We visited a successful cyber company and secured an interview with their CPO.
Here is part of the conversation, along with the insights we gained from it on how to become the perfect CPO:
What is the role of the CPO at your company?
The CPO is responsible for everything in the cyber security area, from strategy, architecture, development, operations, monitoring and management of cyber security activities to the budgeting and planning of the cyber security area.
What are the key responsibilities of the CPO?
- To make sure everything is set up and running well regarding cyber security
- To raise the cyber security maturity within the organization and make sure that everyone in the company understands what cyber security is and how to be secure
- To make sure we have a good and secure environment for our developers by providing tools and services that they need to be able to do their job in a secure manner
- To help our customers to be secure by providing them with tools to protect themselves
What are your key challenges?
- Security is always a moving target. You are never done. We need to adapt to new threats and new technologies, and always stay one step ahead of the threat actors. We must be constantly evolving. We need to educate ourselves continuously and keep up with the latest trends, techniques and tools. Threat actors are just one step ahead of us. We need to keep them there. It is a never-ending story.
How do you keep up with new technologies? What is your learning process?
I am not a developer myself. I am not involved in coding at all. But I need to understand all the technologies we use in our products and how they work. I read a lot of papers, blogs, articles and books about cyber security technologies and try to learn as much as I can about them. When it comes to new technologies, I like to be involved in their development from the beginning in order to understand how they work, what the possibilities and limitations are, etc. If we need new technologies in our company, I try to get involved early in their development in order to understand them better and see how they can help us improve our products.
Which technologies do you currently use?
We use the AWS cloud as our main platform and for our web services. Our mobile apps are coded with React Native using AWS S3 as a source for data storage. We use Elasticsearch as our search solution. We use S3 for storage of backup data for our customers. For detection of new threats we use Splunk Enterprise machine data analytics software. We also use some open source tools like the ELK stack for log management and analysis (Elasticsearch, Logstash, Kibana).
What should a good CPO know about cyber security?
We are not software developers ourselves, so it is crucial that we understand all technologies that we use in our products. We need to understand how they work, what their features are and how they can benefit us as well as our customers. We also need to know about other emerging technologies and what possibilities they offer for our products. For example, there is an interesting project called IOTA which aims at building a machine economy based on Tangle technology. It looks very promising because it promises fast transactions with zero fees, which means no central authority and no need for mining to validate transactions. It could potentially be very useful for us as well as for our customers if it works well – so we will keep an eye on this project and see how it develops.
How do you manage your budget and the security budget?
We do not have a separate security budget. Our budget is managed by the COO, who also manages all other department budgets. I do not have any trouble with this because you cannot manage security without involving everyone in the organization. It is a company-wide activity. Security is everybody’s responsibility. If we are not secure we are not secure at all. So I do not see the need for a separate security budget.
What are the most important KPIs in cyber security?
- The most important KPI is how many attacks we have blocked and how many attacks were successful. It is very important to know what is happening on the network level, at the application level and at the end user level. Do our products work well and are they effective? Without this knowledge we will not be able to improve our products.
- Another important KPI is how many incidents we have had and what their causes were. It is crucial that we know what happened, understand why it happened and how we can prevent similar incidents from happening again.