Behind the Scenes with a CISO - What it Takes to Get More Sleep and Avoid Security Threats
Jason Ozin is the Group Information Security Officer at PIB, a fast-growing group of insurance advisory businesses in the UK, and Egnyte customer. Ozin is responsible for information security, cybersecurity, data governance, and compliance.
PIB Group has grown rapidly since launching in 2015, building its team from 12 employees to over 1,400 today, through a combination of acquisitions and organic growth. They are now based in over 40 locations across the UK as well as Guernsey, Germany, and Ireland.
With the business accumulating significant amounts of unstructured data from a variety of sources, Ozin needed the ability to manage risk and deploy data protection at the source without the day-to-day chaos of mitigating cyber threats. Ozin has one rule: he doesn't want to lay awake, or even be woken up by an emergency call if he can avoid it.
According to Jason Ozin, there are four things a CISO needs to sleep well at night:
- Trusted business platform partners
- Next-generation endpoint protection with behavioral analysis
- Consistent vulnerability patching
- Two-factor authentication on log-ins, wherever you can
But keeping company data and clients’ data secure also means making the right choices early on.
“Start as you mean to go on. Set a strategy, stick to it. Don’t let business drivers let you compromise simplicity, privacy, and security because you will live to regret it. It doesn’t mean you can’t be flexible or you can’t be forward thinking, but there are basics around data governance and they have to remain the same.” - Jason Ozin
Egnyte’s Director of Corporate Marketing, Brittany Carambio, recently sat down for a conversation with Ozin to discuss the strategies that PIB Group has incorporated to manage data governance and compliance for its rapidly growing business, steps taken this year to support their remote workforce amidst the COVID-19 pandemic, and advice for IT and Data Security professionals thinking through similar business challenges.
Read their conversation below and watch the full interview.
Carambio: What are some of your main responsibilities as CISO and DPO at PIB Group? What are the things you work to stay in front of and that have kept you up at night in the past?
Ozin: My one main responsibility is to keep our data and our clients’ data secure. That’s effectively everything I have to do. It’s interesting that you mentioned “what keeps me up at night.” I have one rule: I don’t want to be kept up at night. Or woken up at night with an emergency call. My department makes sure that we have great partners in place, and great teams in place at those partners, so we outsource a lot of that security work and a lot of our platforms. If I know I have the right partners in place it means I have less worry and less sleepless nights. I think there are four things a CISO needs in order to sleep well: Trusted business platform partners, next generation behavioral-based endpoint protection and 24/7 security information center who can deal with alerts that come out of that, patching is really important, and equally important nowadays if you look at all the breaches that have taken places is two-factor authentication on every login wherever you can. Those are my rules for keeping me asleep at night.
Carambio: I’m glad you’re getting good rest. You mentioned that PIB Group has gone from 12 employees to 1,400 employees over the last few years and you mentioned there are more acquisitions on the way. Mergers and Acquisitions is a big use case for many of our customers. What sorts of challenges does M&A pose for your team in terms of managing data governance, and information security for those acquired companies?
Ozin: We were lucky, we made the right choices early on. We are primarily cloud-first. We found the right cloud partners. We have a core set of platforms that we migrate our acquisitions to if we can when the time is right. Egnyte is a big part of that. Our IT migration teams go in and move the acquired data… into the Egnyte ecosystem where we can then look at their data to a greater extent. We try to move it off the legacy platforms as soon as possible. The great thing though is that the end users tend to remain happy because Egnyte presents their data in the same way they are used to either as a file share, as a web share, or however they are used to doing it. Egnyte is flexible enough to do that for us. Egnyte is a big part of our M&A process.
Carambio: This year has brought about so many new challenges for businesses, particularly those who are working remotely outside the walls of the office trying to maintain a level of security and control over data. How folks are working and how they are sharing information is really a different world for many companies. Can you talk about the strategies that you have employed for Information Security and protecting against growing threats like ransomware, insider threats, and the complicated world of compliance and regulation? How has the Covid-19 pandemic, or remote work more broadly, played a role in that?
Ozin: Once again we were lucky. We planned well. The move to 100% home working at times was hard work logistically but we had a great start. We are essentially cloud-first so it meant that we had everything in place to hit the ground running. We had some logistics we had to deal with around getting the hardware, additional laptops for employees, but in terms of our platforms, things were in place. Take Egnyte as an example, we had already protected Egnyte by partnering it with our single sign-on product, so it makes it easy. These people can login to it from unusual locations and we know we’re secure because we’re using our SSO and two-factor authentication to get into Egnyte. It plugged in very well with that. We had that extra level of security in place and people could work from home really quite quickly. Couple that with the really great endpoint protection that we have here and we didn’t struggle nearly as hard as some or my peers did.
Carambio: Jason, you mentioned a few times that you have already been a cloud-first organization for some time. You have been using Egnyte for a number of years which has been a helpful element of your transition to remote work and thinking about data governance in M&A. You are now starting to onboard Egnyte for more governance functions. Can you talk about the decision process for bringing data governance into your organization and what did you see as the opportunity there? Why was looking at your data from a governance and security perspective important right now and what drove you to that decision?
Ozin: The thought process went like this: We needed to have greater visibility of the type of data that we were holding and how it was being accessed. We have a lot of data from acquisitions and from our business processes. We wanted to mine more meaning and understand exactly what we had. We also wanted, and this was very important, to be alerted to unusual activity such as insider threats or insider mistakes which is a big issue, and we are already leveraging that really well. Egnyte is giving us those alerts, we’re looking at those. It’s been a really useful exercise.
Ultimately what we want to do with Egnyte is to categorize our data so that we understand what sorts of data we have in what sorts of places and what happens to it. How then that leaves our organization or if we stop it leaving our organization, or at least get alerted to it leaving our organization. Once we’ve been a few months down the line we’re going to start the categorization process.
Carambio: I’d love you to leave our audience with a piece of advice. What would you say to your peers who are maybe at the beginning of this process thinking through their own data governance strategies, thinking about secure remote work, maybe thinking about M&A as well. If you had one parting thought and piece of advice that you would impart, what would that be?
Ozin: Start as you mean to go on. Set a strategy, stick to it. Don’t let business drivers let you compromise simplicity, privacy, and security because you will live to regret it. It doesn’t mean you can’t be flexible or you can’t be forward thinking, but there are basics around data governance and they have to remain the same. Think about structure and manageability and have a plan for the future. Imagine yourself in six years’ time, looking at his bucket of data and wondering how you manage it. Start managing it early on, because the earlier you start putting a structure in place, the better it’s going to be. Going back to your sleepless nights question, and bringing it on to this as well, you will thank yourself in the future when you realize that you can take two weeks off in the Caribbean and have a holiday because everything is managing itself, your team is managing it and they don’t desperately need you. That’s a good thing.
Carambio: Absolutely. Here, here. We look forward to the days in the near future where that is something we can all do. Jason, thanks again for your time. We really appreciate your insight. Thank you for being an Egnyte customer. We look forward to having more conversations like this in the future.
Ozin: It’s been a pleasure.
Watch the full interview here.
Get started with Egnyte today
Explore the best secure platform for business-critical content across clouds, apps, and devices.
Don’t miss an update
Subscribe today to our newsletter to get all the updates right in your inbox.