I am live from Sphere 24 in Helsinki in this special Tech Talks Daily Podcast episode. I am pleased to speak with Christine Bejerasco, the Chief Information Security Officer at WithSecure. Christine brings her extensive 20-year experience in cybersecurity to our discussion, offering a unique perspective from the CISO point of view.
We dive into what makes Sphere 24 a standout event in the cybersecurity landscape. Christine shares her passion for this participant-driven unconference that brings together experts from diverse backgrounds to tackle the multifaceted challenges of cybersecurity. She emphasizes the importance of collaboration and multiculturalism, highlighting how these elements are integral to the success of Sphere and WithSecure's approach.
Our conversation covers the primary challenges CISOs face, particularly in balancing minimum adequate security with proactive cyber defense, especially in resource-constrained environments. Christine provides valuable insights into how exposure management is helping organizations identify and prioritize their most critical vulnerabilities, ensuring a more strategic and practical cybersecurity posture.
Christine also shares her thoughts on cyber adversaries' evolving tactics and the importance of embedding security into organizational processes to elevate overall security maturity. We discuss the role of AI in cybersecurity and the necessity of adopting a "secure by design" mindset to build resilient technologies and organizations.
Join us for this engaging discussion, during which Christine Bejerasco offers practical advice, forward-thinking strategies, and a glimpse into the future of cybersecurity. Whether you are a business leader, cybersecurity professional, or simply interested in the latest trends, this episode provides knowledge and inspiration. Listen in, and don't forget to share your thoughts with us!
For more information, visit WithSecure's website at www.withsecure.com and explore their latest blogs and resources on the evolving cyber threat landscape. Thank you for tuning in to the Tech Talks Daily Podcast from Sphere 24.
[00:00:00] Welcome everyone to another session at the Sphere event in Helsinki by WithSecure.
[00:00:08] Yes, I'm Neil, your host, and today I've got the Chief Information Security Officer at WithSecure joining me today.
[00:00:16] Her name's Christine. She brings 20 years of experience in building software-based cyber defense capabilities,
[00:00:23] and she's here to share her invaluable insights from CISO's perspective.
[00:00:28] She's appeared on stage today not once but twice.
[00:00:31] She's led a discussion on balancing minimum effective security with proactive cyber defense,
[00:00:36] where the panel delved into the delicate balance between implementing essential security measures
[00:00:42] and embracing forward-thinking defense strategies, particularly in environments where resources are limited.
[00:00:49] And she's got a fantastic background in malware and threat analysis too,
[00:00:54] so I think her hands-on experience in developing robust solutions that counter cyber threats makes her the perfect guest for today's show.
[00:01:03] And she's led both operational and strategic teams, making her also an authority in navigating the complexities of cybersecurity.
[00:01:11] And Sphere here in Helsinki is not just a conference but a co-security un-conference,
[00:01:16] where they break down traditional barriers and foster things like open communication and collaboration.
[00:01:23] More importantly, it's a place where cybersecurity experts join forces to make the digital world safer and more resilient.
[00:01:30] And I've got you all a backstage pass.
[00:01:33] So buckle up and hold on tight as I beam your ears all the way to Helsinki here in Finland, where Christine is waiting to join us.
[00:01:42] So a massive warm welcome to the show.
[00:01:45] Can you tell everyone listening a little about who you are and what you do?
[00:01:49] I'm Christine Bejerasco, and I'm the Chief Information Security Officer at WithSecure.
[00:01:55] Well, it's a pleasure to have you on the podcast today. I know you've been very busy. You've been speaking on stage and moderating a panel.
[00:02:00] So just to set the scene though for Sphere and our conversation, what is Sphere?
[00:02:05] What does it mean to you, and what is it you love about this event?
[00:02:08] Well, Sphere is obviously like our own event and the biggest one that we have for the year.
[00:02:15] And the thing that I love really about this is that, I mean, for one, it's all about cybersecurity.
[00:02:20] Not only the fact that it's ours, but sort of like we bring different people from outside as well to take a look at the different angles, the different facets of cybersecurity.
