In this interview, Philipp discusses cyber resilience, what companies should be doing to protect themselves from external cyber threats, and his cyber security predictions for the upcoming 5 years.
Philipp Grabher is the Chief Information Security Officer (CISO) of the Canton Zurich and responsible for its cyber security strategy. Further tasks include ensuring adequate cyber security resilience in the cantonal administration, planning and carrying out security assessments and audits, raising awareness, and developing the necessary security policies. He was one of the opening keynote speakers at the Global Cyber Conference 2022 on the topic of “Cyber security in Switzerland: from a public sector perspective”.
Cyber security focuses on protecting data; however, that is no longer sufficient, meaning that businesses need cyber resilience. What does cybersecurity resilience mean to you, and how can businesses achieve it?
As a foundation for cybersecurity resilience, each organization must do its “homework” on basic protective measures, including cyber risk management, vulnerability management, identity and access management, and enhancing your risk and security culture.
We all know the defender’s dilemma, which states that “breaches are inevitable because defenders must be right 100% of the time whereas attackers only have to be right once”. The good news is that there is also something like an attacker’s dilemma – as many cyber-attacks typically take a while to conduct, we as defenders have to be able to detect breaches early and have established processes and backups in place to respond should an incident occur.
Furthermore, an organization must prepare for the worst case and have an appropriate crisis and communication plan in place. Obviously, those procedures should be trained and updated regularly. In this context, anti-fragile practices should be applied by intelligently “shocking” one’s infrastructure and processes to learn and restructure it.
The costs of cybersecurity failure constantly increase. Is this trend going to continue forever, and what should companies do to adequately protect themselves?
For us, the acceptance and success of the security function will crucially depend on our organization’s meaningful and up-to-date risk landscape. We see that more and more board members or risk owners in different organizations do not trust classical risk assessments anymore, as in most cases, the impact and probabilities are subjective estimates.
With this approach, you are running into problems when trying to decentralize the risk decisions of your organization – you often get inconsistent results on similar assessments. Furthermore, no historical data is available in cybersecurity, and the threat landscape is changing fast.
Hence, we at Kanton Zurich are looking into alternative approaches and trying to work with risk scores instead of the classical risk matrix. Based on the assessment, potential countermeasures are automatically suggested, which should aid in decentralized risk decisions. Furthermore, the risk landscape should be updated regularly. This could be done by continuously integrating various trustworthy data sources into risk assessments, e.g., the analysis from security rating services, regulatory compliance reports, or findings from vulnerability scans.
Having risk management for cybersecurity that offers transparency, uses trustworthy and up-to-date data, and delivers reproducible results is the foundation for buy-in from the board members and the risk owners. That way, cyber risks can be discussed from a business perspective, and resources can be allocated accurately.
Considering the rapid increase in cyberattacks, what do you believe will be the major trends likely to emerge in cyber security over the following 3 to 5 years?
Given our increasing dependence on digital technology, the rise of digital currencies, and the emergence of the metaverse, the issue of whether we can trust the applications we use and the third parties we interact with will play an even more critical role in the future.
Today, cyber-attacks are the top risk for all businesses, and this trend will most likely continue into future years. Many organizations will use cybersecurity maturity as a vital component of whether to conduct business with another party or not. Hence, it will be of interest for an organization to demonstrate that it is a trustworthy and secure participant within the digital landscape. A good posture in cybersecurity will become a quality feature comparable to a Triple-A rating in the financial markets. Companies will also start integrating cybersecurity into their environmental, social and governance (ESG) goals to promote digital trust.
As the role of the CISO keeps transforming from a technical subject matter expert to a board-facing business enabler, security leaders of the future need business acumen and communication skills, must be experts in cyber risk management, must be able to influence a wide range of groups, and must bring mediation and conflict resolution skills.
Furthermore, there will be a huge market for big data analytics and automation in the future. Combining threat intelligence sources with a real-time risk landscape of an organization will make it possible to proactively bolster cyber defenses with economical use of resources.