What are the biggest challenges facing CISOs for NRENs today, and how do these vary in different countries? Croatia’s Vlado Pribolšan and Denmark’s Henrik Larsen share their insights and experiences from different parts of Europe.
Henrik Larsen is the Head of Security, Trust and Identity Services at DeiC (Danish e-infrastructure Cooperation), which supports Danish universities and research institutions. His role straddles DKCERT, the 31-year-old Danish academic CSIRT, and WAYF, a single sign-on system for selected web-based services. Henrik is a well-known spokesperson for cyber security issues in the Danish media.
Vlado Pribolšan is Information Security Advisor for CARNET (Croatian Academic and Research Network), a private network for Croatia’s academic, scientific and research community. Established in 1991, CARNET’s services have branched far beyond universities and research institutes. They also support primary and secondary schools, plus many public institutions including several ministries and hospitals.
What are the biggest challenges facing NREN CISOs today?
Vlado and Henrik identify several key challenges, covering technical, strategic, and operational concerns:
Increasingly complex services and systems
Vlado: “The biggest challenge is the growing number of services, and the growing complexity of systems and organisations. We have to follow this complexity and maintain security at a certain level. We are always rolling out new services, for both new and existing constituents. And updating services to meet new security requirements.
“We try to overcome these challenges by expanding our team. And by engaging people in other departments to become more aware of the importance of security.”
Henrik: “The growing complexity of services and systems is a challenge for us too. I think that goes for every country.”
More sophisticated cyber attacks
Henrik: “One big challenge we see is more sophisticated cyber attacks on universities. In Denmark, we’ve experienced some large or more sophisticated attacks. As universities are our main constituents, this is obviously an important challenge for us.
“In some countries – Germany, for instance – we have also seen more attacks on research into high performance computing.”
Changing national strategy requirements
Henrik: “In Denmark, we are reorganising how we deal with cyber security. A new national strategy arrived last year, and now each sector has to create its own strategy. And that’s a lot of stressful work, forming that strategy together with the universities to find an adjusted role for us in that landscape.
“Fortunately, the universities are more aware of security these days and more invested in it. But resources are a big challenge. I try to address this issue at every appropriate occasion.”
Vlado: “I’m the deputy of CARNET’s representative in the Croatian National Cyber Security Council. We are currently updating our national cyber security strategy in line with a new NIS2 and other directives. After that I think we will have more obligations, and the job will just extend, not decrease.”
Recruiting and retaining cyber security staff
Vlado: “Besides the technology, the people are the most important factor in this job. But there are just not enough people in the market for this kind of role. Because of that, we focus on students and try to engage them as soon as possible, and this is a good approach.
“But also, the salaries we offer as a public institution cannot compete with those of commercial companies. So some people move to security companies within Croatia, and some people leave Croatia for better salaries abroad.”
Henrik: “It’s a general problem. In Denmark, most security professionals stay in the country but go to better-paying sectors. We need to define our role in the career path of cyber security professionals.
“Competition for good candidates is large, because information security and cyber security skills are very much in demand everywhere. So that’s a challenge for society as a whole, to make the cake larger in terms of educating new cyber security people.”
Managing expectations and communicating clearly
Vlado: “The problem with security is sometimes you increase the security of a specific service, but nothing changes for the users. You have to invest money and effort, but the service still seems the same as before. Sometimes it will even be less easy to use than before. For example, to make a service more secure, users may have to go through two steps of authentication to log in, instead of one.
“So you have to explain why this is required when it doesn’t seem like a visible improvement.”
Henrik: “You have to be a diplomat and a good communicator. You have to be able to explain why these things are necessary, and why someone should change their behaviour, and so on.”
What are your biggest lessons learned?
Vlado: “Cyber security is an ever-changing area – a very big and rapidly changing area. It’s not like when you work in a museum and you have several years to analyse an artefact. In this role, every morning when you check your email there is lots of new information.
“And that’s a challenge, because you have to decide how to allocate your time and your resources. You have to prioritise. And that isn’t always easy.”
Henrik: “I actually started my career more than 40 years ago in a museum, and I fully agree! The only constant we have is change. You can’t predict cyber incidents. I don’t have a crystal ball.
“And what you learn is that because you can’t foresee what’s coming, you have to be ready to adapt at very, very short notice, all of the time.”
What do you enjoy most about being a CISO?
Henrik: “What I like best about my job is my team. I also like the international cooperation. I enjoy going to TF-CSIRT meetings and FIRST conferences, talking to interesting people, getting friends all over Europe and around the globe.
“Having a somewhat extrovert role in Danish cyber security, I also regularly meet people from outside our sector, and that’s interesting and enjoyable. I’m proud of being recognised as a cyber security expert, even more outside the universities than within them!
“The thing I’m most proud of internally is that we’ve been able to build up new services. For instance, our GDPR/DPO service which has helped both smaller organisations and larger universities, and is in demand.”
Vlado: “The international security community is really excellent. I’m happy we can now meet again in person.
“I look back on projects I worked on 20-25 years ago, and now I can see their impact and I’m proud of them. At the time I was working on them I wasn’t always fully aware of their importance. On a daily basis, you’re busy so you don’t have time to evaluate properly. So you need some time to pass by.”
What does it take to be a good NREN CISO?
Vlado: “Besides the default technical knowledge, the most important thing is passion for that work. And also patience – with your users and your environment.
“This is a complicated job, not easy but very interesting. And with an excellent community.”
Henrik: “It’s also important to be able to talk to different groups – management, technicians, end users – in a language they can understand, to explain elements of security and the situation you’re in at a specific moment.
“To anyone wanting to become a CISO of an NREN, I say, go for it. You’ll get a very interesting job with many different aspects to it, and good contact with very skilled people. Be open-minded and see where you can make an impact.”
What are the biggest security challenges facing NREN CISOs over the next 10 years?
Henrik: “Keeping up the arms race between the attackers and us as NRENs. We have a tradition in the academic sector of being very open and allowing a lot of funny things to happen because someone wants to try something out.
“But with the growing interest from both cyber criminals and state-sponsored actors wanting to drive espionage against universities and attack us, we have to change our attitude as NRENs. Unfortunately, we have to be more closed, I think. And we have to invest a lot more in security. Because it’s not a peaceful world out there.
“And in DeiC, it is a challenge to explain this to technicians and management.”
Vlado: “Agreed. Universities and research institutes have become more and more a target, because of the data they have. And it is the nature of universities to always be open. So it’s not easy to bring these two things together, to protect from the threat while preserving that open nature.
“And also, keeping pace with both ever-changing threats and the ever-expanding complexity of organisations and services.”
About the interviewees
Henrik Larsen is the Head of Security, Trust and Identity Services (DKCERT and WAYF) at DeiC, Denmark. As well as leading on delivering security and identity services for NREN members, Henrik also focuses on internal compliance work, including ISO certification, and leads DKCERT’s DPO service. He is a director of the Council for Digital Security in Denmark and a member of the National Cyber Security Council.
Vlado Pribolšan is Information Security Advisor for CARNET, Croatia’s Academic and Research Network. He focuses on ensuring effective delivery of services to CARNET’s constituents, which include universities, research institutions, primary and secondary schools, certain ministries, hospitals, and more.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022