For the purpose of cybersecurity month, we asked our Information Security Officer, who joined our team in July, to share some insights into his job and the current state of cybersecurity.
How did you become an Information Security Officer?
I studied Business Information Technology at Corvinus University in Budapest, and from the second year onwards I was very interested in information security and privacy, and therefore I wrote a scientific publication (TDK) for a student academic competition, analyzing the security and data protection of cloud services. That was the time when I came across Tresorit, and I conducted an interview with Giorgio (Gyorgy Szilagyi, Co-founder & CPO of Tresorit) because one of my teachers and my teammates from the College for Advanced Studies had already been in contact with him before.
In this study I analyzed the data protection practices of global providers and how they handle data. This was the beginning of my journey, and from that point on I was keeping an eye out for information security everywhere. I was a very active student, giving lectures as a demonstrator, participating in the College for Advanced Studies and the Student Union, and I went to many events where technology and security were in the spotlight.
In the second year, I had already started to work as a management consultant to get to know more industries and projects. It was a really good decision, because I gained lots of experience in different sectors. Later on, as part of my consulting assignments, I worked as an Information Security Officer at companies which provided financial services and became a Regional Security Program Manager for almost 2.5 years. It was my duty to support local subsidiaries in enhancing their current information security maturity level.
This is how my professional career really started. During my time at university I also started to work at ITBN (one of the biggest infosec conferences and expos in the region). Since then, I have been contributing to ITBN, the annual information security event day.
Local representatives of the IT security market collaborated in 2004 to create a forum to represent the interests of all the market players independently. ITBN has far exceeded its original goal: the event is the home for innovations and announcements of fresh products. ITBN presents the current views of government officials and of the legal, financial and professional spheres of the IT security profession. Everybody is here: high-level IT security specialists, auditors, CISOs, vendors, decision makers, consultants, distributors, CFOs and CEOs, and IT procurement managers.
This year it takes place at the end of October: https://online.itbn.hu/
Last year the creator of the “Have I Been Pwned?” website and web security expert Troy Hunt accepted my invitation and came to this event. It was his first time in Hungary, and it took me almost 2 years to get him here from Australia. I contribute to the event voluntarily in my free time, and I like it because you can meet the experts of the industry and it also helps you stay up to date regarding the latest news, current issues and new solutions. I regularly give presentations on security awareness and conduct trainings. My goal is to raise awareness of information security and share Tresorit’s mission as well.
Why did you join Tresorit and what are your most important responsibilities at Tresorit?
Back then Tresorit's main message was that the solution helps individuals and companies to protect their privacy. Today we live in a so-called information society. Every person's life and every company's profile are in bits and bytes, and everyone has a digital persona. This has pros and cons. Companies offer many products with value, but some have hidden dangers too when it comes to data security. Leaked data has a big value on the black market as well. I did some research on this – you can buy health records for a couple of dollars, passports, passwords, driving licenses etc. You might ask, why is it an issue if my personal ID number or password gets out? The problem is that because many data breaches happen, a lot of data gets out and there is a complete digital profile available about many people.
Data broker companies market themselves by selling these. In this turbulent world where we as individuals share lots of information about ourselves, we contribute to the fact that providers can access our data to offer benefits to us, but it may cost us dearly, too. From the very beginning, Tresorit has promoted its solution as a zero-knowledge service, which means that not even Tresorit can get access to the data of its users, in contrast to mainstream providers. I am very proud to be working for this company with this mission and vision.
How do you see the status of information security awareness nowadays?
Our customers trust us to protect their health or finance data, so that it will not get into the wrong hands. A bank using Tresorit, for example, has to make sure that its employees are aware of their responsibility, as it has promised its clients to ensure data security alongside the ordinary business service. So, security is a crucial part of the service - a fact the market is often not aware of. One reason for that is that there is no education on this topic; families do not speak about this at home. Now with digital education becoming more common, more attention is drawn to the need for this.
Do you think there will be a positive change regarding what people think of the value and protection of their data?
I am striving for this every day and believe in it, yes. With a company like Tresorit I can do more to achieve this. We offer security and have privacy-conscious clients and users. We need to lead by example and show that we live our values.
How was your onboarding experience?
I was very lucky to take over the position from our former Information Security Officer - with special attention to governance, risk management and compliance - because exchanging knowledge with her was very well-structured and thorough, all the materials were available, we had a good schedule, it was really an exceptional journey. It was easy for me to get to know the system. As the ISO 27001 audit is approaching, it is a big task to prepare for it in the next months. We had many online meetings, sometimes 6-8 hours a day. I was looking forward to meeting the team, as I felt from the beginning that there is an open and welcoming atmosphere at Tresorit.
What other daily responsibilities do you have?
There is a so-called Information Security Management System with a technological, practical, procedural and also documentary aspect. I am responsible for running the machine. Training new employees on information security is also one of my tasks, as well as driving incident handling, business continuity management and organizing audits. There are many regulations to update and some new ones to work out in depth. If there is an audit, there are always recommendations we have to work on and changes to make. I like to do my best, so we don’t just create documents and give trainings, but I want to see these new guidelines being put into practice.
I see some room for improvement for this even in this company. Such a change in company culture is not easy and is a long-term goal. I witnessed it at several companies during my professional career. Employees need to understand what impact an incident can have on security and business and that it is a common interest to revise and obey rules. A Security Officer’s job is somewhat similar to a pastor’s. Some follow the rules, others listen but are a bit skeptical, others don’t listen and don’t believe what is said.
We also get many questions regarding information security and I coach my colleagues in answering those. With their knowledge of information security growing, they will soon be able to answer those without my help. And there are also certificates, not just ISO but other ones, for which we need to develop our cyber-capabilities before we can apply for and benefit from them.
What do you see as the biggest challenges regarding compliance and information security for businesses nowadays? What would you give as advice?
We as companies, but as individuals as well, must take more responsibility when it comes to protecting our digital identities and valuables. It can be hard to realize the value of our data, as it is not tangible. It is not like the value of machines or other physical objects in a factory 200 years ago. Today companies’ valuables are on computers in the form of data. We are aware of our digital persona, but again there are advantages and also threats. We need to think differently about cyberspace and compare it more to physical space. Just to give an easy example: we do not usually cross the road when the light is red, because a car could hit us. There are security rules in cyberspace as well, but they are less often recognized and applied. The digital and physical immune systems are different, but still similar. Many get hooked by phishing attempts online. In the physical world, we would react differently. The two worlds need to be closer to each other; our instinctive reactions, like closing the window when it's cold or washing our hands to avoid an infection, are similar to using 2-factor authentication. I could list many analogies, but the point is that we need to change our thinking about the online world.
Is it also necessary to learn more about the available technologies to choose the right one with security in mind?
Definitely. We all have our smartphones with many apps without enough knowledge about them. We must pay attention to what we give our permissions to. Technology has become part of our life very quickly, but we haven’t been able to adjust our mindset quickly enough. Just think about how everyone started to use Zoom when remote working became the new standard, but many were not aware that without proper E2E encryption, critical business data is in danger. There is a huge number of technology solutions available and it is hard to get an overview of this oversupply.
This is why we founded our Information Security Management System, too, to enhance the security of individuals and companies.