GCC interview series tom hofmann

Ahead of the Global Cyber Conference, we have undertaken a series of interviews with some of our speakers featuring on stage in September. 

We recently caught up with Tom Hoffman, CISO at the Department of Security Canton Zurich and a cyber-security enthusiast with a passion for human-centered design and innovation. Tom was leading a track session at the Global Cyber Conference 2022 on the topic of “Human-centered design and cyber-security: The underestimated role of organizational design in shadow-it and breaches” on September 22nd. This 30-minute track session will take place in the library room and will provide our delegates the opportunity to deep dive into human-centered cybersecurity and behavioral change in information security.

Almost all successful cyber breaches share one variable in common which is human error. To which extent do you consider that people are most often the problem? And what are the best practices for preventing human errors and security mistakes?  

Firstly, I do not see people as a central problem or error for that matter. They are an essential part of our organizations and our societies. Security incidents happen mostly because of poor cyber-security and organizational design. 

I am totally against the term “human error”. Breaches occur due to many distinct factors. Was it because someone clicked a link? Maybe. But links are meant to be clicked. The paradigm of the assumed breach and the concept of defense in depth is still incredibly helpful and effective. Furthermore, we need to ask how organizational design contributes to such attack vectors. Organizational stress, lack of resources, budget cuts, etc. are enormous stress factors that inevitably lead to risky behavior and workarounds. If we continue to neglect them, we are doomed to fail repeatedly.

As there has been such a surge in remote working, this has created concerns for cybersecurity specialists, exposing companies to many cyber threats. What major preventive measures would you recommend a company takes to close those gaps?  

As stated above, we need to strengthen our defensive posture with proven concepts such as defense in depth and assume breach. Remote work, cloud, and smartphones are realities, and business requires flexibility. Therefore, it is our task to enable the business and find solutions that can prevent and mitigate cyber risks. There is no single action or control that can achieve this.

Artificial intelligence (AI) and machine learning (ML) are playing an increasing role in cyber security. Can AI-based cyber security be a complete replacement for human security staff?  

Human ingenuity, creativity, and empathy are irreplaceable. Such algorithms can support human operators, and free up time for more interesting tasks, but they cannot replace them. Organizations who see technology as a possibility to save on people costs will lose significant abilities in their cyber-security organizations.

What do you consider to be the biggest hurdle for organizations in the fight against ransomware? 

The commitment to cyber-security as a top priority. This means not only talking about it but truly taking it seriously. Cyber-security is a board priority, and CISOs need to be heard at that level, and they need resources. Financially, technically but also personally. Without this an effective defense against any cyber threat is futile. 

Could you please share with us your top 3 reasons for attending the Global Cyber Conference in Zurich?  

The conference gathers interesting speakers and panels, but even more, a place to meet, interact and network. A place where experts and specialists can share their insights and benefit from each other’s experiences.

What are your initial thoughts on the Global Cyber Conference’s key themes and according to you, how strategically the themes are set?  

Personally, I am very much intrigued by the topic of human centricity. On the one hand, as a CISO who leverages human-centered design on a daily basis, to achieve innovative solutions that combine technical feasibility, business viability, and foremost, human desirability. But I am also a researcher with many years of active work in that field.