Security Expert Interview Series: Doron Zimmermann
We are thrilled to present the next episode of our Security Expert Interview Series, in which we had the opportunity to speak with Dr. Doron Zimmermann. Dr. Zimmermann holds the position of Cyber Security Officer at Huawei Technologies Switzerland. He is skilled in comprehensive corporate security management, strategic security design, security threat intelligence, risk analysis and assessment for executive decision-making, role-based security awareness coaching and training at all levels, and the application of proprietary counter-intelligence know-how to commercial organizations. Read the full interview below to discover Dr. Zimmermann’s views on security threat intelligence, the common misconception today about insider threats, and building a strong top-to-bottom cyber security culture.
1. Welcome to our series “Security Expert Interview Series”. Could we have you introduce yourself and tell us a little bit about your background?
I am a security management practitioner in the fields of corporate, information/cyber and supply chain security. I have been active in the field of security for over two decades, starting off in research and teaching at ETH, where I was working for the Center for Security Studies on countering terrorism, intelligence analysis and security risk management.
Moreover, I had roles in several verticals, i.e. insurance, energy and national and global supply chain, while also having worked as a security consultant for large organizations. I served as the assistant deputy chief of staff with the Swiss Federal Council’s Security Committee staff, where I ran the situational analysis and intelligence assessment section and acted as secretary of the Security Steering Group in the Federal interagency process.
2. You hold the position of Cyber Security Officer (CSO) at Huawei Technologies Switzerland. Could you please share with us what the challenges are that excite you in that role?
First off, my current role allows me to employ my professional skills in the context of internal executive and external security stakeholder management – a part of my duties in several prior roles that extended to briefing senior executives and members of the cabinet and government, as well as customers, industry peers, associations and regulators. I enjoy that this aspect of my role is strategic in reach and requires, and sometimes challenges, my communicative skill and ability to provide political insight to my colleagues.
I like that my role focuses on the big picture, including matters of company governance, regulatory risk, industry deliberations on security, while I can also perform information security audits and security reviews, e.g. of our supply chain. The role further demands that I act as an interface between the technology-driven engineering personnel, the sales teams, the management, legal and compliance. Not having a technology background has taught me how to understand and help translate all the disparate groups’ security needs across the organizational level. One of my main roles is to enable and underpin the internal and external security risk dialogues.
3. One of the areas you are skilled in is Security Threat Intelligence. How do big organisations use security threat intelligence?
That depends at which level you wish to look at security threat intelligence. For the operational level, we have dedicated internal capabilities, up to and including a product security incident response team (PSIRT). “Intelligence” in the technical domain to me is not the focus. If there is a technology-driven event, such as a zero-day exploit, a backdoor or a man-in-the-middle attack in our or our customers’ networks, of course this becomes a matter of considerable interest to us.
However, where the subject of intelligence does become first more interesting to me and aligned with my role is in the twin areas of government and public affairs. Thus, when the revision of a relevant law is under discussion in parliament, the industry association wants to review the risks of the up-and-coming 5G technology, or a customer or government regulator has questions or even concerns associated with our business, our products, solutions and services, I and my colleagues will join the risk dialogue and support our interlocutors in understanding what we do to ensure security at Huawei.
In recent years, a growing trade competition challenge generating its own intelligence-based insights has impacted our internal discussion and also demonstrated to us the value of transparency underpinned by concrete action. We maintain cyber security Transparency Centers, e.g. in Brussels, Banbury (UK) and Rome, where we address, among other concerns, our customers’, regulatory and other government threat intelligence-based warnings, red-flags and advisories.
4. In fact, there are different levels of cyber threat intelligence, one of which is strategic threat intelligence. In which way does strategic threat intelligence inform better security decisions?
I concur in that there are different levels of intelligence analysis. My sense is that for decision-making (with few exceptions), it is clearly the strategic intelligence assessment – or, as we like to call such weighted information, insights – derived from the industry, economic, public, regulatory, government, domestic and foreign policy environment that offers a richer, more insightful yield in terms of a decision-making basis for our business leaders.
It is well and good to understand threats and vulnerabilities and communicate such to our clients in a timely manner, but it is equally important – if not more so – to understand and control for the risk to our supply chain in the current circumstances, hone our ability to manage crises and render resilient our business continuity endeavour. In other words, getting lost in the nitty-gritty of the technological security challenges, while missing out on the bigger picture is not helpful.
