Earl Crane: Thanks so much for joining us. Appreciate it.