
Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, has been talking with Onur Veyisoglu, Senior Security Researcher at Zurich University of Applied Sciences (ZHAW). In this interview, Samir asks Onur how he sees the evolution of automated security tools as critical in supporting an organization’s digital transformation goals.

Usage of automated security tools has become DevSecOps best practice. How do you see those tools evolve in the short-medium term to support an organisation’s digital transformation goals?

Although usage of automated security tools has become DevSecOps best practice, the GitLab 2022 DevSecOps Survey findings highlight an important gap between the use of automated security tools and the integration of security into the development workflow. While the majority of DevOps teams are running security scans regularly, fewer than a third of developers are getting those results in their workflow. This suggests that there is a need for better integration between security and development teams, and for security tools to become more developer friendly.

Therefore, in the short to medium term, we can expect to see automated security tools evolve to better support an organization’s digital transformation goals by improving integration with development workflows. This may involve the creation of more developer-friendly security tools that are easier to use and understand for developers who may not have a security background.

We may also see more automation of security testing and vulnerability remediation. This will allow security teams to focus on higher-level activities, such as threat hunting and incident response, while ensuring that security is built into the development process from the beginning.

We can expect to see increased use of machine learning and artificial intelligence in automated security tools. These technologies can help to identify and respond to security threats more quickly and accurately, enabling organizations to respond to security incidents more effectively and efficiently. In my view, the incorporation of these technologies into automated security testing is still in its early stages, and there is certainly scope for improvement in the short and medium term.

Furthermore, I believe that compliance is a fundamental aspect of security, and it is likely that automated tools will advance to assist organizations in automating compliance checks and audits. By doing so, organizations will be able to comply with regulations and standards more efficiently, reducing the risk of costly fines and reputational damage.

Overall, the evolution of automated security tools will be critical in supporting an organization’s digital transformation goals. By improving integration with development workflows, increasing automation, and incorporating machine learning and artificial intelligence, these tools can help organizations stay secure while embracing the benefits of digital transformation.

Survey: https://about.gitlab.com/developer-survey/

What do you consider to be the most underrated trend and/or technology in cybersecurity and why?

In my consulting experience in Switzerland and Turkey, I have found that investment in efficient user awareness and training is an underrated trend in cybersecurity. On the contrary, I have observed a growing trend of over-reliance on technology as the sole solution to combat cybersecurity threats. While technology plays a crucial role in protecting against such threats, it’s important to recognize the significance of human factors such as user education, awareness, and training. This is because cyber attackers often use social engineering tactics, such as phishing emails and pretexting, to exploit human vulnerabilities.

I think there is certainly room for improvement in measuring the efficiency and using technology in more effective cybersecurity training to increase the general knowledge and awareness of people.

While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?

Yes, achieving management consensus on how best to address cyber risks is still a challenge. I believe it is a challenging task by its nature regardless of the awareness level of the business leaders. Conflicting opinions and interests can arise, particularly when it comes to identifying which risks are most critical and how to prioritize them. This can be further complicated by budget constraints, resource limitations, and conflicting business objectives. However, having different opinions and approaches can also be beneficial in finding the best solution to address cyber risks. Therefore, having a diverse range of backgrounds and expertise within security teams is crucial in the cybersecurity field. However, achieving that is another challenge itself.

The nature of recent cyberthreats has tended to focus on business disruption and reputational damage. Is this what you have experienced and if so, how does this impact your organisation?

Adding emerging technology to legacy IT increases the complexity of an organization’s digital environment. What are the key elements required to balance the value of new technology with the potential for increased cyber risk that comes with it?

In my opinion, there are four essential components to consider in balancing the value of new technology with potential cyber risks.

Firstly, conducting a thorough risk assessment is crucial in identifying potential threats and vulnerabilities to take proactive measures before introducing new technology.

Secondly, having a robust cybersecurity framework that includes policies, procedures, and controls is necessary to mitigate risks related to new technology. Regularly reviewing the framework to align with changes in the digital environment is also essential.

Thirdly, continuously monitoring the digital environment is critical to quickly detect and respond to any security incidents or breaches. Employing advanced cybersecurity tools and techniques to identify potential threats and risks in real-time would be helpful to achieve this goal.

Last, but not least, organizations must consider the impact of new technologies on their employees. Ensuring employees receive adequate training on risks and best practices associated with new technology will equip them with the necessary skills to respond proactively to potential threats. By prioritizing these four key elements, organizations can effectively balance the benefits of new technology with potential cybersecurity risks.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?

According to the latest report on the Cybersecurity Workforce Study in 2022, the workforce gap in the field has more than doubled and is estimated to be around 3.4 million, which is concerning for the entire industry. However, I have personally experienced and continue to witness that individuals who want to specialize in cybersecurity have difficulty finding entry-level positions. I observed that entry-level positions are scarce, and the available ones are typically over-demanding. Given the global talent pool shortage, it makes sense to invest in individuals with diverse backgrounds and security instincts instead of imposing strict requirements. In this regard, I think CISOs should increase their visibility on social media and academic institutions to attract potential talent.

To fill mid and senior-level positions, I think that job descriptions should be clear and reasonable. Often, there is a mismatch between the actual talent required and the posted job requirements. Additionally, it is essential for CISOs to provide a clear training and development plan that demonstrates the organization’s commitment to the professional growth of its employees.

In my view, CISOs need to offer a flexible work environment, as cybersecurity professionals frequently seek opportunities such as the ability to work from home, as shown in several surveys.

The mentioned survey: https://www.isc2.org//-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx

According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?

Remote work has certainly introduced several challenges from a cybersecurity perspective. With employees accessing organizational resources from outside the office network, there is an increased risk of cyber-attacks such as phishing, malware, and ransomware. These risks can be considered a curse and a source of significant concern for CISOs. I personally have not experienced it within my team, but there are also concerns regarding effective communication and collaboration in virtual environments.

On the other hand, remote work has enabled organizations to broaden their search for cybersecurity talent globally, offering access to a larger pool of potential candidates. This is particularly advantageous given the current talent shortage in the cybersecurity industry. Additionally, allowing existing employees to work remotely can boost their morale and job satisfaction by accommodating their preferences. In my personal experience, having the option of working in different environments certainly helps overcome the stressful nature of a job in the cybersecurity field.

To balance the benefits of remote work with the potential cybersecurity risks, CISOs need to ensure robust remote access policies, strong identity and access management controls, and secure remote collaboration tools. Employees should also receive training on cybersecurity best practices and be aware of the potential risks associated with remote work.

I believe it is a hard task to find the right balance. Nevertheless, access to the global talent pool and improved employee satisfaction make WFH a risk that is worth taking. Overall, it is a blessing more than a curse for the CISOs considering how serious the skilled cybersecurity professional shortage is globally.

What do you look forward to most at this year’s Global Cyber Conference?

With a line-up of excellent speakers from all over the world, I am both excited to attend and humbled to be among them. I am looking forward to hearing their views on the latest trends and especially the impact of geopolitical tensions on cybersecurity.