Andreas Schneider, Field CISO at Lacework: “It sounds simpler than it is but culture, basics and detection are the keys to successful cybersecurity”

We all want jobs we love to do, and for Andreas Schneider, Field CISO at Lacework, that dream has surely come true. A fan of strategy “round-based” games from an early age, he views the constant cybersecurity fight in the same light, albeit with more at stake than a game of chess.

A 20+ year career has seen Andreas take on several senior CISO positions in Switzerland, where he established the security teams at the Swiss Broadcasting Corporation and the European Broadcast Union.

But, as Andreas is keen to point out, it’s not about having one team focused on security but making it central to your company’s culture. “The root cause of many cybersecurity incidents we see today… is usually related to weak basic hygiene or human errors that all trace back to a lack of cybersecurity-aware culture,” he said.

The bad news? Culture alone can’t fight the attackers, who are already wielding AI to create deepfakes and other weapons to great effect. And Andreas fears most organisations don’t have a deep enough pool of expertise to keep that at bay through traditional means. The good news: there are ways to fight back, and this time we can use AI to help us. What’s more, some of the measures we can take are as simple as they are effective.

Read on to discover what those measures are. And remember, cybersecurity is not a game.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

My name is Andy Schneider, I live in beautiful Zurich, I am married, a father of two sons, and I am Field CISO EMEA of Lacework. In the early 2000s, I began my professional journey as a Mainframe System Programmer. However, my fascination and unexpected interest in cybersecurity led me to pursue this field. It was never part of my career plan, but when I reflect on my childhood, I realise my love for strategic games like chess, Risk and round-based games may have played a role. Cybersecurity reminds me of those games.

I started with core banking systems security and helped roll out the first security standards (before ISO27001 was created). I then moved over to a tiny security startup and subsequently worked in an outsourcing business as a customer security officer and security consultant.

My journey eventually took me to multiple CISO positions in Switzerland, where I established the security teams at the Swiss Broadcasting Corporation and the European Broadcast Union. Following that, I spearheaded several DevSecOps and Cloud Security projects at TX Group, the biggest private media enterprise in Switzerland.

At TX Group I always tried to implement the latest and best technologies available on the market, which led me to implement Lacework. I was very impressed by the innovative approach to detection and the underlying platform. About one and a half years ago, I was drawn to the opportunity to join Lacework and become a member of a team of highly intelligent individuals. In my role, I am able to assist and motivate our clients and CISOs worldwide as they navigate their cloud security path. I also collate customer feedback for our product organisation, influencing which features are built and shaping the future of our company.

What do you think are the best approaches to combating deepfakes?

With the upcoming elections in the US, UK, and Ukraine, and sports events like the European Football Championship and the Olympic Games, combined with GenAI becoming more powerful and easy to use, there’s already a flood of deepfakes on almost all social media platforms. Deepfakes are also used by advanced threat actors for fraud (e.g. the CFO fraud case in Hong Kong, where a finance employee transferred $25.6 million after a video call with the company’s “faked” CFO).

We see that content moderators still try to validate images or videos on platforms like X but for humans, it has almost become impossible to differentiate between fake and real content. For businesses that usually do not have any content moderators, there’s no real protection against advanced deepfake attacks.

I believe that there is a way forward. A combination of new innovative defensive technologies that can detect deepfake videos, voices and pictures – and a new healthy scepticism for digital content will help fight deepfakes. We might also need to adjust established controls like the four-eye principle.

It’s comparable to phishing and scams via email. We’ve trained employees for decades to be careful, looking for suspicious indicators, and we deployed technology to detect those emails. Deepfakes are levelling up this game, and we have to keep up with the technology, processes and training of our employees.

What are the biggest cybersecurity challenges those in leadership roles are facing?

Implementing a successful cybersecurity strategy relies mostly on the company’s culture. Culture starts at the top and is lived by all. The board of directors requires a sense and expertise in cybersecurity-related matters, be it a dedicated board member or an advisor to the board. The executive management needs to be held accountable for cybersecurity, and this then drills down to every employee who is part of the cybersecurity perimeter.

Without that culture, cybersecurity is always faced with competing business priorities that will get more attention than cybersecurity. With business and technology growth, the needed cybersecurity growth will always stay forgotten and measures will only be implemented by external forces, not by understanding the necessity.

The root cause of many cybersecurity incidents we see today, including the ever-increasing amount of ransomware attacks, is usually related to weak basic hygiene or human errors that all trace back to a lack of cybersecurity-aware culture.

