Stéphane Hurtaud - Lead Cyber Partner Deloitte Luxembourg
“Deloitte Luxembourg Cyber Risk Services has reached 37% of female professionals and this includes females in leadership positions. This is a great achievement but we can go one step further. We continue to strongly support initiatives like Young Women Challenge and Women in Cyber because we believe that promoting gender diversity is a key success factor for the cyber security industry.”
Becoming a cyber leader, bit by bit
Dr. Maya Bundt, Head of Cyber and Digital Solutions at Swiss Re
To all those who fear their careers have so many twists and turns that they will never get to the top, Dr. Maya Bundt, Head of Cyber and Digital Solutions at Swiss Re may help you reconsider. As she puts it “if I look back from where I started, it looks like I picked each and every job at Swiss Re in order to get to where I am now. But while I was on that journey, it didn’t seem that way.” Whether in cyber insurance or cyber in general, Maya’s advice to those who want to step into the field is “accept non-linearity in your career.” From the outside, what may seem like a straight dash to the finish line, feels more like navigating through a giant jungle gym from the inside. However, as non-linear as it may be, Maya has seen every role change and every risk as a critical step in the journey that is her career.
“I’m a natural scientist at heart. My passion for the topic and our planet led me to pursue my education in environmental sciences. With my Master’s degree in hand, I decided to continue in this direction and obtained a PhD in soil physics. As many of my fellow doctors, I was then faced with the question of what to do next: stay in academia or move into industry? Having spent most of my life in school, I decided to make a change and got a job as a strategy consultant. Three years later, I joined Swiss Re as a senior project manager. After fourteen years with Swiss Re, I’m now the Head of Cyber and Digital Solutions.
Looking back, it’s clear that each move I made and job I took was exactly what I needed to get to my current role. But at the time of taking all of these decisions, there was no such thing as cyber insurance. So, at the start of my career, I wasn’t looking for this job because it simply didn’t exist; the entire field didn’t exist! However, with time, it became evident that what Swiss Re and other financial service providers could do in a new digitalised world would also create great vulnerabilities. I thought that was fascinating!
Now, I absolutely see myself staying here. Cyber insurance is the most exciting field you can imagine. There is so much to do and there are so many facets, which means that there’s room for people from all kinds of backgrounds.”
Maya breaks her journey down into three phases – getting started, broadening her skillset and leading her own team – and highlights the lessons she has learned along the way.
The early years
Reflecting on her experience in more junior roles, Maya remembers learning how to convince and negotiate:
“You often don’t have the formal authority to get things done”. She argues that a key skill for those starting their careers is to work with others to achieve one’s own goals and ensure those who help also benefit and get recognised. Maya highlights that, along with technical, theoretical and practical knowledge, one must never underestimate the importance of personal networks, soft skills and collaboration: “It doesn’t matter who you are or how good you are. Nobody can achieve great things by themselves.”
Stepping up your game
Maya strongly believes that everyone has room for improvement. She quotes the popular saying:
“If you’re the smartest person in the room… then you’re in the wrong room.”
Although it may be more comfortable to be the big fish in a small pond, true personal development requires constantly seeking to gain new skills. She emphasises that even those that have mastered one particular area of expertise can and must learn from their colleagues and branch out. This is especially true in cross-functional disciplines such as cyber insurance, where each member of a team should bring a certain expertise, be it underwriting, technical cyber security or law, and make the effort to become proficient in other relevant areas. Not only does this contribute to great team dynamics; it inevitably results in better solutions.
Taking on the responsibility of leadership
In her current role, Maya is not responsible for protecting Swiss Re’s infrastructure, systems or data. Instead, she is in the business of building cyber insurance solutions and developing the market. For these tasks, she needs a team with many different skills and argues that she would be very hard pressed to find all of them in the same person. However, having fostered a multi-disciplinary team means that Maya is regularly presented with questions or solutions that challenge her views. She sees this as a gift, and when asked what advice she would give other leaders in cyber security, she replies “listen to what you don’t want to hear.” She believes that leaders should not only be open-minded; they must also proactively encourage and reward those that constructively disagree with them.
In summarising how she became the Head of Cyber Solutions at Swiss Re, Maya reflects:
“How I got here? Some luck, good choices and a lot of really hard work.”
Maya has taken each phase of her career, each obstacle in the jungle gym, as a stepping-stone to her next role. As the challenges in cyber are in constant flux with ever-evolving threats, the field needs the agility of people who are driven by change.
Cyber security is a business accelerator
Darine Fayed, Head of Legal and Data Protection Officer (DPO) at Mailjet
Companies today are more interconnected than ever before; this has placed cyber security at the core of sustainable business models. Now, technical and legal departments are more involved in driving growth with the business than ever before.
Darine Fayed, Head of Legal and Data Protection Officer (DPO) at Mailjet, has successfully led a data protection and security transformation programme in order to tackle the legal challenges related to the General Data Protection Regulation (GDPR). All the effort, time and money invested in cyber security and data protection allowed her company to grow its business with minimal risk. In fact, today, under Darine’s direction, Mailjet is accredited by AFNOR Certification as GDPR compliant, adding to the ISO 27001 certification it had already obtained.
