Deika: In this day and age, I believe that the average data breach is right around $4 million. So you wanna be in a position where the likelihood of it occurring is reduced by good governance. In addition to putting sensitive data into the hands of competitors or losing the availability of your product, tool or service, a data breach can damage your company and brand's reputation. It can cause erosion of trust between the company, its shareholders, customers, and employees. So a little bit of, you know, good governance, which in essence is just having measures to keep assets, people, and data secure, is essential. And, you know, at the end of the day, I feel as though a little bit of trust issues goes a long way.
Caroline: From Cobalt at Home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. My guest today is my good friend and colleague Deika Elmi. Deika is an ISO 27001 certified lead auditor and a CISM. She has published articles in "Security Magazine" and was recently profiled by the risk and compliance organization Risky Women, in 2021, as a woman to watch in the GRC space. Deika, we will be talking about GRC today. Deika is a first-generation American with roots in both Africa and Europe.
She has lived on three continents and is a polyglot who speaks five languages fluently. Deika is currently living in Austin, Texas, where she is active in her community as a library volunteer and a community leader. She's also a bookworm, a foodie and a wine expert. Welcome Deika. We are so happy to have you on the show today.
Deika: Thank you so much. Hi, everyone.
Caroline: So bookworm, I have to ask, what books are you reading lately?
Deika: Okay. So I have two books on my nightstand. One is just a novel, so I can just escape and have fantasy. It's by JK Rowling. It's, I believe, the first book she wrote after her famous series, Harry Potter. It's called "The Casual Vacancy" and it's a story about a brother...two brothers, and a family, and homes, houses that are...I won't say any more. The other book I'm reading is by an organizational psychologist, Adam Grant, who wrote a book about givers and takers and how there need to be more givers than takers for an organization to thrive. And it's super interesting as well.
Caroline: Wow, good stuff on all fronts. You know, I love this question and in fact, I think I'm gonna start asking more guests, what book is on your nightstand, because I think it's so interesting. And Deika, you are actually a particularly unique individual as a Somali-American woman who was born here and grew up in Rome, Italy. I would love for you to share your story and your career journey with our listeners.
Deika: Absolutely. I was born in New York City and my parents were both Somali immigrants. My father worked at the General Assembly and he married my mother, brought her to New York, I was born, and then they were transferred to Rome, Italy. He worked as an economist for a UN agency called FAO. So I grew up in Rome. I spoke Somali at home. I went to private English schools, and then I met little Italian kids in the neighborhood. And there was a park across the street, and we had a courtyard in our building, and so I spoke Italian outside of the home.
I think that the exposure to languages and cultures really made me into an open person, and it has given me the ability to speak to anyone. The other thing about my work and this idea that I have of being of service comes from my father. My father used to always tell me when I was a little girl, and, you know, he was a religious person, I'm not, "There before the grace of God go you." You know, I was a diplomat's daughter going to private schools yet I went to Africa every summer, and outside of our house, there would be young children, you know, asking for things and panhandling, and asking for food. So he instilled, imbued in us service, being of service. And I think that's how I wound up in security. It's because I have this desire to protect and serve. It just kind of dovetailed in.
Caroline: It's fantastic. I don't know if your father's alive today. I expect that if he is, he's very proud of you. I expect that if he's not, he's very proud of you. Thank you so much for sharing that with us. You know, and you have developed such an extensive career of over two decades of experience in software, FinTech, banking, and more. You are an expert on security, third-party management and risk. I have an awkward question for you. I wanna talk to you about compliance. The reason it's an awkward question is because of the way I'm going to frame it. Compliance is often a huge driver for security, but some people think it's boring. It might not be the most exciting, funnest topic. I would love to know your perspective on why security governance is important.
Deika: Absolutely. Security is...governance is the foundation of security. If you don't have good governance, it's difficult to have the ability to protect perimeters and protect people. That is the most important thing in any organization, or should be: assets and data. You have to have governance, which is a series of policies and processes in place that allow you to enable access controls and control the access to facilities, and also digital spaces. In this day and age, I believe that the average data breach is right around $4 million.
So you wanna be in a position where the likelihood of it occurring is reduced by good governance. In addition to putting sensitive data into the hands of competitors, or losing the availability of your product, tool or service, a data breach can damage your company and brand's reputation. It can cause erosion of trust between the company, its shareholders, customers, and employees. So a little bit of, you know, good governance, which in essence is just having measures to keep assets, people, and data secure, is essential. And, you know, at the end of the day, I feel as though a little bit of trust issues goes a long way.
Caroline: Absolutely. I mean $4 million, that is significant. That is a board-level discussion and topic. You know, I'd love to chat with you a little bit about going back to the basics. When we think about information security, fundamentally, let's talk about those three principles. What are your thoughts on C, I, and A?
