Security Expert Interview Series: Toni Sulankivi
We are excited to announce our next interview with Toni Sulankivi, Head of Cyber Security, working in the energy sector. Throughout his career, Toni has been consulting, auditing, training, and hands-on implementing in various information and cyber security domains across a wide range of private and governmental sectors. His interest and passion are in critical infrastructures that require a broad understanding of emerging digital threats and skilled adversaries. In this interview, Toni discusses the greatest threats to energy companies and what approach energy companies have to follow to bolster their cyber security preparedness, and also touches upon other interesting areas.
1. Can you give us an introduction about yourself, Toni? What made you embark upon a career in cyber security?
The biggest driver and motivation for my career has been the love for technology and endless desire just to understand how everything works. Also, I’ve always been curious about finding out how technology can be better used to benefit the world. Cyber security is a perfect cross-disciplined field to explore all aspects of these at once.
I initially started my career as a network engineer and network architect in 2007. I think understanding how everything connects and communicates through the networks was perhaps the best possible vantage point to expand my understanding further into other security domains later. Still today, I consider networks as the most important single asset for cyber security experts. Simply because they see everything, and usually don’t tell you lies.
My career has taken me from Finland and the Nordic regions first to the Middle East, and recently here to Switzerland. I have been lucky to work with many different industries, companies, cultures and challenges along the way.
2. You are currently holding the position of Head of Cyber Security. Could you please share with us what are the challenges that excite you in that role?
In my current position at tiko Energy Solutions AG, I’m working in the sustainable energy field and helping to develop the countless new possibilities around new future energy models globally. However, the new energy models, such as Virtual Power Plant and intelligent Energy Management Solutions, bring along various threats and challenges in cyber security. It’s an interesting combination of wide connectivity, IoT, cloud technologies, Information and Operational Technology (IT/OT), critical infrastructure resilience requirements with an added flavor of personal data protection. Finding the right balance with all these aspects in the mix is an exciting task.
3. Please, describe a way that you help your organisation understand the value of cybersecurity.
Cyber security is mainly a risk management function trying to proactively prevent bad things from happening, so it’s always a challenge to measure and demonstrate the exact value of it before things actually go south. This is why many organizations wake up to it only after they’ve already been hacked and when it’s too late.
Ultimately, the way to succeed is good communication and sensemaking. Helping to see the forest for the trees requires creating an understandable picture for the company’s stakeholders of the interrelatedness of business and technology. To start with, one must accurately identify the most critical digital assets from business perspective and demonstrate this causality against any operational goals. This way you can catch the lowest hanging fruits, enable further management support, and pave the ground for more comprehensive work.
4. What is the recipe for the successful adoption of cyber security awareness within the workforce?
I see huge potential in gamification and adding more interaction to the security awareness programs. Ultimately, one must find a way to understand people’s mind and psychology to successfully convey the message and provoke their own thinking. For me, adding more fun into it is the recipe.
5. We noticed that you are working for a company that operates in the energy sector. What do you see as the greatest threats to energy companies?
Most energy industries are still in the middle of transitioning their mindset from the old traditional physical worldview and siloed island-thinking, to a digital, interconnected, and progressively evolving worldview. Rapid digitalization and wide interconnectedness create many previously unseen synergies and complexity that require dismantling the old thought patterns and mental models.
IoT, smart homes, transport electrification, cloud technology adoption for critical infrastructure use, and fast OT digitalization are just a few of the challenges. Emerging geopolitical tensions are also adding much more depth into the threats with extremely well-funded adversaries and nation-backed offensive campaigns one has against you.
Additionally, energy companies are more and more exposed to people’s daily lives, personal data, and privacy aspects through IoT, smart meters, and new energy business models, which introduce many new challenges to them.
6. In today’s highly interconnected world, reliable energy delivery demands cyber-resilient energy delivery systems. What approach should energy companies follow in order to solidify their cyber security preparedness, and ultimately, survive a cyber incident while sustaining critical functions?
From my experience, the most common and critical pitfall for companies is seemingly the most simple one – not understanding your own environment well enough. Cyber security is and has always been a very unfair game, as there are no rules that your adversaries have to follow. It usually takes only one single unattended door for them to break in, while as a defender you constantly need to divide your attention securing all the possible, countless doors simultaneously. The unfairness of this setup is quite unavoidable.
Therefore, the biggest advantage as a defender is to really thoroughly know and understand your own battlefield much better than your adversary to turn the tides in your favor and beat them on your home ground. Not forgetting to also understand the critical interdependencies with any 3rd parties that your business may rely on.
As a secondary step, professional red teaming wherever possible usually gives the best bang for the buck, which is difficult to achieve via other means. Of course, comprehensive protection requires much more than this, but if failing in these two, the odds will just stay permanently against you.
7. What substantial changes do you see happening within the cyber security domain over the next 3 years?
I think for many companies, the appetite for technological growth has already outpaced the capability to keep up with an adequate level of security and quality. I see a few reasons for this. First, there is a global scarcity of experienced technical experts for specific critical subfields. Also, those who would also possess high-level technological understanding and systems thinking capability are even more difficult to hire and train.
Moreover, the understanding of these people would need to cover not only technological specificities, but the full complex socio-technical ecosystem, architecture, and its business aspects all at once. I think the extensive understanding of enterprise architecture coupled with strong technological leadership will make the recipe for success in the future.
Companies will also have to deeply understand and analyze the meaning of trust in their own business context. Whether it’s trust in 3rd parties, your hosting provider, your employees, or the technology itself. Some level of trust is always needed, but no trust should be established without adequate transparency. This will be more required in the future in both B2B and B2C fields, as well as in every geographical region.
8. What are your 2 go-to sources of information when you are stuck?
Maybe a boring answer, but mainly search engines (with privacy). Mastering the art of filtering out quickly and intelligently any relevant and trustworthy information on the web (surface, deep, dark) is a skill that no cyber security expert can live without. Most of the information we need is publicly available; finding and applying it to practice is the trickier part. I really appreciate the willingness and solidarity of the Internet geek communities out there in sharing information for others and have a deep respect for different open-source projects. I try to contribute to these as much as I can, at least in the form of donations.
For keeping up to date with cyber news, I have also collected several RSS and other streams of information channels for my own customized OSINT feeds. I try to automate this as much as possible to save time.
9. What is the most important piece of career advice you would like to give to people who want to begin to learn cyber security?
Adapting and nurturing the hacker mindset, playfulness, and out-of-the-box thinking early on in your career is important. Keeping in mind that your adversaries obey no rules, so you need to be able to break traditional thought patterns too – and occasionally break some rules (think Kobayashi Maru).
Creativity and ingenuity are the most important assets besides your inner motivation, regardless of whether you will be aiming for technical or managerial cyber security roles. Also, there are usually no shortcuts other than learning by doing. From my own experience, cyber war games and red/blue team exercises are the best motivational boosters and social cohesion builders you can possibly experience.