“After obtaining my law degree and working as a corporate attorney in the United States, I moved to France to continue on the same track. I naturally shifted toward digital and IT topics, working on licensing and software agreements for my law firm’s clients.
After over a decade in corporate law, I became Head of Legal, responsible for risk management at group level, at Mailjet, Europe’s leading email service provider. With the arrival of the EU’s new General Data Protection Regulation in 2016, most companies were obliged to implement actions to comply with the upcoming regulation. One of these actions was the appointment of a DPO. Due to my position and digital experience at the time, I was asked to manage the data privacy obligations and lead the transformation across the business, legal and IT teams as Mailjet’s Data Protection Officer. One of my objectives was achieving GDPR compliance through close collaboration with IT teams.
It took Mailjet over one year to become fully compliant with the GDPR’s strict requirements; one year during which I discovered new aspects of cyber security and learned about data protection challenges.
Simultaneously, I also advocated for legal tech (technology at the service of the law), aiming to combine digital and legal endeavours in companies. Specifically, I worked on including cyber security considerations in the legal yearly goals.”
Darine strongly believes in security by default. Every decision in a business process must be taken with security in mind, particularly when personal data is involved. Darine describes the industry as follows:
“Cyber security is awareness, cyber security is top-down, cyber security is a team effort, cyber security starts with legal considerations”.
Cyber security is awareness
Because it affects every employee in a company, Darine argues that cyber security is everyone’s business. The process starts with internal training and building awareness among Business, Marketing, HR and IT teams. Once there is a notable shift in the corporate mind-set, people start to see security not as a burden but as a foundation to business. Darine explains how, when working on new features in a platform or a system, a company’s security awareness improves quality and customer satisfaction:
“Product developers now ask the right questions: How do I make this product secure? How will data be collected or processed in this new feature? What system or measures do I have to put in place in order to secure and restrict the access to this feature?”
Cyber security is top-down
As previous projects carried out by Mailjet’s technical teams received pushback from the business, Darine believes that the ownership of IT security inside her company has shifted to the top: “Our CEO has driven the GDPR compliance initiatives that provided the necessary support to carry out the transformation and convince people who were still resistant to change.” Once senior management understands the importance and defines the objectives of the project, it becomes easier to get everyone on board to pursue the same vision.
Cyber security is a team effort
When we talk about team effort, we tend to consider only an organisation’s internal teams. A cyber security project can only succeed by involving all the individuals connected to a company. A company is an ecosystem of employees, partners, suppliers, clients and providers. With the GDPR, companies do not just comply with the regulation, but learn who their partners are and how to work with them:
“We had to terminate some contracts with our providers that didn’t provide the level of security that we needed. Each company needs to surround itself with providers for whom cyber security and data protection is a common objective. Indeed, cyber security can become a competitive advantage when the core business of a company collaborates with third parties and clients.”
Cyber security starts with legal considerations
In cyber security, people that understand applicable laws and regulations must be in charge of legal activities. The GDPR is the perfect example of a regulation that took businesses by storm. Organisations will now be put out of business if they do not have cyber security embedded within their DNA. As Darine explains, a legal department’s objective is to ensure minimal risk for the company, including cyber risk; this must be leveraged in security and privacy efforts:
“With all my previous experience in law firms, it was more natural for me to use my legal logic to manage GDPR compliance projects. I was able to interpret the regulation that allowed me to collaborate with the CTO on this journey. The translation from the legal compliance of a system to IT actions has been very interesting and rewarding for me.”
When reflecting on her career and how she was able to apply her legal background to cyber security challenges, Darine highlights the importance of continuous learning and how it has helped her deal with new situations:
“No matter if it is your goal to make cyber security your career, or if you are just curious as to how your data is processed, or even if you just want to know how to make your password a little stronger, it’s important to be deeply invested in an evolving subject like data protection. It’s no longer only clients’ concerns, but individuals’ concerns that can be leveraged as learning opportunities.”
Will humans be relevant in the future of cyber security?
Nathalie Weiler, CISO at SwissSign Group
Advances in automation, machine learning and artificial intelligence affect all areas of expertise – and cyber security is no exception. In cyber security, these advancements have enabled the delegation of time-consuming tasks such as manual threat detection and analysis to machines, freeing up the human workforce to focus on threat forecasting, cyber security strategy and governance. Dr. Nathalie Weiler – CISO at SwissSign – believes that the role humans play in cyber security has fundamentally changed and with the role, the skills required by the workforce have changed as well.
“After completing my PhD and post-doc in network security at Zurich’s Swiss Federal Institute of Technology, ETH, I realised that I didn’t want to pursue the classic academic career path of hopping from university to university. More importantly, I was most interested in the practical applications of cyber security. So in parallel to my post-doc, I co-founded a technical consultancy company, where we ran projects in secure IoT activities and building security protocols for multi-media devices.
