European Security Forum: Data Security and the New Era of Zero Trust
“Data security: everyone’s business” and “The new era of Zero Trust” were the topics of the morning session of ICT Spring’s European Security Forum, which took place on September 15th. Local and international speakers discussed the latest trends in the cybersecurity field.
Sheila Becker, Vice President, Women Cyber Force, and Desirée Alegre, Secretary General, Women Cyber Force, were the masters of ceremonies of the European Security Forum.
The first speaker, Pascal Steichen, CEO, SECURITYMADEINLU, took the stage to welcome the participants, saying that cybersecurity, which used to be “a cryptic topic” for many, has become the “main topic of many companies, states and even individuals worldwide”. It is a trend that has only grown stronger with the pandemic.
Steichen was followed by François Thill, Cybersecurity Director, Luxembourg Ministry of the Economy, who gave an introductory talk about cybersecurity as a community and called for a mutualization of security solutions at the European scale to lower costs: “We need high quality and affordable cybersecurity solutions that can profit to all companies, not only to the wealthy economy.” Regretting the lack of women in the sector, Thill wants cybersecurity to reach priority level on managers’ agendas to achieve a culture of cybersecurity governance.
It was then time to move fully into the European Security Forum’s programme with the first theme: “Data security: everyone’s business”.
“EU Security & Cybersecurity Union Strategy” was the title of the presentation delivered by Despina Spanou (photo), Head of Cabinet for European Commission Vice President Margaritis Schinas & Founding member of Women4Cyber. “Cybersecurity Strategy is not something that stands alone anymore, it is an integrated part of Security Strategy in the broad sense of the term”, stated Spanou. Cybersecurity issues are no longer considered purely national issues by member states, which have understood that they must be addressed at an international level. For instance, the creation of a Joint Cyber Unit by June 2023 will help states facing threats at a European scale. “We need something to counteract in case of attacks. We have a major skills shortage in the area of cybersecurity and no state can do it by itself. We need to pool resources to create a European force.”
After Despina Spanou, Alexander Hanff, Co-founder & CEO, Think Privacy, brought “A message from the future…” for the audience. His speech was above all the story of a disillusionment with what the internet has become, from a utopian place of democratization, for sharing knowledge, to an area of “commoditization, manipulation and surveillance” run by psychographic profiling and algorithms.
If we live in an algorithmic world, “everything we do is manipulated, choices we make are not actually choices.” That is why Hanff has argued for many years against seeing privacy and cybersecurity as “a hurdle to innovation and tech development”. On the contrary, privacy is essential to innovation because without it, you don’t have autonomy, self-determination and freedom of thought. “We can’t think outside the box, we can’t innovate, we become static, stagnant.”
“Why Cybersecurity is everyone's business in an organization?” was the question asked by André Meyer, Security Practice Lead Luxembourg, Accenture, in a round table which brought together Barbara Daroca, Head of Corporate Services, ING, Niccolo Polli (virtually), CEO, HSBC Luxembourg, Nasir Zubairi, CEO, the LHoFT, Debora Plein, Coordination BEE SECURE, Ministère de l’Éducation nationale, de l’Enfance et de la Jeunesse (Luxembourg), and André Adelsbach, VP – Group Information & Cyber Security, SES.
A first observation: threats are constantly evolving, as pointed out by Niccolo Polli, from hacking to get access to the bank’s system beyond its firewall, to social engineering to obtain staff passwords. Now, with Covid and massive digitalization, cybercrime is going after the customers themselves.
André Meyer followed: “We, humans, are the first line of defence.” Cybersecurity goes beyond the core security functions, noted André Adelsbach. “It’s a team effort” and everyone around agreed on that. So, you need “training and awareness”, Barbara Daroca added. According to all participants, there is a balance to find between usability and security, a middle ground between neglect and extreme paranoia.
Another shared concern is the lack of talent in the cybersecurity field. For Nasir Zubairi, “we need to build a framework where banks can access high quality of cybersecurity prevention and it is going to be external.”
Frédéric Becker, Project Manager, Luxembourg Ministry of the Economy, then took the stage for a “Luxembourg Trade & Investment Offices session: connecting with startuppers worldwide”, with Adi Hod, CEO, Velotix, Chad Duffy, Director of Cloud Engineering and Global Marketing, CyCraft, and Steven Hsu, Product Marketing Director, TXOne Networks.
