Patrik Honegger has worked in the IT sector since the ’90s and has specialized in the IT security field since 2000. He joined Check Point in 2001. Since joining Check Point, he has been involved in the full array of the company’s solutions and customer sectors and maintains a deep technological understanding of products and customers’ needs. Patrik has successfully fulfilled roles as Security Engineer, Lead Consultant and Head of Security & Systems Engineering in Switzerland. He is a member of the Office of the CTO, and holds various technical certifications. Prior to his role at Check Point, Patrik had multiple technology expert roles in local and global companies.
In this interview, expert Patrik Honegger shares outstanding insights around how C-levels can elevate security, improve their understanding of risks, and look at the cloud anew. With 20 years of industry experience, Patrik shares a wealth of knowledge that can complement your implementation of a state-of-the-art security architecture for your business.
As a cyber security expert, what kinds of threats concern you the most?
Currently there is a clear concern around remote access vulnerabilities. Since the pandemic crisis began, customers had to adapt and invest quickly in their remote access abilities for their home office-based users. How to control, manage and secure this access is certainly one of the most discussed topics today. On the other hand, more general threats are still increasing; companies need to focus on zero-days, no matter which access paths are used.
How have recent cyber attacks changed your thinking about security (if at all)?
My own thinking did not change dramatically, as I have been confronted with similar concerns/attacks for more than two decades now. It is more a question of applying best practices and applying zero trust network access models. You constantly need to adapt your architecture to new technologies and communication methods. I’m a true believer in prevention-first approaches, even if it is not always customers’ initial thought. I also see that the security awareness in companies is critical nowadays. You need to make sure that your workforce is well educated and aware of general security threats.
What are the top 3 ways in which CISOs can level-up their security?
- By having a cyber security strategy and good open relationships with all stakeholders in their company.
- By implementing a cyber security program, including a clear and understandable communication about the cyber security program, which embraces security awareness.
- By having a good team of security experts who are able to measure the effectiveness of the implemented cyber security program.
How can organizations improve their understanding of their risks?
Using tools, processes and products with a central and consolidated approach could help to better and faster understand and detect risks. Security risk, at least from an IT perspective, should always include all stakeholders. It simply starts with accepting that there are high/medium/low risks and creating a culture that nourishes security rather than abstains from it.
How to achieve this?
- By having a proper IT Service Management (ITSM) implemented.
- By establishing a culture that embraces cyber security awareness on all levels in the organization, including accountability.
- Repeatedly testing IT environments, involving all stakeholders up to the C-Level, making the tests measurable and the outcome something to which someone can be held accountable.
- Never expect to be finished.
Specific recommendations for organizations that recently shifted to the cloud?
Moving to the cloud is much more than a technical transition to a new platform and should be part of an existing strategy. Are the drivers for the cloud shift clear enough? Was it done purely for political reasons, or mainly because of financial interests? What are the expected benefits? With an understanding of your cloud environment, relevant scope, and needed compliance landscape, you can begin prioritizing your compliance efforts and can create a high-level plan for your organization.
I would recommend at least a four-step approach for gaining visibility and therefore compliance in the cloud.
- The 1st step is to understand the environment (gain visibility). You cannot secure what you do not know or cannot see yet.
- Step 2: Select your appropriate compliance framework and scope it accordingly.
- Step 3: Assess and evaluate your initial results and plan further exclusion and remediation strategies.
- Step 4: Monitor your continuous compliance program and automate your remediation for active prevention.
Most important is a prevention-focused state of mind.
What else should CISOs take into account?
Well, think about the shadow IT. Think about having local kingdoms in the organization, which follow their own “simple and straightforward strategies” and security risks that arise from those shadow IT islands. Therefore, there are direct legal, financial and strategic implications around security risks from those kingdoms.
It is important to focus on the big picture (overall and consolidated) instead of single best-of-breed point solutions.
What are the best ways for CISOs to communicate about breaches to executives?
The best way would be in accordance with applicable and local regulations like GDPR or, in Switzerland specifically, the FADP, with a clear, pre-determined and understandable process.
Anything else?
Treat information security as a never-ending journey with a defined start and a constantly changing end or, alternatively, a delayed arrival.