What Do You Do If You Fall Victim to a Cyber Attack?


As cyber attacks become a more constant threat, organizations are forced to re-examine their risk management strategies. Check Point found that there were 50% more attacks per week on corporate networks in 2021 compared to the previous year.

On top of that, more than 55% of large companies are not effective at stopping cyber attacks, identifying and fixing breaches, or containing the impact. Accenture’s State of Cybersecurity Resilience 2021 report also noted that 81% of CISOs said that “staying ahead of attackers is a constant battle and the cost is unsustainable”, compared with 69% in 2020.

We spoke to Nuno Martins da Silveira Teodoro, Cyber Security and Privacy Officer of Huawei Portugal and Tom Hofmann, CISO and DPO of Eniwa AG about whether humans really are the weakest link as well as the role CISOs play in this increasingly risky security landscape. 

 
Nuno Martins da Silveira Teodoro is a cybersecurity expert with experience in cybersecurity strategies and programs, threat intelligence, cybercrime and warfare, and data privacy. He has worked with regulating bodies and managed international certifications and cyber programs.
Tom Hofmann has over 20 years of experience implementing projects from Finland to Tokyo and an interest in how to leverage human-centered innovation in social and technical systems.
 

We need more engaging cyber awareness training 

 

When asked why humans are still the weakest link in cybersecurity despite hours of training, Teodoro counters that humans are simply the “most probable link to be exploited” given the sheer number of employees in any given organization.  

He added, “You only need one to execute what criminal actors want.” 

Specifically, he pointed out that bad actors try to exploit people’s needs to help and support others. This, combined with a lack of cybersecurity awareness from just one person in an organization can have devastating effects.  

Attackers are becoming savvier by exploiting chinks in the human chain via social engineering. So even the latest technology can leave an organization vulnerable if people lack the right level of cyber awareness. According to the Identity Theft Resource Center’s 2021 Data Breach Report, social engineering attacks such as smishing, phishing, and business email compromise (BEC) were the most common cause of cyber breaches in 2021.  

In fact, the 2022 State of Phish report found that 78% of organizations experienced email-based ransomware attacks in 2021. Moreover, 79% experienced spear phishing attacks while 87% experienced bulk phishing.  

Attackers have all the time in the world to exploit humans in an organization and they’re getting very good at it. In contrast, businesses are simply unable to spend all their time and resources training their employees, which presents a disadvantage.  

As such, Teodoro suggested engaging employees in a pragmatic way when training as opposed to showing slides or running computer-based simulations that they do not identify with.  

He said: “This is where I usually try to target the training courses we do, which is to identify the fine details that can indicate that someone is a victim of an attempted social engineering attack.”

Hofmann agreed that forcing people who are overworked and understaffed to watch boring training videos is ineffective, adding that blaming employees for falling victim to phishing attacks would also be pointless. Instead, he advocated for leaders to try to understand the problems their employees face and what they need in order to be more secure.

 

Human-centric approach to cybersecurity

 

On the question of a human-centric design of cybersecurity, Hofmann explained that it’s about combining technical and business viability. However, this is made difficult when there is a lack of trust between employees and their supervisors.  

Hofmann recalled that in his experience, project managers’ bonuses are tied to certain projects. Under pressure to deliver, they do all they can even if it means coming up with workarounds that may compromise security.  

Teodoro elaborated, “For sure, penalization is something that creates a culture of fear, and it creates a culture of not alerting or reporting anything or hiding things that could otherwise be critical.” 

“I think we should foster a culture of transparency, a culture of openness, and a culture where everyone is at ease to report to the upper management or CIO or to anyone who has the responsibility that they believe something is wrong, even if it started with them,” he added.  

Hofmann, who agreed, stressed that the only way to build this sort of trust is for leaders to go out and meet people, while also refraining from using blame or shame.  

Even so, both speakers conceded that this will be difficult to do. An organization-wide cultural shift requires the cooperation of each department. The challenge is that everyone has their own agenda and way of doing things. Each person also responds differently to engagement and security awareness training. This means CISOs are faced with the mammoth task of figuring out how to best engage employees across the organization and merge them together to create a holistic version of security culture. 

When asked about the greatest contributor to behavioral change in cyber awareness, Teodoro suggested creating ‘Cyber Champions’. These are employees from different business areas who can spread the message and also serve as a conduit for understanding what each team is concerned with daily in terms of security.


Ransomware: To Pay or Not to Pay 

 

According to the Sophos State of Ransomware 2022 report, there was a 78% increase in the number of organizations hit by ransomware attacks alone in 2021. It is also an expensive breach. On average, the cost of rectifying the impact of ransomware attacks the same year was USD 1.4 million.

On whether organizations should pay the ransom, Teodoro and Hofmann both agreed that it is the absolute last resort.  

Hofmann specifically noted that paying the ransom only serves to fuel the “ransomware pandemic”. The only exception he would consider is if someone’s life is on the line – for example, if a hospital was hit by a ransomware attack and needed to recover access to its life-saving systems. He warned, however, that there’s no guarantee that everything will return to normal once a ransom is paid, because decryption keys do not always work.

Teodoro went on to emphasize that resolving a ransomware attack is a complex process, even if you did decide to pay. Finance leaders should consider whether they know how to negotiate with ransomware attackers and whether they have a team in place with the required expertise to handle such situations.

This is particularly important given that in 2021, 65% of ransomware attacks resulted in data being encrypted, while only 4% of organizations that were breached recovered all their data, according to the Sophos report. Additionally, 90% of organizations that experienced a ransomware attack faced operational issues as a result, while 86% faced a loss of revenue.

As such, the experts recommended setting up a crisis management team for cyber attacks to contain the incident and manage the fallout both internally and externally. After all, when an incident does occur, it has the potential to turn into a crisis.

Teodoro said, “If you have everything on crisis management prepared, you will know that being vocal, transparent, honest, and confront the public facing audience and your customers in a direct and open way are the best possible thing you can do. If you try to hide or conceal it, you will lose all your credibility.” 

Hofmann also stressed that communication is vital, and noted his surprise at how leadership in many organizations remains reluctant to openly address breaches on the assumption that it would hurt their brand. He described this as a “biased decision”.

He explained: “I would rather trust a company who is open about it and who is transparent about what they are doing rather than a company that is hiding stuff from me. As a customer, I would ask, do I trust this organization with my data?” 

What’s Your Cybersecurity Budget?

The damage cyberattacks cause organizations is on the rise, costing them millions. Although cybersecurity spending is projected to increase dramatically, CISOs must structure their cybersecurity budgets based on their organization’s needs, vulnerabilities, and swiftly evolving trends such as the shift towards remote/hybrid work and a growing reliance on cloud services. Read on to discover the key current factors driving cybersecurity budget prioritizations. 

 

The rising cost of cybersecurity breaches 

 

A report by the Identity Theft Resource Center noted that data breaches in 2021 exceeded those in 2020, with an estimated 281.5 million people affected. The cost of this is monumental, especially for businesses. The average cost of cybercrime amounts to $1.79 million per minute for businesses, highlighting the impact that cybersecurity has on an organization’s operations.

It is no surprise, then, that cybersecurity budgets are on the rise each year in line with this trend. Approximately 44% of IT professionals cited improving cybersecurity as a justification for increased IT investments, according to the ESG research report on its 2022 Technology Spending Intentions Survey.

In fact, cybersecurity spending is growing at a faster rate than overall IT spending, with 44% of security leaders expecting their budgets to increase in the next 12 months, according to CSO’s 2021 Security Priorities Study. This is in line with the findings reported in PwC’s 2022 Global Digital Trust Insights report, which states that 69% of organizations predict a rise in their cyber spending for the year.

Additionally, tech research firm Gartner projected that spending on information security and risk management will top $172 billion in 2022, a $17 billion increase from 2021 and $35 billion more than in 2020.  

In 2021, Microsoft announced a $20 billion cybersecurity budget over the next five years while Google CEO Sundar Pichai announced that the company is investing $10 billion in that same period. 

 

Cybersecurity spending priorities 

 

Though the projections for cybersecurity spending increase each year, it is still limited. As CISOs grapple with increased risk, they are also searching for ways to spend their funds most efficiently.  

One way to do that is to understand the threat landscape and the needs of the organization. Gartner identified the top five areas of security spending growth over the last three years as application security, cloud security, data security, identity and access management, and infrastructure protection.

Current developments will also affect budget priorities. In the two days following the start of the Russia-Ukraine war, US-based cybersecurity agencies observed an increase of over 800% in suspected Russian-sourced cyberattacks.

In March, the hacker group Anonymous warned that it would attack major corporations that have not pulled out of Russia since the war began. It was later reported that the group had hacked Nestle and leaked over 10GB of important data including client information, emails, and passwords. Other organizations that were targeted include Burger King, Subway, and cloud computing firm Citrix. 

The US Department of Homeland Security, FBI, and others have issued warnings for organizations to be prepared for further threats. 

 

Cloud Security is a key focus 

 

The global pivot to remote work catalyzed by the COVID-19 pandemic has redefined many organizational structures and led to a growing reliance on cloud services and digital tools, leaving organizations vulnerable to different types of cyberattacks.

An IDC survey by Ermetic found that 79% of companies experienced at least one cloud data breach in the last 18 months. This is alarming given that 92% of an organization’s IT environment is cloud-based, making cloud security a key concern for CISOs and other C-level professionals.  

Unsurprisingly, CISOs are prioritizing cloud security, which would drive budget priorities. According to ESG, 62% of the IT personnel surveyed said they are planning to increase spending on cloud application security while 56% said they are investing in cloud infrastructure security.  

We have also found, as shown in our latest Cybersecurity Investments trend report, that 60% of CISOs and their C-level counterparts are focusing on cloud security, specifically third-party management and resilience or Zero-Trust Architecture. Many of the organizations interviewed also noted that they are looking to expand their cloud solutions and adopt a hybrid cloud, enabling them to keep sensitive data processing on-site.

 

Employee Awareness can reduce security risks 

 

Another area of focus for CISOs is employee awareness, with 58% of organizations citing it as a key focus of their cybersecurity strategies. A Ponemon Institute study showed that 68% of organizations have experienced at least one endpoint attack, compromising their IT infrastructure and data.  

Similarly, IBM found that a staggering 95% of cybersecurity breaches were caused by human error.  

As Mika Susi, former Executive Director of the Finnish Information Security Cluster, said: “Many times, humans are said to be the weak link in cybersecurity. Recently, we have also seen many attacks using an organization’s supply chain and partners as weak spots to get access to their network.”

Eliminating that factor would mean that 19 out of 20 cybersecurity breaches may not have occurred at all. Though it would be impossible to solve human error completely, it is crucial to implement strong policies and training programs to equip employees with the right knowledge and tools to avoid potential cyber threats, which would decrease security-related risks by as much as 70%.  

One of the challenges with improving employee awareness is that there hasn’t been enough of a focus on building a culture within organizations to identify risks.  

“As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture,” says Magnus Solberg, VP & Head of Security Governance at Storebrand.

Implementing a bottom-up approach to training employees to think in and act in a risk-based manner is one way to mitigate the human factor, says Mr. Solberg. He also suggests arming employees with tools to perform more structured and documented assessments, both mental tools as well as stronger policies, guidelines, and software.

 

Cybersecurity resilience and readiness 

 

At the same time, cybersecurity leaders are actively searching for new strategies to quickly detect and respond to cyber breaches.  

In 2021, there was a major surge in cyberattacks compared to previous years. According to SonicWall’s Cyber Threat Report, there was a 105% increase in ransomware attacks that year from the previous year. Narrowing down, government institutions saw a 1,885% increase and the healthcare industry saw a 755% increase in such attacks. According to Sophos’ State of Ransomware 2021 report, retail, education, and business & services sectors were hit with the most ransomware attacks.  

In July 2021, Swedish supermarket chain Coop was forced to shut down over 400 stores due to a major ransomware attack on its point-of-sale systems. This was part of the same ransomware attack which affected over 200 businesses, mainly in the US. More recently, several oil storage and transport companies across Europe were hit with ransomware attacks. Specifically, Oiltanking in Germany, SEA-Invest in Belgium, and Evos in the Netherlands were all forced to operate at limited capacity due to the attack.

Sophos’ report also revealed that, on average, it costs an organization a total of S$1.85 million to recover from a ransomware attack, up 143% from the previous year. The findings also showed that only 8% of organizations that fell victim to a ransomware attack were able to recover all their data after paying a ransom. Approximately 29% recovered no more than half of their data.

Beyond that, a recent survey found that 66% of respondents suffered a significant loss of revenue following a ransomware attack while 53% reported that their brand images were negatively affected. Alarmingly, 29% said ransomware attacks led to employee layoffs.  

The cost of a ransomware attack or recovering from other forms of cyberattacks could set organizations back a major chunk of their budgets if they are not prepared in advance. In fact, the increased cost of ransomware attacks has also driven up premiums on cyber insurance policies, adding to the need for organizations to be financially prepared.  

CISOs are constantly looking for ways to strengthen their organization’s ability to resist and recover from a multitude of threats, which in turn informs their cybersecurity investment priorities. What other factors should organizations consider when setting their cybersecurity budgets?  

ECSO’s Luigi Rebuffi: Bridging the Gap In Trust and Talents Within Cybersecurity

The impact that COVID-19 has had on cybersecurity has shown how much work businesses still need to do when dealing with cyber threats. Attacks such as the SolarWinds hack show that CISOs need to build awareness, prevention, and security practices into their organization’s culture.

As the Secretary-General and Founder of the European Cyber Security Organisation (ECSO), Luigi Rebuffi shares with us his insights on the role of Public-Private Partnerships (PPP) in digital security, the challenges that come with it, and how organizations are bridging the talent gap within cybersecurity.

 

Understanding The Role of Public-Private Partnerships in Digital Security

Public-Private Partnerships (PPP) in cybersecurity continue to be a necessity for both the government and the private sector to overcome the increase in cyber threats. While PPPs can serve as a foundation for effective critical infrastructure security and resilience strategies, there is still a need for clarity from both sides.

Rebuffi highlights how cooperation will be key in setting up an effective relationship between the government and businesses to effectively use PPP in cybersecurity.

 

How can PPP be used effectively for both the private and public sectors to overcome digital threats?

 

When looking at a public-private partnership, the traditional relationship is that the private sector gives information to the public sector, which will then assess the situation and give guidance on how to solve the crisis.

However, a more dynamic cooperation must be continuously built up in order to be ready and react rapidly in an efficient partnership in case of a crisis. That is what we’re trying to set up with ECSO, since 2016, where there is full cooperation in different elements of the cybersecurity ecosystem.

Cooperation with the public sector covers policy and legislation to give certain advice and standards, certifications, investments, and discussion of the cyber threats that the private sector is facing every day, not only during the crisis periods.

And the cooperation should not only be about overcoming the crisis but also about how you support the companies, including SMEs and startups through education training in the development of certain innovative technologies and services.

It is a full spectrum of cooperation. Not just a quick fix in the case of a crisis, like the SolarWinds attack. And we need to change that, to have that full public-private cooperation across different ecosystems. It is a bilateral relationship, not just a transfer of information.

 

Establishing Trust and Overcoming the Challenges In Public-Private Partnerships

The creation of the PPP was meant to improve the collaboration between private stakeholders and the public agency for Information Sharing. However, establishing trust has always been the biggest barrier for many businesses to engage in PPP.

Rebuffi reiterates the point that the key foundation in building a solid bridge between the private and the public sector will be on CISOs to build trust while overcoming the challenges that come with incorporating PPP within their organization.

 

What can organizations do to foster trust and improve the relationship between the public and private sector and bridge the gap in PPP?

 

Trust is not easy to build, especially in this period characterized by COVID-19. Establishing trust via remote connection is not an easy task, especially when you are working on sensitive matters such as cyber security. You need a kind of bottom-up approach where you first build up trust in your sector.

For example, if you are in the private sector, it is easier to build up trust with the people that you know, the people who are around you, in your region, in your country, and your sector. So you build trust from the bottom up.

The problem then is to see how you can link with other sectors or from other countries.

 

What challenges does the CISO face in establishing and nurturing PPP within their organization?

 

CISOs are still struggling because they are still trying to convince their management of the importance of cybersecurity, IT systems, and the investments needed. It is something that I imagine will be exacerbated by the acceleration of the digital transformation due to COVID-19.

The challenge will be more pushed towards getting the system working to have better control of data so that when we talk about digital sovereignty, we can think about better control of data. And CISOs who are dealing with security, sensitive applications, and services, would need trusted and reliable supply chains.

So, on one end, they have to overcome the skepticism within their organization while finding resources to “feed” their systems correctly and find trust in reliable solutions. Of course, there’s also the problem of educating employees, as the human factor is also non-negligible.

 

Fostering Talent to Bridge The Cybersecurity Skill Gap

With cybersecurity becoming an integral part of an organization’s business strategy, the demand for talent has grown significantly as well. However, the number of skilled and qualified workers is still well below the demand, with gender balance still being a major issue.

Rebuffi continues to advocate for more gender balance in cybersecurity through the Women4Cyber Foundation and highlights how CISO and IT leaders can still help nurture an environment for building talents in cybersecurity.

 

How can IT leaders and CISOs attract, retain, or build cybersecurity talents within their organization?

 

CISOs, IT leaders, and I would also say human resources, have to show to the talents that they have the opportunity in this cybersecurity domain for a structured and well-paid career.

Some people are interested in working in cybersecurity as it is a career that is evolving continuously. You keep learning and you face challenges in a very dynamic environment while somehow contributing to the growth of the society or organization. But talents want to be properly compensated and want to see a path in their career.

And of course, IT leaders and CISOs have to show their employees that they can give adequate education and training to those who want and are looking to transition from a traditional job to one that is more linked to the digital sector due to the digital transformation.

 

How have initiatives such as Women4Cyber helped in fostering cybersecurity talents?

 

We are at the beginning stages with Women4Cyber, which is growing like a strong wave, and now we see the creation of national chapters across Europe. We are starting to see that people want to cooperate with different activities, support inclusion, and increase the participation of women in cybersecurity.

And this is important to us because we cannot exclude 50% of the population from the talent pool simply because they are women, and businesses are slowly learning that and trying to be better.

I will say that we are seeing smaller companies, like IT startups, and larger companies awakening and looking for experts, as well as hiring more women. But as I said, the movement is a strong wave that will come up and businesses have to realize that we desperately need people and they need to support that.

Magnus Solberg: Does Your Organization Have a Robust Security Culture?

Hybrid work models and digital device dependency have greatly increased an organization’s susceptibility to cyber attacks. As these attacks become more intense and complex, cyber resilience and awareness are critical. We speak with Magnus Solberg, VP & Head of Security Governance at Storebrand, on his experience building the company’s security culture, the link between cybersecurity and risk management, and more. 

 

How are cybersecurity and risk management connected in today’s organizations? 

Cybersecurity and risk management are at this point deeply intertwined. In almost every industry, cyber risk is in the top three categories of both operational and business risks. This is because nearly all critical assets are now digital. Of course, this leads to an enormous number of risks that an organization didn’t have 20 years ago.  

Unfortunately, the sheer speed of this development has caused difficulties for a lot of organizations. This goes down to simple things like definitions of risk, and of static policies and processes. Many governance structures are not rigged for disruptive change, such as “new categories of threats and risks.” I think that anchoring the understanding and competence necessary to include cyber in broader risk management is also a challenge. Beyond tech companies, it’s a fact that the board of directors and to a certain extent, C-suites, do not include technologists, which slows down the adoption of modern risk management. Cybersecurity and risk management are very connected but there is still a long way to go to make them as connected as they should be. 

 

What makes for a robust risk culture beyond the traditional 3LoD? 

As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture.

You need to really engage the human factor by having a bottom-up approach that enables your employees to think and act in a risk-based approach as a reflex. This can be done by teaching them about threats and potential consequences by training them to perform not only ad hoc, subconscious risk assessments, but also give them the tools to perform more structured and documented assessments – mental tools as well as strong policies and guidelines, and the proper software tools. In my opinion, building a robust security culture is both dependent on and a fundamental ingredient of building a robust risk culture.

 

What are the most effective digital tools and technologies in risk management? 

Can I answer PowerPoint and Excel? Or even the good old whiteboard? [laughs] Of course, I’m only partly joking because I think the biggest revolution in the last couple of years has been the way home officing has exploded the way we utilize collaboration platforms. At the same time, these platforms were forced to provide more robust solutions for things like proper access control, document or file revision history, classification, and of course, API connectivity to other tools. This means that we can get a lot of what we need in terms of managing risks.  

Workshops, creating assessments, performing audits, and even tracking remediation can be done via these platforms. We can use everything from OneNote to the tired but time-tested spreadsheets without losing control because it’s all protected, indexed, and searchable. That being said, I still see the need for a proper enterprise risk management tool that tracks risks, makes people accountable and responsible and of course, pleases our auditors. Exactly which technological solution or which software that should be, I don’t really have any strong opinions about but there are a lot of good ERM tools out there. 

 

Do you think employees are the weakest link when it comes to an organization’s level of cybersecurity? 

It’s irrefutable, but it’s the wrong way of looking at it. People are not a simple chain in a link, people are at the nexus of it all. The only reason why we have cybersecurity issues is that there are people out there who are after either stealing, changing, or making information unavailable. No company was ever created simply to be secure: we exist to create services or products for people, and there are people out there who want to benefit illegally from that. Some experts like to say that people are the weakest link, but so is technology. People are the ones configuring that technology or using that technology wrong. Some even have the hubris of buying their way into security, which is equally a weak link. I think putting the blame on people for poor security is misunderstanding the issue completely. You can’t have security without people. But then again, because of people, we need security.

 

What were the biggest challenges during the implementation of Storebrand’s security culture program and how did you overcome them?   

We’ve been at it for six years and we started very much from scratch. When we started, there was nothing in terms of security awareness training, much less a security culture program. There were several challenges that had to do with mid-management buy-in. Although we did have support from the top management, we were also not given an adequate budget or allowed to make the training portion of the program mandatory. The latter made it especially hard to motivate our mid-level managers to introduce this training to their employees. Mid-level management is all about delivering results and eating up their time and resources does not land you on their friend list.  

So, it did take a lot of time and dedication to make them understand that a secure employee is a low-risk employee. As soon as we reached that turning point, it was immensely satisfying, because mid-level managers are key to enhancing the security message to all their employees. But they’re also an important target group, constituting human risks in themselves. As time went on, we could point to concrete results including the avoidance of huge risks due to more risk-aware workers. We finally received an unbroken chain of buy-in all the way from the top and down via the mid-level managers. That ended up landing us a nice budget and made training mandatory. 

 

How did you develop the program’s framework to ensure it was dynamic enough to handle the evolving threat landscape?  

The framework we developed is, in its essence, dynamic and scalable because it’s all about answering five fundamental questions: Why are we going to do this? Who are we? What do we need to address? How should we go about doing that? And when should we do it?  

In order to answer these questions, we revise and update a number of working documents. For example, we have a program strategy, a target group analysis, and learning objectives based on the current threat and risk landscape. We then test out a lot of different learning platforms and other engagement activities. This is done continuously to allow for emerging risks to be included almost instantly. However, we also do it more formally once every two years, where we do a full audit and revision of the whole program. We’re actually in the middle of doing a full revamp and plan to launch a new version of the program next summer.  

 

How do you measure the program’s success? 

We use a lot of different metrics to measure success and have KPIs linked to distribution, which measures how many employees we reach and how many complete various parts of the training. We have KPIs linked to knowledge where we can see if an employee received and internalized the message. Finally, there are KPIs related to behavior — this allows us to see if training has actually changed risky behavioral patterns.  

Additionally, we perform a group-wide security culture audit every two years performed by our internal audit, who, among other things, performs a comprehensive self-assessment that is sent to all employees. With this independent report, we get a clear picture of how we fare with security culture and whether the success of the program addresses our current needs.  

Our most recent group-wide security culture audit was completed in January this year, the third one we’ve had in six years. That means we can now begin to accumulate historical data that shows encouraging results. Yes, our employees are more competent, more motivated, and a lot more risk-aware than they were before the program started.  

Finally, another measure of success is a bit more qualitative. It has to do with how the program itself has been received. We do gain a lot of positive attention from both regular employees as well as the high reps. And even externally: My team and I do presentations at various conferences, and for other companies as well, just to share how we have “cracked the human code.” 

 

Can you share some current highlights of the program?    

Yeah, absolutely. As I mentioned earlier, we are in the middle of our biannual revamp. I think one of the best things about maturing the program is its correspondence with the maturing of the organization. We now have various security tools on the technology side that help us create more individually tailored training programs. For example, every employee is invested with a security score, which is automatically defined by their actions: whether they fall for phishing assessments, whether they report incidents, and so on. This also paves the way for rudimentary gamification, and it will be quite fun to see how we can implement that.  

Secondly, I’ll have to highlight our security month. This is something we’ve been doing for six years, and it’s been one of the most important boosts to communicate risk and security, and by extension, the security culture program itself. Every October, we skip the focus on corporate security and put the focus on each person instead. “Why is security important for you and your loved ones?” We pull in external speakers every week to address some common people security problems, such as social media, digital tracking and manipulation, and fake news. We also have weekly security quizzes that are a bit tongue in cheek as well as having great prizes. We do hackathons, we do cool stunts such as “hack yourself” competitions, and we do physical stands with security cupcakes. It’s a lot of work, but very fun. 

One of our goals is to make our employees more secure at home, which means they are going to be more secure at work. But also, it has to do with simply marketing our security efforts by getting out there and meeting people. It makes security, if not fun, then at least interesting, because for a lot of people security is boring, or they think it has nothing to do with them.  

On a personal note, I felt we were getting somewhere a couple of years ago when I was invited to do a three-hour workshop on building our security culture program at the security conference in the EU parliament in Strasbourg. Knowing that we built something that works and helping other organizations do the same makes me very happy and fulfilled.

 

*The answers have been edited for length and clarity. 
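The per-employee security score described in the previous interview (a score driven automatically by actions such as falling for phishing assessments or reporting incidents, then used to tailor training and gamify the program) is only sketched in the answers. The following is an added example of one way such a score can be computed; it is illustrative code written for this page, not Storebrand’s tooling. The event names, weights, the 90-day half-life, the tier thresholds and the training tracks are all assumptions, and the events are constructed sample data.

```python
"""Per-employee security score from behavioural events (added illustration).

Assumed model: every event carries a signed weight (risky behaviour negative,
desired behaviour positive), older events lose influence with an exponential
half-life so that a click a year ago does not brand someone "high-risk"
forever, the score is clamped to 0..100, and a tier chosen from the score
selects the training track. None of these values come from the interview.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Assumed weights: negative = risky behaviour, positive = desired behaviour.
EVENT_WEIGHTS = {
    "phish_sim_clicked": -15.0,
    "phish_sim_credentials_entered": -30.0,
    "phish_sim_reported": 10.0,
    "real_phish_reported": 15.0,
    "incident_reported": 10.0,
    "training_completed": 5.0,
}

BASELINE = 70.0        # assumed starting score for an employee with no history
HALF_LIFE_DAYS = 90.0  # assumed: an event's influence halves every 90 days

# Assumed tier thresholds and the training track each tier maps to.
TRAINING_TRACK = {
    "high-risk": "one-to-one coaching plus monthly phishing simulations",
    "elevated": "targeted micro-modules plus quarterly simulations",
    "low-risk": "annual refresher; eligible for the security champion programme",
}


@dataclass(frozen=True)
class Event:
    user: str
    kind: str
    at: datetime


def decay(age: timedelta) -> float:
    """Weight multiplier for an event of the given age (1.0 now, 0.5 after one half-life).
    Events dated in the future are treated as happening now rather than being amplified."""
    days = max(age.total_seconds() / 86400.0, 0.0)
    return 0.5 ** (days / HALF_LIFE_DAYS)


def score(events: Iterable[Event], user: str, now: datetime) -> float:
    """Clamped 0..100 score for one user from all of that user's events."""
    total = BASELINE
    for ev in events:
        if ev.user != user:
            continue
        if ev.kind not in EVENT_WEIGHTS:
            # Fail loudly: a silently ignored event kind would skew scores unnoticed.
            raise ValueError(f"unknown event kind: {ev.kind}")
        total += EVENT_WEIGHTS[ev.kind] * decay(now - ev.at)
    return max(0.0, min(100.0, total))


def tier(s: float) -> str:
    if s < 40.0:
        return "high-risk"
    if s < 70.0:
        return "elevated"
    return "low-risk"


def assign_training(events: Iterable[Event], user: str, now: datetime):
    """Return (score, tier, training track) for one user."""
    s = score(events, user, now)
    t = tier(s)
    return s, t, TRAINING_TRACK[t]


# Constructed sample data (not real telemetry).
NOW = datetime(2022, 3, 1)
EVENTS = [
    Event("alice", "phish_sim_clicked", datetime(2021, 3, 1)),       # a year ago, mostly decayed
    Event("alice", "training_completed", datetime(2022, 1, 15)),
    Event("alice", "phish_sim_reported", datetime(2022, 2, 20)),
    Event("bob", "phish_sim_clicked", datetime(2022, 1, 30)),
    Event("bob", "phish_sim_credentials_entered", datetime(2022, 2, 25)),
    Event("dave", "phish_sim_clicked", datetime(2022, 2, 28)),       # clicked, then reported the same mail
    Event("dave", "phish_sim_reported", datetime(2022, 2, 28)),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):   # carol has no events: baseline score
        s, t, track = assign_training(EVENTS, user, NOW)
        print(f"{user:6s} score={s:5.1f} tier={t:9s} -> {track}")
```

The decay is what makes the score usable for gamification: a single old mistake fades, while reporting a phishing mail you also clicked (dave) still pulls the score back up, so the incentive to report survives the mistake. Thresholds are per-organization tuning parameters, not constants to copy.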

Mika Susi: How Companies Can Remain One Step Ahead of Cybercriminals

With cybercrime, it is now not a question of ‘if’ but ‘when.’ Today’s cybercriminals are more advanced, quickly adapting their tactics with each improvement in an organization’s security system. How can IT leaders ensure that cybersecurity systems are powerful enough to keep even the smartest cybercriminals at bay?  

We had an opportunity to pick the brain of Mika Susi, former Executive Director of the Finnish Information Security Cluster, on how cybercriminals think, the role of cybersecurity in risk management, steps to improve employee cybersecurity programs, and more.  

 

What weak spots do cybercriminals look out for before carrying out an attack? 

It is true that digitalization tends to expand the attack surface of an organization. Many criminals carry out intelligence gathering on their victims before the attack. There are several weak spots that are commonly utilized. Unpatched vulnerabilities are a common target for criminals. Many times, humans are said to be the weak link in cybersecurity. Recently, we have also seen many attacks using an organization’s supply chain and partners as weak spots to get access to their network. Therefore, you must assess your cyber risk environment through technology, people and partners.

 

What role does cybersecurity play in an organization’s risk management strategy? 

Nowadays, cybersecurity should definitely be on every organization’s strategic risk management agenda. You just can’t avoid it anymore. Cybersecurity issues are currently a very relevant strategic question for most organizations. Your top-level executives should at least be aware of security issues concerning business continuity, communications, and R&D.

As a whole, a good level of security should not slow down digitalization. A well-planned and executed digitalization process, where security is taken carefully into consideration, enables safe and secure digital operations, better efficiency and resilience for the organization. Therefore, security is not an obstacle — it should be seen as an enabler. 

 

How can IT leaders ensure that they are making the right IT security investments?

Investments should always be based on a good risk management process. This means that they are efficient and tailored precisely to an organization´s needs. There is no investment rulebook or checklist that can be applied to every environment. An organization must understand its own unique risk environment and through that set out the most urgent and effective investment needs. 

 

What are the biggest challenges organizations face when building cyber resilience? 

There is of course always the question of the need for funds and investments. Unfortunately, not all organizations are ready to invest heavily in cybersecurity. I think the major challenge for many organizations is to understand cybersecurity as a strategic level question. It is not just some IT guy in the basement using his company’s money to buy fancy security gadgets.

Building a good level of cybersecurity is an all-encompassing mission for an organization. It’s about people, leadership, communications, partners, learning and continuous development. In other words, it’s a process that will never be 100% completed. But if you invest in it, you will eventually see a good return on your investment. 

 

What immediate measures should organizations take after experiencing a cyber attack? 

Of course, it is necessary to start the containment and recovery process immediately. This means that you have to understand what is happening and what has happened already — in other words, gain the current situational picture. There is no other way to define the measures needed. If you feel uncertain about this, you can always contact professionals to help you. I would like to stress that readiness for both external and internal communications is crucial. 

At the same time, it is important to remember that there are several regulatory reporting requirements concerning data leaks and breaches. Contacting the relevant authorities like the national cybersecurity center or the police is also very advisable as they can offer help and advice.

 

Do you think employees are the weakest link when it comes to an organization’s level of cybersecurity? How can cybersecurity training programs for employees be improved?

This might be a mantra that everyone is tired of, but in some respects, it is still a valid argument. We are all vulnerable to scams and fraud, and we can be socially engineered to do something harmful in a digital environment. However, well-trained and motivated employees are a great strength for an organization. If they notice risks, they will react, assess and report. In that case, they are definitely not the weakest links.  

I see that basic knowledge of cybersecurity issues is currently a normal part of working life. Therefore, cybersecurity training programs should be very close to everyday working environments and situations. They should form a basis for continuous development for all.

Additionally, they should include some motivational aspects like reward systems. In many successful companies with a good security culture, personnel reward systems have been integrated into security training programs. That is something I would like to see more of.   

 

What are the emerging cybersecurity and cybercrime trends in 2022? 

This is always a good question! Nothing is harder than predicting – especially predicting the future. However, I can say that we are still going to see the constant evolution of cybercrime. Criminals develop their tactics further and we are going to see a continuous flood of, and changes in, ransomware and other online fraud campaigns.

Secondly, one thing that already affects many organizations is growing regulation. We see this everywhere. Every company should prepare for growing cybersecurity compliance requirements. From a technological side, I think questions concerning cloud security, IoT and the security of wireless networks will be relevant in the next few years. Many organizations have uncertainty about these issues, and it is important for all organizations to experience the benefits from digitalization and developing technologies. I see that security’s role is to enable growth and efficiency, and not to hinder them.

 

*The answers have been edited for length and clarity. 

Himadri Majumdar: How to Become a Global Industry Leader with Quantum Computing

Digital transformation is advancing at lightning speed. In a perfect world, we would test out every available emerging technology, but in real life, this is impossible due to the required time and budget constraints. Therefore, CIOs must identify and invest in the right IT technologies that will benefit their organizations the most. 

Quantum computing is at the forefront of IT technologies, presenting today’s CIOs with solutions for IT preparedness, cyber resilience and business continuity. We speak with Himadri Majumdar, Program Manager, Quantum at VTT on quantum computing and why it is essential that IT leaders pilot this technology as soon as possible.  

 

Investments in new technologies and digital tools are crucial for business continuity. Why should organizations invest in quantum computing?

It is imperative that companies try out quantum computing as soon as possible. The world is moving forward fast, making it important to see and adopt the benefits of quantum computing to stay ahead of the competition. 

Luckily, organizations actually do not need to invest in quantum computing to try out or gain the initial benefits it enables. As quantum computer procurement is a significant investment, it is wise to leverage other methods of access to quantum computers rather than building or buying one. There are multiple providers of access and services of quantum computers in the cloud. IBM is one of the biggest and earliest players. 

The smartest thing to do is to pilot the available services and evaluate whether quantum computing could be beneficial for your business according to the following guidelines:  

  • Only make decisions once you see a clear business benefit. The investment will depend on the magnitude of the benefit. The bigger the benefit, the better the investment should be. 
  • If you decide that the benefits are so great that you would like to buy or build a quantum computer, there are companies that provide customized, problem-specific quantum computers.  
  • If the benefits are good but not that big then continuing with quantum computers in the cloud might still be a good option. In that case, you also do not need to hire or build a large company quantum computing team. Companies can leverage the service provided by consultant companies who can deliver solutions customized to your business needs.  

Any model that works best for your company is ideal.  

 

Which industries will benefit from quantum computing the most? 

In simple words, decision-making in any business is based on the compromise of a huge number of, often conflicting, choices or parameters. Therefore, industries that have optimization-related aspects playing an important role in their business will need quantum computing. This can be related to process optimization, logistics optimization, and data optimization, among others. 

For example, if you are in the logistics business, in-time delivery might depend on parameters such as in-time delivery of goods from a partner, availability of fleet, choices of drivers, weather conditions, and real-time traffic towards the destination. When multiple parameters are considered, more accurate predictions can be made.  

However, computing various options with many parameters utilizing classical computers will take a long time – hours or even days. This often results in businesses making compromises by considering fewer parameters.

This can be illustrated by going back to the logistics example: businesses can compromise by choosing to ignore data on real-time traffic. The worst-case scenario of omitting real-time traffic is delays in delivery and poor customer experience.  

For more accurate predictions based on as many parameters as possible, we need computing that enables faster optimization. This is why quantum computers are critical.

 

In 2020, VTT launched an ambitious three-phase project to acquire Finland’s first quantum computer. What are you most excited about leading this project? What progress has VTT made so far? 

I am excited for many reasons. Firstly, I am very excited that we are able to build almost the whole computer indigenously.  

Quantum technology is so strong in Finland that we do not need to rely on significant parts and components from elsewhere to build the machine. Companies like Bluefors and IQM are big domestic players with a strong global presence and acceptance. They have successfully capitalized on the deep low-temperature physics expertise and technology developed in Finland since the 1960s and are now leading the field. Therefore, we can be very proud that we in Finland invested in this technology so well and so early that we are now in the perfect position to reap the early benefits and lead quantum computing globally.

Secondly, I am excited about the possibilities that Finnish companies will have. Companies that will be users of quantum computers will be able to find world-leading solutions close to home. They can become global leaders in their respective fields by leveraging quantum computing.  

There are so many other excellent reasons too. We are on track for the first phase of building the quantum computer in Espoo, Finland. We expect to demonstrate the 5-qubit quantum computer by end of 2021. We will then continue building phases 2 and 3 with 20 and 50 qubit computers respectively. We are also making excellent progress in the R&D front which will help us make quantum computers more integrated and cheaper in the future.  

At VTT we now have a dedicated quantum algorithm team comprising experts in quantum theory, mathematics, and AI. The team is ready to help companies see the benefits of quantum computing in their businesses. 

 

Organizations are more vulnerable to cyber-attacks than ever before with the rise of digitalization. What is your advice on building a resilient and scalable cybersecurity system? 

Indeed. Cybersecurity is one of the biggest threats for businesses in this decade. We already witness the risks in the U.S., where the vulnerability of even traditional businesses, like oil and gas, is exposed through ransomware attacks. So, we need to be prepared.  

Quantum computing and quantum communication add another dimension to cybersecurity. Quantum communication is an emerging topic that will be the mode of quantum-safe (tele)communication protocols based on things like quantum key distribution (QKD). It needs to be understood that quantum computers are amazing codebreakers. Once there are affordable and fully deployed quantum computers in the market, malicious players will take advantage of them to break the current cryptography protocols like RSA. We also must be prepared for that. Europe and more specifically, Finland, is also at the initial stages of making its communication infrastructure quantum-safe. Currently, available QKD solutions involve dedicated hardware in special-purpose networks, but in the long term we will need to improve safety protocols for communications more generally.  

Apart from the quantum communications hardware I mentioned above, we also have to be ready from a software perspective. We have to update or replace the classical software with new quantum-resistant algorithms, that will be unbreakable with quantum computers. This software is what we call post-quantum cryptography. Finland is already running a big national project on that topic. We are getting prepared with cryptographic and cybersecurity codes that will protect us from attacks made with quantum computers. 

This is a two-pronged approach where we use quantum communications to our advantage to strengthen cybersecurity and create solutions that keep organizations secure from attacks by malicious quantum computers. 

 

How do you expect quantum computing and post-quantum cryptography to affect IT trends in 2021 and 2022? 

The National Institute of Standards and Technology (NIST) in the U.S. is leading the effort globally. The goal of post-quantum cryptography, also known as quantum-resistant cryptography, is to develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks. Almost 70 potential candidates have been narrowed down to seven in 2020. In 2021, the winner(s) will be declared, and it will become the chosen platform for future post-quantum cryptography.  

Efforts in 2021 and 2022 will be dedicated to the identification and understanding of new standards and how they can be implemented. Following that, the implementation phase will begin. Time is of the essence as quantum computation, the potential threat that makes post-quantum cryptography relevant is making progress very fast. Preparedness for the future needs to start early enough for companies to have business continuity in the post-quantum era. 

 

Today’s CIO is no longer just a manager of the IT department. How has the IT leader’s role transformed since the pandemic? 

I agree. The CIO’s office is now both the first line of defence for a company’s IT department and solution provider for companies’ current and future ICT needs. During the pandemic, the CIO’s office went into overdrive to create IT solutions that could enable maintaining the companies’ business in remote settings of employees without compromising security.  

Finding solutions for remote work placed so much pressure on IT teams that they had to, very unwillingly, make some security compromises in favor of business continuity. The pandemic was an unforeseen, unfortunate event and not every business was prepared for it.

The IT security vulnerability caused by this sudden change has left many companies susceptible to ransomware attacks. We will probably learn in the future the extent of this during the pandemic, but it is not hard to imagine the magnitude of it.  

Therefore, the CIO’s office should also look into future opportunities and threats like quantum computing and communications. This could be a strong aspect of their IT preparedness for the future. If the situation demands, they will not need to make any security compromises. In that respect post-quantum cryptography is one topic that CIOs of companies should start paying attention to. 

 

*The answers have been edited for length and clarity. 

Lokke Moerel: Digital Sovereignty and the Changing Landscape of AI & Privacy Laws

As we enter the second half of 2021, it’s becoming evident that societies worldwide embrace digital transformation as part of their everyday lives. This is backed by the fact that half of the world now uses social media and at least 4.66 billion people around the world now use the internet.

However, as societies become more digitized, the vulnerabilities that come with it also increase. These range from malware attacks that rose by 358%, to a significant increase in the risk of successful ransomware attacks due to remote working during Covid-19, to difficult-to-combat online conspiracy theories of the anti-vax and anti-5G movements, stimulated by Russian infiltration.

Lokke Moerel, professor of Global ICT Law at Tilburg University and member of the Dutch Cyber Security Council, shares her insights into the need for digital sovereignty within the EU and how AI and privacy laws are changing rapidly due to digitization.

 

Accelerating Digital Sovereignty across Europe

 

In today’s increasingly digitalized landscape, more and more users feel the need to keep their data safe and are willing to leave popular platforms, such as WhatsApp, over a change of privacy terms.

With 92% of Western data being kept in the US, EU nations have realized the need to adopt a joint strategy on how data is controlled and shared. While fostering the Digital Single Market is needed for innovation to thrive, effective safeguards must be placed to protect users in a data-driven world.

Lokke goes into detail about how the current situation has exacerbated the need for digital sovereignty in the EU, particularly for the Netherlands as advised by the Dutch Cyber Security Council.

 

Europe has been focusing on digital sovereignty and recently, the Dutch Cyber Security Council issued public advice that the digital sovereignty of the Netherlands is under pressure. What does digital sovereignty mean?

 

We are one of the most digitalized societies and this has been accelerated by the Corona crisis. Within no time, people worked from home, and children were schooled online. It was amazing to see how quickly we were up and running again. However, every upside has downsides and we saw new vulnerabilities and dependencies. 

  • A tremendous increase in the activities of cyber criminals abusing the vulnerabilities due to remote access to systems when people worked from home.
  • Foreign states stealing COVID-19 research
  • Flaws in privacy and security of video tooling.
  • More data on children are in the clouds of non-EU providers due to the increased use of digital teaching tools.
  • The dependency of the Netherlands on social media platforms for combating misinformation and the lack of control from the government to combat it.

The core message of the public advice of the Council is that our digital dependencies are now so great that the digital sovereignty of the Netherlands is under pressure. This goes further than guaranteeing the cybersecurity of our critical IT systems and the data generated with these systems. We also need to maintain control over our essential economic ecosystems and democratic processes in the digital world.

 

Can you give us examples of how digital sovereignty (or lack of it) can affect the economic ecosystems and democratic processes?

 

Examples of essential eco-systems:

Lack of control over critical technologies will result in new dependencies. For example, without proper encryption, we will not be able to protect the valuable and sensitive information of our governments, companies, and citizens. Current encryption will not hold against the computing power of future quantum computers.

We will therefore have to innovate now to protect our critical information also in the future. This is not only relevant for future information, but also current information. Do not forget that foreign states systematically intercept and preserve encrypted communications in anticipation that these may be decrypted at a later stage. 

To be able to make large-scale use of data analysis using AI, enormous computing power is required (which requires cloud computing) as well as access to large quantities of data, which will require combining data in specific industry sectors (such as health), which is currently difficult.

Efficient access to harmonized data and computing infrastructure will become the foundation for the Dutch and European innovation and knowledge infrastructure. Maintaining control over this is an essential part of our strategic autonomy.

Examples of democratic processes: When the state is not in control over the election process, due to targeted misinformation and systematic infiltration of social media by foreign states to influence citizens, our digital sovereignty is at stake.

We see that digital sovereignty is very high on the EU’s agenda. For our neighbor Germany, for example, it is Chefsache. In the Netherlands, however, we mainly respond to cyber threats in a technical and reactive manner. We respond in crisis mode. 

The council thinks it is high time for a more coordinated and proactive approach, starting with ensuring three basic facilities: a sovereignty-respecting cloud for secure data storage and data analysis, secure digital communication networks, and post-quantum cryptography.

 
 

CISO and Their Roles in Digital Sovereignty

 

At the core of digital sovereignty issues is the need to safeguard information assets for European countries.

As the Netherlands continues to build upon its Dutch Digitalisation Strategy 2.0 and integrate more cloud-based technologies within its economic ecosystems and democratic processes, it is up to chief information security officers (CISO) to be aware of what it all means for an organization and how it affects its cloud strategies.

 

What does digital sovereignty mean for the CISO?

 

Most governments and companies will have a corporate cloud policy. I see that these policies really try to address the direct requirements of a specific cloud project. 

When deciding whether to bring services to the cloud, the company will weigh up the benefits of public cloud (better security, better functionalities) on a project-by-project basis against the specific dependencies and security issues in the project in question.

However, considerations of loss of sovereignty are not taken into account. As a result, for each project, the decision can be justified, but ultimately these decisions together do threaten our sovereignty, where in the future you want to be able to process data across cloud solutions for example (an example of The Tragedy of the Commons).

I think it is important for CISOs to be aware of all the EU initiatives to increase our digital sovereignty.

 

What should they be aware of in terms of initiatives?

 

GAIA-X: many people think that the GAIA-X project is about setting up a European cloud infrastructure. GAIA-X is, however, not about creating Europe’s own vertical cloud hyperscalers. It is also not about keeping the non-EU cloud services providers out or keeping all data within the EU. It is about achieving interoperability between cloud offerings by setting common technical standards and legal frameworks for cloud infrastructure and services. 

This form of interoperability goes beyond the portability of data and applications from one vendor to another to prevent vendor lock-in; it really concerns the creation of open APIs, interoperability of key management for encryption, unambiguous identity, and access management, full control over storage and access to data, etc.

Worth keeping track of I would say.

European Data Spaces: data spaces intended to unlock the value of European data for innovation. 

The aim is to create common data spaces for certain sectors with common interests (e.g., for health data and governments) so that the scale of data required for innovation for this group can be achieved.

 

Looking Into AI and Its Purpose in Cyber Security

 

As remote working conditions and digital processes continue to become the norm for users and organizations, cyber attacks are becoming increasingly prevalent. 95% of cybersecurity breaches are a result of human error and as the information security market is expected to reach $170 billion in 2022, the cost of digital attacks can be enormous.

AI has always been seen as a silver bullet for organizations to combat cyber-attacks and increase resilience in areas where a majority of human error lies. However, Lokke describes the potential and possibilities of AI as both good and bad, depending on how it is utilized.

 

What scares you the most regarding the seemingly endless possibilities of AI?

 

Like all technology: AI is not good, it is not bad, but it is also not neutral. 

To start with, AI is as good as the purpose for which it is used. In the cyber context, this means that we really should keep ahead of the bad guys. 

New technologies play an increasingly crucial role in cyber resilience. If we are not on top of new technologies like AI and encryption, this will result in new vulnerabilities and dependencies. An example here is that with AI, bad actors can detect and exploit vulnerabilities automatically and on a large scale.

However, AI is also expected to make it possible to automatically detect and patch vulnerabilities. I am currently involved in a research project, to investigate what options there are to facilitate real-time security patching by suppliers.

 

Privacy Laws in the EU and Their Future

 

With digital sovereignty being top-of-mind for EU nations and the increased awareness of data privacy among the public, governments and regulators understand that there is a need for comprehensive privacy laws that protect both users and businesses.

From California Privacy Rights Act to the ever-evolving GDPR, more and more data protection acts are being introduced and implemented across the globe. Moerel shares her views on how privacy laws will continue to shift and change to adapt to the new digital landscape and what global privacy laws mean for an organization.

 

In what ways do you see privacy laws changing in the future?

 

Every week there is a new privacy law being adopted somewhere in the world. By now there are about 130 countries with omnibus ‘GDPR style’ privacy laws. Everybody has heard about the California Privacy Rights Act, but less well known is that by now, 20 other U.S. states have introduced privacy bills. 

In the EU we now have the draft proposal of the European Commission for an AI regulation and it is not a risky prediction to say that – like what happened with GDPR – other countries will also look at this draft and start preparing their own legislative proposals.

The way to deal with a myriad of global rules is to implement a very robust company-wide security and privacy protection program. After all, compliance with the law is a baseline below which you cannot go. Do a proper job and you do not have to worry about compliance. 

In the end, it is about trust more than compliance. 

Monica Verma, CISO of Helsedirektoratet: The Necessity of Resilience and How to Embed it in Your Organization

The rising number of cyber attacks has caused IT leaders across industries to take cybersecurity measures more seriously than ever before. This is reflected in our interviews with CIOs on cybersecurity investments, who named cloud security and cybersecurity strategy as their top priorities. A number of industries have also adopted digital twins to protect their digital assets, allowing cybersecurity platforms to perform with higher efficiency and accuracy.  

However, CIOs and CISOs face continuous challenges in implementing high-level cybersecurity, due to limited budgets and the online security obstacles of a hybrid workforce.  

Monica Verma, CISO of Helsedirektoratet, podcast host of We Talk Cyber, and blogger on MonicaTalksCyber.com, shares valuable insights on operational and cyber resilience, effective cybersecurity programs for critical infrastructure, the evolution of the CISO role, and more.  

 

What are your top cybersecurity lessons learnt from the pandemic?  

There’s no absolute security. Things can and will go wrong. That’s true for both a pandemic and a cybersecurity crisis. The pandemic has shown us an increasing need for adaptive security as a part of building resilience and crisis management.  

Operational resilience is as much dependent on the human and communications aspect as the technical capabilities in place. It’s not a matter of “if”. It’s no longer even a matter of “when”. It’s a matter of: 

  • How long ago did attackers infiltrate? 
  • How quickly can/did we detect it? 
  • How quickly and effectively can we respond? 
  • How do we handle the unknowns? 
  • How do we adapt and continue critical services? 

Preventive controls are not enough. Effective crisis management requires planning for both the known-unknowns and the unknown-unknowns.

 

How do you think the role of CIO/CISO has evolved in terms of ensuring the security of their organization?

Traditionally, the CISO role started as a technical role — a younger sibling or a distant cousin of the C-Suite. It’s mostly a title associated with a lack of budget, mandate, or even a seat at the grown-ups’ table. 
 
However, an effective CISO role is that of a business leader itself, an advisor to the board, top management, and the rest of the business. The role has evolved from a “glorified” security engineer to a business and organizational advisor. As data breaches and ransomware attacks have skyrocketed recently, particularly during the pandemic, more organizations look up to the CISO to help them identify, understand and manage their threats and risks better.  

Today, many organizations understand that a CISO’s job is not just to build an information security management system (ISMS) with a bunch of policies and other governing documents. Organizations are beginning to employ a CISO/CIO to invest effectively in security, with timely risk management, and to provide sound advice tailored to the stakeholders.  

As a result of this evolution, there’s also been a shift in the skills required to be an effective CISO: 

  • Professional skills such as risk advisory and business understanding, which span well outside the technical realm, and 
  • Soft skills such as concise, clear, and effective communication, which are a driving force behind the vision and strategy of an effective leader. 

There are many organizations that still see and employ a CISO role as a technical role, but we are seeing a shift in terms of budget, investments, and better mandate — transforming the CISO into a cross-functional advisory role worthy of an actual seat at the table. 

 

Today’s organizations have a higher risk of exposure due to a more complex and global digital footprint. What strategies can organizations implement to better prepare for cyber attacks?  

There are three critical aspects that need to be addressed in order to better manage the ever-increasing risk exposure and ever-complex digital footprint: 
 
a. Always have a holistic view of both the current state within the organization and its supply chain as a fundamental input to your cybersecurity strategy. You are as strong as your weakest link. It’s not your employees. It’s the weakest link in your entire supply chain. You need to be aware of the weakest link in your supply chain, in order to be better prepared for cyberattacks. 
 
b. Always have a risk-based approach when developing your strategy, operationalizing your cybersecurity plan, and investing in security controls (people, process, and technology). Your organization’s risk profile is affected by other risk profiles in your entire supply chain. Risk-based supplier management is as important as risk-based security governance within your organization. Additionally, an effective risk-based approach will also take into account the threat landscape. 
 
c. Balance your security investment effectively between preventive controls, predictive controls, and adaptive and other response controls, based on your risk exposure. The more critical data, services, and infrastructure you have, the higher your exposure in case of a cyberattack. It’s the difference between an e-commerce website going down for weeks vs. critical data or service not available for even a few hours or days. Preventive controls and cyber hygiene are a must. But as there is no 100% security, these will fail. Your cybersecurity strategy must take into account effective crisis management and building operational resilience over time. 

 

Based on your cybersecurity adoption lifecycle model, how can an organization build cyber and operational resilience? 

Building cyber and operational resilience requires effective planning and response to manage both the known-unknowns and the unknown-unknowns. Additionally, this takes into account people, processes, and technical aspects. Here are the key things organizations can do to build resilience over time: 
 
a. Building resilience requires a clearly defined accountability at the top level as well as a resilient, collaborative, and prepared workforce. Accountability and awareness are key. Train your employees and train them regularly. It’s vital that the board and top-level management understand their accountability, as well as that every employee understands their role and responsibilities both during normal operations and an ongoing crisis. Test your preparedness and crisis management plans. Make sure your crisis management team works like a well-oiled machine. Run table-top exercises, learn and repeat. 
 
b. Map, understand, and have a comprehensive overview of the dependencies that your critical services have on the underlying assets within your entire supply chain. Do your homework to have effective planning and preparedness in place. Build your crisis management and preparedness plans based on disruption scenarios for your business and critical services towards society, dependencies within your organization and on your third parties, your risk exposure, and your risk tolerance. Your crisis management plan should also take into account the steps you execute in case an unknown scenario occurs.   
 
c. Invest in adaptive response management. As there are always unknown factors in play, effective response management will include adaptive mechanisms, in addition to preventive controls. For example, can we activate certain policies in real-time as certain events or anomalies are detected? How can we fail-safe both within our IT and particularly our OT environments, while keeping critical services up and running? How do we adapt the use of our people, processes, and environment in real-time to reduce the impact? How quickly can we segment (parts of) our infrastructure, in order to contain the spread? How quickly do we predict a threat or detect an attack before it becomes a crisis? How do we reduce recovery time?   
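The questions in this answer (activating a policy when an anomaly is detected, segmenting part of the infrastructure to contain spread) and the earlier ones about how long ago attackers got in and how quickly they were detected can be made concrete with a small event-driven loop. The following is an added example, not code from the interviewee or this site; it assumes a made-up `key=value` log format, a constructed set of log lines, and illustrative thresholds (five failed logins in five minutes), all of which are choices for the example rather than anything the interview specifies. It replays the lines through three policies (throttle a brute-forcing source, isolate the host that later accepts a login from it, block lateral traffic from an isolated host) and reports the dwell time between the first evidence of the attack chain and the first containment action.

```python
"""Adaptive detection-and-response loop over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample VPN / file-server log lines. Hosts, users and addresses
# are made up for this example and are not taken from any real incident.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z host=vpn-gw user=alice event=login_failed src=198.51.100.7
2024-03-01T08:00:20Z host=vpn-gw user=alice event=login_failed src=198.51.100.7
2024-03-01T08:00:40Z host=vpn-gw user=bob event=login_failed src=198.51.100.7
2024-03-01T08:01:00Z host=vpn-gw user=carol event=login_failed src=198.51.100.7
2024-03-01T08:01:20Z host=vpn-gw user=dave event=login_failed src=198.51.100.7
2024-03-01T08:03:00Z host=ws-17 user=erin event=login_success src=10.0.5.23
2024-03-01T08:09:30Z host=vpn-gw user=dave event=login_success src=198.51.100.7
2024-03-01T08:10:00Z host=file-01 user=dave event=smb_connect src=vpn-gw
"""

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    event: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one 'key=value' log line into an Event; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["host"], m["user"], m["event"], m["src"])


@dataclass
class ResponseState:
    actions: List[Tuple[datetime, str, str]] = field(default_factory=list)
    throttled_src: Set[str] = field(default_factory=set)
    isolated_hosts: Set[str] = field(default_factory=set)
    first_evidence: Optional[datetime] = None  # earliest event of the attack chain
    detected_at: Optional[datetime] = None     # when the first containment fired


def run_adaptive_response(lines, window=timedelta(minutes=5), fail_threshold=5) -> dict:
    """Replay log lines through three event-driven policies and report the outcome.

    1. >= fail_threshold failed logins from one source inside `window`
       -> throttle that source (a policy activated on a detected anomaly).
    2. A login success from an already-throttled source
       -> isolate the host that accepted it (segmentation to contain spread).
    3. Any further connection originating from an isolated host is blocked.
    """
    state = ResponseState()
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)

        if ev.event == "login_failed":
            q = failures[ev.src]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold and ev.src not in state.throttled_src:
                state.throttled_src.add(ev.src)
                state.actions.append((ev.ts, "throttle_src", ev.src))
                if state.first_evidence is None:
                    state.first_evidence = q[0]

        elif ev.event == "login_success" and ev.src in state.throttled_src:
            if ev.host not in state.isolated_hosts:
                state.isolated_hosts.add(ev.host)
                state.actions.append((ev.ts, "isolate_host", ev.host))
                if state.detected_at is None:
                    state.detected_at = ev.ts

        elif ev.src in state.isolated_hosts:
            # Anything else coming from a segmented host is dropped and recorded.
            state.actions.append((ev.ts, "block_lateral", f"{ev.src}->{ev.host}"))

    dwell = None
    if state.first_evidence is not None and state.detected_at is not None:
        dwell = (state.detected_at - state.first_evidence).total_seconds()
    return {
        "actions": [(name, target) for _, name, target in state.actions],
        "isolated_hosts": sorted(state.isolated_hosts),
        "dwell_seconds": dwell,
    }


if __name__ == "__main__":
    for key, value in run_adaptive_response(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The point of the exercise is the two timestamps the report carries: `first_evidence` (when the attack chain started leaving traces) and `detected_at` (when the first containment actually fired). The gap between them, 570 seconds on the constructed input, is the dwell time the earlier bullets ask about, and shrinking it is what an adaptive policy is for; in a real environment the throttle and isolate actions would call the firewall, VPN or NAC API rather than append to a list.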

 

What are some of the technological disruptors to cybersecurity?  

In my opinion, the top three technological disruptors to cybersecurity are: 

 
a. Cloud 
Cloud is no longer a new technology. However, the skyrocketed migration to cloud in recent years demands an urgent shift in mindset, especially when it comes to cybersecurity and privacy. Moving to the cloud is no longer just a lift and shift operation, even if that’s what you may be doing with some of your services and data. To effectively utilize the benefits of cloud computing, in a secure and privacy-friendly manner, a shift in the mindset is required right from the very beginning, integrated right from the planning stages of a migration, through operating in the cloud and all the way to the exit stage. 
 
b. Convergence of physical, biological, and digital worlds 
With the adoption of Internet of Things (IoT) and other emerging technologies, there is an even stronger convergence of the physical, biological, and digital worlds in progress. However, there is a big gap in understanding what risks this entails and the lack of management of these risks as a part of a cybersecurity strategy. As we go forward, there is a stronger need to address these issues at a strategy and business level to ensure that security, safety, and privacy continue to be a top priority. 
 
c. Machine Learning and Artificial Intelligence 
Machine learning and the emerging applications of artificial intelligence are some of the key technological disruptors, as ethics, safety, and other risks emerge along with it. We are already seeing Proof of Concept (PoC) cyberattacks enhanced by machine learning. As we go forward, these emerging technologies will be abused by cyber criminals and other threat attackers in various ways, including but not limited to, increased scale and effectiveness of cyberattacks, discovering new unknown vulnerabilities and exploits faster, bias, discrimination, and other ethical, security and privacy violations. As the threat landscape evolves, the use of machine learning and artificial intelligence within cybersecurity will be critical. 

 

What are the elements of an effective cybersecurity program for critical infrastructure?

Due to the ongoing convergence between Information Technology (IT) and Operational Technology (OT) environments including Industrial IoT (IIoT), along with accelerated digitalization as a result of the pandemic, we have seen a massive rise in cyberattacks, particularly ransomware, against critical infrastructure. The key with critical infrastructure is operational resilience both during normal operations and under crisis. An effective cybersecurity program for critical infrastructure addresses three key areas: 
 
a. Legacy systems within the OT environment 
As the threat landscape and attack vectors have evolved, the convergence has left the legacy OT systems even more vulnerable to cyberattacks. Additionally, the lack of visibility and the difficulty of maintenance pose an even bigger threat as both old and new vulnerabilities and attack vectors are discovered. Basic cybersecurity hygiene, e.g. patching, awareness and other preventive controls, is even more important in the OT environment, as these systems get connected to emerging technologies. Hence, the basics are still one of the key aspects.  
 
b. Ever-increasing complexity and attack surface 
Due to technological disruptions and ever-increasing convergence, both the complexity and the attack surface of OT environments including the critical infrastructure are increasing drastically. This increases the likelihood of a successful cyberattack, as the threat actors now have a much larger attack surface to begin with. Going back to the point, it’s not if or even when you’ll get hacked, but rather how quickly we detect, adapt, and respond to an attack. Hence, building operational resilience is a critical aspect to be addressed in an effective cybersecurity program. 
 
c. Managing the consequences and risks to life, safety, and society 
As with every cyberattack, a key aspect is to understand and contain the impact, as early and efficiently as possible. To do that, it is vital to have a comprehensive overview of what risks are associated with critical infrastructure, along with how it impacts the business, the organization, and society at large. As we move from traditional IT to OT environments, we switch from just talking about downtime or data breaches to risks to life, safety, and the functioning of society as a whole. A good security investment is always risk-based. This is even more vital for critical services, as the impact can be tremendous. 

 

What are some of the key challenges with regards to diversity, inclusion, and equity within the cybersecurity industry and how can we address them?

We have seen an increasing awareness of diversity, inclusion, and equal rights over the last decades, both within society in general and in the cybersecurity industry. However, we still face massive challenges when it comes to pay grade, job requirements and hiring, reasons and motivations behind diversity and inclusion, as well as a lack of understanding of equity and the role it plays.
 
On one hand, we need to have continued conversations and take further actions for better representation within the cybersecurity industry. On the other hand, we need to do that while breaking down the labels and stereotypes. I am a CISO. Not a female CISO. My professional experience and contributions are independent of my gender, background, and other labels. 
 
That means, while on one hand, we need definitive actions to reduce the pay gap, include diversified talent, and ensure effective and streamlined hiring processes including neutrally worded job positions with realistic requirements, on the other hand, we need to break down the barriers to bring in a diversified workforce independent of their labels. That includes diversity in both what we see and what we hear, i.e. diversity and inclusion of opinions.  
 
Equity is yet another term that is highly misunderstood. Equity is not the same as equality. While equality is important and talks about equal opportunities and resources, e.g. equal pay grade, equity is about fairness, i.e. giving people what they need in order to make things fair and level the playing field. Due to stereotypes and lack of a balanced representation over decades, there is a need for equity to ensure we can reach equality. Equality is the end goal, but equity is the means to reach it. Equity is not about giving too little to people who need it or too much to those who don’t, but rather about providing fairness in order to reduce inequalities and pave the way to a more equal society and cybersecurity industry. 

Clubhouse Concerns: Privacy And Security Issues

As entrepreneurs, influencers, and C-level executives (CXOs) flock to Clubhouse in a bid to harness the app, its security and privacy shortcomings are becoming evident, forcing businesses to re-evaluate their approach to the social media platform.

The app’s fast rise to fame also came at a price, as security issues within the platform came to light and raised the question of whether users’ data are fully protected.

In this article, we take a quick look at the recent data breach that Clubhouse experienced and what concerns it raises.

 

Data Spillage and Security Leaks

 

Stanford University’s Internet Observatory first raised concerns about a Shanghai-based start-up that supplies Clubhouse’s back-end infrastructure, noting that it would have access to “users’ raw audio, potentially providing access to the Chinese government.”

Another report by McAfee’s Advanced Threat Research team also highlighted similar security issues in both hardware and software due to Clubhouse’s reliance on the Shanghai tech company.

Both reports suggested that the platform was running on an infrastructure that left it exposed to hacking or breaches.

In February, Clubhouse confirmed that chats had been breached from the invite-only app. The company said that an unidentified user was able to stream Clubhouse audio feeds from “multiple rooms” and relay them to their own third-party website.

A spokesperson for the company stated that the user was permanently banned and that new safeguards were being installed, a step towards better securing and protecting user data.

 
 

Differing Impacts of Security Issues

 

Responses from cybersecurity experts on whether Clubhouse is safe for users varied widely, with some claiming it should be a serious concern for anyone who uses the app for sensitive conversations.

On the other side of the coin, experts pointed out that the security issues raised by the reports were hypothetical and that the risks mainly concerned users in China, where the app is already banned.

Nevertheless, certain parts of the world are taking a serious look at Clubhouse’s shortcomings when it comes to data protection and consumer law with countries such as Germany taking court action against the app due to its failure to meet GDPR requirements.

Whether or not Clubhouse security measures are compliant with data and privacy acts, it’s important for businesses and CXOs to be aware of the potential security risks involved with the platform.

 

Prioritizing Cybersecurity Investments 

 

Despite Clubhouse’s meteoric rise to unicorn status with a reported valuation of $1 billion, for it to remain a viable platform for businesses and industry leaders, the company must invest in and strengthen its cybersecurity measures immediately.

Given the vast increase in digital communications due to work-from-home initiatives, and the findings of our own report on cybersecurity trends among CXOs and businesses, the onus lies on Clubhouse to ensure that its users’ data are protected.

While the recent security issues do not pose any serious threats or risks for now, they still serve as a reminder that users need to be vigilant when using the app and that Clubhouse needs to improve its security measures sooner rather than later.

CIO Investments: Which Tech Is Your Priority?

As the world crosses into 2021, the distribution of the COVID-19 vaccine has brought surges in global stocks and market optimism.

However, even with great hopes of economic recovery by the end of 2021, organizations still need to ensure that their business growth and plans continue positively. Chief Information Officers (CIOs) are playing a big part in achieving these goals by maximizing information technology (IT) investments and advancements.

 

What IT Investments To Focus On?

 

According to our Executive Trend Survey, 67% of CIOs placed data science as a top priority for 2021, with core focuses on analytics strategy, data management, and big data analytics.

Meanwhile, cyber security and cloud were named as other top CIO priorities by 59% and 53% of surveyed leaders respectively.

 
 

But what does this mean for CIOs across the industries?

Based on feedback from CIOs and key IT executives, the majority (47%) of them are facing 2021 with slight changes in their goals and a lower budget for their function.

 
 

With limited budgets, CIOs need to pick and choose which goal takes priority over the others and select a solution that will truly give them the return on investment they seek.

Thus, even if CIO trends point towards analytics, if an organization’s current end objectives don’t correspond with the need for data solutions, it should focus on more pressing investments.

Another key factor influencing their investment priorities lies in the current maturity levels of their technology and operations. For instance, some are still new in forming data strategies while others are more advanced in their data-driven processes, thus their focus areas in the use of data science differ greatly.

 

Investing In Data Science

 

Today, it’s uncommon to find any company that is not taking advantage of its data. From enhancing customer experience to improving predictive maintenance, business leaders are aware that data is critical to their organizational growth.

But which area of data analytics should your organization focus on? Between the different analytics applications and components, what should be the foremost priority?

In recent interviews with CIOs and other IT decision-makers, over 450 of them named analytics as their core focus. Even so, under the analytics umbrella, their interests ranged from big data analytics and predictive analytics to data warehousing and analytics strategy.

 
 

55% of them selected data management as their foremost investment in analytics, naming master data management (MDM) and product information management (PIM) implementation as some of their projects.

 
 

The MDM solution is largely adopted by the banking, financial services and insurance (BFSI) sector to manage massive amounts of transactional data on their customers. PIM, on the other hand, is seeing higher demand by the e-commerce industry and an anticipated fast growth in the media and entertainment sector.

In regards to data analytics strategy, some of the CIOs are investigating how they can make the business work more efficiently through analytics strategy while others are taking the next steps to improve data quality.

On the other hand, a number of the interviewed decision-makers are still setting up and realizing their data strategy, indicating that they’re still in the planning stages and concentrating on becoming a data-driven organization.

 

Investing in Cyber Security

 

Meanwhile, our most recent interviews with CIOs on cybersecurity investments discovered that cloud security is foremost on their priority list followed closely by cyber security strategy.

 
 

From our findings, a number of the interviewed decision-makers expressed interest in implementing security information and event management (SIEM) solutions.

 
 

Another hot spot in 2021 cyber security spending, according to Forbes, is identity and access management (IAM), which is a prime focus for 30% of business leaders investing in cyber security. Some of their projects regarding access and identity management include:

 
 

With uncertainties still ahead, some CIOs are worried about guaranteeing a high level of cyber security with a limited budget, while facing challenges in raising the topic of online security with a diversified and remote workforce.

 

Investing in Cloud

 

Based on CIO investment feedback from the interviews, most of them are still in the planning stage of their cloud strategy with cloud integration and migration as their core priorities.

 
 

Microsoft Azure, Amazon Web Services, and Google Cloud are three of the most popular cloud platforms in the market; interviewed decision-makers are weighing these cloud computing services against each other, while some are even working with all three of the platforms.

Alternatively, a group of IT leaders and other key C-suites are working towards a hybrid cloud environment, which is commonly used in industries such as:

What is Your Focus Area?

 

As seen in our survey findings and interviews, each of the IT leaders is prioritizing a specific solution that best serves their target goals, with consideration to their budget, their available expertise and IT talent, and their current processes.

For some, the immediate focus is on surviving the consequences of the pandemic, “which has become the number one objective for most emerging technology investments”, according to KPMG’s research. For others, it’s an opportune time to shift to a more digital business model and accelerate their digital transformation.

Nevertheless, while benchmarking and taking note of emerging IT trends help your organization to measure business performance against other companies, the global situation and market uncertainty are still expected to significantly affect information technology investments.

The important thing is to have a solid focus on your strategic IT priorities, adopting agility and adaptability for business continuity, and making smart investments to prevail in the long term.