Sandro Bucchianeri, National Australia Bank.
Sandro Bucchianeri has travelled the world in his career as a security engineering expert, and Absa was probably fortunate to retain him for a few years as he led its security teams until 2021.
He now has a somewhat larger role as Group Chief Security Officer for National Australia Bank, and he dialled into this year's ITWeb Security Summit with some advice for his security peers.
Bucchianeri wanted to make the point that cybersecurity is now a team sport, and in a talk full of sporting references he admitted he was "unfortunately" a lifelong Manchester United supporter.
He said Manchester United built their football programme around one man, Sir Alex Ferguson, and when he left everything faltered "because it was that person who held them and the whole structure together".
He asked delegates to consider whether their cybersecurity program was built to last, and if they left, could it continue?
Extending the sporting metaphor, he referred to Real Madrid's Galácticos, a superteam whose members included Zinedine Zidane, David Beckham and Cristiano Ronaldo. Bucchianeri said that a collection of superstars does not by itself make an effective team.
Referring to the global cybersecurity landscape, Bucchianeri said there are about 1,900 different hacking groups around the world and “they seem to be winning”.
He also argued that the scale of cybercrime has been grossly underestimated and under-reported. He believes only about 10% of cybercrime is reported, for reasons ranging from fear of losing one's job to suppression by the authorities.
Prosecution rates, he said, are only 0.075% in the United States, and he believes they are significantly lower in other countries.
He said South Africa had the third highest number of cybercrime victims in the world and he estimated it was costing the economy R5.3 billion annually.
Bucchianeri said there must be enough [cybersecurity] players on the field, and that no company could build a winning team with a massive skills deficit. He put that global gap at around 3.5 million professionals, and said it is growing.
He pointed to the Cybersecurity Academy run by his former employer Absa, which aims to equip marginalized young people with cyber skills.
"You might think there is a huge population of talent in Australia that we can tap into, and yes we do, but so do all of our competitors. Everyone is looking for the same players, driving up salaries. That's great for the person receiving the salary, but it's not great for me as the CISO."
He also considered the current situation, with astronomical salary demands from cybersecurity professionals, to be unsustainable.
Bucchianeri said investing in employee training is paramount and predicted that global spending on it would reach $10 billion by 2027. In contrast, he noted: "We never really spent any money on employee training."
More variety, more security
Global spending to protect businesses from cybercrime will reach $1.75 trillion over the next five years, or about R27 trillion.
He also believes that diversity of thought makes for better security teams, noting that only a quarter of cybersecurity jobs worldwide are held by women.
"If you have five people in a room, we will have similar ideas to solve a problem. But if you add a woman or two, we will automatically start thinking differently about our risk issues. We need to solve this problem, and that's something I strive for in the leadership team I'm hiring. It is also not only female but has a diverse cultural background. It is important to address the next wave of challenges we face as security professionals."
He had some advice for his security colleagues gathered in Johannesburg, saying the field was not "rocket science" but was certainly in constant flux. To that end, he proposed a continuous process of defining and redefining the security problems to be solved.
He said cloud security is a must, and that within just three years half of the world's data will be in the cloud.
“Because you’re in someone else’s data center, how do you protect that? Simply moving applications from your on-premises data center to the cloud is not the answer.”
The billions of IoT devices in the world also pose challenges, he said.
Bucchianeri reiterated that getting the basics right is important.
“We’ve been doing security for 25, 30 years and we’re still doing the same things wrong.”
For CISOs, he suggested putting together a “dream team.”
"I know it's difficult, and I'm going to come and poach all your people because you don't pay them enough; and I pay much, much more in Australia. But other than that, pay your rock stars well. When you do that, you create a culture that is inclusive. I guarantee they'll stick around a lot longer than those who are just after the next paycheque."
He left his audience with an African proverb he admired: “If you want to go fast, go alone. If you want to go far, go together.”