Future Proofing Your Security Programme Against Changing Cybersecurity Regulations

Shawn Bowen, Restaurant Brands International’s Global CISO, is one of the many IT leaders implementing security initiatives for compliance that goes beyond ticking the boxes.

In a time where regulations are rapidly evolving and reactive to political events, Shawn discusses the need for CISOs to understand the intent of compliance items.

He explains to ADAPT’s Senior Research Strategist Aparna Sundararajan during ADAPT’s CISO Edge how this will be crucial to getting buy-in on security initiatives from stakeholders and laying a strong foundation to security by design programmes.

Aparna Sundararajan:

I’ll just give a quick introduction about myself, I’m Aparna Sundararajan, and I work with Mark Boon as a Senior Research Strategist at ADAPT. I also analyse technology and write research notes for ADAPT, trying to get our Research and Advisory business set up for Australian and New Zealand market.

This interview is a part of getting the community, writing nuances and research insights and advisory from experts like yourself.

I’ll probably start with my first question, which is related to one statement that I love from your keynote, and you said, “Security is sexy except for the compliance.”

I recently interviewed many CISOs, and everyone talks about the challenge in complying with all the new regulations and ever-changing regulations. Especially with cloud coming up the uptake of cloud providers, data privacy, and many regulations coming out from the Australian Cyber Security Strategy.

What is your view on those challenges and effectively addressing those challenges for CISOs?

Shawn Bowen:

That’s interesting. For me, it gets back to the why —the checklist. There’s a book called “Checklist Manifesto” which is a book I like, and it talks about the origins of checklists and where they came about, started in aviation and medical fields. In environments where life was at risk, checklists became a repeatable thing.

In the military that was harped on, we had checklists for everything.

When compliance becomes a checklist, it’s very easy to check the box, but I always say, compliance does not equal security.

But I say the by-product of a good security programme is your compliance. That’s the goal. It gets to understanding why.

One of the examples I’ve used in the past is when you will get your pilot’s licence or when your private pilot or whatever it might be, do you have a pre-flight checklist? One of the items on there is to check the wing fuel tank. You go to the wing fuel tank, and you unscrew the cap and, then you go, “Okay, checked it.” Screw it back on.

That’s not what the intent that’s not the why of that checklist item. That checklist item is, “Make sure you have enough fuel in the tank,” so that you can take off, get to your destination and land successfully with a reserve appropriate for that destination. The checklist item is, “Check the fuel tank,” not verify that you have enough oil in there.

That’s the whole problem, is are have this compliance stuff that says, “Train your users,” but it doesn’t say, “Have an educated workforce.”

Which one is it? Is it, “Have an educated workforce” or Give training to users?”

I can give training to anybody. I can give training to a monkey.

It doesn’t mean that they’re going to learn anything from it. Understanding the why and the intent of the compliance, is one, how you get buy-in for why you need to do it, but it’s also how you develop your programme.

Compliance isn’t sexy because they try to make it at a high enough level that it’s applicable across all industries, especially legislative type requirements.

They have to account for the construction company and the hotel and leisure company and the financial company. When it’s that broad, it goes back to, “Check the fuel tank.”

Now you have to understand what the why is to you.

I’ve found, for the most part, most auditors that are worth any penny you’re going to pay them, if you explain the why you did what you did to that checklist item, even if you didn’t meet what was originally in their head, you’re going to get through that audit or through that compliance requirement. That’s the component I think of.

Aparna Sundararajan:

I would not have assumed that to happen, aren’t auditors bound by the actual checklist and they are usually the third party and coming from legislations?

Shawn Bowen:

It’s our job to educate the auditor of our environment because they don’t understand our environment.

Last week they were auditing an automotive dealer, and this week they’re auditing a retail food chain. Hypothetically, it’s explaining to them that we understood what the checklist says and here’s how we applied it to our world.

“I did check the fuel tank. “I might not have unscrewed the cap, like the thing said, “but I put a mechanism, I unscrewed it once, “put a beacon in there that notifies me,” or whatever it might be. Some people do get stuck with that and just hire a new auditor.

Reality is part of educating that it was thought out about like, “I thought through this before I did it.” I think the term now, that GDPR privacy by design or security by design.

That means that you thought about it before you did it and you addressed it whether it was in a business briefing deck for decision or you wrote a policy or whatever it might be in my experience.

What they’re looking for is, “Did you think about this ahead of time? Document it? “And then did you follow what you documented?”

Now if that is off, like if you documented slightly wrong, but you followed it, most of the time you’re going to get through the audit or the compliance inspection fairly well.

They’re just going to say, “Hey, course correction, go this direction with this. “You just have some minor pieces,” but it’s not going to be a glaring failure in that sense unless you just suck at your interpretation, but that’s a different problem.

Aparna Sundararajan:

In your experience, do these compliances quickly arise when, a government is sceptical and fearful of events that have happened?

Especially in the case of Australia, we know that we were under a huge federal government attack.

We do know that a lot of regulations came right after, they were in the making already, but then I had a conversation with the CISO of Ministry of Home Affairs, and he said, “All of this is going to get a little worse.”

I feel like these compliances quickly spurge around when the government wants to protect everything, but then it’s not well thought through how it’s going to be executed.

Shawn Bowen:

So reactionary plans are failed plans before they start in my opinion.

I’m not saying that there’s not something good in them. There are prepared reaction plans. That’s different when you’re preparing to respond.

I think Mike Tyson had the quote, “Everyone’s got a plan until they get punched in the face “or punched in the mouth,” or something along the line.