While I was organising a conference for peer-to-peer networking at ETH, I got the opportunity to connect with many people in the industry. An architect from Credit Suisse approached me for a one-time project addressing a network security issue they were facing - I ended up working with that bank for twelve years, immersing myself in so many fulfilling and interesting projects.
There is no area in cyber security that I didn’t get involved with in my time at the bank. One day, a head-hunter approached me and asked me to join Avaloq to build up their security governance team and frankly, the position with Avaloq came at the perfect time for me; I was ready for the next big challenge of my career. So I took the position and stayed with Avaloq as their CISO for three years. Now, I’m excited to continue my journey as the CISO at SwissSign.”
The shifting frontier: cyber security skills yesterday and today
In the early days, the role of cyber security professionals was mainly to protect IT infrastructure and data. The role was reactive in nature: when a threat appeared or a risk materialised, it was all hands on deck to eliminate it as quickly as possible. Therefore, deep technical knowledge of IT infrastructure was in high demand.
Today, cyber security has expanded to include third parties, cloud environments, mobile devices and everything in between. Global digitalisation and the IoT have also shaped cyber security needs since these opened up a myriad of new opportunities that cyber criminals can - and do - exploit. It is therefore important for cyber security teams to have a broad range of skills to cover all of these environments and threats. In addition, with an increasingly common understanding that cyber incidents are inevitable, anticipating what attackers are going to do before they do it is key. Employees with the foresight and ability to think like attackers are the ones that will provide the most value. Nathalie puts it candidly:
“Attackers will not always use a hammer to get in. They are constantly developing different skills, tools and approaches, so it’s important that we stay ahead and think like them.”
With visibility all the way to the top of organisations, persuasion has also become an essential skill to master. Nathalie reflects on the importance of her consulting background in helping her implement her cyber security program:
“I wouldn’t be here if I didn’t have a consulting background. As a CISO, you need to be able to convince many different stakeholders to secure funding and get buy-in. Half of my success is based on how persuasive I can be.”
As money and resources are always finite, Nathalie articulates the importance of adopting a risk-based and pragmatic approach:
“You need to be able to get your ideas across, taking into consideration the uncertainty.”
Looking to the future
Solutions in use today will undoubtedly become less effective at some point in the future, and since no solution can be completely secure, security professionals need to be able to embrace failure as part of the process. As a result, Nathalie argues that nowadays, the field has demand for professionals with various backgrounds but with a common trait:
“We need people who can look further into the challenges that they’re presented with and see the big picture. We need people who understand why they need to do things in a certain way and can actually see the implications of their actions on business processes.”
As our lives continue to get more interconnected, the needs of the cyber security workforce will continue to evolve. There will always be new cyber security threats lurking on the horizon and regardless of how the field evolves in the decades to come, Nathalie believes that having the right attitude is essential:
“You need to break out and recognise that it’s a journey. It’s important to take your time with each problem and remember that threat actors will always come up with new methods of attack.”
Adopting this perception from the start lets you actually come to pragmatic solutions that work.
Interview - Belgium
Nowhere is the fog of war thicker than in cyberspace
Chelsey Slack, Deputy Head of the Cyber Defence Section at NATO
For more than a decade, cyberspace has slowly but surely crept into our daily lives, going from being an experiment spearheaded by few to integrating nearly every one of our devices in our pockets, work devices, household objects and infrastructure management systems. This evolution prompted NATO to add cyber defence to its core task of collective defence. Cyberspace has also been recognised as a domain of operations, with NATO allies recognizing the evolution of threats and seeing the need to be just as effective in cyberspace as in other domains such as air, land and sea. Although the principles underpinning the protection of this space are grounded in the same concepts as traditional domains, Chelsey Slack, Deputy Head of Cyber Defence at NATO, highlights key differences between these domains and what these differences mean in the context of international security.
“Growing up in Canada, my favourite subjects were always related to history, social studies and law. During high school, I had my first exposure to international relations; I learned about how countries work together and what they saw as key issues. That really piqued my interest and I decided to pursue my university studies in political science with a focus on international security.
Later, I worked for the Canadian foreign ministry and realised that I wanted experience in a multilateral context. After getting my Bachelor’s degree, I landed an internship at NATO, where I worked on trans-national threats.
One day during that internship, on my way home for Christmas, I wound up sitting at the airport, waiting for my delayed flight. I started talking to the person sitting next to me; at the time, I was just about to submit my online application to a Master’s programme and this man asked me about my research proposal. When I told him that I wanted to look into post-war reconstruction, this stranger, who worked in a similar field, looked at me and very bluntly said: “That’s a very interesting topic but there are a lot of people working on it. I think you should consider focusing on something else.”
When I got back to my internship after the holidays and my supervisor involved me in the development of one of NATO’s cyber defence policies, I knew this was what I had to write my thesis on… and I’ve been working on that same topic ever since!”
