Cyber Security in the c-suite and board rooms — Sikkerhetsfestivalen 2022

Johan Sydseter
Aug 30, 2022

Disclaimer: Freely reproduced from the panel on “Cyber Security in the c-suite and board rooms” at “Sikkerhetsfestivalen” 2022. The participants have not been able to review the opinions that were expressed at the panel and therefore might want to moderate themselves if they were asked to review them in written form. ref: https://sikkerhetsfestivalen.no/bidrag2022/silvija-seres


Led by: Dr. Silvija Seres
Participants:
Ingeborg Øfsthus, CTO, Telenor Norge
Sofie Nystrøm, Director, NSM
Dr. Hugh Thompson, Managing Partner Crosspoint Capital and Program Chair for the RSA Conference

Introduction by Dr. Silvija Seres

We find security vulnerabilities everywhere in all devices and systems, and the challenges concerning managing the risk for addressing security vulnerabilities are growing. There has been an increase in risk, globally, concerning sustainability and cybersecurity that wasn’t there 10 years ago. How can we solve new problems and implement new solutions and innovations when humans don’t assess risk well enough?

We are the first generation that experienced industrial availability of microchips, AI and interconnected devices and systems (Internet). There is a need for being able to perceive new risk faster as the pace of emerging technologies continues to increase. As the price of food, energy and the risk to the environment and social sustainability are continuing to increase, how can we remain focused on solving our challenges within cybersecurity?

Cybersecurity is becoming a license to operate amongst investors and board members, as we are seeing an increased awareness concerning security in the boards. An increased focus on transparency concerning sustainability and cybersecurity in the board rooms is on the rise. How do we regulate? How do we increase awareness? How do we ensure that the board rooms are informed and knowledgeable?

Dr. Hugh Thompson

Dr. Hugh Thompson: There is a huge lack of knowledge and understanding of cybersecurity in the boardrooms, but regulations have increased the urgency to focus on information and cybersecurity as a topic. The introduction of GDPR has made board members more aware of the importance of cybersecurity. As companies started to hire GDPR consultants in order to ensure they could become GDPR compliant, they also became aware that there is a cost associated with ensuring proper security and privacy. Secondly, worldwide cyberattacks like “WannaCry” made the boardrooms aware that there now was an increased probability and risk for security breaches and that anyone could be targeted. This has also helped raise new questions concerning emerging information gathering like machine learning and privacy that previously weren’t raised. There is an increase in the need for quantifying risk concerning reputational damage and the loss of trust in relation to security breaches. Insurance is not a good analogy in this respect, and the boards are currently lacking a framework for properly assessing the impact of the decisions they make concerning challenges related to cybersecurity and privacy.

Dr. Silvija Seres: Considering the technical language that security professionals use, are we able to properly communicate the challenges to the leaders in the public sector? Does the public sector understand the challenge? What is the state of public readiness in respect to cybersecurity?

Sofie Nystrøm

Sofie Nystrøm: We in NSM are spending a lot of effort on talking to leaders within the public and private sector. In Norway, we haven’t really seen the true effect of the changes to the threat landscape that have appeared over the last years. In terms of readiness, there is a huge difference when compared to the US. We have been much slower to implement new measures here as compared to overseas. Threat actors are investing heavily in 0-day vulnerabilities and we are not doing enough in the public sector in order to mitigate these challenges. One of the most effective measures is to talk to top management. Cybersecurity professionals are lacking the management skills to talk to the boards. We have a long way to go. There is a need to be able to quantify the risk in order to get the points across.

Thompson: Many of the people sitting on boards are exceptionally smart and intelligent. In order to get your message across, master the art of storytelling. People think better in terms of stories and analogies. If you can communicate using analogies and stories to get your message across, you can come far in communicating the challenges.

Silvija: How is cybersecurity becoming a strategic topic for companies?

Ingeborg Øfsthus

Ingeborg Øfsthus: IoT and new technologies come with inherent risks that need to be taken into account when designing new solutions, and there are challenges around addressing security for legacy systems. The language is complex. Telenor is operating in various markets and cultures around the world. Together with our partners and sister companies, Telenor has lots of experience building and delivering secure systems around the world, and we have a good collaboration between the group and the local level in our organization. There used to be tension between project managers and the security experts in the local projects. Telenor has therefore created a security board where the CEO and managers from different parts of the company can raise questions and communicate freely. We regularly train and have a lot of practice in crisis management where cybersecurity is a part. We believe that when addressing cybersecurity, we need to think cross-borders, not only locally.

Silvija: 2 years ago, the municipality of Toten was hacked. One of the sentences that was often heard when citizens and politicians were interviewed in the press afterwards was that they never thought this could happen in Toten. Did the hackers care? When we depend on our local geography, seeing that digital is borderless, how can we address the challenges of cybersecurity which are global in nature?

Thompson: There is an increased need for government to know how the suppliers secure themselves. The hackers don’t really care where and what they attack. The number of ransomware attacks has increased year over year, so it’s not a country-specific problem, it’s a global problem.

Silvija: Norway is one of the countries with the most digitized infrastructure in the world. One of the watershed moments was when Norsk Hydro got hacked. Seeing that our hospitals are getting more and more digitized, do we really have to wait for the loss of life to be a fact before something gets done?

Sofie: Mostly we know what the vulnerabilities are. All we need to do is to fix them. The board very often believes that things are just fixed and does not see the technical challenges that cybersecurity professionals are facing. We are lacking the tools for fixing vulnerabilities in the public sector. The public sector needs a push towards implementing the basics.

Silvija: We are moving towards the digitalization of everything. We are laughing about metaverse today, but 5 years from now, when we all are in metaverse, we won’t be laughing. Can cybersecurity become a competitive advantage when working with partners?

Ingeborg: Yes, we see this happening already. We need to think holistically. In the board rooms, sometimes, we have solutions that have many different parts and we need to include cybersecurity as an end-to-end strategy. You are only as strong as the weakest link, and that is certainly true for cybersecurity and technology.

Sofie: Military and civilian entities within the public sector are operating 20–30 years in the past. Legacy debt is making it difficult to ensure that the general citizen is secure. We in NSM are trying to prevent fires in these public entities from exploding and some of them are already exploding as we are speaking. We are trying to prevent this from happening.

Silvija: Talent shortage is a challenge when recruiting; even with a great digital strategy, talent shortage is becoming a challenge. How do we address this?

Thompson: Security challenges in legacy systems show that paying down technical debt is also a huge opportunity for reducing security risk. The move to cloud is in many cases causing companies to move the same issues they had locally to the cloud. Norway has an incredible advantage regarding security knowledge because of the amount of security talent that exists in Norway. I believe this to be a strategic advantage in Norway.

Johan Sydseter

Co-leader for OWASP Cornucopia and co-creator of Cornucopia Mobile App Edition, an application security engineer, developer, architect and DevOps practitioner.