In this episode of We Talk Cyber with Monica, we talk with Bjorn R. Watne, CISO, Storebrand on
- threat landscape over last decade and amidst pandemic
- how to build robustness, visibility and detection amidst increasing digitalization
- how do you know you are doing enough?
Need for security leaders at the executive levels is vital to understand and manage cyber threats and risks in today’s landscape. As Bjorn Watne says it:
“With Covid19 pandemic and everyone working from home, we are putting even more eggs in the digitalization basket”.
Looking for your dream job in cybersecurity?
Don't know where to start or how to go about it?
Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career.
You're tuning into the podcast series We Talk Cyber with Monica. Your platform for engaging discussions and expert opinions on all things cyber. For more information, check out MonicaTalksCyber.com. And let's hop right into today's episode.
Monica Verma 0:18
Hi, everyone. Good morning. Good afternoon. Good evening. Wherever you're tuning in from today. Welcome to today's episode where We Talk Cyber with Monica Verma. This is your host Monica. Welcome to today's episode. Today we have a wonderful guest with us. Someone that is an inspiration to me, but also one of the very first people from the cybersecurity community that I got acquainted to when I moved to Norway. One that has been working on this and working in that industry for more than decades and has been a true inspiration in this industry. So we'll switch directly to our guests and we'll be hearing from him.
Bjørn Watne 0:56
Yeah, nice to meet you all. Thank you for tuning in. And my name is Bjørn Watne. I'm currently the Chief Security Officer with Storebrand, which is an insurance company and financial services company here in Norway. And like Monica said, I'm also very engaged with the cybersecurity community in Norway. And I've been on the boards for many years, so the Norwegian Information Security Forum, the ISACA Norway chapter and also involved with Cloud Security Alliance, and yes, whatever cyber.
Monica Verma 1:32
You're welcome. It's so wonderful to have you. And as you said, whatever cyber and that's the beauty of this podcast, because we're talking about all things cyber and would not be the same without having you on as a guest on the podcast. So I'm really, really glad that he could take time to join us today. So we'll be talking today a bit about cyber threat, landscape and evolution of cyber landscape that has happened over the last decade, let's say. How do you believe, because you have worked in this industry quite a long time now you've worked over decades, how do you see has the cyber landscape actually evolved in the last decade, let's just take it from there.
Bjørn Watne 2:07
Well, I would say that it's evolving with society as a whole. Because the digitalization of society sort of creates the threat landscape. If we look back, we don't have to go too far back either. It's maybe 20 years, we started to see the first online web shops, usually you can shop for computer parts, because it was mostly computer people that were using the Internet. And at the time, there was not so much value floating digitally. And petty theft, the crime rate was low, we were using it mainly to swap a little bit of products and services. So criminals there were still preferring other arenas. But as we make ourselves increasingly more dependent on the Internet, and on the cyber universe, the threat landscape evolves with it. Because, it is a clear fact that in every sort of arena where there are values, there will also be criminal elements present, trying to gain access to those values in unlawful and criminal ways. And as we now put more and more dependencies, more and more value into the digital arenas, the threat actors come as well. So it's definitely a different picture. And it's not only the monetary values, we also put a lot of government, sort of governing of society, through the digital channels. We see criminal elements or nation states try to affect the elections. You have a dialogue with your physician [and] with your medical doctor, digitally. So there is a lot of stuff that we use now that might be interesting for other people to use in a bad way. So, absolutely, the threat landscape evolves, with the digitalization and the increased dependency on the cyber universe.
Monica Verma 4:14
And you brought up a very good example here, which is the attacks of modifying the elections, using the attack for that purposes. And also recently, [amindst] the pandemic, also attacking the health sector and so on. Have you also seen how the attack vectors or the TTPs (Tactics, Techniques and Procedures) that these attackers use, has that also evolved over time? Is it been a lot of tremendous change? Or are they [sort of] using both the previous ones and new ones at the same time?
Bjørn Watne 4:42
I would say, it is a mix, but they will always follow the crowd. The way that most people interact, this is where they will sort of adjust and tune in. But I think that it depends also on the threat actor, what kind of TTPs you will see because if you were a nation state for example, increasingly more of a country or state governance is gone digital, and then you have a lot of time. So, you will usually see a very stealthy, very sort of thorough slow mapping of attack surface.
Monica Verma 5:24
Very sophisticated taking time without getting discovered right away, being stealthy in that manner, right.
