World Health Organization CISO suggests a holistic approach to cybersecurity

Flavio Aggio, CISO at the World Health Organization, has had a challenging year. Since the onset of the COVID-19 pandemic, the WHO has become a significant target for cybercriminals, and cyber attacks against the organization have skyrocketed.

He recently spoke at Cyber Week 2021 in Tel Aviv, and in this interview with Help Net Security, Aggio talks about the modern threat landscape and offers tips for organizations that want to increase their security posture.

Prior to joining WHO, you were the CTO of the City and County of San Francisco. How did your previous work experiences help you in your current CISO role?

Prior to joining the World Health Organization, I was the CTO at the City and County of San Francisco, where I developed technology solutions to modernize and protect the city. Before that, I held technical leadership positions in Enterprise Architecture, Project Management, Telecommunications, and IT operations with Unisys, ASML, Dow Chemical, and Rohm & Haas.

These experiences confirmed cybersecurity is an ever evolving, changing, and challenging field, and they helped me to understand how people, process, and technology are the key factors in digital transformations and risk management. Cybersecurity must be part of every solution from development to operations.

Since the start of the COVID-19 pandemic, the WHO has become a big target for cybercriminals. How has your team adapted to a significant increase in cyber attacks? Are related organizations looking at you for guidance?

Since the start of the COVID-19 pandemic, WHO has seen a dramatic increase in the number and complexity of cyberattacks directed at its staff, and email scams targeting the public at large. My team has worked with the private sector to establish more robust cybersecurity systems and to strengthen security measures and to educate staff on cybersecurity risks.

Cybersecurity collaboration with related organizations increased dramatically due to the increase in the number and complexity of cyberattacks. There is a lot of guidance exchanged by helping organizations to be more prepared.

One example of guidance received by WHO is the implementation of DMARC (Domain-based Message Authentication, Reporting and Conformance) to reduce the number of email impersonations. After the implementation of DMARC, my team is giving the same DMARC guidance to other organizations. Another example of guidance given by my team is the monthly phishing exercise method adopted at WHO.

Pandemic-related phishing attacks and disinformation campaigns continue to create trouble. What advice would you give to organizations considering security awareness programs, but are unsure about what they need?

Phishing attacks have been widely used by cybercriminals as basic doors to organizations. Attackers can easily manipulate people into clicking links or open files. By having a cybersecurity awareness campaign with constant phishing exercises, any organization can prepare themselves to deal with this type of attack as any preventive technology can be bypassed eventually. Having email phishing prevention technology is a must, but it is not sufficient to stop phishing attacks. A cybersecurity awareness campaign is essential.

When you look at the threat landscape in general, what are you most worried about? How do you expect current threats to evolve? What will, most likely, be a massive problem a few years down the line? How can CISOs prepare for the unknown?

I am most worried about organizations only relying on technology to be cyber safe. Cybercriminals will always find ways to trick people to bypass technologies and processes implemented by organizations. It is essential for organizations to adopt a holistic approach by including people, process, and technology in their cybersecurity programs.

By relying only on technology and digital transformation efforts, organizations will not understand cyber risks well, and may be impacted by AI, supply chain, and other types of cyberattacks.

CISOs must initiate the zero-trust principles in their organizations, so any solutions must always be able to never trust any user or device until they are properly authenticated. Identity is the new perimeter.

Security leaders must make multi-factor authentication mandatory and have additional identity verification measures to ensure only approved devices can access the organization systems.