Cybersecurity: An Interview with Nawid Sayed, CISO at Payback
Introduction
In this interview, Nawid Sayed, Chief Information Security Officer (CISO) at Payback, shares his insights on the current state of cybersecurity and the importance of a well-structured incident response plan. Sayed emphasizes the need for a comprehensive approach to cybersecurity, which includes not only technology but also people and processes.
The Importance of Cybersecurity
Sayed: Cybersecurity is based on three pillars: people, processes, and technology. These pillars should serve as the foundation for identifying and prioritizing risks. It’s essential to define and implement the right measures to mitigate these risks.
Preparing for Cybersecurity Incidents
Sayed: Preparing for cybersecurity incidents is crucial. It’s not about having a single tool, but rather about having a process in place. The incident response plan should be established before an incident occurs. It’s essential to clarify roles and responsibilities, including who to contact and how to communicate during an incident.
Awareness and Training
Sayed: Awareness is key to cybersecurity. We use a mixed approach, including regular training sessions for all employees and testing their attention with phishing campaigns. Additionally, we have introduced shock measures, such as temporarily shutting down the coffee machine and displaying a ransomware warning message. We also offer live hacking events and escape rooms to raise awareness about cybersecurity threats.
Dealing with Human Error
Sayed: When an employee accidentally clicks on a phishing email, we don’t reprimand them. Instead, we provide additional training to help them avoid similar mistakes in the future.
The Role of the CISO
Sayed: I don’t see a problem with the CISO being part of the IT department. In fact, it’s essential to have close collaboration between the two. We work together to achieve a common goal: improving and protecting the organization.
Cyber Insurance
Sayed: Cyber insurance is a useful tool, but it should not be the only security measure. The insurance provider will typically require basic security measures to be in place. Cyber insurance should be part of a comprehensive security strategy. Even with the best security measures in place, there will always be a residual risk. This is where cyber insurance comes in.
Conclusion
In conclusion, cybersecurity is a complex issue that requires a comprehensive approach. It’s essential to have a well-structured incident response plan, regular training and awareness programs, and close collaboration between the CISO and the IT department. By following these guidelines, organizations can significantly reduce the risk of cyber attacks and protect their sensitive information.
FAQs
Q: What is the most important topic in cybersecurity right now?
A: Information security is based on three pillars: people, processes, and technology. These pillars should serve as the foundation for identifying and prioritizing risks.
Q: How do you prepare for cybersecurity incidents?
A: Preparing for cybersecurity incidents is crucial. It’s not about having a single tool, but rather about having a process in place. The incident response plan should be established before an incident occurs.
Q: What is the role of awareness in cybersecurity?
A: Awareness is key to cybersecurity. We use a mixed approach, including regular training sessions for all employees and testing their attention with phishing campaigns.
Q: How do you deal with human error in cybersecurity?
A: When an employee accidentally clicks on a phishing email, we don’t reprimand them. Instead, we provide additional training to help them avoid similar mistakes in the future.
Q: What is the role of the CISO in an organization?
A: The CISO plays a crucial role in an organization. They should work closely with the IT department to achieve a common goal: improving and protecting the organization.
Q: Is cyber insurance necessary?
A: Cyber insurance is a useful tool, but it should not be the only security measure. The insurance provider will typically require basic security measures to be in place. Cyber insurance should be part of a comprehensive security strategy.