#331 – Security that supports business – technology and innovation
Expørt: Monica Verma
Head of Cloud Security
Med lørner Silvija Seres
How do you build customer trust? How do you build a secure cloud architecture and business platform, to create value for the organisation and its customers? And how do you manage information security risks when operating in a hybrid environment? In this episode of #LØRN, Silvija talks with Head of Cloud Security at PwC, Monica Verma, about how security is more than just a means of “restricting things”. It is about enabling businesses and innovation and, more importantly, about building customer trust and experience.
“Digitalisation, cloud computing and innovation have played – and will continue to play – a role in how technology and businesses are evolving rapidly to support their customers in better and more secure and innovate ways,” Verma explains in this episode.
Noen kjappe med ekspørt Monica Verma
Tittel og selskap
Head for Cloud Security, PwC | CSA (Board)
Master of Science in Informatics with specialisation in Web Application Security
Fitness, Gastronomy, Road Trips, Billiards, Movies
Who are you and how did you become interested in cyber security?
Since I was 17, I had two big dreams: to get a pilot’s licence and to work in what we now call information security or cyber security. I always had a special place in my heart for computers and technology.
What is the most important aspect of your work?
We help secure Norway’s digital world/business.
What areas of cyber security do you focus on?
I work on security governance and DevOps adapted to the business risks and aligned to the business strategy.
I also help customers migrate to and operate securely within a cloud computing environment.
Why is this exciting?
Digitalisation, cloud computing and innovation have played – and will continue to play – a role in how technology and businesses are evolving rapidly to support their customers in better and more secure and innovate ways.
It is exciting to be part of this journey and use aspects of information security to support these technological and business advancements.
What do you think are the most interesting controversies ?
Companies want to innovate and outperform their competitors, but very few are willing to change the way they do things. Many organisations still regard security as a hindrance and doggedly stick to the old ways of doing things, also with respect to traditional checkbox security.
It is interesting to address such conventional thinking, to hopefully build a better world where security will be integrated into businesses by default and design in a seamless fashion, and where the user will no longer be “forced” to become the weakest link. We still have a long way to go to achieve this.
What are your own favourite examples of, or projects linked to, cyber security?
Our main projects include:
- Building DevSecOps-based (i.e. product and development integrated) security governance and risk management.
- Building a risk assessment framework for cloud migrations.
- Helping customers with digital identity transformations and governance across the entire organisation.
- Co-authoring CSA guidelines to help all Norwegian companies move to cloud, with better minimum security baseline standards in place.
Can you name any other good examples of cyber security, nationally or internationally?
Cybersec has been at the heart of various significant events in recent times, such as the IoT hacks against critical infrastructure like the US power grid and a Norwegian aluminium plant, and Facebook’s struggle with a rapid drop in customer trust and stock prices.
What do you think is the most relevant knowledge for the future?
We need to invest and learn about:
- How to build security and privacy by design and default to enable business.
- How to better invest in protecting operation technology (OT) and critical infrastructure.
- How to use cloud security for enabling business and innovation.
Is there anything unique about what we do in this field here in Norway?
Digitalisation. Norway is probably by far one of the biggest proponents of digitalisation. The security aspect of this digitalisation has also gained a lot of attention here. Norway is great at taking big leaps into new areas of technology and innovation, and thinking about the security around that. By contrast, countries like Germany still rely heavily on using paper documents, paper invoices, cash etc.
Can you recommend any good material to read/view on cyber security?
I would recommend attending Norway’s biggest security conference, Sikkerhetsfestivalen, and international security conferences such as RSA.
The best material to read depends a lot on your specific areas of interest within cyber-sec. Click Here to Kill Everybody by Bruce Schneier and the Hacking Exposed series are also good.
However, when it comes to reading, I believe that it’s more important to read books that overlap with your sub-branch – as opposed to only being about that specific field. For example, reading books on how CEOs think in order to understand business motives and risk strategy so that we can better adapt security to businesses. Or reading books on psychology or emotional intelligence to better understand human behaviour and the hacker mentality, for example.
Do you have a favourite quote?
There are certain areas within cyber security where the saying “never re-invent the wheel” makes complete sense, and other areas where it doesn’t. To know that difference is the key to seamlessly integrating security with business.
What do you think is the most important takeaway from our conversation?
Security is more than just “restricting things”. It is about enabling business, innovation and more importantly customer trust and experience. Security is needed more and more, to enable businesses do things today that they couldn’t do yesterday.
Dette lørner du:
Security as a Business Enabler
Managing Information Security Risks
CIA – Confidentiality, Integrity and Availability
ROSI – Return of Security Investment
Click Here to Kill Everybody by Bruce Schneier
Hacking Exposed (various series)
Hacking the entire database of an organisation speaks volumes about its cyber security. What two major reasons could explain this?