In this ESG360 Video, ESG's Jon Oltsik and Mark Peters discuss current issues and trends in the world of Cybersecurity.
Read the related ESG Blog: Talking Cybersecurity (ESG 360 Video Series)
Announcer: The following is an ESG 360 video.
Mark: Today, increasingly, IT is a very broad church and there's a lot happening in it. And many of us, I've done this myself in my history, tend to focus on individual specialties within that. But equally, we know that what comes out of IT is what really matters. So what I'm doing is talking to some of my colleagues who understand those individual areas to try to understand both a little bit about those and also their applicability to this general endeavor. So today, I've got Jon Oltsik.
Jon: Hello, Mark.
Mark: Hello, Jon. I know it's cybersecurity but what do you actually cover? What do you focus on?
Jon: The transition, Mark, it's actually consistent with what you were talking about, is we're looking at risk, we're looking at...and it used to be IT risk but now it's risk to the business because, as you know, IT is baked into business processes. So if IT is baked into business processes then you have to understand risk and you have to be able to mitigate and monitor that risk. So that's what I'm looking at.
Mark: You've been doing this a long time and focusing on that area. Has that changed over the years?
Jon: No. You're absolutely right. It used to be about securing the network, securing the data, making sure that only authorized personnel could get access to a certain application. So it was very tactical, it was very technology-centric, and that's no longer the case.
Mark: So now it's about securing the business. Outcomes rather...
Jon: Absolutely.
Mark: Okay. That actually sounds quite aspirational. That's something people would want to do.
Jon: It is. And CISOs, Chief Information Security Officers have been tasked with this and they've been told you need to hire people who understand the security technology because your job is now to secure the business.
Mark: Okay. All right. And before I come back to that and that balance between technology and business, which is really what I want to get to in a second, let me just ask you this, what else now and for the reasonably short term, foreseeable future, a year or two, what are a couple of...you know, for someone who might not be as knowledgeable as you about this segment, what are a couple of the key things changing, whether in technologies, the market, the vendors, external forces? What's big on your radar right now?
Jon: Well, let's start with regulations. In May of this year, the General Data Protection Regulation (GDPR) goes into effect in the EU. And so that puts a whole new emphasis on data privacy. It places a new emphasis on operationalizing security and reacting to the market. So for instance, if you have a data breach, that may trigger thousands of people, thousands of European citizens to say, "I want you to forget about my data." And can organizations do that? Can they operationalize that?
In a world where you have more mobile users, you have more users because you're letting third parties in to look at your applications, and you have more cloud workloads. The traditional method of controlling the network perimeter, securing the network perimeter is no longer effective. So what we're seeing is there are two emerging new security perimeters. One is identity, so I need to understand who is accessing my information, and the other is data security. I have to understand is this information sensitive, is it regulated, and where is it, and how do I protect it. So that's changing quite a bit. And a lot of that is just due to not only changes in technology but changes in business processes as well.
Mark: All right. So the main thing I just wanted to get to and to close on is to what extent can the stuff you cover, the cybersecurity, risk mitigation area, actually drive better IT or better business? Are there ways that you can link everything that you are looking at to actually improving organizational outcomes?
Jon: Yes. So for one thing, security is now being baked into IT. So this is the kind of notion of do you bolt on security or do you build it in. We're now under the assumption that building it in is the right thing to do. So developers are more security aware. Infrastructure people are more security aware. The aspiration is to put security into the IT domains versus having an overlay security organization.
And beyond that, it's about business enablement. So if you're going to undertake some type of digital transformation initiative, you want the security people involved so they can understand who's the audience here, what data is being used, where are these people located, are there regulations we need to think about. If you know the risks, then you can build in controls and mitigate the risks. If you don't know or you get pulled in afterward, it's inefficient. But that's the way we've always done things in the past.
Mark: Final thing then. So if you bake it in rather than strap it on, then I can certainly understand that that's more efficient and that's gonna help with costs and so on. I mean, that's a fairly vanilla side of our business, is what it costs to do things. But many of us talk about security as closing off the holes, putting the finger in the dike, stopping the release. But I'm guessing, from what you're saying, if you do this right and you bake it in, it's exactly the reverse. If you do security well, you could actually open up the flow for this cloudy, mobile world that we live in.
Jon: That's right. You want to... If you understand the risks and you understand who you want to provide this service to, then you can do that effectively and understand where you need to close them off. So it's sort of...the thesis here is whitelisting versus blacklisting. Blacklisting means I need to know everything bad. Whitelisting means I know it's good and I just block everything else. So it's more of that whitelist mentality. And again, it's sort of about business enablement, understanding the risks, and enabling people to get their jobs done in a new way.
Mark: Right. Well, talking about new, I learned something so hopefully, you did too. Jon, thank you very much.
Jon: My pleasure, Mark.