We are thrilled to announce our next interview with Fred Streefland who is holding the position of Director Cybersecurity (EMEA) at Hikvision – an IoT solution provider with video as its core competency. We invite you to have a look at our previous interviews. In this interview, Fred revealed his story of how he arrived in the world of cyber security, shared his personal views on data breaches and cyber threats the small business owners face. Continue reading to see what other topics he touched upon. We promise it will be insightful.
1. How did you get yourself involved in the world of cyber security?
Actually, by accident. I started my working career in the Royal Netherlands Air Force (RLNAF) and after my graduation of the Military Academy, I served 16 years as an intelligence & security officer before, I was requested to join IBM as a public safety & security consultant. This happened in the year 2008, when IBM decided to send me to Israel for a course ‘ Big Data Analytics/Cybersecurity’. After this, I started to work within the IBM Software Group and focused myself on cybersecurity products. Although, security was always part of my job and different functions within the RNLAF, I am still grateful to IBM that they facilitated my interests into the cyber part of security. That’s where my cybersecurity started….
2. What motivates you to keep pushing ahead every day in the security field?
That’s very easy to answer. The security field is so diverse, complex, challenging and constantly changing that is not very hard to keep yourself motivated as a cybersecurity professional. I do believe that this security field is – by far – the most interesting field to work in.
3. What soft skills do you think are most important for cyber security professionals?
Great question. I think that several soft skills are essential for a security professional, with the communication skill as the most important one. It’s the security professional (CISO) that needs to communicate with the Board of Directors, the IT manager, the Legal Counsel, the Developers, the HR Director and all the other employees in the organization. To secure an organization, the security professional should be understood and supported by all of them. In order to get this support, the security professional needs excellent communication skills to inform all of them in their own ‘language’ (business language/IT language/Developer language, etc.) so they are aware of cybersecurity and act accordingly.
4. Could you please tell us what was the most important cyber security lesson you learned in 2020?
The most important security lesson learned that I experienced did not happen in 2020, but some years ago. As a CISO globally responsible for an organization, I implemented Zero Trust and I thought I had 100% visibility over my organizational IT infrastructure and I felt myself ‘in control’. Until the moment that the organization was breached by surprise (those things mostly happen ‘by surprise’), because the malicious hacker got access via a server in the network, of which the IT Manager and myself didn’t know it existed. Luckily, we had developed an incident response plan and tested this plan several times. Because of this, we could manage the breach very efficient and we could minimize the impact and limited the damage. Two lessons learned: 1) Never assume and 2) test your incident response plan!
5. What opportunities are you seeing most unfilled in cyber security, and any insight into why?
If I understand this question correctly, I think that organizations don’t use their digital transformation (‘move to the cloud’) good enough for cybersecurity as organizations should. Because the organization’s infrastructure needs to change, it’s a great opportunity to improve the cybersecurity from the start of the transformation, which is also called ‘Secure-by-Design’. For example, if an organization moves all of its data from an (old-fashioned) data center in the building to a public cloud like Azure, GCP or AWS, it has the opportunity to settle the security first before moving the data. The organization has the possibility to form a dedicated cloud security organization, to develop security processes and policies, and prepare the move of its data in the most secure way. This is an opportunity to ‘do cybersecurity good from the start’ instead of ‘fixing cybersecurity afterwards’
6. What are the TOP 3 things a new graduate in this field must be doing now to prepare for his/her job search in this field?
- Get to know a security professional with real experience and learn as much as possible from him/her.
- Understand software ( get to know how software works, how it’s developed and how it can abused).
- Build professional relationships with a CISO/CSO, a security engineer, a security architect, a SOC analyst, a software developer and as many other security professionals as possible.
7. What is the biggest or most common cyber threat a small business owner faces today?
Ransomware would have been the easy answer on this question, but I believe that the lack of cybersecurity awareness amongst these small business owners can still be seen as the largest threat. There are still too many business owners who think they are not interesting enough for cybercriminals…which is NOT true. Everybody is a target in today’s cyber world, so everybody should be aware and should protect themselves. Also small business owners.
8. Are data breaches unavoidable? If yes, is there a right and a wrong way to deal with them when they do occur?
No and Yes….strange answer, but that’s how I see this. In today’s digitalized world, everybody and everything is vulnerable and can be breached. However, it doesn’t have to happen. As an organization, you don’t have to accept this vulnerability and you can do everything to prevent this from happening by implementing the Zero Trust approach. I won’t explain Zero Trust in this interview, but in short; a Zero Trust approach needs commitment from the Board and must be implemented by a Board-supported CISO with a full mandate and therefore hardly any budget constraints. Zero Trust is a journey and might take some years to increase the cybersecurity of an organization, but it’s the only way – in my opinion – to prevent data breaches.
Unfortunately, most organizations won’t be able to avoid data breaches. Therefore a good incident response plan/policy and the testing of this plan are essential pre-requisites for a security professional that is responsible for the security of an organization (see also question 4).
9. What trends do you expect to see in cyber security in 2021?
In 2021, I expect not to see a decrease of cybersecurity incidents….unfortunately. On the contrary, I think that we’ll see an increase of cybersecurity incidents. One of the main reasons for this increase, is the use of Internet of Things (IoT) devices in combination with 5G. More and more IoT devices (e.g. edge computing) will be used in our daily life and will be connected to existing public and corporate networks. Since, it’s already very challenging for most security professionals to get a complete overview/ visibility on their traditional IT infrastructure, it will be even harder with hundreds/thousands of additional IoT devices connected to their infrastructure, which increase the threat landscape for the malicious hackers significantly.
Another trend which I expect to see is the integration and automation of cybersecurity itself. Security professionals will experience that it’s impossible to secure an organization with old-fashioned security point products, so I expect a move from a ‘best-of-breed’ to a more ‘best-of-suite’ cybersecurity approach. At the same time, Security Operating Centers cannot continue to grow in amount of SOC analysts, so an integration of security tools in combination with an automated SOAR is expected in the coming year(s).