In just a few days, the second edition of Cybersecurity Week will roll out in Luxembourg. Over the course of one week, Luxembourg will host 20 events that address sensitive subjects in cybersecurity against the backdrop of how companies use and store their data. The initiative is organized and coordinated by the team at SECURITYMADEIN.LU, headed by Pascal Steichen. To better understand what’s at stake in this series of events, we met with some members of the team in their offices at C3, the new cybersecurity skills center inaugurated just one year ago in Luxembourg.
(Featured Image: Pascal Steichen, CEO of SECURITYMADEIN.LU / Image Credit © Silicon Luxembourg / Marion Dessard)
What is your role, or rather the role of SECURITYMADEIN.LU, in orchestrating this event?
We have two simultaneous roles: coordinator and organizer. Under the Cybersecurity Week label, we bring together the different major actors in Luxembourgish cybersecurity during one week of activities aimed at raising awareness and communicating the important information. Under that rather large umbrella, we hope to unite the ecosystem, coordinate the best possible diffusion of treated subjects, and communicate about the event and its importance all across Luxembourg and beyond its borders into the larger area. We have a critical role in trying to maintain cohesion across the different events. We also hope to be as inclusive as possible and offer a maximal amount of visibility to our partners and co-organizers. To be clear: neutrality and inclusion are the two big buzzwords for this enormous week!
This will be the second edition of the Cybersecurity Week, but the 14th edition of your lighthouse program Hack.lu. Can you tell us a little more about the latter?
Historically, Hack.lu has been our annual event. It has been and is still open to an alert and international public—a mix of researchers, technicians, and experts in cybersecurity. Cybersecurity Week was set up around this event and provides international visibility to the 20 local events. It’s an excellent opportunity to be able to raise awareness in a large audience.
So it truly is a question of raising awareness. Can you give us an idea of the layout of the locations for cybersecurity activity in Luxembourg?
There are several big subjects that take up most of our efforts. THE topic in the news right now concerns the question of protection of private life and data following the new General Data Protection Regulation (GDPR) put in place this year at the European scale. In all truth, it’s a really polarizing subject that does a whole lot to motivate and sensitize people on questions of cybersecurity.
Another hot topic is that which concerns a threat or attack of a “ransom” nature, sometimes called ransomware. We are observing more and more waves of phishing tactics that use emails and searches to exploit human weak points rather than digital weak points. Criminals are using this strategy more and more, as its efficacy is well known and hasn’t slowed down yet.
Sensitization, training and companies’ parallel efforts to build up their skills are topics that worry us a lot, and we are taking them very seriously. With that in the background, last year we decided to open the center for skills in cybersecurity, C3—Cybersecurity Competence Center—during the first edition of Cybersecurity Week.
What tools are you putting in place to help prepare for these threats?
Our teams intervene at the beginning and the end of the process. In the beginning, the goal is to sensitize companies to the diverse possible threats, obviously with the ulterior motive to make cybersecurity a serious point of concern for any enterprise. We propose several coinciding services dedicated to SMEs in order to help them get going at the beginning of the process. At the end, the goal is to simply verify that all procedures have been properly taken.
We are in a certain sense the firemen of the internet! We put out wildfires that have the ability to show up at any moment. What’s more, we are just as capable of analyzing infected computers as coordinating an international preventative measure. In fact, we are a part of an unofficial international network; that is, a network working outside of governmental jurisdiction. So we can very quickly exchange with counterparts about technical subjects and best practices for any given situation.
In numerical terms, how many threats and attacks do you come across each year?
In Luxembourg, we see anywhere between 1000 and 1500 cases per year in which we have to intervene. Of course, it all depends on the methods and techniques employed. In 2017, one fourth of the threats concerned the financial sector, another quarter concerned the industrial sector, a fourth concerned public institutions and the last quarter, individual citizens. In 2018, we are seeing more, and most peculiarly an increase in attacks on private individuals. The financial sector is still a steady target for cybercriminals. We shouldn’t think that these attacks are strictly local. They are in all evidence global efforts. Every single person is concerned. What’s even crazier is that there are successive waves and no longer unique occasions. With the digitalization of companies, the proliferation of connected objects, and other digital movements, the multitude of vulnerable targets is becoming more spread out.
The topic of cyber assurance is becoming more and more trendy. Can you specify what it’s all about?
Cyber assurance has been up and coming more recently in Europe. Quite simply, it’s a type of insurance in which companies, government agencies, NGOs and public institutions can subscribe in order to protect themselves in the event of cyberattacks. We are convinced that these newly developed offers from insurance providers will make the cybersecurity market a little less “wild west” and a little more organized. Insurance providers are henceforth taking charge of a part of the risk and ask in return that companies secure their activities, putting in place good preventative measures. It is thus a mechanism that we see with particular favor, as it will regulate the market and permit the reinforcement and accompaniment of regulations such as GDPR.
