Name: Petri Kuivala
Current position: Chief Information Security Officer (CISO) at NXP
Petri Kuivala is a CISO with a unique background. Until 1999, he was a founding member of the IT crime investigation unit at the Helsinki police department. From there, he joined Nokia’s cybersecurity team in Finland. After a few years, he moved to China to lead Nokia Corporate Security. Between 2009 and 2011, Petri served as the first CISO of Nokia. This is when his career led him to Microsoft after leading the integration of Nokia Security into Microsoft. For the last six years, Petri has been the Chief Information Security Officer of NXP Semiconductors, a company that delivers ‘Secure Connections For A Smart World,’ first establishing, and then leading a team of cybersecurity professionals.
Just recently, we sat down with Petri to discuss the challenges CISOs face right now. We talked about how cybersecurity has moved away from being just focused on compliance and IT, focusing on reducing risk and increasing reliability instead. We also discussed how teams face constant unpredictability in their work due to the rapidly changing environment, and how COVID-19 is impacting the work of security professionals as well as the cybersecurity market in general.
How has the CISO’s role changed during your career?
In the cybersecurity department, one of our top goals is always to reduce the risk of a breach. We are using the best tools to make sure that the company is always fully operational so that we can avoid loss of operations, loss of innovation capital, or other negative impacts, such as loss of reputation associated with a data breach.
The cybersecurity field has been rapidly changing during the last ten years, and investments have been spiking in various tools and services. It’s safe to say that the CISO’s role is more business-critical than ever. Ten years ago, your top priority could be in many companies to ensure compliance with regulations. Now, it’s all about mitigating the short-term bottom line-related risks and/or long-term strategic risks.
Today Kill Chain brings in good structure for conversations between cyber professionals and helps to organize planning. Back in time, we understood it only vaguely, but the professionals did not really have a common language around the attack patterns. Today’s major challenge is the lack of objective metrics about cyber incidents. If comparing to the health care and insurance industry, they know exactly, [for example,] the standard causes of mortality and related statistics, whereas in the cyber[security] industry we still are basing our decisions per the views of experienced individuals.
Cybersecurity is obviously in the spotlight today as companies invest in digitalization. IT is moving to the cloud, which makes the security of the cloud important for cloud providers. Of course, being a CISO means a different thing in different companies. The responsibilities and priorities vary in a company that is highly digitalized compared to those in a company with fewer digital assets and tools. As more traditional companies are catching up with digitalization, security is becoming a primary concern for them too.
Each company has its own priorities—besides risk reduction, of course. For some large-scale organizations, reliability and availability are an absolute must. In contrast, others may emphasize protecting the company’s intellectual property, for example, from the Chinese competition that is developing at a fast pace.
There are a lot of stories about how COVID-19 affects cybersecurity. Has it had an impact on your everyday work?
It hasn’t really had an impact. Unpredictability is the story of CISOs’ lives. As a CISO, you must be prepared for the unpredictable. You can never be quite sure what’s going to happen tomorrow. Things can change very quickly: new issues can arise, or global events can happen. Whatever it is, you need to react quickly and have a plan in your pocket ready for execution.
Of course, you still need to have a strategic plan. But then, suddenly, the unexpected happens, like a significant incident, and you need to steer the wheel in a new direction. That’s when you go back to the drawing board to re-prioritize and re-strategize. This is what makes a CISO’s job so challenging, but also exciting and fascinating.
What do you think cybersecurity teams are battling with as a result of COVID-19?
COVID-19 is a textbook example of how a global event can turn businesses upside down—and, of course, the same is true for the cybersecurity department.
People suddenly started to work remotely. First, companies needed to make sure that they had everything ready to continue business as usual. Once that was done, security remained uncertain. As it happened in many other departments, the strategies, priorities, and workflows changed.
So how do you secure this new reality? In just a few days, most companies went from having a couple of physical locations to having as many locations as they did employees. That was an immense security challenge.
Remote work is a norm for many, as it has been for me for years, but there are also large populations to whom it is new. I’m happy to see how societies at large are adapting remote working capabilities, but I’m also a bit worried. In the office environment, you had a social network around you that you could use to reflect your challenges. Now, you might be more ‘alone’ when making quick decisions. This also applies to risks like phishing. You can’t assume that people know how to recognize attacks like phishing emails if you have not educated them and given them the proper tools that your team then backs up.
How will the recent events impact spending on cybersecurity?
I believe that cybersecurity leaders will continue to spend somewhat on their roadmaps, but at the same time, it is clear that everyone needs to think more about how to adapt those tools and practices that are cost-effective. I think that the current situation is teaching us to work remotely, which will become the new norm for many of us. We CISOs need to re-think our roadmaps to make sure that they are 100% supporting the ‘traveling worker’ concept in which the corporate network is just ‘one cloud’ that serves us.
As for what the most important tools are, teams are looking for technologies that will enable them to be more effective; areas such as automation, AI and ML, and threat detection continue to be something you must spend on. Now is the time to spend on must-haves that will make your life easier and, at the same time, help you fight your battles to reduce the risk.
How are cybersecurity teams tackling their human risk?
There’s a lot of buzz around phishing, simply because most attacks start with it. It’s just a part of the kill chain. Filters prevent 99.99% of the attacks from slipping into people’s inboxes, but 0.001% get through, and 0.001% in a large organization over a year’s time means thousands of bad messages. One email is enough for a successful attack. I have seen how one click on a wrong link or attachment turned into a disaster.
This is the reason why the ‘human firewall/IDS’ component of cybersecurity is so important. You can control the technology stack, and technology is quite difficult to penetrate. Attackers are totally aware of that, and penetration is a lot easier when they attack people with social engineering attacks. Visionary and innovative CISOs know that they need to focus on minimizing human risk, and they have been drafting strategies, plans, and have been on the lookout for the best solutions on the market. You can’t be there to advise every employee about their online hygiene, but what’s the second-best thing that you can do to minimize the chance of a mistake?
You need to count on your people to join you in protecting your company’s assets. How do you engage them? What’s the plan? What actions do you take and what tools do you use? On top of that, you need to be able to measure and justify that your approach is working.
I believe more and more CISOs will want to do right by their people and make awareness training interesting for them. It’s a win-win situation: you make people like the training, then they care and join you in your fight; as a plus, it can help you to improve the security team’s reputation in the company.
What does the future hold for security?
In short, the future of cybersecurity will more often be built on two core aspects:
- Understanding and including people around to fight against the ‘evil’
- Understanding what differentiates your company in the marketplace and how you can help the company stand out even more