A careful balance between levels of intelligence analysis must be struck; an understanding of the differences between incidents, which tend to be technological, and crises, which are more often caused in the strategic environment of economy and politics, must also be developed at the appropriate level of maturity for the organization’s needs. The impact of an incident is mostly less than that of a crisis. Hence, strategic intelligence to my mind remains essential to decision-making.
5. You have also worked with government security organizations towards preventing insider threats. What is a common misconception today about the insider threat?
First off, I was struck by how different – purely in terms of breadth, depth and maturity – from the private sector insider threats are being viewed by government security organizations. My impression is that businesses mistakenly believe that the advent of insider threats is a more recent phenomenon and that they accordingly shaped an entire nomenclature around this subject, e.g. “social engineering.” In the private sector, there is also this sense of insider threats generally being confined to being malicious employees.
Colleagues in the security industry, to the extent that their respective business environments allow them to engage with insider threats (and, yes, that is part of the problem), know that there is no real boundary to the provenance, motivation, tradecraft and support network of an insider threat.
Insider threats can originate in state, parastatal or hired or allied non-state organizations, be ideologically or financially motivated, be professionally trained to overcome surveillance, befuddle investigations and resist trained interrogators. Hence, it makes sense to understand the distinction between, and different capabilities of, defense- and security-related espionage, economic and industrial espionage and/or sabotage.
Insider threats are not necessarily disgruntled employees; they can be defectors-in-place, waiting to be recruited by a criminal, parastatal or state organization. If a state is running an asset inside a target organization, one can safely assume that the asset is being directed by a case officer and supported by an operations team.
Failure to understand this reality is often at the root of insider threat-related incidents. The proverbial question by business leaders: “What is there to steal from us?” ignores the fact that those that ask this question lack the perspective of the “adversary” and, hence, neglect the key question: “Do I know the other side’s shopping list?”, i.e. how does any business know that the product, solution or service they are manufacturing and/or selling is not the missing link between two other products, solutions and services? The single biggest challenge is that because nobody enjoys suspecting work colleagues or business partners, there is a natural inhibition to actually check observable behavioral patterns that indicate ongoing insider threat activity: Only few are willing to shine the figurative flashlight into a dark corner. Yet “dark corners”, i.e. un-monitored domains of a business are exactly where insider threats flourish.
6. How would an organisation go about building a strong top-to-bottom cyber security culture?
First, by reviewing its own relative security maturity and by honestly engaging with the findings of such an inquest. Secondly, by accepting that security can only succeed if deployed in a comprehensive manner, i.e. not only IT security (as is often the case), but a melding of IT, cyber/information security with typical aspects of corporate security programs, e.g. physical, personnel/executive, travel security, supply chain security, security insurance management, intellectual property protection, etc.
Security is very much a people business: If the CEO and the business leaders will not practice Cyber Security in a comprehensive sense, why – notwithstanding glossy governance and compliance policies – should employees? Senior executives need to act as role-models, demand that the staff engage with the topic, because they themselves do and impress upon their personnel how important they feel security is by directly addressing the issue in management and all-hands meetings. And, concomitantly, leaders in business ought not to confuse compliance with security; they should not turn what is a highly agile endeavour that requires independent thinking into a tick-in-the-box exercise. Security should be integrated as KPIs into management-by-objectives performance evaluations for all management levels in all units and among regular staff, as it is an endeavor the success of which depends on concerted collective action.
Conversely, business leaders ought not to compel their staff to run through a WBT or CBT course on security compliance, but take the initiative and, either themselves or through a CSO or other security ambassadors, speak directly to all management and staff, leaving no doubt about just how mission-critical cyber security and security in general are. Security, typically deemed a support process by organizations with lower security maturity, or myopically simply considered a cost center in such business environments, is neither: Security is a baseline that ensures that all staff can count on going back to work on the next day.
It is the culture of a company which needs to receive the imprimatur of cyber security thinking. Only if the culture of a company can be shaped is there a realistic chance for positive change toward the development of relative security maturity. Ultimately, if an organization does not maintain regular and demonstrable “hygiene,” why should its customers and stakeholders trust it?
