Gabriela Gorzycka is the Global Head of Endpoint Threat Management at Atos.
In her role, she is mostly focused on strategy and management of delivery of cybersecurity services to over 150 customers out of numerous locations worldwide.
Her main areas of focus are endpoint protection and data protection services, among others Endpoint Detection and Response, Encryption and Data Loss Prevention. She has been a member of Atos’ Experts community, focusing her research and expertise on IoT and OT security.
She also has a strong process background (ITIL V3 Expert) and holds ISO certifications in Service Management (ISO 20000) and ISO 27001.
How do you articulate the three-pronged approach of ‘people, processes and technology’?
All three mentioned aspects are inevitably bound together and as such I see them as three pillars of a successful organization. Technology by itself acts as the enabler of the business, but it should not exist in separation from processes and people. As a person who’s been working with processes for years, I am always proclaiming their importance within the organization. Processes are the backbone of the company, the additional dimension on top of technology that makes it run within agreed frameworks and brings order to how the organization functions.
Obviously, the challenge is to properly design and apply processes within the organization, including security-related processes and procedures. Otherwise, instead of being real support to how the business is done, they would be considered by the employees as additional bureaucracy and burden and abandoned whenever possible.
Last but not least, people – users, customers, employees – should be at the center of this trio, perceived both as recipients and orchestrators of technology and processes that lie behind.
How important is it to have the CEO thinking that security matters?
I’ve been working with companies from various industries for years and I understand well their struggle to build a comprehensive IT security strategy with limited budget. As cybersecurity is not directly related to profit and revenue, but at the same time brings considerable costs to the organization, some CEOs will always put limitations on funding the cybersecurity measures within their companies. But this strategy will sooner or later have an incremental effect and can lead the whole company to a disaster.
I have seen how lack of focus on security may materialize when I was helping some companies that initially did not apply appropriate security measures, mostly due to limited funding for that purpose, but later faced a severe ransomware attack and needed to build their IT environment and services from scratch. The point is, sometimes only in the face of such a tremendous disaster to company operations do CEOs start to understand how important it is to have our business secured.
Once the intellectual property, data and knowledge are lost and production is brought to a standstill, the negative financial impact is usually bigger than all the investments in cybersecurity that were considered too costly. So, if I needed to face a discussion with a CEO who is reluctant towards giving additional funds to cybersecurity, I would ask him or her if the company can really afford to go into such a scenario – stopping the business or losing critical data.
In an information technology environment where personnel are taking on increasingly complex responsibilities, what do you think is the role of the cyber security awareness program?
In all companies, irrespective of their profile and industry, cybersecurity awareness programs and training are absolutely essential. As the saying goes, “the chain is only as strong as its weakest link” and the sad truth is that by the weakest link we often mean the people in the organization. Of course, not all of the damage done internally is caused by bad will, but more often by ignorance and lack of knowledge that an employee’s behavior may expose the business to real threats.
For example, phishing comes back in more and more intelligent forms that need to be read carefully and therefore get harder to recognize by ever-busy corporate employees. Employee education can and will really bring added value in eliminating potential threats or data leakage that can result in a company losing reputation and income.
Some aspects of user education can be delivered through dedicated training, others embedded within cybersecurity services, like data loss prevention where the user gets a notification whenever he or she tries to make unauthorized use of data.
Threats are everywhere and always changing. How can we address this difficult reality?
I see it like a never-ending arms race. On one hand, we face new threats every day and need to constantly improve our capabilities in order not to be compromised; on the other hand, the maturity of cybersecurity services and products is also improving all the time. A couple of years ago the main connotation with cybersecurity was a basic, signature-based antivirus.
Currently the portfolio of cybersecurity products is very broad, covering different environments: endpoints, perimeter, cloud, IoT/OT. Different potential vectors of attack from inside and outside can now be recognized by using AI and machine learning. Thus, I would say that we are armed pretty well to protect ourselves from various kinds of threats, but this requires the organization to adopt a comprehensive approach on many levels and to constantly keep an eye on new solutions that are able to address new types of threats. Only multi-layered cybersecurity services will be able to secure a company irrespective of the attack vector.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
The bigger the company is, the harder it is to make people inside the organization talk to each other. But security should not be considered as separated from infrastructure, business and processes, it needs to be cross-divisional and acknowledged in the organization also in terms of setting strategy. For example, security representatives should participate in meetings related to introducing new products or services.
In this way they will be able to 1. assess how to adapt the cybersecurity-related processes and products currently used to secure the business, 2. advise on if and how cybersecurity adjustments will require changes in the environment, what additional budget is needed and if the timeline will be affected in any way, and 3. highlight any possible risks in the area of security that the change in business may bring.
If this is not done at this stage, it may result later in delays and crossing the budget as well as an overall bad picture of cybersecurity as a “showstopper”, not a supporter.
What is the best way to foster an image of information security being there to help support the business rather than just being about the raw technology? How might we address the perception of cyber security holding back the business?
I believe that I have already answered this question, but to summarize: we should raise awareness in the company, not only among executives, about possible threats from inside and outside and that bypassing security brings certain risks to the business.
In our private lives it’s natural for us that, when we build a new house, we equip the door with locks at least, not to mention alarms or monitoring. Why are we then surprised that we need to secure our business as well, especially as we are talking about a much higher net worth of the data that can be stolen, such as designs, models and other things related to intellectual property?
In order to raise this awareness, we should however use business language, not technical language: the examples can be revenue lost on stopped production, costs needed to build the IT environment from scratch or cost required to invest in public relations to regain a good image, or penalties to be paid for leaked data.
On the other hand, we can also show the positive aspects/possibilities that applying security measures may bring to the company, such as introducing BYOD with appropriate products or services to secure it, which may in total bring some cost reduction to the company. This is however a very individual aspect and requires in-depth knowledge of company values, strategy and limitations, which brings us back to the fact that security needs to talk to business on a regular basis and that people, processes and technology need to be perceived as inseparable pillars.
Henry Ford once said: “The only real security that a man can have in this world is a reserve of knowledge, experience and ability”. Bringing his words into a cybersecurity context, to develop a well-secured organization, we should focus on:
Knowledge – of the organization’s crucial data, processes, products and people, but also the weak points that require strengthening in the first place. It’s the same analogy as building a wall: we need to know what it protects, from whom, and to constantly search for its weak points. It’s also about the general awareness of risks and attack vectors.
Experience – organizations should rely on specialists for their security strategy; control the new technologies and services available on the market; talk to cybersecurity specialists; exchange knowledge and experience with the others; build a strong cybersecurity team or outsource the services to a renowned and certified third party.
Ability – to operate within agreed processes, including security ones; to align between business, technology and cybersecurity strategy; to find funding for cybersecurity; to build not necessarily complex, but multi-layered security that is comprehensive to all the aspects of the business; to constantly improve, learn and plan further improvements or enhancements.
Having all this in place, we may say an organization is better secured. But we cannot then rest on our laurels, because the technology is changing, the business is changing, the actors are also developing and improving their tools, skills, and knowledge. Being a part of this race may sometimes be tough, but for me it’s a real commitment and feeling of mission – especially when we find out we have experienced an attack attempt and managed to bring real support and protection to our customers.