Bjørn Watne 5:32
But then again, you can have like cartels working together, they will spam out emails trying to infect as many people as possible, do the phishing campaigns. Again, they will, since people are depending so much on the digital media, for news and for information, both from from news agencies, but also from the government, whenever there is something new, for example, with the current pandemic, we see that the attackers will jump on that bandwagon immediately. So, around Christmas, there will be a lot of phishing attempts or fraud attempts around you have received the package. In the springtime, it will be about your tax returns. And now with the pandemic, it will be about we have a cure, or here you can go to test yourself or they will jump on whatever is relevant. And then. But I would say it's the TTPs, I mean, if you go back, again, 20, 15, 10 years, most attacks were were more technical, in terms of sort of how to try to gain access. Now they realize that the easiest way is to address people. So I would say that the attack vectors have turned from trying to attack the systems to rather effect people than just systems.
Monica Verma 6:52
But in a way, they are going back to the basics, right? I mean, because you know, the concept of con (wo)man, right, by the way, it's not really correct as a man anymore. But nonetheless, the concept of con (wo)man basically was to convince people gain their trust and abuse that trust. And we're seeing a lot of that now recently, as well. Because when this whole attack vector and abusing the human aspect of it, it's basically abusing either the trust or the panic, or phishing or exploiting the sign of weaknesses and emotions that humans have. And basically exploiting them. Like, as you said, with the pandemic, the reason this is working so well, and they're jumping on the bandwagon is that is also because people are panicking, and they obviously want to find out - Oh, am I infected? How do I fix myself? Can I immediately, make sure that nothing is going to happen to me and so on. And then of course, these attackers are then trying to abuse and exploit that panic.
Bjørn Watne 7:48
And that is sort of one angle because it's not just the the panic and the distress because they can also try to lure you into being curious. For example, they will send me a video Oh, look at what this person did. This is so crazy. But there are many emotions that will make people do something and fear is not the only one. Opportunities is another. You have won a prize, click here to claim your prize. And people will do that as well.
Monica Verma 8:17
Right your Nigerian great, great, great grandfather left your huge estate or something? Right. So, we have talked a bit about the attackers' perspective and the TTPs and what are their thinking and what are they exploiting. How is that affecting the business? How has that changed over the last decade.
Bjørn Watne 8:39
Well, for the main part of the last decade, I've been in financial services. But obviously, I'm sort of following the threats on a broader scale as well. But in financial services, we've seen that the cyber domain has risen from being out of the top 20 risks to actually being within the top five risks affecting the business, So, it's definitely changing as well. There's a lot more focus. There are many, many financial services companies now that have closed down all physical offices and all their businesses run digital. So obviously, we need to be more robust as well. And we need to have better visibility and detection capabilities as well. So, the average annual spend on cybersecurity defense systems and the resources put into it has multiplied definitely. But I still think there are many, many businesses that even today can ask themselves are we doing enough because if you see the funding that the bad guys, so to speak, receive increases a lot more than the good guys.
Monica Verma 9:53
Yeah, that's actually very true. Because if you look at some of these Advanced Persistent Threats (APTs), especially that are targeting the finance sector, because all the money is there, right. And coming from financial sector myself, one of the ones that we know very well, is Lazarus group. And they have kind of their like own HR, their own financial services department because all the money that they gain from these attacks and from exploiting the finance sector, they're basically using them for becoming more sophisticated, having other kind of attack vectors and they are kind of like running a whole business in itself. We're doing this and then, from that perspective, if you look like - they have enough time, they're getting resources, whether it's monetary, or other kind of resources that you need. And then we kind of need to match because we don't have always the same amount of time, our window is quite shorter in comparison. So what do you recommend? Because you say one of the things that businesses should do is, ask, are we doing enough? Right? How do you know if you're doing enough? And what do you recommend?
Bjørn Watne 10:55
It's difficult to know if you're doing enough. But, I think that the important thing is to look to someone with the right competence. Because traditionally, if you look at financial services companies, again, it's easy to talk in the sector. But traditionally, you will see that most of the top level executives will be people with a financial or a degree in finance, maybe in marketing, they will have long careers, maybe in things like internal audit, financial audit, and those kind of things. But when it comes to technology, and in the cyber domain, security, specifically, there are not so many on the top level. So in order for them to decide whether they are doing enough, it's very important that they get someone with the right level of competence to give them advice. This is very complex area. And you need to be absolutely 100% up to date with the threat picture in order to know whether you're doing enough. So my recommendation would be ensure that someone with the right competence or maybe even a consultancy or group of people take the holistic view of the business and the operation of the business to the current threat landscape. And, yeah, the known threat actors, the known threat vectors, and then look at your defense mechanisms, and then make an informal decision based on your risk appetite. But again, ask for advice with someone from the someone from the industry with the right competence. That is, I cannot stress that enough. It's very important not to see this as a side by sort of something that happens in the movies, because, as we saw recently with the Norsk Hyrdo, a couple years ago with the Danish Mærsk.
Monica Verma 12:47
Bjørn Watne 12:48
It is not science fiction. It is very real.
