How to become the head of information security?

Hello, this is Kotelov digital finance. Today we'll talk about how young IT specialists and juniors can become the head of an information security department: what skills are needed and how to organize work processes.

On the podcast, we discussed the banking security system: how protection is structured, how people are controlled, and how they become managers within it. The result was a large amount of material, from which we pulled out the most important things:

The full version of the episode can be viewed here.

How to become the head of information security in a large bank at 30 years old?

I had a plan and I stuck to it

In the 8th grade I already knew what I wanted to be. My uncle told me about information security and showed me what it is, and I liked it. I decided that this was my thing and that I wanted to learn it. I went to college, graduated and found my first job. I built my path step by step, and I had a clear understanding of what I wanted to achieve in life.

At 26, I was already the deputy head of the information security service at a regional bank and the acting head of the service. It so happened that I was invited to Moscow, to one of the top-5 integrators in Russia. I accepted the offer, moved to Moscow and gained tremendous experience.

When you work for a large integrator, there are many customers around and many interesting projects. After that I was invited to a top-10 bank. I accepted the offer and worked there in two directions:

  1. administration of information security tools

  2. SOC – security operations center

I investigated various incidents and performed well.

A caveat: the specifics of Dmitry's work do not allow him to name specific brands. In what follows, he will refer either to the generic name of the class of software he uses or to a generic description of the company.

If any information from our podcast leaked, it could be used by black-hat hackers to gain access to funds.

Is it possible to succeed in infosec without connections?

Question: At first I thought that your uncle helped you get into the field. I take it that's not the case?

No, he just told me about the field. After college, I had an interview and got into the civil service for 13,000 rubles. That was my starting salary. I worked in the region and paid half of it to rent a room – it was fire and copper pipes, as the saying goes.

During the eight months I worked there, I absorbed the maximum in information security, managed to develop an information security policy for a city with a population of over a million and for the region, and then went to work for a holding company. I owe my position to the skills and knowledge I acquired throughout my professional journey.

What skills should the head of information security at a bank have?

This is a combination of several factors:

  1. Information security expert

You need to understand not one narrow direction but several, and understand a few more at an intermediate level. You also need skills, experience and competencies in technical information security, methodology development and risk assessment.

  2. Soft skills

The ability to build communication between departments and to negotiate. There are often excellent experts who are closed off – they don't want to interact at all with the outside world or with other departments. They will stay where they are – it will be difficult for such a person to become a leader even with incredible hard skills.

What hard skills should a manager have in information security?

Let's look at my example. I studied BASIC at school and C++ at the institute, but I didn't pay much attention to this area. My focus was on developing comprehensively as an information security specialist, and there was no need to go deeper into development.

If I need to write some kind of script, I pick up the topic quite quickly. I write the scripts I need and use them.

There was an idea to learn Python, since in cybersecurity it is a very useful skill and can be used to automate various processes. In general, programming languages are very useful in pentesting, but in my work I rarely use these skills.

Pentest – analysis of a system for vulnerabilities

Personally, I don't need to know how to code because there is a development team for that: back end, front end and product analytics.

By the way, my team and I constantly participated in various projects on weekends and in the evenings. We developed various software for information security.

What are the main cyber threats to banks?

Question: Is it DDoS attacks or social engineering? Attempts to get into the bank's internal infrastructure? What's relevant today?

In my practice, network DDoS attacks and attempted targeted attacks were used against large banks, as well as exploitation of vulnerabilities and infection by loading libraries into open-source solutions on GitHub.

Small organizations are not of great interest to cybercriminals, but various attacks occur there from time to time.

The main victims are staff over 45 years old who are completely illiterate in terms of information security.

In our work, we try to instill and raise computer and information security literacy – to instill the basics. This becomes a problem because people over 45 no longer want to learn new things – they just want to take an ordinary flash drive and use their favorite browsers, not the ones installed by the "evil" security people. It worked before, so why change now?

Therefore, each organization develops its own business processes for building information security. At the same time, it is necessary to take into account the business processes that already run in the organization and build synergy between them.

So we dive deeply into the processes and create something convenient for everyone: security professionals, users and the business.

A business can exist without IT specialists, but IT specialists cannot exist without the business that brings in the main revenue. Therefore, it is important to do the work so that business processes are not interrupted and generate more income.

Mandatory practices for security managers

Question: Are there any established cybersecurity practices that you apply at every company? Let's say everyone installs Kaspersky or Panda and uninstalls Internet Explorer 6?

Most importantly, when you come to work at an organization, you need to study the area of work in general and conduct an audit: take over the cases, talk with colleagues, and get your predecessor's contact details to find out the nuances.

It often happens that not all cases are handed over precisely, and you have to look for pitfalls in the process that the previous specialist already knew about.

When you come to an organization, it is important to get acquainted, study the area of work and outline a plan for yourself.

This makes it easier to create a work plan for implementing information security tools, a plan for training and instructing employees, and a plan for defending the budget.

Defending the budget is a very sensitive topic for many organizations. The story here is like with a doctor – they are ready to spend money only when it hurts, but before that it is not clear why so much money is needed.

Why is defending your budget the hardest thing in cybersecurity?

You come to the business and say that we have a hole in this area. To close it we need this much money; we will use such-and-such classes of protection, and this will reduce business risks.

“Okay, what are our risks? What fines, what damages are expected?”

You provide the information and the risks. The business scratches its head and says: "Listen, we'll accept the risk here, okay? Let's do it another time, when there's money."

There was an interesting case in my practice: I worked at one company, presenting a project for the purchase of DLP-class tools. I coordinated it with the IT department, coordinated it with another department, and received the support of the organization's management team. It came to defending the decision and the budget in front of the company's director.

The director listened to my arguments, references to regulatory legal acts, laws and regulatory requirements. He looked at the description of the risks and benefits, and the overall outcome for the organization in the event of an incident.

Then the following dialogue took place:

– Dmitry, this is all good, of course, but how much do I pay you?
– You pay me this much! (Quite a lot of money for the region.)
– Dmitry, for that money you should be the DLP system yourself!

Everyone was shocked: I was shocked, my subordinates were shocked, the department director was shocked. As a result, despite the full argumentation from the information security service (SIB), the support of the deputies and the department, it was not possible to push the decision through. I later left that organization and moved to Moscow.

The reality of a security department in a corporation: the board of directors doesn't give money for information protection until the company is hacked. And when the data leaks, all the claims will be against you because you "didn't take action" and "didn't do it on time".

World of Digital Finance

If you are interested in financial development, what goes on inside fintech heavyweights, and special guests who rarely come out from behind the scenes, subscribe to our Telegram channel Kotelov digital finance.

In the channel we constantly announce new podcasts with great guests, articles and other news from the world of financial development. Valera KOTELOV also talks about the features of the fintech market from the point of view of a digital specialist.
