In cybersecurity, it’s commonly thought that an organisation should be a metaphorical fortress, with the CISO acting as the suited sentinel at the gatehouse. The reality, of course, is far more complex and convoluted, especially in a rapidly growing tech-based startup. “It’s hard to keep track of everything coming through,” says Ellen Benaim, CISO of the document automation platform Templafy. “But we try to work collaboratively to monitor things.”
Having moved from Ireland to Denmark (for love, not work, she says), Benaim rose quickly to CISO at Templafy after only two previous security roles at the firm. Seven years on, Benaim not only holds the top infosec job but also has responsibility for IT and privacy policy, most recently guiding the company through its ISO compliance journey. But how does she stay on top of it all? In this interview, edited for length and clarity, Benaim discusses daily challenges, her approach to the CISO role – and the essential qualities of a good cybersecurity partner.

Tech Monitor: What are the biggest challenges you’re contending with right now?
Ellen Benaim: The biggest issue we face is an increasing prevalence in attacks, up around 400% (from April to April), despite being a small company. It’s all sorts – malware, phishing emails. I attribute that to AI. It’s making it easier for attackers to get into the field and to leverage economies of scale. Even the phishing emails we’re getting are more sophisticated; it’s a day-to-day challenge.
Internally, the issue is the rapid adoption of AI across our company. We’re a tech startup so, naturally, we experiment. The challenge lies in how we keep up with security and privacy as an IT team, in monitoring what’s being used. Even the existing systems we’re using will have additional AI features on top of that, with all sorts of data practices that aren’t fully visible. But that’s our job, to get that centralised oversight. We’re keeping up as much as we can, but I think, as an industry, there may be tools or frameworks that we haven’t made yet for this rapid increase.
You’ve said leveraging Conditional Access, zero-trust and zero-touch can help protect dynamic AI ecosystems. What does this look like in practice?
AI or not, this is the right approach given the shift of much of the workforce to remote working. We’re not all in the same perimeter all the time, and we don’t know what every user should and shouldn’t be doing in their perimeter. With conditional access and zero trust, what we do is, anytime a user completes an action, that will be checked against a criterion, and then authenticated based on the context.
For AI agents – essentially faceless users doing things on your behalf – the same principles should be applied. That means observing their behaviour, logging it and setting up an alert mechanism if things go awry; for example, if any unauthorised data exfiltration has taken place. However, we [the industry] haven’t adapted conditional access tooling properly for AI yet, purely because the context within which these agents operate is still very new to us. We’re very familiar with the logic behind user actions; there’s a baseline of what they do. But with these agents that make their own decisions and do new things, there’s a new baseline that we need to incorporate. There’s some setup that needs configuring before we can leverage that full benefit.
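To make the approach described in the answer above concrete, here is an added illustration (not code from Templafy or from the interview) of a minimal conditional-access evaluator: every action is checked against context criteria, the decision is written to an audit log, and for AI agents the action's outbound data volume is compared against a per-principal behavioural baseline so that an unexpected spike is blocked and alerted. The rule set, the `BASELINES` table, the 3x threshold and the sample principals are all hypothetical.

```python
"""Context-checked access decisions for users and AI agents (added example).

Names, rules, thresholds and baseline figures are hypothetical and
constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Actions that move data outward and therefore get stricter context checks.
SENSITIVE_ACTIONS = {"export_data", "share_external"}


@dataclass
class Context:
    principal: str          # user or agent identity
    kind: str               # "user" or "agent"
    action: str             # e.g. "read_document", "export_data"
    strong_auth: bool       # MFA for users, bound credential for agents
    device_compliant: bool  # managed, patched device (or hardened runtime)
    trusted_network: bool   # request arrived from a known network
    bytes_out: int = 0      # outbound data volume the action would produce


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    alert: bool = False     # raise to the security team even when allowed


# Hypothetical learned baseline: typical bytes_out per (kind, principal, action).
# In practice this would be derived from historical logs for each principal.
BASELINES: Dict[str, int] = {
    "agent:report-bot/export_data": 50_000,
    "user:alice/export_data": 200_000,
}
BASELINE_MULTIPLIER = 3     # hypothetical threshold: above 3x typical is anomalous

AUDIT_LOG: List[dict] = []  # every decision is recorded, allowed or not


def evaluate(ctx: Context) -> Decision:
    """Check the action against context, then against the behavioural baseline."""
    d = Decision(allow=True)

    # Rule 1: every principal, human or agent, must be strongly authenticated.
    if not ctx.strong_auth:
        d.allow = False
        d.reasons.append("strong_auth_required")

    # Rule 2: data-moving actions need a compliant device on a trusted network.
    if ctx.action in SENSITIVE_ACTIONS:
        if not ctx.device_compliant:
            d.allow = False
            d.reasons.append("noncompliant_device")
        if not ctx.trusted_network:
            d.allow = False
            d.reasons.append("untrusted_network")

    # Rule 3: compare outbound volume with what this principal normally does.
    key = f"{ctx.kind}:{ctx.principal}/{ctx.action}"
    baseline = BASELINES.get(key)
    if baseline is None:
        # No baseline yet: a new agent behaviour is logged and alerted, not blocked,
        # so the baseline can be learned before enforcement tightens.
        if ctx.kind == "agent":
            d.alert = True
            d.reasons.append("no_baseline_for_agent")
    elif ctx.bytes_out > BASELINE_MULTIPLIER * baseline:
        d.allow = False
        d.alert = True
        d.reasons.append("volume_above_baseline")

    AUDIT_LOG.append({"principal": key, "allow": d.allow,
                      "alert": d.alert, "reasons": list(d.reasons)})
    return d


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Context("alice", "user", "export_data", True, True, True, 150_000),
        Context("bob", "user", "read_document", False, True, True),
        Context("report-bot", "agent", "export_data", True, True, True, 500_000),
        Context("report-bot", "agent", "read_document", True, True, True),
    ]
    for s in samples:
        print(s.principal, s.action, evaluate(s))
```

The design point is that the same evaluator serves both kinds of principal; only the baseline data differs. An agent whose export volume jumps to ten times its norm is denied and alerted, while an agent doing something it has never done before is allowed but flagged, which is the observe-and-log posture the answer describes for behaviours that do not yet have a baseline.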
When agentic AI fully ‘arrives,’ as it were, what do you think will be the biggest security risks and challenges surrounding its use?
When we talk about security, it’s always about the loss of control of data. What agentic AI does is exponentially increase this risk probability, because all they do is input and output data. Then, if you don’t know what you have, you can’t protect it. It’s about visibility, knowing what agentic AI is being used for and then knowing how to protect against that. It’s a dilemma we always have: balancing between using AI in the organisation and not just shutting everything down.
As the CISO, what are the most common questions you get asked from colleagues – and how do you go about answering them?
We’ve really tried to move away from the outdated perspective that we’re the ones to say no to everything. It’s better to have a more collaborative approach to embracing AI with your business stakeholders, to understand why they’re using it, so you can get that visibility. Speaking with other CISOs, that’s how they’re approaching it, but it’s hard because it takes time.
Instead, we try to find a solution to say ‘yes’ safely to staff requests, which takes work and time. But to live that philosophy, we need to be innovative and actively find solutions. Some of the questions we get are just ‘what can we do?’ ‘What are our contractual commitments?’ ‘Can I put XYZ into AI?’ And it’s great that our staff ask these kinds of questions, because it shows that they’re aware of the risks. From our perspective, these kinds of conversations form part of a broader narrative about security awareness and training, of what AI should and can be used for, and then helping everyone toe the line between the resulting grey areas.
As CISOs, what we can do to make it easier for ourselves to be heard is to find ways to shape security improvements with the organisational rhythm of the company; to really discern the momentum of what’s happening in terms of the firm’s overall direction and slipstream updates and reforms intuitively. We’ve got to stop saying to staff, ‘This is how you implement it, there’s no other alternative.’
Outside of your organisation, do you think there’s enough sharing of cybersecurity intelligence between the public and private sectors?
As it happens, I discussed this exact question during a recent roundtable with some of my fellow CISOs. The feeling was that, with the budgetary tensions in the US, we might not get the same signal data as we used to, and we were considering what to do. We decided it was important to keep informing the government of how important these tools are to us. This information is helpful to everyone, even smaller companies like us. I think we’re still getting the insight we need, but we must preserve the visibility of incidents across the Western world so we can counter the hacking groups. However, if it’s not a material security incident, you don’t have to report it – but it’s important that the security industry, regardless of the legal regulations, share those experiences.
As a CISO, what are you looking for in an external cybersecurity partner – and what do you consider to be red flags?
The first thing we’re looking for is expertise – that has to be highlighted to you in the sales process, through you getting to know their key engineers, as well as their approach to security and whether it’s in line with yours. That is the most important quality in security. If you don’t know what you’re talking about, we can sniff it out pretty quickly.
More broadly, they have to be attuned to our philosophy that not every problem can be solved with a quick fix. And they have to have good security practices. I’ve seen IT vendors send important items in emails that aren’t encrypted. If they do that in front of you, then what are they going to be doing behind your back?
How do you cope with the stress of being a CISO in such a dynamic threat landscape?
I think everyone who goes into this job is very aware of how stressful it can be. The best way to cope with it is to have some authority and control over how to work with the threats and challenges that cross your desk. Being in a company that understands your role and its importance, and gives you the right resources to advocate for good cybersecurity practices, is really important. There are so many organisations that don’t take this seriously, where you just face an uphill battle. That’s where the stress comes in.
Of course, you will always have pragmatic discussions on what you can implement, but being in a place where you can be heard and respected is very important. I think now it’s getting easier. Many board members are also more familiar with it. They’re seeing it more in the news and asking more questions, which they didn’t do before. I have a yearly meeting with the board, and that’s invaluable. That’s how I know that I’m in the right place.