A
Welcome to Cyber at the Top, a podcast from RSAC that unpacks real experiences, lessons learned, and practical strategies from CISOs at some of the world's leading organizations.
For years, information security was almost always concerned with protecting confidentiality. But as our world becomes more digital and dependent on uninterrupted, trustworthy information, integrity and availability are becoming just as important and far more challenging to guarantee. I'm joined by Bjorn Watney, Global CISO of Interpol, to explore this change and why it's so fascinating. We'll discuss how it reshapes risks, the new challenges it presents for security teams, and how CISOs can balance all three pillars of information security. So let's get into today's conversation. Bjorn, welcome. Thanks so much for being a part of this.
B
Thank you so much for having me. It's a really interesting topic that we will be talking about today. So happy to be here.
A
Oh my gosh, it's fascinating. And let me ask you, before we get into it, could you start off by telling us just a little bit about your role at Interpol?
B
Absolutely. I am a Chief Information Security Officer, and most of us know what that entails. We're in charge of looking after the confidentiality, integrity and availability of data in our organization. Interpol, as an international organization, is a little bit different from at least a private company. Our vision, "together against crime," is built on pillars, where one of the most important pillars is that we will be the trusted global information hub for law enforcement. That is quite a big elephant that needs to be chopped up to manage, but that's where I'm currently sitting, with a lot of really, really, really competent colleagues.
A
Amazing. What an important institution to be sitting in that particular role.
B
So.
A
So I can't wait to get into this topic with you. And we were talking just before we got started that historically cybersecurity really was centered around protecting confidentiality. At least that's how it felt. But now there's this growing importance of integrity and availability. And you're always taught, probably in Cybersecurity 101, the CIA triad. But with integrity and availability becoming more important now, first, what's driving that shift?
B
To the biggest degree, the digitalization of society as a whole and also the convergence between IT and OT. So if we go back 20 years and we were without Internet, for example, that was a nuisance. At most we would just go onto our Word files, our Excel sheets, the coffee machine, and we would wait for the Internet to get back and then we could send emails again. But today we are hooked up with almost everything to the Internet. All of our devices have some sort of communication with the Internet. If the link is broken and the system is unavailable, it will also cause problems in the physical domain. And that is something that we didn't have before. So I think the fact that we have the physical and digital domains connected drives this shift. And also the fact that we have so much of our systems dependent on these data to operate. In Norway, for example, where I'm from, we're almost 100% digital when it comes to paying for goods and services. If that sort of availability is gone, then we won't be able to do such simple things as buying food. Yeah. Digital dependencies and IT/OT convergence, I think, are two big elements in why this is changing.
A
You know, you bring up such a good point and you really bring it down to basic human needs, like maybe we couldn't even buy food. This increased dependency on information feels like it's changed the risk landscape substantially. I had a friend, and this was a few weeks ago, there have been obviously, as you're very aware, some major cloud outages over the past few months. There's been some outages of other things before that. And this person had a pillow top that would adjust temperature just based on how they're sleeping and to keep them comfortable. But it was hooked up to a cloud service to control it. And when the cloud service failed, it defaulted to becoming the hottest it could possibly be. And so the person just woke up in a massive sweat. And it's just an example of what you're saying around even sort of physical things having this dependency on information. But would love to get a little bit deeper with you on that. How has this increased dependency on data and information and services changed the risk landscape and how you think about risk?
B
If we look at the risk back in the old days, I mean, when we were primarily focused on confidentiality, it was primarily theft of data that we were worried about. And the threats were also mostly focused on stealing data. The last few years, we see a tendency of this changing toward systemic disruption instead. So from data theft to systemic disruption. Ransomware, for example, as a service is now a very, very popular service that you can buy on the Internet. And these guys are quite clever because they have double or triple extortion. So they will actually steal your data and then they will render your systems unavailable. They can hit you with all kinds of extortion and whatnot in multiple layers. So systemic disruption is becoming more of an issue and more of a target for threats rather than data theft. Supply chain attacks, for example, that is something we see. And I also mentioned in the first question we had here the OT, or attacks towards physical infrastructure, that we didn't have before. There are many, many changes in the threat landscape.
