In today’s interconnected world, the importance of cybersecurity expertise cannot be overstated. With cyber threats such as phishing, malware, and social engineering attacks growing in sophistication and frequency, organizations and individuals alike are increasingly reliant on cybersecurity professionals to safeguard their digital assets.
In this interview, we discuss these topics with Tino Sokic, an Information Security and Privacy professional who has been in IT waters for over fifteen years.
Tino, you are a cybersecurity expert with many certifications and experience in dealing with information security and threats. Can you highlight a certification and a certain experience in this field that you are most proud of?
The first thing I have to say about certifications is the fact that I was, and I am, very lucky that all my certifications are just a consequence of my hands-on experience. For example, and in regard to my most recent certifications, I started to conduct IT assessments where ISO 27002 controls were the framework used, and then I decided to attend and certify myself as an ISO 27001 Lead Implementer professional. From there, my “assessment” and “consulting” career took off. Regarding something that I am proud of, that is hard for me to say; I never thought about it in that context. But one of the cool things was how NATO, the Cooperative Cyber Defence Centre of Excellence, reached out asking me to instruct at their base just because they had seen my work on the other side of the planet: literally a course I created a few years back that was, and still is, relevant today. In a way, these things can happen. 🙂
Can you discuss a particularly challenging cybersecurity issue you’ve faced in your career and how you addressed it?
An evening call from a customer who was out of his mind about what had happened to his computer. After an email (of course), he clicked on the attachment and executed it, and all of his files became unavailable to him. Unfortunately, a successful ransomware attack had occurred. And the reason I am mentioning this is because of the way he reacted to the incident on an operational level. Just as he clicked, he knew something was not right! The silver lining in the whole thing was the security training we had had a few days before the incident. One of the ways to protect your system is to cut off any network connection from your computer: literally pull the network cable out of the computer, or turn off your Wi-Fi connection. This is how you potentially STOP the ransomware from spreading throughout your information system.
What are some common misconceptions about cybersecurity that you often encounter, and what is the way you handle them?
One of the biggest misconceptions I encounter on a “daily” basis is the fact that companies have a tendency to think that cybersecurity is the IT department’s job. “Protecting computers? We have IT to do that!” says a manager in xyz company. Well, the truth is always halfway from here, and that is why I “fight” with arguments saying that cybersecurity is everyone’s responsibility. Just like crossing the street: you look right and left, make a risk assessment, and go for it. The bad guys need to achieve their goal only once, and you have to be able to protect yourself every time.
What is your perception of the role of CEOs and managers when it comes to cyber security and data protection of their businesses?
CEOs and managers set the tone for the company’s culture, and this includes attitudes towards cybersecurity. If the leadership views cyber hygiene as important, this attitude will trickle down through the company, influencing policies and employee behavior, simple as that. Everything comes down to Risk Management and ROSI (Return on Security Investment), and people inside an organization are the most valued and most risky asset, if we are speaking with our risk management glasses on. We can also be meticulous and chase the rabbit hole even further with compliance and regulatory/legal responsibility, where there are various laws and regulations that require businesses to protect customer and employee information. CEOs and managers must ensure their companies comply with these regulations to avoid legal consequences.
Can you list the most common cyber threats in a business environment? What would be your advice for the prevention of cyber-attacks, and if one does occur, what steps should employees take?
This one is easy 🙂 Educate – Test – Educate – Repeat… Cybersecurity is a living organism, and it has to be taken with care, just like anything surrounding us.
Can you share your thoughts on the importance of creating a culture of cybersecurity awareness for employees within a business strategy, and why perpetual training is so important?
Yes, the key in this question is “perpetual”. People are often considered the weakest link in the security chain. By fostering a culture of awareness, employees can become the first line of defense, able to recognize and respond to security threats effectively. The easiest way to resolve risk is by removing the activity that is the cause of the risk in the first place, but that is not the way we can treat risk, especially when we are talking about real people using real technology and doing real business. In essence, the goal is to create a vigilant workforce that can contribute to the security posture of the organization rather than being its weakest link.
‘Cybersecurity for Modern Businesses: A Comprehensive Approach to Human Defense’ will be delivered by Tino Sokic on March 27th, 2024, from 10:00 am to 1:00 pm (GMT+1:00).