Shawn Bowen is the Vice President and Chief Information Security Officer of World Fuel Services, a Fortune 150 energy, commodities, and services company. Regarded as a transformative thought leader in IT security with a track record of leading successful strategies in various environments, Shawn was a panelist on the topic of “Security incident management: key lessons from industry leaders” together with Laurens Binken, General Manager Information Risk Management Strategy and Transformation at Shell, Stuart Seymour, Head of Global Cyber Security Incident Response and Continuity at BAT, Linus Plum, CISO at Software AG, and Sascha Maier, Group CISO at SV Group at the Global Cyber Conference 2022.
In this interview, Shawn discusses some common cybersecurity misconceptions, the importance of segmentation in dealing with ransomware, best practices for preventing human errors in cybersecurity, and more. Let’s dive into all his insights below.
What are the most common misconceptions that you believe businesses have about cyber security?
One of the misconceptions that I see a lot, even among some IT folks, is that cybersecurity is one single skill set. Somehow the CIO organization needs 20 different types of engineers/developers/administrators because of the different techniques, but cybersecurity is treated as one skill profile, rather than as something that somewhat mirrors the CIO organization (in skill diversity, not size) with a security specialty in each of those technology spaces.
The other that comes to mind is that security is just one answer (black or white), rather than recognizing that it really is about risk (all gray). You often see this in the “Are we secure?” question. But to be fair, that isn’t helped by really technical security practitioners who aren’t taught to manage risk.
A lot of the training is on how to secure something, but there needs to be a final course or chapter in every curriculum that forces the security technician to think about managing the risk and accepting some ‘less than secure’ options.
What do you consider to be the biggest hurdle for organizations in the fight against ransomware?
The biggest hurdle is achieving good segmentation. Good segmentation allows for quicker containment and limits the blast radius, hopefully reducing the impact on the overall business. Obviously, since most ransomware begins with exploiting users, user education and good identity security are a must and are thus big hurdles as well.
Almost all successful cyber breaches share one variable in common: human error. What are the best practices for preventing human errors and security mistakes?
I think something that every security team can do that is free (our favorite price) is to make time for threat modeling and incident response tabletop exercises. They are a great way to expand the education of the people impacted by the breach.
Threat modeling allows people’s imagination to grow and for common threats to be shared and discussed more regularly. Tabletops are always great for walking through the process. Definitely throw in variables and rotate responsibilities or remove key people from playing to make it more realistic.
The surge in remote working has created concerns for cybersecurity specialists, exposing companies to many cyber threats. What major preventive measures would you recommend a company take to close those gaps?
Push out MFA/OTP, limit VPN and RDP as much as possible, and move everything you can to the cloud to leverage the security technology that is better suited for work-from-anywhere approaches.
Artificial intelligence (AI) and machine learning (ML) are playing an increasing role in cyber security. But can AI-based cyber security be a complete replacement for human security staff?
Yes, AI and ML can automate and accelerate routine tasks, but in the greater view, I don’t think AI’s intent is to replace human security staff, but rather to filter out the noise and raise the key decision points for humans to decide.
The human element plays a central part in most cybersecurity incidents. To what extent do you consider that people are most often the problem?
There are plenty of studies that say humans are the cause of cybersecurity incidents X% of the time (X being a really high number). But there is a little bit of FUD in that calculation, because it needs to be broken down into misconfigurations, phished users, etc. When you consider all the threat avenues in which humans are the vulnerability, yes, those numbers are accurate.
But that doesn’t really help organizations fix the problem. It has to be broken down into the various threat categories and applied to the systems via tailored threat modeling so it can be addressed accordingly; whether that be training users to not click links/open attachments or slowing down the engineering process to include more thorough security reviews, etc.
How can security leaders better help their organizations build a strong culture of security?
Being open and willing to talk about security with anyone in the organization on their terms is one of the best ways I have been able to improve security culture. Also, you have to have fun with it. No one wants to talk about things that bring them down all the time.
What do you foresee will be the biggest obstacle for security leaders and practitioners to overcome in 2023 and the years ahead?
I think moving to the cloud is still just barely beginning and embedding security in that transition is critical. And obviously emerging technologies that allow businesses to set themselves apart from the competition will come with their own new security challenges (IoT, RPA, etc.).
Could you please share with us your top 3 reasons for attending the Global Cyber Conference in Zurich?
- The opportunity to collaborate with an internationally diverse group of cybersecurity professionals brings a vast array of perspectives on the challenges in the cyber world and solutions to address them.
- The speaker roster is stacked with great talent; I am excited to be an attendee, as well as humbled and honored to be on the list with the other speakers.
- Did I mention the opportunity to network with such a diverse group of cybersecurity professionals?
What are your initial thoughts on the Global Cyber Conference’s key themes, and, in your view, how strategically are the themes set?
The key themes are critically impactful to the entire cybersecurity industry. I have been fortunate to be part of securing Digital Transformation for the last five years at three different organizations. Most recently at World Fuel Services, we have shut down 20 of 22 data centers in the last couple of years with the final 2 being closed down later this year.
I am excited to hear about others’ journeys and share my lessons learned. Human-Centric Cybersecurity is crucial for us all. The data has been consistent for several years that an overwhelming majority of incidents have come through a human-induced vulnerability.
And lastly, Secure Finance & Banking: while some of us attending don’t work in that segment, it is often the leader in security technology, so it is an opportunity to get a sneak preview of security tech that we will all be implementing soon.