The role of a CISO is often thought of as purely technical, a matter of logic and procedures. Today, we have the pleasure of interviewing a professional who combines the well-known qualities of a CISO with a rich background of experience and passion, as well as creativity, a fundamental trait for solving problems in a complex and diverse environment.
Leonardo Casubolo, CISO for Burckhardt Compression AG, began his career as a video game developer and then delved into the field of cybersecurity, defining his specialization in this area. His experience, combined with in-depth knowledge of the field, illustrates how multifaceted and dynamic this profession is and how the role of CISO will become increasingly crucial in the near future.
What is your journey in cybersecurity and digital security, and what experiences have prepared you for the role of CISO?
I started my IT career in the world of video games when it was a one-man-show business. Then, I moved on to develop enterprise software, gradually taking on more significant responsibilities in managing corporate systems. From my perspective, security immediately appeared not as an "add-on" but as a core component of systems. In fact, without security, we cannot guarantee that they will operate and produce the expected results. I quickly discovered that "viruses" could exploit legitimate mechanisms for illicit actions. The first one I encountered was a boot sector infection on those lovely 5 1/4-inch floppy disks. My interest in security may also have been sparked by movies like "War Games" or "Tron."
How do you manage the complexity of ever-evolving regulations and security standards, such as GDPR, NIST, ISO 27001, and ensure that the organization is compliant?
Regarding compliance with regulations related to the processing of personal data, in addition to the usual online channels, I have a close collaboration with our legal department. I have regular meetings with our Data Protection Officer (DPO) to ensure that our processes align with various regulations, at least in those countries where we have production sites. For regulations strictly related to cybersecurity, the news circulating on the internet helps us decide which topics to focus on. Having a very close collaboration with Microsoft, we receive official information from their Intelligence channel, as well as unofficial information from interactions in various projects. In specific cases, once we hear that "something new has appeared under the sun," we verify on the responsible entity's website. Of course, networking also plays a role.
What strategies do you consider crucial for effectively communicating with the board and convincing them of the importance of investments in information security?
Fortunately, all the company's executive bodies are extremely aware of the situation, and information security has a very high priority. This is very helpful because it has allowed us to establish a series of policies and controls that are not common for a manufacturing company. My approach has always been to present the situation and the risks, perhaps referring to what is happening in the world and citing news articles, and highlighting the possible direct and indirect economic consequences. In addition, I find it extremely useful to undergo a third-party audit by one of the Big Four. Their authority increases the level of attention to the arguments presented.
How do you prepare to address emerging threats, such as the increasing use of artificial intelligence and the Internet of Things, in the context of information security?
As of today, I do not see any developments that require a significant change in our way of acting and reacting. Let me provide some examples:
a) Are SaaS (Software as a Service) offerings providing interesting solutions? We just need to ensure that these services comply with the regulations we must adhere to and offer security guarantees aligned with our needs. Case by case, this may translate into geolocation requirements, specific certifications, and/or periodic audits.
b) Should we implement an IoT (Internet of Things) solution for a specific process? In this case, we need to verify that the solution provides sufficient security conditions and implement containment solutions to detect/control any abnormal behavior of the solution.
c) Certainly, Artificial Intelligence will make "generic" attacks more specific to individual targets, increasing the likelihood of success, especially in the area of Social Engineering. However, on the other hand, our defenses can also adopt equivalent technologies. The key is to choose solutions/services that keep pace.
d) Post-Quantum Computing. You didn't mention it, but I consider it another major threat. Much of our security is based on public/private keys and can be represented by the HTTPS that precedes websites in our browsers. With current algorithms, quantum computing will easily penetrate these defenses. But here too, suitable solutions will evolve, and we will have to adopt them, as has already happened with the transition from HTTP to HTTPS and the entire evolution of encryption.
What measures do you implement to ensure the security of data and sensitive information during widespread remote work, considering the changing work models?
The fundamental measure has been, where possible, to migrate to a "cloud-native" solution. Companies that provide SaaS and PaaS solutions, as a consequence of their business model, need to ensure that their solutions are not easily attackable and are user-friendly. They also continue to evolve to counter the increasing aggressiveness of cyberattacks. Just look at the evolution of Multi-Factor Authentication to ensure user identification. Initially there was SMS, then a popup to approve, and now a popup where you enter data presented on the product screen. For other cases, we still rely on VPNs today. We are considering Zero Trust Network Access (ZTNA) solutions, but the market is still fluid. Microsoft has its solution in preview.
In a world where data privacy is increasingly important, what policies and procedures do you implement to ensure the protection of customers' and employees' personal information?
In collaboration with the legal and HR departments, in addition to technical measures and verifying that services in which personal data are processed are provided by countries considered compliant by various authorities, we update onboarding and training courses for employees. This helps our colleagues comply with the regulations of the various countries in which we operate.
In the context of operational technologies (OT) and the industrial sector, what are the main concerns in terms of information security, and what strategies do you implement to protect critical systems and ensure operational continuity?
The problem has existed for years. Many companies providing auxiliary services to production do not have the appropriate awareness of information risks. Therefore, with a view to damage containment and infection detection, we have had a network micro-segmentation solution in place for years that inspects and controls communication between individual hosts. Of course, communications are restricted to what is strictly necessary. Initially, there was some resistance from colleagues in production. However, a meeting to clarify different needs led to satisfactory solutions for everyone.
How do you plan and implement information security to address the unique challenges of the industrial sector, including threats such as cyber-attacks on critical infrastructure and the increasing interconnection between IT and OT systems?
Focusing on the production side, we can see that there are two main areas:
a) Systems/parts that use IT technologies (such as PCs used as production system consoles).
b) Systems/parts that use specific OT technologies (such as PLCs).
In the first case, we extend the same technologies we use to protect our office PCs. In the second case, we rely on the previously mentioned micro-segmentation and traffic verification between devices. It is crucial that management accepts that "false positives" can create problems. Without this acceptance, I find it difficult to apply any protection.
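One way to express the host-to-host allowlist and the monitor-versus-enforce trade-off described in the two answers above, as an added illustration that is not code from the interview or from the company's environment; the host names, ports and sample flows are constructed.

```python
from dataclasses import dataclass

# Constructed allowlist of (source host, destination host, port). Only what is
# strictly necessary for production is listed; everything else is unexpected.
ALLOWED_FLOWS = {
    ("hmi-console-01", "plc-press-07", 502),   # Modbus/TCP from the console to its PLC
    ("hmi-console-01", "historian-01", 1433),  # console writes to the historian database
    ("scada-srv-01", "plc-press-07", 502),     # SCADA server polls the same PLC
    ("patch-srv-01", "hmi-console-01", 445),   # SMB patch delivery to the IT-style console
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def evaluate(flow: Flow, enforce: bool) -> str:
    """Return 'allow', 'block' or 'alert' for one host-to-host flow.

    In monitor mode (enforce=False) an unexpected flow only raises an alert, so a
    missing rule shows up as a finding rather than a stopped machine; in enforce
    mode the same flow is blocked."""
    if (flow.src, flow.dst, flow.port) in ALLOWED_FLOWS:
        return "allow"
    return "block" if enforce else "alert"

def triage(flows, enforce=False):
    """Run observed flows through the policy; returns (decisions, findings).

    findings lists the unexpected flows so production staff can confirm whether a
    rule is simply missing (a false positive) or the traffic is genuinely abnormal."""
    decisions = {}
    findings = []
    for f in flows:
        decisions[f] = evaluate(f, enforce)
        if decisions[f] != "allow":
            findings.append(f)
    return decisions, findings

# Constructed sample of observed flows, as a flow collector might export them.
OBSERVED = [
    Flow("hmi-console-01", "plc-press-07", 502),
    Flow("hmi-console-01", "historian-01", 1433),
    Flow("hmi-console-01", "plc-press-07", 445),  # console probing SMB on a PLC: abnormal
    Flow("plc-press-07", "hmi-console-02", 502),  # PLC initiating to another console: abnormal
]

if __name__ == "__main__":
    decisions, findings = triage(OBSERVED, enforce=False)
    for f, d in decisions.items():
        print(f"{f.src} -> {f.dst}:{f.port}: {d}")
```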
What do you think will be the main challenges for a CISO in 2023, both from a technological and strategic perspective, and how do you plan to address them?
Fundamentally, we anticipate a continuous increase in the number of attacks, the expansion of attack vectors (now even instant messaging, like Teams, is becoming "popular"), and, of course, the fact that the use of Artificial Intelligence will enable technically specialized attacks, and in the case of targeting human vulnerabilities, even more credible ones. In the latter case, process review and employee training will be crucial.