A
I gotta ask you, how do you strike then the best balance between these things? Obviously, and to your point, the confidentiality concern isn't going away, right? We still need to keep data confidential. We do care about the integrity of that data. Still, availability is a point that you've hit on already: how dependent we are on these services being available and data being available. How does somebody think about striking the right balance of controls and energy around those things, especially when resources and attention tend to favor one over the others?
B
It's a very good question, and there's a very good answer to it as well, I think, because what we've been taught over many, many years is that we should always have a risk-based approach, because if we try to protect against everything and every risk, we will fail our objectives. So the same works here, but we need to think about risk classification a little bit differently. I have a colleague in Norway, a professional colleague, who has this talk that he's been doing for a few years where he has a bit of a dark joke. He says that he has a condition and he might get ill. And what happens if he is driving his car and he gets ill, he goes off the road, and the paramedics, the first responders, are coming, but they cannot go online to read his medical record because there is too much privacy protection between the paramedics and the hospital. So they end up administering a drug to which he is allergic. So instead of helping him, they actually kill him on the spot. And then the next photo he puts on his presentation is a tombstone with his name and his dates, and the inscription below: at least his data was kept confidential.
A
Oh my gosh. That's the way to start a presentation.
B
Yeah, exactly. But it's very impactful and it makes people think. Right, so back to how we make this the right balance. We need to classify whether availability of a system outweighs the need for confidentiality or integrity or vice versa. So we need to, not just as we always have done, classify information according to their confidentiality level, but we need to classify systems according to their availability needs or integrity needs, for example, in financial services, stock markets, etc. So to have this classification of systems dependent on their uptime requirement or integrity requirement and then prioritization of the different systems, which one needs to be up first, which one has to always be accurate, but can be offline more or less. And how important is confidentiality up in all of this compared to, for example, availability and integrity?
A
You're right, it's sort of not an unnatural motion, but it's different than how people typically articulate security. It's usually "this is very confidential data, it's personally identifiable, for example, or it's healthcare data, so we know to put bubble wrap around it." But this availability piece and the integrity piece, it just doesn't feel like there's the same level of rigor around metrics and risk. And I gotta ask, what are the biggest challenges your team and other cyber leaders might face in ensuring that integrity and availability happen and are prioritized across complex systems?
B
Yeah, I think there's a key word in your question right there: complexity. Because if you look at any organization today, it has exploded more or less into tiny, tiny bits and pieces that are now connected on a global scale. So your supply chain used to be internal, but now your supply chain is completely global. And it's very difficult to get visibility across these huge landscapes. So to maintain visibility, to track every change and component required to keep your systems online, that's very difficult. To test resilience also becomes more and more difficult because you need to involve so many third parties. And another thing that we've seen, especially with the introduction of cloud computing, is that configuration drift, or changes in infrastructure, is also becoming a problem. We like to say that the cloud platforms are the most secure place where you can put your data. I will not go into an argument there. But at the same time, we have seen a lot of data leakage issues from cloud platforms. I know there was a survey done by Gartner a few years back that tried to find out what is the cause of breaches in cloud platforms. And I think more than 90% was due to misconfigurations. Yeah, it brings some challenges, and you always have the human element in these things.
A
But you know, you really make me think, because if you wind the clock back even three or four years ago, what you said was a big problem: configuration, cloud configuration, you know, drift, for example, in that configuration, maybe even additional suppliers that your suppliers have taken on that you may not even know about. But I was just thinking about what you said in the context of rapid AI adoption and automation. How do you see this problem changing, or how do you see this kind of adoption influencing your approach to maintaining integrity and availability?
