CSO at RBI & Chairman at Austrian Cybersecurity Platform of the Austrian Government, Raiffeisen Bank International AG
i.CONECT IT called in Thomas Stubbings, CSO at RBI & Chairman at Austrian Cybersecurity Platform of the Austrian Government, to discuss promising enterprise cyber security concepts and associated service models. After graduating from the University of Technology in Vienna in 2000, Thomas Stubbings joined a major global consulting firm and took a lead in consulting financial institutions in matters of IT and security. In 2003 he joined Raiffeisen Zentralbank Austria AG, the top institute of one of Austrians key banks, as head of IT Security. Over the years he developed the security function into an integrated global corporate security function and was responsible as CSO for the governance of 15 network banks across the globe with more than 300 security professionals. Since 2015 Thomas Stubbings started his own consulting business but still acts as strategic consultant and Cyber security Commissioner for the board of Raiffeisenbank International AG.
Thomas Stubbings: New technologies like cloud computing, mobile devices and SaaS bring a lot more flexibility to companies. It is possible to access data, software and services from everywhere, all the time, with any device. This is a paradigm change and it will change the way we work in the future significantly. We will no longer organize our travel around the work, the work will travel with us. Secondly, the new service models offer significant saving potentials to companies, as you only have to pay what you really need, when you need it. The challenge here is, however, that a lot of due care needs to be put in defining the right service contracts and SLAs to avoid high follow-up costs, e.g. because it becomes difficult to move data between clouds or providers offer a cheap basis service but charge a lot of hidden additional costs for necessary adaptations later on (e.g. for interfacing between different providers or for supporting security requirements like encryption).
The downside or risk of the new technologies and service models on the other hand is the inherent security risks associated with them. By giving data into a cloud, you give away part of your control over the data. You have to trust the cloud provider that he has suitable security mechanisms in place and treats your data with the necessary care and privacy; there is also legal risk associated with that. Additionally mobile devices and services have a much larger threat exposure and even more technology needs to be invested to secure those accordingly.
As said above: more care needs to be taken to secure data and processes on mobile and cloud services and special care needs to be put into definition of service contracts and SLAs in order to avoid risks or high follow-up costs. This puts even more emphasis on a strong and effective security department within companies. Experts are needed who understand the risks associated with the new technologies and service models and are able to translate them into SLAs and security requirements. It is not enough to rely on standard clauses and assertions of providers, as the responsibility for the data and services outsourced always remains with the data owner.
To create service models that can satisfy cost, usability and security requirements at the same time. Especially challenging is the problem of diverse legal frameworks between data owners and service providers, which impact the security and privacy of data.
Significant. New technologies and service models will change the way business is done in the future and IoT is the logical next step towards complete interconnection of devices and services. In the future, we will be able to do virtually anything from everywhere. This puts huge requirements on suitable security concepts.
Interview partners: Nikolaos Kapetanis and Thomas Stubbings