Security Expert Interview Series: Patrick Schramboeck
We recently checked in with Patrick Schramboeck to learn how financial institutions can stay ahead of their adversaries in cyber space and what kind of challenges must be addressed before cryptocurrencies can be adopted as mainstream payment systems. Patrick is a Chief Information Security Officer and Blockchain Security Architect, and he previously held the position of Security and Quality Officer, where he checked compliance with the requirements of regulators such as FINMA (CH), MAS (SIN), HKMA (HKG), and FSA (UK). Make sure you do not miss Patrick’s interesting insights and read the full interview below.
1. Can you give us an introduction about yourself, Patrick? How did you venture into the information security world?
It was during my studies that I first came into contact with the topic of security. It started when I was working in the university computer department, where I deployed Unix systems and helped establish the first fiber optic connections to other universities. The area of security fascinated me quite a lot, because at the same time the first information about vulnerabilities and architecture errors of systems was being published (Chaos Computer Club).
At that time I realized that not only the software but also the overall architecture, including people, is relevant for solid information security. During my master thesis I was able to deal with the topic of security in computer networks in more detail and to deepen my knowledge. This work laid the foundation for my interest, and I have now been working in information security at financial institutions for over 15 years.
2. You are holding the position of Chief Information Security Officer (CISO). What has been the biggest challenge you dealt with in that position, and what skills do you wish you had from the start?
If you work in the information security area, continuous development and training is extremely important, because attack techniques as well as security techniques develop continuously. This willingness is necessary, and it helps if you remain interested. In addition to understanding the available technology, it is also very important to convince management and employees that security helps them do their job. These challenges are essential for solid security, but difficult to achieve, because they need endurance and experience.
3. The role of the CISO, the responsibilities it carries and how that function works within an organization have changed greatly from what they were 10 years ago. What does it take to be a CISO in a world of digital transformation?
Digitization has progressed in the last 10 years. Many companies have digitized their processes, which has also enlarged the area of responsibility of a CISO. A CISO has to pay attention to the overall protection of the data in a company and ensure its protection, integrity and availability.
In addition, data is no longer on premises on your local servers, but is distributed and processed or stored in different places, be it at a provider or in cloud storage in different data centers. For a CISO this increases the complexity and the requirements, as the level of protection and availability must now be guaranteed across several providers.
4. Exceptional organizations create a cyber security culture that engages and motivates their employees. We have a lot of CISOs and other security experts reading this. What would you say are the initial steps they must take to create this culture?
To establish a cyber security culture, you always need a clear cyber security strategy, which is tailored to the requirements of the company. Here it is important to perceive the needs of management and the various departments and to align strategy and security requirements.
For example, there is little sense in heavily securing the public website, but it is important to restrict access to confidential client data on servers. Therefore, it is necessary to know the critical processes and data and to protect them accordingly. Also essential is openness to feedback and questions, because employees then see that security is being lived and discussed. In general, it is much better to give employees the opportunity to question the CISO and his team about current problems, be it with projects or in everyday operation. This creates trust and promotes readiness to participate.
5. We noticed that you are also a Blockchain Security Architect, providing information security services to the financial industry. Please tell us what kind of challenges should be addressed in order for cryptocurrencies to be implemented as mainstream payment systems.
In the blockchain area, a new technology has been established which enables cryptographically secured transactions, e.g. for payments in Bitcoin (BTC) or Ethereum (ETH). For a financial institution, there are various challenges, as it is a payment token which is only available electronically (unlike traditional cash).
In addition, all blockchain transactions are visible worldwide on public nodes, which makes it more difficult to protect the identity of the bank’s customer. Furthermore, the custody and the settlement and payment processes must be designed so that they are sufficiently protected and compliant with regulation (AML, KYC). These requirements make it difficult for banks to offer crypto services to their customers.
6. Financial services companies are often high-profile targets and have to be particularly vigilant when it comes to cyber security. How can financial institutions stay ahead of their adversaries in cyber space?
The difficulty is that attacks (specifically ransomware, spear phishing) are becoming more professional. Different teams collaborate and have specialized tasks, like the search for possible access paths, the infiltration of the company, and the extraction or encryption of the data. In order to minimize the risk of a successful attack, a consistent security architecture (e.g. according to BSI, ISO or MITRE ATT&CK) is required.
In addition, regular awareness training and employee information help ensure that users are trained accordingly and can recognize attacks at the beginning. At the same time, the resilience of the infrastructure must be high enough to withstand an attack (ransomware, DDoS), and the emergency recovery process must be in place to allow continuous operation in case of a successful attack.
7. What personal development do you do to keep yourself sharp?
For me, it is important to stay up to date with new vulnerabilities and attack techniques. In many cases there are self-study documents, or I participate in seminars on specific security topics to stay up to date on the current trends in cyber security. Other platforms such as the National Cyber Security Centre (NCSC in Switzerland) or cyber communities enable direct interaction with other CISOs to exchange information about current security topics. In addition, I do regular training and certifications such as “Introduction to Digital Currencies” (University of Nicosia) and work with the Crypto Valley Association or with the Joint Working Group on the “interVASP messaging standard IVMS101” (Financial Action Task Force – FATF).
8. What are your two go-to sources of information when you are stuck?
Whenever I am in this situation, standards such as ISO, BSI, NIST, and regulatory standards are the first sources of information to get an overview and check the consistency of measures. Currently there are new standards such as MITRE ATT&CK, which has been specially developed to improve the overall security framework and the effectiveness of security measures. With regard to details of an attack method and possible countermeasures, services such as CERT, NCSC, and cyber communities help to search for a solution or a workaround.
9. What is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in cyber security?
For all people who are just getting out of university, I recommend a certification such as CISA, CISSP or CISM as a first step. Try to stay open-minded in your work as a security officer and learn how the company is set up. On this basis, you recognize which important resources, processes and persons you should focus security measures on, as they are the most critical assets of the company. Also attend regular training and be open to change, as every company will evolve and change over the years. Therefore, security measures must be regularly adapted to the current situation of the company in order to support it.
This interview is published by the Swiss Cyber Institute, which works to improve the digital safety and security of society and the economy through education and weekly blog posts.