Deloitte’s Global CISO: Authentication to Become Behavior Based

Dr. JR Reagan is global chief information security officer (CISO) of Deloitte Touche Tohmatsu Limited (DTTL) with revenue of $34 billion, over 210,000 employees and operating in more than 150 countries. As the senior-most information protection officer, he leads the next-generation design of the global security organization.

In addition to his role at Deloitte, he serves on the faculty at Johns Hopkins University (Carey Business School), Cornell University (Johnson Graduate School of Management) and Columbia University (Graduate Studies Mentor). He holds a doctorate in organizational leadership from Shenandoah University and has been a guest lecturer on innovation, cybersecurity, analytics and marketing at Harvard, Wharton, Georgetown, Notre Dame, Northwestern, American and Southern Methodist Universities.

You predicted that cell phones as ‘pass phones’ will soon become the norm. With hackers already compromising mobile devices, what will be the next authentication mechanism after the cell phone?

The device will become less and less important as security moves away from procedurally-based–requiring the user to input a password, enter a thumbprint or take a “selfie,” for instance–to behaviorally-based. Already technologies in development can detect how a user holds a device, the pace and accuracy of a person’s typing, and so on, noting what’s ‘normal’ for the user—similar to the way banks monitor credit-card or debit-card activity, noting patterns and flagging behaviors or locales unusual to the client. Whether the authentication device of the future—phones, wearables or something else—it will likely know its user’s usual whereabouts and behaviors, and delay or even deny access when it detects deviations.

How does the information security profession achieve the Holy Grail of five- nines reliability?

The telephone utility was the first to boast of 99.999 percent reliability, setting the standard for service that we all strive to meet. But phones weren’t always so reliable. The industry achieved its success after innovators moved beyond a piecemeal approach to design on a grand scale, collaborating with one another to engineer improvements across the entire network and give customers what they want—around- the-clock availability, ease of use, and quality experiences.

We in information security have much to learn from this narrative. In many ways, our profession seems still in the early, “piecemeal” phase, with many focusing on protecting their own organizations’ data and that of their customers, or on developing apps to secure a single device or network.

But as the telephone’s history indicates, success may come only when we “think big,” enlarging our scale, moving beyond the local (company-focused or product-focused) to the global (industry- or even Internet-focused). To get there, we collaborate with one another for a common good — such as data protection — and innovate strategies and solutions to thwart intrusions system-wide. And, like the phone industry, we ought to always keep the customer front and center in whatever we design.

What will be the global impacts of the EU General Data Protection Regulation set to come into enforcement in 2018?

International privacy laws may continue to limit our ability to share data across borders. Already more than 100 nations have adopted laws governing the transfer of citizens’ personal information. The E.U.’s set to issue its Data Protection Regulation and other such laws—all unique—being considered by governments including the U.S. could make sharing become more difficult.

Instead, discrete “data islands” may form, separated by a morass of laws and regulations. Not only are these restrictions making it harder for us to see the big picture, but they could also undermine the way we conduct international business. Firms with offices in multiple countries will have to work hard to keep abreast of laws and regulations in all the locales we serve — and we’ll need to put on our thinking caps to figure out how best to balance the needs for privacy and security while serving our customers and clients.

Some organizations are making the CISO a direct report to the CEO or even the Board. Where is the right place for a CISO to report? Should CISOs have a seat on the Board?

The role of the CISO is shifting, along with the responsibilities, from technology leader to risk leader. How this manifests itself depends on the organization: some are granting the CISO direct access to the CEO—and vice-versa—while an increasing number are adding the CISO to the board. How this will ultimately play out remains to be seen, but this much is clear: to succeed, CISOs now must hone their knowledge and understanding of business so that, when asked to move from the backroom to the boardroom, they’ll be ready.

A question you yourself would like to be asked…

Even as organizations step up security awareness programs and other forms of security training, data breaches continue to happen on a massive scale—largely because of user errors. How can we design our systems to protect users from themselves?

Rather than place the security onus on employees or executives, perhaps we ought to work around the “weak link” of human error. Instead of burdening workers, who are busy doing their jobs, with the task of keeping our organizations safe, maybe we ought to design more cybersecurity that protects people from themselves.

Examples include systems that recognize and flag “phishing” emails before passing them along, or that stop potentially unsafe links from opening, and “self-healing” networks that may someday have computers doing the vigilance work now being asked of people. In the meantime, perhaps we should consider adding more than a touch of human unpredictability to our cybersecurity recipes—moving away from a “digital strategy” focused on technology to a “human strategy” focused on people living, and working, in a digital world.

While working as the ghostwriter for Dr. J.R. Reagan, Global Chief Information Security Officer at Deloitte, I wrote his answers for this Q&A published by CSO Online, a premier publication for Chief Security Officers, about a number of topics including behavioral authentication, the “five nines” approach to cybersecurity, and the EU’s General Data Protection Regulation (GDPR). I used my own knowledge as well as research into the topic to draft the piece; he made comments and suggestions, and I revised it. Many of his/our predictions have come true!

Client: Dr. J.R. Reagan/Deloitte

Format: Article
Cost: $4,000 US