Public Consultations Ignored when coming up with IT Security Policies-Wahome

0
77
George Wahome,IT risk manager and information security specialist,

 

Technology played a central role in the just concluded general elections in Kenya that have since been nullified. Kenya is also a tech hub in Africa with most of its processes having been automated. With so many important processes revolving around technology, it is only natural that people will be concerned about cybercrime which has been a thorn in the flesh for users in the country.

Techmoran had an interview with IT risk manager and information security specialist George Wahome who helped shed light on the current IT security situation in the country and the part of public participation in coming up with the right policies.

TechMoran: Describe a typical day for an IT risk manager and information security specialist.

George Wahome: Typical days involves an early morning, typically 4:30 a.m. and thereafter preparation to head to the office to catch-up with the happenings in cybersecurity before the usual day activities start. Non-working days are not any different as usual routines apply – this can be perceived as being a workaholic, however these are some of the perks of working as an information risk and security consultant in such a dynamic field. The hour’s that follow are a combination of meetings, reviewing deliverables of on-going projects, drafting proposals, coming up with new approaches to information security challenges that client’s face and conducting proof of concepts for sales pitches.

TM: What approaches do you use to ensure that the organization you are working for is guarding itself against cybercrime

GW: The cybersecurity challenge is becoming an IT Security practitioner’s motivation to deliver change. The three aspects of it; people, process and technology are inherently vulnerable depending on organizations at varying percentages. The greatest task is to create awareness across the organization, as the human aspect is always the weakest link that lowers security maturity on process and technology. Be it, competence to convince on the need for higher budget to address key controls to ensuring compliance to security governance controls is measurable. My approach to cybercrime revolves around building capacity and skill sets required to collaboratively address the challenge through consulting for various companies.

TM: What are the best tools to use ensure an environment free of cyber-crime in an organization?

GW: As eluded, technological tools are just enablers for control enforcement and are therefore as good as the people who use them or configure them. The corporate culture has a lot more to do with exposure an organization has compared to technology deployments in the IT environment; hence the best tools should revolve around maturing the security governance through real-life examples of what could go wrong. I have done consultancy work across 9 countries in Africa and essentially the goodwill to deliver change is pegged on the resilience of the driver of change. Many tools are designed to provide cyber resilience since it is apparent that offensive security will always be steps ahead of defensive security approaches/ tools such as SIEM, DLP, UTM’s, IDS/IPS etc. but I always question the maturity of the deployments and if indeed there is value on investment in as far as achieving proactive detection and mitigation of threats is concerned. Moving from compliance to security focus requires adequate tooling/ enablement through the information of the stakeholders from top down and bottom up.

TM: What are some of the milestones that Kenya has achieved as far as cyber security is concerned to make your work easier

GW: Kenya since the promulgation of the new constitution in 2010 has made commendable progress in creating a favorable environment to drive cybersecurity agendas. The development of a National Cyber security strategy amongst other policy, standards, regulation and legislation initiatives such as National ICT Masterplan (undergoing implementation) and Cyber-crime bill (in draft) is a clear testament that we are in the right path. All through, ensuring public consultations are embedded in the process of drafting these documents. My only disappointment is on the extent public input is put into consideration, from experience I was one of the few Kenyans who provided significant feedback (approximately 15 areas) on the National Cybersecurity Strategy once released for public input and to my disappointment, the final copy did not reflect any of the issues raised as there was no change to the draft. Nevertheless, government agencies, citizenry and corporates can leverage on available/ ongoing development of policy and legislative documents to collaborate on various initiatives or independently develop execution paths and roadmaps.

TM: Would you say that Kenyans are aware of cyber-crime or more needs to be done

GW: Definitely more needs to be done. The citizenry has become a target of cyber-related attacks and cases are increasing at an exponential rate based on information availed in the public domain. A recent global report by PwC indicated there is a 38% increase in detected information security incidents; the numbers have become numbing, year on year, cyber-attacks continue to escalate in frequency, severity and impact.  The awareness challenge has been taken-up by a collective of security practitioners going by the name, AfricaHackOn.

TM: Would you say that Kenyans are aware of cyber-crime or more needs to be done

GW: Definitely more needs to be done. The citizenry has become a target of cyber-related attacks and cases are increasing at an exponential rate based on information availed in the public domain. A recent global report by PwC indicated there is a 38% increase in detected information security incidents; the numbers have become numbing, year on year, cyber-attacks continue to escalate in frequency, severity and impact.  The awareness challenge has been taken-up by a collective of security practitioners going by the name, AfricaHackOn.

