How Insignia Financial’s CISO tackles emerging threats and open-source risks
James Ng, GM Cyber Security (CISO) at Insignia Financial, shares how the company tackles emerging threats, open-source risks, and strengthens governance and identity management in this Security Edge interview.
He explains that company boards and CEOs are more aware of cyber security risks, with Insignia taking a top-down approach to cyber security.
James’ mandate was to build a cyber security operating model by aligning Insignia’s corporate and security strategies and applying the NIST framework to assess gaps in talent and maturity levels.
This approach creates a business case that secures executive and board approval.
James highlights specific areas where Insignia focuses on improving security, particularly third-party security governance and identity and access management.
These gaps stem from Insignia’s amalgamation of several different businesses, which led to inconsistencies in security processes. Additionally, he points out the importance of educating staff on emerging threats like phishing and QR code-based scams.
Social engineering tactics have advanced, making it essential to tailor training with real-life examples from within the organisation, making it more relatable and effective for employees.
Board-level engagement is essential to cyber security.
Insignia briefs its boards quarterly and provides out-of-cycle updates on legal and regulatory changes.
James emphasises the challenges in managing open-source software, particularly the risk of hidden backdoors or vulnerabilities that may not surface until later.
Insignia has implemented controls to detect vulnerabilities in open-source libraries, though he acknowledges that mitigating these risks is an ongoing process.
Key takeaways:
- Top-down cyber security approach: Insignia Financial built its cyber security model by aligning corporate and security strategies while leveraging the NIST framework to identify skill gaps and maturity levels.
- Focus on emerging threats and education: The organisation prioritised strengthening its third-party security governance and identity access management, while also educating employees on evolving phishing and social engineering threats using real-world examples from within the company.
- Open-source software vigilance: Insignia faces challenges with open-source libraries, especially with the risk of backdoors or vulnerabilities emerging over time. This requires continuous monitoring and detection processes to manage these risks.