Monica Verma 12:53
It's affecting the businesses. It's affecting the society. We are seeing that more often. The examples are very realistic. And as you say, it's correct. It's not just sci fi and technology. Basically, it comes down to, security leaders need to have a business acumen and understand and help businesses. What does it mean for them? How does it impact the business? So what I hear from you is that it's not enough for security leaders to just have technical competency, but they need to be able to see the holistic overview on how the cybersecurity field in itself is affecting the society and business.
Bjørn Watne 13:24
I was trying to make the point that the business leaders need to have the technical know-how. They need to understand cybersecurity is not something that IT can fix. Because it is gonna require resources, it is going to require detection capabilities. And it's going to require incident management capabilities. And it's not something that you can like make the computer do something and you will be safe. You need to address like the people, the processes, your value chain, your vendors, partners, all those things. And to understand how much resources is actually required to get the risk down on acceptable level. That might be difficult if you're not a professional in the industry. So and but obviously the security professionals as well need to understand the business, the business strategy, the security that you put in place there to support the business.
Monica Verma 14:21
The business, absolutely.
Bjørn Watne 14:22
Once you start doing security for security sake, then you're doing it wrong. You have to to understand the business and to support the business strategy and business goals but but yes, the top management, in order to make informed decisions, they need to make sure that they get the right competence to evaluate whether or not they are doing enough and it can be difficult if you don't understand the reality of this threat. And we've seen, I still believe, we see a lot of senior management that still don't grasp the magnitude and the realism of these threats. And that's why these spectacular hacks are happening.
Monica Verma 15:05
You make a very good [point]. I mean, it is really true what you're saying. And I think what you just explained is also the other side of the same point because on one hand, the businesses need to, the business leaders need to understand the technology better. And the technical security people need to understand business better, that is the only way you can really start closing the gap, right? This is really going to help to build the synergies and in place to be able to, because "I am running this business to be secure", said no CEO ever, right? That's not the reason why they're running businesses in the first place.
Bjørn Watne 15:39
To save us some money, yeah.
Monica Verma 15:41
Hmm, exactly. So what would what is your prediction for the next years? How do you see the threat landscape and the attacks that are happening in the society and the business area in general will evolve in the next coming years?
Bjørn Watne 15:54
Well, I'm sorry to say this and especially in the middle of this pandemic, but I believe that it will get worse before it gets better. And like I mentioned earlier, it comes down again to the digitalization of society, and we're putting more and more eggs in this basket. And now with the current situation, and everyone working from home, there are even more eggs going into the basket. And the more dependent we make ourselves, the more impact attacks will have. And the more willing, we will be to sort of depart with our money, for example. And an example of that is we see that the hackers are actually targeting the hospitals and the research facilities that are trying to make a vaccine. The reason that they do that is that they know that the entire society is very dependent on both hospitals and the vaccine research at the moment. So while the chance that someone might actually pay them a ransom, might be higher there because people are so dependent on it. So yeah I'm sorry, but I believe that it will get a little bit worse still, before it gets better.
Monica Verma 17:10
It's not so much about us being pessimistic, but realistic, right. It's good to have an understanding of how it can get worse. And if it does get worse. What does it mean for me? What does it mean for my business and what does it mean from my employees and from a society perspective as well? And how does it affect. Because this example with the healthcare and the vaccines, this is not just any more a sector. This is actually affecting the whole society, it is at a very systemic level. So yeah, it is, if we don't understand the extent to which it can go and in which direction can go, then it's very difficult for us to be prepared and have the right posture in place to be able to defend and also recover in a way from such a scenario.
Bjørn Watne 17:55
Yeah. And also, we see that, at the moment, we're putting a lot of energy into design, into functionality. You can see the apps that we're creating to track the spreading of the virus, for example. So a lot is going into design and functionality and not so much is going/went initally into privacy and security. And that is actually creating a gap. And we need to bridge that gap. And until we start bridging that gap, things will become worse. So that is the scenario that I see, at least for the foreseeable future.
Monica Verma 18:27
Wonderful. I think it's really, really good to know and understand these things and have a realistic understanding of where we're going forward to be able to position ourselves better and defend ourselves better. And as you say, bridge the gap to actually also think about privacy and security. It was so lovely Bjørn to have you on the podcast today. Always wonderful hearing your ideas and how you challenge the society because this is really important to get better [at]. So, that was all for today's episode of We Talk Cyber will Monica. I'll be back with more episodes. Please stay tuned. Until then take care of yourself.
Thanks for tuning in to We Talk Cyber with Monica. Do not forget to subscribe to We Talk Cyber in your favorite podcast app and YouTube channel MonicaTalksCyber. Take care and continue tuning in.