Craig Fletcher has worked in the field of Information Security for over 20 years. In that time, he spent 12 years at UBS, occupying several Information and IT Service Leadership positions. He has been the CISO at Skyguide, the Swiss Air Navigation Service provider, and also worked at ISPIN, latterly as its CEO.

Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, has been talking with Craig Fletcher, the CISO at Galderma in Switzerland. In this interview, Samir discusses with Craig the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how one should prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience.

While cybersecurity and cyber risks have become a top issue in the boardroom, IMD claims that 90% of boards fail to add value to their executive team. Who’s to blame?

I think blaming is not the solution to the problem. Very often Board members are less technical people and CISOs are very technical people. This leads to a language barrier between the two. The horror stories in the press further worry Board members and can result in knee-jerk reactions rather than strategic management of the topic.

Board members must understand that cyber threats are here to stay and are part of the environment their company operates in. And the CISO must find a way to communicate the current state of information security to the Board members so that they are able to understand the situation and make valuable decisions for the company.

Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

The CISO’s role is in my opinion one of the broadest roles within a company. They must understand technical architecture and technologies in detail, define the security posture to support the business, balance budgets and answer all questions posed by the Executive board and the Board of Directors. CISOs should be very mature leaders and technology geeks at the same time.

Common ways to assess the value of a senior executive to an organization’s business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?

The value of a CISO should not be measured by the absence of attacks, but by the efficiency and efficacy of responding to attacks when they occur. A good CISO builds processes, implements technology, and puts in place the right people to reduce the attack surface, detect attacks immediately when they occur and respond efficiently to protect data and the business.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

The CISO should have direct access to the board. This does not have to be a chair or a direct report, but the ability to escalate topics to the board immediately.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

Organisations should change their mindset away from treating cyber threats as pure risks (probability and impact), but more to the concept of cyber resilience which implies that attacks can and will happen. Building a security framework based on the disciplines of cyber resilience and ensuring the right maturity of each of the disciplines is key.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

Up to a few months ago I would have answered this question with “Artificial Intelligence”. For many years now vendors have been selling their products using AI in their marketing brochures. But in most cases the hype topic of AI was misused.

But with the latest developments in AI I can see that the next levels of AI could be very interesting and potentially a game changer for how much insight we will receive into our environments.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

Awareness! The easiest and most common attack is against humans. Creating a corporate culture where the security mindset is integrated is in my opinion one of the most efficient and effective ways to prevent attacks.

While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?

It all depends on the members in the board and on the CISO. Ensuring the board has the right level of understanding is key to being able to address cyber risks.

The nature of recent cyberthreats has tended to focus on business disruption and reputational damage. Is this what you have experienced and if so, how does this impact your organisation?

Yes, we see the same trends. But a bigger trend we are seeing is that hackers are attacking SaaS providers which allows them to gain access to data of multiple companies instead of only one. Therefore, Third Party Risk Management, Cloud Security, Data Classification and Encryption become much more important.

Adding emerging technology to legacy IT increases the complexity of an organization’s digital environment. What are the key elements required to balance the value of new technology with the potential for increased cyber risk that comes with it?

Every new technology adds risks to an organisation’s environment. Having the right processes and controls in place to manage these risks accordingly is key.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?

CISOs must be good managers and good leaders ensuring they offer an interesting, supportive, challenging working environment which allows their staff to grow and succeed.

According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?

WFH is the new reality. It’s just something we must accept and adapt to – in the spirit of cyber resilience.

What do you look forward to most at this year’s Global Cyber Conference?

Meeting cyber professionals from various companies and exchanging experiences and views.