Mitel chief information security officer Allan Alford talks about evolving security challenges, machine learning – and how he unexpectedly ended up with an iPhone
What is your role and who do you work for?
I’m Chief Information Security Officer (CISO) at Mitel, a global business communications company. We provide businesses a range of unified communications, collaboration and contact centre software and services to allow them to seamlessly communicate and collaborate from anywhere, and deliver best in class experience to their customers.
You could say that my role is about turning security risks into business opportunity. For instance, I recently presented the results of an internal, company-wide infosec audit to our CEO and his leadership team. This included an analysis of risks, suggested mitigations, a timeline for implementing new security measures and the business case for implementing these measures.
It’s not just about protecting us from risk, it’s also about how it can improve our business and what we provide to our customers. As a well-respected colleague of mine is fond of saying, security is not here to facilitate the business. Security IS the business.
How long have you been in IT?
I’ve been in IT for 21 years in total, with an additional 10 year stint in engineering as well. In one of my previous roles, I was CISO for a unified communications and videoconferencing company. I conceived and led the effort to implement a full product security programme there, integrating it into the business.
The practices, techniques and metrics we created there are still in use today. After 10 years in product security I came back to the IT fold. Now I focus on securing the entire enterprise, be it IT, cloud, product, etc.
What is your most interesting project to date?
One of the challenges of working in security is that it’s often difficult to talk specifically about what you’re working on day-to-day, as you could accidentally expose security vulnerabilities.
In high-level terms, I’m currently working on aligning our IT enterprise security and cloud security programmes to streamline the risk management process while using resources effectively.
I like to drive my security programs by the pillars of Visibility, Risk Management, and Business Integration. It’s definitely fun developing and running a full security practice.
What is your biggest challenge at the moment?
I think that for those of us working in security the biggest challenge is not necessarily something of this moment only, but the perennial issue of user education and awareness. We, the humans in a given enterprise, remain the weakest links when it comes to cybersecurity.
I can create the most effective and elaborate security program out there, but if someone clicks on the wrong button or opens a bad link then there’s really nothing I can do about it! We’re all human and you can’t avoid human error.
For me, the long-term solution here is two pronged – educating users on how to best protect themselves from risk, but also implementing technology that will be able to block the bad thing from happening, or at least to control the impact of bad user decisions after they’ve been made.
What technology were you working with ten years ago?
Ten years ago, I was deep in the world of product security. I used a wide variety of security testing tools (vulnerability scanners, SAST, DAST) at the time and interestingly I still work with many of those same tools today.
Of course, over the years attacks become more clever and sophisticated, and in response our tools are constantly evolving into new iterations
Definition-based antivirus, for example, has given way to behavioural approaches to hunting malware. There are many other innovations for next-gen desktop protection such as sandboxing, white listing, heuristics, etc. The point is that threats evolve, and the tools must evolve too.
But, on the whole we’ll always be one step behind the latest security threat, with the tools forever playing catch-up. If you don’t feel like learning your whole job all over again every few years, then infosec is probably not for you. The basics remain the same, but the implementations evolve constantly.
What is your favourite technology of all time?
Honestly, it’s the internet itself. I’m using it right now to make this interview possible. And if I glance at my phone, I’m receiving messages from Canada and Germany as we speak.
Being able to instantly connect with people from around the globe: it’s something I’m still in awe of.
How will the Internet of Things affect your organisation?
IoT is a really fast-developing sector and there are loads of highly interesting use cases out there. Internet-connected smart watches, refrigerators, baby monitors, doorbells, personal digital assistants like Alexa and Google Assistant, etc. all offer fantastic functionality for users. However, from a security perspective we have to approach these new technologies with our eyes open.
I’m concerned about the new vulnerabilities my users’ IoT devices are going to be bringing to the table. I’ve already got mobile phones and tablets to deal with in terms of IP connectivity. IoT devices have started popping up in offices and we’re definitely looking out for these new devices and the vulnerabilities they could bring.
That being said, I remain optimistic that with the right security and data management policies we can implement creative IoT solutions in our organisation in a responsible way.
What smartphone do you use?
It’s an iPhone, but that’s rather by accident than by design. About 12 years ago the company I was working for asked employees what type of phone they’d like to have and I requested an Android but received an iPhone. I was about to go on a business trip so I didn’t have time to exchange it, and by the time I got back I’d downloaded and logged into enough apps that it didn’t seem worth the effort of starting on a new device.
Twelve years on, when I borrow an Android from anyone in my family it’s like giving a smartphone to a monkey, I just don’t know how to work it! Note that I’ve not bought into any of the rest of the Apple ecosystem, so the phone is a bit anomalous, but there you have it.
My main platform at home is Windows 10 and I have Linux systems here and there too.
What three apps could you not live without?
For work I rely heavily on Mitel MiCollab. I use it as an extension of my desktop, it allows me to use any means of communication that is available from my desktop phone or softphone (or mobile!), along with presence, IM and document sharing. It’s an essential tool for me when I’m on the move.
The other app I use a lot for work is of course Outlook.
I’m also a voracious user of LinkedIn. As part of my work I do a lot of public speaking, I write a lot of articles and this means that I’m constantly posting to LinkedIn.
Over the years I’ve built up a connections list of about 17,000 security practitioners and vendors, and if I’m tackling a new challenge, there’s no better sounding board than posting to my LinkedIn profile and observing the ensuing conversations in the comments.
What new technology are you most excited for a) your business and b) yourself?
For Mitel, I’m most excited about taking our security control and enforcement technologies and tying them to machine learning and AI.
UEBA, Threat Intelligence, etc. all offer opportunities to have advanced analytics managed by the computers rather than the humans, saving cycles for the team to focus on more human-centric tasks such as threat hunting.
If you weren’t doing the job you do now, what would you be doing?
I would be doing this job. I just can’t imagine doing anything else!
If I were to retire from information security, it would be to teach information security. It’s something that I’m absolutely passionate about and I think that’s really important.