Chelsey sees cyberspace as a vector of potential and innovation that relies on open collaboration and exchange platforms and brings many benefits to society. That’s why she is passionate about her work in cyber defence at NATO:
“It’s about ensuring that cyberspace remains the open, secure and transparent place that we need it to be, to continue to harness those benefits.”
Although the same principle of collective defence – where an attack against one ally is considered as an attack against all allies – underpins cyberspace as it does air, land and sea, Chelsey has developed a deep understanding of how bringing this principle to life in cyberspace is different.
The first difference resides in the nature of this space: it is intangible.
“You can see troops, you can see tanks, and you can see planes that cross your border; but it’s not so easy to see an attack or understand what you’re dealing with in cyberspace.”
The second is that cyberspace underpins our communication systems and critical infrastructure, linking it to every other domain, while remaining a distinct domain of operation. The third is the pace of innovation and technological changes in cyberspace and its effect on established procedures. In the past, you could buy a new piece of equipment, for instance a truck or a tank, and it would be good to go for years.
“In cyberspace, you have to constantly keep up with the development of technology. The minute you buy a new piece of equipment, it’s already out of date.”
This speed does not only affect the technology:
“You need to make sure you train the people so they are able to operate in this constant state of change.”
In addition, although NATO allies recognized that international law applies in cyberspace, the domain’s specificities pose challenges:
“How do you impose consequences? What is the best way to enforce the international law that we have to draw upon?”
Lastly, the number and diversity of actors involved in cyberspace is far greater than on land, in the sea or in the air. Each one of these actors, many of which are private, is a potential target. This makes governments’ role in managing cyber threats and responding to them significantly more complicated.
As the fog of war is thicker in cyberspace, there are still plenty of questions being debated amongst allies. When NATO recognized cyber defence as a part of its core tasks of collective defence, there was deliberately no threshold set to determine what it would take for a cyber attack to be considered an act of war:
“This decision is context-dependent and ultimately needs to be a political one”.
Additionally, if a cyber attack were to be grounds to invoke Article 5, it would not mean the allies’ response would have to leverage cyber capabilities.
“That’s part of the cross-domain approach; cyber is but one tool in our toolbox.”
Many of us do not think about cyber security through the foggy lens of war. Professionals like Chelsey bring cyber security from a commercial concept to one of international security, and ultimately, will have an enormous influence on the world we live in.
Interview - Switzerland
Taking on cyber security’s unknown unknowns
Karin D’Amico, former Corporate Information Security Officer at Givaudan
The former US Secretary of Defence, Donald Rumsfeld, famously said: “there are unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.” In cyber security, there seem to be more unknown unknowns than in any other field. And although this may seem like common knowledge today, 20 years ago – when there was no such thing as security departments or even cyber security degrees – this statement may not have been so widely accepted. Karin, former Corporate Information Security Officer at Givaudan, was one of those who was able to appreciate this aspect of cyber security early on and successfully built her career with it in mind.
“It all started when I was working as an executive administrative assistant and my boss saw that I was hungry for new challenges. He also saw that I had a particular interest in IT, so he started to give me more tasks in that area and encouraged me to move into a position as IT Support Manager. A few years later, I obtained a diploma in IT project management while working as a consultant for Givaudan.
At the beginning of my career in IT as a network and server engineer, security was not at the top of any company’s priority list; the security topic at that time was the chase of some of the first viruses. Over time, security projects started to come in, little by little, with broader scope and higher ambition. Given my experience in project management and IT infrastructure, I was given the responsibility of managing Givaudan’s first global security project, which was to set up a corporate antivirus system. It’s amazing to think that, back then, not having such an antivirus was the norm! After that project and as Givaudan’s needs for security experts grew exponentially, so did my interest and competencies in the field.
When I was on maternity leave after the birth of my second child, I received a call from my boss, Givaudan’s then CISO. He had received a great opportunity to work on a big integration project and asked me if I would be willing to take over from him; which, of course, I was. As I started in this new role, I decided to pursue information systems security studies to enrich the expertise I acquired in the field by working on security initiatives.”
Having been actively involved in Givaudan’s security team from its very early days, Karin learned early on that the unknown unknowns cannot be eliminated, and developed a highly effective coping strategy built on three pillars: continuous improvement, knowledge of the business and a strong focus on stakeholders.
Progress one step at a time
Cyber security is an arms race; in this field, keeping up with the pace of changes requires continuous improvement:
“You need to take the time to identify what is most important to your organisation and improve its maturity one step at a time.”
This is how, over 10 years, Karin turned Givaudan into a firm with a comprehensive and coherent cyber security programme.
Know the business inside out
Being able to secure a business requires a deep knowledge of that business.
“You need to get to know the company, from different angles and perspectives”.
Knowing the business also means understanding its people and their ways of working. Karin fondly recalls learning to adapt her Swiss mentality – where being on time means being five minutes early – to a more international approach. For Karin, it is also crucial to take into consideration the organisation’s maturity level and risk appetite when implementing new processes and tools. She argues:
“The latest technology is not necessarily the best; I always put these considerations in the context of the company, the industry and the people before making an important decision”.
