Information security is all about operational risk management, according to chief privacy and information security officer at UBS Wealth Management Dennis Dickstein.
Speaking in a keynote presentation at the Cloud Security Expo in London this week, Dickstein argued that information security is not a technological issue nor is it about rules and regulations – stating it all boils down to how risks are managed.
“Let’s look at risk management,” he said. “The typical approach is to look at it from a ‘what has happened’ point of view. So of course set up your risk environment, then manage the risk, monitor the risk and then you disclose the risk.”
From an information security risk point of view, Dickstein explained there are various threat vectors that CISOs are currently having to contend with to safeguard against cyber-attacks.
“We worry about cyber-threats; we also worry about data confidentiality; there’s fraud risk; and then we can worry about other types of business risk.”
“So, speaking as a CISO, and I hope there’s a number of CISOs listening today, this is a lot to worry about. In fact, this is something that the CISO is expected to worry about – but we can’t handle all of this, how do you prioritize all of this?”
Dickstein reiterated the only way CISOs can attempt to juggle all of these challenges and deal with information security as a risk is to prioritize a risk management approach, which involves focusing on the five following things:
- Policies and procedures
- Response plans in the event of a breach
- Training of people
- Internal controls
- Third-party vendor threats
“There’s really two types of CISOs/CEOs when it comes to information security,” Dickstein continued. “One type is the one who has experienced a breach or a compromise of their systems. The other is the one who doesn’t realize that they have had a breach or compromise of their systems. Everyone has been breached.”
“The key thing is, be prepared to accept that you have been breached,” he added.
“At the end of the day, I am accepting a certain amount of risk. I’m not going to get rid of everything; I’m not going to eliminate every single risk. I will have a breach.”
To conclude, Dickstein explained that the key element of cybersecurity is people – people, not technology, are carrying out the attacks and people are the ones who try to deal with them.
“You don’t have to worry just about technology; don’t buy the latest gadgets, don’t buy the latest software, you have to worry about your people, because people will break things, and people can fix them.”