Recently, various cybersecurity journals and experts have been writing about how important it is to make cybersecurity-related decisions at the top-management level. We have also written about the business perspective on cybersecurity on our blog and focused on the need for a paradigm shift in addressing cybersecurity issues. We have highlighted the importance of a holistic approach and of top management’s role, which can significantly contribute to raising the importance of cybersecurity in the organisational culture.
Although, based on our in-field observations, most companies still manage cybersecurity the “old way” (i.e., only from a technical point of view), we are pleased to see that some organisations in Slovenia are also following the trends of a new approach to cybersecurity and deserve recognition as examples of good practice. One of these companies is Petrol d.d. Its CISO, Andrej Rakar, PhD, is one of the first cybersecurity experts in Slovenia. Based on his extensive experience, Mr Rakar can look at cybersecurity issues from both perspectives: the hacker’s and the defender’s. In the interview, we discussed the critical role of management support in implementing solutions and services to improve cybersecurity, the most vulnerable entry points of IT systems, and the benefits of Red Teaming projects.
Andrej Rakar, PhD
CISO, Petrol d.d.
As an expert with more than 15 years of experience in information and cybersecurity, Mr Andrej Rakar is one of the most recognised names in this field in Slovenia. As a cybersecurity consultant, he likes to share his knowledge and expertise as a speaker at conferences and other cybersecurity-related events.
Mr Rakar, you are an experienced expert in the field of information and cybersecurity; you have been active as a pentester and consultant in various companies for more than 15 years. Since last year, you have been the CISO at Petrol d.d. – responsible for information security. Being “on the other side” now, has your attitude towards cybersecurity management changed in any way?
Of course, the experience comes in handy “on the other side”. Knowing what I want and how to achieve it may make me a tougher customer when negotiating with providers. But the ultimate goal – to achieve a higher level of information and cybersecurity – remains common regardless of which side I’m on. So my perspective has not changed; I have just realised that it sometimes takes more time to achieve the desired goal in large systems.
The importance of managing cybersecurity “from the top” – at the board and management level – is increasingly emphasised. What is your opinion: is the role of the CISO a more business or more technical one, or what skills would you highlight for successful cybersecurity management in a large enterprise?
High-level support for cybersecurity management is crucial. Sometimes, the measures you want to implement are not popular with end-users, and system administrators are also reluctant to accept changes to their work, especially if it means more administration and validation. Therefore, the CISO’s role must also be supervisory; the CISO must have the necessary authority to carry out the steps essential for ensuring an adequate level of information security. This cannot be left to the free choice and goodwill of individual stakeholders or users.
It is well known that cybersecurity management at Petrol d.d. is at a very high level; we are talking here about the technical aspect of security devices and detection and cybersecurity training for developers and employees. What was the primary motivation for your management to recognise the value of investing in cybersecurity?
At Petrol, activities to strengthen cyber resilience have been a continuum for many years. Compliance with the minimum requirements dictated by standards and legislation is not good enough for us; our goal is to ensure high-level information security, which usually goes beyond the minimum requirements. Management recognises that information is vital for the success of our company, and this is the only way to build and maintain the trust of our customers and partners.
A holistic approach to cybersecurity management includes using security devices and systems effectively, regular testing and verification, and ongoing user education. How do you rank these components of cybersecurity? Would you highlight any of them in particular?
I believe that each component is equally important. Only a combination of different mechanisms for defence, detection and response can guarantee effective management of such risks. If one security mechanism fails, it is crucial to have others in place. In the event of a successful cyber-attack, it is also essential to have incident response procedures in place.
What is, in your opinion, the weakest link in the IT system? Which attack vector is the hardest to detect and stop?
According to some statistics, 80% of security incidents are caused by users. They are caused by their negligence, ignorance, or deliberate actions. If they use authorised access rights, it is hard to detect this behaviour. What is more, we should not forget about external suppliers and maintainers. This type of business cooperation has recently become a burning issue from a cybersecurity point of view. Any security incident within one company in the supply chain poses a significant risk to all companies in this supply chain. Unfortunately, as a part of a supply chain, we are not authorised to monitor the IT systems of other companies.
As cybersecurity service providers, we are seeing a growing demand for so-called Red Teaming exercises, which simulate actual cyber-attacks. This is especially the case among companies in critical infrastructure. Where do you see the main difference between penetration tests and Red Teaming, and the added value of each test?
Each form of a test has its purpose. A penetration test aims to identify as many security weaknesses in an IT system as possible to eliminate them. This typically involves granting access to operators and disabling some security mechanisms (assuming a worst-case scenario), but such a test does not reflect the actual state of defence and detection. However, Red Teaming exercises aim to test the effectiveness of all detection and protection components, including the response to a security incident. Typically, the IT administrators are not informed about the exercise and have to defend the system as if the actual attack was going on. Therefore, Red Teamers must remain as stealthy as possible.
As you’ve mentioned before, the IT system administrators are not informed about the exercise with Red Teaming. When they discover or learn that their system has been tested, they may not be keen on it; they might even be outraged. Once the “attack” has been detected, how should the CISO or the person in charge communicate the results and the purpose of the test without worsening the relationships within the team?
Another important phase of Red Teaming is the “lessons learned” part. At this point, we should explain to all stakeholders in the exercise that the purpose was to improve our resilience to cyber-attacks, not to look for mistakes, faults or shortcomings in defence, detection, or response. We learn the most from the mistakes that we make in real life, and by doing so, we can do better next time.
To conclude, let me ask a somewhat provocative question: after a year as a CISO, do you think it is easier to test or to defend cybersecurity?
Definitely test. Even when using the best security devices and solutions, implemented technology and user awareness cannot guarantee complete security against malicious attacks, abuse, fraud, human and technological errors, and other challenges. We can build a more secure future only by taking a holistic approach of continuous improvement and keeping pace one step ahead of attackers.
Top five takeaways from the interview with Mr Andrej Rakar, CISO at Petrol d.d.: