12 Apr 22
IT Security: The role of cybersecurity in a modern company.
We talked to Nikola Dinic, Chief Information Security Officer of CONVOTIS, about the role of cybersecurity in a modern company.
Dear Nikola – we are very pleased to have an expert like you at CONVOTIS as CISO. To begin with, we would like to introduce you to our readers.
Hi, my name is Nikola Dinic. After my Bachelor studies (Business Administration) at the Vienna University of Economics and Business Administration and specialization in Management Information Systems, my way led me to Ireland and Norway for exchange semesters. I completed my Master’s degree in International Management and I wrote my Master’s thesis on “Cloud Computing”.
My career started shortly after graduation at Big4 companies in Vienna, where I spent 7 years as a manager supporting mainly international but also domestic clients in the areas of IT compliance, cyber security and IT governance. The last year I spent in Zurich at the oldest and most renowned Swiss life insurance company, where I worked mainly in IT Risk Assurance as well as IT Security at group level.
Music is one of my main hobbies; I try to rehearse with my band as often as possible. As a former soccer player, I also do a lot of sports.
In our newsletters we constantly focus on the topic of security. Let’s start by talking about the role of cybersecurity in a modern company.
Cybersecurity has come a long way in modern companies from an exclusively technical or supporting role to a holistic, integrative and multidimensional discipline that is now an enabler but also a critical building block of business objectives.
The massive dissemination of Internet services and the associated digitization or automation of content and marketing processes have contributed to this in particular. This exponential and lightning-fast growth in the complexity and volume of processes, as well as of the supporting technologies, has become the norm nowadays and will keep cybersecurity specialists, but also C-suites worldwide, busy in the coming years.
What are the most important elements that must be included in a holistic cybersecurity approach?
In addition to the classic approach and the division of cybersecurity activities into Governance, Risk & Compliance (GRC) and Incident Response, in my opinion the holistic approach and continuously reviewed resilience have proven to be indispensable in recent years. This applies not only at the level of the now powerful security tools, but above all to the integration of cybersecurity into all relevant business processes as well as product sourcing/lifecycle, regardless of the industry, existing infrastructure or process maturity. Another aspect that seems to be more important than ever is the human factor: the best security strategies and sets of rules often fail due to fundamental gaps in employee awareness, which in turn have led to some of the biggest breaches in recent years.
The unfortunate truth is likewise that many organizations are likely to continue to face increasing threats this year, but also in the years to come, as cybercriminals become more creative and sophisticated. The only way to combat these threats is to meet them with equal creativity, sophistication and, most importantly, resilience. This is often branded as “resilience by design,” however the underlying concept is critical – organizations must be proactive rather than reactive to meet cyber threats. This primarily involves anticipating disruptions with a comprehensive understanding of current and emerging risks, simplifying cybersecurity processes, preparing specific response actions for relevant attack scenarios, and not neglecting lessons learned after each critical event or attack attempt.
However, a holistic cybersecurity approach is also based on the concept of “Security by Design” – which is offered very successfully in the future CONVOTIS portfolio and perceived as such by customers. The underlying idea involves the integration of key security tactics/paths and solutions to enforce the necessary requirements for authentication, authorization, confidentiality, data integrity, privacy, accountability, availability, security and non-repudiation (even if the system is attacked), starting at the system design/development phase.