Tia Jähi, KONE: Finding the Right Partner & Partnering Right

From cost fluctuations to accelerated digital transformation, business leaders face the crucial responsibility of managing organizational resources smartly to stay competitive and at the forefront of development.

The plethora of IT solutions designed to optimize businesses drives the need for better IT vendor management and data-driven decision-making to maximize an organization’s potential. Although an indispensable tool for IT leaders, vendor management is a complex and challenging task fraught with potential pitfalls.

We spoke to Tia Jähi, KONE’s Head of Business IT, about the organization’s supplier management approach and how to cultivate rewarding partnerships with vendors in the long run.

Tia Jähi is an IT leader at the renowned elevator company KONE, whose mission is to improve the flow of urban life. She has served in various roles in the company since 2012 and is experienced in vendor management and relationship management, with a focus on cost optimization, efficiency, and creating a culture of collaboration. Currently, she is leading IT for KONE Europe.

How has your strategy for IT supplier management evolved over the last few years, especially with the rapidly changing digital environment?

The past years have been quite change-intensive with the pandemic, remote working, digital advances, and the consolidation of the supplier market. We have seen quite significant changes, with technology suppliers consolidating, and in the market overall.

When it comes to the impact of this on strategy, it’s about being very active in monitoring the changes and creating a new outlook, because there have been cases when some of our core technologies have merged into other providers. We have close relationships, so when something happens, we can have the dialogue to ensure continuity of priorities.

Additionally, we also create transparency to our pipeline. For example, when we’re working with Supplier A which then goes through a merger or change in the market, perhaps expanding their scope, we are not just reviewing them as a supplier for technology in area A but also as a strategic supplier. We open our roadmap from the perspective that even though we are currently doing business in this area, there are other core areas we could be investing in, and that leads us to broadening our discussions. Of course, this applies especially to strategic suppliers.

In your experience, what are the most important components of a successful supplier relationship?

I often say the first thing is about finding the right partner and running your RFIs and RFPs, but it’s not the hardest part. For example, if we think about service providers in the IT space, there are many world-class players, most of whom are capable of doing the job. Then, it’s about our priorities and what’s right for the moment. After that, the work starts.

The more important and difficult part is partnering, and this happens regardless of whether it’s a strategic or preferred partner. It’s not just a relationship based on KPIs and monthly reports or spending. It’s about having intimacy on all levels.

Partnerships are not just selecting a vendor; you need to be a partner too.

This leads to my earlier point about sharing your roadmaps with your partners. You also need to understand their KPIs and expectations. If they’re entering a new market, for example, you need to be ready for them as well. Only then can you really build a sustainable, long-term, mutually beneficial relationship.

I was once asked how I would handle a quality issue with a supplier. The textbook answer would be to monitor SLAs and apply the penalties. That’s what you can do contractually. But you are not any better off even if you get service credits because you still have a problem. This is where partnering right comes up. We need to jointly understand the root causes of the issue. Is there attrition in the team? Immaturity in the technology? Depending on the relationship, what effort do I need and am willing to put in?

For example, in the past year we’ve seen, both in the partner and corporate landscape, that there has been huge attrition and turnover in certain geographies. I have to decide if this is something I want to invest more effort into – such as onboarding new team members. Again, it may contractually be the supplier’s responsibility to ensure the right quality of competence, but we’re both suffering. So do we jointly battle against attrition? It’s about making sure the teams are integrated and the supplier’s team feels like they are part of this company as well.

We do quite a lot of team building with our internal and supplier teams. For our part, we are investing in the relationship and in creating a joint vision for the whole team. To me, that is partnering right.

It boils down to getting people engaged and leading with a vision and a motivating view of the future.

This doesn’t only apply to colleagues on your payroll. We extend our recognition practices to our supplier teams as well. I think this is a core success element that should be considered, especially when we’re outsourcing part of the work more and more. It creates certain benefits without fully taking away leadership responsibilities.

What was one unexpected challenge you have faced when dealing with a supplier, and how did you overcome that challenge?

Of course, you need to be prepared for everything. But one example is the acquisition of technology suppliers, where all of a sudden you enter a new relationship with a new provider who has acquired a technology supplier you’ve been working with. There might be questions and concerns about their other customers, such as whether they are working with our competitors.

There may even have been some cases where these deals were announced publicly, so that you become aware of the significant change via a press release. This raises questions. Are your counterparts still in place? How do you extend the relationship to the new leadership?

The other challenge comes with the Great Resignation following the pandemic. Especially with our colleagues in India, we’re seeing attrition numbers in double digits. Again, it’s a joint challenge that must be addressed.

What is your best advice to other IT leaders and C-level executives when it comes to creating a successful supplier management strategy?

It comes down to first understanding your data. We have done significant exercises, starting from the purchase order level, to figure out who the suppliers are, where we are spending, and what are the future strategic opportunities. Then, creating a segmentation framework and starting to draft down.

From the C-level, it’s about having commitment to things like executive sponsorship for strategic suppliers. If we have great engagement all the way from the executive board, then when we consider having a company as a strategic partner, it comes all the way from the executive board. That gives us participation and helps build relationships. Of course, there are the core principles, such as governance, that will differ based on the layer of the suppliers. Either way, there has to be skin in the game at every level.

Looking at the different approaches you could take with strategic level suppliers, it’s about investing time and sharing roadmaps. They need to feel like a strategic partner, and they need to feel that you are a strategic partner to them with opportunities and a joint vision.

It’s also about looking at chances to consolidate. When you have over 100 suppliers, not everyone can be strategic. But if you look more into the niche or smaller players, are there opportunities there for consolidation down the line? Consolidation might be beneficial from a cost management perspective.

Essentially, start with three tiers of partners: strategic, preferred, and others before starting to understand the data.

Can you talk us through KONE’s process of coming up with a clear supplier selection criterion?

Depending on the scope, volume, and newness of the initiative, we usually start off our own education journey with an RFI round to understand the market and purify our requirements, as well as get to know the technologies and capabilities available.

With the RFP process, we have a firm framework. Then it comes to candidate assessment. Here we create a visible comparison between the first-round suppliers and decide which ones to move forward with.

For example, with selecting a technology supplier, functional requirements are very important. But equally important are non-functional requirements from the perspective of cybersecurity, privacy, performance, global reach. There’s also the cost and cost of total ownership as well as their potential as a partner.

We do this rating transparently with a broad internal team. But the weight of each factor can change. For example, functional requirements may be worth 50% of the total evaluation with the other parts being smaller. Either way, we utilize the framework and fit it to the initiative we are working on.

Of course, there may be a clear answer from the ratings, but there are also soft elements to consider that may play a role as well. This is the partnership aspect. Do we believe in their roadmap? Are they innovators or a basic provider?

It’s not just about finding the right partner but partnering right.

We have made bets that have turned out to be very successful today, where a supplier may have equal functionalities, but we chose one over the other because of their technical design and future orientation.

You can’t distill everything into an Excel that gives you a number that is the answer. Even in this phase of partnership, you must invest time to truly understand them.

*The answers have been edited for length and clarity.

Top Internal Cybersecurity Threats: What CISOs Should Know

The biggest cybersecurity threats come from within the organization. 57% of businesses revealed that internal cybersecurity threats have become more frequent since 2020 (Cybersecurity Insiders). Therefore, it’s time for cybersecurity leaders to look inward and tackle the internal cybersecurity threats that pose as much risk to their organizations as external cyberattacks.

Internal Cybersecurity Threat #1: Human Error

Human error was named the main cause of 24% of data breaches, according to IBM and Ponemon Institute’s recent Cost of a Data Breach report. Employees in the IT help desk, HR, and R&D are data security risks targeted by cybercriminals because they have access to valuable company information.

Social Engineering 

Also known as human hacking, social engineering is often the entry point of a large-scale cyberattack. Social engineering allows cybercriminals to bypass firewalls, antivirus software, and cybersecurity measures. It takes nearly nine months for companies to identify and contain data breaches caused by social engineering (IBM). Phishing is by far the most common type of social engineering attack. 

Phishing

In Management Events’ report, Navigating the Future of Cybersecurity, 75% of European cybersecurity leaders named phishing as the most worrisome cybercrime. In addition, the IBM Security X-Force Threat Intelligence Index 2023 found that phishing was the leading infection vector, used in 41% of incidents. Phishing attacks are also easier to execute with Phishing-as-a-Service (PhaaS) offerings such as phishing kits and open-source phishing frameworks (Zscaler).

Notable Phishing Attacks  

  • Facebook: Evaldas Rimasauskas and his team stole over $100 million from the tech giant by defrauding specific employees. Rimasauskas impersonated a computer manufacturer and sent employees invoices for genuine goods and services, directing them to wire money to fake bank accounts.
  • Microsoft 365: Employees were tricked into installing malicious code on their devices. The targets received a pop-up notification saying that they had been logged out of Microsoft 365 and inviting them to re-enter their login credentials. Those credentials ended up in the hands of hackers.
  • Google Drive: Targets were tagged in a suspicious document containing malicious links to a phishing site. They received a legitimate email notification from Google containing the comment’s text and a link to the relevant document. Acting on this sense of urgency, targets unintentionally clicked on one of the malicious links and were asked to enter their login credentials.

Internal Cybersecurity Threat #2: A Growing Remote Workforce

A whopping 91% of IT personnel experienced pressure to jeopardize security to enable business continuity within remote work conditions (HP Wolf Security). Therefore, it’s unsurprising that work-from-home and remote work practices have led to increased internal cybersecurity threats. A study by Check Point recorded a 38% jump in cyberattacks in 2022 compared to 2021 due to the rise of remote and hybrid working conditions.  

Unsafe Data Storing and Sharing Practices  

Company data becomes more vulnerable with the rise of remote and hybrid work. It’s difficult to ensure that all employees follow sound data storage and protection practices. Terranova Security found that only 53% of employees understand their role in protecting company data, and 35% express low concern if company data were stolen. Sharing confidential company information with third parties could have dire consequences. All it takes is a moment of carelessness, such as accidentally posting something publicly or sending information to the wrong email address.

The Use of Unauthorized Devices 

According to Lookout’s State of Remote Work Security Report, 92% of remote workers use personal devices such as smartphones and tablets to do work. Additionally, personal devices connected to insecure Wi-Fi networks may leave them susceptible to malware and viruses. Portable devices like USB sticks also pose a cyber risk. Although convenient to use, portable devices are easy to steal and are goldmines for cybercriminals – especially if they contain valuable company data.  

Internal Cybersecurity Threat #3: Shadow IT

Shadow IT is still a bane for CISOs, as it offers unmanaged entry points for cybercriminals to breach. Gartner found that 41% of employees acquired, modified, or created technology outside of IT’s knowledge. In addition, 57% of small and midsize businesses reported shadow IT activity (Capterra). Remote workers are also more likely to utilize shadow IT, but enforcing security controls proves to be a challenge: 80% of IT staff dealt with objections from remote team members who did not agree to additional security measures (HP Wolf Security).

Dissatisfaction with Current Tools 

According to a Beezy report, 61% of employees were unsatisfied with the tech stack at their jobs. Existing tools were buggy and difficult to integrate with legacy systems. 85% of them also relied on shadow IT tools despite the risk of their activities being monitored. Popular shadow IT includes personal messaging platforms, video conferencing, cloud storage services, and collaboration dashboards.  

Shadow IT Made Easier with Digitalization  

Shadow IT is more widespread than ever before due to the ease of buying and launching software without consulting cybersecurity teams. The ubiquity of cloud services has also made shadow IT more prevalent.  

“In the past when you used to have to procure hardware and know how to get a network connection, there was a barrier to entry. Cloud has lowered that barrier,” says Joe Nocera, leader of the Cyber & Privacy Innovation Institute at PwC.

Furthermore, undocumented APIs are a relatively new form of shadow IT. A report by Cequence Security found that 68% of organizations experienced shadow APIs.  

Types of Internal Cybersecurity Threat Actors

Internal cybersecurity threat actors include current employees, former employees, business partners, and suppliers who have access to an organization’s computer systems, data, and cloud platforms. Internal threat actors in cybersecurity either act unknowingly or have dishonest intent. 63% of internal data breaches are attributed to negligence, and cost companies an average of USD 11.45 million (Ponemon Institute). 

Common Insider Threat Indicators 

According to CrowdStrike, events that may indicate the presence of an insider threat actor include strange authorization requests for access to company documents, logins at odd hours, and unusual surges in traffic. Cybersecurity leaders should also keep a close eye on employees who display suspicious behavior such as conflicts with peers, absenteeism, unreliability, and underperformance at work. In addition, employees who display anger and resentment due to factors such as a lack of career progression could also pose an insider threat risk.  
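The indicators listed above are signals to review, not verdicts. The following added example (not from the article, CrowdStrike, or any product) shows how three of them can be derived from ordinary access logs: logins outside business hours, authorization requests for documents a user is not entitled to, and a surge in a user's daily access volume. The log lines, user names, entitlements, and thresholds are all constructed for illustration.

```python
"""Toy insider-threat indicator detector (added example, not from the article).

Scans constructed access-log lines for three indicators the text names:
logins at odd hours, unusual authorization requests, and access-volume surges.
All log lines, users, entitlements and thresholds are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <event> <resource>"
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice login workstation
2024-03-04T09:15:40 alice file_read sales/q1_forecast.xlsx
2024-03-04T10:02:11 bob login workstation
2024-03-04T10:05:55 bob file_read eng/build.log
2024-03-04T23:41:09 bob login vpn
2024-03-04T23:43:10 bob access_request finance/payroll.db
2024-03-04T23:44:00 bob file_read finance/payroll.db
2024-03-04T23:45:12 bob file_read finance/vendors.db
2024-03-04T23:46:30 bob file_read hr/salaries.xlsx
2024-03-04T23:47:01 bob file_read hr/reviews.docx
2024-03-04T23:48:22 bob file_read legal/contracts.pdf
2024-03-05T08:59:30 alice login workstation
"""

# Constructed policy: business hours and the top-level folders each user is entitled to.
BUSINESS_HOURS = range(7, 20)                      # 07:00 to 19:59
ENTITLED = {"alice": {"sales"}, "bob": {"eng"}}
MAX_READS_PER_DAY = 3                              # constructed per-user baseline


def parse_line(line):
    """Split one log line into (timestamp, user, event, resource)."""
    ts, user, event, resource = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, resource


def detect_indicators(log_text):
    """Return (user, indicator, detail) tuples for an analyst to review."""
    findings = []
    reads = defaultdict(Counter)   # user -> day -> number of file reads
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, resource = parse_line(raw)
        top_folder = resource.split("/", 1)[0]

        # Indicator 1: login outside business hours
        if event == "login" and ts.hour not in BUSINESS_HOURS:
            findings.append((user, "off_hours_login", f"{ts.isoformat()} via {resource}"))

        # Indicator 2: authorization request for documents outside the user's entitlement
        if event == "access_request" and top_folder not in ENTITLED.get(user, set()):
            findings.append((user, "unusual_authorization_request", resource))

        # Indicator 3 is computed after the pass: count reads per user per day
        if event == "file_read":
            reads[user][ts.date().isoformat()] += 1

    for user, days in reads.items():
        for day, n in days.items():
            if n > MAX_READS_PER_DAY:
                findings.append((user, "access_volume_surge", f"{n} reads on {day}"))
    return findings


def users_with_indicators(findings):
    """Distinct users that triggered at least one indicator."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for finding in detect_indicators(SAMPLE_LOG):
        print(finding)
```

In the constructed log only "bob" trips all three indicators (a 23:41 VPN login, a request for a finance database outside his entitlement, and six reads in a day against a baseline of three). In practice the baseline would be learned per user from historical volume rather than fixed, and findings would be correlated with HR context before anyone is approached.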

How to Mitigate Internal Cybersecurity Threats

Review Cyber Awareness Training  

  • Adapt training to fit the company culture and risk profile 
  • Organize function-specific training so that employees are aware of how their responsibilities relate to company data  
  • Cover topics such as data management, incident reporting process, personal device policies, passwords, and physical security 
  • Conduct phishing simulations  

Practice Good Cyber Hygiene

  • Identify security gaps such as outdated software and database performance issues 
  • Review access control and data protection policies among remote workers 
  • Tighten access control among current and former employees, business partners, and vendors   
  • Prepare a comprehensive cyber hygiene plan that covers daily, monthly, quarterly, and yearly upkeep and maintenance activities 

Improve Employee Cybersecurity Awareness  

All employees should:  

  • Use strong passwords and change them regularly  
  • Recognize signs of phishing scams 
  • Report colleagues who demonstrate suspicious behavior  
  • Not share login credentials with anyone, even colleagues  
  • Be wary of what they share about themselves and their workplace online 

Fortify Organizational Cyber Resilience  

  • Perform a thorough cyber resilience assessment that includes risk factors, access points, and industry-specific cyberattacks
  • Back up mission-critical data
  • Encrypt data and require MFA and SSO for logins
  • Devise a mobile device cybersecurity strategy
  • Leverage AI and machine learning to improve cybersecurity systems
  • Work with IT personnel to perform organization-wide shadow IT audits
  • Set up a crisis management team and incident response plan

Cybersecurity leaders must implement consistent, ongoing, and up-to-date practices to instill a security-first mindset among employees to stay ahead of the latest cybercrimes and keep confidential data out of the hands of malicious actors.  

How to Use AI in Cybersecurity for Business

With rapid advancements in technology, security leaders are actively exploring how to use artificial intelligence (AI) in cybersecurity as traditional measures alone may no longer be sufficient in defending against sophisticated threats. AI has emerged as a potentially powerful tool in bolstering cybersecurity efforts, offering enhanced threat detection, prediction, and response capabilities among other uses.

A survey by The Economist Intelligence Unit revealed that 48.9% of global executives and leading security experts believe that AI and machine learning (ML) are best equipped for countering modern cyberthreats. Additionally, IBM found that AI and automation in security practices can significantly reduce threat detection and response times, by up to 14 weeks of labor, and reduce the costs associated with data breaches. Global interest in AI’s potential for countering cyberthreats is evident from the growing investments in it: the global AI in cybersecurity market is projected to reach USD 96.81 billion by 2032.

Despite the promise of AI, Baker McKenzie found in a survey that C-level leaders tend to overestimate their organization’s preparedness in relation to AI in cybersecurity. This serves to underscore the importance of realistic assessments on AI-related cybersecurity strategies.

Security Applications of AI

Many tools in the market leverage subsets of AI such as machine learning, deep learning, and natural language processing (NLP) to enhance the security ecosystem. CISOs are challenged with finding the best ways to incorporate cybersecurity and artificial intelligence into their strategies.

1. Enhanced Threat Detection and Response

One of the main examples of AI in cybersecurity is its use for malware detection and phishing prevention. AI-powered tools have been shown to be significantly more efficient than traditional signature-based systems.

Where traditional systems can prevent about 30% to 60% of malware, AI-assisted systems have an efficiency rate of 80% to 92%.

Researchers at Plymouth University detected malware with an accuracy of 74% across all file formats using neural networks. The accuracy was between 91% and 94% for .doc and .pdf files specifically. As for phishing, researchers at the University of North Dakota proposed a detection technique utilizing machine learning, which achieved an accuracy of 94%.

Given that phishing and malware remain the biggest cybersecurity threats for organizations, this is good news. These advancements enable organizations to identify potential threats more accurately and respond proactively to mitigate risks that could cause massive financial and reputational damage.

2. Knowledge Consolidation

A pressing issue for CISOs is that the sheer volume of security protocols and software vulnerabilities poses a challenge for their security teams. An advantage of AI in cybersecurity is that ML-enabled security systems can consolidate vast amounts of historical data and knowledge to detect and respond to security breaches. Platforms like IBM Watson leverage ML models trained on millions of data points to enhance threat detection and minimize the risk of human error.

AI’s ability to improve its knowledge of cybersecurity threats and risks by consuming billions of data points, and to recognize patterns and anomalies faster than humans, enables it to learn from past experience and come up with increasingly efficient ways to combat cyberattacks. This allows AI-powered security systems to keep pace with the evolving threat landscape more efficiently.

IBM notes that AI is also able to analyze relationships between threats in mere seconds or minutes, thus reducing the amount of time it takes to find threats. This is essential to reducing the detection and response times of cybersecurity breaches, which can significantly reduce costs to organizations as well.

The global average total cost of a data breach, according to IBM, was USD 4.35 million in 2022. Organizations also took an average of 277 days to identify and contain a breach. If that number is brought down to 200 days or less with the help of AI, organizations can save an average of USD 1.12 million.

3. Enhanced Threat Analysis and Prioritization

Tech giants like Google, IBM, and Microsoft are investing heavily in AI systems to identify, analyze, and prioritize threats. In fact, Microsoft’s Cyber Signals program leverages AI to analyze 24 trillion security signals, 40 nation-state groups, and 140 hacker groups to detect software vulnerabilities and malicious activities.

Given the vast amounts of data that must be analyzed, it’s not surprising that 51% of IT security and SOC decision-makers said they were overwhelmed by the volume of alerts (Trend Micro) while 55% cited their lack of confidence in prioritizing and responding to them. Moreover, 27% of surveyed respondents spent up to 27% of their time managing false positives.

Worryingly, Critical Start found that nearly half of SOC professionals turn off high-volume alerts when there are too many to process.

One answer to the question of how to use AI in cybersecurity is by applying it to analyze vast amounts of security signals and data points to detect and prioritize threats quickly and effectively. With the assistance of AI, security teams are better able to promptly respond to threats under the increasing frequency of cyberattacks.
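Switching off a high-volume rule, as the Critical Start finding describes, discards the signal along with the noise. The following added example (not from the article, Trend Micro, Critical Start, or any vendor) shows the plain rule-based alternative that sits underneath any ML-assisted triage: collapse repeated alerts into one record with a count, then rank by severity and asset criticality so the handful that matter surface first. The alert stream, host names, severity weights, and criticality multipliers are constructed for illustration; a real deployment would pull criticality from the asset inventory.

```python
"""Toy alert deduplication and prioritization (added example, not from the article).

Repeated alerts sharing (rule, host, user) are merged into one record with a
count; each record is then scored by severity weight times asset criticality.
All alerts, hosts, weights and multipliers are constructed.
"""
from collections import OrderedDict

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Constructed asset inventory: how much a finding on this host should be amplified.
ASSET_CRITICALITY = {"dc01": 3.0, "fileserver": 2.0, "laptop-17": 1.0, "kiosk-3": 0.5}

# Constructed raw alert stream: (rule, host, severity, user), in arrival order.
RAW_ALERTS = [
    ("failed_login_burst", "kiosk-3", "low", "guest"),
    ("failed_login_burst", "kiosk-3", "low", "guest"),
    ("failed_login_burst", "kiosk-3", "low", "guest"),
    ("failed_login_burst", "kiosk-3", "low", "guest"),
    ("new_admin_account", "dc01", "high", "svc_backup"),
    ("suspicious_powershell", "laptop-17", "medium", "alice"),
    ("failed_login_burst", "dc01", "low", "administrator"),
    ("failed_login_burst", "dc01", "low", "administrator"),
    ("malware_signature", "fileserver", "critical", "bob"),
]


def dedupe(alerts):
    """Collapse alerts that share (rule, host, user) into one record with a count."""
    grouped = OrderedDict()
    for rule, host, severity, user in alerts:
        key = (rule, host, user)
        if key in grouped:
            grouped[key]["count"] += 1
        else:
            grouped[key] = {"rule": rule, "host": host, "user": user,
                            "severity": severity, "count": 1}
    return list(grouped.values())


def score(alert):
    """Severity weight x asset criticality, with a capped bonus for repetition.

    Repetition raises the score a little (a burst is more interesting than a
    single event) but can never turn a low-severity alert on a kiosk into a
    top-priority item on its own.
    """
    base = SEVERITY_WEIGHT[alert["severity"]] * ASSET_CRITICALITY.get(alert["host"], 1.0)
    repetition_bonus = 1 + 0.1 * min(alert["count"] - 1, 5)
    return round(base * repetition_bonus, 2)


def prioritize(alerts):
    """Deduplicate, score, and return alerts ordered from highest to lowest risk."""
    deduped = dedupe(alerts)
    for alert in deduped:
        alert["score"] = score(alert)
    return sorted(deduped, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in prioritize(RAW_ALERTS):
        print(f'{alert["score"]:6.2f}  {alert["rule"]:<22} {alert["host"]:<11} x{alert["count"]}')
```

On the constructed stream the nine raw alerts become five records: the new admin account on the domain controller ranks first, the critical malware hit on the file server second, and the four identical low-severity kiosk alerts collapse into one record at the bottom with a count of four, still visible but no longer crowding out the rest.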

4. Threat Mitigation

The complexity of analyzing every component of an organization’s IT inventory is well-understood. With the help of AI tools, the complexity can be managed. AI can identify points within a network that may be more susceptible to breaches and even predict the type of attacks that may occur.

In fact, some researchers have proposed cognitive learning-based AI models that monitor security access points to verify that logins are authorized. Such a model can detect remote hacks early, alert the relevant users, and create additional security layers to prevent a breach.

Of course, this would also require training AI/ML algorithms to recognize attacks carried out by other such algorithms as cybersecurity and risks evolve in lockstep. For example, hackers have been found to use ML to analyze enterprise networks for weak points. This information is used to target possible entry points for phishing, spyware, and DDoS attacks.

5. Task Automation

When talking of AI applications in cybersecurity, task automation is one of the most widely adopted. Especially for repetitive tasks, such as analyzing a high volume of low-risk alerts and taking immediate measures, AI tools can come in handy to free up human analysts for higher-value tasks. This is especially valuable to companies that are still short on qualified cybersecurity talent.

Beyond that, intelligent automation is also useful for gathering research on security incidents, assessing data from multiple systems, and consolidating it into a report for analysts. Shifting this routine task to an AI helper will save plenty of time.

How Threat Actors Are Using AI

While AI is proving to be a valuable tool in the cybersecurity arsenal, it is also becoming a mainstay for threat actors who are leveraging it for their malicious activities. AI’s high processing capabilities enable them to hack systems faster and more effectively than humans.

In fact, generative AI models such as ChatGPT and DALL-E have made it easier for cybercriminals to develop malicious exploits and launch sophisticated cyberattacks at scale. Threat actors can use NLP AI models to generate human-like text and speech for social engineering attacks such as phishing. The use of NLP and ML enhances the effectiveness of these phishing attempts, creating more convincing emails and messages that trick people into revealing sensitive information.

AI enables cybercriminals to automate attacks, target a broader range of victims, and create more convincing and sophisticated threats. For now, there is no efficient way to distinguish between AI- or human-generated social engineering attacks.

Apart from social engineering attacks, AI-powered cyberthreats come in various forms, including:

  • Advanced persistent threats (APTs) that use AI to evade detection and target specific organizations;
  • Deepfake attacks which leverage AI-generated synthetic media to impersonate real people and carry out fraud; and
  • AI-powered malware which adapts its behavior to avoid detection and adjust to changing environments.

The rapid development of AI technology allows hackers to launch sophisticated and targeted attacks that exploit vulnerabilities in systems and networks. Defending against AI-powered threats requires a comprehensive and proactive approach that combines AI-based defense mechanisms with human expertise and control.

AI and Cybersecurity: The Way Forward

The integration of AI into cybersecurity is transforming the way organizations detect, prevent, and respond to cyber threats. By harnessing the power of AI, organizations can bolster their cybersecurity defenses, reduce human error, and mitigate risks.

Having said that, the immense potential of AI also increases the risk of cyber threats, which demands vigilant defense mechanisms. After all, humans remain a significant contributing factor to cybersecurity breaches, accounting for over 80% of incidents. This emphasizes the need to also address the human element through effective training and awareness programs.

Ultimately, a holistic approach that combines human expertise with AI technologies is vital in building a resilient defense against the ever-evolving landscape of cyber threats.

FAQ: AI in Cybersecurity

How is AI used in cybersecurity?

In cybersecurity, AI removes the need for human experts to do tedious, time-consuming tasks. AI can read an immense amount of data and identify potential threats while reducing false positives by filtering non-threatening activities. This helps human security experts to focus on vital tasks instead.

How will AI improve cybersecurity?

AI technologies can spot potential weak spots in a network, flag breach risks before they occur, and even automatically trigger measures to prevent and mitigate cyberattacks from ransomware to phishing and malware.

What are the risks of AI in cybersecurity?

AI-enabled cybersecurity tools are reliant on the data sets they are trained on. This means bias may unintentionally skew the model, resulting in mistaken analysis and inefficient decisions that could lead to terrible consequences.

What are the pros and cons of AI in cybersecurity?

Some benefits of AI-based security tools include quicker response times, better threat detection, and increased efficiency. On the other hand, there are ethical concerns to AI such as privacy, algorithmic bias, and talent displacement.