“Luxembourg Trade & Investment Offices are spread all over the world with two main goals: helping Luxembourg entrepreneurs abroad and connecting foreign entrepreneurs with the Grand Duchy”, said Frédéric Becker. He then introduced three start-ups.
Live from Taipei, Steven Hsu, Product Marketing Director, presented TXOne Networks, a company offering cybersecurity solutions that protect industrial control systems and ensure their reliability and safety against cyberattacks.
Also live from Taipei, Chad Duffy, Director of Cloud Engineering and Global Marketing, made a pitch about CyCraft, an AI company that forges cybersecurity resilience through autonomous systems and human-AI collaboration.
“New frontiers in data privacy” was the name of the next presentation given by David Dab, National Technology Officer for Belgium and Luxembourg, Microsoft.
First of all, “data is a strategic asset holding huge value and must be protected”, said Dab. Some people use the oil metaphor. The mental model we have in mind for data protection is the fortress, with walls, controls and guards. But “unfortunately, locking data is suboptimal. Because the value of data is in its usage.” That leads to a challenge: protecting data while being able to use it.
In order to do that, you need a risk-based approach and a richer vocabulary to discuss objectives and risks, and you need to consider multiple boundary models. “There is a tension between different objectives in data protection: availability, security, compliance and confidentiality”, Dab stated. For confidentiality, a new boundary model has emerged: confidential computing, which closes the encryption triptych (data at rest, data in transit, data in use).
“The new era of Zero Trust” was the topic of the second session of the European Security Forum, which started with Christophe Ruppert, Business Continuity Management - Practice Lead, EBRC, and José F. Correia, Chief Administration Officer, CISO, Business Continuity Manager, i-Hub.
They highlighted the way EBRC, a European reliance centre in the management and protection of sensitive information, and i-Hub, the first centralized KYC repository for ongoing due diligence in Europe, collaborated and how to step out of the Zero Trust Zone. They set up a cyber-resilient framework based on standards, especially ISO 22301, the latest standard in place for business continuity management. EBRC has been assisting several organisations in implementing Business Continuity Plans, up to the ISO 22301 certification for some of these. “ISO22301 tends to position a Risk based approach perspective in identifying the major threats you want to protect from”, Ruppert explained. In order to do so, you have to be aware of the other pillars which support your company: IT service management, Quality management, Information security management, Supply Chain management.
Pascal Rogiest, Chief European Institutions Officer, RHEA Group, and Managing Director of RHEA System Luxembourg S.A., then gave an overview of “The Critical Role of Cybersecurity in Space Applications & Programmes”.
Rogiest first noted that there is “strong convergence between the space sector and the cybersecurity sector”. As the space field becomes more and more attractive and valuable, threats are emerging. The structure of the sector has also increased its weaknesses, shifting from big infrastructures and big investments to an end-to-end approach where IT is the key. Threats target many components of the space system, especially the communication links.
Tomas Martinkenas, Director of Privacy and Security, Vinted, then joined the forum virtually from Lithuania for a CISO Talk.
To manage and secure the data of its users, Vinted takes care that its infrastructure is secure and efficient and makes sure to be at the forefront of innovation. “We tried to educate our teams and our members to see privacy and security as human rights”, stated Martinkenas. Even though there is a global shortage of talent in the cybersecurity field, Vinted is able to attract the top talents in Europe because of its mission, its culture and its technical challenges. Inside the company, Vinted integrates privacy and security awareness as part of its employees’ personal development. The company also relies on machine learning and AI to process millions of operations per day, a scale that humans cannot match.
The morning session ended with Stefan Umit Uygur, CEO, 4Securitas, who pitched his business model. 4Securitas is an innovative cyber security firm founded in 2017 focused on protecting critical data at the core of every organisation. The company develops and commercialises ACSIA (Automated Cyber Security Intelligence Application) software, based on Open Source technology and affordable to large companies and SMEs alike. ACSIA is of particular interest to companies in heavily regulated industries such as banking, FinTech, utility and energy sectors as well as government bodies. “The current technology tends to focus on the reactive aspects of a cyberattack when it’s too late to intervene. With 4Securitas, we focus as well on proactive cyberdefence based on information gathering and reconnaissance.”
Article by Nicolas Klein (photo Dominique Gaul)