Speaking to Global Relay’s Chief Information Security Officer (CISO), Laurence Lafond, recently yielded a discussion that is informative and practically useful for compliance and legal professionals, especially as we all embark on a new year, new to-do lists, and are surveying the new and not-so-new risk landscape ahead.
We discussed his top concerns as a CISO; the most common and easily remedied mistakes businesses can make in the information security arena; how cybersecurity standards and frameworks help with benchmarking and auditing; what he looks for in security professionals in terms of skills and approach; and how businesses can train and incentivize employees to help minimize data breaches.
In part one, we focus on Lafond’s top concerns, the role of the CISO, certifications and audits of the security program, and the needed collaboration inside organizations to pull all of this security resilience off in the first place.
Part two focuses on the interactions between tech, processes and people, the risks associated with relying on vendors, corporate incident response teams, and the common mistakes that businesses should aim to avoid making in 2025.
Let’s dig in.
Top concerns
Ransomware, quantum computing and AI
Lafond said ransomware attacks on firms have found their way into business continuity exercises, since firms absolutely must plan for and even expect to be subject to a ransomware attack at some point.
These attacks force you (as an organization) to make a quick decision about a breach of material data that you might be willing to pay to get back – and it’s a decision you would never want to make even in a less pressured circumstance, Lafond observed.
This makes it rise to the top of his concern list.
“When our ISO 27001 auditor approached us about what she looks for in BCPs, she highly recommended that ransomware be included, and this appears to be a trend, globally. It’s a potentially significant issue, and really a top one,” he said.
There’s also a policy angle to ransomware, he observed. The organization needs a policy for dealing with such an attack: knowing in advance whether it would pay a ransom, and having an organizational framework around that decision, keeps the organization from having to decide while the attack is unfolding, under extreme pressure.
Lafond said knowing beforehand what your CEO and CFO are willing to do in these situations is incredibly important. He also observed that knowing your organization has significant, secure backups available can certainly help it decide whether or not to pay.
His second area of concern is quantum computing, which has the potential to undermine encryption. Quantum computing could break today’s encryption algorithms and decrypt data that should remain confidential, which has become a big source of anxiety in security circles.
“Quantum computing has not been proven to be effective against some of our cryptographic controls that we have in place today, but in 5-10 years, we think it will be a bigger threat. For example, the keys used for encrypting data in an asymmetric key model are particularly threatened in terms of being broken by way of quantum computing. There are quantum-resistant algorithms that could be deployed, but they come at a cost in terms of infrastructure changes and re-encryption requirements,” Lafond said.
It’s an emerging area and one the security community has certainly flagged, he said.
Artificial intelligence (AI) is another area of concern – even as it offers significant benefits – as organizations face potential intellectual property loss by way of the rogue use of AI.
“When our developers at my business put applications into production, if they use cloud-based services to assist in developing AI, the core organization’s intellectual property might be provided to other organizations that do not treat that property in the way we would want it to be treated,” Lafond said.
And there are ways AI can be used in propagating malware or social engineering attempts like deepfakes – especially since convincing-looking videos are just getting more realistic-looking, he said.
When I asked who he was most concerned about as users of the AI, he unequivocally singled out employees.
“Humans are the weakest link when it comes to protecting our corporate data, overall. It’s just a fact,” he said. He suggested that this is why you have to make sure your security awareness training changes with the times, and went on to say that showing people how to spot deepfakes, and what to do if they suspect one, is critically important.
Role of the CISO
I asked Lafond about the prominent role and significant level of responsibility CISOs face, with ever-growing attention being paid to the job function and even individual liability being a point of argument in the data security community.
“We’re part of the C-suite and have certain accountability for being able to address security threats. We depend on strong support from the CEO and our peers in the C-suite in order to ensure a top-down culture of security in the organization.”
He said the team works directly for the CEO to add assurance to the program and to raise issues in a way the CEO can understand, so that resources and attention are allocated to them. That is the core of the relationship between himself and the chief executive.
Lafond is a little concerned, though, that there could be disincentives to CISOs staying in the role, particularly given recent changes at regulatory authorities such as the SEC and the New York Department of Financial Services. There is now more emphasis on CISOs being personally accountable for their organizations’ compliance with regulatory requirements, which means that in some cases CISOs are being singled out for issues that are really larger organizational issues.
And the amount of security-related work and threats organizations have had to deal with has expanded over time, especially in the last five years, so that has made the role more difficult as well.
“For example, we now have to make sure the organization can comply with privacy rules such as General Data Protection Regulation (GDPR) for our European customers – and that is true for other jurisdictions that have privacy regulations, like California and Switzerland.”
There is potential accountability for any role that is actually mandated to exist at a firm – which, for certain organizations, is the case with the CISO role. And many regulations mandate that an organization’s stakeholders have their data protected, along with their privacy rights.
The job comes with some personal risk, and there’s no getting around that, Lafond asserted.
Resources needed
In most cases, information is a CISO’s best tool for securing the resources an adequate program needs. This means sharing what kinds of attacks are circulating and how they can be mitigated with specific technical tools, so that CEOs and CFOs can authorize the appropriate funding for what their businesses need.
“I like to think about the challenges here being turned into corporate assets,” Lafond said. “Meaning, I want to think about our security strength and posture as a benefit for our sales teams and customers. Practicing security better than our competition is a significant differentiator.”
In other words, this means striving to meet customer expectations about security controls – which those customers routinely audit, he went on to say.
“We undergo many of these audits – they don’t just come from regulators and the ISO [International Organization for Standardization] and SOC2 [Service Organization Control 2] certification teams. The customer audits test us against the contracted commitments we made when the contracts were signed. The CISO, then, must be engaged in those parts of the contract negotiations about those security expectations.”
The larger and more sophisticated the customer is, the more time this process can take, he noted.
The CISO must work hand in glove with the legal team to address the risks explored and covered in those contracts. The audits may follow an annual schedule for some customers; with others they occur every five years but may involve a multi-week, onsite audit that is incredibly thorough.
When a security team can add value to contract negotiations and add assurance to the sales process, it pays dividends on the back end of the relationship, Lafond pointed out.
And organizations are realizing this; luckily, they increasingly see the security team as part of the process of generating sales, keeping customers happy and building trust in products and services. “Overall, that helps us be seen as adding direct value, instead of just being viewed as a cost center,” he suggested.
Certifications and audits
Over the last 10 years, there have been significant changes in the national cybersecurity certification process. For example, Lafond pointed out that privacy was once not a well-defined component of the SOC2 report; it has now matured significantly into one of the five main areas in the report, after a few years in which exactly what the privacy controls should look like changed from year to year.
ISO changes its list of controls every 10 years or so; now we’re using the 2022 ones, he said.
There were 114 controls in the 2013 version, and the number has been brought down to the low 90s now; but since some were combined, there are also some new ones in ISO 27001 to track.
According to Lafond all of this means that these standards are now better understood and used by organizations – and others are used, too. “We also work with the CIS [Center for Internet Security] Benchmarks – which covers the top risks and is a very technical set of controls you can measure on a daily basis by having agents in your environment tell you things like how many of your systems are encrypted at rest and whether communications between systems are being encrypted in transit, and if your access controls are adequate,” he said.
Those are all things that are necessary to ensure we have a mature security program overall, and the CIS Benchmarks, in addition to the ISO 27001 and the SOC2, help shape what a mature security program overall looks like.
The NIST [National Institute of Standards and Technology] standards are also incredibly important – the combination of all four of the above-mentioned standards really help us have a robust program overall, he noted.
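The kind of daily, agent-driven measurement Lafond describes for the CIS Benchmarks (encryption at rest, encryption in transit, adequate access controls) can be reduced to a small roll-up over per-host reports. The following is an added example, not Global Relay’s tooling; the agent report fields, host names and control predicates are constructed for illustration.

```python
"""Fleet posture roll-up in the spirit of CIS Benchmark measurement:
endpoint agents report per-host facts, and the security team measures
what share of the fleet meets each control.  Constructed example."""
from dataclasses import dataclass

# Constructed agent reports (one per host). In practice an endpoint agent
# would collect these and ship them to a SIEM or asset inventory.
AGENT_REPORTS = [
    {"host": "web-01", "disk_encrypted": True,
     "listeners": [{"port": 443, "encrypted": True}],
     "admin_accounts": [{"user": "ops", "mfa": True}]},
    {"host": "web-02", "disk_encrypted": True,
     "listeners": [{"port": 443, "encrypted": True},
                   {"port": 8080, "encrypted": False}],   # plaintext admin port
     "admin_accounts": [{"user": "ops", "mfa": False}]},  # MFA not enforced
    {"host": "db-01", "disk_encrypted": False,            # no encryption at rest
     "listeners": [{"port": 5432, "encrypted": True}],
     "admin_accounts": [{"user": "dba", "mfa": True},
                        {"user": "svc", "mfa": False}]},
    {"host": "bastion", "disk_encrypted": True,
     "listeners": [{"port": 22, "encrypted": True}],
     "admin_accounts": [{"user": "ops", "mfa": True}]},
]

# Each control is a predicate over one agent report: True means compliant.
CONTROLS = {
    "encrypted_at_rest": lambda r: r["disk_encrypted"],
    "encrypted_in_transit": lambda r: all(l["encrypted"] for l in r["listeners"]),
    "admin_mfa_enforced": lambda r: all(a["mfa"] for a in r["admin_accounts"]),
}

@dataclass
class ControlResult:
    compliant_pct: float   # share of hosts passing, 0-100
    failing_hosts: list    # hosts to remediate, sorted for stable output

def measure(reports, controls=CONTROLS):
    """Return {control_name: ControlResult} across the whole fleet."""
    results = {}
    for name, check in controls.items():
        failing = sorted(r["host"] for r in reports if not check(r))
        pct = 100.0 * (len(reports) - len(failing)) / len(reports)
        results[name] = ControlResult(round(pct, 1), failing)
    return results

if __name__ == "__main__":
    for name, res in measure(AGENT_REPORTS).items():
        print(f"{name}: {res.compliant_pct}% compliant, failing={res.failing_hosts}")
```

Tracking these percentages day over day is what turns a benchmark into an auditable trend rather than a one-off snapshot.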
Where a couple of them might be a bit weaker on newer technical threats or security trends (because they change only every 10 years or so), the CIS Benchmarks come into play. But where the CIS Benchmarks are weaker – on the governance aspect – the others provide ample guidance. This is why you need the combination of them, he explained.
“For Global Relay, since we use and deploy web-based technologies, we also leverage the MITRE ATT&CK Framework, which in internet security refers to a framework that outlines the tactics and techniques used by cyber attackers across the entire attack lifecycle, helping organizations better understand and defend against threats by mapping their security controls to actual attacker behaviors.”
“There are others, but you get the idea – it’s adherence to these standards as a whole that gives stakeholders the confidence that we have a strong security program,” Lafond added.
Collaboration
Lafond thinks of organizations as layers of an onion. At Global Relay, the two-thirds of employees who develop and deploy tech goods and services represent the outermost layer, with a layer deeper inside represented by a much smaller group of operations professionals who have access to servers and serve as caretakers of the hardware, data centers and other infrastructure.
The different layers require careful separation of duties to avoid what security practitioners call toxic combinations of access – a concept borrowed from accounting, in which the person who signs a check must not be the same person who approves it.
And then there is the security team, which runs a security operations center, or SOC. The SOC needs to have its eyes on everything 24/7, not just during business hours. Some organizations outsource that task.
The CISO directly manages the SOC, plus the escalation and support teams that help answer questions for the SOC.
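The separation-of-duties rule behind “toxic combinations of access” is mechanically checkable: compute each person’s effective permissions across all their roles and flag anyone holding two permissions that together let them both initiate and approve the same sensitive action. The following is an added example, not Global Relay’s own tooling; the roles, permissions, toxic pairs and users are constructed.

```python
"""Separation-of-duties check for toxic combinations of access: no single
person may hold both sides of a request/approve pair.  Constructed example."""

# Constructed role model: which permissions each role grants.
ROLE_PERMISSIONS = {
    "developer":   {"commit_code", "open_change_request"},
    "release_mgr": {"approve_change_request", "deploy_prod"},
    "ops":         {"deploy_prod", "server_root"},
    "ap_clerk":    {"create_payment"},
    "controller":  {"approve_payment"},
}

# Permission pairs that must never sit with one person: the accounting rule
# of check-writer versus check-approver, applied to code changes and payments.
TOXIC_PAIRS = {
    frozenset({"open_change_request", "approve_change_request"}),
    frozenset({"commit_code", "deploy_prod"}),
    frozenset({"create_payment", "approve_payment"}),
}

def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions across all of a user's roles (unknown roles grant nothing)."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms

def find_toxic_combinations(user_roles, toxic_pairs=TOXIC_PAIRS,
                            role_permissions=ROLE_PERMISSIONS):
    """Return {user: sorted list of (perm_a, perm_b)} for every toxic pair held."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [tuple(sorted(pair)) for pair in toxic_pairs if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings

# Constructed user-to-role assignments; roles accumulate over time, which is
# how toxic combinations usually appear in practice.
USER_ROLES = {
    "alice": ["developer", "release_mgr"],  # can open and approve her own change
    "bob":   ["developer"],
    "carol": ["ops"],
    "dave":  ["ap_clerk", "controller"],    # can create and approve a payment
}

if __name__ == "__main__":
    for user, pairs in find_toxic_combinations(USER_ROLES).items():
        print(f"{user}: {pairs}")
```

Running this against real role assignments on every access change, rather than only at audit time, catches the combinations before an auditor does.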
“We have a team within the SOC that focuses solely on reviewing our software prior to release, ensuring no vulnerabilities get deployed. We have several security coordinators that handle our audits, collecting the information needed from whichever stakeholder-auditor is requesting it,” Lafond said.
“We have people that assess and manage various security activities, such as how we ensure our devices are encrypted, that our password vaults are protected, and that our SIEM, or security information and event management tool, properly collects logs and generates alerts based on those logs.”
Background checks
Parts of the company’s audit cover what security does with other departments, such as HR – for example, the background checks that must be completed before an employee starts, Lafond indicated.
There are ongoing checks on people in technical roles, which is best practice for a tech firm, especially with an eye toward cordoning off privileged information and customer data, or spotting potential fraud that the Legal or Compliance teams might be investigating or not yet know about.
“Really, since our company relies so heavily on our developers and operations teams, we as a security team must ensure there are processes embedded into what they do so they become proxies for our team in terms of keeping the organization secure,” Lafond said.
“And the more technical system administrators – those that handle the most sensitive data – are the people we make sure we interface with for training, communicating and having a line of sight into their ongoing work.”
And, of course, as with anything else, there’s the less exciting but considerably important topic of insurance coverage, which is a collaborative point of discussion.
Lafond said that on an annual basis there is a renewal of the insurance policy, which he participates in with the finance team, specifically answering the portions of the insurer’s questionnaire that have to do with security.
Insurance companies want to know about the controls we have in place at our business, and the process of applying and being assessed for coverage is another important audit we go through, he said.
“Again, this aspect relates to what we discussed earlier,” Lafond pointed out. “This supports the business case for strong security protocols, as, hey, it could even lead to lower insurance costs.”