Apex sat down with Malik Bernard, Executive Head, Cyber Governance (Cyber Security and GRC) at the City of New York to discuss the cyber journey. With over 20 years overall in the space of Cybersecurity, Enterprise IT Strategy and Design, Vendor Management coupled with IAM and DLP program implementation, he shares his experience on the pathway to cyber success.
Q: What is IT security doing to support innovation in the enterprise?
A: This is an interesting question; On its face, a simple question; but if you give it some thought, there has to be a distinction between IT Security and how it supports Cyber. Within IT Security, one may look at Data, Hardware/Software and Artificial Intelligence. I know from performing hands on labs, working with industry leaders, and analysts, the trend is towards
- Hardware Authentication
- Machine Learning coupled with Behavior Analytics
- Cloud Security or should I say, better cloud security, beyond Firewalls, Storage etc. In this space, virtualization still rules and the implementation of Virtual IPS/IDS is paramount as part of an overall Cloud security strategy.
Q: Should IT security be a business enabler?
A: Everyone and every department, should support the business through smart hiring, defined, well documented processes and procedures and with appropriate technologies.
Q: How do you stay abreast of the trends and what your peers are doing?
A: I listen to smarter people than myself. I have within my circle of whom I trust, those that are non-bias individuals who aren’t afraid to tell me no, share with me what they really think and I attend a few workshop forums yearly to challenge and stretch my knowledge.
Q: How have you searched for and found the best vendors for your organization?
A: It helps to be the SME or subject matter expert or know a few on a variety of business and tech needs. This way, you can cut through the ‘pitch’ and get to the ‘how will this help solve the challenge(s) we’re currently facing’ and how will it scale.
Q: What is the biggest challenge for a CISO today?
A: This one depends on many factors; The size of the organization; The amount of power and control trusted and given to the CISO. I would say, keeping up with the ever changing attack surface of the enterprise and ensuring that one’s defensive posture, is the ‘right size’ for their environment.
Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?
A: CISOs are more focused on tech, cyber, etc. CROs are more focused on Risk, Threats etc. They both should work closely together to ensure a full 360 view of Risk and Threats across the landscape.
Q: How has the role of the CISO changed over your career?
A: I’ve actually changed and defined in my prior role, what a next generation CISO should be focused on and how to get quick wins, towards a sustainable strategy of measured success. This role simply validated what I’ve been doing in prior, non exec, C-Suite positions.
Q: What advice would you give an early stage CISO joining an enterprise organization?
A: Discern what’s real, what’s perceived and what’s noise. Find a way to cut through the ‘pitch’ and understand how x may occur and have in place, 2, 3 options at the ready to defend the organization. Finally, listen more, speak less and be curious.
Mr. Bernard is the Senior Executive Head of the City of New York, where he heads up the City’s Cyber Governance Tower. He was also in charge of leading the following domain areas: Software Security Assurance akin to SDLC, Cybersecurity and Awareness Training and IT Risk.
Prior to joining the City of New York, Mr. Bernard held the role of Chief Information Security Officer (CISO), for a global technology company, where his and his team’s focus was on Cybersecurity (Identity Access Management, Data Leakage Prevention, Threat Management, GRC and Privacy Management.)