A conversation with Mikko Avikainen
MIKKO AVIKAINEN – CYBERSECURITY, OPERATIONAL RISK & PAYMENTS EXPERT
Tell us a little about yourself:
I am a Cyber Security and Operational Risk specialist with a background in Data Networks and Telco. I have worked in this business for 15+ years across multiple sectors and regions. I am Finnish and grew up in Eastern Finland with a degree in engineering from Jyväskylä University of Applied Sciences. I live in Phuket where I have been based for the past 10+ years. I love it here and in my free time, I work in the diving industry. As well as Finnish, Swedish, English and German, I speak Thai, which I’m trying to use while working locally in Thailand. I have been working anywhere between Indonesia and Brazil.
How would you describe what you do for a living?
I have been working with many areas of IT and telecommunications. I used to work in a Network Operations Center at the beginning of my career, advanced to WAN support and deployment for global customers and used to manage access backbone networks when Metro Ethernet was the up-and-coming technology. While working for a vendor I started to specialize in security as a solution architect and security consultant. After that, the financial sector got my focus in the form of PCI DSS and later SWIFT CSP. My speciality is ISO 27001, PCI DSS and SWIFT CSP gap assessments and remediation and security testing. In some cases, I have been embedded in the client organization to lead the technical implementation of controls with remarkable results as I enjoy working with diverse kinds of people and learn from every experience.
Why cybersecurity?
Working as a systems tester (bug hunter and fixer) for a vendor I started to realize the importance of software security as part of the entire security landscape. While companies were setting up firewalls and IDS/IPS systems and focusing on the appliances, a single bad input was enough to compromise a system. All the fancy controls and monitoring were defeated by a few bytes of malicious code. Hmm... maybe a step back to get the bigger picture was in order.
Cybersecurity offers lots of challenges and opportunities. This varies from IT/Cybersecurity strategy to writing custom shell code or penetration testing. The opportunities to learn something new are endless. Just when you think you have caught up with everything, there’s something new. You get to learn new techniques and sometimes even develop your own tools which guarantee that no two days are the same.
How has the pandemic affected your work and how have you compensated for it?
Naturally, the pandemic brought several challenges to the table, as to pretty much everyone else’s. Performing on-site assessments and testing was a no go for the better part of the year 2020 and working with African clients in the past few years became difficult. During the lockdown, I used my time to practise my penetration testing skills with Hack-The-Box which was the best way to weather the lockdown for several weeks. While some assessment work is now allowed to be performed remotely, the organizations not used to remote work are still scrambling to get things done a year into the pandemic. Focusing on the local market has been the major shift for me as the options to travel globally have been reduced by the pandemic. Working for the Asian market is refreshing after several years of focus on other regions.
What are the key items in Cyber Security?
Cybersecurity is not just about technical controls and gadgets. They do provide the tools for the organization, but the main ingredient is the people using those tools. If the security architect or officers don’t know what they are doing or the software developer doesn’t implement security at the code level, those gadgets are just expensive paperweights. Similarly, if a single employee clicks a phishing email, that might compromise the perimeter of the organization. The same goes for implementation and maintenance of mission critical systems. These are typically not viewed critically from the security point of view as they sit behind the firewalls and intrusion detection.
Having a proper strategy and culture of security is critical for any organization. While cybersecurity supports business, it can also enable more efficient ways of working while meeting the controls to reduce the risk. Automated processes and authentication using biometrics may increase productivity and, in my opinion, if security interrupts business, then it needs to be redesigned.
Focusing on your capability to respond to incidents and including cybersecurity awareness in the training curriculum will save you the cost of getting hacked and having your data stolen or manipulated eventually.
What advice would you give a bank’s CTO?
If you view cybersecurity as something that costs money because of mandatory compliance requirements, then you have been presented the entire idea in the wrong way. While regulatory compliance is unavoidable in the cybersecurity world, it is not the goal by any means. If your governance framework, processes and controls relating to your business goals are implemented in the right way, you will meet your compliance targets automatically, whilst reducing risk and making your business processes more resilient.