Andrzej Kawalec is the Director of Strategy and Technology at Optiv, responsible for security strategy, service and technology architecture. He works with clients and partners to drive digital and cybersecurity transformation throughout Europe, the Middle East and Africa (EMEA).
Before Optiv, Andrzej was the Chief Technology Officer and Head of Strategy and Innovation at Vodafone, leading the company’s enterprise vision of cybersecurity preparedness in the age of digital, mobile, cloud and IoT for more than 462 million users. Previously, he served as CTO and Director of Security Research at Hewlett Packard (HP), where he was globally responsible for HP’s enterprise security strategy, roadmap, research and development and market engagement. Prior to joining HP, he held a number of positions of increasing responsibility at companies such as Siemens, Compaq, Currie and Brown, Vistorm and EDS.
Optiv helps clients plan, build and run successful cybersecurity programmes that achieve business objectives through their depth and breadth of cybersecurity offerings, extensive capabilities and proven expertise in cybersecurity strategy, managed security services, incident response, risk and compliance, security consulting, training and support, integration and architecture services, and security technology.
How would you say worldwide opinions and understanding of data security have changed in light of last year’s events and the introduction of GDPR?
A year ago, organisations were hurriedly reviewing policies and security procedures, and mining their marketing databases, in a desperate bid to be GDPR compliant before the deadline.
Now, organisations have focused on building organisational muscle memory to understand how to redesign and rebuild processes so that they can be GDPR compliant. For example, amidst the flurry of consent emails that were sent out, many organisations had concerns that they would be hit by requests to forget customer information or supply data, which would lead to tiresome system removals and processes.
This failed to materialise, however, and we’ve found that this hasn’t really happened at any significant scale. Consumers are not using the regulation to manage their data and privacy exposure as effectively as they could, and it’s these kinds of learnings that are informing organisations on how to develop their processes in line with GDPR.
Many still view GDPR as a cumbersome set of rules to follow or to work around, but it’s more of a sea change in the way we talk about privacy. Viewed that way, organisations cannot simply ‘check the box’ to comply with these regulations and expect positive results anymore.
What is the process for building a cybersecurity programme from planning to running it?
Unlike an IT or business programme, running a security programme puts responding to an ever-changing threat environment at the top of the agenda. The ongoing management of security programmes is relentless and dynamic, with no steady state, meaning that it constantly has to be redesigned and adapted in the face of new attacks and regulations. That is what distinguishes a security programme from IT or business programmes, and it means that building one usually requires additional tailored support.
Any security programme needs to start with an understanding of the organisation that it is trying to enable and protect. This includes considering the critical information and assets that the business has. Once identified, a prioritised list of activities can be drawn up to combat the threats against those assets. Doing this builds an individual risk landscape for a specific organisation.
Following this, an organisation must ensure its security strategy is business-aligned so that the company can continue to operate in the face of continued and sophisticated attacks. This also allows the board to stay resilient in the midst of an attack and advises them on how to respond.
In the last stage of planning a cybersecurity programme, each core area needs to have the right people, technology and processes to support each of those different assets and allow the organisation to do what it needs to do.
What challenges can be run into during this process and how are they avoided or solved?
The major challenge is at the start, when aligning the security programme with the business it supports. This is because it demands that the security team step outside of the IT realm and engage in a board-level risk conversation.
The second major challenge is that people often think of cybersecurity as being a technology answer, incorporating solutions and controls. It’s really about an end-to-end set of activities; the people, processes and technology all working together to survive in a constantly evolving landscape of attackers, technology change and regulation. The enemy of any security programme is complacency. It must never become static, as hard-won resilience can be lost in the blink of an eye.
What are the benefits of a simpler cybersecurity programme and how is this achieved?
At present, only 23% of CIOs feel that the rest of the business understands their security strategy extremely well, and unfortunately you will never be able to drive an enterprise-wide security programme without the enterprise understanding what that security programme is trying to achieve.
Security programmes are highly complex, which means their objectives are often unclear, and this damages the security teams’ ability to execute clearly. The most effective security programmes can articulate with a high degree of precision what the objectives are, which assets need to be protected, and what part of the business those assets enable. Knowing how to do this leads to an effective and efficient focus of scarce resources, and also allows for clarity and strategic decision making.
Ultimately, the clarity and simplicity of a security programme’s goals and objectives need to be understood and described by everybody.
How would you describe your own strategy for security, service and technology architecture?
Most organisations’ security programmes are stuck in a reactive cycle, and 66% of organisations agree, saying their security programmes are reacting to attacks, changes in regulation, and new technologies. But at Optiv, we advocate an inside-out approach which starts with the organisation and its goals, and then looks to understand what needs to be achieved from a risk perspective. Only then can the capabilities and architectures be built to support the strategy. Without taking that inside-out approach, and instead being continually reactive, businesses cannot drive forward or understand which technology choices to make, how to support users, which threats to defend against, what to outsource vs develop in house, and finally, how to maintain resilience.