Deika: So first of all, CIA, or C, I, and A, does mean the central...I think it's information agency, intelligence agency, sorry, but it also stands for confidentiality, integrity and availability. So over the last few years most companies talk about, you know, data, data privacy, the fact that a lot of...we spend a lot of our time in the digital space and this has created just, you know, entire rivers and oceans of data. So people talk about confidentiality, but they don't talk a lot about integrity and availability.
And I believe that integrity and availability are just as important if not more so than confidentiality. Integrity boils down to just protecting unauthorized...protecting assets, digital assets, people, and also data from unauthorized changes. So you have to have good governance and good policies and controls in place to ensure that only authorized people have access to your tools, your spaces, your assets, and your people. Badges like, you know, having a badge to enter a secure facility and making sure you don't let someone in, even though that's physical security, it goes to integrity.
And availability is a principle that sometimes people forget and, you know, the point is people actually need access to their data. Your customers need access to the product that you're selling. So ensuring that your product or your tool or service or data is available to authorized people is what the concept of availability is all about. And I think that availability actually is something that can be pitched towards SLTs or ELTs, because you can tie it to value creation. You have products that you wanna sell, well, they better be available.
Caroline: Absolutely. I remember when I was on the eBay information security team, the company, our infrastructure teams had an availability requirement of 99.94%. And there was a calculation done, like, you know, it was known and proven that for every second of downtime, every second that ebay.com was down and not working, the company was losing X amount of dollars. I mean, it was just so crystal clear. And I'll never forget that. And then, you know, we've got situations like today, so many of our organizations are dependent on other infrastructures, you know, whether that be AWS or Slack or, you know, whatever it is.
And then one of these, you know, big kind of technology backbones goes down and it affects so many different people. So I think that governance is not only important but it's also...it's also so interconnected and increasingly more so. Deika, how does governance help organizations to address their threat landscape? What even is a threat landscape?
Deika: I think the threat landscape means the surface area by which you can be attacked. So for instance, if you don't have good controls in place and say, for example, if you have an instance of Confluence or Jira, but it's not behind a firewall, that could be exposing, you know, or increasing the threat landscape. So that's where, to some degree, I would say identity and access management comes into play. So access controls, password complexity, password rotation, or even now passwordless systems.
There are some newer technologies where they're using, whether it's tokens or biometrics or smart cards, but the threat landscape is what exposes you to attacks: phishing attacks, malicious internal attacks, ransomware, or just, you know, people just burrowing into your infrastructure and causing...wreaking havoc.
Caroline: Yeah. So if I think about, you know, this threat landscape, this attack surface, what does governance have to do with it?
Deika: Governance can make a huge impact. Governance is a whole host of things. It could be, you know, access management, identity and access management. Governance is also policies in place to ensure that only authorized parties have access to certain areas. Good governance can also be related to network engineering. You make sure that your, let's see what's the word, your network is segmented and so it's not flat, so that if a malicious actor gets in, they don't immediately have access to everything. So let's, for example, talk about, say, for example, a bank, right?
Every employee at a bank does not have the same task of simply preventing robberies. It gets broken down. Yes, they are meant to protect the money that the bank collects from their customers and users as well, but tellers have a role. They have instructions on what to do in case there is a robbery. There is an armed guard out there, and they are meant to be a deterrent. Good governance helps reduce the threat landscape by ensuring that everyone has a role to play and that policies and procedures are in place to protect the organization.
Caroline: Excellent. Thank you.
Deika: You're welcome.
Caroline: Let's talk about integrity and availability and what those have to do with business objectives and value creation. How do these things connect from security to business?
Deika: Absolutely. So it is, I think important. You know, a lot of CISOs, and I know you're a security leader, have in the past, historically, had to go and fight or beg for funding. Right? Many of us have been there, convincing or pleading with an organization or its leaders that we need more money to protect the organization. Availability, the concept of availability, to ensure that all tools and products are available at all times, can be tied to value creation because without proper availability, you can't continue to sell or make your customers happy, or gain more customers.
Executives need to understand that security is directly tied to profitability, and without availability or integrity of our systems, tools, products, and data, not only is the organization at risk, but the services are as well.
Caroline: Yep. Deika, another topic that I want to pick your brain on has to do with third-party vendor risk management. You know, when we were talking about availability, so many organizations that provide technology products and services, they're all dependent on each other. What do things look like with regards to third-party governance these days? What should our listeners be aware of?
Deika: So, I would say, you know, everybody knows that from, I would say, the '90s, more and more companies, and this is like from the titans of industry to even small and medium businesses, medium-sized enterprises, have infrastructure that is almost like, I would say...I saw some reports that said that 73% of IT management is all third parties. So most companies are dealing with a complex kind of mosaic where it's like dozens and sometimes hundreds of companies that are providing different services.