7. How do you see the cyber security world evolving in Switzerland over the rest of 2021?
Especially in the cyber security context, Switzerland is not an island, but very much an integrated part of the globalized economy’s complex interdependence. What happens abroad very much affects us locally. I am concerned that we will see more trade and geopolitical competition, which will drive the involvement of high-powered and professionalized capabilities among parastatal and state actors (a.k.a. Advanced Persistent Threats) to new heights. I worry that cyberspace will, even more than is already the case, become the surrogate battleground of interstate rivalry, in turn affording more incentives to rogue states and non-state actors to wreak havoc, while also incentivizing and enabling such powerful parastatal and state organizations to farm out more and more of their mission to third-party criminal or ideologically driven non-state actors.
In spite of the damage wrought by the ubiquitous attack vectors, e.g. ransomware and DDoS, the threat emanating from the manipulation of data, command-and-control systems (think: SCADA and generally ICS), man-in-the-middle interceptions and acts of sabotage through manipulation, e.g. at the interface between IT and OT, to me seems far more serious. Especially with respect to highly sensitive targets, such as critical government services and privately or publicly held owners and operators of national critical infrastructure, e.g. energy, telecoms, health, transportation, etc. What I find particularly perturbing is the propensity of business leaders and also government security organizations to look the other way.
While no longer willfully ignoring the problem of cyber security in an obvious manner, those with key responsibilities still do not act as if they fully understand their own vulnerability. I am afraid that we could well see a steep increase in significant physical manifestations of cyber-attacks, e.g. along IT/OT interfaces or due to the rise of IoT smart devices that can be turned into myriad attack vectors, as the attack surface has hence increased manifold, especially in the course of the Covid-19-boosted digitization of the economy during the last year.
8. What are your 3 go-to-sources of information when you are stuck?
First, my colleagues in the organization. Ours is vast and has many knowledgeable people working for it. Second, my peer network – depending on the type of question I have, either only nationally or nationally and internationally. Third, open sources and failing that, specialized security and/or auditing consultancies.
9. As a CSO, what are your 2 important pieces of advice for corporate cyber security?
(1) See the big picture: Do not conceive of cyber security as merely a technical issue, but as a comprehensive, horizontal and strategic endeavour that binds together different aspects of security: organizational, personnel, physical and information/cyber security. Cyber security is not to be confused with, or to be reduced to, IT security.
(2) Accordingly, my second piece of advice is that a CSO or CISO is first and foremost a security management professional, not an IT engineer on the security detail. The assumption that someone who has been taught, for example, computational science, math, physics or electrical engineering is automatically a security-savvy practitioner when dealing with the security aspect of digitization is, in my experience, with very few exceptions, a mistake.
Security is part learning, be that security-immanent topics or security management. But a big chunk is the practice, the experience, the internal and external contact networks and the bits you cannot pick up with a professional certificate, such as: how do I explain cyber security needs and requirements to my boss, the executive team or a cabinet member in a way that they as business leaders can relate to the topic and assess the appropriate course of action?
I have seen talented IT professionals, who well understand security and its requirements; in turn, I have experienced the intense frustrations of some IT-specialized colleagues, though without security management know-how, in the face of scuppering entire corporate cyber security programs.
10. Lastly, if you could give your 23-year-old self just one piece of career advice, what would it be?
Stick to your guns and find your way through the occasionally bewildering security jungle. I originally moved from academia into the private and public sectors. In academia, I had to engage with the topic of security from square one; there was no compact way to learn about cyber or corporate security, such as a CISM or CPP.
My introduction to the subject of cyber security happened when a crisis landed on my desk in 2010 and I had to make sense of what I had so far learned about the subject matter and its wider context, i.e. that the crisis was not a technological, but very much a composite, challenge, involving people, organizations and technologies.
Studying security from the ground up, e.g. corporate, national or international security affairs, will always provide you with the fundamentals of a comprehensive, strategic understanding you need in order to understand the underlying and at times less than obvious complex interrelationships and, hence, also the challenges of cyber security.
Professional certifications are always a welcome addition to a professional skill-set, but no substitute for fundamental security know-how. Thus, all vicarious knowledge about cyber security cannot compensate for the actual practice of corporate cyber security.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.