From the battlefield to the boardroom
Olof Franck, Head of Technology and Digital Practice at Alumni: "Gartner and other experts predict that by 2020 there will be 200 billion connected things. Homes, cities, cars, planes, etc. are all being connected, which means there will be software basically everywhere. Cybersecurity has become a major concern over the past few years as hackers have penetrated the IT infrastructure of governments and enterprises with increasing frequency and sophistication. The growth of mobile and IoT devices will dramatically increase exposure to cybersecurity hacks, necessitating enterprises and governments to prepare themselves. A speedy, comprehensive and precise response is fundamental to cybersecurity, and the board's participation in preparing for such breaches is important today and will be even more crucial in the future."
In December 2017, Alumni hosted the annual Alumni Harvey Nash Board Report launch event for a group of select board professionals. The theme of the evening was cybersecurity.
We talked to our keynote speaker Jarno Limnéll, VP of Cybersecurity at Insta Group and Professor of Cybersecurity at Aalto, to discuss the digital frontier, in business and beyond.
You've recently been involved in briefing the EU commission on cybersecurity threats - what issues concern you most?
One of the most interesting things about the field of cybersecurity is the speed with which things change. One of the key topics that I keep discussing with my European colleagues is the range of different cyber hostilities which can be targeted against our western democracies and especially against our elections. Look at the US, the French election, Brexit; the role of the algorithms, how much they have been affecting our thoughts, our values, our emotions. I would say that the big technology companies, who own the algorithms, will have more and more power in the coming years. One of the key points, therefore, especially in Europe, is that we should demand more transparency of these algorithms. That is going to be a very big political issue, throughout Europe.
And more generally, do you feel that we fully understand the complexity of the cybersecurity threat?
It's a very difficult situation - when talking about cybersecurity nowadays, we are concentrating too much on software. What we need much, much more, both governmentally and also in the business world, is a more strategic analysis, a strategic preparedness for the coming cyber issues. When I was giving my keynote speech to the EU heads of state at the EU summit, we actually approached cybersecurity in two different ways - both of which are also important from a business point of view.
First of all, cyber threats, different kinds of cyber hostilities - they are very real and they are only going to become more sophisticated, with severe implications. For example, the President of the European Commission has openly said that cyber threats, even today, pose a more severe threat to western democracy than physical weapons.
On the other hand, what we really should understand is that cybersecurity is not only about threats and risks, not only about the negative. Cybersecurity should be seen more and more as an enabler of technological development. Security overall, not just cybersecurity, will provide us with more of a competitive advantage when we are thinking of a technological future.
Whatever IT products and services you are providing, you should take security very seriously. Security must not be an afterthought, it should be an integral part of whatever you are doing. Primarily, we're talking about trust. That's the key word; when we are talking about the future of security, we're talking about the future of trust.
Are you implying that you can use cybersecurity as a positive PR/brand building opportunity, particularly given the upcoming EU directive on data transparency?
Absolutely. However, there is a big danger if one states that one cannot be hacked. It might be seen as a challenge. I think we have to be honest - it's going to be very hard to protect yourself from all cyber threats all the time. In the coming years, it will be more important to accept that you will be hacked and that there will be problems, either intentional or unintentional. What is your resilience at that moment? How fast can you actually discover and understand what happened? How fast can you understand what were the causes of the breach? What is your functional and mental resilience? When we talk about the future of security we are talking more and more of communications. You have to communicate very fast with your customers. You have to be open and say 'yes, we have very good protection systems, but, on this occasion, they have failed. However, we are fixing this fast. Don't worry - we didn't lose any data, we have backups in other countries and now we are improving our security according to our experiences.'
Do you think that it will change how much data companies store (given the declarations and transparency)? Obviously, you don't want the negative publicity of losing material, so if you don't need it, you might decide not to store as much?
Probably, yes. Nobody knows how data management will finally be organised. Over the coming years, we will be speaking more and more about data integrity. Who has the data and to what extent can you trust its authenticity? We will be less worried about someone breaching the system and stealing or deleting data, but instead concerned with data manipulation. What if you can't trust customer data, or the data which forms the basis of your decision making? Data integrity will therefore grow in importance. As the amount of data that we create grows, the question becomes 'what is the critical data that you have to protect?'. If you are trying to protect all the data, it becomes either impossible or extremely expensive. If you lose trust, you will lose customers. In a recent EU survey, 83% stated that trust is the cornerstone of the digital economy. Not security, but trust.
What are your views of 'unbreakable' encryption? How should we balance the right to privacy and the needs of law enforcement and government to protect us?
What is privacy in the digital age? When we worry about the extent to which the government or intelligence services can look at our data, we should also look at the amount of data that big companies such as Google, Facebook and Apple collect and how advanced their data analytics already are. There is no privacy, even today. Google probably knows you better than your spouse and in the future, they will probably know you better than yourself. So, instead we should look at the transparency of the algorithms used by these big companies.
Your background is both business and military. To what extent can one field learn from the other?
I think that's an excellent question. There are so many similarities in the cyber threats they encounter. It used to be that the latest technology was developed in the military, then it took some time, usually years, to appear in the civilian or business world. Now we are turning this upside down. One hot topic at the moment is AI; when you think of AI development, you are looking at the private sector. They have the latest technology and big resources. The most valuable asset that you can have in technology is skilled people. Google, Facebook, IBM and other big companies - they have the best brains to look at these issues. Governments should therefore learn more from business in many ways. However, governments are very good at thinking of strategic trends; businesses often think about the next quarter or year - governments might look at a five-year plan. This is an area in which business could learn from government. It is, however, a symbiosis.
You wrote a fascinating study of the 2015 Ukraine conflict, specifically in the context of cybersecurity. What lessons could one learn from that event?
We must still keep an eye on what's happening in the Ukraine - many of the cyberwarfare tactics that we saw there are now appearing in other areas across Europe and the Nordics. In western countries, when we talk about 'cyber issues', we are actually talking about technical issues - how we prevent system breach and data theft or release. It's a very technological approach. There is, however, another approach, that of the psychological. In this, cyberspace is primarily an information space - where one can influence values, thoughts, perceptions, even our emotions. I think we have to understand that the biggest battles will be fought over our thoughts. How you can utilise cyberspace, this digital domain, in order to affect minds? That is going to be more and more important in the coming years.
Moving on to the business landscape, many company leaders might come from a generation that is less aware of potential cyber risks. How do you educate them as to the threats?
When you look at board level executives, you normally find that people are primarily concerned with the financials. If you can show that by not taking these threats seriously, business will suffer and profit will decrease - that's the wake-up call for the majority. They then understand that this is a strategic issue for their business, since all businesses are now digital businesses. This is not only an IT issue but a strategic one. This is one reason why major global companies have hired cybersecurity experts at board level.
If you had to pick your top three risks associated with cybersecurity over the next five years, what would they be?
Firstly, losing critical data. The value of data is increasing more and more, from a customer trust perspective. You lose data, you lose trust. Secondly, ransomware and fraud from cybercriminals are going to grow in effectiveness and sophistication. You can lose a serious amount of money. Thirdly, I would look at the psychological aspect - it's crucial that a company understands how they are viewed across social media. In the future, security will be more and more about perception, about a feeling. Taking care of your brand value is therefore going to be critical.
Posted on December 19, 2017 12:34 PM