November 2024 Member Spotlight
Nickolo Villanueva, Chief Information Officer, Crisis Prevention Institute
A member conversation with Shannon Minifie, Box of Crayons
SM: Nickolo, it seems that CIOs are sort of in the hot seat for thinking about how GenAI can make their businesses better, and that probably comes with some risks we’re still discovering. I heard you speak at one of the fishbowl sessions last year about privacy and info security and I thought you’d have some useful things to share with your fellow ISAers about how to use technology to securely accelerate their businesses.
NV: So, the first thing I’d say is that technology is an enabler: it’s the grease that moves the whole engine. Technology is nothing in and of itself. It’s only meant to do something. Specifically, to enable or accelerate your business. You need to start by asking as a business: what are we trying to achieve and why? My experience has shown me that what a business does today and (as important) how they do it is usually based on processes or technology limitations at a long-ago point in time, or on the personality biases of those running the IT teams, coloured by past judgment calls or bets on technology.
This is where technology or more specifically applied innovation can step in by providing faster and more agile paths of change. AI tools in particular really open up what you can do. They can help provide a cost-effective way to scale and manage business capabilities and quickly get to a proof of concept.
But I’d like to double click on the “securely” part of your question. As a business you should understand what you are collecting, and why. And if that information gets out, what is the consequence of that data being compromised? Your position has to be defensible, and you need the appropriate policies in place. You need to assume things are not secure until you have proof and documentation that they are. For reference, if you’re applying to work with a government agency or healthcare company, more and more they are asking security questions such as “have you been breached before?” If your answer to that question is a Yes, that greatly increases the amount of due diligence and paperwork you have to provide.
SM: What information is of interest to hackers?
NV: The hacker might be after your firm, to disrupt your operation unless a ransom is paid. Additionally, be aware that sometimes you’re not the only target, but your client IS. They may leverage you to gain entrance into your client’s networks and systems.
SM: Well, where can smaller firms start, Nickolo, in ensuring better info security?
NV: Right. Well, first think about it across three domains: cloud, person, device. And realize that YOU are the main vulnerability, and so things like multi-factor authentication (preferably not via text but an authenticator application), having unique and secure passwords (for example, use strong, unique 15-character alphanumeric passwords for each account), and using a password manager you PAY for. These things are table stakes.
For the device, be sure that you trust your devices and where you connect to the internet. Avoid using public business centres for private or sensitive transactions. Use a highly reputable paid VPN when you connect on your mobile or laptop/tablet device. Stay away from commerce work on public Wi-Fi. Do not use public USB jacks. Wall jacks into electrical outlets are better, but USB jacks are easy to compromise. Finally, make sure you log out of accounts. For example, if you rent a car, do not sync to the car (have you ever noticed how many phantom devices are still connected in your rental?). Turn off applications you’re no longer using. Erase your digital footprints behind you.
Onboarding or offboarding employees is another point of vulnerability. All businesses need to have a practice where you can manage access to tools that your company uses. You should consider limiting privileged users to IT, your technologist, or whomever is acting in that capacity. Inventory the critical applications of the business and ensure you (and your technology team) have access to all the systems, and that there are two people (a backup). You have standard users, but you also have the privileged user (admin user), and an executive user (who has access, but isn’t an admin).
Most tools have cloud backups. It depends on the size of the firm, but the cloud is generally the best choice for backup. However, the cloud backups themselves can get compromised. You should consider other backup options and be sure the backups are immutable. No one is able to make a change to those backups. These backups should be done on a regular basis and then tested to be sure they are what you expect them to be.
Also: just generally stay away from ALL free versions of anything. If you’re paying for it, your information is potentially not secure. Read the fine print. To put it bluntly: if something is free, YOU are the product. And your information is. As a small firm, if $20 per month is too much for a secure and value add tool – then you should consider if you really have a need for it.
SM: Right. That’s a really compelling point. So, my guess is that a number of the smaller firms are still working on getting the basics of this kind of infosec right. What’s the most interesting thing you’ve been working on?
NV: So, at CPI, we changed our ERP last year. This was a huge lift, probably the biggest project in the history of the company. This change affected all of our internal systems. Now, we are evolving our customer facing platforms, making our learning experience platform easier and more intuitive. What is sometimes lost in the frenetic pace is the amount of change management for process and people along with the platforms they use. I prefer the plane over the bus analogy. People mention making changes to the bus while you’re driving in it, but buses can stop and stand still. Most businesses are making critical and needed changes to the plane they are flying in. You can’t screw up or cause the plane to slow down or it crashes!
The next big area we are tackling is data governance, and that’s about 12 different bodies of work spanning from cleanliness to access, to vocabulary, to intended use. We’re starting with: what are we trying to capture? Then we work through data remediation.
SM: What’s been most useful for you in being a part of the ISA community?
NV: I’m floored by the ingenuity, tenacity, and resilience of the ISA team members. The things people figure out while running a business are incredible. A huge differentiator of the group here is the sense of purpose people have about their work and its impact. People also have a level of intense optimism. And to have that common mindset of tenacious folks is rare and just such a privilege to be part of. The ABR re-energizes you for the rest of the year. The transparency, the vulnerability and trust—it’s earned, but it’s not something you see very often.
SM: I hear you’re doing amazing things for your RAFT group – can you tell us more about that?
NV: Yeah, I’ve been intentionally fostering a RAFT. It’s a like-size group—so we’ve got CCL, Myers Briggs, DDI … about 5 that are like-size, and 8 or 9 of us in total. I think the thing we’re doing differently is that we’re meeting physically outside of the ABR—it’s sort of our own mini-conference. Most of the group is in the DC area, so this has worked out well. I’d encourage members to join or attend any of those events we have—there’s a networking, social aspect to them, too—and to just reach out to me if they’re interested to learn more.