IT security should be as natural and important to everyone who uses a PC or mobile phone as driving safely.
Cyber security is on everyone's lips, and not just because of the new EU directive NIS2. In this interview, next level expert Walter Sedlacek explains why NOW is the right time for a paradigm shift in IT security awareness.
The new EU Directive NIS2, which must be implemented from October 2024, has brought us additional challenges and obligations in the area of cyber security. The second edition of the 'Network and Information Security Directive' (NIS2) applies to companies with more than 50 employees and a turnover of more than 10 million euros in 18 defined sectors. Membership of the "Essential Entities" or "Important Entities" determines the level of government oversight and possible sanctions.
For many entrepreneurs, this sounds like a series of requirements and burdensome obligations. But, as our interviewee Walter Sedlacek points out, the second edition of the Network and Information Security Directive (NIS2) also offers an opportunity to raise awareness of the issue. After all, it affects everyone - every single one of us.
Mag. Walter Sedlacek, MSc, MBA, is Managing Director of next level consulting APAC, responsible for expanding the consulting business in the Asia Pacific region. However, the physicist's heart beats for one topic in particular: cyber security consulting for organisations. His extensive and in-depth experience comes from implementing a global cyber security programme in 52 countries for an international IT service provider, as well as advising on an NIS/NIS2 implementation for a global company based in Austria. You can feel his passion for the subject in every sentence he utters, and you would do well to know at least the following key questions in this context before having a conversation with him - or any other IT security expert:
- Who is responsible for IT security?
- What is a security framework and what is a security audit?
- What is NIS2 and what do affected companies need to do?
But don't worry if you feel completely lost at first. Walter has a strong sense of purpose and the patience to make us understand the importance of this topic. By the end of this interview, you'll be well prepared and ready to pass your IT security "driving licence" - for a bike, at least.
Interview with Mag. Walter Sedlacek
Hello Walter, how difficult is it to make people in organisations aware of and interested in IT security?
To illustrate the perception from a security professional's point of view, I'll start with an admittedly macabre joke from the industry: "What's the difference between a security officer and a terrorist? A terrorist has sympathisers."
In practice, unfortunately, a security officer does not have sympathisers. Firstly, as a security officer you attack the managers' budgets and therefore their bonuses, and secondly, you always get into trouble somewhere. It's like going to the dentist - nobody likes going there either.
I found an interview with you from 2017 in REPORT magazine, in which you summarised the following simple recommendations for IT security in companies:
"Only properly maintained PCs should be allowed to connect to the network. And the most important security factor is still the user - they should have a certain amount of common sense, be vigilant and sceptical."
Now, seven years later, I ask you: Are you happy or disappointed with the development of cyber security in companies?
I am neither happy nor disappointed. That would be too emotional. I am pleased to see that legislators, particularly the European Union with its rigorous NIS2 guidelines, are compelling companies to confront this issue head-on. It is clear to me that the entire IT sector is still failing to meet the most basic standards in many areas.
What basics are we talking about here specifically?
We're talking about fundamental processes like incident management, problem management and change management – in other words, processes that are already well developed. Let's be clear: cyber security is based on these processes, and in many areas of companies or industry, this is not yet sufficiently understood or implemented. In other words, progress is being made, but not fast enough.
Why isn't cyber security progressing faster in organisations? Every large organisation has an IT department...
IT doesn't pay enough attention to these issues. When you hear cyber security, you usually think of hackers from China or Russia doing a lot of damage. This is all true. But the focus should be on the most basic, often very simple things. And these are still being ignored.
What is the reason for this?
In most cases, IT departments are well equipped in terms of both expertise and technology. However, these departments are always busy and cyber security is often at the bottom of the to-do list and rarely addressed.
But even when IT departments have the time and resources, cyber security is far from a done deal. This is because IT security cannot be implemented by individual people or departments alone. You can't just fill a department with well-paid experts and expect cyber security to be a thing of the past.
How can an organisation prepare for cyber security?
