For our personal email accounts, it is easy for us to spot a potential phishing email. It invariably is a message with a link to click on or an attachment to open. We have become attuned to being cautious if we do not recognise the email address and to never open an attachment without first scanning it. However, at work, we are used to receiving emails with attachments and we don’t readily recognise all email addresses. While cybersecurity systems in place will catch most phishing emails, cybercriminals have ways of bypassing normally effective firewalls and filters. Ultimately, we can inadvertently become the ‘last line of defence’.

Thomas Sutter is a Computer Science researcher at the Zurich University of Applied Science (ZHAW), while also having obtained a Master of Science in Engineering. He currently works in the Information Security Group at ZHAW.

Samir Aliyev, CEO and Founder of the Swiss Cyber Institute was fortunate enough to be able to talk to Thomas about the current threats posed by phishing attacks, together with a raft of challenges being faced by CISOs in today’s challenging business environment. Read the full interview below.

Phishing is still a huge problem despite more advanced AI-based security solutions, leaving the email recipient in the position of last line of defence. Have businesses simply failed to keep pace with hackers?

It is true that phishing attacks continue to be a significant problem despite the advancements in AI-based security solutions. While businesses have made significant progress in implementing security measures to prevent these attacks, hackers have also become more sophisticated in their tactics.

One reason for the persistence of phishing attacks is that they often rely on social engineering rather than technical exploits, meaning that they exploit human vulnerabilities such as curiosity, fear, or urgency. Even with advanced security technology in place, humans can still be tricked into giving away sensitive information or clicking on malicious links.

Furthermore, attackers are constantly adapting their tactics to stay ahead of security measures, making it difficult for businesses to keep up.

It is important for businesses to continue to invest in improving their security measures and educating their employees about the risks of phishing attacks. However, it is also important to recognise that no security measure is fool-proof, and businesses must be prepared to respond quickly and effectively to any successful attacks.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

Reporting directly to the CEO or another high-level executive is important because it demonstrates the organisation’s commitment to cybersecurity. It sends a message that security is a top priority and that the CISO’s role is critical to the organisation’s success.

In addition to having a seat on the board and reporting to a high-level executive, it is also important for the CISO to have a strong relationship with other leaders within the organisation, such as the Chief Information Officer (CIO) and Chief Technology Officer (CTO). Collaboration between these leaders is crucial to ensure that the organisation has a holistic approach to cybersecurity that aligns with business objectives.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

In my opinion, the technology that is often overrated when it comes to security use-cases is Blockchain. While Blockchain is undoubtedly an interesting technology with some very specific use-cases, such as currency trading, I believe that it is not always the best solution for security applications. In fact, I have observed proposals for Blockchain-based security applications that do not provide any significant value in terms of security or trust.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

I think that using gamification for educational purposes can be very effective in the field of cybersecurity. By regularly presenting cyber security students and professionals with game-like challenges, such as Capture the Flag (CTF) events, they can gain valuable experience and knowledge that can help them in their work.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organisation’s needs?

The talent shortage is certainly a big problem that will not be easily solved very soon.

Here are some strategies that CISOs can consider:

  • Build partnerships with educational institutions
  • Look for diverse candidates
  • Offer training and development opportunities
  • Create a positive work environment
  • Foster a culture of learning

By implementing these strategies, CISOs can identify and develop a diverse talent pool that can help their organisation meet its cybersecurity needs, while also fostering a positive and supportive work environment for their employees.

What do you look forward to most at this year’s Global Cyber Conference?

To meet and greet a diverse set of cybersecurity professionals from all over the world.

Thank you, Thomas, for taking the time to answer my questions and for sharing those great insights. We are all looking forward to your talk at the Global Cyber Conference and learning so much more in your workshop.

Thomas Sutter will lead an expert focus session at the Global Cyber Conference on the topic of “Avoiding the hook”. In this practical session, attendees will learn about challenges, dos and don’ts, as well as some aspects of why phishing is still a big problem in cybersecurity.

Please also check out the interviews with our other speakers who will be in attendance at this year’s Global Cyber Conference, which you will find here.