Right at the onset of the pandemic, at the end of February 2020, Gil Vega took up his post as CISO at Veeam. COMPUTER world spoke to the security expert about the new world of work after the pandemic, data protection and the changing role of the CISO. […]
Do you think the new home-office working world created by the pandemic will remain?
Yes, I think it will remain. I call this the Covid digital transformation. It is not only about working remotely, but also about implementing zero-trust architectures. I come from the government sector, where we have always worked with zero trust, so to speak. President Biden is now very committed to zero-trust architectures in government by executive order. This also affects the suppliers to the US government, which must upgrade their supply chains accordingly.
Is the European GDPR a role model or a deterrent for you?
Many people in the US complain about GDPR because they don’t understand it. I appreciate it. In the US, it is also about how we treat the data of citizens of other states. The individual states are responsible for data protection, so there are 50 different sets of regulations.
At Veeam, we respect and protect the data of European citizens. Ultimately, it comes down to three points: know your data, know where it is, and know how people use it. Before GDPR, most companies did not know the answers to these three questions. GDPR helped us understand how and why we use the data.
But it is difficult for smaller companies…
It’s the same challenge we see in information security. Small businesses may not have the resources to invest properly in cybersecurity.
Are the supposedly high costs of security still a reason for companies not to take the right measures, or to delay them?
Yeah, I think so. But even some large companies continue to underestimate the cybersecurity threat. We need a more proactive approach and robust internal governance of cybersecurity programs.
How do you see the role of CISO?
CISO roles are becoming more strategic and business-oriented because they have to. Here at Veeam, I report directly to the CEO as part of his leadership team. It is increasingly less of a technical role, although a solid understanding of and experience with technology is required. A CISO must ensure that the board understands what is at stake, because securing the company is not the CISO’s sole responsibility. Cybersecurity is teamwork and requires a dedicated workforce to implement it properly and effectively. More than 90 percent of all successful cyberattacks, including ransomware, start with a phishing email sent to employees. Investing in the awareness and training of these employees is the key to protecting them.
Hackers are increasingly using AI for their attacks, and so are defenders. De facto, machines are fighting machines, but behind them there are still people. What do you think of automating the backup and recovery process in the event of an attack?
You have to act faster. When a lightning-fast, automated attack is under way, there is no longer time for a quickly convened meeting. But I do not see any development where we can sit back and let the machines fight each other, because there is a significant risk of unforeseen business impact if the wrong measures are taken. However, the technology for such automated attacks already exists. Basically, AI will evolve and continue to be used by experts.
Should a ransom be paid?
This is a very difficult decision. The U.S. Federal Bureau of Investigation (FBI) advises against paying a ransom, and the U.S. Treasury Department warns of civil penalties if a ransom payment reaches sanctioned entities. Many companies have insurance policies that cover ransom payments. It is therefore important to understand that paying a ransom may not solve the problems. Nevertheless, many companies have not yet rehearsed their response to a sophisticated ransomware attack. Preparing a company’s decision makers before a real attack takes place is an important step towards improving resilience.