[00:02:31] So we talk about the geopolitical angle, we talk about the economic angle, and we have seen speakers as well earlier who have been discussing about that, such as Anu.
[00:02:41] So I do like that it looks at things from a holistic perspective.
[00:02:46] And of course, I like the part that it's also a launching pad of our different products and services.
[00:02:52] So kind of like how we bring them to the market in here for the first time. So that's also quite exciting.
[00:03:00] And it's quite clear as well that collaboration is a big theme here.
[00:03:03] And one of the things that I've loved about being here is the different nations that are there, different nationalities.
[00:03:09] I've spoken to French people, German, Austrian, US and beyond. Is that something that's very important to you as well?
[00:03:16] Quite, because like in our organization, we're very multicultural.
[00:03:20] I mean, we are obviously in different countries, but even here in Helsinki, we have dozens of people from different nationalities.
[00:03:27] And our language in the office really is sort of like various flavors of whatever English you can find.
[00:03:34] So and that's how we operate. So it's quite important to us, this multiculturalism as well.
[00:03:42] And obviously, you've got extensive experience as a CISO.
[00:03:46] So I've got to ask, what are the primary challenges CISOs are facing when balancing minimum effective security with proactive cyber defense,
[00:03:55] particularly in resource-constrained environments at a time where businesses are almost challenged to do more with less or more with the same?
[00:04:02] I mean, I wouldn't know about extensive. I've been a CISO for a year and a half, but like I've been in cybersecurity for 20 years.
[00:04:08] So I've been here for a while. The biggest challenge with resources is that you could never have enough.
[00:04:15] And it's also interesting when you're talking about minimum effective security, because we have been so used to thinking of security in layers.
[00:04:25] And when you think about security in layers, it's really about trying to understand that if one layer gets breached, then you have the next one to sort of like guard your back.
[00:04:37] And then when we're talking about minimum effective security and how many, how much of these layers are that enough?
[00:04:44] So I think it's also about understanding what minimum means like for your organization as such.
[00:04:50] And not just saying that once you have like one box ticked, then you are fine.
[00:04:57] So it's good to be very mindful about what that means to the organization.
[00:05:01] One thing that I really like about this minimum effective security mindset is that you don't need to have duplicate capabilities that do the same thing, because they don't really add extra value.
[00:05:12] And sometimes you may feel warm and fuzzy at night ticking all the boxes, but if they are addressing the same thing, then that's sort of like a waste of money.
[00:05:21] So those things I would remove.
[00:05:23] So another question I'd love to ask you is exposure management.
[00:05:27] It's a big buzzword at the moment.
[00:05:29] How does that help organizations identify and prioritize their most critical vulnerabilities?
[00:05:34] And what role does it play in the overall cybersecurity strategy, just for any business leaders listening to get to grips with it?
[00:05:41] Yeah, exposure management.
[00:05:42] I mean, it's the new buzzword, isn't it?
[00:05:44] Yes.
[00:05:45] But of course, you'd have to unpack what's behind the hood.
[00:05:50] And this is the thing with cybersecurity, even during the past decade, that there are new hypes.
[00:05:56] But when you unpack things behind the hood, then that's when the reality is.
[00:05:59] And behind exposure management, for example, the thing that I really like is you have attack path mapping, like for instance.
[00:06:07] And that would show the different assets, the different devices, for instance, that we have in an organization.
[00:06:14] And if one of them, for example, has been externally exposed and there is a clear attack path towards an asset that contains valuable data, for instance, in the organization, that gives me a very clear priority.
[00:06:29] That helps me bring that to the owners of the devices within that attack path and tell them, hey, fix this.
[00:06:36] Because this is a fact.
[00:06:39] This is not an opinion.
[00:06:41] I mean, this is a thing that's just waiting to happen.
[00:06:44] As opposed to what, for example, we have today with general vulnerability management and misconfiguration management where you say, you have a list of this.
[00:06:52] And this is the criticality of this one.
