August 27, 2018 • Amanda McKeon
We’ve got a special episode of the Recorded Future podcast for this week. Staffan Truvé, Recorded Future’s CTO and co-founder, returns to the show to lead a conversation with our guest Rolf Rosenvinge. Rolf is CEO of RCG – CyberInsights, a Stockholm-based cybersecurity management consulting firm.
He shares his views on the state of cybersecurity in the EU; the effects GDPR is having; the evolving relationship between CTOs, CISOs, and boards; and the role of threat intelligence as we look toward the future.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 71 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
We’ve got a special episode of the Recorded Future podcast for you this week. Staffan Truvé, Recorded Future’s CTO and co-founder, returns to the show to lead a conversation with our guest, Rolf Rosenvinge. Rolf is CEO of RCG – CyberInsights, a Stockholm-based cybersecurity management consulting firm. He shares his views on the state of cybersecurity in the EU, the effects GDPR is having, the evolving relationship between CTOs, CISOs, and boards, and the role of threat intelligence as we look toward the future. Stay with us.
Today, we’re joined by Rolf Rosenvinge, who is the CEO of RCG – CyberInsights. That’s a cyber boutique focusing on cyber program development for large clients, but they’re also working in supporting cyber startups and scale-ups. So, thanks for joining us, Rolf, and please, let’s go ahead and talk a little bit about your background.
First of all, thank you, Staffan, and thank you for having me on this podcast. I think it’s great, so thanks for that. I started off serving in the Swedish Armed Forces as an officer for 15 years, where seven and a half of those were in our Taiwan special operations units, where I spent a lot of time developing our intelligence operations capabilities. And this was during a time when Sweden was deploying a lot of forces to Afghanistan in support of the U.S. post-9/11 efforts. And then coming out of service, I spent approximately seven and a half years at GE building global security programs and working as a CISO. And then I ended up working in London at the time when the capital was a systemically important financial institution, covering a million aspect regions. A lot of travel during that period, but great fun.
And then I moved over to PWC and worked for the Swedish firm, where I, as a partner, built the Swedish firm’s cyber practice, which was also great fun, but as of a couple of months back I am now heading up RCG – CyberInsights. It’s great, it allows me to move more freely around all the spaces where I find it really interesting to be. You know, I can play both in the private equity space but also, as you mentioned, in the start-up and scale-up community, but still continue to serve large clients. That’s great.
Yeah, with your perspective, having worked both all over Europe and in the Middle East, I think the obvious first question is, how do you see the cybersecurity space evolving in EMEA now, and what makes it different from the rest of the world?
Yeah, I think that’s a great question, and not an easy one to answer, but it’s still a great question. So, I think one of the core components of understanding cyber is that you have to understand digital. So our societies at the moment, across EMEA and basically across the globe, are going through massive change. Digitalization is going so fast. It’s not all nation-states, it’s not all enterprises taking the impact of this on board.
I spent a lot of time during the last couple of years working with boards and executive managements and teams. You know, these are really, really smart people, but they are business people. And what’s intuitive for us as cyber practitioners may not be as intuitive for them as business people. So I think there’s a lot of responsibility, given the context and the background that lies on us as cyber practitioners.
And maybe, to circle in a little bit about your question, I think, generally speaking, the U.S. has probably moved faster on these issues, probably because they had to. And I think this is really starting to pick up in EMEA now. I think the U.K. is obviously leading the way, but also some other nations around EMEA are picking up speed relatively quickly.
But I do think the EMEA region as a whole, if you can assess it as a whole — which is on one hand very difficult — it’s still lagging a little bit when you compare it to the U.S.
When you say “a little bit” there, I sometimes say that I think we’re four or five years behind. Do you think that’s fair, or are we catching up?
No, I think it’s fair. I do think it’s fair. I don’t think it’s — it isn’t that easy to assess EMEA as one, because it actually varies a lot. I think the U.K. is definitely in front. I think the U.K. is probably on par with the U.S. At least that’s my experience from having worked for GE and other clients later on, and working both in the U.S. and in the U.K.
Then there are some other countries, like the Baltic countries. Very close to Russia, with Russia basically having had those as their training ground. So some of them are actually … Like Estonia, for example, is actually pretty advanced at this point. But overall, I would say that you’re absolutely right. I think it’s fair to say that, on an overall basis, EMEA is probably four or five years behind the U.S.
And it’s interesting, of course, the fact that you said that there’s different maturity in different parts. This makes me think of one thing. We had a big sort of scandal here in Sweden happening last year, I think it was, when one of the government agencies outsourced a lot of their very sensitive operations, and that ended up somewhere in Eastern Europe. People were upset about that.
What do you think about that? And about people in general outsourcing, but in particular, to countries who might have sort of a dubious reputation?
I think you’re right. I think it’s a reflection of what I tried to outline earlier, that people are really pushing for going digital. And they want to do all these second waves of outsourcing, which, of course, from a business perspective, makes perfect sense. And generally, I do think it’s the right thing to do because the businesses need that.