Invest time in getting key stakeholders on board
“Security is a collaborative effort; it’s not only the IT or security team’s problem. It’s important for everyone to understand that”.
In any organisation, it’s not surprising that employees don’t want their daily tasks and creative processes to be disrupted by having to put their passwords in three times. So it’s important to appreciate that and find the right solution to keep the firm safe while maintaining a good employee experience.
What we can learn from Karin is that CISOs have an enterprise-wide responsibility. They are responsible for building up their organisation’s lifeline: the tools and processes that will keep them safe in the long run. Ultimately, cyber security leaders cannot predict the future, but Karin is the perfect illustration that preparation is the next best thing:
“Nobody is born an expert; but those who put in the effort will be rewarded.”
Looking forward in the field of Cyber Security: key statement of a Cyber Woman
Laureline Senequier is Director in Risk Advisory Services, focusing on IT Risk. We interviewed her about her career path, how she successfully navigated unconscious bias and what she is looking forward to in the field of Cyber Security.
“I have a diploma in Telecommunications from a Grande Ecole d’Ingenieur in France and a Master of Science in Computer Science from the Illinois Institute of Technology in America. This academic background, together with a thirst for learning, were strong assets when I started my career as an IT Auditor 13 years ago. However, during my first assignments in IT organisations, I uncovered the unexpected challenge of unconscious bias. I had to go the extra mile compared to my male peers, as the persons I was auditing unconsciously assumed I did not have the technical knowledge to address IT matters like my male colleagues. It required perseverance. When your knowledge is regularly challenged, you have to constantly strive to strengthen it and update it. This in turn allowed me to learn and progress faster than usual.
Being a young woman, there are more decisions to be taken at key moments of your life: while starting a career, while settling down with a partner, whether becoming a mother or while becoming a mother. The first big decision for me was not committing to quit my job to follow my university boyfriend after he graduated, which cost the relationship. The second was to pursue my career while living my passion for sport, which brought me to my husband. The last big decision was to work part time at 80% when I came back from maternity leave, which enabled me to progress in my career while being active in the upbringing of my son. The driver for me has always been to find the right balance between professional fulfilment and personal development.
Looking back on this first piece of life, I do not regret any of these big decisions as they brought me where I am. I love my job, I love my team and I love my life. I am proud to be now in the lead of a team with high diversity in gender, nationalities, cultures and academic backgrounds.
Laureline is also actively looking forward to the exciting future of technology and cybersecurity. By managing Deloitte Luxembourg’s IT audit team, Laureline is at the forefront of the technology changes at her clients, and of the current IT audit and cybersecurity practices across Deloitte.
Looking forward, I see a lot of exciting development in the field of Cyber Security. It is an ever evolving subject and this is what makes it interesting. As new technologies arise, so do new threats. But threats shall be evaluated in their whole context, which is not limited to technologies. For example, the evolution of the profile of hackers can be linked to geopolitical contexts. One should consider that data is the new gold and the internet is the new battlefield. System intrusions now appear more often in the news than intrusions into the safe of a bank, data breaches have significant financial and reputational impact on organisations and political elections are influenced by data mining. This is why Cyber has come into the top 10 Global Risks for business and Cyber Security Professionals have a promising and guaranteed career in front of them.
Since my first steps in the field, I’ve noted changes in gender balance and progress on unconscious bias, but we have not gone the whole way yet. The proportion of Women in Cyber is not 50% and some of the unconscious bias I personally experienced still remains. Nevertheless, I am now fulfilling my aspiration in this field and find it very rewarding. That is why I am now involved in the Women in Cyber initiative, to help other women to jump into this field and, like me, become proud of themselves. I think cybersecurity is a great career path that can help everyone, women and men, to grow stronger, more confident and also have a lot of fun!
Building a secure digital world is a legacy we owe future generations
Prof. Dr. Solange Ghernaouti, Director of the Swiss Cybersecurity Advisory & Research Group and Professor of Cyber Security at the University of Lausanne
The image of cyber security relying on lone hoodie-wearing teenagers hacking in the dark needs to change. In reality, to improve cyber security, engineers, lawyers, economists, criminologists and policy makers need to collaborate to address cyber threats with comprehensive strategies. Prof. Dr. Solange Ghernaouti, Director of the Swiss Cybersecurity Advisory & Research Group, President and Founder of the SGH Foundation - Social Good for Humanity and Professor of Cyber Security at the University of Lausanne, has found success in building her career on such an interdisciplinary approach.
“During my PhD and the first years of my professional career, I gained experience in most areas of computer science, such as databases, operating systems, programming, electronics and telecommunication networks. I discovered a particular interest for networks and technical network security and quickly realised that technical security would never be enough; vulnerabilities will always remain. This led me to study network management, a field that I found particularly fascinating and still do. That realisation brought me to focus on cyber risk management and I joined the University of Lausanne’s business school as a professor.
As a consequence of wanting to better understand cyber criminals’ motivations, I started exploring the field of criminology. Then, understanding that politics and the economy are what make the world go round, I started becoming active in those aspects as well.
