Security Expert Interview Series: Dylan Johnston
We are very happy to have had the opportunity to interview Dylan Johnston about his journey into the world of cyber security and his personal views on topics such as global privacy challenges, concerns for the state of cybersecurity and the information security and data privacy skills-gap. Dylan is the founder, CEO and CISO of MOD1 AG, a provider of cybersecurity, privacy, risk and compliance services to start-ups in the digital health, biopharma and MedTech space, having previously held the role of Senior Security, Privacy and Compliance Manager at Roche Information Solutions – pioneers of cutting-edge software solutions that enable improved patient outcomes and smarter, more efficient R&D.
1. How did you come into cyber security as a profession?
I left university with a Bachelor of Science in Business Information Technology. My first role was as a Network Operations Analyst, troubleshooting frame relay, ATM and IP networks for a global telecommunications carrier. I then held various network engineering positions in the financial services sector where I became involved in the design, implementation and operation of session filtering firewalls (Cisco ASA, CheckPoint), as well as application load balancers (Nortel, F5) and web application firewalls. Having established myself as a network security engineer, I began exploring other security domains through reading, attending training courses and sitting certification exams from the likes of ISC2 and ISACA.
Today my work is focussed on the establishment, implementation and continuous improvement of information governance, risk management, privacy and compliance programs for organisations in the medical diagnostics and digital health space.
2. What is something you wish you had known when you first went into this career?
That compliance does not necessarily equate to security. I often hear the terms used interchangeably but it is important to understand the difference. For example, an organisation initiates a project to certify to ISO 27001. The project team plans, assigns resources, conducts a risk assessment and implements controls to reduce the identified risks to an acceptable level. They then provide evidence of their work to an independent third-party auditor who reviews, makes recommendations and issues the certification. This is compliance.
Security is everything else that happens between certification audits. By means of a second example, ISO 27001 requires an organisation to implement and document an information security incident management process. The documented process itself is of little use if it is just going to sit in a shared drive until it is dusted off in time for the next third-party audit. Effective incident management requires a continuous effort to make the incident response team aware of their roles and responsibilities, as well as carrying out regular drills that train responders to react with speed and efficiency.
3. It is a fact that the role of Security, Privacy and Compliance Manager is highly dynamic. What are the most critical attributes that someone in your position must demonstrate to succeed?
This may sound paradoxical, but you need to be passionate about your purpose as a security and privacy practitioner whilst being able to demonstrate tact, patience and diplomacy. Striking the right balance between these attributes is something that I have found challenging on occasion. It’s a skill that I’ve had to work very hard to develop.
Subject matter expertise is important, since most roles require you to articulate complex concepts and scenarios to a diverse audience including, but not limited to, C-suite executives, data scientists, software engineers and HR managers. Communication skills, of course, are essential. You need to be persuasive and demonstrate the ability to influence without direct authority.
4. To what extent does the day-to-day work of a Security, Privacy and Compliance Manager involve in-depth technical knowledge?
Whilst in-depth technical knowledge is certainly an advantage, a solid understanding of the fundamental concepts will suffice in the majority of situations. For example, my background in network security engineering has served me well in conducting risk assessments for cloud infrastructure and applications. My knowledge of cryptography has helped me explain to privacy experts with legal backgrounds how encryption and key management concepts are applied in the pseudonymisation of sensitive personal data. Other factors to be considered when determining the extent to which in-depth technical knowledge is required would be the number, skills and expertise of the larger team, the complexity of the systems architecture and the characteristics of the information assets that are being protected.
5. What do you see as the main challenges for our privacy today?
Nation state surveillance laws. Whilst the incompatibility of US surveillance laws (FISA, CLOUD Act) and European data protection law (GDPR) is certainly nothing new, we are starting to see some significant fallout in light of the Schrems II judgement, which invalidated the EU/US Privacy Shield as a mechanism for the legitimisation of cross-border transfers of personal data.
In a second judgement, the European Court of Justice (ECJ) ruled to uphold the use of standard contractual clauses (SCCs), whilst prescribing a case-by-case assessment as to whether or not supplementary measures would be required to ensure an adequate level of protection. I found it particularly interesting that the subsequent publication by the European Data Protection Board (EDPB), entitled “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, outlined scenarios involving Cloud Service Providers (CSPs) in which no effective measures for the protection of personal data could be found.
The EDPB recommendations state that in scenarios where there is a technical necessity for CSPs to access unencrypted personal data for the provision of the service:
“transport encryption and data-at-rest encryption, even taken together, would not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys”.
Since a CSP would certainly have the “technical ability” to access unencrypted personal data, it is difficult to make the case that hosting personal data with a US CSP (AWS, Microsoft Azure, Google) could ever constitute an “adequate level of protection” under GDPR.
6. What level of awareness is there among businesses about risks to their privacy?
Interesting question and again, it depends. The importance of senior management buy-in may sound a little clichéd but there is a reason for its inclusion in almost every information security management book ever published. There has to be an appreciation of privacy risk at board and senior leadership level before privacy awareness can permeate throughout the rest of the organisation. Embedding privacy awareness into organisational culture requires considerable time, effort and resources which are extremely difficult to secure in the absence of a top-down approach.
7. Do you have concerns about the state of cyber security today? If so, what are those?
Where do I start? We face an uphill battle on a number of fronts. First and foremost, the drive towards digital transformation and the proliferation of data-driven businesses have presented the challenge of protecting increasingly large quantities of sensitive information. The speed of technological development and the architectural complexity of cloud applications present heightened security risk, and practitioners are struggling to keep pace with an ever-evolving threat landscape.
One of the primary objectives of GDPR was to harmonise data protection law between EU member states, although there is still a significant degree of confusion, inconsistency and fragmentation when it comes to its application. The aforementioned issues are compounded by the shortage of skilled professionals in the fields of cybersecurity, privacy risk management and compliance. On a positive note, our jobs are secure for the foreseeable future.
8. Is the cybersecurity workforce shortage a reality for you? How can this be solved?
Absolutely. I founded MOD1 AG late last year in a bid to alleviate the problem through the provision of cybersecurity, privacy, risk and compliance professional services to startups in the digital health, biopharma and MedTech space. Our security and privacy officer “as a service” offering is designed to safeguard against data breach, loss of revenue, reputational damage, operational downtime and legal liability through the adoption of a risk-based approach that delivers optimum results, maximises return on investment and allows our clients to focus on their core business of developing effective devices and therapies.
Whilst plugging gaps with professional services is the prudent short-term solution, I truly believe that the industry as a whole has a role to play in addressing the issue on a larger scale. We need to provide more internships, training and employment opportunities for graduates and be more open to taking on experienced candidates with transferable skills.
9. What would be your one important piece of advice to every young cyber security enthusiast?
My advice is for every enthusiast, regardless of age. Many highly experienced individuals have transferable skills and the willingness to embark on a second career in cybersecurity, but still struggle to find an entry point. Be persistent and demonstrate a commitment to continuous learning and personal development. My experience is that the first step is typically the most challenging, so do what you can to get your foot in the door and the rest will take care of itself.
Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and the economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.