Samir: In this incredibly fast, complex and competitive environment, how do you support CIOs and CISOs to play an increasingly strategic role in their organization?
Roman: In different ways: from analyzing and managing ISMS to quality assurance of the security controls. In particular, with our top-down approach, we help companies establish a guide to cybersecurity by quantifying their cyber risks. To do so, we create a virtual dashboard to monitor identified risks according to their business impact. Starting from the top of the list makes it easier to allocate budgets to mitigate these risks. In addition, business and IT managers on all levels take informed decisions which improve the company’s cybersecurity posture.
For example: The biggest risk for a stock exchange is a failure of the digital system. If this happens, you may need to first take care of denial-of-service attacks. By involving business stakeholders from the start, a CIO or CISO can provide technical background information and turn the narrative from impediment to creation of business value. We support CIOs and CISOs in aligning all stakeholders and thus developing a clear security vision based on company specifics. Everyone from stakeholders to the application team will understand why multifactor authentication is needed to protect sensitive customer information and which business processes, business assets and security assets are protected in this way.
Samir: CIOs need to fulfill their innovation value-added agendas in a rising economic pressure environment while maintaining a high level of trustworthiness of the new technologies being introduced. How do you evaluate the risk/reward trade-offs between technology innovation, security compliance and business impact?
Roman: Technology innovation has to be backed up by appropriate security measures to make sure that when moving fast you are not leaving an open window. For example, isolated test environments or even micro-segmentation with test environments to explore new technologies without impacting production can accelerate innovation while keeping assets secure.
Since, with the top-down cyber risk assessment, business stakeholders are involved from the start, the outcome is a prioritized list of risks and mitigation measures tailored to your company’s assets. This list allows you to focus on the risk scenarios with the greatest business impact and to balance risks and rewards. It also implies that you know both the risk impact and the reward impact for the business. This trade-off should be understandable for all decision makers.
Samir: What are some examples of too much innovation focus at the expense of cyber risk exposure and what is a well-balanced approach for companies?
Roman: Innovation without a strong security concept leads to additional cyber risk exposure. The security concept must be based on a rigorous risk assessment, which uncovers and addresses potential vulnerabilities. For example, accessing sensitive information on an unencrypted channel may lead to data exposure, even inside of the company perimeter. Another example: If the new tool collects customer data from multiple countries inside the same datastore, this may result in non-compliance with data protection laws. A consistent security concept prevents exactly these types of cyber incidents.
But what is a well-balanced approach? The only way to take informed decisions and balance innovation, time to market and security is to create a security concept based on all your innovation projects' risks.
Samir: With the increased use of new technologies, organizations have set up a large attack surface that opens the door for potential cyber attacks. What are some of the key considerations companies should be aware of when defining their cyber risk management strategy?
Roman: Risk management is not only about technology but also about people and processes. It requires a culture of cyber risk awareness and common security objectives across the company.
Key considerations include the threat landscape, business resilience objectives, critical internal processes, the Zero Trust paradigm, security concept, and risk monitoring. Defining a cyber risk management strategy requires a major effort. Therefore, it might be advisable to get support from an expert.
Samir: Bruce Schneier stated that «If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology». To what extent do you agree with this statement?
Roman: This statement goes hand in hand with the top-down cyber risk assessment approach. This approach is threat-driven – it means that you start by identifying critical business processes and end up with defining mitigation measures for key risks. Only when you have identified the risks do you move on to technology, which is the final step. By using our approach, you gain a holistic view of your digital systems and potential vulnerabilities, i.e. there are no blind spots in your security posture. Hence, I fully agree with the statement.
Samir: Implementing a healthy cybersecurity culture in a workplace plays a vital role in the entire organization's security posture. What are some of your key recommendations?
Roman: A healthy and strong cybersecurity culture doesn’t happen overnight. It needs to be continuously nurtured and cultivated. Some key recommendations: get your leadership team on board, foster accountability, raise awareness, make communication easy, and test with real-world scenarios.
Most problems are due to people’s lack of awareness. Human error is the biggest reason for data breaches. This shows that traditional security awareness trainings are not solving the problem. The compliance-based awareness campaigns are outdated. Companies need to invest in holistic behavior and change programs to transform the culture. Instead of just pointing out how bad phishing is, organize phishing-mail creation workshops with your employees to show them how easy it is to write such mails and how dangerous they are. The goal is for employees to work in a secure way; hence, intrinsic awareness is needed.
Samir: Many companies have realized the strategic long-term importance of addressing cybersecurity as a core value. How does it translate in a competitive advantage?
Roman: There are different scenarios for different business models. In B2B, cybersecurity is a requirement that allows companies to prove their compliance with certifications such as ISO 27001. But being certified and truly being secure are two different pairs of shoes. If you are a SaaS company that needs people to trust in its infrastructure, you can emphasize what you do beyond compliance: for example, storage or backup governance or data privacy management. Such measures – depending on the customer segment – reduce the customer’s risk, which is a competitive advantage.
If a business is “cybersecure”, it means it is resilient. By combining innovation with appropriate security, you can move faster than your peers without taking additional risks. If we look again at SaaS companies, the biggest asset making your business competitive and resilient is “customer trust”. Hence, having cybersecurity as a core value allows you to preserve this trust and remain an attractive service provider.
This interview first appeared on the Swiss Cyber Institute website.