
Harnessing Advanced Innovations And Human Intelligence In Information Security

Urmas Aamisepp, Head of Information Security, Epiroc

Urmas Aamisepp is the Head of Information Security at Epiroc, serving in a consulting role and delivering strategic advisory services around cybersecurity in many industries, including energy, IT, defense, chemical, retail, and government. Aamisepp has garnered broad experience working as a senior consultant with strategic management consulting, followed by 12 years in Chief Information Security Officer positions. His core competencies include analytical skills, governance, risk and compliance (GRC), and information and IT security (strategy, roadmaps, ISO 27001, NIST, security architecture, contingency planning, and others). At the moment, Aamisepp is trying to decode business processes and apply the correct, risk-based level of security needed to keep them running uninterrupted but with reasonable security. 

In an interview with Enterprise Security magazine, Aamisepp sheds light on how advanced innovations, proper teamwork, and correct guidance from CISOs can enhance information and enterprise security. 

In terms of information security, are there any promising trends you have observed being prevalent?

Generally, the threat landscape is constantly changing and is turning out to be multifaceted. In terms of information security, threat actors have become more sophisticated and technologically advanced as they leverage artificial intelligence in incorporating deep fakes in business emails, including fake voices and images. Furthermore, as soon as the global business landscape started to adopt the remote working culture due to the pandemic, the scope of cyberthreats broadened with it. Suddenly, companies were required to find ways to manage and monitor the IP security of their employees’ homes and keep in check the latter’s behavior and vigilance in such environments. 

Another trend I witnessed is the deepening and widening of the trust landscape. Just as threat actors use the latest technologies to fulfill their criminal notions, we can protect ourselves with the same, such as leveraging artificial intelligence and machine learning to enhance information security. 

How do you think CISOs can capitalize on the latest advancements in technology?

Today, the baseline of normal business operations in every company translates into having a robust AI/ML infrastructure. Incorporating the latest innovations, like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), enables businesses to identify anomalies in their information security efforts, get alerts and forensic information in real time, and investigate them efficiently. In addition, these innovations automate the response of businesses to incidents, meaning that they do not require more manual labor in their security operations center.

In a nutshell, investing in advanced technologies will help CISOs show faster and more accurate responses. However, gearing up with these innovative tools requires proper documentation, training, and testing, and a CISO needs to have these processes in place as soon as possible to secure their information better. 

Can you walk us through some of the best practices you have incorporated to help all organizations you work with?

People often mistake the domains of cybersecurity and information security to be incomprehensible, but in truth, they are very much based on common sense. All they need to do is understand the basics and scour for the crown jewels, such as pre-patent data, intellectual properties, financial figures, algorithms, and so on. Next, they need to ensure the classic CIA triad: Confidentiality, Integrity, and Availability. Confidentiality in information security is typically about data and ensuring that it never gets corrupted. From the integrity point of view, the data must always be protected—intentionally or unintentionally. Lastly, availability is about making sure that the information is available to those who need it, whenever they need it. Also, whenever it comes to the availability of information, accountability and traceability must be ensured.

Furthermore, another important thing is to base your work on actual risk. I have witnessed several organizations aligning security efforts on the sole foundation of compliance. Most times, they look at ISO 27001, NIST, or other standards and, based on that, incorporate security solutions. 

However, this practice does not secure information but only makes it compliant. If businesses just focus on compliance, it will let them be compliant and pass an audit with flying colors but have poor security. To that end, companies must conduct risk assessments to identify the current risks and then apply the security controls to different degrees based on them. 

Would you like to highlight any GRC-related developments useful for industry leaders?

The frequent emergence of newer regulations and compliance guidelines presents a constant challenge for companies worldwide. However, the most challenging feat is to find a common denominator of all these compliance rules that will allow the proper handling of information. I think industry leaders can achieve this by ensuring good cyber hygiene. In addition, they need to master data management and classify different sets of data in order to protect them.

I firmly believe that if businesses comply the right way from the beginning, it becomes easier for them to assure customers that their data is in safe hands. It will also inspire customers to give more data, giving them the scope to provide better services. However, as privacy regulations differ from country to country, figuring out what needs to be done region-wise is a challenge. To counter it, businesses need to house a legal team, especially if they are international companies. The team would help them follow the rules prevalent in different nations like China, Russia, the U.S., and so on.

For those from the EU, GDPR guidelines are easier and simpler to understand because they have been in the market for over two years. Yet, GDPR poses some stringencies when it comes to data storage, which are difficult to comply with. For instance, data storage needs to be kept locally, specific to an area, making the process rigid. However, the rest of the guidelines are not very complicated to adhere to. All you need to ensure is having proper processes in place that notify of breaches when they occur.

What would be your advice to peers and newer CISOs entering the information security or enterprise security space?

Assuming that they know the information security field, I would highlight two important things—knowing a business and understanding what needs to be done to do business, and being pragmatic about it. CISOs should not become someone who always gives objections to their teams because then, the team would start avoiding them. Unfortunately, many CISOs turn into a ‘Dr No.’ These people leave a business flabbergasted by making the team adopt a trial-and-error methodology, where they focus all their energy on trying to convince their superiors about taking action. Instead, what they really should do is have faith in the judgment and actions taken by their team in reducing risks and securing information.
