Daniel Anastasi, METACO CISO talks about his role, priorities and main challenges.
What is the role of a Chief Information Security Officer?
The role of a CISO is to help organizations reach their business objectives by putting all the relevant information security processes in place. Essentially, it is about understanding where the company wants to go, which information risks it faces and how to mitigate them. No organization wants its confidential information – from IP or business plans, to client information – leaked, stolen or misused; it could put the whole business in jeopardy. The CISO is precisely there to have a plan to minimize and mitigate these types of threats and to ensure compliance with the relevant regulations in each territory in which we operate.
All of the above makes the job broad and complex: you must have business understanding, and a holistic view of how people, systems and processes blend together in the transmission of information (who has access to which information, how it is exchanged, when and where) and the resulting risks. It is a very multidisciplinary role that involves deep technical, operational and organizational knowledge. Technical knowledge is necessary to understand, assess and size offensive and defensive techniques; a good CISO must be able to think like a hacker, test attacks (ethical hacking) and do threat intelligence. Operational and organizational knowledge is key to ensure the organization relies on the right infrastructure, employees, processes, and procedures to prevent and mitigate risks.
Lastly, the CISO needs to be skilled to assess which tools a company should and shouldn’t use to store and manage information. Nowadays there is a wide range of commercial and open-source tools which make similar jobs at different costs. A good CISO should be able to find the tools that deliver the expected levels of security, at the correct level of investment.
Is there any particularity in the role of a CISO of a blockchain-related company?
The blockchain technology is changing the world of money, far beyond cryptocurrencies. This market is meant to grow exponentially and cybercriminals – not youngsters behind their computers, but proper, well-structured and ruthless criminal organizations – will be there to make easy money. To understand the size of the threat, cyber-crime brings mafias more revenue than drug trafficking while sparing the physical exposure, complex and costly logistics, etc.
Hence, a CISO working in a blockchain-related business must be extremely vigilant and meticulous. All eyes are set on this industry and the company’s intelligence and business integrity are heavily exposed to both external and insider threats. A CISO in blockchain must be thorough when anticipating all possible people, processes and technology weak links, as well as exhaustive when defining prevention and mitigation strategies.
How do you do to keep up with security threats and trends?
I am passionate about this job; which makes it much easier because curiosity is essential in this field. As I mentioned before, the CISO must not only hold deep business knowledge but also technical expertise, so staying up to date is not only about keeping yourself informed of the latest news and industry best-practices, but also being able to roll up your sleeves and PenTest.
In my case, my approach is quite strategic and draws from a wide range of tools. On the one hand, I am deeply involved in the CISO community, attend relevant conferences and keep strong ties with other CISOs regardless of their industries. On the other hand, I use social media a lot. Unlike what many people may think, Twitter is a powerful business tool: it provides real-time information about bridges, countermeasures, and best practices. And what is best, it gathers everyone, from security experts to the criminals themselves. This gives a unique window to the real world – and although you must be extra rigorous when assessing the truthfulness of the information – it gives a broad, unfiltered view of the security landscape. Personally, I get notified when cyber threats are identified; that allows me to do my due diligence straight away and define if countermeasures are required and which. Also, I follow security experts in forensics, cryptography, CISO management, ethical hacking, etc., to collect their findings and views.
As CISO of METACO, what are your immediate priorities?
Above everything, ensuring that all the standards and controls required to support METACO’s business strategy are in place. For example, ISO 27001 is a very complete standard we are compliant with, but not the only one: we have so far incorporated many security best-practices and methodologies to ensure we anticipate and are ready to mitigate the widest possible set of threats, from those related to the technology and processes to employees.
Moreover, METACO has several partners involved in the product’s development, for example, HSM are provided by Guardtime and Cysec. In the world of partnerships and third parties, trust is good, but control is better. As a result, whether through policies or contractual agreements, we minimize all possible third-party risks.
And your priorities for the years to come?
Generally speaking, staying aware and in a position to countermeasure all threats derived from the political, economic, social, technological and legal environment. Essentially, use the PESTL framework to measure and manage risks.
With crypto becoming mainstream and attracting all sorts of people, including dishonest job seekers any very skilled criminals – threats will become not only more sophisticated but also intense. For example, AI applications are around the corner and with them, a whole new array of attacks. Deploying adapted controls (e.g., using OWASP for secure coding) to cope with them will be imperative. Also, controlling and enforcing secure internal communication practices will remain critical. In an era of instant, easily uncontrolled communications, honest employees could still provoke unintentional security bridges just by misusing messaging services, social media, cloud services, etc. The job will be to keep up with all security threats and mitigation strategies.
Also, we will surely need to monitor the political and legal landscape very closely. Governments and policymakers have a strong influence in local and regional business environments and with crypto transforming the economy, we will need to be agile responding to fast-paced regulatory and compliance changes, market conditions, etc.