If you have a plan for after you get punched in the mouth to counter punch, well now you’re starting to think through things, and you practice that pain point.”

I was smiling because in Canada, Tim Horton’s, our coffee brand, which is an iconic brand in Canada.

In June, we had a reporter write an article about our privacy practices about what data was being collected in our mobile application. Everything we were doing was intentional. It was above board. We followed the rule. We gave a response to people, the subject access requests, we requested consent. We were doing things in that sense, but the article came out, lots of people got upset.

Then obviously the OPC, the Office of Privacy Commissioner in Canada, was four different jurisdictions, Ottawa and Ontario and British Columbia. They all got together, and they started to do a government investigation. Then it got consolidated into one investigation.

We’re currently going through that right now. That’s been a tonne of fun. I was on a phone call with the lawyers, five minutes before I connected to ADAPT to talk today

Aparna Sundararajan:

Very brave.

Shawn Bowen:

That’s exactly what you described. someone wrote an article, says that “Tim Horton’s is tracking users.” No, we’re collecting data that you authorise us to collect, but every other brand is doing this.

That’s not a defence, and we’re not going to say, “But that guy,” like that just doesn’t work. Particularly when you are the most Canadian brand, it just doesn’t work. That’s not the right approach anyways. That doesn’t build rapport.

That’s not a good attitude to have. Still, it’s about back to that privacy by design, security by design function that if you do things intentionally, deliberately do the actions that take a mental exercise, that’s some mental gymnastics that a lot of people aren’t prepared for because that’s a lot of work and thought ahead of time.

When you do that, you can withstand those reactionary effects from things like that. There are the policies that come out and that they aren’t even triggered by anything, by our brand, just the government’s gone that way.

Like in California, they had a privacy act passed a couple of years ago, and now they just passed another one yesterday. It will take three years to affect us, but they are going through privacy, and they give us some time to react to it. The problem is it’s a three-year rollout. The problem is we wait until 2 years 11 months before we start rolling it out because that’s the business mindset.

We can wait for it.

Privacy by design, security by design concept, allows us to get ahead of that.”

Even if we’re not 100% come that day if we put forth that effort and got to 80-85%, we generally can walk out of the courts in a favourable position or walk out of an audit in a favourable position because we’re doing the right things and we’re on the right path. I think that goes a long way.

The problem ends up being when people just don’t even start doing the work, and frankly, they deserve to get slapped.

Aparna Sundararajan:

That’s quite radical. If there is one advice that you would give CISOs and risk professionals right now in this environment where insecurity seems to have come into a huge spotlight more than ever. What would that be? That’s probably my last question for you.

Shawn Bowen:

That’s interesting. Let’s start at two. You said one advice.

I go back to what I said earlier; I think managing risk in terms of the company, is key to gaining allies and gaining respect. Too often, historically, we’re the department of no, it should be yes, if. Yes, if you do this or yes, if this happens and change that mindset, how can we do this? Find a way to do that.

How do you operate in a compromised environment? Assume that your systems are going to be breached.”

How do you continue doing your job? And then work back from that construction rather than the other way around?

I think there’s that factor, but on the same thing you’re talking about from COVID and the legislation, the security is starting to get more important.

Unfortunately, it’s a research exercise which I love researching. I love reading and learning. I hate writing and documenting what all I learned. I just like learning it and absorbing it.

That last step is what’s key and is saying, “Hey, I’m aware of this. “These are my thoughts on it.” And I think that that helps us go a long way because while it might not be read, it could be presented in PowerPoint, but sharing the thoughts beforehand allows you to react better when you face the situation.

I think that’s just one of those problems is we wait too long to react to things. It starts because a lot of us are in a firefighting job and firefighting sucks.”

I was a firefighter for 7 years part-time, and it’s a lot of fun to be in the fire, but you don’t want to be in that position if you could have prevented the fire from the first place or contained it when it started, it just stays to the local environment. That requires planning maturity.

Frankly, we have two problems right now. We have a workforce problem that was mentioned earlier. In the world today, we don’t have cybersecurity professionals capable of thinking from that perspective. We also have the funding issue of, “Will we ever get enough?” That’s about managing risk.

I think it’s better to do 100% of 5 things and be aware of the other 5 that you’re not doing rather than doing 50% of all 10 things.

Maybe there’s some threshold that you find a balance in there, but I would much rather attack the things I could do and say, “Hey, I couldn’t do those at all,” rather than do those half-assed.

I think that’s where we lose some respect is when we don’t, when we start to do something or redo something, but we don’t complete it, or we don’t do it well enough, now it looks like we’re incompetent or incapable, which is not the case. We’re just understaffed or under-resourced, however that may be.

I don’t want to say ignore it that’s a bad way, but by saying, “Hey I’m going to do X and ignore Y,” when Y becomes a problem, now you could go, “I asked for a resource for that. I can’t do it.” Whereas if you do half of them, you end up visually, you get two V’s. You don’t know if it’s a Y at the bottom or an X at the bottom. You don’t know which one is which because you’ve done a poor problem.

I normally say that in a PowerPoint, we say, “Hey, here’s what it looks like. It’s two V’s.” You have no clue what’s below that. That is part of the problem that we run into. Because we’re out of resources, we try to spread ourselves across them all to cover it all.

The other analogy I use is a boat. You have 10 holes; you have 10 fingers you’re going to stick them in all the holes, or do you cover two holes half? You’re still getting the same amount of water through, but at least on this side you know what you’re doing and know what your problems are, where the other ones you are only half doing the job now. How do you compensate for that?

That’s my thoughts on it. A little bit more philosophical than probably useful than a lot of people, but it’s about making people think.