Spotlight on cybersecurity: a recap of the August 2023 Inside IT event
Cybersecurity is more than just a buzzword; it is a necessity in our digitally networked society. With over 120 attendees and a distinguished panel of experts, the August 2023 Inside-IT event, "Cybersecurity of and in Switzerland" provided a platform to discuss this complex and ever-changing topic. In this blog post, we summarize the key takeaways.
Mandatory reporting and responsiveness in cybersecurity
Max Klaus of the NCSC spoke about the organizational shift of the Federal Office for Cyber Security (BAC) under the Department of Defense (DDPS). He emphasized that the shift was a purely organizational measure for now. The discussion in the room, however, showed that opinions were divided on this development.
Separately, Klaus could not comment on the recent ransomware attack on Xplain. However, he emphasized that cyberattacks, such as the DDoS attacks of June '23, are not new. He views the introduction of mandatory reporting of cyber incidents as a step in the right direction to be able to react faster to new attack vectors.
The importance of risk management
In his short talk, GOBugfree CSO, Michael Schläpfer, spoke about how essential it is to have a holistic view of security. Risk management is at the heart of cybersecurity. The first step is to understand and identify the potential risks. Only when these are known can companies make conscious decisions about how to minimize, transfer or accept these risks.
Trust as the key to success
Martin Leuthold of Switch focused his presentation on the need to maintain the trust established by MELANI, NCS 1, 2, 3 in the cybersecurity community. He praised the decision to retain Florian Schütz as head of BACS, but emphasized the relevance of how potential conflicts of interest could impact the credibility and trust in the federal civilian agency.
Leuthold made a clear case for transparency and collaboration. At a time when the Armed Forces are being upgraded with significant investments in the cyber domain, he sees transparent structures as indispensable. In addition, he stressed that the civilian BACS should be supported by the entire security community in order to respond effectively to cybersecurity challenges.
User-first security
Sandra Tobler, CEO of Futurae, argued that strong security need not be complicated. She illustrated the everyday challenges of cybersecurity with a personal anecdote. After switching to a new smartphone, she found herself in a maze of authentication steps just to buy a tram ticket through the ZVV app. The experience brought not only frustration, but also the realization that strong security doesn't have to be complicated. Tobler underscored that up to 50% of customer support tickets at banks are related to authentication and login - a clear indication of a need for improvement.
Her appeal was unequivocal: user-friendliness must be brought to the fore without neglecting security. In doing so, she warned against blind faith in biometrics and emphasized the importance of context-dependent security measures .She advocated a user-first approach to increase the acceptance of security measures.
Top-down support for cyber resilience
Konrad Zöschg, CIO at Swissgrid, emphasized the essential role of corporate governance in promoting cyber resilience. From the board of directors (BoD) to the executive management (GM), conviction and action must be clearly aligned to strengthen cyber resilience. Zöschg made it clear that this conviction does not just exist on paper, based on the regular cyber exercises that are conducted within the company. Such practical preparation is crucial in order to be able to act in an emergency.
In terms of key aspects for implementing cyber resilience, Zöschg explained that an effective defense strategy rests on three pillars: a top-down corporate culture that promotes cyber resilience, layered protection strategies and the ability to respond quickly to new threats. These aspects provide the foundation to effectively avert the enormous potential cost of a cyberattack - he mentioned that a one-day blackout could cost 2-4 billion.
No blame culture
In the closing panel discussion, the importance of a no-blame culture was emphasized. It is important that companies promote a culture in which employees feel safe reporting security incidents without fear of punishment.
The event not only provided an opportunity for an in-depth technical exchange, but also for engaging conversations. The cybersecurity landscape is constantly changing, and events like this are essential to staying up to date.
