“The CISO teams are mostly techies, but to manage Human Risk Reduction you need psychologist, pedagogist, communication specialists, big data specialists and more.”
Hi, Petri. Welcome to the Technology Interview Series. Please tell us about your journey in the technology industry.
I have always been intrigued by technology, maybe this had something to do with the fact that my father is an engineer and a problem solver. I learned to code in the 80´s together with my best friends when the challenges of Commodore 64 games were not enough for us.
Regardless of this, I became a Police officer despite an opportunity at the Biotechnical engineering school – odd world. It did not take a long time until I found myself as a computer crime investigator and participating in Interpol courses. There I helped companies with all sorts of early days eCrimes happening at the end of the 1990´s while also studying law at the University of Helsinki.
Prior to graduating, I was hunted to be one of the first IT-Security guys at Nokia eCommerce unit where I was responsible for the security of global Internet Services (applications and infrastructure). Long story short, after 8 years I had “traveled” from Security Specialist, to CISO, and then CSO and after a few years.
After the Nokia phone business was sold to Microsoft I had the pleasure to learn from the best of the industry.
Around the same time Mika Aalto, the CEO of Hoxhunt, approached me to see if I could help he and his co-founder and Pyry Avist, (soon to be the CTO of Hoxhunt) with ideating a start-up company with them.
It was a perfect opportunity for me to “offload” my frustrations and creative ideas about what did not work and how a perfect world could look like. Already then, we decided that the solution must be focused on changing human behavior and we said, it must be based on deep feeling of psychological safety, and it must be fun for the people.
You have led IT SecOps for so many organizations across different regions.
What has been the most challenging project that you led or participated in, in your career as CISO?
I think one of the most challenging projects was when the company was breached by a nation state attacker who wanted to steal the information. Without all the details, it starts from the difficult decisions if to immediately close all the “holes” he knows about and potentially signal to the other side that they should hide themselves deep underground and return to action only once the dust had settled.
Besides these sorts of deep “business security” questions and the intensity of such projects, communicating to the CxO / Board level continuously can feel overwhelming. This said, managing the huge number of details, making sure one makes correct decisions continuously and enables company to serve its customers, and pump revenue at the same time can be daunting. In short, capturing the feeling one has when managing such breaches in a short article like this is kind- of impossible.
Could you tell us about the major challenges that CISOs face in the post-COVID era?
I do not think COVID, itself, added much to the equation.
The underlying driver that continuously drives the difficulty is the digitalization of the world. It drives the importance of the CISO job day-by-day. Since most of the CISO teams are very technology driven it is a daunting job for many CISO´s to link to the businesses in a meaningful way. Though, without doing though they will not be successful CISO in the long run. It is one thing to try to grow yourself, but that is far from enough. You must be able to grow your teams with you. This said, you cannot forget your technology, processes, and people that are your bread and butter. In short, the job of CISOs is becoming very complex and not all company management teams understand that clearly.
What kind of problems do you usually solve for your internal stakeholders?
In my current position I mostly help young cyber security professionals to grow. I see the team around me as my force multiplier. I help them to understand the CISO world and its complex landscape to enable them and simplify it for their role as CISOs.
When it comes to the customer company, I try to help CISOs from my large base of experience. I help them to understand how to report to the board of directors, how to enable the large employee base to be Cyber assets, or just listen and help with anything they have on their tables that day.
Third-party data connectivity pipelines are prone to cloud security and IT networking threats. Could you tell us how you mitigate these risks and secure IT resources?
Wow, this is a large question – we could spend a day or write a book! Instead of that, let me tell an old Nokia story here. The company was large and dominant. Its “Supplier Requirements” document was at its best (read worst) 1100 pages long. It was a document that even Santa Claus could not fulfill on his best day. Security requirements covered about 50 pages of it.
We decided to categorize the suppliers (more then 11 000 of them) and then defined the top 5 security requirements for each category.
Then, these top 5 were trained to each of our business side supplier managers who started to follow-up with the implementation at their quarterly business reviews. Interestingly, the number of incidents started to drop.
We Learned: Strategy is not a list of what you could do, it is a list of things you decided to do regardless.
Most phishing attacks are expanding along social engineering. How do you see vulnerable organizations taking up cybersecurity training for their employees and customers more seriously?
This is an area which has been overlooked for a long time in the industry…
The CISO teams are mostly techies, but to manage Human Risk Reduction you need psychologist, pedagogist, communication specialists, big data specialists and more. The most successful customers, like AES who recently received the CSO50 award, have understood that they should work with companies whose services are based on psychological safety. They have also understood that it is not that an individual can be the weakest link (read “be human”), when their minds are pre-occupied on work. Instead, the company must focus on creating a “population” that reports the attacks quickly. Doing this requires constant positive encouragement that creates a strong feeling of success that translates into lasting behavior changes.
What role do Hoxhunt and its partnership ecosystem play in mitigating human risks across multiple locations?
We started with Phishing simulations which are individually tailored to each recipient per their skill and experience level. This has helped people become extremely good at spotting not only the simulations, but the real attacks that filtering technology passes through to the users. The fastest 5% of the users reports the real attacks to SOC in average somewhere between 55-61 seconds. This is extremely important to enable SOC teams to reduce the noise from the network right at the start.
As said, phishing was the first problem, but at the moment we are already testing how we can be as successful with other challenging human behaviors like using the consumer grade cloud services in context of sensitive work files. We have internally created a “MITRE like Human Risk Framework”, which we use to map our future “battles” on priority order.
What is the most fascinating aspect of working with data management and analytic technologies such as AI and automation tools?
Do you have an AI roadmap in place for managing Infosec and cyber security at Hoxhunt?
I think the most fascinating thing is the exact same thing as the most fascinating with my police work long ago. Now we can interrogate data to understand people. When we understand their behaviors, drivers, and reasons we will be able to help them. All the AI development we do will and must be linked to the question: “how can we help humans to reduce their behavior risks in a way where psychological safety is the foundation.”
Humans will remain humans, but with the help of AI they will be stronger together.
Lighter notes:
Burn the midnight candle or soak in the sun?
Soak in the Sun
Coffee, or Tea?
Coffee in the morning, Tea is good for the rest of the day!
Your favorite Hoxhunt offering that you want everyone to know about?
Our capability to use crowd-intelligence in spotting real attacks. Helping SOC´s to be successful.
First memorable experience in your career as a technology leader?
At Nokia I was asked: “what is the difference between SSL and VPN…the year was 2001”
One thing you remember about your employee (s):
Without exception, they all have had unique skills that has made our teams stronger.
Most useful app that you currently use:
Windy.app – great for a KiteSurfer 😊
Thank you, Petri! That was fun and we hope to see you back on CIO Influence soon.
[To participate in our interview series, please write to us at sghosh@martechseries.com]
With over 25 years of experience, Kuivala has worked at the forefront of cybersecurity. Most recently, he was Vice President of General IT and User Experience at NXP Semiconductors, a world leader in secure connectivity solutions for embedded applications.
Prior to this role, Kuivala was a long-time security executive at Nokia, serving as the company’s CISO and CSO throughout his tenure of more than a decade. At Nokia, he helped form a streamlined and co-operative security management structure among product security, IT-security, product safety and corporate security. Following this, Kuivala was Senior Director of Global Security at Microsoft.
Hoxhunt helps security leaders and employees join forces to prevent data breaches.
Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk.
