Computer Futures

60 Second Interview with Eoin Fleming

Tell us about yourself…
I’m the Chief Security Officer at Leveris. We build full service retail banking software, deploying and managing it in the cloud. It’s the security equivalent of juggling burning chainsaws. I have over 20 years’ experience in leading and developing effective security, compliance, privacy, risk and audit management programs that deliver measurable business value to clients.

Primarily, I work within the financial services vertical, with extensive expertise in the management of outsourcing, service management, delivery management and SLA/contract negotiation. I also hold CISSP-ISSMP, CISA, CRISC and ISO 27001 Lead Auditor certifications.

Where do you see the corporate security department in three to five years’ time?
There won’t be one. We’re very fond of saying security’s part of everyone’s job and it's everyone’s responsibility today. But if you take that to its logical conclusion, you don’t need a security department - at least not in the traditional sense.
What you do need is one or two senior security people to set policy and strategy, and communicate it effectively so that it actually gets done by all the staff.
The job of the security team is to communicate and evangelise rather than to ‘do’. DevOps is evolving into DevSecOps, which combines build, deploy and operate into a single team with security as part of the process. This is sort of the half-way house to the SecCom team above.

In your opinion, what do you feel is the biggest challenge companies are facing when it comes to securing their data?
Data classification is by far the biggest issue. It’s a truism that you cannot protect what you don’t know you have. Companies are particularly good at producing a lot of data and then failing to use it effectively or compliantly because they don’t label it properly.
This isn’t just a technical issue – it’s a cultural one. Data loss prevention (DLP) technology is perfectly capable of addressing most of the technical aspects of metadata and classification in organizations if the data was correctly labelled in the first place.
However, very few companies made the leap to creating a culture and environment where the default behaviour is to classify and label their data automatically.
If you are doing it manually, you’re doing it wrong. Actually, that’s true of almost everything in security.

What process or activity do you feel is the most important in creating a strong security culture?
Communication and user education. But security people are simply terrible at this. We assume everyone sees the criticality and importance of what we do because, in many cases, we have absolutely no understanding of, or interest in, the business as a whole and see security as an end in itself.
Security staff have to focus not just on the desired behaviours and capabilities, but on how to win support with the C suite and ensure they become integral to the business strategy. They give the company a competitive advantage. In other words, the mission of security is to support the business, not the business of security.

Tell me about a business challenge that you solved through technology?
I love the Bruce Schneier quote, “If you think technology is going to solve your problems then you don’t understand technology and you don’t understand the problem”.
He said this in relation to security but it works for almost any technical solution. To really solve a problem, technology is about 20% of the solution. The other 80% is influencing, educating, implementing, and monitoring the way technology matches the business need over time.
We’re not in the luxurious position of being able to implement a fix and have it work for ever. We don’t work in an immutable vacuum - people change, markets change, businesses change and technologies change. Today’s solution is tomorrow's problem and I can’t really think of a single solution that I came up with that perfectly solved a problem for more than 12 months.

How do you stay up to date with security trends in the market?
I spend a lot of time in the less salubrious parts of the internet for research purposes, boss, I swear.

What would you regard as your greatest achievement in security to date?
Working as a volunteer for ISC2 developing and refining the CISSP and ISSMP certifications. It’s an amazing experience where you get to meet a lot of the people you read about and spend time with them, whilst trying to ensure that the certifications reflect the reality of the profession. Which is impossible but doesn’t stop us trying.

GDPR is such a large topic and still not fully defined, but what would be the three things you’d recommend companies do to prepare for GDPR?

  1. Develop a privacy policy which defines the purpose behind your processing activities, what you do when, with whom and where.
  2. Educate your staff on the policy and their responsibilities, and make sure the resources and information are accessible to them.
  3. Add a step to your change, release and incident policies which defines when a privacy impact assessment needs to be done and when breach communications need to occur – then do them.

Don’t waste time and money implementing new technologies until you have basic documentation and processes in place – do the basic things well first and you will be in a much better position come May 2018.

If you had a coffee with your 18-year-old self what advice would you offer?

  • Everything generally turns out better than you expect if you keep going. Stop and you generally get the worst outcome available at the time.
  • Life and work are about people, not things. Treat people like things and you will have a bad time. Treat things like people and you will lose sight of what’s important, which is people.
  • If someone offers you advice, listen and then follow your gut. At worst, you’ll then be in a position to offer advice.

What does the future hold for your business?
I hope we have modest success, happy customers, and fly under the radar because moderately good news rarely interests people.

Favourite book or film?
Book: Spycatcher – Peter Wright, he was doing technical security before it was a thing.
Film: Star Wars – I saw it when it came out in 1978 in Ireland and I came out of the theatre a different kid.

The 60 second interview series continues next week with another quick-fire interview with a senior technology leader.