Ahead of the Global Cyber Conference, Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, takes the opportunity to speak with Roman Zoun, Cybersecurity Innovation Lead at Adnovum, a high-end software and security engineering company based in Switzerland. Roman shared his insights on the risk and reward trade-offs between technology innovation, security compliance, and business impact, key considerations for building a cyber-risk management strategy, and how to implement a healthy cybersecurity culture.
SA: Dear Roman, in this incredibly fast, complex, and competitive environment, could you tell us how Adnovum supports CIOs and CISOs in playing an increasingly strategic role in their organization?
RZ: We support CIOs and CISOs in different ways, from analyzing and managing an ISMS to quality assurance of the security controls. However, I would focus on our top-down approach here. We help companies establish a guide to cybersecurity by quantifying their cyber risks.
To do so, we create a virtual dashboard to monitor identified risks according to their impact on the business. Starting from the top of the list makes it easier to allocate budgets to mitigate these risks. In addition, business and IT managers on all levels make informed decisions that improve the company’s cybersecurity posture.
Let me give you an example. The biggest risk for the stock exchange is the failure of the digital system. If this happens, you may need to first take care of denial-of-service attacks. By involving business stakeholders from the start, a CIO or CISO can provide technical background information and turn the narrative from impediment to creation of business value.
We support CIOs and CISOs in aligning all stakeholders and thus developing a clear security vision based on company specifics. Everyone, from stakeholders to the application team, will understand why multifactor authentication is needed to protect sensitive customer information and which business processes, business assets, and security assets are protected in this way.
“Innovation without a strong security concept leads to additional cyber risk exposure.” (Roman Zoun, Adnovum)
SA: CIOs need to fulfill their innovation value-added agendas in an environment of rising economic pressure while maintaining a high level of trustworthiness of the new technologies being introduced. How do you evaluate the risk/reward trade-offs between technology innovation, security compliance, and business impact?
RZ: Technology innovation must be backed up by appropriate security measures to make sure that when moving fast you are not leaving an open window. For example, isolated test environments or even micro-segmentation with test environments to explore new technologies without impacting production can accelerate innovation while keeping assets secure.
In our top-down cyber risk assessment, the business stakeholders are involved from the start. Hence, the outcome is a prioritized list of risks and mitigation measures tailored to companies’ most valuable assets.
This list allows them to focus on the risk scenarios with the greatest business impact and to balance risks and rewards. It also implies that companies know both the risk impact and the reward impact for the business. This trade-off should be understandable for all decision-makers.
SA: From your perspective, what are some examples of too much innovation focus at the expense of cyber-risk exposure, and what is a well-balanced approach for companies?
RZ: Innovation without a strong security concept leads to additional cyber risk exposure. The security concept must be based on a rigorous risk assessment, which uncovers and addresses potential vulnerabilities.
For example, accessing sensitive information over an unencrypted channel may lead to data exposure, even inside the company perimeter. Another example: if a new tool collects customer data from multiple countries in the same data store, this may result in non-compliance with data protection laws. A consistent security concept prevents exactly these types of cyber incidents.
But what is a well-balanced approach? The only way to make informed decisions and balance innovation, time to market, and security is to create a security concept based on all your innovation projects’ risks.
SA: With the increased use of new technologies, organizations have set up a large attack surface that opens the door for potential cyber-attacks. What are some of the key considerations companies should be aware of when defining their cyber-risk management strategy?
RZ: Risk management is not only about technology but also about people and processes. It requires a culture of cyber risk awareness and common security objectives across the company.
Key considerations include the threat landscape, business resilience objectives, critical internal processes, the Zero Trust paradigm, the security concept, and risk monitoring. Defining a cyber risk management strategy requires a major effort. Therefore, it might be advisable to get support from an expert.
SA: I recall Bruce Schneier stating that “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” To what extent do you agree with this statement?
RZ: This statement goes hand in hand with the top-down cyber risk assessment approach. This approach is threat-driven – it means that you start by identifying critical business processes and end up with defining mitigation measures for key risks.
Only when you have identified the risks do you move on to technology, which is the final step. By using our approach, you gain a holistic view of your digital systems and potential vulnerabilities, i.e., there are no blind spots in your security posture. Hence, I fully agree with the statement.
SA: Implementing a healthy cybersecurity culture in a workplace plays a vital role in the entire organization’s security posture. What are some of your key recommendations?
RZ: A healthy and strong cybersecurity culture doesn’t happen overnight. It needs to be continuously nurtured and cultivated. Some key recommendations: get your leadership team on board, foster accountability, raise awareness, make communication easy, and test with real-world scenarios.
Most problems are due to people’s lack of awareness. Human error is the biggest reason for data breaches. This shows that traditional security awareness training is not solving the problem. The compliance-based awareness campaigns are outdated.
Companies need to invest in holistic behavior and change programs to transform the culture. Instead of just pointing out how bad phishing is, organize phishing email creation workshops with your employees to show them how easy it is to write such emails and how dangerous they are. The goal is for employees to work in a secure way, hence, intrinsic awareness is needed.
SA: Many companies have realized the strategic long-term importance of addressing cybersecurity as a core value. How does it translate into a competitive advantage?
RZ: There are different scenarios for different business models. In B2B, cybersecurity is a requirement that allows companies to prove their compliance with certifications such as ISO 27001. But being certified and truly being secure are two very different pairs of shoes.
If you are a SaaS company that needs people to trust in its infrastructure, you can emphasize what you do beyond compliance: for example, storage or backup governance or data privacy management. Such measures – depending on the customer segment – reduce the customer’s risk, which is a competitive advantage.
If a business is “cybersecure”, it means it is resilient. By combining innovation with appropriate security, you can move faster than your peers without taking additional risks. If we look again at SaaS companies, the biggest asset making your business competitive and resilient is “customer trust”. Hence, having cybersecurity as a core value allows you to preserve this trust and remain an attractive service provider.
SA: Thank you, Roman, for sharing those great insights. We are pleased to have Adnovum as a Global Cyber Conference partner and look forward to hearing more about it in your track session.
Roman Zoun delivered a track session at the Global Cyber Conference 2022 on the topic of “Innovative top-down approach to cybersecurity risk assessment”. In this practical session, attendees discovered some of the shortcomings of classical approaches to cyber risk management, based on lessons learned while building secure IT infrastructure for Swiss brands such as UBS, Twint, Holcim, and PostFinance.