23 September 2016
Morten Kjaersgaard is the CEO of Heimdal Security, the team which is spearheading a new approach to cyber security, based on proactive protection.
Here Morten discusses the challenges of cyber security today, how organizations can protect themselves from threats and the importance of fostering innovation in IT and beyond. Read on:
Tell us about Heimdal Security. What do you specialize in?
Through each of its products, Heimdal Security focuses on protecting users and organizations around the world against cyber attacks that antivirus can't block. As a second generation threat tool, Heimdal is engineered to provide proactive protection and block cyber threats by monitoring and filtering all incoming and outgoing Internet traffic on the endpoint.
What are some of the major issues surrounding network security for corporations today?
Ransomware, data leakage and financial fraud are the top three concerns for organizations today, no matter the size or field of activity. These three threats have something in common too: they use sophisticated, second generation malware to achieve their malicious purpose, which is, ultimately, to increase the revenue for the cyber criminals who create, sell or distribute the malware.
The problem with second generation malware is that it incorporates a hefty number of mechanisms that enable it to fly under the radar of traditional, signature-based antivirus solutions. Most users at home and organizations still rely on antivirus as their only means for protection, but its reactive response is just not enough anymore.
What should organizations be doing to stay ahead of these security issues?
I believe we need a fundamental change of paradigm when it comes to how we think about cyber security. It's no longer effective to react to cyber attacks - we need to invest resources in preventing them, both at home and in companies and organizations.
Staying ahead of current security issues entails having a strong grasp of how cyber threats are evolving. This is part of ongoing and much-needed cyber security education, which is no longer something that only specialists should engage in.
Being able to build a strong cyber security strategy and implement it also includes knowing your assets very well. This should be strengthened with a constructive and positive company culture that favors trust among colleagues and invests in educating employees about data security, not only for the organization's sake but for their own benefit as well.
Technology is only half of the story, but the human element is the rest and just as impactful. This is also the reason why understanding cyber criminals' motivations and the technology they leverage is equally important.
What outdated/obsolete network security strategies do you still see organizations use today? What are these organizations risking by not staying ahead of security innovations?
Many companies today have people working in independent areas, in charge of separate elements that make up the cyber security strategy of the organization. Often, there is no cross-departmental collaboration to share insights on how to combat modern attacks. This responsibility split creates a disconnect between the causes of cyber security issues and their solution.
One cyber security specialist may fix one part of the problem, but another angle could be left uncovered because it's not in his department. Not mitigating threats that the company is facing as a whole is one of the biggest challenges that large organizations face today.
I believe that the IT industry should also value uptime more. Maintaining a complex system running smoothly is hard work and many companies fail to recognize this until a security issue disrupts the normal state of things. Taking uptime for granted can sometimes cause resources that are necessary to maintain it to be reassigned to different areas.
In terms of not staying ahead of security innovations, the risks this approach incurs are mainly related to data leakage, financial losses and legal consequences. Suffering a data breach is not just a corporate matter because it will also lead to your customers losing trust in your brand. And trust is not something to come by easily these days.
Security innovations should be tested and not taken for granted. They should make sense and fit into a company's cyber security strategy. Sophisticated tech terms should be backed by real technological benefits, and this all boils down to being able to work with a team you trust, a team that can constantly overachieve.
What network security trends or innovations are you following closely right now? What interests you about them?
At the moment, I am interested in how perimeter security makers are trying to mitigate the increased complexity in attacks surrounding ransomware. I'm closely following how they work with their limitations to ensure the type of flexible and proactive security that companies need today.
There is no doubt that the evolution of ransomware is the fastest moving in the industry. This makes updating perimeter security one of the heaviest tasks that security specialists have to manage. I want to see how this affects the industry as a whole, and how it changes the current way of doing things because we clearly need a better protection model, industry-wide.
How has the role of IT evolved in the past 10 years? How should IT be positioned within an organization over the next 10 years?
In the past 10 years, IT managers have moved from a marginal role, in which their main task was to make sure that endpoints were operational, to a central role that involved securing company data and ensuring business continuity.
Today, IT is as much about securing the brand itself as it is about ensuring that the company can operate safely and be protected from disruptive cyber attacks and their consequences.
In the next 10 years, I believe that IT will become even more important for a company's growth and stability. IT and security managers will sit at the same table with the CEO and become key decision makers because cyber security will be a fundamental pillar of the company's modus operandi.
The CIO will become an integral part of the commercial decision-making in the future.
In your mind, what are the most important issues facing CIOs today? What are the biggest challenges of this role right now?
Chief Information Officers everywhere are under huge pressure to create, manage and deliver effective cyber security solutions to their organizations and their customers. They have to find a way to protect their endpoints from threats that didn't even exist a few years ago, or even a few days ago, and sometimes do it on a limited (and not always generous) security budget.
What's more, it often happens that decision makers see CIOs as being the only ones responsible for ensuring business continuity in case of security breaches. Needless to say, this creates additional pressure that they have to deal with.
Besides, second generation malware doesn't make it any easier for them to cover every security hole before it's exploited. Ransomware, exploit kits, and financial malware are just three examples of advanced threats that pose serious problems for companies worldwide.
In my opinion, security should be perceived as a companywide responsibility and be managed as such. It's the collective effort of everyone in the company that keeps a company safe and thriving.
You pride yourself in being someone who recognizes and develops great talent. Why is this role especially important for IT today and how can organizations improve their leadership development?
In any company, finding the right talent is critical to driving a successful business in the long run. This is especially true in IT because keeping up with the most modern tech requires people that are willing to keep an open mind and evolve at all times.
Improving leadership development entails being concerned not only about the company's growth but also about each employee's personal growth. The company culture is shaped by each team member, so everyone should be aware of their impact and how it builds up as a whole.
From your perspective, what drives innovation within an organization, but especially within IT? What seems to kill innovation?
In any scenario, innovation is driven by the willingness to try and the willingness to do. Accepting failure and learning constantly are also two company culture traits that are essential to creating an environment that fosters innovation.
On the other side of the spectrum, innovation is easily discouraged through micromanagement, by instituting a system based exclusively on punishment and reward, and by holding on to obsolete management techniques that are no longer suitable in today's fast-paced world.
Flexibility, the eagerness to learn and an open mind are elements that fuel innovation and keep teams motivated and involved.
What organizations or individuals do you look up to from the perspective of being both innovative and agile? What can we learn from them as the pace of technology continues to accelerate?
Even though they're one of the biggest out there, I have to mention Google. They've proven, time and time again, that they're not afraid to try new things and that they accept failure as a learning experience when it happens.
Their dedication to innovation has expanded beyond their main business to include artificial intelligence, robotics, genetics and more, all under the Alphabet umbrella. Reshaping how the company is structured also proves that they are flexible enough to change the status quo and keep challenging it to fit the times we live in and the needs we all have, as humans.
What we can learn from Google and, now, Alphabet is that we need to put a focus on constant learning. A priority for all of us should be to close the education gap and make sure that we invest enough resources now in educating and training specialists to handle future demands. The robots may already be here, but technology will always need the human touch.