"The platform providers need to be at the forefront of security and technology," says Jyrki Rosenberg, Executive Vice President, Corporate Security Business Unit, F-Secure, in an exclusive interaction with R Giridhar, Group Editor, CSO Forum
Q. Can you tell us about F-Secure?
JR: F-Secure is a 20-year-old company that specializes in cyber security and protecting against threats on the Internet. It has grown from a small Finnish company to a global organization, and evolved from being an anti-virus firm to providing cyber security protection and solutions in the marketplace. F-Secure is now well known for its consistency and reliability in protecting against threats.
Q. How is the cyber threat environment evolving? What can CISOs expect to encounter?
JR: What’s happening in the marketplace is that threats are becoming more targeted. CISOs should accept that if they have some valuable information or business processes, there is a possibility that someone is targeting them using several methodologies. So, malware technologies are becoming more diverse, and attack approaches are more specific to the user. If a company holds valuable customer information, financial information or other process information critical to the business, then the CISO should specifically invest in protection for the areas that are most critical.
Increasingly we see a combination of technologically very advanced attacks combined with social engineering and email phishing. An attacker often finds it easy to get into an organization’s network by using employees as the weak link. So, you have to invest in protection, as well as detection and response to the threats that are already in place. You should assume that even if you have protection at the perimeter and end-points, it is possible that someone can enter your network. You also have to invest in training people for operational security—otherwise attackers will get in through your people.
Q. Why are social engineering and spam still a big threat? Do we need different techniques to tackle this problem?
JR: Employees are often the weak link in the security chain. When you have new employees, new business partners, new policies, new processes, etc., or if things change, then you have potentially new sources through which you can be compromised. So, employee training and awareness building is never-ending.
But this problem is behavioral, not technical. So, you need different tools to tackle it. Some of it is training, awareness building—and ensuring that people are actually complying with good practices.
Q. Are organizations focusing too much on sophisticated and advanced security solutions—and overlooking the basics?
JR: In the field of cyber security, you have numerous buzzwords and new technologies—many of which are good for advancement in the field. But, as a CISO, if you focus too much on these things and ignore the basics, then you’re not safe. So, what you should do is move to detection and response solutions, have the protection layer always up-to-date and state-of-the-art. Move up to the next level only when you have secured the foundation technologies and processes.
Q. In an interconnected business environment, how much should enterprises focus on security with external contractors, partners and suppliers?
JR: Just like any responsible company sets requirements for its suppliers on product quality or business ethics, for example, I think that they should enforce security standards and requirements for partners and suppliers. Every company in the business eco-system needs to understand its most valuable assets, critical processes and information—and keep them secure. A breach or leakage anywhere in the chain will have serious implications for all participants.
Q. What are the key issues today in cloud security?
JR: I know some organizations that are not moving to the cloud because they feel they are safer if they manage everything themselves. My view is that a cloud environment is as secure as you make it. Just as you invest in security solutions for on-premise assets, you need to do the same for the cloud.
Q. What aspects of the mobile environment concern you the most?
JR: The reason mobile security is becoming so critical is that the use of mobile technology and solutions is exploding. Increasingly, not only personal information but also business processes are being delivered through mobile devices, on the go and anywhere. For the mobile environment too, you need to have the security basics right. Have good end-point solutions, and make sure that your overall threat analysis covers the mobile threat vectors. The human factor also needs to be trained and sensitized to security issues.
Software platform providers have a big role to play in mobile security. When you are downloading apps from the app store, then you are less likely to be exposed to risks. The platform providers need to be at the forefront of security and technology.
Q. Do you foresee greater collaboration and cooperation amongst security solution vendors in the future?
JR: I don’t think you can have a monolithic security solution that does everything. We are living in a world of distributed development, distributed economy and products. That means that your threats are distributed too—and your approaches need to be varied as well. You need to have not only local presence and understanding, but also technological capabilities in many different areas.
I do see greater collaboration and cooperation between different security vendors. For instance, some players might work on a particular bit and then integrate their offering with another vendor to provide a better solution to the customer.