In this episode of our Security Expert Interview Series, we interviewed Marc Vallotton. Marc is an experienced Information Security Officer with a demonstrated history of working in the banking industry. He is skilled in enterprise risk management, identity and access management (IAM), risk management, and information security. We discussed the must-have soft skills an Information Security Officer should have, key requirements for ensuring enhanced information security for the banking industry, and other areas. To uncover his thoughts, continue reading the full interview below.

1. When did you first think of “Information Security” as a career? 

Never did in the sense that I planned my career to move into this field. I’ve been in InfoSec full-time for 20 years now and when I was working for IBM in the 1990s, I began to realise that computers and the internet would require dedicated security practices, I decided I  wanted to be part of this and grew into it. It was not all new, after all securing communications and protecting secret information has been a practice for ages. And then,  when I was preparing and running classes about hacking and how to protect oneself against it, it became totally apparent to me that protecting digital assets will eventually be a  respected and serious business. 

2. What are 3 must-have soft skills an Information Security Officer should have and is  technical background really necessary? 

Negotiation, because you’ll have to discuss risk situations and be able to uphold secure practices while not sacrificing business requirements and user experience. Open-mindedness, because you’ll have to learn a lot of new stuff about your job, your employer, your colleagues, and sometimes about yourself. And, finally, collaboration, because  Information Security Officers will have to work with many different roles or teams, such as IT, legal, audit, compliance, and a number of others, based on your specific environment.

In regard to a technical background, that also depends heavily on the job profile you’ll be asked to cover. In larger organisations, it will be less of a challenge if you’re unfamiliar with technical terms and concepts, while in smaller companies, it will require some learning if you have a non-technical background. In general, it will definitely help if you have it. 

3. You have several years of working experience in the banking industry. What are the  2 greatest cyber risks that presently threaten the banking industry? 

That’s a tricky one to answer. As also stated further below, the threat landscape is in constant movement (arms race), which is an obvious result of the evolving world in terms of becoming more digital and more interconnected. Now, all this digital data becomes more valuable, while the threats from cyberspace grow in numbers, in capability and in size. The risks, however, remain the same: loss of confidentiality, integrity and availability.

I see lines everywhere becoming more and more blurred; lines between networks, lines between employees and employers, lines between work-related and personal life-related activities. We use career platforms, we work remotely from anywhere, we dynamically connect to other people and other organisations. Therefore, in my view, the biggest cyber-related risks are rooted in the very change we are seeing: Interconnectivity and the resulting complexity. It is much more difficult to control and detect anomalies. 

4. What are the essential requirements for ensuring enhanced information security for the banking industry? 

In management summary style reply: Buy-in from the board and active support from senior management. Every organisation reflects the strengths and weaknesses of its leaders, so if you can convince your bosses to visibly support your objectives, you’ll be halfway there. In order to make your boss listen to her or his information security office, you have to give them valuable insights into what you are doing.

Assemble reports, deploy dashboards, cultivate awareness feeds – if possible, role-related – because you can’t manage what you can’t measure. And then engage the rest of the staff by letting them know everyone needs to be a part of the overall security setup.

5. As a matter of fact, the banking sector is a highly interconnected sector, that banks integrate their systems with 3rd party vendors in order to increase customer experiences. Does greater interconnectivity also give rise to novel security risks? 

More complexity always bears more risks and integrating with third parties increases them likewise, of course. It happens in many industries, not only in finance, and I guess it’s a sign of our times. None of my fellow Information Security practitioners were surprised by the recent supply chain mega-hack based on the SolarWinds products, I believe. Risks spawn at all intersections of processes, so we’ll have to deal with them carefully going forward.

The challenge will be that we’ll have to find ways that allow us to decide whether a certain 3rd party is trustworthy or not. The risks spawning from this trend are, in my mind, not specifically new but the risk responses potentially are. I see certifications, assessments and security-related audits becoming more and more important because they will help us in deciding if and with which potential business partners we want to grow our businesses.

6. How does the implementation of Artificial Intelligence (AI) in the banking sector can help combat cyber-attacks? 

It’s being used more and more on both sides of the battlefield. It’s an arms race out there and attackers often have an abundance of resources, both in financial and human labour terms. It will be used by them, so more and more players in the financial industry will have to use it as well to reinforce defence capabilities and be able to withstand. ML- or AI-driven attacks will be so fast, dynamic, and much more targeted than conventional ones. 

7. How organisations in the banking sector can turn information security into an opportunity to differentiate themselves in the market and therefore, gain the trust of their customers? 

Organisations in any sector have a competitive advantage if they make information security a priority. Think of the Finnish psychotherapy company Vastaamo which went bankrupt after a cyber-attack where thousands of patient records were stolen due to weak security controls. I actually would like to reverse the statement and claim that organisations that don’t apply decent security will have to deal with a disadvantage.

Personally, I’d rather go for products or services which are less premium if I knew that the company behind is doing a good job at securing their systems and data. In some industries it’s not even a question whether serious information security is an opportunity – it’s simply a requirement. 

8. How do you see the information security world evolve in Switzerland during the rest of 2021? 

I suspect we’ll see more demand for all sorts of IT and information security roles in general as the Covid-19 situation continues to accelerate the digital transformation. With more and more businesses and services evolving in and into the digital world, more opportunities will also be created for cybercrime. Ladies and gentlemen, I believe if you are working in this field, you are not only protecting the data of your employer, or client, or business partner,  you’ll be helping to protect our society. 

9. What are your 3 go-to sources of information when you are stuck? 

My personal archive of material collected throughout the years, because some things never change. While the majority of the content is outdated, it always serves as inspiration and often helps me remember previous challenges and how I dealt with them. Which in turn gives me old and new ideas.

My collection of security-related RSS feeds which are, in my opinion, a much better way of consuming news and relevant information than scouting through all the online sites. And then, what used to be Altavista, is nowadays Google. Or a handful of specialized sites, such as Shodan. 

10. What are your 2 pieces of career advice you would like to give to people who are just getting out of university and are interested in a career in information security? 

You’ll need some knowledge and understanding of a number of key topics, such as the underlying technology, risk management, and how to work in a multi-faceted environment. As an Information Security specialist, you’ll have to deal with business-driven people, as well as with technology-oriented roles, such as engineers or software developers. You’ll have to build bridges between these two worlds, understand how they tick, and then bring them together.

Starting with a consulting position is certainly beneficial. Or depending on personal preferences and background, develop yourself in your area (business or technology) and strive to learn about the other area with information security on your mind. What will really make a difference in the end, I believe, is if you engage yourself with passion and enthusiasm, the rest will follow.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.