Information Security Manager, Citadel Wealth Management
Marlany Wilke is responsible for the implementation of Citadel Wealth Management’s information governance, risk, compliance, and cybersecurity strategy. “The insider threat is something I am passionate about,” she says. “The threat is about psychology, behavior patterns, and intelligence. Given these are human patterns it is a difficult risk to monitor and control.”
How are you strategically allocating your budget to deal with the growing scourge of hacks and data breaches?
Spend must be against your risk appetite and not against every threat. We will never have enough money to close all the gaps. Investment is channeled towards quick detection and skilled teams to eradicate the breach.
How are you dealing with growing specter of privacy regulations?
Collapsing the silos between compliance, legal, and business requirements in favor of collaboration and understanding the data is a step in the right direction. Privacy regulations fundamentally rely on what data you have, how are you transmitting it and where is it stored. Building those concepts upfront into the business processes and supporting systems means an automated way of dealing with regulations.
Is fostering an enterprise-wide security culture a top priority for you?
Yes, security is not an IT function, it’s an organization function, from the end-users who act as the first line of defense to the assurance providers who seek to understand the risks an enterprise faces, to the executives who set the tone and priorities for the implementation of a security culture.
The easiest way to start this process is to focus on the human component and make security personal to each stakeholder via a security awareness program. The program needs to provide all stakeholders with two things – what is in it for me and what is required from me.
How are you aligning security operations with IT? – Is automation and orchestration high on the agenda?
With the advent of the fourth industrial revolution, incorporation of AI, machine learning and robotics the digital age demands that IT implementations consider security inherently.
My relationship with IT Operations and understanding the projects and type of technologies being implemented help me leverage the correct value propositions that meet a security objective. Automation and orchestration is the only way to ensure that value is extracted in the least resource intense way.
How are you addressing insider threats and risk in your organization?
We have a history of focusing on perimeter defense, also internal threats such as trust abuses are typically not caught by your traditional “signature-based” defenses. How does traditional intrusion detection systems and anti- virus systems protect you in this case?
The threat is about psychology, behavior patterns and intelligence. Given these are human behavior patterns it is a difficult risk to monitor and control. However, some basic controls should be considered:
- Understand identities in your organization and understand what that identity is capable of.
- Build analytics around simple behavior patterns and educate response teams on how to deal with any anomalous activity.
- Educate the organization on the concept of the insider – and provide a means of reporting anonymously.
- Ensure your organization policies around investigations and consequences is known and execute
How important are emerging risks to your information security vision?
Without innovation, the business cannot survive. Organizations are expecting IT to optimize and automate in order to help save money, to better the customer experience, therefore, attracting more customers. However, the world’s best technologies mean very little if they cannot be trusted, i.e., if they are not secure. The CISO vision needs to consider the threat landscape in light of robotic processing, artificial intelligence, cloud adoption, and so forth and allow IT to innovate with Eyes wide open – know the risks and be adaptive enough to either decrease the risk or accept it.
For CISOs who talk to their boards, what subjects should they mention, and which ones should they avoid?
Outside of the traditional, budget and resource discussions consider:
- Speaking about security has a trusted partner to innovation and digital transformation. Bring in its commercial value – for example: how it will assist the customer experience.
- Get the board involved – education via gamification – means the board will understand the kind of decisions that need to be made on the ground without getting into technical detail.
- Avoid fear-mongering, after all the perception of what can go wrong differs from person to person. Base your comparisons on statistical evidence where possible and show the risk in the relevant context.
- Whilst some concepts have to be explained technically – keep the GB and analytics conversations out of the boardroom.
What personal achievement are you most proud of?
Self-publishing my book with Partridge Africa, under an author-name. The content is focused on empowerment of oneself in the face of diversity.
I formed part of the woman’s coaching program when I was employed at Absa and had the privilege of guiding young women in their first year of working. The learnings for myself and watching the growth of the ladies humbled me. Two of the ladies are now coached by Senior members of PWC.
Why are internal threats oftentimes more successful than external threats?
Insiders have knowledge on the type of controls, monitoring and the business process that institutes follow, coupled with credentials, an insider processing a transaction in a normal cause of business or downloading malicious content is going to be difficult to identify unless behavior analytics, operational controls like the three-eye principle are in place.