Security Expert Interview Series: Andre Maeder
We recently interviewed André Maeder who is a cybersecurity professional for 20 years and is currently working as CISO in the project “Justitia 4.0”. The project aims at nothing less but digitalizing the Swiss justice system. As you can imagine, there are plenty of opportunities and necessities from an information security and data privacy viewpoint. His broad background as an IT professional, having worked in different industries, helps equally as his broad education and further studies to support the project’s claim “For a secure digital justice system – so that the path to justice no longer leads over mountains of paper”.
1. Firstly, thank you for taking part in this campaign, Andre. How did you first get involved with information security? Could you share a project or inspiration with us that prompted your involvement?
I first got involved with information security hands-on in 2013 while working in the pharmaceutical industry. As IT project manager, I got assigned a vast initiative to strengthen the cybersecurity posture and processes for continuous remediation of vulnerabilities.
The project was placed with impacting the objectives of IT personnel and I added an IT-Security expert to support me on the cybersecurity technical elements of the project management. Both allowed me to have a successful deep dive into the topic of information security. It also sparked my interest to stay on the topic even after the one-year project was completed. I achieved that by moving to a role as Senior IT Auditor with a focus on cybersecurity and data privacy before landing at my current role.
2. We noticed that you are currently serving as Chief Information Security Officer (CISO). Could you please tell us what are the major challenges that excite you in that position?
For CISOs in general, I believe a major challenge is the speed of change regarding threats, new and changed regulations, and user behavior. As a CISO in a project, there are some specific key challenges related to staying on the timeline in a secure manner and the pace at which questions appear and need to be answered.
3. Based on your experience, what do you think are the most essential skills that CISO should have?
A must-have is the will to continuous learning, on-the-job and institutional. Further, it is essential for a CISO to have persuasive and expressive communication when it comes to the setting of priorities.
4. As a matter of fact, insider threats are a massive problem for organizations across many industries, particularly now with new remote-working arrangements. How can organizations stop and prevent these threats?
Organizations can reduce the likelihood and impact of insider threats. A multi-layered approach is needed spanning from tone-at-the-top to enforced and granular access controls. It must be clear that damaging the organization by any means is not accepted and consequently sanctioned. Awareness training and spot-checks are helpful instruments when used in a positive way (congratulate the ones that found the phishing test and report on the ones that failed on a statistical level only).
On the side of safeguarding organizational valuables, it is required to use state-of-the-art technology to ensure effective and efficient protection. That very much includes treating risks related to remote-working.
5. What advice would you share with other CISOs when it comes to communicating a ROI for security investments to other stakeholders?
The said communication is a key element on every CISOs agenda. First of all, you have to understand the level of understanding regarding Cybersecurity of the stakeholders. The calculation of security investments is based, among others, on the agreed risk appetite.
If this is not defined and/or no continuous adoption process is in place, you need to enable the relevant stakeholders to do so. Once that is achieved, you need to communicate the planned spending across the entire risk landscape, I recommend using the five functions of the NIST CFS for that. Make sure there is an understanding that funding is also required for responding to successful attacks.
The projection of the ROI in a project environment brings added complexity since the circumstances are even more volatile than in a steady organization/situation. On the positive side, making changes on the financial and technical sides is usually quicker in projects.
6. What do future information security careers look like? Any strategies you would like reveal to future-proof a career in this industry?
IT in general and information security, in particular, have always seen various different backgrounds of people in related roles. I see that as a strength and would therefore not set a focus for future-proof on the origin of coming experts.
As mentioned earlier in the interview, an essential skill for security careers is continuous learning. To me, this includes communication and listening skills. It also means you need to have a natural interest in building and supporting a network of people and organizations. Oh and reading should be something you like, think of all the regulatory papers…
Overall, my own strategy has been to pursue a career in a role that does not trigger thoughts about work-life balance but more of work-life integration: working on topics I have a personal and genuine interest for.
7. What significant changes do you see occurring within the information security market over the next 5 years?
The importance of information security and thereby its professionals will continue the trend and become even more relevant.
I see a strong tendency in seeking technical-only remediation of information security risks. Whilst these are and always will be important, I also believe that the personal touch and behavior will have a revival. Trying to technically strengthen the weakest link has its limits and so I trust that the information security market will expand and cover more interpersonal topics over the coming years.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.