Prior to the conference, we had the privilege of interviewing Lars Minth who shared his insights on some of the challenges for a secure digital transformation in cyber security, how cyber professionals can build a strong culture of cyber security, and how to defend against the latest malware threats.
Lars Minth holds the position of Group Chief Information Security Officer for the Swiss Securitas Group, comprising 20+ companies in the DACH area that have focused on security and safety for over a century.
Lars was a panelist in the session “Security measures: How to balance acceptable risks against convenience while transforming digitally?” together with Scott Cruickshanks (Executive Director – Cyber Security & Technology Controls at JP Morgan), Alina Matyukhina (Head of Cyber Security at Siemens Smart Infrastructure Global HQ), Carlos Arglebe (Head of Cyber Security at Siemens Healthineers) and Philipp Grabher (CISO at Kanton Zürich) at the Global Cyber Conference 2022.
What is the number one challenge for a secure digital transformation in cyber security?
Digital transformation without cyber security is a recipe for disaster. In companies’ haste to digitalize in order to respond to a global crisis like Covid-19 or supply chain challenges, or just because all the others are also digitalizing, a crucial step in the process, cyber security, is very often skipped.
Traditionally digital transformation is divided into four categories – domain, process, business model and organizational/cultural – and naturally generates a tidal wave of connections and data. This “wealth” of information surely provides new opportunities for innovation and optimization, hence a good EBIT, but also renders organizations vulnerable to data breaches and cyber threats.
This means that organizations are often spending millions on the digitalization of their processes only to risk a data breach that costs around 5 million dollars per breach on average. Just do your calculations if you are revenue-oriented.
Now we are at the point of pinpointing the number one challenge: proper company data politics and data management. This sounds weird, but the Cyber Security Leader also has to take care of neighboring disciplines in order to pave the way for good strategic cyber security measures. So, I say that cyber security travels with the data nowadays, i.e., data security dominates the different cyber security challenges. The Cyber Security Leader needs to consult the mentioned side disciplines and therefore needs a sound business backpack as well.
Stepping three steps back, the main challenge is still the fact that the problem lies with unknown surprises, sometimes called Black Swans. Reaching out beyond resilience and longing for an antifragile approach in order to secure digital transformation is my personal advice here and the defined strategic way to go with my employer, the Swiss Securitas Group.
How can security leaders better help their organizations build a strong culture of security?
The culture of security is in the heads of all employees. How do you approach the company’s board and the janitor in order to let them learn, intrinsically and in one go, not to open suspicious emails with nice attachments?
And here we are. While the financial sector has incredible, and sometimes terrifying, internal communication structures, worse than the military forces of the seventies, small businesses and more modern companies do have established channels to reach their people.
A pivotal point here is a perfect match and relationship with the company’s central communication team – which very often is also responsible for internal/external marketing – plus the Human Resources team.
Surely the traditional way is to publish regulations spread across the intranet and have them signed via HR. A change of the culture of security needs a pedagogical, maybe even a psychological, approach understood by the Cyber Security Leader. Instead of extrinsic and enforced regulations and orders, it is necessary first to study the clientele and learn about the different types of characters in your company. Once one understands how the CEO ticks and knows the janitor’s business motivation in order to close all windows in the evening, then awareness can start.
In order to better help their organizations, security leaders need to establish an understanding of the employees’ business motivation, plus have a backpack of pedagogical and psychological methods at hand – or a specialist at hand – while cooperating with HR and Communication/Marketing.
What practices would you recommend to small businesses defending against the latest malware threats?
Small businesses do not have the financial budget to establish their own team of “up-to-date” malware specialists or things like that – even if they do understand the importance of cyber security.
So, seek a trusted partner that specializes in security, but keep a specified level of cyber security capability inside your own SME.
Ok, what are the latest “malware threats”? Ransomware via phishing emails? Malware is defined as any software intentionally designed to cause disruptions. Any recommendation, therefore, is dependent on the business area of the SME (e.g., securing critical infrastructure or running a supermarket), the threat itself, and the accepted risk appetite.
Basically, SMEs must understand the necessity of cyber security and then decide to what degree they need to outsource activities like SOC, SIEM, phishing email handling, or hardening of the ICT infrastructure. This degree of engagement depends on the current cyber security capability of the SME, the budget, and the business they are running, hence the specific sectorial threats.
What do you foresee will be the biggest obstacle for security leaders and practitioners to overcome in 2023 and beyond?
These are the years for security leaders!
Surely it takes time to penetrate all the companies’ board levels, especially in the more traditional sectors of the global economy, to raise the security budget, but the chance for the voice to be heard is the best it has been in decades.
So, the biggest obstacles are the security leaders themselves. The change from compliance-driven men-in-black to welcomed business advisors to the board is still ongoing in 2023 and years ahead. The security leader must take care that he/she is capable of understanding the business beyond the cyber threats:
- operational risk management
- buying behavior of the company’s customers
- the business motivation of all the employees.
These are just fragments of capabilities the security leader needs to take into consideration when deciding on a costly approach to buying a SIEM, SOC, or security solution.
In my eyes, the security leaders’ openness and capability to self-develop in the mentioned neighboring disciplines bring the necessary understanding of what is possible when drafting nice cyber security strategies and measures in order to persuade the board to follow.
One of the more central challenges or obstacles here is the disruptive approach of overcoming the fragile situation by jumping, via sound resilience, into an antifragility that seeks more upsides than downsides. This topic has matured in the meantime, but I see a lot of space to explain, discuss and persuade people to tackle the obstacle of not remaining in historical security patterns. Leaving the comfort zone is the number one obstacle!