
Chairman of the Advisory Board of the Centre for Cybersecurity, World Economic Forum
I have had the pleasure of spending considerable time lately being on calls with hundreds of CISOs arranged by some of our biggest partners, who have scrambled to arrange such calls to find common solutions to mitigate the present situation. And the situation is that we have moved around 1 billion global staff from offices to homes and from having physical meetings to conducting anything from meetings, sales, training, education to planning and coordination online via video calls. Overnight, this huge change took place and we moved a relatively unprepared workforce to work via unprepared tech based on unprepared policies and procedures. Surprisingly, this has been done impressively well at first glance, but probably because organised criminal networks were taken by the same surprise as the rest of the World. But they will adapt quickly and implement new TTP to exploit the new situation.
Bigger companies were used to having up to 20% staff working remotely or from home and their challenge is to scale and implement already existing policies and tools to all and deliver training and awareness to the 80%. Smaller and medium-sized companies might not have had many working remotely or from home and are struggling with the basics like access management, passwords, 2FA, VPN and working on ‘home’ equipment with low security. All companies share the need to learn how to secure and lead staff working completely remotely and establish a working routine in that area.
Instead of working alone or in silos struggling with solving the same challenges, we should work together to find the ultimate best practice in how to work securely from home and distribute it with a view to companies’ size and sector. Not one size fits all.
I also think we are reaching the red line in acceptance of cybercrime committed by huge cybercriminal networks without any risk due to the lack of trust between law enforcement in the US, Russia, EU, China and elsewhere. We have seen an unacceptable uptick in, e.g., ransomware attacks and, with the dependency on our digital infrastructure, I foresee a surge in DDoS attacks as well. We should try to establish a global law enforcement Task Force supported by global security companies to identify and bring these groups to justice. Sooner rather than later.
Lastly, we need to come together to create norms for state-sponsored activity on the Internet. It’s the Wild West and no rules or ‘gentlemen’s agreement’ exist anymore due to geopolitical tension. It must be possible to create a sort of Digital Geneva Convention outlining what kind of activity is banned even during cyberwar - but at least during ‘peacetime’.
I do not think we will just go back to the good old days when we have dealt with the Pandemic. We will continue to work more remotely, to conduct education, training, sales, meetings, conferences etc. online. The Digital Transformation was all over us in a speedy way - but Covid-19 added steroids to that transformation. The demand, need and speed for new tools to do business, run countries and educate people have increased dramatically and availability and convenience seem to be more important than security, privacy and integrity. But ‘trust’ will be the new competitive differentiator in the time to come and that’s why a new type of CISO is needed. This function will become more important and cover a wider area and coordinate everything relevant to security, privacy, integrity and trust. That’s much more than a technical role and will require future experts with a wider educational background obtained through learning or previous functions and the ability to ‘build-in’ security, privacy, integrity by design and default in any type of business or public service.
We have established a number of work streams and projects with our partners to focus on precisely that. We are working on creating a global architecture and system for coordinating efforts to reduce the attack surface and enhance global online resilience.
We have divided our work into 3 lines:
In each work line, we have dedicated partners from governments, business or academia to help drive more specialised projects to support the overall goal. We have projects on Aviation Security, Security for Grids, Cybersecurity consortium for Financial Services and incentivizing secure and responsible innovation.
The advantage of the way the World Economic Forum works is its independence and neutrality and, not least, that we bring together all relevant stakeholders to the table. Not just Governments. Not just big Companies or just Academia or civil society. No, we bring all to the table. We need the information from the companies, the legislative ‘muscles’ from the governments and the knowledge from academia and civil society to develop long lasting solutions with real impact. It’s not easy - but as President Kennedy said in his speech in 1962 when announcing to land on the Moon: We chose to do this, not because they are easy, but because they are hard.
I am convinced that humanity also will survive the Internet, despite that if I listen to the ‘security’ hype I should be in doubt. I am a true optimist and believe that the Digital Transformation will lead to good innovation and reduce pollution, cure cancer and dementia, ease life for most and enlighten all of us. As security professionals, we should not ‘sell fear’ but protect hope. Protect the good development and make sure it is secure to use and offers the right level of privacy and data protection. Cybersecurity is an investment, not a cost, and the outcome is trust. And in these distrustful times, trust is more important than ever. We should, as a society, not be directed by fear but by facts and these facts need to have proper integrity.
On my darker days, I sometimes consider unplugging and exchanging my iPhone for an old Nokia 8310 - but I know that is not a viable option. The World will move on and we are entering a new era in which everything is connected, everything is sensing, everything is stored and everything is used by AI. In that reality, it is more important than ever that we keep focus, that the ‘good guys’ stay together, that we share because we care and we keep our moral compass on track. And I sense this goal is shared amongst the majority of colleagues in the cybersecurity community and that gives me hope and faith in the future.
I think it was by coincidence, actually. I have always been a ‘gadget freak’ and bought an Amstrad CPC 464 in 1986 and started a bit of coding. I never became a shark in coding but liked the media and kept on investing in new tools and got a 9.6 modem and linked up. Later in my professional career, I founded the first and national cybersecurity entity in the Danish police and grew that. Later, I saw cyber through the lenses of my job as head of operations in the Danish Security Intelligence service and then I got really hooked. I planned and was chosen to become the first Director of the newly established EU-wide agency - The European Cybercrime Centre (EC3) - and since then I have done nothing but cybersecurity and privacy protection. I have never regretted that choice and find the job to be one of the most rewarding and interesting in the World by which you serve the community, do the right things, for the right reasons, and deliver trust. I also very much like the community, which is rather small actually and, in many ways, we have created a global ‘band of brothers/sisters’ that knows each other and helps each other. With the huge development of the Internet, this will change, but, so far, it’s the case. And that makes me feel confident for the future.
© 2020 Farsight Security. All Rights Reserved.