Interview with Jeremy Tolet, Senior Operations Manager / Project Portfolio Manager at ISSP Georgia.
– Why Cyber Security? Please share how you have chosen this field? What drives and motivates you in cyber security?
– To make a long story short, I have been fond of technology since I was a child. I got a computer when I was very young and became interested in “how do video games work” as much as playing them. I wanted to be an “electronic computer engineer” and decided to apply for Master studies in IT, Informatics Systems and Robotics.
Like many Security People, I fell into Cyber Security thanks to a security incident. In 2008 a now quite famous former trader of Société Générale was convicted for forgery and unauthorized use of the bank’s computers, resulting in a loss of billions of euros. Following the incident, SG made it mandatory for each subsidiary to have a local Security Manager and implement security standards. Consequently, Bank Republic had to look for one too, and my technical background together with international project and standards experience easily convinced them to recruit me. That is how I became one of the first cyber security professionals in Georgia.
In the beginning, I just thought it would be for a couple of years, to explore a new business sector (banking) while using my technical skills and having a positive influence. However, I could not imagine how vast and fascinating the cyber security sphere is. You really have to understand the business, IT and the attacker’s ambition. It is a permanent process, so you never stop learning and evolving your competencies. It is a very innovative domain, full of very interesting and smart people.
– Story from France to Georgia, why Georgia. Did you have any proposals to work for some Cyber Security companies in Europe? Why have you chosen to work in Georgia?
– During my studies, I was spending most of my free time with foreign students, then all of my working experience on projects was international. I was traveling a lot but only on short missions. It became a bit annoying to only scratch the surface of a new culture and then leave… During my first visit to Georgia in May 2008, I met interesting people presenting to me a huge potential of development and difficulty to find experienced resources. I decided to take the challenge of “working abroad”.
Everyone in the world is trying to find Cyber Security resources, so after 2/3 years of experience in this field I started to receive regular job opportunities in Europe. When the Bank Republic was sold, many of my cyber security contacts asked if I would like to return to France or Europe and join them, but I rejected the idea because, as many security people will tell you, “it is not IF a security incident will happen but WHEN”. So far, there was no big cyber security incident in Georgia, but WHEN it will occur I want to be here and provide my support.
Moreover, cyber security has a lot of development ahead in Georgia, therefore it is more interesting to me to work here. This gives me an opportunity to use my expertise and share my experience. I want to raise cyber security awareness and make people and companies prepared once a cyber-attack happens.
– You have spent several years at the Bank Republic, based on your experience and with ongoing security breaches around the world how would you assess the Security of banking sector in Georgia in general, what are the main challenges and what are the principal threats for modern organizations?
– I can only judge the security maturity from my point of view. It widely depends on the bank itself, context, objectives, and priorities. For every bank, the subject of cyber security is individual and they are all concerned about security.
The number of cyberattacks and cybercrime for financial benefits will grow in the future. The bank that thinks more about cyber security will have a competitive advantage and bigger customer trust. I strongly suggest that banks fight cybercrime. Cyber criminals are very smart and educated; they unite and need to find just one weak spot to reach the goal. Cyber Security specialists need to know 100 times more and predict the actions of the criminals. It would be much easier if there were more people working together.
I can say from my own experience, we always needed some additional consulting and advice from other professionals. That is why I started working in a cyber security consulting and service company. There is a growing need for cyber security services with qualified and strong staff. It is hard for a bank to recruit such qualified cyber security professionals. As for me, it is much more interesting to work with many customers and see the whole picture. Nowadays, the banking sector is for sure a top target worldwide for international cyber criminals. They build more and more powerful weapons. The challenge for a bank is to be ready to cope with those while developing their services including new technologies and keeping customer-friendly applications. I recommend that banks follow the security trend so they are ready when, eventually, they are attacked.
– What are the CISO challenges today? Do top managers understand the importance of cyber security? Is it easy to communicate to directors, board members about cyber security issues?
– A CISO has many challenges. Some of them are technical, and they must set up tools and/or methods to help them detect an attack and mitigate its impact, but the number one challenge is generally to get support from top management. I think all top managers understand now that cybersecurity is a serious topic, but too many of them think it is just a simple technical problem. However, they do not realize that it is a complicated matter that unifies technology, process, and people. It is not robots/computers fighting on the web; “hackers” are people trying to make a profit via technologies, and the solution is not just a tool but a service (human with tool).