This is hard to manage. It can be unwieldy and, you know, not everyone has the luxury of having, like, you know, armies of analysts and risk managers. So I would say that the new things, or the interesting or exciting things that are allowing us to deal with just sheer volume of work and also maintain, you know, security and maintain access and availability and integrity and confidentiality is artificial intelligence and machine learning. There are algorithms and machine learning programs that can just completely go through very large quantities of data and they can parse through, out on the internet, just, you know, data packets and observing behaviors, and pulling records.
And, you know, you also have financial availability. You wanna make sure that who you're doing business with is fiscally sound. And AI helps with all of this. And a lot of employees worry about, or people in the third-party vendor management space worry about AI taking over from employees and, you know, job loss, but actually, it helps speed up the work. And there's always a need for a human to go and interpret the data and then provide, you know, risk ratings and risk assessments and risk mitigation. So that's what's new and exciting. There are wonderful tools in place now that are helping us deal with just the massive volume of work.
Caroline: Very cool. You know, I happen to agree completely with your perspective with regards to, you know, machine learning and AI not taking away our jobs. I happen to believe that there is truly so much work to do that if, you know, we are able to use some of these tools to process data to do things that computers are great at doing and humans take a really long time to do, you know, I think that is awesome. Deika, as we begin to kind of, you know, explore different GRC topics with you, you know, GRC...we've talked a little bit about governance, we've talked a little bit about compliance. What about risk? What does it look like? What does it mean to shift from a compliance-based kind of security program to a risk-based one?
Deika: Sure. So the way it can be done is...the way I explain it often at work and also in the industry when I go to social events and people ask me about this topic is, a compliance-based approach is rigid and static. And an example is a company can pass an ISO 27001 audit, they can pass a SOC 2 audit, but then, you know, things can just fall apart. And you're still basing your decision of whether to do business with them or not based on the ISO or the...ISO 27001 audit that was...you know, they passed everything. A risk-based approach is more proactive. Instead of focusing on regulations, a risk-based approach is more focused on identifying and prioritizing risks.
So you identify the risks, whether it's through questionnaires or whether it's through, you know, using one of the newer tools that goes out and finds out and parses a lot of data that's out on the internet about people and companies and organizations, and then provides to you a risk assessment. And then you can look at that assessment and then predict behaviors. So if a company has done this and this and this, and if they had to file Chapter 11, and if they went through four CEOs, how does that affect the security of a company? And I think that it's, A, more accurate and, B, more interesting.
Caroline: I think these are such strong insights. And I wanna continue to ask you questions about these things. How do we as security leaders change any perception of security, particularly the GRC parts as a boring necessity, and how do we align as much as we can with the business?
Deika: I would say that transitioning from security awareness training that uses, let's say, older, kind of outdated modalities that could be perceived as though, to more human behavior-based training is really interesting and it's beginning to really become more prevalent. And I think that also presenting to security leaders, the realization that aligning the security program with business objectives and also highlighting to them how we are part of the value creation proposition, because trust me, if you don't have sound security, you're not gonna be able to sell or do well, and eventually, something will happen that will affect the bottom line.
So it's just more communication, more advocacy, and getting...I like the idea of embedding or even training people to become security ambassadors. I talked to someone a few months ago and they had these guilds where they would actually pick someone from a division or department and train them, and then they would become the advocate. And I think that's what's...we need more of that.
Caroline: I totally agree. Love the idea of more security advocates. You know, Deika, as we are kind of coming to the end of our interview today and wrapping up our podcast, I wanna ask you, what's next for you? What are your dreams and aspirations both for yourself as well as for the industry?
Deika: Well, I think that one of the things that I am passionate about is security communication and security education. I do this all the time on my own and, you know, people will come up to me and say, "Well, what is even compliance?" And then I will, you know, talk to them about these topics. So making it more approachable and more human is the way of the future because we need everyone to participate. We're all out there in the digital space, and I want it to be secure and safe, not just for savvy IT folks and engineers, but also for the aunts of the world and little children of the world and everyone. It's everybody's business.
Caroline: Totally agree. Couldn't agree more. It's all of our data. It's all of our information. It's all of our value creation and our data, no matter where it is. Deika, thank you so, so much for joining me today, for sharing your insights with our listeners, and also for sharing your story with us. I really appreciate it.
Deika: The pleasure is all mine. And thank you so much, Caroline. I really appreciate this opportunity to learn a little bit more about you and also tell my story. I appreciate it.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a pentest as a service company. You can find us on Twitter, @humansofinfosec.