The role of a chief information security officer (CISO) is not an easy one. Working with multiple variables to ensure the data protection of a major company can be seen as an endless and painful effort. In 2017, there was no shortage of major security threats: from the harmful ransomware campaigns, including WannaCry and Petya, to massive data leaks such as the Equifax incident, security incidents are increasing in number and sophistication.
It is easy to say that, in one way or another, these threats affect most companies around the globe. This reinforces the importance of using a standardized approach for security controls.
It is precisely this hostile scenario that Rafael Narezzi faces daily. As chief information officer and the person responsible for information security at TS Lombard, a London-based company focused on providing investors with the best combination of macroeconomic, political and thematic research across both developed and emerging markets, it is his job to make sure corporate data is protected.
Recently, InfoSec Institute had the opportunity to talk with Mr. Narezzi about key points regarding the practical use of standards and frameworks as a data protection measure.
InfoSec Institute: Which standards and frameworks are currently implemented at your company?
Mr. Narezzi: Currently at TS Lombard, we have adopted the NIST (National Institute of Standards and Technology) as our primary source of standards and frameworks.
InfoSec Institute: How were those standards selected?
Mr. Narezzi: Every action for managing cybersecurity risk follows a risk-based approach. We always consider that a breach may be imminent, and focus on reducing risks and closing any security gaps.
InfoSec Institute: What was the primary motivation for adopting security standards and frameworks at TS Lombard?
Mr. Narezzi: Our primary concern is avoiding any situation that could lead to a data breach. Since TS Lombard is regulated by the Financial Services Authority (FSA), a breach could not only impact our reputation, but also imply a substantial fine. Also, we like to think that our actions focus on being proactive rather than waiting for an incident to happen.
InfoSec Institute: What were/are the biggest challenges regarding implementation of standards and frameworks?
Mr. Narezzi: Facing a cultural change inside our organization was one of the most demanding challenges we had to face. That included special attention regarding board-level education, as many members with no technical background are required to cooperate in case a crisis happens.
InfoSec Institute: Do those standards extend to third parties? How so?
Mr. Narezzi: Right now, the standards themselves are not mandatory or enforced on third parties. What we do, as suggested by our company policy, is to have a strong preference for working with partners that take sufficient care of security risks, including doing a cyber assurance, ISO 27001, Cyber Essentials, Cyber Essentials Plus (desirable).
InfoSec Institute: How do you think using a standard for information security impacted corporate culture?
Mr. Narezzi: Security is a complex subject, and users and businesses are not very fond of complexity. Therefore, creating a cultural change is essential. One of the key points is making sure to build a cyber-educated company, one that understands that, even in entry-level roles, a security-unaware employee can be the source of a major incident, affecting the entire company no matter how much is spent on technical solutions. Working on educating and keeping the staff aware of current security threats is one of the biggest challenges.
InfoSec Institute: Regarding the standard’s implementation, what would you do differently?
Mr. Narezzi: From the start, a standard implementation must be adaptive and avoid excessive enforcement of rules whenever possible. Especially in the initial stages, I would recommend taking small steps so security efforts can embrace the company as a whole, focusing on changing bad habits as soon as possible.