What is the best way to protect one’s identity, especially as use of the cloud and mobile devices becomes more prevalent?
There are very strong parallels to be drawn between consumer use of technology and corporate identities. Consumers are using multiple online cloud-based services on different devices, to share, connect and communicate with friends and family. But maintaining control of privacy, data, and communications and managing access using passwords and biometric information such as fingerprints or facial recognition are all similar challenges that are mirrored in the corporate environment.
Understandably, enterprises are able to put a much more comprehensive set of identity and data management processes and tools in place to help mitigate some of the risk that consumers otherwise face. However, this cannot be done without impacting on the usability of devices so that their experience feels as easy and frictionless as logging into their Netflix account or sending a WhatsApp message. That is the challenge facing enterprises; they need to adopt a coherent identity and data strategy to allow users, partners, employees and consumers to access data they need from any device, at any point, whilst also managing the risks associated with that.
What is the first step when undergoing a digital transformation? What should be kept in mind before one starts?
When undergoing a digital transformation, it is important to recognise that a significant and enterprise-wide change will occur. Each particular stage in that process of change needs to be managed and worked through so the organisation can make the right investments and not duplicate efforts or transform down the wrong path.
Often, there is a misconception that digital transformation is just about evolving or incrementally changing the IT infrastructure to keep pace with cloud adoption or new mobile technologies. It’s important to keep in mind that, actually, a true digital transformation is about completely addressing how technology and the digital landscape can support and provide new markets for a business and its products and services. It may indeed mean a branch shift and doing things in a completely different mode, but that is the type of transformation that organisations should strive to achieve so that they can excel.
For security to play its role in digital transformation, more has to be done than just renewing and refreshing all of the existing security controls and putting them in the cloud or mobile context. It has to be about completely rethinking and rearchitecting how security is built into that new digital reality and how it becomes much more of a strategic asset for the business. If organisations assume cloud adoption or a mobile workplace is digitally transforming, they are doing a disservice to the end-goal.
What would you say is the most important thing you’ve learned during your experience at Hewlett-Packard and Vodafone?
HP and Vodafone are both pioneers in their fields – reaching, powering and connecting hundreds of millions of people around the world. The experience of building security into those businesses, at a global scale, and at the forefront of their respective technology waves, has taught me a lot about tech adoption. Additionally, this gave me the knowledge of building business models, which can be executed at speed, that support hyper-growth. It also taught me the importance of having a great team around you when being a part of a global organisation.
Being part of large organisations has shown me the value of having a strategy that has a clear, simple purpose, as size can often breed complexity. Established machinery and organisational infrastructure can be a wonderful roadmap for change, but can also create many barriers. It’s always hard to introduce new ideas and new technology, even for technology-based innovation companies, as legacy business models, and the thinking that surrounds them, are very hard to dislodge. At Optiv, we drive innovation around security globally but without the barriers and impediments that exist elsewhere.
Is there a difference between the cybersecurity that a public vs. private entity might need? Would your advice differ depending on which one you’re handling?
For private enterprises, the level of organisation and direct accountability are much higher, making any impact much more profound. For example, through the handling or mishandling of a major security breach, share prices can be halved, CEOs fired, and brands can be damaged. We’ve even seen criminal cases being brought against directors of companies, and of course it has led to GDPR in Europe and other regulatory frameworks around the world.
In public sector organisations, the focus is less on brand, product, fines, and individual accountability, but much more to do with resilience and the ongoing delivery of services. For example, if benefits aren’t distributed, if hospital procedures are impacted, or if core functions of central and local government are affected, the impact is much greater on a societal level. Because of this, you can see how that different focus of security is played out in both public and private sector responses.
Often, there is an unfair assumption that the public sector, particularly central government organisations, has more direct access to security intelligence and security resources, but that’s not always the case. Instead, they predominantly use the same processes and technologies and are fighting to get the same cyber talent as their private sector counterparts. This is why there continues to be a strong argument for more information and knowledge sharing in the industry, to learn how to combat threats more effectively and get the best use out of scarce resources.
How do you believe that cybersecurity will advance going forward? Is there anything in particular that you hope for?
There are three things that would make the biggest difference to cybersecurity.
The first would be a very strong and direct link between people’s identity and their online activities. The removal of anonymity would pose great problems for cybercriminals and expose the plethora of online harassment, hate and cyberbullying that occurs on the web. If the layers of anonymity are removed, then we can create an understanding of what cybercriminals are doing, creating a safer online world in the process.
The second would be to have all organisations share their intelligence around incidents and processes. The digital world should not permit us to build individual security ‘castles’ anymore, complete with moats and drawbridges. We need to start to work together to pool and share resources to create bigger, scaled security teams and technologies.
The third would be the use of machine learning and artificial intelligence to perform advanced research against the cybercriminal industry. This heightened intelligence would allow us to target cybercriminals at scale in very precise ways. We weren’t able to globally address the illegal drugs trade that was distributed and monetised around the world, but when it comes to cybercrime, we have the chance to act now to prevent it reaching that irreversible level.