Speaking of GDPR, have you seen any changes following its implementation last Spring?
In a general sense, the new regulations have produced a sensitivity in the population and in companies, as well as pushed them to protect their private lives. At the same time, GDPR has also been wildly abused and taken out of context by people and organizations that know, in reality, very little about the topic.
Today, SMEs are still a little afraid of the overwhelming legal nuances and do not know how to deal with them in both action and theory. It is our role to sensitize them. Now that the buzz about GDPR has passed, we need to fix the many problems left in its aftermath. Not all of its pieces are sound. In our view, it is necessary to be conscientious that at the European regulatory level, it’s not over. On the contrary, we are only at the beginning. Everyone needs to prepare for what’s to come.
Do you think that many foreign companies choose Luxembourg because of its favorable cybersecurity environment?
Cybersecurity probably isn’t the first factor when a company decides to set up in Luxembourg. It’s more of an unexpected bonus. The ICT sector is becoming more and more important in the Luxembourgish economy, and in just a few years the government took action to develop a good reputation in the field in order to attract more companies. Cybersecurity in itself remains a niche sector in Luxembourg, but this is not yet known at the international level. It is for this reason that organizing Cybersecurity Week may help us build up our visibility on the continent and beyond. Those who participate will also serve as kinds of unofficial ambassadors to get the word around.
How would you describe the relationship between startups and companies in the cybersecurity sector?
To my knowledge, startups do not yet offer any miraculous solutions to companies. Instead they propose, in most cases, very specific services for very specific problems.
On our side at C3, we try to establish ourselves to help startups position themselves for all solutions related to security. The goal is that startups become as mature as possible in order to respond to these problems and that they show up on the market with the best possible ideas. We give them pragmatic, factual, and neutral tests to analyze their solutions. Today, we facilitate the necessary steps for startups to do their due diligence—for example, when an investor wants to take capital in a startup, or a company wishing to collaborate with a startup—and to identify emerging technologies. During Cybersecurity Week, we will announce the launch of some activity on these topics!
In terms of innovation, what are the emerging technologies?
For the moment, cyber assurance is really at the head of the group. Startups also propose a lot of services that apply to the blockchain, artificial intelligence or even deep learning. Above all else, it’s a situation in which innovations are linked to behavioral analysis of users or systems created in order to identify potential bugs. Our biggest challenge today in protecting a company’s network is simply knowing the standard level of security in order to find anomalies and react in time. A number of startups are positioning themselves to tackle this problem but are often still doing so manually. We can already do this type of analysis, as we have the necessary indicators and skills to find the problems, but we need a lot of data to do so quickly.
At SECURITYMADEIN.LU, we are positioning ourselves to better treat the exchange of information, as we do not analyze the same data in Luxembourg, Singapore, and Hong Kong. We have to refocus our efforts again so they’re more in line with international exchange with other competent organizations in each country. The MISP platform, for example, allows each organization to analyze incidents and then put those indicators in the database so that others can use them to detect local threats. This is what we call “track intelligence sharing.” Here again, there are startups looking towards this kind of cooperation and offering services in big data and deep learning technology.
Let’s talk now about human resources and skills. What will tomorrow’s jobs look like?
By the end of 2019 or 2020, Europe will lack almost 300,000 specialists in cybersecurity. Training, whether initial or continual, or even evaluation of skills, are really hot topics right now. It’s almost cruel how much we need specialists in the field. In Luxembourg, we don’t feel it as harshly because the job market is doing well, but this is not the case in some of our neighbors’ markets.
Today, every SME or structure of a certain size needs a Mister or Missus “Security!” We need testers, analysts, trainers, and more. We are already seeing the arrival of specific specialized curricula; for example, there’s the master’s in management of Information Security at the University of Luxembourg.
The position of CISO (Chief Information Security Officer) is in very high demand right now. It is similar to the role of a Risk Manager, who, in addition to having managerial skills, must also have technical, legal, and communication skills. A CISO is a real jack of all trades!
Cybersecurity Week is starting in a few days. Why should our readers participate?
There will be 20 events, and we will tackle every hot topic in today’s cybersecurity sector. We set up the week in a simple way: one theme per day. Themes include Threats & Vulnerability, Governance & Risk, Research & Innovation, Privacy & IoT, and of course Hackathon Day. There will be several sector-specific events dedicated to particular markets, such as finance and startups. In sum, there will be a good mix, and that will create an atmosphere capable of demonstrating the diversity of the Luxembourgish ecosystem!