B
Yeah, I think that it's double-sided, as with many things. So these technologies that you described, they are essentially enablers. Cloud computing, for example, is great for enabling increased availability. You can have data centers across the world, you can have a hot standby, you can spin up new servers when others go down. It's super nice. Automation, for example, is very good at enforcing policies and security levels on a continuously running scale. AI and machine learning are very good at spotting anomalies and unwanted behaviors and reacting appropriately. So, yes, all these technologies are definitely enablers that will improve, if done correctly, integrity and availability. But they do also come with some challenges. Let's take agentic AI as an example. If you look at a chatbot of old and you try to implement controls in this chatbot, it was mostly controls to make sure that it didn't say something wrong or that the output wasn't profane or wrong. But with agentic AI, it might actually do real damage. So it might pay out money, for example, to the wrong account. And that is a completely different threat this time around. So you have to handle it with care. I think it's early to say how this is going to impact on the wider scale, but I would say those technologies are definitely enablers and that they will improve, or help us improve, both integrity and availability, but that it comes with a bit of a warning sticker: wear your seatbelt and do not speed.
A
You know, the "wear your seatbelt" comment really resonates with me, because I think about the time, and just reading about when that was introduced, and how much of an education campaign it was for the public, right? Here's why you should do it, here's why you need to do it, here's why it's important. So, putting the technology aside, how do you educate and foster a culture that values integrity and availability and tries to anticipate some of the things that you're talking about, like potential failures or corruption, as much as they value and think naturally about confidentiality?
B
Today it's about doing the same thing again. And you're right, confidentiality has been the poster boy of information security. We've always been training people how to keep confidentiality, like protect your credentials and label your documents. So we need to do it again. We need to look at security not as the barrier or the gatekeeper for confidential information, but actually as a quality and resilience enabler. So the CISO maybe becomes something like a Chief Risk and Resilience Officer. And going back to the other question that you had, which was very good, by the way, looking at threats and risks from a CIA triad point of view, rather than from a levels-of-confidentiality point of view, when we speak to employees and managers, we need to come with that message on the importance of having a system running, having a system available. Because down the road, regardless of where you work, I would argue that if you're in IT, if your systems fail, the business will fail. And there are some very good examples. Not even recently, but a few years ago actually, Maersk, the Danish shipping giant, they were hit and the business just stopped. And if you would have asked any of the executives two months in advance, "are you an IT company?", they would look at the old maps on the wall and say, no, no, no, we are sailors. We're a shipping company. But it shows that if the IT systems are out, that whole thing stops. Another one was Norway's Hydro. Aluminum? Yes, they produce aluminum. Would they say that they were an IT company? No, not at all. They didn't even have a CISO at the time that they were attacked and compromised. And they also needed to stop the entire production for days. And these two examples, hundreds of millions in losses. What is more important: that some confidential data leaked, or that the systems were able to restore and continue?
So I think to build that mindset, to have that focus on availability of the systems and integrity in the information that they contain, now that it becomes so crucial to any operation, that is where we need to start putting the mindset. And I think that will change how the value of the information and cybersecurity professionals are seen in businesses as well. Because technology becomes so crucial everywhere.
A
It's such a great point. And I didn't even think about it until you said it, but almost built into the name of Chief Information Security Officer, it almost sounds like a confidentiality topic. Right? Just if you read out that acronym, you know what the first thing is that people would think about. But as you say, it's the entirety of the business. Like if availability fails, for example, the entire business can come to a halt. And do you think then that this role changes into something else? So you mentioned around sort of risk and availability, but also, does its importance continue to rise inside of the organization?
B
Yeah, I would definitely say that. And it has been the case for a number of years. When I started, it's coming up to 25 years ago, most of the CISOs or CSOs that existed were all men. And they usually came from one of two backgrounds. It was either police or it was military. That was 25 years ago. And now it has changed. You see that most of the CISOs come from a technology background. They know IT and technology. But lately I think we see that more and more also have a business education on top, with an MBA or something like this, because a CISO needs to be focused on the business outcomes, as technology is becoming such an important pillar of the whole business. So you can't really be isolated in technology. And as you said, the guardian of secrets, that is not working anymore. You need to be supporting the business and working on availability and risk reduction.
