DINIS CRUZ, CISO OF PHOTOBOX GROUP ON HOW TO IDENTIFY, COMMUNICATE AND RESOLVE CYBER SECURITY RISKS.

Dinis Cruz is the CISO of Photobox Group. With a revenue of over £300m and around 1300+ employees, they have grown massively in eighteen years since being founded at the start of the millennium.
Photobox are thriving due to their digital presence, whilst other traditional high street retailers are struggling, but they rely on strong cyber security to ensure they remain protected online.

1) WHAT IS THE SINGLE MOST IMPORTANT FACTOR FOR CISOS TO REMEMBER WHEN BUILDING A CYBER SECURITY TEAM AND HAS THIS CHANGED OVER THE PAST 3 YEARS?

So, I think the most important factor when we lead a team is the understanding that security has to be in the neighbourhood. So, I take the view that our job here is to alter the top and the bottom line of the company, and we have to find ways to empower and enable the business, and I think that has changed in the last couple of years. Security is moving from being very active, to the Department of now, to basically the bond that empowers the business. I think having a service-based mentality, where we take the view that our job is to help, our job is to facilitate, our job is to allow the business to make good decisions, is a very, very important factor in how we position everything. When you look at the way we manifest that, vulnerabilities in our graph-based world, it’s all about allowing every player to make good decisions, and security has an amazing asset, which is that we sit at the epicentre of data, so we are almost the only entity in the business that can talk to anybody and get data from anybody. The question is what we do with it and how we feed that data back to the business and work with them, helping them to understand the side effects of what they’re doing, because fundamentally the business makes the decision. The business at high levels can choose A, B and C; our job is to make sure that they understand the side effects of A, B and C. So when you build a team and you build a new structure, that should be the centre of gravity where everything comes out of.

2) WHAT DIFFICULTIES DO YOU ENCOUNTER, BOTH DURING THE HIRING PROCESS AND THE FEW MONTHS AFTER?

I think this is the culture fit, and so we, in the massive process of change, I find that the hard part is not the technical change. The hard part is finding somebody that has the right fit for the change that we’re trying to do, has the right sort of level of energy, because we move very fast here, the transformations are very common and you kind of need to have a certain personality. That’s not to say that we only cater for this type; if you look at our team at the moment it’s quite interesting, because if you look at the Myers-Briggs and the whole sort of personality test, we do have a wide spectrum, but they all love to learn, they are all passionate about what they do, they all want to drive change, and I think that’s the hard part. One of the things I’d really like to have more of is actually the diversity element. And I agree with you, I don’t think there’s a skills gap, I think there’s a lack of skills – there’s a mapping problem in our skills, where I would say the talent pool that we sometimes see is not as diverse as I want it, because it’s very easy to say “I’m looking for an AppSec specialist” and it’s very easy for the market to just go “Well, unless you’re an AppSec expert, I’m not going to apply”, but actually, if you’re a great engineer and great at development, the jump from that to application security is very minimal, right. It’s almost the other way around. If you have somebody who’s in AppSec, he’s not gonna be good enough, because the opposite person I want is somebody that’s there for a C-level presentation in the morning followed by a threat model for my quarterly review, so you need to have a wide skill set, and if you don’t have very strong engineering skills, it’s not gonna work.
So I think there’s an interesting mismatch sometimes when we say we want that sector, when actually that’s what we want the person to be, but there are other skill sets. If you have a great data designer, who just deploys a great service, those are things that might make a great application security specialist, especially if they’re passionate about something, but that’s the key requirement: they have to have that understanding of security. Security has a different element, which is that passion about how does it work? And the vulnerability element and the fixing element are definitely a lot more dynamic, I would say, than in any development. In fact, developers say “this is the brief, can you do that?” and that’s it, whereas security has these other really cool side effects, so I think security is a really great career and I think it’s essential for development. I’m a better developer because I learned security; security makes me ask the questions why? How does it work? Why does it do that? What are the side effects? So, magic is not a good thing in security!

3) HOW DO YOU ASSESS CYBER SECURITY TALENT WHEN RECRUITING?

So what we do with a person is we first see if they fit our culture, so we try to see if they are a good fit, and then what we do is we share what we do, very, very often: we show the JIRA stuff, we show the graphs, we set them a challenge. We say ‘Look, this is what you are going to do’, and the right candidate looks at it, gets excited and starts saying ‘Well, that’s not very good, and I can improve that’, and that’s a good sign. If they’re excited about where we are and the path we’re going and what they can do about it, that’s a sign. We do this thing sometimes where we get everybody to make a recommendation; they give a one-liner about a candidate, and if you don’t have a one-liner on why you think the candidate is amazing and you support it, even publicly, then that’s already not a good sign.

4) WHAT ARE THE TOP 3 CHALLENGES YOU FACE WHEN TRYING TO GET CYBER ON THE AGENDA AT BOARD LEVEL?