[00:06:55] But I don't really know if this device with a very high critical vulnerability is even externally exposed or it's not accessible from my other devices.
[00:07:07] So it completely changes the perspective of prioritizing which vulnerabilities, for instance, we should be addressing first in the organization.
[00:07:19] Yeah, you cannot ignore the facts, can you?
[00:07:21] No, you can't.
[00:07:23] And given your background in malware and threat analysis, how have the tactics of cyber adversaries, have you seen them evolve over recent years?
[00:07:31] And what proactive measures can CISOs implement to stay ahead of these threats and be more proactive rather than reactive that we may or may not have seen in the past?
[00:07:39] Yeah.
[00:07:40] I mean, they have evolved quite a lot.
[00:07:42] And they have evolved based on two things.
[00:07:45] So they've evolved based on the technologies that are out there and are deployed and how those technologies work today.
[00:07:52] And they have also evolved with human behavior, how we interact with those technologies and how we behave with those technologies as well.
[00:07:59] So for example, let's say ransomware threat actors.
[00:08:03] So ransomware threat actors before, they were quite generic, sending emails to everyone and then you have attachments or you have links, then you have ransomware downloaded.
[00:08:13] Whether you're an individual or you're an organization, didn't really matter.
[00:08:18] They were asking for ransom from everyone.
[00:08:20] But they sort of learned over time that individuals, they just wiped out their computers when they got ransomware while organizations paid the ransom.
[00:08:32] Because for them, time lost was equivalent to money and ransom is money.
[00:08:38] So it becomes a matter of weighing the cost benefit of that.
[00:08:42] So now I don't even see ransomware against individuals.
[00:08:46] They are against organizations and they also pre-profile organizations as well.
[00:08:52] So it has become a whole new different business model now in the cyber criminal gangs on how they could operate with this.
[00:09:00] So from the evolution of opportunistic individual targeting to now, kind of like specializing on what you can do as a cyber criminal gang and also like cooperating with other cyber criminal gangs.
[00:09:14] And delivering for instance, these a little bit more problematic threats that we are facing today.
[00:09:22] So they are learning quite a lot.
[00:09:24] That's a great point because looking back over the years, I remember when as an IT guy, if anyone had ransomware, they come, Neil, can you help me out with my laptop?
[00:09:32] But those days have gone. It is just organizations and critical infrastructure, hospitals, etc.
[00:09:37] Because they pay and they paid big money.
[00:09:39] So I mean, if I'm also a threat actor, because a lot of these ransomware attacks nowadays, the whole chain does not happen automatically.
[00:09:48] There are people on the keyboard, like attackers behind the keyboard actually going through the motions as well of doing that.
[00:09:55] I mean, sure, the initial stages, some of them might be automated, but this is blended.
[00:09:59] And of course, that's costly and it takes time.
[00:10:02] It takes time to profile things.
[00:10:04] It takes time to weed out the stuff and that also is costly for them.
[00:10:08] But if they get millions from that, then that's time well spent for them as well.
[00:10:13] And as I said at the beginning of our conversation, you've been incredibly busy today on stage.
[00:10:17] And for anybody that's not attended in the context of your panel, what were some of the practical examples of minimum effective security measures that organizations can implement without significant resource investment?
[00:10:29] Again, huge topic right now.
[00:10:31] Can you share any of the things from that?
[00:10:32] There was one thing that the panel really hammered on and this was training, training the people.
[00:10:38] And this is not just about your generic training everyone on your phishing simulations or having generic training that these are the threats out there, etc.
[00:10:47] But kind of like role-based training that how you should behave in your role, what are the processes that are a little bit more secure and even training senior management as well.
[00:10:58] And not just on having good OPSEC but also in why it's necessary to invest in some of these areas in cybersecurity and why it's necessary to have their support in steering the organization towards secure practices.
[00:11:13] So that was the one takeaway that really all of the panelists were hammering on because if they had nothing else, then at least they have training.
[00:11:24] And that makes all of the different people within the organization become their, I say like your human firewalls even.
