Security Expert Interview Series: David Mantock

In this interview, we spoke with David Mantock, a Chief Information Security Officer (CISO) based in Switzerland. His domain knowledge includes managed security services, GDPR, cyber risk management, data center, network, cloud, and unified communications. Continue reading to discover David's insights into the key malware trends that dominated 2020 and how organisations can adapt their security to be ready for tomorrow's malware attacks.


1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, David?

Thanks for this opportunity to further the discussion on cybersecurity and to raise awareness and widen the discussion through your platform.

I have been very fortunate to have a varied career that has always focused on technology and information security. It has also been helpful that these roles have been in various industry sectors. My very first IT role was in the financial sector, and then I had the chance to work for the Royal Air Force, which was a great experience for getting extensive training and working on some interesting projects. However, before long I was back in the finance sector.

One of the highlights of my second spell in this sector was that I formed my own consultancy company and had significant engagements with blue-chip enterprises. One mandate was the European-wide roll-out of an access management project on behalf of the technology risk management department. In this role, I learned how valuable it is to be a clear communicator and determined facilitator so that deadlines are honored and outcomes have the expected quality. I love technology, but helping people is far more rewarding – so it was no surprise that when I got the opportunity to work as a consultant IT trainer, I was more than happy to accept the challenge.

This was very exciting, dealing with the dynamics of a classroom environment and having the clarity of thought that is necessary to consistently deliver engaging content. I mainly saw my role as helping the students overcome fear, as I could often perceive that they felt that the subject was too much for them. It was satisfying when I got feedback like “I thought I could never learn Unix Administration, but that is exactly what I have learned on this course!” However, up until then, I was still UK-based, and my next big adventure was my relocation to Switzerland in 2001. Since that time I have been mainly on the IT provider side of the industry, including my current role at SPIE Switzerland.

2. As we noticed, you are a Chief Information Security Officer. Could you please share with us what challenges excite you in that position?

It is an exciting time to be a CISO, the main reason being that the role itself is evolving to enable business initiatives in a dynamic and secure way. So there are business requirements that need to be mastered that are not immediately in harmony with cybersecurity. Things like speed and complexity are traditionally the enemies of cybersecurity.

But this is a part of today’s business landscape, so the challenge is to support in such a way that despite this, obstacles are overcome and the required security is still maintained. Of course, I cannot do this on my own, so working with various specialists gives a multi-faceted richness that would be hard to beat in another role.

3. Please, describe a way that you help your company understand the value of information security.

This again comes down to communication and my mission is to reach all levels of the business, i.e. strategic, tactical, operational, and also to promote responsible security behavior. The message is very simple: “No security, no business,” but the real value is being an advocate for collaboration, so my mantra is, “Alone we are smart, together we are brilliant.” Then I just need to use as many channels and settings as possible to get the message out there: Yammer, Teams, in-person, e-learning, blogs, etc. Most importantly, though, is empathy, because it ensures that the messages are received in a positive way. Then you are not “talking at” people but rather “discussing with” them and together finding innovative and collaborative solutions.


4. What key malware trends have dominated 2020 and what should we expect in 2021 and years to come?

I think we have all seen that the frequency of ransomware attacks has continued to increase at an alarming rate in 2020 – this was of course more pronounced due to the increase in remote working that accompanied the global pandemic. We know that this way of working is here to stay, so the focus of the hackers will remain on the endpoint. Sadly, I do believe that malware attacks and in particular ransomware will continue to rise in 2021 and in years to come. The magazine Cybersecurity Ventures headline makes a grim prediction: “Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031”.

5. How can organisations adapt their security to be ready for tomorrow’s malware attacks? Please walk us through your top recommendations.

My number one tip is about preparation, as Benjamin Franklin said: “By failing to prepare, you are preparing to fail.” So technical and organizational methods need to be in place, and these, in turn, need to be tested and verified. More specifically, it is of utmost importance to have secured and up-to-date back-ups, so that you have a clear path to recovery if the worst happens.

However, good cybersecurity always has and always will depend on a layered and holistic approach. This means that you will employ multiple methods of defence (MFA, Zoning, IDS/IPS, AV, Firewall, Incident Response Procedure, etc.), and each of these defences should in turn help to reduce the attack surface. It is also crucial to get the basics right, so there needs to be an effective patching regime and vulnerability management, suitable logging and monitoring should also be available. Another basic is transparency: all stakeholders need to be informed timely and accurately.

Lastly, I would say that a traditional anti-virus solution is not enough for today’s threats, so I would highly recommend supplementing this with an end-point detection and response solution that can give deeper insight and better protection.

6. What are your main go-to sources of information when you are stuck? Feel free to share the sources/websites with us.

Honestly, I have never really felt stuck, but I do have several sources of inspiration that I am happy to share. The National Cyber Security Center [1] is an excellent source of information, as is, of course, ISACA [2], of which I am a member. Most importantly though, I think if you are involved in the industry and are sharing your knowledge in presentations, panels, and blogs, then you are always connecting, learning, and growing.

I also find it important to embrace ideas that are not purely focused on cybersecurity. I belong to a design thinkers group and am also practicing nonviolent communication as made famous by Marshall B. Rosenberg. I have also benefitted from having a business coach, which enabled me to have a better understanding of what I am trying to protect. New Way Consulting [3], in particular Steen Lykke Rasmussen, helped me avoid the traps that stop you from moving forward. To stay current, I use Cyware [4], which collates news articles from various sources.

Another great resource is GitHub [5], as many tools, templates, and wonderful solutions are published there. nuclei is one such tool and a great example of what the community can do. There are a lot of good guys out there, not just bad actors.

7. What is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in information security?

I would say to them, “Welcome! The more the merrier, and we really need diversity in the industry. So whoever you are – come on in, the water is lovely over here.” More specifically, I would give the following advice: Have a good think about the reason why you want to do this because your ‘why’ better be based on some intrinsic motivation. My why is that I like to help people.

Also, think about the privilege and the context: For me, it is a privilege to be entrusted with such responsibility, because what we are trying to protect is valuable. It is worthwhile to work. And finally, if you like the idea of being a life-long learner, you will not be disappointed.