This is the true challenge for cybersecurity, and this requires a modern type of cybersecurity leader (not an officer) who can articulate on all levels but also explain in business terms new regulatory requirements like the upcoming NIS2 and DORA or the SEC cybersecurity regulation that will force companies to take care of cybersecurity at the top.

Next to culture and cybersecurity leadership, the lack of talent is concerning. The estimated growth for the cloud market in 2024 is expected to be more than 20%. This will drive demand for cloud security professionals who are already rare in the job market. This lack of talent will require companies to use new technologies with fewer people. Our approaches from decades ago will not work in a fast-paced cloud world with a permanent talent shortage. I believe only platforms that are powered by machine learning and AI, like Lacework, will allow companies to solve this issue.

Which cybersecurity best practices are being adopted with the most success by companies?

It sounds simpler than it is, but for me, culture, basics and detection are the keys to successful cybersecurity.

There are simple measures that can be very effective and raise the bar in cybersecurity. Having visibility, basic measures like MFA, enforcing encryption by default, checking for unsafe configurations, and continuously patching are a good start. But those measures are only effective if you have a security-aware culture in place. So everything starts with culture, and this is hard to implement. You have to live and breathe it.

From my personal experience, embedding cybersecurity into the company’s culture is essential to creating sustainable cybersecurity. That’s where CISOs should spend most time. From a technical perspective, having basics is a start, but I would always try to focus on effective detection, specifically anomaly detection and machine learning. An attacker just needs to find one flaw, whereas you as a defender need to fix all of them. This unfair battle can’t be won. By closing the big and obvious flaws, you force an attacker to take more effort. This improves the likelihood of detecting and responding effectively to any attempts made by the attackers.

What role do you think governments play when it comes to cybersecurity?

The increasing amount of large-scale incidents and also the dramatic impact on the world economy show that the current model of self-responsibility has mostly failed. The estimated cost for the world’s GDP is around $8 trillion for 2023 and is estimated to be $9 trillion in 2024.

Cyber is also considered to be an essential part of hybrid warfare, as a weapon to take down critical infrastructures up to the influential impact of fake news on democracy. Every regulation is a compromise of different interests, but still new regulations like the cybersecurity ruling of the SEC, the upcoming NIS2, DORA, and CRA regulation in the European Union show the need for increasing the resilience of organisations.

Those regulations will raise the bar, but this won’t eliminate attacks. Companies that understand the need for protection will always do more and focus on “being secure” while their compliance with regulations is a result of this approach. These companies usually have a cybersecurity-aware culture and strong measures in place. Those who just follow being compliant will have gaps that haven’t been covered by regulations and those gaps will be the entry points for cyber attackers until new regulations try to tackle the identified gaps.

Governments will not be able to solve this issue, but they can enforce more cybersecurity expertise in boards and executive management and hold companies and individual executives accountable for negligence.

The new SEC ruling, NIS2 and DORA have strong requirements, including a recommendation to use innovative technologies and AI for anomaly detection. Time will show how those will be implemented by organisations and how non-compliance will be treated.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

Complexity, size, speed and attackers’ maturity have mostly changed. As an example: patching has been an issue for decades. A common approach in the on-prem environment was to patch regularly (to follow regulations), and this was normally around every second month. Every patch had to be tested, and you had to wait for maintenance windows to apply the patch and have roll-back procedures in place. Attackers on the other side tried to find unpatched environments, but the exposure of unpatched systems was very limited, and the security perimeter was mostly defined by firewalls and malware protection.

If we fast forward to today, patches – for log4j for example – are exploited even before the vulnerability is known. The environments have grown in the cloud, but also on-prem, and complexity has increased massively. DevOps results in more autonomy for distributed development teams. This requires a completely new approach to protect your company. Patching, network segmentation, malware protection and other measures are still needed, but without distributed security with a strong focus on applying modern detection technologies, even the basics will not help to avoid damage to organisations.

Attackers’ maturity has grown in parallel, and bypassing rules-based detection systems is a common step in the attack chain from criminals and nation-state actors. For defenders, this requires new detection approaches that embed into decentralised organisations, that are less prone to being bypassed and are able to detect new methods and patterns. I believe anomaly and behaviour-based detections driven by machine learning are the only way to achieve that goal in a fast-paced cloud world where attackers’ skills, infrastructure sizes and speed of development continue to grow.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.