[00:11:33] So that's one investment that I wouldn't skimp on.
[00:11:36] And it's funny, isn't it? Because over a decade that I know at least there's always been that humans are the weakest link in cybersecurity.
[00:11:43] I really hate that statement.
[00:11:45] Which is, me too, it's incredibly frustrating. But at the same time those same humans are given once a year compliance training where they just sit next for 20 minutes once a year.
[00:11:54] So it's not really their fault.
[00:11:56] Exactly. And my take on that is that, yeah, we keep on harping about humans being the weakest link, but I would dare say like we as cybersecurity practitioners are leading the practice.
[00:12:06] We don't invest enough about it. We are keeping them weak.
[00:12:09] Yes.
[00:12:10] So we need to look into the mirror when saying that.
[00:12:15] 100% with you on that. When it comes to CISOs effectively communicating the importance of that proactive cyber defence, we've mentioned the importance of facts when talking to other executives and stakeholders.
[00:12:27] Is there anything else that they should be doing, especially if they're focused on cost reduction to get them on board and see the value?
[00:12:36] Because I think back in the day, cybersecurity was not really seen as a value add in the boardroom. Is that changing now or?
[00:12:43] I think it's changing. Also because, I mean, of course, part of the duty of care of the board is risks.
[00:12:49] Yeah.
[00:12:50] And cyber risks are part of the risks that they would need to look at. So it is changing. It also becomes a question of are they having two-way communication with the CISO, for instance, if they are seeing the right kind of metrics that resonate with them?
[00:13:09] Because it's always a challenge. I mean, many of our CISOs, myself included, have a technical background and sometimes we get blamed for being too technical. And sure, I get it. But if you have been working in that background for years, I mean, you need to have some sympathy for the CISO. There's no other vocabulary that they know of.
[00:13:28] Yes.
[00:13:29] Because they're learning. And you do learn over time. But learning that is helped when sort of, especially during the first few board presentations that the CISO does, that somebody becomes a little bit more prescriptive that this is actually what we want to see. I mean, this is the type of risk management that we are used to. And this is the level of granularity that makes sense for us. And CISOs will tweak that accordingly.
[00:13:58] So, I mean, I do believe that a lot of the CISOs that I have been talking to are quite amenable to changing their language if they only knew how.
[00:14:08] Wow. That is refreshing to hear. And what would you say are some of the key indicators that an organisation has achieved a balance between minimum effective security and proactive defence? How could that balance be maintained over time? What does that balance look like?
[00:14:26] This is my personal opinion because you can never have enough resources in cybersecurity. I mean, whether you're large or not, like the size of organisations you have because cybersecurity is always a percentage of the total budget or the total volume of the population of the organisation.
[00:14:48] But that being said, you can actually be more impactful if security is really embedded into the different processes that the organisation has. And that would mean that you don't only do security from the security function. You're actually doing security all over the place.
[00:15:08] So, for instance, let's say in finance, there's an invoicing process. If somebody sends an email, for instance, that there's an invoice, this is our partner, you need to send this cost this much value as a payment. But now they want to change their bank account. How do they validate if that's a legitimate request? Is that one person validating that?
[00:15:33] Is it several people? Do they call the partners? Do they just reply to the email? This is already like embedding security if that process actually includes, I don't know, a second factor authentication that if somebody emails, then you give someone a call in your organisation. That can be a very simple process.
[00:15:53] But this is what I'm talking about, that embedding that into this different process. I mean, everyone has a payroll process and invoicing process, and you have a hiring process. How secure are those processes? That helps a lot towards elevating the maturity of the organisation holistically across the organisation and not just adding technologies and controls all over the place.
[00:16:21] And if we dare to look into the future, is there any technologies, emerging technologies or indeed methodologies that you believe will play a significant impact on enhancing proactive cyber defence strategy or 4C? We have managed 15 minutes without mentioning the AI word. I suspect that might be another frustration for you. What excites you out there?