– Could you please tell us about the latest cyber-attacks in Georgia? What should we do to prevent future attacks? Please tell us about cyber-attacks on the Bank Republic.
– I cannot be very specific about such attacks since this is confidential information. I think what is more important is that at the Bank Republic I was lucky to have services from the internal CERT (Computer Security Response Team) of Société Générale, so when incidents occurred, those specialists were guiding me to take proper steps. Alone I would have spent much more time and maybe suffered consequent damage. It is much better and more effective to work as a team. Even the best professional in cyber security needs advice and assistance. The criminals work together as a group and are very smart; they have all the expertise they need. Therefore, it is better to work together with a team of cyber security professionals to make sure every detail is in focus.
– Banks have enhanced password-based authentication in online banking by adding additional layers such as tokens, but the recent introduction of biometrics speaks of a different strategy in the financial industry. Are banks looking for a solution to substitute traditional password-based authentication completely? What other cyber security technologies are banks implementing now? What will the bank look like in 5 years?
– I can say that password security is already obsolete, especially if entered with the physical keyboard. Banks are more or less digging into new security solutions but not really “promoting them” (most of the Georgian banks have been using security tokens for a long time).
There is a vicious circle: customers consider that banks shall take care of everything, and on the other hand banks think that customers do not like security procedures, and if an incident occurs then both sides lose. With the digital transformation, banks are slowly becoming online self-service companies (like Gmail, Amazon); they will offer some security options but it will be up to people to use them. Customers shall ask banks how they protect their money and what the options are for staying safe. “Security is everyone’s concern”: when you buy a new home, you check the door and quality of locks, you get an alarm system and/or an insurance… It is time to take the same measures for guaranteeing our own cyber security.
– As far as we know you were offered a job opportunity in the banking industry, why did you choose ISSP over that opportunity?
– It was a very tough decision because, after 8 years in the banking industry, I know the domain well and it is a very emulative environment for a security specialist, but I decided to handle security from a different angle. I wanted to extend my scope and challenge myself in another industry.
I started working in a cyber security consulting and service company, as it is more interesting for me to work with many cyberattack cases and different customers. I want to see as large a picture of cybercrime as possible and have more influence, to protect people and companies in Georgia, prevent damages and future cyberattacks. There is a growing need for cyber security companies with qualified and strong staff. While working at ISSP I can help more business sectors, including banks, and not just one.
In addition, as I said before, security is about human connection, and by choosing ISSP I join a network of more than 70 security specialists covering projects in more than 10 countries.
– Ransomware has been the hot topic for discussion during previous weeks. Why do you think it is so successful?
– Extortion and blackmail have existed forever; it is an expected evolution of crime into “cyber” crime. What has changed is the impact on our lives. In 2000, 17 years ago, the “ILOVEYOU” virus did much more technical damage than recent ransomware, but we were less concerned. Now we are much more dependent on our computers and mobile phones. A lot of people get so desperate that they pay the ransom. However, with such actions, they actually encourage the bad guys to continue their criminal activities.
– Advice for companies: what should they concentrate on while thinking about security? What do you suggest the executive management do to improve the overall security of their organizations?
– It could sound strange, but at first, a company shall assume that it has already been compromised. You see, criminals do not hack their target infrastructures in seconds as we see in the movies; the average attack lasts for months, sometimes more than a year. All this time, the company is not aware of these malicious actions and the attack is detected only in the latest stages, at the culmination.
Once a company realizes that it might be already compromised, it needs to get a serious security assessment of infrastructure and security processes. The best way is to involve third parties, as it should be an independent assessment. Once done, build an exact road map of what you need to achieve to become safer. Once it is achieved, regularly ask your security manager about the improvement progress (security is a continuous action).
– Finally what advice can you give to regular users to stay more secure in today’s cyber world?
– Get an antivirus for your computer and ensure that the operating system is patched, do not install applications that you do not trust, and always make a backup copy of your precious data on an external drive, DVD or online storage (don’t forget data on your smartphone).
For online services (email, e-banking, e-shopping) read the security recommendations and take steps according to your needs.
Most importantly, be cautious: if you receive a suspicious email containing a link, do not click on it!