From systems auditor to security assurance

By Allyson Towle
Johannesburg, 16 Aug 2016
Mai Moodley, head of department for financial systems and processes, SITA.

Maiendra Moodley started out as a systems auditor with a focus on security before moving on to security assurance. He found he enjoyed identifying security vulnerabilities and finding the golden thread behind their root causes, working with customers to remediate those vulnerabilities and helping them derive more sustainable value from their security investments. He understands that the challenge is not just the vulnerability per se, but that every customer has its own budgetary constraints as well as a different risk and threat profile.

Cyber security in the financial sector is of significant interest to him. His MBA examined the security risk management countermeasures adopted by banks engaged in online electronic banking.

Moodley finds it intriguing that the reasons cyber attacks manifest, and the processes and technology used to safeguard against them, are the same from one enterprise to the next. But the types of risks and threats to which the financial sector is exposed, despite certain similarities within the sector, vary greatly, he says.

One of the biggest challenges when dealing with the threat of, and the risks associated with, cyber attacks in the financial sector is trying to explain the value of a security investment to customers who face equally pressing demands for the same funding from their other lines of business, he points out. It is imperative that the supplier or vendor can demonstrate the value of security, which is increasingly challenging because the client is inclined to believe the security investment is no longer necessary once the threat has been mitigated.

Moodley nevertheless enjoys the constant evolution of new attack scenarios, which keeps him on his toes and intrigued to see what will happen next. He is frustrated that the countermeasures that would mitigate these attack scenarios (or at least minimise their impact) are not necessarily new, and that the failure to apply them often creates unnecessary vulnerabilities which can be exploited.

In an area of expertise that is constantly changing, Moodley takes up the challenge of staying ahead of the curve. He does this by engaging with his colleagues and peers at dedicated events, such as those hosted by ITWeb. This keeps him at the cutting edge, as he is able to understand and draw on experiences of his colleagues and peers which may differ from what he has personally encountered. He also reviews reports on how attacks and exploits have been successfully carried out, which gives him insight into whether, and under what conditions, a similar attack could manifest.

What is his advice to new entrants in the field of cyber security? The challenge for the chief information security officer (Ciso) will be to build broader and more compelling arguments for supporting the role of security. The Ciso will be required to frame the value of security to different stakeholders with diverse agendas. Understanding these agendas and how to position the security portfolio will require the Ciso to have business skills as well as sound security skills. Moodley advises that security professionals develop a comprehensive set of business skills to complement their security skills. The challenge is being able to translate the value of security into terms which the business can understand. This will affect not only their ability to source funding and support, but also their ability to build the relationships they need to forge as part of career progression.

Moodley sees the role of the security professional becoming further entrenched in the organisation, and moving beyond the technology to encompass a more risk-orientated function. The Ciso will need to engage with (for example) the chief risk officer to provide a single coherent view of the risks and threats facing the organisation. Ultimately, the role of the Ciso will evolve to the point where the Ciso becomes the glue which binds the way in which digital and electronic security risks are perceived and acted upon.

We asked Moodley what he regards as a career-defining moment and what he had to learn the hard way. Moodley reveals that joining the SA Reserve Bank was a time of growth for him, both personally and professionally. He has learnt that not everyone will see the world as you do, or share the same priorities, and that people may not be opposed to who or what you believe; rather, their opposition may be driven by your not being able to align yourself with their agenda.

Moodley leaves us on an inspiring note. When asked who he most admires, he says: "My son, Shaylan. He has a level of focus and drive which I didn't have when I was his age, and a sense of caring that I am grateful to his school for instilling in him."

At the ITWeb Security in Finance Forum on 1 November, Moodley will demonstrate, through a series of case studies aimed at finance professionals, the typical pain points and challenges that need to be addressed, and will also show how to measure the ROI of security countermeasures within the finance context.
