(ISC)2 Congress EMEA: A CISO’s Guide to a Successful Information Security Program

At the inaugural (ISC)2 Congress EMEA on 10 December 2014, Robert Coles, CISO of GSK, presented the lessons learnt from implementing an information security program.

After confessing that what keeps him up at night is “hacktivists, espionage, organized crime and SCADA security”, Coles suggested that whilst information security concerns are the same regardless of industry or company, the levels of concern and risk depend on the assets being protected.

Having served as CISO at Merrill Lynch, the National Grid and his current employer, GSK (GlaxoSmithKline), Coles has experience in securing a variety of companies with a variety of assets. “At GSK I worry about hacktivists and criminal gangs the most. At National Grid, it was SCADA,” he recalled.

“Anonymous have had a lot of attempts at [GSK]. We sponsored the 2012 Olympics, and they’re desperate for publicity so we became a target.” Whilst Coles stated his relief that the hacktivist organization has “not yet been successful at bringing down GSK,” he does admit that in 2010 during his tenure at National Grid, “they were successful at bringing down the internet connection of one of our peers.” So yes, he confessed, “hacktivists keep me awake. I also worry about staff stealing data – especially when they don’t perceive they’re doing anything wrong.”

Discussing the lessons he has learnt, Coles advocated gaining consensus on the most important things to your organization and focusing on those. “Either lower your risks, or accept them,” he said.

Coles referred to the independent benchmarking reports he commissioned in each of his roles and stressed the importance of ensuring that the benchmarking uses industry standards.

He also shared the success of the threat assessment and control workshops he ran at National Grid, saying they resulted in “budget and buy-in to build a 32-person team, whilst establishing the need of the function.”

In his current role at GSK, Coles has implemented his most successful information security program yet. “I hired external consultants to benchmark using industry standards, and ran a three-day strategy session with 85 risk, security and IT people using the ISF categories to explore how to reduce risk and improve security.”

Coles ran an internal skills assessment using the IISP skills competency framework, and ran 21 workshops covering key assets. He prioritized three key principles for the strategy: ensuring they had the right skills; supply and demand; and identifying and prioritizing the most important stuff. “I ranked everything so that I knew what to cut if the red pen was taken to my budget. Luckily, though, it wasn’t.”

His well-implemented plan resulted in clearly trackable goals and targets, overall risk reduction, buy-in throughout the organization, and “bang for buck on the ROI on security investments.”

Coles did caution against using benchmark results to drive exactly what your organization is doing. “Consider your own threats and risks,” he said. “If everyone did exactly the same, we’d all be equally vulnerable. So, focus on your biggest assets and biggest threats, and get your planning process started and get into the budget cycle ASAP,” he concluded.