In this interview, Bart shares his views on communicating security investments ROI to other stakeholders, looks at some of the most underrated skills in the cyber security industry, and reveals his cyber security predictions for the upcoming years.
Bart Kulach is Chief Information Officer at NN Life and Pensions Turkey and International Information Security Manager, NN Group. A hands-on security and technology expert and a regular speaker at some of the largest hacking conferences, including DefCon and BlackHat, Bart was a panelist in a session entitled “What does successful cultural change around cyber resilience look like” together with Raphael Reischuk, Head of Cyber Security Services at Zühlke, and Jürgen Paulmichl, Chief Cyber and IT-Security Officer at ZF Friedrichshafen, at the Global Cyber Conference 2022.
The cost of cybersecurity failure constantly increases. Is this trend going to continue forever, and what is your best advice for companies to protect their business?
There are several drivers that influence the costs of cybersecurity failure that we need to consider: costs of re-work, possible regulatory fines or costs of legal proceedings, a reputational loss that may impact future sales figures or lead to shrinkage of the current customer portfolio, etc.
While this makes it difficult to predict the cost trend, there are two key factors that can help us limit the exposure and thus limit the risk: one being a shift to a secure-by-design model where possible, the other being a cultural change of mindset to focus on swift, smart recovery strategies rather than trying to identify and prevent every possible risk.
What advice would you share with information security leaders when it comes to communicating security investment ROI to other stakeholders?
My main advice is to make sure that you explain the ROI in the context of your business. Security investments, just like infrastructure or other technology investments, can and should always be linked to specific business goals or benefits.
My preferred method when it comes to discussing security-related expenditure is to show a concrete amount of potential losses that can be avoided if we invest properly in specific security and technology initiatives, or by presenting non-financial benefits like increased reliability, availability, or other parameters that positively impact customer trust and may help drive overall customer or employee satisfaction if implemented.
What would you say is the most underrated skill in the cyber security industry or the skill you wish more people spent time developing?
From my perspective, we, as a cyber security community, still have a long journey ahead to build up in-depth business knowledge and proper communication skills. Cyber security is a vital part of the business ecosystem, and it complements almost every area rather than being a silo on its own.
While business profiles may vary, and so do the hard skills required to be successful in a specific industry or company, understanding the business needs and being able to translate the business context into a specific threat landscape (and thus also identify the needed controls) is one of the key success factors of the cyber security function.
The same applies to being able to speak the business language and communicate the needs and requirements of the cyber industry to the business, which helps build a dialogue and a common platform both sides (business and IT / security) can benefit from.
What significant changes do you see occurring within the information security landscape over the next 3 to 5 years?
Looking at the dynamics of the technology and cyber security market, I do expect several developments over the next few years:
- intensified use of automation on the adversary side, which will trigger an increased need to utilize AI and automation to better detect and (to an extent automatically) react to potential threats or incidents;
- in line with the above, an increase in “new-old” vulnerabilities that haven’t been identified for years due to the unavailability of computing power or tools;
- reshuffling of the cyber tooling market due to the adoption of cloud-native technologies which will limit the market for more traditional or on-premise-based solutions.