Throughout my studies and career, the trust I received meant a lot to me. For example, before starting my PhD, my advisor told me that if I wanted to graduate with him, he expected me to teach him something. The fact that this expert believed that he could learn from me powered my will to do good research and not disappoint him. I had a similar experience when writing my first book. I had never done anything like that before and didn’t know where to begin. Having the editor’s trust and support went a long way in helping me achieve that milestone in my career.”
As our society becomes increasingly digitised and connected, more security requirements and challenges naturally arise. Solange, who has been involved in the development of cyber security technology, standards and policies from their early years, believes there is still a lot of work remaining to improve the current state of cyber security and to create a safer world for future generations. Solange explains: “If we want to serve the common good, think about our youth’s future and the legacy we will leave behind, we should care much more about cyber security, including data protection, mass surveillance and the means we will use to address these issues”.
When asked why we are struggling to keep safe in the digital realm, Solange points out: “The biggest mistake we are making is thinking that technology alone can solve a human problem with socio-economic and political entanglement. Technology can help to solve certain issues, but it can also create others.” According to her, there are three critical obstacles in the way of robust and effective cyber security:
- A lack of cyber security awareness within the general population;
- Insular cybersecurity measures that fail to comprehensively address complex cyber risks; and
- Insufficient collaboration on national and international scales due to the fear of reputational damage in case of a security incident.
Let’s take a closer look at each one of these obstacles.
Lack of cyber security awareness
“How many campaigns or public service announcements related to cyber security risks have you seen in Switzerland recently? None? Exactly.”
Solange currently sees a paucity of resources and funds dedicated to cyber security at the federal or cantonal level in Switzerland. She believes that our authorities and the private sector need to invest in educating all citizens about cyber security risks.
Solange sees a power imbalance between those who control and those who use technology, and strongly disagrees with claims that our children will all naturally be digitally fluent and security aware. She believes that we must adapt our education systems to the increasingly digitised world around us if we want to develop proper digital skills: “Having children use tablets in schools is not enough! Students need to be taught how to programme; not only to create new applications, but also to decode what is happening within the devices we use every day.” She believes that awareness is the first step in understanding the long-term consequences of our world’s digital transformation.
Solange may be onto something, and not just for youngsters. How many of us can say we understand how our everyday tools work, be they SAP, Facebook or even email services? Today, most of us use these as black boxes, not knowing how they function and make use of our data.
Insular cyber security measures
“There is a certain over-confidence of technical people with regard to others with non-technical backgrounds; similar to lawyers and non-lawyers, doctors and patients.”
This can make collaboration tricky amongst experts in engineering, law, politics, social sciences, industry and research.
Instead of seeing cyber security as an issue that only engineers can solve, Solange argues that we need to recognise and value a wider variety of professional experience as well as education. For example, professionals should have the opportunity to complement their existing work experiences with courses to obtain specialised technical, managerial or legal skills.
Solange cites understanding the need for surveillance and intelligence, as well as the fight against cybercrime, as challenges where a variety of different skills are essential. Solange is very clear about this: “It’s not reasonable to assume one single profile can cover all facets of these complex issues, and diverse expertise and experience adds significant value in cyber security.” This is why she believes that an integrated approach to cyber security is vital for our society and that efforts should stretch beyond traditional boundaries, whether they be geographic, political, military-civilian, left-right, black-white-purple. According to Solange, there is an urgent need to overcome conventional political divergences if we want to master cyber risks.
No company wants to grace the pages of newspapers because they fell victim to a cyber attack or because they produced or used vulnerable technologies or services. However, the reality is that major breaches occur regularly and there are many lessons to be learned from vulnerability disclosures:
“We should not let the fear of reputational damage stop us from sharing these lessons learned and hinder our progress towards true cyber security, but instead should understand the benefits in sharing knowledge, expertise and experience.”
To overcome this obstacle, there needs to be more encouragement from the top, be it from regulators or the government. In addition, processes and tools such as anonymised reporting and privacy-preserving data sharing must be developed to enable and encourage companies and people to share valuable information while protecting data subjects’ privacy.
Reflecting on Solange’s career path and her views, it is clear that greater collaboration from all relevant areas of expertise is in everyone’s best interest. We all have a stake in cyber security; it’s an issue that we as a society and individuals cannot ignore. We all need to work towards security in cyberspace and the physical world. Although the path to true cyber security may be long and at times tedious, Solange keeps a pragmatic and positive attitude: “We might as well enjoy the ride!”
Interview - Luxembourg
Security is about balance and cooperation at all levels: within the organization, and across the security community at national, EU and international levels.
Myriam Djerouni, Chief Information Security Officer (CISO) at Luxith G.I.E
Myriam is a dynamic security professional who started her career as a developer in a start-up after graduating from the French University of Lorraine. Her career quickly set out on a path towards security, with steps across different sectors driven by her quest for challenge.
