Meet the expert: Kristian Alsing to speak at PrivSec London

Live at Park Plaza, Riverbank in London on February 28 and March 1, PrivSec London gives global audiences the chance to learn more about Trust, Digital Transformation, Ethics, Data Protection, Privacy, Security and much more.

The event will also provide a unique opportunity for industry professionals to network with peers and develop business relationships.

With over two decades’ experience leading cyber resilience and security programmes for global names, Kristian’s work has taken him across an array of industries in both private and public sectors.

Kristian will appear exclusively at PrivSec London to discuss hybrid working, and how organisations can develop hybrid strategies in a way that promotes cyber resilience.

We caught up with Kristian for more on his career so far, and for an introduction to the themes on the table at his PrivSec London session.

Could you outline your professional journey to date?

I have spent the vast majority of my career securing big enterprises. Working across financial services, energy and resources, government, pharmaceuticals, shipping and many other industries.

I have spent 20 years driving cyber resilience and security programmes for the world’s biggest customers. Whereas I have spent a lot of time with clients shaping their security strategy, in many cases I have stayed with them to execute on cyber security capability roadmap and their roll out and operations.  

For eight years I focused mainly on identity and access management, but have spent a year in IT enterprise transformation in a large utility, dealing with a number of projects in business resilience and business continuity management. 

I have worked across cyber security strategy, controls and operations in energy, critical national infrastructure, insurance, banking, and financial market infrastructures.

How is hybrid working impacting cyber resilience?

Hybrid working has driven a lot of change for enterprises, that would normally spend years executing on similar projects. Examples are virtualisation of call centre operations, and enablement of much broader remote working capabilities. 

This dispersion of the enterprise, with increased workers on uncontrolled, private networks and more of the enterprise capabilities delivered through SaaS applications over the internet, has meant an increase in organisations’ attack surface, often times significantly so. 

Such organisations have oftentimes been underinvested in supplementary security controls to the basic perimeter defence, which is opening them up to attacks. As dependence has increased on identity and data level controls, resilience has fallen overall. 

Some organisations have managed to develop their controls, with for instance, stronger EDR capabilities and monitoring coverage, but many others have been unable to do this. Attackers have taken advantage of this change through social engineering campaigns to gain access and targeted attacks on capabilities such as VPN providers.

What challenges do organisations face as they push to keep data and systems secure in a hybrid working environment?

Organisations that have oftentimes struggled with basic controls are now forced down a defence-in-depth (or zero trust model) where they rely on no-one security control. That might detective, preventative or responsive or in the case of zero trust, a model where the controls are built around entities/users and data rather than an – increasingly irrelevant – concept of the perimeter. 

For some smaller organisations, the recent change to hybrid have open up their attack surface without tying together their defences to match, which has left them open to cyber-criminal attacks such as ransomware strikes. 

The challenges for some bigger organisations have been to move away from a compliance model of control (i.e. have answers to the auditors’ questions) to a more holistic, threat and risk based approach, (i.e. can we defend our whole environment from attacks and where this should fail; detect, respond and recover.) This is a major undertaking in a large complex enterprise.