Q: You took on the role of Chief Information Security Officer (CISO) at Box last year – what has been your focus since joining?
A: My role has really been split across five key pillars: security, compliance, privacy, risk management and go-to-market enablement. Each of these pillars complements the others; you don't want to focus on one area completely only to get blindsided by an issue facing another. Compliance in particular is an area that requires continuous monitoring, with an audit of what's happening across the sector to ensure that we're following best practice and meeting our governance requirements.
Go-to-market enablement refers to the work that goes into educating customers on Box's various security classifications. Once a customer signs on the dotted line, a Box deployment can take place in a matter of hours - not the six months that some customers might be used to. This means we want to give our customers a broad view of our security capabilities early on in the buying cycle.
It's then been a case of reviewing all the services that we have for each pillar - seeing what our current offering currently provides, what we want it to do and even the things that should be deprioritised or transferred to another team. This means that we don't necessarily need to overhaul any services, we just identify services that we may want to develop further.
Q: What is your approach to running a team of information security specialists?
A: I've found that once I come into a role, it's important from the start to get to know your team and understand what their priorities are. That way you get an idea of what they've been working on and what their skillset is - you may even be able to see if their capabilities are needed elsewhere in the team. And alongside that skillset, personality type is an important thing to consider. You may find someone in the team has an insatiable appetite for threat detection. That is the person you want in your threat mitigation team. But then you may find you have a junior architect who doesn't want to work in a silo. That person wants to collaborate, so you need to facilitate cross-functional engagement so that they're working with product architects and infrastructure architects. That's the way they want to work, and it's the way to get the best out of them - so my role is encouraging that collaboration and ensuring the work fits a specific personality.
For myself, I go by the mantra of 'if you are the smartest person in the room, find another room'. I believe I surround myself with smarter people than myself. I want to learn from the subject matter experts, so I listen to them and acquire a lot of their inherent knowledge. I think you should only then make those critical decisions. So, I encourage my team to talk to me about the problems they're facing in their work, or any questions they have. We can then partner on the decisions we make; it's my role to ensure that those decisions do get made, and that they match with the vision we have for the company and our customers.
I think it's also important to look at the future of this field, and in particular to encourage diversity and inclusion. I believe this can start with early-stage talent, so I'm working on opportunities with schools to show students that information security isn't just what they see in the movies, with hacking for example, but that there are lots of other exciting facets of the cybersecurity field that they can get involved in.
Q: What role is artificial intelligence taking in Box's information security?
A: There are three levels of AI: Robotic Process Automation (RPA), machine learning and artificial intelligence. RPA is the low-hanging fruit for us. For example, we've built a bot that handles our phishing recognition, vetting and remediation. Before, we'd have our IT specialists taking a lot of time handling phishing issues. Now, the bot will spot when a phishing attempt has been made, and advise the recipient on the next steps they may need to take - it could be as simple as taking a phishing awareness course. The bot will even open the helpdesk ticket for IT - all of this reduces our IT team's time spent on phishing issues by 35 per cent.
On the machine learning side of things, Box Skills is a framework we offer that allows customers to apply state-of-the-art machine learning tools such as computer vision, video indexing and sentiment analysis to automatically structure content with intelligent labelling, classifying, transcribing and more. All of this saves time and unlocks hidden value in customers' content across the enterprise.
Machine learning is also present in Box Shield - a set of content security controls we announced in August. Box Shield applies machine learning to identify and alert admins to potential threats like anomalous downloads, suspicious sessions or access from suspicious locations.
When it comes to AI, our open platform architecture allows us to offer best-of-breed partnerships with a wide range of technology partners. This means we can leverage the artificial intelligence capabilities of IBM Watson or Amazon Web Services (AWS) for image recognition and redaction. An example of Box AI in use with AWS could be a bank using the service to handle image redaction when personal information is being uploaded by a customer. It may be the case that all the personal information being uploaded in a document, like a passport for example, may not be required - only specific areas. Box AI, powered by AWS, would spot the areas which are not needed by the bank and mark them for redaction.
Across these three areas, Box has got RPA nailed down, is brilliant at machine learning, whilst our artificial intelligence partnerships are going to catapult the platform and our capabilities.
Lakshmi Hanspal, Global Chief Information Security Officer, Box