A company must have an affinity for cyber security in all areas - organisational, procedural and technical - and the appropriate measures must be implemented together. After all, it is everyone's business and security is only as strong as its weakest link!
It's simple. Think of it like a house. It's futile to install a strong door at the front with all your ingenuity, have lots of locks on it and put bars on all the windows, but leave a door wide open at the back. It is crucial to understand that no matter how much you invest in technology, if you do not pay attention to the processes, it is futile. Potential attackers will always seek out the weakest link. If they identify that the technical aspects are not functioning, they will attempt to exploit the processes. If that is unsuccessful, they will then try to exploit the organisation.
How do you embed the importance of cyber security in the organisation?
Cyber security must be a top priority for the entire organisation. IT should be discussing these issues with a security officer at both the staff and board levels. It is also essential to exert pressure to ensure that IT security is given the status it deserves. The only way to achieve this is for the IT department to implement cyber security across the entire organisation.
What do you need or should you know in order to have a say in cyber security in your company?
5 TAKE-AWAYS
- Who is responsible for IT security?
Everyone and every single person in an organisation! The most important thing is to look at security as a holistic issue across the entire organisation. In an organisation, IT security should not just be left to a small, dedicated department to take care of. It only works well if everyone does it. It's similar to compliance. It wasn't on the agenda 20 years ago, but now it's on everyone's mind and it's important across the organisation that you play by the rules when it comes to bribery, corruption and things like that. This compliance issue is only possible if everybody is doing it and you don't leave it to a small department to implement it.
- What is a security framework?
A cyber security framework consists of a set of guidelines that establish standards to define the processes and procedures an organisation must follow to assess, monitor and mitigate cyber security risks. A cyber security framework provides a common language and set of standards for security managers in different countries and industries to understand their security measures and those of their suppliers.
- What is a security audit?
A security audit is an external review and examination of whether the organisation's IT is compliant, i.e. following the rules. For example, the rules may state that two-factor authentication is required to access the network: that is, I need to know something, such as a password, and I need to have something, such as a phone, on which I confirm access with a click. That would be part of a set of rules. And an auditor will then check that all these logins are implemented correctly.
- What is special about NIS2?
We explained what NIS2 is earlier in this interview. One of the special features of NIS2 is that cyber security must now be demonstrably anchored at management level, i.e. at the top. In addition, an Information Security Management System (ISMS) must be operated, including a risk management system that assesses the risks.
- What needs to be done for NIS2?
A set of rules, a framework - an ISMS, Information Security Management System - must be created to ensure that security is maintained. More attention needs to be paid to risk management and the supply chain needs to be involved so that all suppliers are NIS2 compliant. You have to implement IT security technically, operationally and organisationally - which brings us back to point 1, the holistic approach: you have to train your people, you have to make it clear to everyone what they can and cannot do - for example, you have to be very critical about opening email attachments. You have to define emergency procedures so that people know what to do, where to go and so on.
What are the most common mistakes companies make when implementing cyber security measures?
That they don't think holistically, that they only secure small areas - like the technology. Someone has a small business and buys an expensive firewall to put between the Internet and their network and thinks that everything is secure. But it's not! That's the biggest mistake I've seen: people don't take a holistic view, they just patch things up, which of course pleases the attackers because they find the holes.
Of course, it's not easy for non-experts to see the whole thing holistically. But that's exactly why there are frameworks, collections of guidelines that help to take a holistic view. The best known is ISO 27000, which is quite old and has a lot of problems, but it takes a fairly holistic view. Of course, there are now much more modern guidelines and frameworks that are much more detailed.
What is the best way to approach the issue if you have no experience and no internal or external experts? Many companies don't know exactly where their gaps are.
The first step is to analyse the current situation. You need to know where you are. But that's generally the case with project management. You need to know where you are, how everything fits together and how to achieve a defined goal. Then you have to agree on a framework, i.e. what policy, what standard do you want to be sure of? In road traffic, I have to have a set of rules, I have to know that I stop on red, that I go on green, that I drive on the right and not on the left, and so on. In IT security, there are five to ten common sets of rules. I mentioned an ISO standard earlier, there is NIS2 and a few others.
