As one of the largest human resources and recruitment firms in the world, The Adecco Group depends on highly secure and efficient systems to support its global operations.
With more than 35,000 employees, over 100,000 client organizations, and two million people placed into temporary and permanent roles every year, Adecco operates on a global scale.
At the helm of the group’s global IT security, risk and compliance operation is Alex Gomez who has responsibility for ensuring that employees, contractors and clients stay secure in an environment where emails and file sharing are key to business.
As a human resources and recruitment firm, the Zurich headquartered organization must be at the cutting edge of technology to deliver customer requirements.
In conversation with Infosecurity, Gomez shared how the company is combining AI analysis with human intelligence to keep employees and clients secure against cyber threats, the importance of cybersecurity leaders having a voice at board level and why cybersecurity should be a business priority.
Infosecurity Magazine: How do you tackle the recruitment industry’s need for efficiency with ensuring employees, partners and clients remain secure against cyber threats?
Alex Gomez: The best analogy I like to draw is to picture a sports car: information security is basically the brakes. We’re not there to act as a hindrance to the business, but rather, when you have a powerful engine, you need to be able to rely on the brakes.
There’s a lot of innovation we need to do, and we need to be agile about it, but it shouldn’t come at the expense of taking on unnecessary risks. You need to develop security models that enable you to be fast but also secure.
IM: How does the Adecco Group approach addressing the combination of focusing on both innovation and security at the same time?
AG: It’s a balancing act; I’ll give you an example which I think illustrates it well. Within the entire ecosystem, the element that continues to be the one that is most under attack and the most at risk is the human element.
Within the human element part, you try to do your typical security awareness training and educate the users so that you can reduce that risk. But it is difficult to find tools or other ways that you can increase that awareness around risk.
For us, we were asking questions around how can we help end users beyond things like training, awareness and phishing simulations? We ended up finding a vendor that is on the higher quadrant of the Gartner quadrant that helps secure inboxes.
That means the threats that typically would have come into users’ inboxes are not even presented to them. You can make it so that when it's detected in real time, you don't even give the user the possibility to interact with it, they don’t see it. That's one element.
Another element is triaging that. So, once you filter everything, in the odd case that something does get through that looks suspicious, users are given the ability to click on a ‘report phish’ button. The reported email can then be sent to an AI agent to analyze if it is safe to interact with or not.
If it's not safe, then the message is quarantined automatically. This type of approach can help reduce the attack surface a long way. That is the type of thing that we're looking at AI to help with.
IM: What challenges have you experienced around the implementation of AI at The Adecco Group?
AG: The biggest challenge is the misperception that many people think that AI replaces humans. That's not the case. With automation, we’re trying to enhance what humans can do, not take the human out of the equation.
For example, with the inbox security, we still have a user, a human in the security operations center (SOC) who is making a decision in cases where we have false positives, or an email gets flagged that maybe shouldn’t be.
As a recruiter, this is not uncommon. Quite often a recruiter would have a conversation with a candidate and the outcome of that is the candidate sending them an e-mail which is just their CV as an attachment. It’s this kind of situation where you need to adapt the implementation based on behavior.
IM: What do you think is the biggest challenge in cybersecurity today?
AG: I think there's an element of cultural perception around security which is still the case. In many companies, security is still looked at as a checkbox or as a hindrance.
Security teams are seen as the bad guys that are coming in and scolding people, lecturing them on how we're doing something wrong. In fact, we're enablers to the business. We're here to help the business.
I think that it takes quite a bit of collaboration where security must come in and prove their value, so we’re seen as partners and enablers, with people coming to us.
Then we get into a situation where we can start applying security by design - which is optimal, it really is the nirvana - but it's not a given, you need to get to that point.
Having worked in different companies, I have seen the whole spectrum. I've seen where there's a lot of maturity, where there's an understanding and then you're doing everything right from the get-go. But there are others where security has been an afterthought.
That is all tied up to the cultural awareness of security within a company, which is based on reputation.
By reputation, what I mean is what type of background you have brought from the company standpoint, whether you have been able to prove the value that you can bring to the table, that you can be looked at as a consultant and as a as a supporting partner, as opposed to “these are the guys that need to do the compliance checklist stuff.” When you have a checklist approach, this is what you fail.
The aim is to reach the point where the value of security is seen for what it is. The consequence of that is being able to create the culture where we are able to do security by design as opposed to having it as an afterthought at the end of the cycle.
IM: If you were to give one piece of advice to other CISOs, what would It be?
I think the one piece of advice that I would have primarily for CISOs is to have a seat at the table with the board.
To achieve that cultural change, it needs to come from the top and it needs to be understood by everyone. So, if you have a CISO who doesn’t have direct communication with the board, you are failing on the opportunity to show the value of security and to shift that mentality.
The other piece of advice I would add is as a CISO that you should probably be careful about what type of personal liability the company is able to offer you because in absence of that.
There's been plenty of examples from CISOs having to make a call, and of course, we don't know the whole context and what happened. But they made a call, and by making that call, sometimes the repercussion has been on them personally.
IM: What do you think is the biggest success cybersecurity has seen in recent years?
AG: Not to sound like a broken record, but I think there has been a mentality change, the fact that security is looked at as an enabler, that it is not seen as a hindrance, that it is sexy!
Yes, there is a shortage of cybersecurity professionals. But the fact remains, there's never a dull moment. You're not bored. There's continual innovation, continual new things, so you have to retool and re-educate yourself.
Then there's the technological advancement that is continually happening, which translates into all of us not being bored. There are always new challenges and always new things and that’s not going to change. You still will have geographical tensions, you still will have organized cybercrime, and you’ll still have the evolution of different technologies – and there's always going to be a need to secure those technologies.
If anyone is bored easily, then the area to go into is cybersecurity, because there's never a dull moment!