The balancing act

As the Global CISO of Eviden, I have to balance various demands. On one hand, we have the strategic and tactical agenda of the business that I work for, and on the other I have to ensure that our IT systems are safe from attackers. All of this needs to be done in compliance with regulations that exist across the 50+ countries where we operate.

Furthermore, our cybersecurity world is in constant change and innovation. This applies to attackers and defenders alike. A CISO needs to keep abreast of the developments in this cybersecurity arms race.

As we approach 2024, I have three hot topics that I shall pay special attention to:

  • Artificial Intelligence (AI)
  • Compliance with new regulations
  • Human behavior

Artificial Intelligence

In the second half of the 1990s the internet-based era started to become pervasive, and the world changed immensely based on that pivotal technological leap. In 2023, with the advent of usable artificial intelligence (AI) involving Generative AI (GenAI), our world is at another pivotal moment of change. The race is on across many spheres of work, leisure and well-being to harness the power of this technology.

In cybersecurity there are two aspects of AI that we need to pay attention to:

  1. Security of the use of AI in Eviden, both for internal and for external (customer) systems
  2. Use of AI in defending various IT assets

Security of Product and Services Incorporating AI

Like many organizations around the globe, Eviden is incorporating AI into services and products that it sells to its customers. The question is how one ensures these are safe. In some ways, the answer is no different from when AI is not in use, so classical security measures are still relevant. For example, vulnerabilities in infrastructure components and application development still need to be checked, Identity and Access Management (IAM) still needs to be carried out, and so on.

The main problem is establishing that the AI results are accurate and unbiased. In this context there are two GenAI components that we need to consider: the generative model and the data set on which the generative model is applied.

Some generative models can be relatively easy to explain, such as those based on a simple decision tree. In other cases, the decision mechanism is a black box, in which the model is not transparent to the user. Understanding and protecting these models will no doubt mature in the future.

Data sets can be biased because the developer of the system has not chosen them wisely for the use case. Equally, an attacker could alter them to suit a particular narrative that favors the attacker. Here, classical security measures, such as IAM and log management, should be used.

Use of AI in defending IT assets

The use of AI is helping, and will continue to help, cyber attackers as well as defenders. Attackers are already harnessing AI to fine-tune very realistic phishing attacks, and they are likely to use AI in other types of cyberattacks too. Thus, their attacks may be more focused and can be executed within shorter timeframes.

From a defender’s perspective, AI can be used to automate many cybersecurity processes. We are already using AI in our Managed Detection and Response tool (AIsaac). Other security tool providers are also using AI to complement existing tools. I expect to see more of these in 2024, and CISOs can leverage GenAI to assess their efficacies!

Compliance with new regulations

In a large, geographically widespread organization like Eviden, compliance with local laws and regulations is extremely important. Furthermore, as technology advances, governments will continue to introduce regulatory safeguards.

Here are two major pieces of legislation that we have on our radar:

In the EU, our focus is on the Network and Information Security Directive (NIS2). The member countries will need to transpose NIS2 into their respective national laws by October 17, 2024. Eviden will then have to be compliant with those national laws, particularly as it comes under the high criticality sector definition. We have already started a project to look at how that compliance can be achieved and have started discussions with the relevant national authorities.

In the AI context, the EU announced the AI Act in 2021. This is in the discussion phase. 2024 will be a crucial consultative period, when a wide variety of stakeholders (including Eviden) will provide inputs. We will also participate in this discussion via the Charter of Trust.

Human Behavior

According to the Verizon Data Breach Investigations Report, 74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.

The primary method for social engineering attacks is phishing. Through a regular campaign of anti-phishing simulations, the rate at which our users fall for simulated phishing has fallen from 20-30% a few years ago to less than 5% nowadays. I see this as an effective way of periodically reiterating the importance of awareness to users. The inventiveness of the security function in coming up with novel anti-phishing e-mails is often a topic of conversation – the adjective “sneaky” is a label that we are proud to have!

Each employee is encouraged to take security awareness training annually. Knowledgeable users can opt to take a quiz at the beginning of the course. Depending on the results, the users are guided to the parts of the course that are relevant for them. In this manner, a course that would usually take 45 minutes to complete can be finished in as little as 15 minutes. This has been appreciated by our users.

Despite our successes in anti-phishing and security awareness training, it is always a challenge to ensure security awareness becomes an unconscious behavior. In 2024 we shall be looking at ways to get the appropriate messages to different user populations. The aim is to increase the users’ ability to make cyber-risk-informed decisions by themselves.

The trick for our IT Security function is not to be seen as a drag on the user experience, but rather as an enabler. This is one of the reasons why we filter the vast majority of malicious emails via our email filters. We complement that by adding a colored banner on top of all the emails that users receive from external sources. This alerts them to check for potential phishing attacks. By working with user groups, we shall add to such interventions to make cyber security as frictionless as possible.

Facing challenges in partnership

As the Global CISO for Eviden, I must keep working on strengthening our security in the constantly evolving threat landscape. All of this happens within the ecosystem of our partners, suppliers, and clients.

Sharing information and returns on experience (REX) matters in order to prevent attackers from reaching other organizations. This proved effective and crucial during the MOVEit file transfer tool vulnerability. I am looking forward to facing our security challenges in partnership with the entire cybersecurity ecosystem!

As a CISO, my 2024 resolution is to act on all fronts: AI, regulations and staff’s cybersecurity awareness.