TM:What needs to be done as far as sensitization is concerned

GW:There is significant public awareness and collaboration that is required to effectively respond to cyber-attacks. Notably, the national cybersecurity strategy has recognized the need to build national capability and what needs to be increased is the number of initiatives that empower the Kenyan public to be safer and secure online.

TM:When allocating budgets for their functions, most companies do not give the information security departments much money. How can an IT security manager cope in such a situation?

GW:The reality is that the information security department is a cost-center and with that in mind, the manager should create value from the allocations provided and position the objectives of the department such that they speak to the business strategy. Of significant consideration is a demonstration on reputational damage, financial impact, regulatory and loss of intellectual property; this best works through real-life simulated scenarios. The burden of proof is however on the manager to demonstrate impact and to provide a return on security investment. Of importance is internalizing the security principles and looking for smart open-source solutions to achieve the same objectives initially while working on having higher budgets approved based on need.

TM: How can one cope in an environment where there is no compliance to some of the data protection measures a manager may out in place?

GW:Data protection has always been a thorny topic in most organizations as it has become a challenge to comply with set governance measures. The basics of data protection lies in data classification and I therefore think that should be the starting point and thereafter enforcing policies defined with technology tools based on use case. A variety of commercial and open source tools such as Data Loss Prevention (DLP) are available with varied functionality. What is of most importance is to embed data protection to the staff awareness sessions, creation of a responsibility matrix based on risk posed to data as classified and device ways of detecting and/ monitoring adherence to the relevant policy.

TM:How do you choose the security tools to use for your organization? (how do you know the best one to choose)

GW: The choice of security tools to use is largely dependent on the objective to be achieved. I find doing extensive research on available options with a keen eye on online reviews. It is important to note that most times depending on the objective alternative non-tool related solutions come-up especially related to people and process aspects of security; at times prerequisites that facilitate the maturity of the tool upon deployment. Tools are as good as the build in functionality, use and implemented configuration.

TM: When you are asking for a tailored tool for IT surveillance, what do you look for?

GW: The importance of threat intelligence cannot be over emphasized and hence the need for a way to do surveillance/ monitoring. When looking for such a solution, the ideal approach would be to work backwards, by ascertaining the outcomes; what to be reported, what devices and activities are in consideration. Thereafter, assess the available options as mentioned earlier. The decision of whether to go for an enterprise-grade commercial security incident and event management solution (SIEM) or to go open-source is dependent on the end-game, the customizations supported and solutions available.

TM:  What are some of the challenges that apply across the board for IT security managers?

GW: One of the challenges for an IT security manager revolves around getting the right talent, getting buy-in from the board for security budgets, creation of metrics to assess improvements in security programs and enforcement of security controls. It is said that you cannot teach old dogs new tricks, this is one fact that has been a challenge as there is a preference to maintain status quo. Nevertheless, in these times of heightened advancements in the cybersecurity space, we have no choice but to adapt accordingly.

TM:Are more companies investing in IT security consultancy?

GW: In the wake of increase in cybercrime, companies have seen the need to engage consultancy firms in assessing their exposure. The more the incidents hit the headlines the more questions linger into just how secure the deployed information systems are, the ripple effect is creation of awareness, which is very much needed. This however, does not mean the only solution to building the capability is through acts of cybercrime in the

TM: Highlight some of the achievements you have had in the span of your career

GW: There have been a number of key milestones in my 8-year career. Moving into consultancy has been at the pinnacle of my achievements. Working in different client sites in 9 countries leading more than a dozen projects has been a combination of working long hours, satisfaction when the client appreciates the deliverables and dynamism of different cultures and perspectives. However, the most fulfilling as it is where my passion lies is ensuring a five times growth in information security business for my employer and at the same time seeing measurable progress in security maturity of my priority clients (some having a regional footprint) due to my inputs at various stages to their security program.

TM: What have been some of the most stressful moments in your career?

GW: Stress is one of the perks of being an information security consultant, therefore I have numerous moments. I say this because every project has its own dynamics and the nature of the job is such that you are required to work outside your comfort zone.  The memorable one is the execution of a project for a global company whilst managing two members of my team. The job required working a minimum of 12 hours straight due to tight timelines for 2 months while doing plenty of research, planning and executing in 6 countries in Africa.

TM: What is your advice for people who want to take up this career or consultancy in the field?

GW:The advice is simple, have passion for the trade, if that lacks, it is not your ideal career choice for you. You may ask, how do I know if what I reckon is passion is good enough? Well, if you don’t spend long hours in front of your laptop (like a crazy guy) typically doing matters cyber security, then you got your answer.

Finally, a brief background, I work as a Manager with PwC’s Risk Assurance Line of Service, prior to which I worked as an Advisory Manager with EY before moving from Safaricom Limited, IT Department.