This week, we had an interview with Nikolaos Thymianis who is working as a Chief Information Security Officer (CISO). Nikolaos’s previous work made him associate with people in the Healthcare Industry while doing Cyber Security Assurance and Maturity assessments for organisations in the NHS. He has also become a Cyber Security Speaker in emphasis speaking about trust in places where it can be unreliable and data segregation where unison can mean disaster. Continue reading the full interview below and discover his insights

1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, Nick?

Yes of course, first of all, having studied infosec at the University of Brighton and having worked for the NHS UK for about three months, I came to the realization that organizations in the Health Industry required a firmer hand to move forward with Cyber Security. Having that type of experience led me to lead Caresocius and for me, it was a true challenge seeing such a young company and having to build Cyber Security from the ground up. So far, the company received the measures proposed to the board with willingness and at the very least understood the need. Of course, there were many things to fix and so little time, but the company is still growing. 

2. As we noticed, you are a Chief Information Security Officer. Could you please share with us what are the challenges that excite you in that position?

As mentioned in my last answer, what excited me was setting the groundwork for Cyber Security in a young company. This meant a lot and it has been a long and strenuous work, but I managed as best as I could in the time I have been with this company. The next exciting thing that I felt was the application security where I was talking with developers in India and Pakistan, places where I never thought of working with, much less cooperate with. I had to fight many cultural biases and of course, the different times and working hours were indeed a challenge.

3. Please, describe a way that you help your company understand the value of information security.

I really like having regular talks about attacks happening in the world, it is something like an internal webinar where everyone that is interested can take place. Of course, monitoring many of my colleagues is a safe way to go about teaching them about infosec. What I really like is when I have to speak to executives in Caresocius about the yearly threats that the organization may face every coming year.

4. What key malware trends has dominated 2020 and what should we expect this year?

Generally, my studies in Information Security have led me to believe that somehow, we have forgotten the past and some people tend to think that the threats we faced and covered in earlier versions won’t come back. Trust me they will and will become even worse, and it is good to know the mistakes that were made. Also, Ransomware is a huge issue, we have seen the attacks on the NHS UK with the WannaCry ransomware, let us not let that happen to any company out there, let us focus on what we can do to stop it.

5. How can organisations adapt their security to be ready for tomorrow’s malware attacks? Please walk us through your recommendations.

Organisations can be on different levels of security maturity. Firstly, we have to identify the problem, then the information security people have to write an official policy, which has to pass to the board of directors, who will declare if it stands. After that part of the process, the company will use the policy to manage its procedures according to its guidance. After a while, the organisation will have defined a procedure that deals with the problem and will be proactive in dealing with it.

Afterward, the organisation will have measured the correct procedure and gained control over it. Finally, optimisation, a focus on what can be changed in our process to improve. This last bit is really important due to being the Lessons Learned process, this is when an organisation has reached the top level of maturity and it can deal with any issue.

Remember though, you cannot jump levels, meaning you cannot go from level 2 to level 5 or level 4. Of course, all this can be achieved if you can meet the recommendations of your internal auditors.  

6. What are your main go-to-sources of information when you are stuck? Feel free to share the sources/websites with us.

If ever I am stuck on a problem, I like to google it first but generally what I like to use is blogs like Digital Shadows (https://www.digitalshadows.com/blog-and-research/) or F-Secure(https://blog.f-secure.com/). But I really like to ask other professionals like Alex Martin (https://www.linkedin.com/in/thealexbmartin/) and others.

7. Our last question: where do you go for inspiration or resources that you use in your own personal development?

I really like using Udemy and ISACA for personal development, and of course, reading the news on DataBreachToday (https://www.databreachtoday.com/) & the Hacker News (https://thehackernews.com/)  is really interesting and keeps one vigilant on what threats organisations could be facing in the future.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.