F-Secure’s CRO on Hackers, Hacktivists, and Extremists: An Interview with Mikko Hypponen

Related Expertise: Corporate Finance and Strategy

F-Secure’s CRO on Hackers, Hacktivists, and Extremists: An Interview with Mikko Hypponen

By Jens Kengelbach


Cybercriminals are more skilled than ever before. They can create a variety of threats to strike at any time, from seemingly anywhere. To safeguard IT networks, company leaders must understand who their prospective attackers are, what they want, and how they operate. To explore these and other issues, Mikko Hypponen, chief research officer at F-Secure, sat down with Jens Kengelbach, a BCG managing director and senior partner. Their conversation shines a light on how organizations can safeguard IT networks in a world of increasingly complex threats.

About Mikko Hypponen

Chief Research Officer, F-Secure

Mikko is a global security expert who has worked at F-Secure since 1991. He has written for the New York Times, Wired, and Scientific American, and he appears frequently on international TV. Mikko has also lectured at Stanford University, the University of Oxford, and the University of Cambridge. He has been on PCWorld’s list of the 50 most important people on the web, and he has been included in the FP Top 100 Global Thinkers list. Mikko is on the advisory boards of t2 infosec conference and Safeguard Cyber and on the advisory panel for the Monetary Authority of Singapore.

You’ve been the chief research officer at F-Secure for a while now, and you were one of the first employees. Can you tell us a little about what F-Secure is doing?

We build security software, including endpoint security for computers and mobile phones, and we do a lot of enterprise work, including consulting, penetration testing, red teaming, and audits.

Today, as the chief research officer, I do a lot of work in trying to understand the big landscape—what’s happening right now, why is it happening, where are we going, and, most important, who are we fighting; who are the actors behind the attacks.

What are the current developments in cybercrime, and what are the most urgent threats for corporations?

We don’t have a general archetype of a hacker or cybercriminal. Different organizations get targeted by different hackers and attackers because they have varied motivations and use diverse techniques in their attacks. That means you have to fight them in different ways.

Some companies only have to worry about criminals who want to steal something that is worth money or who want to use banker Trojans, ransom Trojans, or [stolen] credit cards to make money. But other organizations have to worry about foreign nation-states. For example, if you are a defense contractor, you most likely are being targeted by foreign intelligence agencies. Other organizations have to think about hacktivists—hacker activists who attack not to make money but to express their opinions; they have a political agenda or a protest agenda.

How can companies prepare? And once you are attacked, what possibilities do you have for reacting?

For years, we’ve been telling companies that they are defending their network by building strong walls around it and hoping that nobody ever gets in. But today, when we look at what’s really happening in the marketplace, we see that those walls are not strong enough. You have to look beyond the walls. You have to keep assuming that the walls you build will fail—because the larger your network is, the more likely there will be a breach. Instead of trusting that your walls will hold, you are now looking at what’s happening inside your network. You have to be very quick in detecting breaches so you can respond to them.

Not every corporation has a chief security officer on the board. Where does responsibility sit for cybersecurity?

Cybersecurity should be a permanent board-level topic for every company—and I can tell you, it isn’t that today. Right now, cybersecurity becomes a priority for top management and boards only after something has happened—a breach or some hack.

But that’s not good enough. We should be thinking about security in the long term. Security is a process. It should be embedded at every stage of manufacturing, at every stage of development.

Is it possible to be completely safe?

In today’s world, nothing is 100% safe. You cannot build an “unhackable” computer. Well, an unhackable computer is a computer that is turned off, which is not very useful. However, most companies are being targeted by criminals, and criminals don’t really want to break into your company. Criminals want money. And if it’s too hard, too slow, or too expensive to break into your network, they will forget about you and go after an easier target.

So you don’t have to have perfect security. You just have to have a little bit better security than the other targets.

What is the CFO’s role in cybersecurity?

Security, when it works, is invisible. Sometimes I’m in meetings with leadership teams, and they—usually CFOs—look at how much money we’ve spent on cybersecurity last year. CFOs might say, “How come we’re spending all this money on cybersecurity? We have no security problems.” And then I typically respond with, “It’s awfully clean around here in your boardroom. You can fire all the janitors and cleaners, because you obviously don’t need them.”

But it goes a little deeper than that. Security is an enabler. Security is the layer of your organization that enables it to do what it wants to do and enables your employees to be productive and creative.

If you look five or ten years ahead, what’s going to keep corporate leaders awake at night?

What we’re seeing right now is smart devices. Smart TVs, smart cars, smart grids, smart factories—things that are connected to the internet. What I’m worried about is not when smart devices go on the internet. I’m worried about when stupid devices go on the internet. And this is going to happen.

What I mean by stupid devices going on the internet is household devices like toasters. You don’t need your toaster to have internet connectivity. It’s not a benefit for you as a consumer. However, it would be a benefit for manufacturers if they knew where every one of their toasters was. They would know where their customers are. They would know how the customers use the device.

This is valuable information. Manufacturers would like to collect this information today, but they can’t, because it’s still too expensive to put a toaster on the internet. It’s going to double the price of the toaster. But in ten years, an IoT connectivity chip is going to cost five cents.

When stupid devices go on the internet, everything will become a computer, whether we like it or not. And that’s what worries me about the future of connected devices.

Subscribe to our M&A, Transactions, and PMI E-Alert.

Subscribe to our M&A, Transactions, and PMI E-Alert.