By Ian Palmer
Greg Thompson has his work cut out for him as Scotiabank’s highest level security professional. Thompson, vice president of enterprise security services at the Toronto, Ontario-based entity, oversees a team responsible for ensuring that hackers, cyber terrorists and hacktivists don’t get bragging rights at company’s expense.
Thompson earned his CISSP accreditation from (ISC)² in December 2001 and received the Financial Services CISO of the Year award from SC Magazine readers in 2011. The InfoSec Institute recently touched base with Thompson to get his take on a number of issues of interest to the industry. We had a chance to interview Greg. The interview is as follows:
What positions in the IS space are currently in demand?
(Thompson) From a banking security perspective, we have a very global presence and we have a global footprint in terms of our security team. We cover everything from security operations, which include logical access management to firewall management to antivirus, intrusion detection/prevention – all that operational stuff – along with governance and some of the back office or support functions as well. And I manage a very broad team in that regards. I would say that…the things that I’m hoping to see more of are people who can work with large amounts of data.
There’s a lot of discussion right now in the industry about the needs of what is being called a data scientist function that would report into a security office. These people aren’t necessarily security professionals or trained security professionals; they’re more on the mathematics side and people who can help us deal with the large amounts of data that are generated by the security products [courtesy of] our external gateway appliances. So data scientists are people who can help us manage this large amount of data. These folks would hopefully be able to help us decipher the story that is hidden amongst that data. So we’ve got events coming at us from our intrusion prevention systems. We have antivirus events that are happening. We have firewall events at our gateways. We have logical access events generated through our active directory or some of our application controls. When you tie all of that data together, it has the potential to tell you a really interesting story in terms of what threats might be active in your environment. I see a need for that skill set to augment what we’re already doing in information security, and that’s kind of at a high level. The demand for every other domain within information security remains. Of course I’m representing the (ISC)² board of directors, and I happen to be a CISSP myself. I can tell you that demand across all of the domains remains strong in terms of the skills sets that we need in our profession.
What hard skills are in demand?
I see them all. I think the hard skills around being able to look at application code and work with our application developers is really key. I need people that have an application security background. I need people that understand how our networks hang together. I need people that understand the platforms that we work with – and I’m talking about operating systems, middleware and databases. All of these aspects require a certain level of knowledge to be able to harden those environments. Certainly skills related to broader IT operations are very, very important. Gone are the days where the security team can be the cowboys running around and playing with firewalls and fighting hackers when in reality a lot of security teams like mine manage very large, complex operations. So people that come into our profession from a broader IT operations perspective are really valuable because they help provide some of that IT operations discipline that is starting to become more mature in information security. So I want it all. I want skill sets that have a bit of everything from a hard skills perspective.
What soft skills are most in demand?
I look for people that have experience working on teams. A team environment is very important. It provides this basis of being able to work with others, being able to communicate and recognizing how teams operate – that’s only when I’m talking about new recruits. Once those new recruits start to take hold and mature as professionals, what we start to look for are [those] who can strategically influence positive outcomes. In security, we often find ourselves in an advisory role….So the ability to tell a compelling story, the ability to garner support for initiatives becomes very, very important. And as you move up through the food chain in our profession, the ability to articulate ideas in a way that’s compelling, not only to your counterparts in IT, but to the business leaders, is very important. Businesses understand the concepts of risk. Businesses understand that taking risks are necessary to do business. So when you talk in terms of risk as you move through this profession, it becomes very, very important. It provides that basis by which you can communicate with a common language.
What technologies are most in demand these days?
We’re seeing a huge demand for cloud-based technologies. The nimbleness that the cloud provides, the potential for huge cost savings and the sheer convenience of what certain cloud offerings provide really put pressure on security programs to be able to respond to that and provide the guidance and support that these business lines need to move to the cloud securely. When I talk about technology and I jump to cloud, what I’m really talking about is – what are the enabling technologies that we can use for the cloud? So I’m thinking outbound network gateway, encryption technologies….When we talk technologies, we really need to start talking about the technologies that help us protect data – full stop. The discussions that are starting to happen now all start to circle around the fact that, more and more, we’ve lost control of the networks that our users connect to us on, we’ve lost control of the endpoints that they use to connect to us, which puts pressure on security of the data itself. It also puts a bunch of pressure on the ability to authenticate users who are connecting to that. You have to implement technologies that strengthen authentication and certainly strengthen the security around the data stores themselves so that you can more confidently embrace the technologies that our users are already using.
For which technologies is there a decline in demand?
Technologies such as signature-based antivirus. While they may not be losing demand at the moment, their effectiveness is declining. And this is acknowledged by the antivirus vendors themselves. In fact, McAfee recently purchased a product called Solidcore, which provides an alternative to signature-based antivirus [solutions]. It’s a whitelisting technology. There seems to be a general acknowledgement amongst security professionals that there’s diminishing value on signature-based antivirus technologies, in other words technologies that blacklist threats. The sheer volume of the threats out there and the size of the signature files that are required to be maintained is becoming unsustainable.
Who was the last security person you hired and what set that candidate apart from the pack?
The people that I’m involved with in hiring are generally a little more senior. I look for a number of things when I hire a person. Of course I look for credentials. I want to make sure that person has the training as a foundation to their security background. I certainly want someone who can fit into the team. I look for somebody who has breadth of experience. Our profession is actually not that old when you compare it to other IT disciplines. So often what we’ll find is we have other security professionals that actually cut their teeth somewhere else in IT. Often it’s networks or it’s logical access control or it’s the military. But that breadth of knowledge becomes very key to us especially when we’re dealing with non-security entities within IT. The ability to understand where they’re coming from becomes very important. I want people to come to me with passion. I want people that have some substance to them – there’s something behind their resume that is intriguing.
