What would you describe as your most memorable achievement?
Ensuring that about 2 million patient records were secured from being freely accessible is, in my view, the most memorable one. Back in 2019, while researching unprotected medical devices connected to the public Internet, I discovered several hundred archives for medical imagery leaking patient data, including full CT scans or X-ray series. I worked with several CERTs and major IT publications across the world to get a majority of these off the net. Unfortunately, this is a never-ending task, as the last update on the numbers shows that hundreds of new medical devices have been connected to the Internet without appropriate protection.
What first made you think of a career in technology?
The very first person to spark my interest in tech was my dad, an electrical engineer, who always asked me to help him wire stuff or do some maintenance on machinery we had on our farm. Later it was all about how a computer works and what I can do with it; sometimes with the notion ‘better not do that’.
What style of management philosophy do you employ with your current position?
There is that old saying: ‘I know that I know nothing’, which I try to keep in mind when managing a team’s tasks or mentoring colleagues. The quote implies that I need to stay curious, should learn every day and trust my team, their knowledge and ability to overcome limits. In a team, it gives room for saying ‘I don’t know but will figure it out’. With that, the team evolves continuously without the fear of making mistakes. It is about knowing that limits exist and knowing that you can find ways to go beyond.
What do you think has emerged as the technology trend of 2022 and why?
If there is one technology in digital security to name for 2022, it would be Zero Trust with all the areas it touches. As for the trend behind it, with that technology being a major milestone, it is cyber-resilience.
The last few years have made it clear that the need to be safe and secure with everything digital we have, the data we own or create, our identities and the devices we use, our infrastructure, is simply fundamental.
Using Zero Trust-enabled technology to protect data, identity and systems, be it via Multi-Factor Authentication or least privilege approaches, is a great leap forward to cater for that need. 2022 has seen a great number of companies running projects around Zero Trust-enabled tech across the globe, mainly because the technology has evolved in usability.
The trend behind cyber-resilience is both an ideal and an attitude. You can’t buy it and it won’t be delivered by technology. For businesses, technology exists to support your processes and your ideas of how things can be done. In the same way, resilience can only be supported by technology, but not achieved by it.
What do you currently identify as the major areas of investment in your industry?
With companies investing resources, time and effort into digitalising their business processes and models, this larger business trend will split information security investments into several areas:
1. Solutions that help to reduce the hybrid attack surface, represented by the multitude of ways digital equipment is used and the user and identities on top of that. Better approaches to user awareness will also be seen in this area.
2. Organisations will make investments to secure their supply chains and the related software bill of materials to tackle that risk of a third-party compromise. That might not be an investment in technology, but it can also be a consolidation of suppliers and a streamlining of the supply chain.
3. Investment in compliance will see an uptick. The EU’s Cyber Resilience Act forces companies to investigate the details of how their products and services are manufactured or rendered, thus influencing one and two.
How do you deal with stress and unwind outside of the office?
‘Cybersecurity and stress, never heard of.’ For a lot of people in cybersecurity, including myself, that bit of sarcasm is a good vent when dealing with some low-level stress. The real ways to unwind for me are either to go out with my two dogs or to be with my family talking about everything else other than digital risks and being far away from any devices. A good book or some minutes with one of my Rubik’s cubes does help as well.
If you could go back and change one career decision, what would it be?
There is one career decision I made many years ago, which keeps nagging me whenever I recall the moment. The time spent in that position has taught me a lot and in keeping myself to that often-used phrase, I would not be where I am now without this mistake. So, the change is not so much about the career decision itself, but rather about telling my younger self to ask more questions.
What are the region-specific challenges when implementing new technologies in Europe?
Paradoxically, the fast-evolving threat landscape makes it more difficult for IT leaders to switch from the proven solution to a visionary one, even though it seems to be more effective. They feel more confident addressing the risks in a way they are used to. This is a two-way challenge: new technology has to find a way to prove itself and security decision-makers need courage to implement something innovative.
For instance, there is no need to promote a Privileged Access Management (PAM) solution as security professionals are aware of how to benefit from it. However, we educate on the visionary no-vault PAM approach during each Proof of Concept (PoC) to prove its efficiency in eliminating the attack surface. Organisations tend to go with the settled tech, trying to avoid mistakes. The balance between ‘oldie but goodie’ and innovative solutions is the biggest challenge for IT pros in Europe.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
The last year has achieved much for cyber-resilience, the topic that has been a focus of my activity for the last five years. I’ve spent much more time addressing the aspects of it in discussions than in the years before, which indicates that the perception of it has changed, finally. For the next 12 months, it will continue this way, with me talking more and more about how to embed cyber-resilience into the mesh of business processes, employees and digital operations.
What advice would you offer somebody aspiring to obtain a C-level position in your industry?
Never stop learning, but don’t expect yourself to know everything.