In this Help Net Security interview, Aleksandar Stančin, Board Member Adriatics, Exclusive Networks, discusses the state of cybersecurity in the Adriatic region. He talks about how local markets often lag behind EU regulations, despite facing threats comparable to those in other parts of Europe. While adoption may be slower, progress is underway to strengthen cybersecurity across industries.
Since your role focuses on the Adriatic region, what unique security challenges do you see compared to other parts of Europe?
Traditionally, our local markets are lagging behind global trends and security concepts, especially those outside of the EU regulation zone (e.g. NIS2, CRA, GDPR, etc). However, threat and risk-wise, we are of course fully in sync with the other markets and interesting for the attackers, so to speak. The key challenge is that organizations still approach security issues on a post-mortem basis, meaning that once an incident occurs, steps are made to avoid such occurrences in the future.
We do see a shift to a more systematic approach tied to the governmental and banking sectors, but the SMEs are still struggling due to a lack of skills, budgets and associated understanding of the risks at hand. A good trend that is clearly visible is companies and organizations working more on resilience and investing in awareness about security risks and threats.
What are the most pressing cybersecurity concerns your clients bring to you, and how are those evolving across different sectors?
Two things are most common: help us understand legal regulatory obligations where applicable (EU countries) and how to achieve the best possible protection with a limited budget. The challenge at hand is, as everywhere, a lack of skills and know-how related to ICT security and related topics. As systems and regulatory requirements grow, so does the complexity.
If we understand that the majority of the local economies (excluding governmental spending) revolves around sub-250-employee companies, you can clearly see the main challenge – small and thus unspecialised IT teams dealing with business needs first, all else follows later on, security included.
What we do notice in the past several years is the trend to outsource security concerns to MSSPs and managed SOCs, which are on the rise in the region, and this is a good thing to improve the security posture. Outsourcing is helping companies to offset a lack of knowledge and skills. At the end of the day, you do not need to know how to wire your house for electricity, but you still have it and it works when you flip the switch. The same applies to security and the associated risks: involve the experts and focus on your core business.
You work with diverse clients, legacy systems, and vendor ecosystems. How do you ensure consistency and security across such fragmented environments?
More and more, the topic of automation and orchestration is being asked about, along with AI assistance with integration and interpreting the reports and logs. The challenge is to obtain (or retain) 360 degrees of visibility across all systems, no matter what or where they are, so a systematic approach and asset management is key for success.
A so-called single pane of glass or a security platform is in high demand to help aggregate data across on-prem and cloud systems and act upon it. Hence the rising interest and proliferation of MSSPs and MSOC providers, as single organizations cannot cope adequately with all of these requirements.
One aspect that brings huge improvements and benefits in reducing the local attack surfaces is migrating to the cloud and decommissioning legacy systems. However, this is a planned approach that does not happen overnight, so patience and project management skills are required, as well as budgets.
What is the current state of the cybersecurity talent pool in the Adriatic region, and how are you addressing recruitment and retention challenges?
It is a challenge, especially with skilled talent often going to the highest bidder in hindsight. In our case these are typically vendors and sometimes the ones we cooperate with, so it is kinda a bittersweet relationship on occasion. However, there are middle grounds we can typically meet on, providing there is a mutual interest (both intrinsic and extrinsic).
We also strive to find young talent, invest in education and training as well as sponsor development. We do have situations where highly skilled staff return to us after several years on the vendor side. Companies that do invest in and nurture their talents typically also manage to retain them. There is no single answer, it is an ongoing effort.
What’s changing about the CISO role in your region? Are you more involved in business strategy, board conversations, or public-private partnerships than before?
The importance of the role is becoming more visible and better understood. Board conversations are still the predominant task, to secure budget and an understanding of the associated risks related to security but also business continuity and reputation on the market. Most SME organizations, due to size and organizational restrictions, are keen to outsource this role, similar to managing their security systems and posture.
The regulatory push is moving things forward and bringing security onto everybody’s radar, thus also improving on the public-private partnership part as well. National regulatory institutions are interested in gathering and hearing opinions from the industry in an effort to meet requirements and not re-invent the proverbial wheel. Things may seem slow to the outside observer, but they are in motion.