How has your department grown or changed and how do you expect it to change in the future?
My department name is Enterprise Security Services. I supply security services for the bank globally and we operate in over 50 countries. I think we’re up to about 55 right now. I manage [the following units]…Security Governance and Compliance, Technical Security Services, Customer Protection, Business Continuity, IT Forensics and Research & Projects. I have about 68 full-time staff and about another 10 contract staff. In the next few years, we’re certainly going to need to grow in terms of staff. Keep in mind as well that Scotia has grown through acquisition, so as the bank grows so does the workload for my team. We try to grow somewhat in proportion to that, although we benefit from having the economies of scale. So oftentimes when we acquire an entity in Latin America or in the Caribbean or somewhere, if they have an IT shop and folks doing security, we’ll often absorb those security [staff] and create capacity on those teams.
Without naming specifics, what are the biggest security threats?
I can tell you what we’re dealing with right now. All the banks are dealing with distributed denial of service attempts….In terms of our biggest threats, certainly denial of service is very top of mind today. With mobility, we are seeing a rise in mobile malware, specifically on the Android side. But when you compare it with the…more traditional PC- or Mac-based browser threat, it’s nowhere near as big yet. There’s lots of hype, though. Hackers, cyber terrorists and hacktivists all have different motivations, but they often use the same techniques and the same attacks and provide the same disruptions of service ….As a bank, one of our main adversaries is organized crime….Cybercrime is a huge focus of ours. And we’re seeing a lot of cross-channel crime where you see coordinated social engineering attacks against contact centers which are designed to steal credentials and other information which can then be used to [get] data used to steal money from online banking customers.
Considering all of the challenges you face managing a global team, what is the hardest part of your job or what keeps you up at night?
I was at a conference several years ago and there was a fellow named Steve Katz. He was one of the very first CISOs; he was with Citibank. He was saying that he was giving a presentation one time and he was asked, ‘With all this stuff happening, how do you sleep at night?’ His answer was he sleeps like a baby – he’s up every two hours crying. Our adversaries do not have to be successful the majority of the time to be considered successful. In other words, they can lob millions of attacks at us, be successful on a couple of those attempts and be seen as rock stars in their underground communities. We have the exact opposite challenge where we can be successful 99.99% of the time, but if we miss one thing, we’re in the press. What keeps me up at night is – I don’t want to be dragged through the press for something that was clearly avoidable. I don’t want my bank to be implicated in something that could have been avoided. Touch wood, Scotiabank has, through good luck and lots of work, managed to have a very strong track record in that regard.
What’s the most enjoyable part of your job?
That’s an easy answer. What I love about information security is the fact that we touch every aspect of IT. We touch every aspect of how our bank does business. Banks in particular rely on information technology to deal with everything and so I could come in the office on Monday and deal with a lot of network items; the next day I might be dealing with mainframe issues; the day after that it could be a Windows platform issue; the day after that it could be a business process issue that results in something that we must take action on. So the sheer variety of the things that we deal with on a day-to-day basis keeps the job fresh….Our adversaries are hugely innovative. We have some very, very intelligent well-organized, well-funded adversaries who kind of keep us on our toes.
Which certifications and degrees, if any, do you see as important for hiring and career advancement?
Obviously, if you’re in information security, the gold standard remains the CISSP. There are a number of other credentials that are highly credible. Our friends over at ISACA have very good credentials like the CISA for the audit profession and a few years ago they implemented a new credential called the CISM…. In terms of post-secondary, Computer Science is a big plus, but it’s not a showstopper for me, personally. We see a lot of young, smart, innovative people coming out of programs that you wouldn’t expect. I had a guy working with me a couple of years ago whose background was Philosophy. He had such an interesting perspective on problem-solving. The traditional Engineering, Computer Sciences are all good. They’re great to have. But they’re not, to me, a showstopper. In terms of career advancement, a track record of continuous learning is really what I look to see. Have people invested in themselves? Have they kept current and relevant? Have they taken on roles that have challenged them? So, for me, that track record of continuous learning, whether that is through formal training or education or job development, I really put a lot of stock in that.
What would you tell a high school student interested in studying information security or information technology in college?
First of all, I would tell them that our job is not CSI. A lot of high school students have glamorized the world of hacking and they look at television programs, such as CSI, which oversimplify how computer systems hang together and how real security-based computer work occurs. It may not be as glamorous as what they see. But the field is growing; it pays well. There’s a huge future in information security….If you come out of university or any post-secondary institution with an information skill set, you then become a highly valuable asset to whichever aspect of IT or business you find yourself because you’ve got that base of security knowledge to work from.
What security sites do you visit?
I’ve actually set up a Google page. You can [add] the Google gadgets. I look at the usual such as Krebs, Secunia, a lot of the vulnerability sites. I certainly read things like Wired magazine. At my level, one of the sites that give me the best early warning that I’m going to get a call from an executive is the Wall Street Journal. The executives at the bank read the Wall Street Journal. I hit the tech section every morning when I’m having my coffee just to see what’s happening out there.
What is the last security book or magazine that you read?
I read Save the Database, Save the World by John Ottman. John Ottman was the president of Application Security Inc. at the time. He actually asked me to read it and provide him with a book review, so I didso. There are at least two books by an author named Misha Glenny, one is called Dark Market. It’s about the underground ATM skimming market that is based out of Eastern Europe. It’s not fiction; it’s real life. This reporter was able to infiltrate these underground gangs and provided a really compelling account of this underground skimming device market.
Who is your favorite fictional hacker?
My favorite hacking story is War Games. Matthew Broderick played a kid who hacked the national defense system in the U.S.
Ian Palmer is a security researcher for the InfoSec Institute based out of Ontario Canada.