Humans remain the weakest link in cybersecurity. Security awareness is a constant, rather than a one-off exercise.
Choose your battles. A cyber security program will always be limited by funds and resources. Focus on your perimeter, crown jewels and employees.
Simplicity: treat everything at the same level of trust: your offices, mobile workers, home offices, the internet. This will allow you to focus on one perimeter security rather than multiple.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Arvid Vermote. He is GlobalSign’s worldwide Chief Information Security Officer and is responsible for the security and compliance across the organization. Based in Brussels, he ensures products and operations are provided in a secure way and in accordance with industry and market regulations. In his role he also actively participates in the development of new products, solutions and services. Furthermore, he is in charge of the IT department and operational governance, aligning departments and business processes with the GlobalSign strategy and executing strategic board agenda.
Prior to joining GlobalSign, Arvid was a Senior Manager within EY (Ernst & Young) where he managed and delivered cyber security advisory services in Europe, Middle East, India & Africa across different sectors. He co-led the Belgian Cyber Security and Privacy practice and was responsible for the full order-to-delivery cycle of technical information security related advisory projects. In his role he acted as one of the global experts on Public Key Infrastructure (PKI) ecosystems and associated risks and provided quality assurance on PKI implementations and auditing engagements (WebTrust, eIDAS) around the world.
Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
In my younger days, I was studying to be a musician as a violin player. I went through the formal master’s degrees for music and violin. But I always had two passions — one was IT and one was music. Soon after completing my education, I realized that I did not really want to play the violin or be in a creative art where I express art for a living. So, I decided to take a course in IT, another degree. One of the most interesting areas of business is cybersecurity because there you have the threats and the technicalities, but a lot depends on how humans think — the bad actors and the good actors and the victims — and how to work all of that together into a good cybersecurity program where you anticipate those actions by humans.
Can you share the most interesting story that happened to you since you began this fascinating career?
Key management — the management of cryptographic keys in a cryptosystem — is the most critical activity for a Certificate Authority in terms of security and business continuity. As a result of the COVID-19 lockdown I had to visit one of the three locations where GlobalSign stores active key pairs (private and public keys which ensure authentication) because I am the designated key manager and ceremony master for that location. I picked up a GlobalSign colleague early in the morning, drove across several countries to reach the facility, with multiple police stops and border patrol checkpoints that involved trunk searches, travel approval reviews and even some lecturing on social distancing.
We were told at one point that my colleague was sitting too close to me and had to sit in the backseat of the car. We had to stop at another office on the way to pick up secrets stored in a safe that are required to unlock the key material.
When we reached our destination, the process was more complicated than normal because all personnel involved had to wear extensive PPE and use their own individual keyboards while maintaining a safe distance from one another.
Shifting to the cybersecurity industry, as it is today, what are the three things that most excite you about the Cybersecurity industry? Can you explain?
- The speed with which threats and new attacks arise. There is something new every day and enterprises need to constantly be vigilant and focus on continuous improvement / adaptation to those threats.
- The need for digital identity and authenticity has increased even more strongly since COVID-19 and the associated implications of working remotely. This brings several interesting new technologies, use cases and challenges.
- The long-awaited shift away from passwords towards other, more advanced forms of authentication. Passwords are, together with humans, still one of the weakest and easiest paths to compromise within cyber security.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Deep fakes and other forms of advanced impersonation and identity fraud attacks. These new techniques render it almost impossible to distinguish what is genuine versus phony videos and voice recordings. Humans will need to be extensively trained on how to recognize them and we need to come up with new prevention and detection controls to be abreast of these new attack techniques.
What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?
- Humans remain the weakest link in cybersecurity. Security awareness is a constant, rather than a one-off exercise.
- Choose your battles. A cyber security program will always be limited by funds and resources. Focus on your perimeter, crown jewels and employees.
- Simplicity: treat everything at the same level of trust: your offices, mobile workers, home offices, the internet. This will allow you to focus on one perimeter security rather than multiple.
- Outsource wisely. Some parts of a cybersecurity program might be outsourced, but unfortunately often this leads to significant spend of resources with limited ROI or a risk of vendor lock-in.
- Security as an enabler. Ensure the senior management and other stakeholders perceive the work you do as adding to the overall viability of the firm.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Intelligent, passionate, and empathic cybersecurity employees are my “swiss army knife” and best tool. Often, cybersecurity leaders think the answer to cybersecurity is to outsource the program or have it run through a consultancy. This will never lead to a sufficiently tailored cybersecurity strategy that will be supported by senior leadership and for which effective execution will lead to a proper protection of the enterprise.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Apart from my answer on “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” a lean & mean cyber security program should be focused on pragmatism. It is very easy to get tempted by all the (expensive) tools and consultancy available on the market, whereas they typically only really increase the maturity of an already very optimal cyber security organization.
Hire one or two hands-on security officers and start with the basics: use existing IT/engineering ticketing systems to document your GRC, capture security activities and build a basic security event management system. Focus on those assets in the organization that have a substantial impact if their confidentiality, integrity, or availability is affected. Combining a few talented resources that understand the organization with existing IT tools might already bring you to a surprisingly significant cybersecurity maturity without any significant investment.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there three or four signs that a lay person can see or look for that might indicate that something might be “amiss”?
Some typical signs that might point to malicious activity are:
- User accounts being locked and the users claiming they did not try to log in. This might point to someone trying to guess / brute-force accounts of employees.
- Your data stored on fileservers becoming inaccessible (might indicate data is being encrypted by ransomware)
- Complaints from your employees that applications and/or network resources are slow to respond/unresponsive (might indicate data exfiltration and ongoing malicious activities are consuming bandwidth)
- Employee accounts suddenly having more permissions than before (indicating there might have been some kind of compromise and elevated account access and privileges as a consequence)
- An employee claiming they have clicked on a link or attachment in an email and their workstation became unresponsive as a result — which might imply it is infected by malware through phishing.
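Two of the signs listed in this answer (lockouts that follow a burst of failed logins, and accounts suddenly gaining privileged access) can be picked out of ordinary authentication logs with a few lines of code. The script below is an added example and is not code from the interview or from GlobalSign; the log format, field names, thresholds and the list of privileged groups are all assumptions made for illustration, and the log lines are constructed sample data.

```python
"""
Added example (not part of the interview): a small detector that scans
constructed authentication and group-change log lines for two indicators
from the list above: an account lockout preceded by a burst of failed
logins (possible password guessing), and a user added to a privileged
group. The log format, thresholds and group names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
# Each line: <ISO timestamp> <event> <user> <detail>
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T08:00:03 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T08:00:04 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T08:00:05 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T08:00:06 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T08:00:07 ACCOUNT_LOCKED alice src=10.0.0.5
2024-03-01T09:15:00 LOGIN_OK bob src=10.0.0.9
2024-03-01T09:20:00 LOGIN_FAIL bob src=10.0.0.9
2024-03-01T09:21:00 LOGIN_OK bob src=10.0.0.9
2024-03-01T10:00:00 GROUP_ADD carol group=Domain Admins
2024-03-01T10:05:00 GROUP_ADD dave group=Printer Users
"""

# Assumed tuning values: how many failures inside the window, right before a
# lockout, we treat as a guessing attempt rather than a user mistyping.
BRUTE_FORCE_THRESHOLD = 4
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
# Assumed list of groups whose membership change should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, detail)."""
    ts, event, user, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), event, user, detail


def detect_lockout_bursts(lines):
    """Return (user, failure_count) for lockouts preceded by a failure burst."""
    failures = defaultdict(list)   # user -> timestamps of failed logins
    flagged = []
    for line in lines:
        ts, event, user, _ = parse_line(line)
        if event == "LOGIN_FAIL":
            failures[user].append(ts)
        elif event == "ACCOUNT_LOCKED":
            recent = [t for t in failures[user] if ts - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                flagged.append((user, len(recent)))
    return flagged


def detect_privilege_changes(lines):
    """Return (user, group) for every addition to a privileged group."""
    flagged = []
    for line in lines:
        _, event, user, detail = parse_line(line)
        if event != "GROUP_ADD":
            continue
        key, _, group = detail.partition("=")
        if key == "group" and group in PRIVILEGED_GROUPS:
            flagged.append((user, group))
    return flagged


def scan(log_text):
    """Run both detectors over a block of log text and return the findings."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {
        "lockout_bursts": detect_lockout_bursts(lines),
        "privilege_changes": detect_privilege_changes(lines),
    }


if __name__ == "__main__":
    for category, hits in scan(SAMPLE_LOG).items():
        print(category, hits)
```

On the sample data the first detector flags alice (five failures in the minute before the lockout) and ignores bob, whose single failure followed by a successful login is normal user behaviour; the second flags carol's addition to Domain Admins while ignoring a routine group change. Both findings are exactly the kind of event a help desk can hand to whoever owns security review, which is what the answer above suggests looking for.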
This was very inspiring and informative. Thank you so much for the time you spent with this interview!