Mostafa Hassanin is the Group CISO at SMG Swiss Marketplace Group AG and has over a decade of information security experience in file sharing, banking, finance, and online marketplaces. He holds a B.Sc. in Computer Science (Loughborough), an M.Sc. in Software and Systems Security (Oxford), and an Executive MBA (INSEAD). Mostafa has played a pivotal role in establishing and developing the security practices and capabilities of some of Switzerland’s leading brands, such as Ricardo, Tutti.ch, Homegate, Immoscout24, and Autoscout24. He has also contributed significantly to the security of Switzerland’s banking and finance industry, authoring security concepts, guidelines, and technical standards, and overseeing their implementation. As Group CISO, he is responsible for safeguarding the assets of SMG Swiss Marketplace Group AG and the digital security of its employees and customers.

Among many cybersecurity topics, Mostafa has some very interesting advice for C-suite executives on managing the aftermath of a ransomware attack. We hope you enjoy what he has to say.

In your experience, what are the most common misconceptions about cloud security? 

The most common misconception I hear is that it is either secure by default and little can go wrong, and the provider takes care of it, or, on the other extreme, it’s not secure at all, and on-premise is more secure by design. While we’re spilling the beans, I also hear that it’s supposed to be cheaper. I believe these misconceptions are missing the key point, which is that we’re dealing with information security. We secure the information regardless of its location (or deployment model), and at the end of the day, we are transferring some risks (e.g., data center security), mitigating some others (e.g., DDoS attacks), but the key cybersecurity risks didn’t change and need to be addressed (e.g., misconfiguration, cyberattacks, etc.). Let’s look at it from a different perspective: let’s assume one has a silver bullet tool but doesn’t understand it, and knows neither how to operate or maintain it nor how to configure it properly. Well, it won’t add much value, if at all.

What strategies would you recommend for securing hybrid cloud environments against sophisticated threats? 

I recommend adopting a unified approach towards security, driven by risks, informed with data. I think we should focus more on digital identities, and automating detection/response as much as possible. In parallel, we need to have visibility via monitoring and having an AI-powered single pane of glass for detection/response. I would add, we make it simple; no network, no passwords, no problem! 

What are the key components of a resilient enterprise cybersecurity strategy in the face of evolving threats? 

I tend to start by having the business strategy and objectives and establishing what the cyber risks are that may jeopardize that. While addressing the risks, I focus on resilience, scalability, and key measures. Through a unified fundamental approach towards security, this becomes easier to think about. Starting with the known risks often jump-starts the process. In my opinion, people, culture, and awareness are underestimated. Governance is often forgotten.

Last but not least come the non-organizational measures, such as digital identities, a single pane of glass for detection/response, a risk-based or adaptive approach towards information security, and automating as much as possible. If things are too complicated, start simple then upgrade (AI).

How can businesses leverage cybersecurity as a competitive advantage? 

Let’s try to simplify it while being concrete: if you are looking for a product and find it available on two websites, one is known for its good reputation, and the other has a better deal but bad reputation. What would you do? Well, consumers tend to be risk-averse, especially recently with all the buzz concerning data leaks, cyber attacks, etc., and the negative consequences that come with them for organizations and individuals. Given the ever-evolving threat landscape, cyber attacks are on the increase. So, those companies who can protect their customers the most, or are affected the least from an attack, and/or don’t burn too many resources fighting, are the ones going to have a better reputation, be more cost-effective, thus, the winners. Well, natural selection?!

What role does Cloud Identity and Access Management (IAM) play in fortifying enterprise strategy? 

Digital identities are the cornerstone of today’s security, as over 65% of breaches happen due to identity attacks. Organizations either have their platforms running on the cloud, or their own IAM solution is cloud-based so that they can focus on their core competencies. In both cases, that has the potential to affect the C-I-A rubric of information security: confidentiality, integrity, and availability. Cloud IAM is indispensable for protecting sensitive data and applications while enabling business agility and innovation. It’s also very important that a business continuity plan addresses identity systems in particular, given their critical nature. 

What advice would you give to C-suite executives for managing the aftermath of a ransomware attack effectively? 

Pilots tend to work by the “Aviate, Navigate, Communicate” rule in case of an emergency. I like this rule since it’s highly applicable to many scenarios, such as this one. C-suite executives should first prioritise key resources to recover critical systems or business operations to contain the situation and minimise the damage. Then, engage with experts, law enforcement, and other necessary parties to determine the best course of action. Not to mention having transparent and swift communications internally and externally. The timing is important: not too late, when details of the attack have been leaked and rumors have begun to spread, and not too early, when nothing can be confirmed. Executives need to lead by example, remain calm, foster a culture of no blame, and embrace post-incident activities to put measures in place so that it doesn’t happen again.

How is quantum computing impacting cybersecurity, and what balance should businesses strike between innovation and risk? 

Quantum computing is threatening to break some of our encryption standards (e.g., RSA and ECC) that are based on certain mathematical problems (factorization). The issue is that this threat is significant since these standards protect most of today’s digital communications and data security. This potential makes it important for businesses to start preparing for a post-quantum world by at least understanding if/how they are impacted, and having a risk-driven plan to transition to quantum-resilient cryptography based on the threats posed to the business. What’s important to understand is that this transition takes years, so it’s about time that businesses develop the awareness, understand the risks they are running, and keep themselves up to date.

How is AI transforming cybersecurity, and what potential risks and opportunities does it bring? 

AI has been used in cybersecurity since the ‘90s (the DARPA dataset); however, now it’s even more powerful, as it can digest and analyse vast amounts of data, enabling the identification of threats and anomalies that would be impossible for humans to detect in a timely manner. Moreover, if a problem can be transformed to a text-based problem, GenAI comes to the rescue. This boosts efficiency, effectiveness, and automation. But though it can be used in defense, it can also be used to attack. Attackers are using AI to develop more sophisticated malware and attack strategies, creating a continuous arms race between attackers and defenders. Let alone that AI can sometimes make incorrect decisions (like a human, I would argue); however, it raises concerns about privacy and the ethical use of data, as well as the potential for manipulation or bias based on the data they are trained on. And as long as we’re aware of that, and take it seriously, I believe we can address it. The challenge is that not everyone is ethical.

What are the unique cybersecurity challenges that Switzerland faces in 2024, and how are they being addressed? 

Switzerland, with its significant financial sector, advanced technological infrastructure, and political neutrality, faces unique cybersecurity challenges, including targeted attacks on its banking and financial services, espionage targeting its research and development sectors, and the need to protect its critical national infrastructure. To address these challenges, Switzerland is enhancing its national cybersecurity strategy, focusing on strengthening public-private partnerships, investing in research and development, and improving national cyber incident response capabilities. Switzerland is also working on enhancing international cooperation to combat cyber threats more effectively and implement more regulations. I believe that we need to increase the pace; we have all we need to lead and be pioneers in this sector.