[00:16:51] I mean, from my perspective, AI is like the internet. It's like cloud. It's like IoT. It depends what it becomes depends on the hands of the person or another technology that's wielding it.
[00:17:21] If you have a thinking of secure by design for the technologies that you built, the organisations that you have, how do you embed and bake security from the ground up? And how do you embed kind of like human nature into that? Because I mean, if everyone were angels, we wouldn't have cyber attacks. In 100 years, dare I say, we're not going to become angels.
[00:17:50] That's going to be there. So it becomes a question of like, how do we make sure that the technologies that we have and the organisations that we have incorporate the human behaviour into it? That sure, majority of us, we will use the technology in a good way. But there's a person that who's going to misuse it.
[00:18:09] How do we make sure that this technology is resistant as much as possible to misuse? How do we ensure that this organisation is a bit resistant to compromise? So I think that mindset could be essential when it comes to proactiveness now.
[00:18:39] I'm sure you will get overwhelmed with how much information comes in. But what are you going to be reflecting on on the way home?
[00:19:10] technology also for the people, because it's very easy for these technologies that we have today to sort of like congregate control to the hands of a few. And we have already seen quite a bit of pictures of dystopian futures that I think we should also be cautious and support our regulators in that context.
[00:19:34] So I think for the future and how we're going to evolve this in a way that it helps our concepts as well of democracy, I think we need to be very mindful of how we can also support regulations moving forward. So I guess that's something that I'll be pondering on.
[00:19:54] Big problems. Yes, indeed. And I think that's a powerful moment to end on. But before I let you go for anyone listening, wanting to find out more information about anything we talked about today, connect with you or your team or just find out more information. What's the best starting point? Where would you like to leave or point everyone listening?
[00:20:10] Well, they can take a look at our website, for instance, withsecure.com. There's a lot of information in there related to the products that we have, the services that we have, as well as the blogs that we actually push out. So we do create quite a lot of blog posts related to some threat actors that our intelligence teams or incident response teams have seen.
[00:20:35] And they can actually be good reading because they also show what are the threat actors doing nowadays? Who are these threat actors that we should be careful about? What are their threats that we are seeing? What are the tactics, techniques that they are doing? So they can actually be practically helpful as well for organizations. So take a look at our website and browse around.
[00:21:00] Well, thanks so much for spending a bit of time with me today talking about how you're watching the cyber security from the CISO point of view, the challenges that are there. And most recently, the help where exposure management is bringing to the table. And you've been incredibly busy today, been on stage twice and a podcast, a productive day, I believe. But thank you for joining me today.
[00:21:19] Thank you so much for having me.
[00:21:20] And that wraps up another insightful discussion on balancing the minimum effective security with proactive cyber defense.
[00:21:29] And I hope you found the conversation as enlightening as I did. And I cannot thank Christine enough for bringing her extensive expertise to the table. I think her experience and insights have been just invaluable in shedding light on the complex challenges that CISOs face today.
[00:21:45] And for anybody listening that either did attend or couldn't attend in person, I'd love to discuss with you the importance of not just meeting the minimum security requirements, but also adopting that more proactive stance to anticipate and mitigate these threats.
[00:22:01] Because I think this is especially critical for organizations operating with limited resources. And Christine highlighted there how exposure management, yes, it's a buzzword, but it can significantly enhance an organization's security posture, ensuring that even smaller teams can effectively defend against sophisticated cyber threats.
[00:22:23] And as we wrap up the show today, remember, cyber security is a collective effort. And by sharing our knowledge, pooling our resources and experiences, we can build those stronger defenses against these emerging threats.
[00:22:37] So please let's carry on the conversation. Email me techblogwriteratlook.com, Twitter, LinkedIn, Instagram, just at Neil CQs. Nice and easy to find. And as we move forward, let's continue to push the boundaries of what's possible in cyber security.
[00:22:52] And remember, stay secure, stay proactive. And until next time, keep innovating. But thanks for joining me here at SPHERE. And I cordially invite you to join me again tomorrow. But that's it for today. Thanks, everyone. Speak to you tomorrow.