BDO Switzerland steps into the ring at GOHack23

Florian Muff, Certified Ethical Hacker and graduate of CAS Cyber Security & Digital Forensic, joined BDO in Zurich in 2014. He has been serving his clients in a senior cyber security role for about 5 years. Florian is a board member of the Allianz Digital Sicherheit Schweiz association, where he also serves as an auditor of the CyberSeal seal of approval.

Florian, how did you get into cybersecurity? What was your inspiration?

I started in the IT department at BDO. I was increasingly called upon to provide technical support for forensic investigations of the "Management Consulting" team. This activity appealed to me very much, which is why I fully joined the said team. I helped to expand the existing forensic service with new technical possibilities and processes.

In the course of various investigations, I repeatedly came across weak points that posed considerable risks for our clients and required subsequent investigations. In response to this, BDO has developed various services that serve in particular to prevent such risks. In this way, we want to help companies identify vulnerabilities in their own networks and associated processes at an early stage and implement suitable measures in collaboration with our experts. So my path to cybersecurity did not take me through the classic training steps, but rather the requirements that companies are increasingly having to contend with today.

What is your current role at BDO and what do you like most about your job?

I am responsible for the development and growth of the "Cyber Security Consulting" department. We help customers to better understand the topic of cyber security and its relevance for their own company and to protect themselves accordingly. Furthermore, my team provides technical support for forensic investigations. It is precisely this mix that makes our work so exciting.

In the area of cybersecurity, I particularly enjoy the exchange with the companies and the people responsible, as well as the constant further development that we experience as a team together with our customers.

BDO is a main partner of this year's GOHack. Why is BDO supporting this cyber security hacking event?

For BDO, it is a matter of course to always deal with the current challenges of our clients. Knowledge of risks that companies face in the area of cybersecurity are of central importance to us as a service provider. As part of our existing partnership with GObugfree, we are pleased to support the GOHack23 as a main partner - and also to be tested ourselves.

BDO is active in areas such as auditing, fiduciary services and consulting that require the handling of very sensitive data. What challenges arise when dealing with such data? And what is the strategic importance of cybersecurity for BDO?

The challenges in handling sensitive data are quite different depending on their origin. This depends, for example, on the data protection laws of the respective countries of origin. We also work in projects where data may not flow out of a particular country.

For BDO, cybersecurity has a very strong strategic importance. On the one hand, because as a company we have to protect and defend ourselves against possible attacks. On the other hand, because we want to be a long-term contact for our clientele and observe that the "arsenal of weapons" of cyber criminals is developing at a rapid pace and is increasing in perfidy.

You have been with BDO since 2014. How has the significance and approach of BDO in the area of cybersecurity developed during this time?

The last ten years in particular have been a very exciting time in the field of cyber security. The increasing number of vulnerabilities discovered in systems and networks and the rise in attacks have increased the demand to further develop competencies and resources in this area.

The development of services for our customers has also moved steadily forward over the last five years, becoming more and more adapted to effective use.

How do you see the role of forensic technology in today's digital landscape and what impact does this have on corporate cybersecurity strategies?

We see a significant difference in the use of forensic technologies, which can be seen firstly in the company divisions and secondly in the company sizes.

For many SMEs, forensics does not play a major role because services like this are often not affordable for them. Clarifying a cause down to the smallest detail is set against the focus on being able to work productively again after an incident. More energy is put into managing and preventing a reoccurrence of an incident rather than forensically processing the event in detail.

Thus, cybersecurity strategies vary widely, depending on need and opportunity. There are companies that prepare for every possible eventuality and others that only deal with the issue superficially. Many companies assume that the internal or external IT service provider will take care of the company's cybersecurity. Unfortunately, in our experience, this is often a fallacy.

What career opportunities does BDO offer in cybersecurity?

At BDO, there are various career opportunities in the field of cybersecurity. We support both young people who want to work for us after completing their studies and people who are interested in a lateral entry into the cybersecurity field. Social soft skills, curiosity and the will to provide top service are among our main requirements.

In the area of cybersecurity, we have two paths: on the one hand, working internally for BDO itself, and on the other hand, working as a consultant or security tester for our clients - these are different career paths. If someone focuses on internal services, the focus is on gaining a deep insight into the subject matter. In the external area, employees are in close contact with our customers and deal intensively with the challenges and the handling of resources.

BDO places a special focus on SMEs. How does BDO specifically support SMEs with regard to cybersecurity?

We support SMEs as a reliable contact for all cybersecurity concerns. At the beginning of a cooperation, there is often an evaluation of the current initial situation. This can be followed by a joint review of the technical points, which results in a vulnerability analysis. In this way, vulnerabilities can be identified and eliminated. Another step is the human component. With various interactive measures and training courses, we address the people of a company directly in order to raise awareness of the issue and create a holistic culture.

We also support customers and their IT service providers to promote further development and strengthen the focus on the challenges.

What advice would you give to SMEs that are aware of the importance of cybersecurity but don't know exactly how to get started or improve their current level of security?

I advise every company to discuss the topic with its internal or external IT department. In this way, it is possible to evaluate which protective measures are already in place. This exchange automatically reveals areas for action that can also be dealt with at low cost. A good example of this is the periodic checking of existing user accounts. In this way, it can be ensured that no persons have access rights who are no longer active in the company.

Our Cyber Barometer can be used as an introduction to the topic in order to identify such fields of action. We work with a small questionnaire and two technical checks to determine superficially in a first step what the status is in the company. This is made visible with the help of the barometer, without any obscure technical terms. It quickly becomes clear: Are we in the red, yellow or, hopefully, green zone?

New talent, interested parties and career changers will also be attending GOHack23. What advice would you give to someone interested in a career in cybersecurity who might want to start at BDO?

Build up as broad a network as possible of people who are active in the area that interests you. The most exciting opportunities usually arise through direct exchange. That's why I'm particularly pleased to be able to present BDO and my work in more detail in a personal meeting. After almost ten years, I can certainly offer one or two tips along the way. Perhaps an insider tip to finish with: show that you are prepared to go the extra mile. That is exactly what is crucial in our field. Active interest and a lot of initiative are central when it comes to dealing with the ever new challenges.