Interview with David Fairman
Updated: Apr 7, 2020
David brings with him nearly 20 years of information security experience in top financial organizations worldwide, including RBC, JP Morgan Chase and Royal Bank of Scotland, and is currently the CSO at National Australia Bank.
As a seasoned security professional: How has the role of the CISO changed over the years?
Traditionally or historically, CISOs were very technically focused because they grew up in the IT security space. But nowadays to be an effective CISO, you need to be able to understand the business, its processes, as well as the operational and technical risks. Furthermore, an effective CISO needs to be able to articulate and define the risk in a way that is relevant to the different stakeholders that he’s trying to influence.
What would you describe as your biggest challenge today as a CISO?
First, there’s a big challenge of articulating the impact of risk on the organization in a non-technical manner. Secondly, we need to do better in truly articulating the value of cyber risk management. Instead of discussing it in terms of reducing the number of vulnerabilities, or of malware entering the organization, we need to quantify the value of cyber security to the organization in $. Concepts like Factor Analysis of Information Risk and CyberVaR give an anchor back to an operational risk management framework, and should be used to help quantify the potential impact of investing in a certain area. Historically, CISOs used to present cyber risks through the prism of worst-case scenarios and qualitative risk statements. Modern-day CISOs need to shift from a subjective and qualitative perspective to a quantitative view and demonstrate clearly how security can become an enabler, helping the organization prioritize and meet its business objectives.
What are your most pressing 2-3 pain points?
A major pain point is achieving effective identity and access management, mainly in large complex environments. In such organizations, there is a great need for understanding the permissions and access that individuals have throughout the organization. This breaks down to understanding whether someone has the right access to the right information or if there is any conflict of duties or segregation of duty controls that should be implemented. This is one of my top priorities and it is more focussed on authorization than it is around authentication.
What will be the most critical security issues for enterprises 5 years from now?
I believe that quantum computing is going to become a big concern five-plus years from now. This means that we will have to ensure that the existing encryption techniques that we have implemented so far are still fit for purpose. Another growing concern is supply chains. Although we are starting to form an understanding of third-party and supply chain risks, we will need to drill deeper, as I expect this to become a greater issue with time, especially with data breaches. AI and Machine Learning capabilities will continue to expand, and the integrity and security of these capabilities will be key and thus will become (and already are) a prime attack vector.
Finally, I think that cyber crime as a service will continue to proliferate and become a bigger concern for all organizations, especially as threat actors find it easier and cheaper to get access to tools, utilities and capabilities to launch attacks.
Are there any solutions you’d be more inclined to buy from an established vendor rather than a startup?
I don't have a fixed view on that. Initially, I look at the 4-5 large vendors to get the majority of security capabilities that I need. This way I can easily manage those vendors and effectively get economies of scale. However, since these vendors are not able to solve all my problems, I also turn to startups for innovative solutions. Then, my decision to work with a startup would depend mostly on the use case or the threat scenario that I am trying to solve and the make-up of the team itself.
What would you consider as the biggest advantage for you in working with a startup?
Early-stage startups are generally more innovative and dynamic and can therefore solve problems much quicker. Getting involved with a startup early on means you can have an impact on creating and bringing to market solutions, much faster than the large vendors. Creating a partnership in which I can assist with the product roadmap while solving my particular use cases through a tailored solution is highly advantageous.
What would you say are the most common errors that you identify in product pitches by startups?
Many startups assume that they know what the CISO’s problems are without actually trying to identify the most pressing pain points for the specific organization. This attitude positions a startup as just another vendor trying to sell a product, as opposed to someone who’s done their homework and truly understands the organization’s needs and priorities.
How much focus should be placed on the technology vs. the business aspect when pitching a solution to a CISO?
The focus should entirely be on the business aspect. What you need to understand and be absolutely clear about is how you can help the CISO in terms of business outcomes or business benefits. That can be extremely valuable as many CISOs struggle with articulating their security problems in a business-like manner and measuring and demonstrating the productivity benefits and outcomes.
Following up on that, can you share a few tips for startups pitching to a CISO?
My first tip is to be very clear on the problem and the use case that you’re trying to solve. Secondly, have a clear answer on how you plan to scale. Once you have established the problem, make sure you are able to explain how you are going to roll this out at scale, for example to 100,000 endpoints and 20,000 servers. In other words, you need to know how you are going to operationalize your solution and clearly explain the ease of deployment.
Do you have any advice for young startups trying to get their product in front of the CISO?
I think that meeting the CISO is in many cases, especially in large organizations, not a good use of their or your time. Often, if you are trying to talk about a specific use case in a specific area, you probably don't need to talk to the CISO specifically. Make sure you speak to the person or team who actually deals with the problem on a daily basis, as the CISO may be removed from this in detail and relies on their team for guidance. Study the organization well enough to figure out who the decision makers and key influencers actually are.
Can you talk about the benefits of working with Cyberstarts?
For me, the main benefit in my relationship with Cyberstarts is in getting a first view of innovative companies and teams. Ultimately, it's about meeting those smart people and not necessarily the product or the technology that they are trying to sell. Secondly, getting involved with early startups in the form of building a strong partnership allows me to help shape their roadmap in a mutually beneficial way where I get to solve a lot of my problems much quicker than I could have otherwise. In addition, I've been in this space for a long time, so working with Cyberstarts offers me a chance to give something back to the security community.