Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.
Author of CISO Redefined (Cyberite, 2018), Martin Gomberg is a founding member of The Privacy Panel, and was CIO for a global media network for nearly two decades.
A CISO and global director of security, privacy, and business protection for the same network, Martin headed global technical strategies for a major bank, and was Vice Chair of a US State Department Overseas Security Advisory Council Industry Group.
Below, Martin answers questions on his professional journey and the themes of his PrivSec Global session.
Zero trust: Rethink security, and redefine resilience - Day 1, Wednesday 29th November, 11:30am - 12:15pm GMT
Could you briefly outline your career pathway so far?
As the ‘Privacy CIO’ I advise companies on Privacy, Data and Business Protection, both as the founder of Cyberite LLC, and now as a founding member of The Privacy Panel, a collaborative of global experts. I am the author of CISO Redefined, now in its 3rd revision, subtitled ‘Protecting Business’. My book speaks to leadership, risk, controls, and business protection in the broader context of security, privacy, continuity, operational management, ethics, culture, and compliance.
Although I still work directly or through other companies as an advisor under my company Cyberite, for me, the founding of The Privacy Panel was such an important step, a much-needed option to address the needs of companies of any size and anywhere, including small to medium enterprises that are expanding or operating in global markets, in complex industries or specialized areas, that fall under multiple regulations, need local language attention, or are dissatisfied with their current place, pace or progress.
I frequently consult and speak to why privacy and security projects struggle or fail, where the disconnects are with the way business is done, and how to mature privacy and security programs for ongoing success. Every business has internal barriers to adoption and success that need to be identified and cleared. Bigger companies have more of them. And even the best of platforms will fail if not a fit or if not properly positioned or resourced. Privacy is not solely a legal problem for an operating business, but too often is approached that way and struggles. Nor is it solely a technical security issue.
As CIO for a global media network for almost two decades, founding member of the CIO Executive Council, a global CISO, a privacy, security, and incident preparedness specialist, and chair of both public and private enterprise security, privacy, and crisis response committees, I have worked with more than 70 companies globally, of all sizes, structures, and in all industries, to bring a business, risk, and operations perspective. I write and present frequently on leadership and the maturity of security and privacy practices and programs. I can speak and work with corporate leadership and line of business management at all levels.
Of course, there is a certain audacity in assuming the moniker of ‘The Privacy CIO’. I apologise, but it was deliberate and purposeful. As I scan the online forums and privacy groups, it is incredibly informed lawyers, regulators, and specialist privacy professionals that dominate the conversation, and to a lesser degree CISOs. But much of security and privacy is about technical and business operations, administrative controls, processing, and the movement of data through organizations and systems. Yet despite controlling most of the handles for these in many to most companies, the CIO is underrepresented in these conversations. Much of corporate leadership (CFO, COO and CEO) is virtually absent. These are important voices, but equally, they are important perspectives with unique capacities found nowhere else in an enterprise.
It’s not enough to say we have leadership support. Whether privacy, ethics, security, diversity, inclusion, sustainability, or any other quality of maturity by which a business can be measured, only corporate leadership holds the levers and the language to clear barriers, shape corporate culture, and engrain core corporate values. The power of a CEO stating ‘This is important to me personally and to our brand’ brings down all barriers to success. My goal as The Privacy CIO is to reach and engage with these critical voices.
Why is a Zero Trust approach more relevant now than ever in terms of how companies secure their digital estates?
Never Trust, Continuously Monitor, Least Privilege, and Always Verify
Zero Trust is arguably and conceptually one of the better advances we have seen in the application of technical security to business defence and operations. It is defined by its major principles - Never Trust, Continuously Monitor, Least Privilege, and Always Verify, and then act and prepare as if breach is anticipated.
These principles express a very mature security perspective. But Zero Trust is viewed differently by many, and is defined, architected, and implemented differently by the various solution and platform providers. And as expected, there isn’t a singular roadmap to achieving Zero Trust for a business to follow as it goes down this path.
There likely aren’t two companies that are the same, or where the implementation, or the definition of adoption or success, will be the same, although several solution providers and consulting firms have put out adoption statistics for the US, EU and elsewhere. Adoption in one report approached 80% in the US, a number which, given the deficiency of most cyber security programs in providing an effective defence in even very well-known companies with strong teams, large budgets, and considerable expertise, I find highly suspect.
I am being a bit disingenuous in my statement. If the goal is defined sufficiently narrowly, specific providers or managed services can provide excellent tools to address a specific need in the Zero Trust journey suitable for many companies and can implement them similarly. But adoption and implementation likely differ for a cloud vs. premises-based company, and for an enterprise with centralized control over technology vs a federated model, and for companies of different size, and for those operating globally.
So, the question of Zero Trust success falls to how we define adoption and what metrics are used to measure success. Zero Trust is a framework and so should be platform independent. But is it the purchase of a Zero Trust aligned platform or product and its implementation, or is it the successful integration of Zero Trust into the business, that measures adoption success? Irrespective of what any might suggest, there isn’t a product that you can buy that will implement Zero Trust for you. That’s not because they are deficient. There are excellent products that you can buy that help with aspects of your program or help make your program better. There also isn’t anyone that can build a program for you, unless with a deep understanding of your business. There are managed services that can provide program components, but not a program.
And Zero Trust must always be viewed as insufficient.
That ironically may be its greatest strength. By its own design, it is not ‘we built it and now we are done’, it also must be continually improvable.
There are challenges in cloud
We face new risk. We do business in the cloud where our visibility is minimal. Our defences in the cloud are not technical defences that we select, implement, configure, monitor, and control, they are technologies implemented by others. It is not our teams watching out for our interests, it is others.
And perhaps the greatest challenge that third party risk, insufficient visibility and observability, and the use of N-tier providers in the cloud impose on Zero Trust is that, mostly, our protection is now just paper: the contracts, agreements, and terms of service offered by the provider. And we build indemnifications into our contracts as an acknowledgement of the dirt in the system, and in glaring lights it demonstrates that, irrespective of any controls that we may think we have in place, there are things that we simply cannot know.
What cultures and technologies should organisations have in place to enable the Zero Trust approach?
Shadow IT. Remote access. Bring your own devices. Home-based computing. Consumerization and digital communities. Globalization. Our perimeters are gone. There are no high walls and moats to protect us. But our risks are pervasive. Our business is global and everywhere. And every business knows that security can never be 100%, we will always be vulnerable, and likely will be breached. But there are measures that we can take, for security, and equally for privacy, and for most of us, these are required by industry regulation, policy, certification, contract, or law.
Business is about opportunity, positive outcomes from the risks that we undertake.
We make investments, introduce new products, embrace new consumers in new ways, open new markets, we partner, we adopt new technologies, we globalize. We do all this despite exposing ourselves to complex operating environments, continually emerging threats, new regulations, and new competition. We glean advantage from the capture, processing, and leverage of data, personal and otherwise. There isn’t a day that passes where we don’t read about another well-known name company being breached. This is a war, and we aren’t winning.
Zero Trust is not for me a panacea. It may not be achievable or absorbable for all of us. We may not all have the resources or expertise to integrate and use it. Different industries will leverage it better. But it is shining a light on areas of exposure and a need. We need to trust less, increase our visibility into our environment and how data moves through it, monitor effectively and, where risk is high, continually, and stringently enforce least privilege and limited access. We need to support this, if on-premises, with hardened servers, effective segmentation, endpoint controls, whitelisting, data minimization, and access management amongst other safeguards. In cloud, with as much visibility, privilege management and access control as products and platforms will provide, and the tightest contracts our attorneys can orchestrate. Zero Trust may in the end be a success for all of us, but not likely in the same way.
Zero Trust is the right strategy and an important component of a comprehensive program of security, business, and data protection. It is a set of tools and principles for the reduction of a specific area of business risk which along with a comprehensive program of resistance, resilience, operational prudence, proper staffing, sound administration, effective access management and data hygiene, matures and moves our security posture forward. It isn’t a magic bullet. There isn’t one. But as I said earlier, the power of a CEO stating ‘This is important to me personally and to our brand’ brings down all barriers to success. For security, privacy, ethics, continuity and for Zero Trust to be absorbed to a company’s culture, we need that voice.
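The four principles named in the session (Never Trust, Continuously Monitor, Least Privilege, Always Verify) are easier to reason about when reduced to a per-request policy decision. The following is an added example, not code from the interview or from any vendor platform: a minimal policy decision point in Python that denies by default, verifies identity and device posture on every request rather than once per session, grants only from an explicit per-role allow list, and writes every allow and deny to an audit log. The roles, resources, device fields and the 300-second posture-freshness limit are constructed for the example.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Each request is evaluated on its own, with no notion of a trusted session:
- Always verify: identity (MFA) and device posture are checked per request,
  and a posture attestation older than MAX_POSTURE_AGE_S is treated as stale.
- Least privilege: a role is granted only the (resource, action) pairs listed
  in POLICY; anything not listed is denied.
- Continuously monitor: every decision, allow or deny, is appended to an
  audit log for the SOC to consume.
All names, roles and resources below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical freshness bound for device posture attestations (seconds).
MAX_POSTURE_AGE_S = 300

# Least privilege: explicit allow list per role; absence means deny.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("reports", "read")},
    "finance": {("reports", "read"), ("ledger", "read"), ("ledger", "write")},
    "admin": {("iam", "read"), ("iam", "write")},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool      # identity verified with a second factor for THIS request
    device_managed: bool    # device enrolled in management
    device_patched: bool    # device meets the patch baseline
    posture_age_s: int      # seconds since the posture attestation was produced
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyEngine:
    audit_log: List[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        """Return a Decision for one request; never trusts prior requests."""
        if not req.mfa_verified:
            d = Decision(False, "identity not verified (MFA missing)")
        elif not (req.device_managed and req.device_patched):
            d = Decision(False, "device posture failed")
        elif req.posture_age_s > MAX_POSTURE_AGE_S:
            d = Decision(False, "device posture attestation stale; re-verify")
        elif (req.resource, req.action) not in POLICY.get(req.role, set()):
            d = Decision(False, f"role {req.role!r} not granted {req.action} on {req.resource}")
        else:
            d = Decision(True, "all checks passed")
        # Monitoring: log the outcome whether or not access was granted.
        verdict = "ALLOW" if d.allowed else "DENY"
        self.audit_log.append(
            f"user={req.user} role={req.role} {req.action}:{req.resource} -> {verdict} ({d.reason})"
        )
        return d


def run_demo() -> List[Decision]:
    """Evaluate four constructed requests; only the first should be allowed."""
    engine = PolicyEngine()
    requests = [
        Request("alice", "finance", True, True, True, 30, "ledger", "write"),   # compliant
        Request("alice", "finance", False, True, True, 30, "ledger", "write"),  # no MFA this time
        Request("alice", "finance", True, True, True, 900, "ledger", "write"),  # stale posture
        Request("bob", "analyst", True, True, True, 10, "ledger", "write"),     # outside role scope
    ]
    decisions = [engine.evaluate(r) for r in requests]
    for line in engine.audit_log:
        print(line)
    return decisions


if __name__ == "__main__":
    run_demo()
```

Note that the second and third requests come from the same user whose first request was allowed; a session-based model would have let them through, whereas evaluating each request independently denies them. In a real deployment the posture fields would come from an endpoint management or attestation service and the audit log would be shipped to the SIEM, but the decision logic is the part Zero Trust products differ on least.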
Martin Gomberg can be reached at firstname.lastname@example.org
With the rise of remote and hybrid work, organisations have struggled to secure their digital ecosystems, giving cybercriminals fresh ground in unsecured home networks, personal devices, and weak authentication practices.
To navigate the hybrid world securely, traditional cybersecurity approaches may no longer suffice in protecting organisations from the increasing sophistication of cyber threats. As cyber threats continue to evolve, Zero Trust is set to play a critical role in safeguarding organisations and ensuring a resilient cybersecurity strategy for the digital age.
Get to the heart of the conversation, only at PrivSec Global.
- Session: Zero trust: Rethink security, and redefine resilience
- Time: 11:30am – 12:15pm GMT
- Date: Day 1, Wednesday 29 November 2023
Discover more at PrivSec Global
As regulation gets stricter – and data and tech become more crucial – it’s increasingly clear that the skills required in each of these areas are not only connected, but inseparable.
Exclusively at PrivSec Global on 29 & 30 November 2023, industry leaders, academics and subject-matter experts unite to explore these skills and the central role they play within privacy, security and GRC.