How do you check the effectiveness of a cyber security strategy in a company?
We check compliance with the framework through an external audit - and it has to be an external auditor, because an internal auditor is often blind! This person looks at the controls, looks at examples, does spot checks and can then determine whether a company is 'secure' against its framework.
When or how does a company know if it is sufficiently prepared against cybercrime?
We call the state of cyber security that organisations should be in 'Always Ready for Audit'. This means that you are always in compliance with your defined security framework. This is always proactive behaviour: You are reducing the risk of IT security incidents with cyber security, and as NIS2 is very much about risk management, it will be very successful in doing that, because then you can just measure the risk and you have to get it below a certain level.
So how secure can organisations really feel?
IT security is always about reducing a risk to a certain level; under normal circumstances you can never get rid of it completely, there will always be a residual risk. But the idea is to reduce IT security risk to a manageable minimum in order to reduce the likelihood of a successful attack.
How do you deal with people who are affected but don't know and don't care? How do you make them aware and engage them?
This is particularly difficult because IT security is always at the bottom of most people's agendas. The best way to raise awareness - and I've had a few coaching assignments in this area - is through an incident: something has happened. A lot of money has been lost and reputations have been damaged. It rarely makes the papers, but it happens all the time. When it happens, there's a fire under the roof, budgets are allocated, it's recognised by top management and things start to move. Then you want a consultant as soon as possible to advise you and get things back on track. We have done that a couple of times through Next Level and it has worked well. If it hasn't happened [yet], it's difficult. It's also difficult to sell very expensive fire insurance to someone whose house has never burned down.
How can companies ensure that their employees are prepared for the new cyber security threats?
There are several ways to educate employees. Unfortunately, it's not always enough to just tell them not to open unknown attachments. You can use videos to show what happens when you open a virus attachment and what the consequences are. There is also gamification, where you put people in front of infected computers and let them experience what happens. There are also quizzes that you can do after training.
Everybody is different, everybody learns differently, so you have to look at it from different angles, give people different opportunities and eventually one or the other will bite. My main experience is that you have to adapt the method to the audience, to the people - and that is also very culture-specific. But as I said, you can only minimise the risk, you can't eliminate it.
What is the role of a security framework in an agile and iterative organisation? Can a stable security framework be reconciled with the flexibility and rapid iteration cycles of agile teams?
This is a separate question. A security project has to be a waterfall project because the goal is completely clear and predefined. I know where I want to go, so I use the waterfall project management method. And of course you can do all kinds of agile projects and run an agile organisation that has nothing to do with security, it is detached from the company's business model.
Could you explain the waterfall process in this context?
Waterfall means that I have a security framework, a set of rules that I want to follow, that I want to meet. I know exactly where I want to go. I think about where I am now, consider where the gaps are and fill them with work packages to close them. I then organise them in a work breakdown structure and have them implemented through project management.
Is it possible to identify trends in cyber security? And how can companies respond proactively?
If you want to talk about a trend, it's the fact that we have more rules and more tools - and that's positive. There are better and better frameworks, better and better sets of rules. In 2011 there was only the ISO 27000 framework, then came NIS1 [for critical infrastructure only; editor's note]. There are also customised frameworks, for example for industry or pharmaceuticals, there is a framework for internet payments and so on.
Another trend is that legislators are forcing companies to operate cyber security according to prescribed standards, to comply with the rules and also to monitor them. So this is a trend that we can welcome.
Finally, what tips would you give us on IT security?
Now is a very good time to look at cyber security. Firstly, because companies will have to implement the NIS2 requirements by October 2024 to avoid penalties. And secondly, as a competitive advantage, because others are not doing it.
Companies need to take a holistic view of cyber security. That's the biggest mistake, because it affects all of us.
Thank you very much for the interview!