For our latest specialist interview in our series speaking to security leaders from around the world, we’ve welcomed Tony Giles, Lead Auditor and CMMC Provisional Assessor with the NSF.
Tony has conducted audits globally for over 10 years and worked on large-scale security implementation projects, including NIST SP 800-171, NIST SP 800-88, ISO/IEC 27001 and ISO 28000. Tony has also conducted audits for DoD suppliers and private sector organizations implementing multiple security controls, including cryptographic erasure and other custom security programs.
Tell us about the business you represent and its vision and goals.
NSF International Strategic Registrations (NSF-ISR) is an NSF company, whose mission for more than 75 years has remained the same: protect and improve human health. NSF-ISR is a leading global management systems certification body known for its superior technical expertise and high levels of customer satisfaction.
NSF-ISR is built on integrity and focused on public health and safety through risk mitigation. We’re committed to offering a comprehensive portfolio of management systems registrations to internationally accepted standards for quality assurance and environmental protection for the automotive, aerospace, chemical, energy, medical and manufacturing industries.
We also have a strong focus on information security as this type of work is imperative to protect public health, especially with the increase of cyberattacks on our critical infrastructure.
What inspires and energises you within your work?
Cybersecurity risks can vary across businesses and require different security measures. This means that no customer or security project I work on is the same, requiring me to think on my feet to identify the risks and find the best solutions.
I also enjoy learning about the latest technological innovations and how they affect the security portion of the industry. I love this type of variety and creativity within my work because it makes each day different and exciting for me.
Can you share a little bit about yourself and how you got into cybersecurity?
I became extremely interested in cybersecurity when NSF expanded their services to the information security space with the rollout of ISO 27001 in 2013. I enrolled in the lead auditor course to get involved and learn more about the certification and the industry. Upon completing the course, I began working on key accounts for security projects with DoD customers in Washington, D.C. and Reston, Virginia.
The program continued to grow and my colleague Rhia Dancel and I really immersed ourselves in learning more about cybersecurity. We did this by attending conferences like Black Hat and RSA. We applied our knowledge to NSF’s program to help it continue to grow to where it is now and plan to continue expanding our knowledge to help it grow even further.
What was your journey to becoming a CMMC PA?
Becoming a Cybersecurity Maturity Model Certification Provisional Assessor (CMMC PA) is a difficult process, and it's also a limited certificate. I was fortunate to be selected as one of the first 50 PAs in all of CMMC. The process included rigorous training as well as an exam.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
Cybersecurity risks will continue to become more prevalent as we continue to live in a virtual world. A strong line of cyber defense is a crucial aspect of any business as critical industries that have direct impacts on communities, such as water utilities, will be targeted more.
While cybersecurity can seem challenging initially, the act of simply starting the process can help companies to ramp up their baseline security. NSF-ISR provides a basic security assessment to help businesses understand the current performance of their cybersecurity system and in what areas they can improve it.
From there, companies can utilize third-party resources such as NSF-ISR to build a strong cybersecurity defense strategy, particularly against malware, as these types of attacks are becoming more popular and successful when it comes to digital breaches. Rigorous employee training on cyber defense, multi-factor authentication, and strict protocols for breaches are all imperative.
As far as recent technologies are concerned, it will be particularly interesting to see how cyber risks continue to evolve in new areas such as the Metaverse. I believe we will continue to see risks like we normally would in any other virtual environment including online fraud, eavesdropping and Metaverse bots.
Before entering the Metaverse, users must understand what it is they are signing up for and where their data is being shared. Businesses that choose to enter the Metaverse will also need to be very transparent with their consumers, especially considering that at this time, the majority of users in the Metaverse are kids and teenagers. Additionally, I believe there will be cybercrime in the Metaverse since it is a form of virtual reality. What this looks like, however, is yet to be determined.