Interview: Erka Koivunen, CISO, F-Secure

In the recent keynote presentation at the Gartner Security and Risk Summit in London, Gartner analysts talked of the need for automation to be at the center of security and risk management, and explored how it can enable access to a wide spectrum of capabilities.

In Infosecurity Magazine's own research, AI and automation was cited by 18% of respondents as a current trend, and by 36% as a future trend, with one CISO saying that automation is “huge” and we are “currently only scratching the surface of its possibilities.”

So how can a CISO and security practitioner efficiently adopt this sort of technology, and make it work effectively? Infosecurity met with Erka Koivunen, CISO of F-Secure, and discussed the ongoing trend of automation. He said that, in his mind, AI and machine learning are not the automation he is interested in, in terms of security operations. 

He explained that in his view “they are useful tools” which are trying to solve problems “for which we don’t have a clear rule base.” However, in terms of catching malicious or suspicious user activity, this can work as well as people “in a new circumstance.”

He added that “we cannot hire enough people” for this technology.

“As we are a digital company, much of our security is digital security, and so that boils down to our ability to run our networks in a secure fashion,” he said.

“That doesn’t mean it has to be bulletproof all of the time, but automation – heavy use of scripting and orchestration – gives us predictability, so we know whatever happens there is a response.”

Is there a benefit of automation and machines over humans? Koivunen said that a manual mode of defense and response “depends on the availability of that sys admin or devops operative” and can be impacted by the mood they are in, the skillset that they have and the chances of getting things wrong, as opposed to “when a script goes loose, we can fix it and trace it back.”

He said that the benefit of automation is that if a task needs to be repeated, the script doesn’t get tired, the machine is predictable and “if I want to know if it is stable and behaving in a similar fashion, I can check change logs of the scripts.” With a person, if something went wrong, you need to interview lots of people, “some of whom don’t work for us anymore.”

Concluding this point, Koivunen said that he “wholeheartedly agrees with the notion of automating and orchestrating” as that way there can be a distributed operational workforce, who can review plans and post action logs remotely.

Koivunen joined F-Secure in 2015, and was appointed CISO in 2017, and formerly worked in telecoms and spent 10 years working for the for Finnish government’s national CERT. This led to a conversation on breach response, and in particular how a company like F-Secure could deal with the fallout of what we see on such a regular basis.

He acknowledged that this is “a major concern, as we know we are targeted and there are powers lurking out to get us, and we could argue that much of our business is running on a heightened risk scale.” However, F-Secure has infosec specialists and “ordinary people working for us,” and Koivunen admitted that “not everybody is capable of recognizing a situation where they are able to defend themselves.”

This doesn’t make defense and response any easier, and he admitted that “if and when something happens, we will be under the spotlight by our customers, partners, government and the media and the general public, and they will want to see us fail miserably or expect us to act like the professionals that we are.”

He said that while you can have procedures in place to respond, each and every incident is going to be different, so there is a deep sense of unpredictability and uncertainty “and that comes with the job description.”

He added: “Professionally, I have to come to accept the fact that for whatever challenges I have, I cannot blame others, users, budget or technology for failing us. If I give into these excuses I will not be doing my job. If we get hacked, no explanation is good enough, so not only do we need to understand that something might happen, maliciously or by accident, but we need to be effective, professional and fast enough in our response and we need to learn from our mistakes.”

What’s Hot on Infosecurity Magazine?