But you still have to really take on board what you’re actually doing and hold that up against the cyber perspective. And you’re right, that was a massive debate here in Sweden after that issue last year. And I think the biggest question is, probably, has everyone learned the lessons to be learned? And I’m not so sure.
We’re working with some clients today, just finishing a security operations center, helping them implement that. And even in that discussion, one year after that big debate we had, some of the lessons are still on the table to be picked up, really. In terms of, should you really buy your security operations center service from your infrastructure provider? It’s probably not a good idea, right? And you have to really work with the incentives to get them right. And typically, having the watcher in the same pocket as your infrastructure provider — it may not be a good thing.
If you really need to do it anyway, you need to make sure that you have the right remediation and compensating controls in place. And so I still think there’s a lot of work to do across the EMEA region in this outsourcing context.
In general, what’s your short list of key things to think about when you talk to your clients about how to solve or handle the big cyber challenges?
To your question, it often starts exactly the way you phrased it. “So, how do we solve cyber?” I’m not really sure, given the pace of how fast businesses are transforming, that you actually can solve it. But you can control it. And I think there are a couple of things. I think, first of all, it’s really important to understand your business environment. And not just in the macroeconomics of things, but also more specifically around cyber. What are the threat actors that are relevant for your business, your industry, and your region? I think a lot of clients have a lot of ground to cover to really understand their business environments, and I think the importance of threat intelligence will only increase over a period of time.
And secondly, of course, you do still need to understand your IT estate. It’s boring, but it’s still true. And then you have to understand all the vulnerabilities you’re carrying. And you have to mitigate as fast as you can, but prioritize based on knowledge acquired during your threat intelligence efforts.
Then, of course, identity and access management, right? The more you open up for collaboration, the more important it becomes that you actually understand who is on the other side of things. So identity and access management has been truly important for a long time, but that remains important.
And third-party risk, right? I think it’s also that it’s not very sexy. It’s super hard work, and it’s really difficult to actually do it. And beyond the initial Excel spreadsheets and questionnaires, to really control third-party risks, because you see … When you look at a lot of the large-scale incidents over the last couple of years, you see there is often that indirect approach. And of course, there is that for a reason. So you attack someone else to get to the ultimate target.
To really control third-party risk is going to be essential going forward. And finally, I think a lot of clients, when we look at their programs, they’ve spent a lot of time and effort and money on protecting … If you think about the NIST framework’s five key capabilities, where you have “identify, protect, detect, respond, and recover,” I think the importance of “detect” and “respond” is just increasing. You have to understand what you’re looking for. And again, I do think threat intelligence — the importance of that is just going to increase. But those are five things that I think we have a lot of conversations about right now in EMEA and with our clients.
How about the relationship with law enforcement agencies? How good are the national law enforcement agencies in supporting companies, and what is happening on the Pan-European side? Are you doing anything, for example?
It’s a great question. I do think, yes, there are a lot of initiatives going on and picking up speed at the moment, but there’s definitely more to be done. And I think coming back to, “Can cyber be solved?” No, but it can be controlled. One way of controlling it is also to really increase the private and public cooperation efforts here. I don’t think government agencies can solve this alone, and the business environment can definitely not solve it alone.
But it’s really through both inter-agency cooperation and through private and public cooperation and the increase of such. I think it’s the only way to really move this forward.
So, speaking to the EU for a bit, of course, this has been the big year of GDPR. And people have lots of different opinions about that, whether it’s going to increase security or whether some of the restrictions mean it would be harder for security researchers to do their job. What’s your opinion? What’s in the balance here?
Overall, I think GDPR has been great for security in the EU, because it’s been yet another vehicle to get our issues on the table with senior executives, and really on the boards. And of course, that’s tied to the penalties of four percent of global revenue and all that stuff. But once you get past that — because that tends to be the first conversation you’re having with the board — once you get past that, and you really get the chance to sit down with them and talk about, you know, it’s data protection and regulation for a reason. And implied with that also comes … You have to have a security program in place. And it has to be fit for purpose.
Because from a storytelling perspective, there is no chance at winning a conversation with a regulator. You can have spent all the time in the world, and all the money in the world to just focus on delivering on the so-called “data subject rights.” The right to be forgotten, et cetera. But if you haven’t spent the time on actually protecting the data, it’s a no-win conversation with the regulator.
So overall, I do think that GDPR has helped getting this even further up on the agenda for the boards and executive management teams.
Turning a bit to another question, which is always intriguing, is the professional roles here. I’m curious to get your view on how the CISO role is evolving. Is the CISO role for a typical European company the same as, for example, for an American company, as you see it?
I think that’s a great question, right. I actually wrote a piece just the other week on the CISO versus CSO dilemma. Because typically, in EMEA, the CISO role is still relatively new, and a lot of companies are actually struggling to find seasoned and business savvy CISOs to fill those roles. And that’s a problem in itself.
