Woolworths’ CISO Discusses South Africa's Unique Cybersecurity Landscape

Cybersecurity challenges can vary according to a range of factors, from industry type to geographical location.

Robert Bainbridge, CISO at Woolworths, has worked as a cybersecurity professional in South Africa for close to two decades. He spoke to Infosecurity about some of the unique challenges he faces operating in this region, including in recruiting talent and facilitating cooperation and information sharing.

Amid a number of recent high profile cyber-attacks on the retail sector, Bainbridge also discussed threats facing Woolworths’ ecommerce platform.

Bainbridge set out his thoughts on the current state of the cybersecurity industry, including concerns that the community has become “accustomed” to security defects.

Infosecurity Magazine: Could you tell us about the make-up of your cybersecurity team? 

Robert Bainbridge: The make-up is fairly standard with pillars covering architecture, engineering, security operations (offense and defense), business information security and program delivery.

Each pillar is responsible for a set of capabilities and tools, and collectively we all support business security enablement – the combination of advisory, guidance and input into business projects.

Our team sits within the IT enterprise – an appropriate position given most of our work is with the technology teams. It is on a journey to grow and evolve to meet the needs of our organization, which also continues to undergo change.

Strategically, we are building an in-house capability with support from specialist third parties where relevant. The goal is to remain relatively small while leveraging good processes and tech.

We also engage with teams beyond IT on topics of awareness and culture, and this will grow and evolve as we continue to promote and highlight conversations on cybersecurity across the organization.

IM: Are there regional cybersecurity recruitment and retention challenges you are experiencing at Woolworths in South Africa? If so, how are you overcoming these challenges? 

RB: The challenges are largely around supply and demand. Recruiting highly experienced cybersecurity professionals can be difficult because many organizations have similar needs and are after the same skillset.

Over the years, we have seen more recruitment competition from international companies tapping into the South African talent pool, a great sign for local talent, but a challenge for us when hiring.

We aim to overcome the challenges through a strong value proposition and by nurturing talent, which is in abundance in South Africa. We try to let the market know we’re a great place to work.

Our headquarters are in Cape Town which is an attractive place to live. Although we prefer the team to be in Cape Town due to our growth stage and the need to develop and support relationships, we offer flexibility and growth opportunities.

Philosophically, we try to create a workplace that allows people to focus on what they enjoy doing. We aim to support the growth and development of passionate, eager people by offering them an environment that will challenge them while providing the opportunity to upskill and grow.

There is lots of opportunity to learn and grow due to the nature of work we do, evolving technology and the various projects requiring our team’s input.

IM: What are the major cybersecurity challenges you face working in Africa compared to teams working in the UK and US? 

RB: Firstly, the exchange rate and associated costs. International software-as-a-service (SaaS) security tooling can be prohibitively expensive, and we navigate this through tough negotiations, staged implementations and hedging foreign exchange rates.

Secondly, access to training and conferences on cybersecurity trends is limited. The Southern African market is relatively small, and that comes with challenges that aren’t apparent in the US or the UK, where a vibrant conference culture exists, and teams can easily access or engage with speakers or industry leaders.

Lastly, relevant Africa-specific threat intel is more limited than in other parts of the world.

IM: Recent years have seen a rise in attacks targeting online payment platforms, aiming to steal customers’ payment details. What are the main attack techniques faced by Woolworths on its online payment platforms and how is this threat being managed? 

RB: The most common attack techniques are the usual credential stuffing attempts, as well as more targeted activity on our ecommerce platform.

Managing these risks within the retail sector, where customers continue to need frictionless shopping and checkout, regardless of cyber incidents, does add a level of complication.

We manage threats with the usual combination of people, processes and technology.

IM: You are currently studying for an Executive MBA. Why did you decide to take this journey and how do you believe it will help you in your role as CISO? 

RB: I’ve been in tech my entire career and all my formal studies are in this domain. I am doing something different to challenge myself, create space to think about entrepreneurship, and to develop more range. I use the word range in relation to David Epstein’s book with the same title – a great read.

As CISO, I need to be creative and diverse in my thoughts and actions – in some cases establishing new organizational paths while challenging the status quo in others. We also have complex problems to solve which require insights from multiple disciplines. I believe learning something totally different can only help.

IM: What are your biggest concerns in cybersecurity today? 

RB: Firstly, capitulation and the associated stresses are a concern. We have become accustomed to expecting software defects and vulnerabilities in code, presuming security solutions are complex to configure, and believing attackers won’t get caught.

This has supported the booming security tech economy and rising corporate security spending to increase the cost to the attacker. The infatuation with technology and sales can be a distraction that interrupts the community’s focus on building proper ecosystem resilience. An industry-wide, holistic approach could help raise the consequence to attackers.

Secondly, we should be wary of hype around certain technologies like AI. This technology certainly can help address some difficult issues (like easy-to-manage data protection), but the concern is the hype tempts organizations to bypass foundational controls in pursuit of something exciting that doesn’t deliver.

Lastly, the existence of unnecessary complexity in our environments increases risk. The driving force of product, coupled with internal corporate silos, can lead to unnecessary complexity in our environments and more attack surface and more security debt. The challenge is being able to influence these decisions at the right level and at the right time within the organization.

IM: What are the biggest successes the cybersecurity industry is experiencing today? 

RB: Despite my concerns, I do think the industry is slowly improving with small incremental steps across the spectrum rather than any single big success story. Three positive signs are:

  • Some vendors have made a conscious effort to build security tools that are simple to use
  • The principles of secure by design and secure by demand have become a board-level conversation, spurred by vocal advocates like Jen Easterly
  • New legislation regarding security in smart devices is a positive sign that we are working towards putting accountability in the correct place

IM: If you could give one piece of advice to fellow CISOs, what would it be?

RB: It’s tough to give just one piece of advice as the role is multifaceted and organizations have different drivers and levels of maturity.

I think the core focus is to be a change agent through education and influence. You should try to find the best way to influence organizational decisions that impact security as early as possible.

Make sure you have a plan and then start executing. Take time to regularly zoom out to reassess and refocus. Hold the line and do take it personally – you might be the only leader in the organization who does.

Image credit: Bay_Media / Shutterstock.com