David Lin – Gemological Institute of America Inc.

CISO ensures cybersecurity isn’t a hidden gem at GIA

It was a fishing contest without a bass boat or even a rod and reel.

In October 2021, employees at the Gemological Institute of America Inc. competed to see who could land the most “phish” by reporting suspicious emails to Chief Information Security Officer David Lin and his team.

The contest was part of GIA’s awareness month about cybersecurity and data protection. Lin created it, in part, to emphasize that GIA employees should use a newly installed “report phish” button. It also added needed fun to his efforts, he says.

David Lin | Chief Information Security Officer | Gemological Institute of America Inc.

Lin was vice president at Sony Pictures Entertainment when the company was breached by North Korean hackers in 2014, so he knows the importance of making cybersecurity a part of every business strategy.

“If you want to go digital, information security needs to be part of the consideration from day one,” Lin says. “Security is not an option anymore. It must be part of the playbook, especially if you want to maintain the trust of your customers. GIA elevated the CISO role to be part of the executive team. This speaks to the support and recognition it’s giving to the role.”

Making the grades

GIA was founded by Robert M. Shipley in 1931 as a nonprofit educational institute. It developed the global standards for analyzing and grading gems including diamonds, pearls and colored stones while also providing research and public education.

What began as home study courses for jewelers and gemologists is now a global organization with labs and proprietary technology that, for instance, can differentiate between natural and laboratory-grown diamonds.

The Quality Assurance Benchmark (QAB) is a process to identify basic jewelry manufacturing standards that help ensure an item of jewelry retains its integrity and properly secures precious stones in their settings. A QAB form covering setting and process standards is used to evaluate an item of jewelry. Using iPad content | Photo Courtesy of GIA

Wholesalers, retailers and consumers submit stones for grading and analysis and share the reports with their customers. Grading reports can also be searched on the GIA website.

While the accessibility of reports and transparency are crucial to GIA’s mission, Lin says that because of their value, diamonds and other gems are often subject to fraud and other crimes. That means the nonprofit’s reports and intellectual property used for grading precious stones need to be protected against forgery or theft—for example, someone fraudulently using a report to sell diamonds.

Using the tools

Before Lin joined the nonprofit in September 2019, GIA, like the industry as a whole, was undergoing a technology transformation. That includes GIA’s collaboration with Hong Kong-based conglomerate Chow Tai Fook to add blockchain technology protecting information in diamond grading reports.

Still, Lin’s efforts have been less about adding new technology than about using the technology GIA already had. For example, he found the Institute had market-leading security systems but needed to optimize their use while he increased employee awareness of the importance of cybersecurity.

GIA Carlsbad diamond grading lab. Taken June 2019 | Photo Courtesy of GIA

“There’s still the challenge of understanding what normal behavior is and how to baseline the environments,” Lin explains. “Phishing and personal information threats are the same across industries. Just the attack methods used are different.”

He adds that the training program focused on teaching users to identify common social engineering methods at work and at home, because that awareness translates into increased protection for GIA. Lin created the phishing contest in October 2021 to move away from traditional training, which tends to be dry.

“I’d rather not use fear and doubt to assimilate my users into changing behavior. I prefer to educate and empower my users. Making security fun and engaging while educating achieves better results than just pushing videos out every few weeks,” Lin says. “Our mission is to instill trust and that continues.”

A seat at the table

Lin emigrated to the U.S. from Taiwan when he was 12. He attended public schools in West Los Angeles and earned his bachelor’s degree in social studies, as well as his master’s in information and computer sciences, from the University of California, Irvine.

He began his career as a system administrator for Fleck Research, working there from April 1997 to April 1999. Then, he was a network solution architect for QLAN Corp. from April 1999 to January 2001.

Gemological Institute of America, Inc. | The Robert Mouawad Campus

Lin turned to consulting when he joined Deloitte & Touche in February 2001. Over the next decade, he rose to become a senior manager while helping Fortune 1000 companies improve their cybersecurity programs and information protection strategies.

In April 2011, Lin joined Sony Pictures Entertainment as a director. In late November 2014, the company was hacked by a group calling themselves the Guardians of Peace.

Lin led SPE’s IT recovery—a six-month effort from the ground up to full restoration of the technology and operating environment. He says the experience gave him a new perspective on what’s possible for any organization when there is a common set of objectives and shared mission in mind.
Lin joined GIA in September 2019, eager to apply his experience to an industry he says is undergoing a comprehensive digital transformation.

“Information security is a multi-disciplinary function in an enterprise,” Lin says. “Effective security leaders speak in simple terms, not technical jargon. A CISO may be a peacekeeper, interpreter, negotiator, facilitator—and most importantly, a business leader. My experience from consulting and global multimedia entertainment taught me how to create a sound security structure in a constantly changing environment, and my flexibility allowed me to identify creative and effective solutions for our business.”

View this feature in the Spring II 2022 Edition here.

Published on: April 14, 2022