ADAPT’s Peter Hind interviews Theo Nassiokas, Director, APAC Cyber and Information Security (CISO) at Barclays in Singapore. Theo began his working life as a Policeman in Victoria, first getting involved with the challenges of cyber security over twenty years ago. He has worked in major financial institutions across Asia Pacific.

Speaking at ADAPT’s CIO Edge conference, he discusses the importance of assessing cyber security threats against the context of the business in which you are working and using the appropriate language and discussion points to engage the business leaders on these matters.

Peter Hind:
Is it possible to sleep soundly with the escalating volume of cyber security threats that are emerging today?

Theo Nassiokas:
It is possible. The way to do it is to respect and understand what cyber threats are and why they are happening. They are not a fad or a temporary phenomenon. They are part of a bigger picture many of whose components are often connected to geo-political events. Cyber-attacks don’t happen in a vacuum.

Peter Hind:
How do you think people should assess the cyber-attacks they are encountering?

Theo Nassiokas:
You need to look at the business you are trying to protect. Everything within a cyber threat must be assessed in the context of that business. This assessment entails asking questions such as:

  • Why do you think this is a threat to you?
  • What impact would this have on your business, (e.g. financial consequences, loss of intellectual property etc.)?

Many people seem to apply simple categories to these threat actors such as state sponsored, criminals or hacktivists. The reality is that it is just not this simple. It is rare to find a cyber threat actor who neatly falls into just one of these categories. What you find is that they fall into multiple categories (e.g. a state actor could also be undertaking a criminal activity to steal money, or else they might be looking for intellectual property or for blueprints or certain information because they might get a competitive advantage from these things). As such, you need to understand the context of how cyber security and cyber threats apply to what you are trying to protect.

It is about how inquisitive you are, how fast you can learn on your feet and your ability to adapt to change very quickly.

It is about asking the right questions, knowing when to follow processes and when to ignore them. It is about trusting the people you work with but verifying what they do because sometimes people unintentionally make mistakes.

Peter Hind:
CIOs are increasingly finding that the Board and senior leadership team are coming to them for help with cyber security. They have legislated duties of care as Directors of an organisation to demonstrate vigilance in protecting their organisation from potential risks. What would you recommend is the appropriate cadence for these discussions, and what material do you find is most helpful for these engagements to be the most effective?

Theo Nassiokas:
The simple answer is that you need to talk to the Board or executive leadership team in a language they understand. Again, it is all about contextualising it. Therefore, the CIO should think about cyber threats and resilience in this context and terms. For example, if return on equity is important then frame cyber threats in these terms. What would be the impact on return on equity if such and such a threat occurred and then show how this can be determined by looking at what has happened elsewhere around the world?

If you can phrase things and use a dialogue familiar to the audience and what is important to them, you will have an instant connection.

However, if you turn up to the Board and talk about how the firewall has blocked 65,000 intrusions today, no one will care. If you front up to the Board and ask for monies, why would they approve whatever you want to do from a security controls perspective?

However, they will approve it if you have engaged all the right stakeholders; you have been able to determine that something is technically feasible and can happen; you have involved the business; you have determined how something could have a certain impact, which has been verified by the business you are protecting; you can crunch the numbers and come up with a real quantified figure; and you can say with some conviction that this will probably happen to us. In effect, the conversation is providing evidence of how we know this and how much is needed to fix it, and then providing the reassurance that what is being proposed is feasible from a commercial perspective. Then the decision for the Board is akin to buying an insurance policy. You need to think of your conversations with stakeholders this way.

There are very few cyber security professionals with the extensive experience of Theo Nassiokas. ADAPT events consciously seek to involve global thought leaders like Theo to equip the busiest leaders of Australian enterprises and governments with the knowledge and competencies they need to gain advantage.

Contributors
Theo Nassiokas Director, APAC Cyber & Information Security (CISO) at Barclays
A technology risk and regulatory focused security leader with over 20 years of diverse experience, with accountability ranging from law enforcement and criminal intelligence to risk and security strategy and policy development and implementation within government and more recently, financial services organisations across Asia-Pacific. An acknowledged authority in the areas of security, risk, compliance and cybercrime, Theo has publicly spoken on these topics on many occasions.

Theo holds an MBA (Tech Mgt) from La Trobe University and is Board Certified in Security Management (CPP) by ASIS International and a Certified Information Security Manager (CISM) by ISACA. Specialties: Security & Investigations: Information Security, Intellectual Property (IP) Protection, Commercial Counter-Espionage and Cybercrime and Internal Investigations. Information Technology: Technology Risk, IT Security, Data Leak Prevention (DLP), Payment Card Industry – Data Security Standard (PCI-DSS) and Sarbanes Oxley (SOx). Legal & Risk Management: Strong focus on interpreting and advising on banking technology regulations in North & South East Asia – the region with the highest regulator concentration globally for banking.

Peter Hind Principal Research Analyst
Peter Hind has spent the last 25 years as an analyst and commentator on the ICT industry. He says his primary areas of interest are the potential of technology to transform the way organisations operate, the change management obstacles executives encounter in realising this potential and the tactics and techniques leaders have deployed to overcome these difficulties.

Peter now takes on multiple roles within ADAPT, including the moderation of private events and roundtables, interviewing business executives about the strategies they are pursuing, and assisting with the structuring of our delegate surveys and the interrogation and analysis of ADAPT’s treasure trove of end-user and C-level data.
