Sandro Bucchianeri, National Australia Bank.
Sandro Bucchianeri has criss-crossed the globe in his career as a security technology professional, and Absa was probably very fortunate to hold onto him for a few years as he headed up its security teams until 2021.
He now has a somewhat larger role, as group chief security officer for the National Australia Bank, and dialled into this year’s ITWeb’s Security Summit with some advice for his fellow security colleagues.
Bucchianeri wanted to speak about how cyber security is now a team sport, and in a talk with many sporting references, said he’s ‘unfortunately’ been a lifelong Manchester United supporter.
He said that ManU had built its football programme around one man – Sir Alex Ferguson – and when he left everything had started to unravel, ‘because it was that individual who was holding them, and the entire structure, together’.
He asked the delegates to reflect on whether their cyber security programme was built for longevity, and whether it could continue if they left.
Expanding on his cyber and sporting metaphor, he referenced the Galácticos football super team, which counted among its members Zinedine Zidane, David Beckham and Cristiano Ronaldo. Bucchianeri reckoned that a team of superstars could never be an effective team.
Criminals winning the war
Turning to the global cyber security landscape, Bucchianeri said there were about 1 900 distinct hacking groups globally, and, ‘they do seem to be winning’.
He also maintained that the extent of cyber crime has been vastly undercounted and underreported. He thinks that as little as 10% of cybercrimes are reported, for a number of reasons, such as fear for one's job or regulatory censure.
Prosecution rates, he said, are as low as 0.075% in the United States, and he believes they are significantly lower in other countries.
He said that South Africa has the third highest number of cyber-crime victims in the world, and he estimated that it costs the economy R5.3 billion a year.
Bucchianeri said there need to be enough [cyber security] players on the field, and that no entity could build a successful team with a massive skills gap. He put this gap at about 3.5 million professionals worldwide, and said the number continues to grow.
He referenced his erstwhile employer Absa’s Cybersecurity Academy, which aims to equip marginalised young people with cyber skills.
“In Australia you may think there’s this vast population of talent that we can tap into, and yes we do, but so do all our competitors; everybody is looking for the same players, and in so doing, pushing up salaries. This is great for the person receiving the salary, but it’s not great for me as a CISO.”
He also thought that the current situation with astronomical wages being demanded by cyber security professionals was not sustainable in the long term.
Bucchianeri said investment in employee training is of the utmost importance, and predicted that global spending on this would reach $10 billion by 2027. On the other hand, “We’ve never really spent any money on employee training.”
More diversity, better security
He said global spending to protect businesses from cybercrime will reach $1.75 trillion over the next five years, roughly R27 trillion.
He also thinks that diversity of thought makes for better security teams, and that globally, only a quarter of cyber security jobs are held by women.
“If you have five guys in a room, we’re going to have similar ideas to solve a problem. But if you add a female or two into the mix, we’ll automatically start thinking differently about our risk problems. We need to fix this problem, and it’s something I strive for in my leadership team that I hire. It’s also not just female, but from a diverse cultural background. It’s important to tackle the next wave of challenges we’re faced with as security professionals.”
He had some advice for his security colleagues gathered in Johannesburg, saying the field was not 'rocket science', but was certainly one that is constantly in flux. To this end he suggested a continuous process of defining and redefining security problems.
He said that cloud security is an imperative, and that in just three years, half of the world’s data will be in the cloud.
“Because you’re in somebody else’s datacentre, how do you protect that? Just lifting and shifting applications from your on-premise datacentre to the cloud is not the solution.”
The world’s billions of IoT devices also presented challenges.
Bucchianeri reiterated that it was important to get the basics right.
“We’ve been doing security for 25, 30 years, and we’re still doing the same things wrong.”
For CISOs, he suggested they gather a ‘dream team’.
“I know it’s difficult and I’m going to come along and poach all your people because you’re not paying them enough; and I pay much, much more, in Australia. But that being said, pay your rock stars well. If you do that you create a culture that is inclusive. I’ll guarantee they’ll stay much longer than those that are just after the next paycheque.”
He left his audience with an African proverb, which he said he admired: “If you want to go fast, go alone. If you want to go far, go together.”