As chief information security officer for the world’s third largest airplane manufacturer, Edward Kiledjian says his mission is to build a security model that is agile, nimble and cost effective. With more than 20 years of experience to back him up, he was a natural choice to become the first interview subject for the launch of CSO Digital.
Besides his work at Montreal-based Bombardier, Kiledjian has also helped support IT security and risk management efforts at Air Canada, Cathay Pacific Airlines, World Intellectual Property Organization, the United Nations and the Canadian government.
Kiledjian spoke by phone with CSO Digital earlier this year about his perspective on the state of IT security in Canada and the challenges large enterprises face. The interview has been edited and condensed.
What motivated you to take on the role you have today, and how did you get there?
My career has been spent on both sides of the table. I’ve worked both on the consultant side and on the customer side. Almost 14-15 years ago, I was the security practice manager for a small Canadian company called Caron Systems that brought a lot of these big security vendors into Canada. I was already preaching security to a lot of our customers, whether it was intrusion detection or firewalls. It was much more basic technology. It was something I believed in then, and I believe in now, and I think all of the revelations we’ve had in 2014 show it has become the de facto agenda item for most boards and executives, even outside of IT. Most CxO executives today are asking questions about security. The best way to describe it was that 2014 was the year of the breach. It’s become much easier to talk about security now than it was two years ago. Security used to be like selling life insurance. You had to convince somebody it was a worthwhile investment even though it was completely intangible. Now we can quantify it, we can measure it, and we can provide guidelines around it.
If last year was the year of the breach, what do you foresee as the next step to holistically approach the threats organizations face?
The reality is, it’s going to get a lot worse before it gets a lot better. When I talk about security, we break it up into three distinct sections. There is the technology, which is the easiest part, because vendors sell technology. Then there is the people and the processes. I’ll give you an example. If you look at all the information that was leaked about the Target breach, Target actually had a tool from a company called FireEye that alerted them to the fact that some of their equipment was infected or corrupt. The problem wasn’t the technology. The technology did its job. The problem was the fact they didn’t know what to do when the alerts happened. That’s the process piece. The first thing they need to do is take a step back, evaluate the products they already have, and figure out how to best use those before spending any additional money. They’ll need to buy additional tools as they develop their security maturity, but a lot of companies can be helped by properly implementing what they already have. When we look at all the breaches that happened on Windows, for instance, 80 percent of those could have been prevented if users had not been running with privileged accounts day to day, and if the machines had been patched properly. It’s not expensive, and fairly easy to do, but most organizations aren’t doing it.
What do you think needs to happen for more organizations to develop a “security-first” kind of culture?
I think it’s already happening naturally given all the media attention given to breaches. We’re starting to see breaches become very tangible for the average user, and I think that’s going to drive a lot of the change we’re going to see in security. You could really isolate a few major trends. There’s cybercrime, which was extremely present in 2014 and now in 2015. This is organized crime that conducts espionage for the purposes of sheer theft, competitors who want to steal intellectual property, and people who do things for a political reason, like hacktivists.
The second thing that we’re seeing is privacy and regulation. As soon as major breaches are made public, lawmakers start discussing tougher regulations, bigger sanctions. We’re going to see governments regulate breaches a lot more, and I think Europe is taking the lead on that. I also think we’re going to start to see users be much more careful about their own data. If you look at the younger generation today, they’re not using Facebook as much, they’re using things like Snapchat. Why? Because I think they see those services as being a little more private, even though we know it’s not.
That really ties into the third piece that we’re seeing, which are threats from third-party providers. We see third parties as being the biggest attack vector touching both corporate and individual privacy. In other words, when you use your credit card at Target or Home Depot, and your number gets breached, not through any action of your own, but because it happened to the third party. And I think what you’re going to see are technologies like Apple Pay. This is a situation where you are the owner of your credit card number, and you actually would never give that number to a vendor. It’s the first time where we’re starting to see a consumer be responsible for their own privacy.
What’s your advice for your peers on making sure that security isn’t an inhibitor for adopting important technologies for business transformation, but enables change to happen?
I think the first step is that the organization needs to understand that absolute security means you have no flexibility and very little usability. Absolute flexibility and usability means you have no security. So each organization has to define its own risk appetite. How much risk is the organization willing to assume? How do you benchmark how much risk you’re going to take? It really comes down to that. Once you’ve done that, then you can decide how to protect your organization.
How do you think these challenges will change the way organizations hire IT security experts?
One of the realities of this new cyber threat landscape is that you’re not being attacked by a thing. You’re being attacked by a person. So at the other end of that attack is a human being trying to get something from you. The only way to defend against that is to have your own people working on your side to counterbalance that. There is definitely a skill set, and most organizations you’ll talk to, particularly in Canada, are having a tough time finding and recruiting these specialized skills. The reality is, it’s not just a security specialist that you need. It’s not just a firewall expert. It’s a technical expert for each of the spheres you’re operating in, whether it’s networking, operating systems, applications, application development. Plus, it also requires soft skills, such as people specializing in communication and change management. And I think it is this combination that people are having difficulty finding. We’ve said it for many years, and it’s still true: The biggest risk to enterprises is their own users. And you look at some of the biggest breaches, and the fault was human. You need a new breed of risk specialists now, who can come and provide that estimate to these companies. Sony had no idea that they would lose everything. They didn’t think it would impact their brand, that it would impact their ability to get employees, to get actors. I think that’s what typically happens when these breaches happen. Ultimately, who is responsible? In many organizations, you may have a CISO, but the CISO is just a tool. We’re there to provide support and guidance to the executives. But ultimately the responsibility for information security in an organization stops with the data owner, and the data owner for most organizations is the CEO.