"Although I was originally hired as a developer in a start-up, my responsibilities quickly escalated. I discovered the world of security through the implementation of the ISO 27001 framework. My journey to cyber security did not stop there as I moved to the audit department of a payment card provider and then to a Luxembourg bank. I have now embraced new challenges as Chief Information Security Officer (CISO) of LUXITH in the health sector. LUXITH manages a shared IT infrastructure and services for all Luxembourg hospitals. As a CISO, my two missions are securing our IT services provided to hospitals and facilitating the establishment of their shared IT security strategy".
Myriam does not regret her career choices, as she explained:
"Entering the security field makes you a specialist and helps you develop your strength, skills and confidence, but most importantly it helps you better challenge the various stakeholders in your organization".
In this interview, Myriam shared with us a couple of thoughts about cyber security today across sectors, then specifically in the health sector, and about its future.
Regardless of your industry, security is always about balance
With her experience across different sectors, Myriam can say there is common ground:
“information security is about balance”.
Balance between being technical and understanding the business, between security and productivity, between being a showstopper and having sufficient social and communication skills to build consensus, as well as balance between all the constraints faced by a CISO, such as regulatory, resource and business constraints.
“I think a CISO cannot rely solely on his/her technical skills. Sure he/she needs them, if nothing less for understanding threat agents’ techniques, but he or she also needs to understand the business side."
In the financial sector, the balance is between the means of the external attacker and the means of the institution to defend itself. Financial institutions are a usual target because a successful attack means almost direct financial income for the attacker or financial loss for the institution. In the health sector, the balance is between security and productivity, “because productivity in hospitals saves lives; that is why it should not be underestimated. Healthcare centers and hospitals have recently become higher-value targets due to the sensitivity of the information they process and the general lack of maturity.”
Myriam also strongly believes that cooperation is key to finding that right balance.
“To ensure success in the policies, standards and procedures I am developing, I involve experts in the organization from the beginning. I always seek consensus, especially in my current job, where I need to make all Luxembourgish hospitals align on a common strategy.”
In niche domains and life-critical environments, security is synonymous with challenges that can be solved through cooperation
One of the reasons Myriam decided to change jobs and become a CISO was her quest for a challenge. For a long time, information security was not a major concern in many hospitals, and they did not have the same maturity as organizations in more regulated sectors. Nowadays, with the increasing number of attacks targeting hospitals, such as ransomware, and with new EU regulations such as the General Data Protection Regulation (GDPR) or the EU Directive on Security of Network and Information Systems (NISD), hospitals need to invest more in information security.
“Healthcare is the only industry where the threat from the inside is greater than those from the outside, according to the latest reports. When you see that human errors and internal threats do still have a significant impact, you understand that you have quite some work ahead”.
“Securing medical devices is also a considerable challenge. It is a niche domain where providers do not have much competition. It is therefore difficult to impose security requirements on them. This is paradoxical considering industrial systems such as medical systems can directly affect people’s life or death and at the same time are hard to patch and secure. To cope with those problems, I think cooperation is key. In the medical domain, we are trying to increase collaboration with all health actors, including the ministry, within Luxembourg and in some neighboring countries such as France. We for example sometimes reuse relevant standards developed abroad. But cooperation demands a huge amount of time, and time is hard to find. In parallel, the European Union defined, in 2017, a Medical Device Regulation entering into force in May 2020 to handle the security issues related to these devices.”
The future of security will be built along two different dimensions: the organization level and the EU/international level
Cyber security is becoming strategic and the internet is the new battlefield; governments building cyber armies is a good example of that.
“Nowadays a cyber-attack can have national-scale effects. The cyber-attack on the Estonian Government in 2007 or the Ukraine hack in 2017 are only foretastes of what may happen in the future, especially now that all our systems get digitalized. From my point of view, security needs to be tackled not only in an organization (or in a consortium of organizations) but also at the EU and even international level. The new NISD will most likely be of great help. The NISD deals with defining an EU cooperation mechanism to respond to cyber incidents at the EU level. The Directive also defines critical infrastructures and the digital providers EU countries critically depend on. In our modern society, no country is self-sufficient; for example, we all depend on each other for electricity, IT infrastructure etc. As such, collaboration at the EU level is particularly important, though we probably still have a challenging journey ahead. In my experience, cooperation in a consortium of organizations is already very challenging, as everyone has his or her own pride and fear of losing control. For me the main success factors are test, exercise and simulation.”
The modern CISO: A cyber risk leader who partners with the business and the board
Daria Meyer, CISO at Panalpina
The role of a CISO has changed significantly over the years, as cyber risk has gained visibility at the highest levels of many organisations. So what does it mean to be a CISO today? According to Daria Meyer, CISO at Panalpina: “You become known as CISO when you bring business value to the company but you get appreciated when you successfully guide the company through a cyber incident”.
“My journey in cyber security started with hands-on security 101. After obtaining my degree in telecom and network engineering, I took a job in a remote access support team. I had the opportunity to gain experience in hands-on security engineering. I really enjoyed that time in my career and after a few years, I moved on to expand my know-how in project management, where I was managing cyber security for large global merger and acquisition projects. That was when my career really took off.
