David Lin – Gemological Institute of America Inc.
It was a fishing contest without a bass boat or even a rod and reel.
In October 2021, employees at the Gemological Institute of America Inc. competed to see who could land the most “phish” by reporting suspicious emails to Chief Information Security Officer David Lin and his team.
The contest was part of GIA’s awareness month about cybersecurity and data protection. Lin created it, in part, to emphasize that GIA employees should use a newly installed “report phish” button. It also added needed fun to his efforts, he says.
Lin was vice president at Sony Pictures Entertainment when the company was breached by North Korean hackers in 2014, so he knows the importance of making cybersecurity a part of every business strategy.
“If you want to go digital, information security needs to be part of the consideration from day one,” Lin says. “Security is not an option anymore. It must be part of the playbook, especially if you want to maintain the trust of your customers. GIA elevated the CISO role to be part of the executive team. This speaks to the support and recognition it’s giving to the role.”
Making the grades
GIA was founded by Robert M. Shipley in 1931 as a nonprofit educational institute. It developed the global standards for analyzing and grading gems including diamonds, pearls and colored stones while also providing research and public education.
What began as home study courses for jewelers and gemologists is now a global organization with labs and proprietary technology that, for instance, can differentiate between natural and laboratory-grown diamonds.
Wholesalers, retailers and consumers submit stones for grading and analysis and share the reports with their customers. Grading reports can also be searched on the GIA website.
While the accessibility of reports and transparency are crucial to GIA’s mission, Lin says that because of their value, diamonds and other gems are often subject to fraud and other crimes. That means the nonprofit’s reports and intellectual property used for grading precious stones need to be protected against forgery or theft—for example, someone fraudulently using a report to sell diamonds.
Using the tools
Before Lin joined the nonprofit in September 2019, GIA, like the rest of the industry, was undergoing a technology transformation. That includes GIA’s collaboration with Hong Kong-based conglomerate Chow Tai Fook to add blockchain technology protecting the information in diamond grading reports.
Still, Lin’s efforts have been less about adding new technology than about making better use of the technology GIA already had. For example, he found the Institute had market-leading security systems but needed to optimize their use while he increased employee awareness of the importance of cybersecurity.
“There’s still the challenge of understanding what normal behavior is and how to baseline the environments,” Lin explains. “Phishing and personal information threats are the same across industries. Just the attack methods used are different.”
He adds that the training program focused on teaching users to identify common social engineering methods at work and at home, because that translates into increased protection for GIA. Lin created the phishing contest in October 2021 to move away from traditional training, which tends to be dry.
“I’d rather not use fear and doubt to assimilate my users into changing behavior. I prefer to educate and empower my users. Making security fun and engaging while educating achieves better results than just pushing videos out every few weeks,” Lin says. “Our mission is to instill trust and that continues.”
A seat at the table
Lin emigrated to the U.S. from Taiwan when he was 12. He attended public schools in West Los Angeles and earned his bachelor’s degree in social studies, as well as his master’s in information and computer sciences, from the University of California, Irvine.
He began his career as a system administrator for Fleck Research, working there from April 1997 to April 1999. Then, he was a network solution architect for QLAN Corp. from April 1999 to January 2001.
Lin turned to consulting when he joined Deloitte & Touche in February 2001. Over the next decade, he rose to become a senior manager while helping Fortune 1000 companies improve their cybersecurity programs and information protection strategies.
In April 2011, Lin joined Sony Pictures Entertainment as a director. In late November 2014, the company was hacked by a group calling themselves the Guardians of Peace.
Lin led SPE’s IT recovery, a six-month effort that rebuilt the technology and operating environment from the ground up to full restoration. He says the experience gave him a new perspective on what’s possible for any organization when there is a common set of objectives and a shared mission in mind.
Lin joined GIA in September 2019, eager to apply his experience to an industry he says is undergoing a comprehensive digital transformation.
“Information security is a multi-disciplinary function in an enterprise,” Lin says. “Effective security leaders speak in simple terms, not technical jargon. A CISO may be a peacekeeper, interpreter, negotiator, facilitator—and most importantly, a business leader. My experience from consulting and global multimedia entertainment taught me how to create a sound security structure in a constantly changing environment, and my flexibility allowed me to identify creative and effective solutions for our business.”
View this feature in the Spring II 2022 Edition here.