A
Maybe if you could give some advice on how does somebody go about best measuring or communicating success on the integrity and availability front. It feels like typically folks will talk about their data labeling efforts and what they've done on encryption and what they've done to secure the data and keep it confidential. But how do you think about success or ways to know that you're getting better on integrity and availability?
B
Yeah, I think you need to start and focus maybe a bit more on the two last letters of the triad. You need to start asking questions like "what happens if these data are wrong?" or "what happens if this system isn't available?", and start making people think of answering those questions more than just "what kind of data does this system hold? Is it PII or is it trade secrets or not?" So I think it would broaden the risk mindset to have more focus on those two. And again, and this is a uniform thing, instead of trying to focus on prevention, you have to focus on assumed disruption. Because at one point the shit is going to hit the fan. And then you need to have a playbook, and a playbook that you have rehearsed, so you know, or people know, what to do and when to do it. Because if that is just a paper tiger hidden in a drawer somewhere, I can guarantee you that you will be very sad when that first thing goes bad.
A
That is so well said and so many times it is exactly that. Something that's just put in a drawer and people aren't actively thinking about it. And one last question for you, and this is for other security leaders that are listening. What's one piece of advice that you'd offer for adapting this broader view of information security? Like what can they do? What would you recommend that they do next?
B
It's going to sound very basic. If you look at the latest regulatory requirements that are being put out over here in Europe, you will see that they instruct companies to look for their crown jewels. What are the key processes and services that you're in the business of delivering? And that applies also to us as an international organization connecting law enforcement together. We need to find out what are the key services and products that we deliver. So identify those, and then you start working on resilience. Assume disruption. Find out what it takes to get those systems back, get those services and products back online, if they should fall out for whatever reason. And you have to rehearse; it's not enough to just do a tabletop and write a piece of paper. This needs to be tested, because it's so crucial when it happens that you are actually able to get back online. So any company, any business: find your crown jewels, assume breach, and then rehearse how to restore. Because you can always, I will argue, well, you can most of the time recover from a data leakage. But if your system is taken offline, that's harder.
A
I can almost see that as a T shirt. Right? Find crown jewels, assume breach. And how do we restore?
B
And train, train, train. Yeah, yeah.
A
Train, train. And practice. And practice. Bjorn, thank you so much for being here today. Really, really appreciate it. So insightful. And listeners, thank you for tuning in. Please keep the conversation going in our RSAC membership platform by visiting onersac.com/membership, and be sure to check onersac.com for new content posted year round. Bjorn, thanks so much again for taking the time for this.
Podcast: RSAC
Host: RSAC
Guest: Bjorn Watney, Global CISO of Interpol
Date: March 5, 2026
This episode explores the shifting priorities in information security, moving beyond the traditional focus on confidentiality to embrace the critical importance of integrity and availability. RSAC host interviews Bjorn Watney (Global CISO of Interpol) about how digitalization, OT/IT convergence, supply chain complexity, and emerging technologies have reshaped both the risk landscape and the CISO’s role. Listeners are guided through practical strategies, memorable stories, and actionable advice for balancing the three pillars of information security.
This episode delivers a compelling argument for re-balancing information security to equally prioritize integrity and availability alongside confidentiality, emphasizing resilience, business outcomes, and human factors. Bjorn Watney’s experience, pragmatic advice, and vivid stories underscore the urgency for CISOs and organizations to adapt—starting with risk-based system classification, cultural change, embracing new enablers with caution, and relentless preparation for disruption. The actionable guidance and real-world anecdotes make this essential listening for anyone seeking to future-proof their security strategy.