I started focusing on cyber security operations, incident response and vendor risk management and increasingly gaining leadership responsibilities with security and risk governance roles. I became accountable for running, controlling and strengthening information security protection, managing budgets for the global function as well as for global projects. I also gained valuable experience in working in a highly regulated environment and from managing a global and diverse team.
My hard work paid off and I became responsible for Novartis’ biggest division: Pharma. I was accountable for setting and executing the overall cyber strategy, leading a worldwide organisation and ensuring that the global Pharma business and overall commercial – “go to market” – IT products, projects and services were developed and delivered in a secure and compliant fashion. This role also came with increased managerial and budget responsibilities. Prior to my appointment, this role and organisation did not exist, so I designed and established it from scratch, hiring the people I needed along the way.
When I was asked to become Panalpina’s CISO, I had to say yes. I knew this was the opportunity for me to really shape the organisation’s cyber security vision and have a real impact on society. At Panalpina, I report directly to the CIO and the Board; I’m shaping the organisation’s security vision and strategy and focus on delivering value to Panalpina and its customers. I also sit on advisory boards of leading IT technology companies, cutting-edge start-ups and global security forums.”
For Daria, taking a position as CISO meant more than just keeping her organisation secure on a day-to-day basis. Daria looked at the bigger picture:
“You need to think about what it is you want to achieve, what you want to focus on to add value to the business and your customers”.
Daria’s motivation is as clear today as it was when she first became a CISO:
“I want to make a positive impact on the company I work for as well as on society in general”.
At Novartis, her purpose was very clear: participate in giving back to those who are ill. Then, when she became a CISO, she made sure she joined a company whose culture and priorities lined up with her aspirations. As a cyber leader, she sees herself not as the head of the department of “no”, but as an advisor and manager of a great team and a steward of data, information systems, and resources. She understands that, as a CISO, she will influence major decisions that affect real people. At the same time, the world of transport and logistics is relatively new to the digital realm, making Daria’s role as CISO a green field. By bringing her experience and expertise, she is not only helping her company, but also her industry.
Daria’s aspiration to help others is fed by her understanding of what cyber security is:
“A few years ago, many equated CISOs with IT. The role was seen as that of securing a company’s systems; nothing more. There was no talk about security as a competitive advantage and business enabler, let alone ethics”.
Oh, how things have changed! In 2017 already, 87% of FTSE 100 companies identified cyber as a principal risk. With this increase in attention, boards are now paying close attention to the topic and increasingly include cyber security experts. This shift comes hand-in-hand with an increased scope for cyber security roles:
“Cyber security went from covering only IT to more broadly addressing risk. It’s also about resilience: preventing incidents while ensuring the company pulls through in the event of an incident”.
In addition, data protection laws and regulations such as the EU’s GDPR, which protect individuals’ privacy as a fundamental human right, reinforce the notion that this field has a direct impact on people’s lives, both at home and in the workplace and for all age groups.
The time when the line between the physical and digital worlds was clearly defined is long gone and, as a result, cyber security has become too important to be exempt from morals and values. What we can learn from Daria is that it is essential for cyber leaders today to understand the implications of their actions on people’s lives and to be able to stand behind their decisions whatever happens.
Women in Cyber
Women are still underrepresented in the global cyber security workforce. What can organisations do to bridge this gap?
Cyber security has become one of the hottest and fastest-growing fields in technology across the globe today. Despite the continuous growth in cyber security spending and opportunities, women’s representation in the cyber workforce remains low - even more so than in IT. This is against a backdrop of a growing skills shortage in cyber; by 2022 there could be a global deficit of 1.8 million cyber security professionals.
How can organisations begin to bridge this gap? One way is to encourage more women into cyber security; another is to offer them equal opportunity to rise to senior leadership roles. At Deloitte Luxembourg, we are committed to addressing this gender imbalance, which is why we launched our EMEA Women in Cyber initiative. By collaborating across EMEA, internally and with clients, we aim to promote gender diversity in the cyber security industry and work towards closing this gap. Watch the space below for regular updates on all activities.
Stories & insights
Our EMEA Women in Cyber vision
We want to make an impact far beyond our internal Deloitte Cyber team. To do so we have developed the Deloitte Women in Cyber initiative over the last three years and are now working collaboratively across EMEA with a common vision for the future:
To promote gender diversity in the cyber security industry by initiating the dialogue, creating awareness and fostering a community that inspires female talent to consider a career in cyber.
In order to achieve our objectives, we must influence and shape the minds of individuals to understand that the cyber security industry is open to anyone regardless of backgrounds, education or gender. We must harness our current talent to ensure we have a rich pipeline of females ready to step into leadership roles and raise awareness of how successful diverse teams can be.
Stéphane is a partner within our Risk Advisory practice. He has over 21 years of experience in the IT risk, Information Security and IT audit fields, with a strong focus on the financial services industry.
Laureline joined Deloitte in January 2013 as Manager in the Risk Advisory department, where she currently focuses on Information & Technology Risk.