I would say having good data, figuring out the story that we want to tell them, and translating that into the business, into what they require. So, we started by doing a massive mapping at the bottom, with me going up so I could come down: this is the top-level risk, we’ve done what we can from the bottom up, so we’ve mapped each of those. We map the risks so we’re arriving at the top from the data here, so that means that when we’re saying ‘Hey’ at C-level and above, we have X, we have the evidence, we have the tree that supports that piece of evidence. The interesting part that we didn’t know is how do we tell those stories, how do we translate this into something that relates to them, and that’s all about the why. The why is when we talk about here’s a set of risks and then why they matter, and we say why they matter for that audience, which is very powerful, so it is like saying you care about X, let me tell you, in your frameworks, in your mental or business models, why these problems matter there. It’s very, very good because it has an ability to be a kind of self-correction: if you go to a marketing person and you talk about something that doesn’t relate to them, they’re gonna go ‘I don’t get this’, right; the same thing if you go to a product person, if we talk about stuff that affects the brand, they might go ‘Well, actually, I’m more about shipping things’, right; so then go to the finance person, and if we talk about production, they say ‘I don’t care’, but talk about the financial cost of X and they go ‘Well, actually, I really care about that’. So this actually forces us, for every audience, to understand what they think about, which is their centre of gravity, and then translate our message to them.
So the power of what we do is we create a story; around that story you have these universal tickets and the graph, and then we reverse that per stakeholder and figure out the storyline for each of those.

5) WHAT ADVICE WOULD YOU OFFER A CISO ABOUT COMMUNICATING THE IMPORTANCE OF CYBER SECURITY OUTSIDE THE SECTOR?

Well, I’m a big believer in openness. I think we need to be as transparent as possible, because it’s also very efficient. I think there’s a line where you say, ‘Okay, I’m not gonna share customer data, we’re not gonna share this critical stuff’, but, apart from that, I think most people are afraid to just share it. I believe in open source and Creative Commons because it’s also very effective, and from a hiring point of view I can tell you that two of our best hires probably would not be here if we didn’t have such an open approach, and if you go to our blog, you know, if we didn’t have that sort of openness to communicate, right, and I think that again should be an important part of your strategy. I think that it also helps to have a more honest relationship with multiple clients. If you are transparent with them about the good and the bad things, then it also helps them to understand better what we do, so we use regular briefings to management on incidents, and sometimes they ask ‘Sorry, why did that exec only just get that report?’ We do that regularly; we actually try to keep them aware.

6) WHAT TOOLS AND TECHNIQUES DO YOU USE TO GET CYBER SECURITY CONCERNS ADDRESSED AT BOARD LEVEL?

So I’ll say that the fact-based approach, the graphs that we create, these are the truth. I mean, we use JIRA because it happens to be a good data store, but we could have built the same thing on top of GitHub or other places. The key tool, I would say, is our graph, because our graph is what gives us the data and the solidity of the evidence to say this is a problem because of A, and they say, why is that? Because of B and C. And why is that? Because… so we can now go as deep as they want to, which is kind of a tool in itself, and then they start to trust the fact that when we say A, B, C, we have solid evidence for that.

7) IF YOU HAD TO SEND A CYBER TEAM 5 YEARS FROM NOW, WHAT BATTLES WOULD THEY BE FIGHTING THERE?

It depends what company sector you’re in. I definitely think there’s a field where AI is gonna be a lot more prevalent, but I think that the graph-based thinking of hyperlinking data and codifying your workflows and creating these visualisation frameworks will still be used five years from now. The big change that has happened is the whole surveillance stuff, the whole ability to create an infrastructure that is so much more real-time, so much more streamlined, and the innovation is just gonna be much more effective. So, I think that in that world, five years from now, that is probably gonna be a lot more prevalent, but the ability to think in graphs and codify your thinking is probably the best skill set I think you can have that will still survive five years from now.

8) WHAT DO YOU THINK THE BIGGEST RISK WILL BE IN THE FUTURE?

I think the biggest risk is happening now. It is the professionalisation of the criminal business model. The evolution of that model is a real problem right now. There are some people who have really advanced attackers, but they also have a really good security team and they don’t care, and they eventually learn, but the problem is the criminals have business models and they evolve, and you can see that the evolution of the criminal business model still drives a whole number of expectations, and I think that’s the danger. The danger is that we are still making it far too easy for a lot of these criminal activities to occur, and I think the view that our security model is based on the attacker making mistakes, so they’re always gonna make a mistake, there’s a mistake, he’s sensing that was not supposed to happen. I think the lack of visibility is what allows a lot of these attacks to occur, so I do feel that the biggest danger we have is the evolution of the criminal business models and not understanding when we allow those things to occur until it gets too late.

9) WHAT DO YOU THINK WE COULD DO TO ADDRESS THESE FUTURE RISKS?

I’m a big believer in visibility, and I think there’s a very extreme balance between the things that government needs to do and the market needs to do. So, clearly the market for software development is not working, the market for security is not working, because, it’s what Rish Nya talks about, the externalities: when people put out horrible code, they don’t pay the cost of the vulnerable code, so there’s a pollution problem that we have, and that’s a great analogy. I think then if you have visibility, what happens? You allow the market to correct itself, so if the company doesn’t care about private data, maybe that’s fine, but we should know about it. It shouldn’t be their marketing department that determines their visibility, or their posture in security. In the same way that in food we have standards, we have all sorts of things, I think there has to be a balance, where the current way we push in this code and allow code to govern our lives with no accountability, no traceability, no understanding of what’s going on in there has to change, and then the market corrects itself. Then the places where we need high resilience will have high resilience, and the places where we can afford to have more flexibility, or more creativity, or less resilient systems, that’s fine, but that should not be determined by how good their marketing department is, or by whether they have been attacked or not, which is what happens today. Today the security posture of a company depends on whether you have been attacked and how good your marketing department is, and that’s it.