Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, talked with Daniel W. Seiler, IT Project Manager for the National Cyber Security Centre (NCSC) in Berne, Switzerland. In this interview, Samir discusses with Daniel the key steps an organisation should take to effectively respond to and recover from a potential cyber-attack, as well as problems and solutions in the field of cybersecurity, such as measuring the value of cybersecurity professionals, and business disruption and reputational damage in the context of cybersecurity.

Many chief information security officers (CISOs) see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

As the role of cybersecurity professionals evolves, it’s crucial for us to understand that cybersecurity is not just a technical issue, but a business one as well. To stay ahead, we should continuously broaden our knowledge, build strong relationships with business leaders, and remain agile in adopting new technologies and strategies. Emphasizing communication and collaboration within the organization is key to staying proactive in the face of emerging threats. And, just like a Swiss Army knife, we need to be versatile and adaptable!

Common ways to assess the value of a senior executive to an organization’s business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?

Measuring the value of cybersecurity professionals can be challenging, as it involves both tangible and intangible aspects. Beyond the obvious impact on the bottom line, organizations should assess our effectiveness in terms of risk reduction, incident response time, employee awareness, and compliance improvements. At the end of the day, we’re here to help the organization establish a strong security posture, protect its reputation, and enable business growth.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

Having a cybersecurity expert on the board ensures that cybersecurity is a top priority and is integrated into the organization’s overall strategy. Who the cybersecurity expert reports to is less important than ensuring that they have direct access to decision-makers and the ability to influence the organization’s cybersecurity approach.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

Building cyber resilience is like assembling a jigsaw puzzle – it requires a series of interconnected steps. The five key steps we recommend are:

  1. Conducting a comprehensive risk assessment.
  2. Developing a robust cybersecurity strategy.
  3. Creating a kick-butt incident response plan.
  4. Regularly testing and updating systems and processes.
  5. Fostering a culture of cybersecurity awareness among employees.

Prioritizing and allocating resources is like choosing the right puzzle pieces – focus on risk exposure, potential impact, and business objectives.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

The most overrated trend in cybersecurity is the excessive reliance on automation and AI. While they have their benefits, they aren’t the magical cybersecurity unicorns some might believe. Effective cybersecurity still requires human intuition, critical thinking, and the ability to adapt to ever-changing threats. Remember, there’s no substitute for good old-fashioned human brainpower.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

The most underrated aspect of cybersecurity is the human element – often overlooked but essential. Organizations should focus on training and empowering their employees to recognize and prevent potential threats.

While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?

Achieving management consensus on cyber risk involves balancing competing interests and priorities. As cybersecurity professionals, we must bridge the gap between technical and business perspectives while advocating for the necessary investments in cybersecurity.

The nature of recent cyberthreats has tended to focus on business disruption and reputational damage. Is this what you have experienced and if so, how does this impact your organisation?

Business disruption and reputational damage in the context of cybersecurity can feel like constantly putting out small fires. In my experience, we can effectively manage these challenges by maintaining a strong security posture, fostering a culture of cybersecurity awareness, and having a well-prepared incident response plan that is ready to be deployed when necessary.

Adding emerging technology to legacy IT increases the complexity of an organization’s digital environment. What are the key elements required to balance the value of new technology with the potential for increased cyber risk that comes with it?

Balancing new technology with increased cyber risk requires a comprehensive approach. Collaboration between IT, security, and business teams is essential to ensure the benefits of new technologies are realized without compromising security or accidentally opening a Pandora’s box of cyber threats.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?

To address talent shortage and staff retention challenges in cybersecurity, we should think like talent scouts, identifying and nurturing diverse talent, offering training and development opportunities, and creating an inclusive work environment that values different perspectives and skills. Mentoring and promoting internal talent can help build a strong, committed cybersecurity team that’s ready to tackle whatever challenges come our way.

According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?

WFH can be both a blessing and a curse for cybersecurity professionals. On one hand, it offers flexibility and can attract top talent; on the other, it presents new security challenges. The key is to find the right balance between enabling remote work and maintaining a strong security posture. As cybersecurity professionals, we must be like tightrope walkers, delicately balancing the needs of the organization while ensuring we don’t fall into the abyss of cyber threats.

What do you look forward to most at this year’s Global Cyber Conference?

At this year’s Global Cyber Conference, I’m looking forward to diving into the cybersecurity “all-you-can-learn buffet”, connecting with fellow professionals, discovering the latest trends and innovations, and sharing ideas and experiences that can help shape the future of cybersecurity.