Some of the big banks are actually recruiting divisional CIOs to the CISO roles, because they need someone more used to the C-suite exposure. But I also think there is still this dilemma. Do we really need parallel teams? Do we need a corporate security team and an IT security team, when everyone in the business is going digital?
I see a lot of companies still struggling with that question, and even a lot of large organizations where you have those parallel teams actually competing for the same bandwidth and the same resources. So when I look at EMEA and try to compare it to my experience from the U.S., I still think what we stated earlier here, that we are lagging four or five years. And when I look, typically, at the American CISOs and where they are reporting to in the organization and what type of program they are running, it tends to be still more mature.
But I do think the Europeans are picking up. We may have started behind, but I do think everyone is running extremely fast at the moment. Also, evolving the CISO, I think there’s, generally speaking, a lot of appetite within the boards to really listen to the CISO and what the CISO has to tell them. So I think there’s a great opportunity in a lot of the European companies for the CISOs to really step up to the decision-making table and lay out the plan and say, “This is what we need to do.” I do think most boards at this point, especially after the high-profile attacks last year, are really willing to listen.
Okay, so the CISOs do get access to board levels?
Increasingly so, absolutely. And we do a lot of work in that area and typically, sometimes we come in and the board asks us, “So, how do we solve or control the cyber?” And one of the first questions we always ask is, “Do you have a CISO in place, and have you actually listened to what he or she is actually trying to tell you?”
And some of the problem or problem-solving, if you like, often starts there. Get the people into the same room and once you get them started talking, you quite often find great interest from the boards. At least, that’s my perspective at the moment. So things are really picking up, because it has been a problem up to this point.
You mentioned that it’s hard to find a good CISO. But, of course, competence in general is very, very hard in this business overall. So what’s your view there on the European side again? How are we doing in terms of competence for all levels? That’s assuming that there aren’t enough people. Everyone says, “What’s happening?” How are people trying to catch up?
I think that’s very true, what you’re pointing out. There is definitely going to be a problem with talent acquisition — because basically everyone is hiring at the moment — so the government agencies are hiring. All the big enterprises are definitely hiring. All the consulting firms are hiring.
There’s simply not going to be enough practitioners around, right? So, I do see a lot of large clients doing their own type of boot camp sessions and stuff like that, and I see a lot of universities trying to pull together bachelor’s and master’s programs. Which is really good, but it’s going to take a little while. It’s going to take a couple of years to get there.
And at the same time, the need is just vast at the moment, right? So, I do think it’s going to be hard work for the ones of us around at this point. But hopefully in a couple of years it’s better. But it takes time to build experience, also. I think we’ll have to live with this for a couple of years.
And as you said, it’s great the universities are finally starting to educate. But of course, it takes three to five years for people to go through that education. And then they need to be on a job and gain the experience from real life.
So, it sounds like it’s going to be eight to 10 years before there’s any chance of backfilling the competence deficit, really.
Yeah. I think you’re right. We have hard work ahead, Staffan.
That’s good for all of us in the business, I guess, in a way. So, I wanted to wrap up with one final question. Since we are Recorded Future after all, I’m sort of keen to hear what your view is on what are the most important, let’s say, both threats and challenges for the next three years or so. What’s keeping you awake most, or what are you hoping?
Well, great question. And obviously not an easy one to just answer. But I’m going to give it a try. So, I do think, from an industry perspective, I still think that the importance of threat intelligence is truly underestimated at this point. I can say that coming from my own intelligence background and meeting a lot of CISOs. And very few of them, as skilled as they are, are really good in their roles, but not many have that core intelligence background or skill set with them.
So, I do think there’s a lot of explaining and laying out the importance of what threat intelligence actually can do for you. Start taking home some of the benefits. Because a lot of the problems, historically built, have been very, you know … Basically you taking out a standard. Whether it’s the ISO standard or the NIST frameworks, or some internal controls framework like COBOL, or whatever. And you start chasing a lot of stuff to green. But I do think that successful organizations going forward will have to understand more about their business environment, and threat intelligence is the vehicle for doing so.
I think the second part of your question was probably around, where do I see the threats coming from in the coming future. I do think that what worries me the most is definitely the geopolitical tension, which is on the rise globally. It’s definitely something we also feel in EMEA and especially here, I guess, in the Nordic countries. Because, after all, we do have that proximity to Russia, and they are extremely active. They are definitely not alone in that arena, as you know far better than I, probably.
But we see a lot of increased activities from nation-states. And at the same time, we are still pacing ahead with digital. And ultimately, that makes our societies even more vulnerable. And at some point, I do think there is a risk for an escalating conflict scenario. And critical infrastructure will be at risk at some point when nation-states are moving forward.
Our thanks to Rolf Rosenvinge for joining us, and, of course, to Staffan Truvé from Recorded Future for handling the hosting duties this week.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.