Cybersecurity is unpopular, says OKsystem security director Michaela Stonová in an interview with E15

November 12, 2024

Among the topics discussed are, for example, the use of artificial intelligence in cybersecurity, dealing with the shortage of qualified professionals and the debate on the NIS2 directive.

You can read the entire interview either in the printed edition of E15 or in a longer version online on the E15 website (Czech language). The full transcript is provided below.

Cybersecurity is an unpopular discipline. It always brings limitations to the system and restricts comfort. And when it works well, nobody notices it, says Michaela Stonová, the Security Director at OKsystem. According to her, the biggest problem is the lack of specialists.

How are public institutions like hospitals, the police, and government offices doing in terms of security after recent events?

Unlike the private sector, the public administration does not have as much freedom in managing financial resources. They often have to work with equipment such as MRI machines, which may be twenty years old or even older and vulnerable from a cybersecurity perspective. When a doctor says they need to connect to it from home, you accommodate them because patient care is, of course, the top priority. However, this creates an open gateway to the system.

Hospitals also often lack adequate funding to pay cybersecurity managers or ensure a continuous security monitoring service. Organizations like NÚKIB or NAKIT could play a crucial role here by providing centralized solutions for the public sector—sharing people, services, and knowledge. The commercial sector generally finds a way to manage. State administration and local governments, however, need assistance.

Is it more because hospitals are often led by doctors, fire departments by firefighters, and so on? Or is it that funds may be available but not in the right category?

I can’t speak for these institutions, but it’s definitely partly a matter of budgeting categories and partly an unenviable position for management. The most valuable asset is always people, regardless of whether you're in a hospital or a commercial company. You always need to retain key employees. Security is something that restricts them.

If you tell an employee they won’t be able to connect from anywhere to anywhere, it might happen that your top doctor, programmer, designer, or architect will choose to work elsewhere. Somewhere where they won’t face such restrictions.

Security measures have a lot in common with flood protection. Everyone in a floodplain wants maximum protection against flooding. However, when it comes to specific measures, like building an unsightly flood barrier in front of their home, their support drops rapidly. It’s a classic example of NIMBY (Not In My Backyard). In the case of cybersecurity, it could be paraphrased as NATEOMC (Not At The Expense of My Comfort).

That’s why I claim that security is an extremely thankless discipline. It’s a constant balancing act of pros and cons. You either have perfect security and unhappy employees or vice versa. There is a golden middle path, and it’s the only right one, but it’s immensely challenging. Another complicating factor is that security is a form of prevention. You spend money to prevent something that may or may not happen.

When it works, you don’t even see it.

Exactly. A hallmark of functional security is that it’s invisible. That’s why it’s hard to secure funds and support for it. Paradoxically, even that is often not enough.

Even though at OKsystem I have plenty of both, even the best technology still needs someone to integrate it effectively into the system and maintain it. For the state or hospitals, finances are the primary problem. In the private sector, it’s simply the lack of people in the labor market.

Through the Confederation of Industry, which does excellent work in this area, we’re involved in various activities to increase their numbers. At OKsystem, we support internships for high school students and participate in teaching at various universities. Unlimited courses for all our employees are an absolute given.

How feasible is outsourcing? Or outsourcing an entire information system?

This trend undoubtedly exists. The question is how reliable these services are and whether they meet your needs. These companies also face a shortage of quality workers in the job market. Generally speaking, outsourcing is definitely more advantageous for smaller companies and often the only option. Beyond a certain size or security level, such as critical infrastructure, it becomes more cost-effective or even essential to have these services provided internally.

How can the shortage of qualified experts be resolved?

If I knew the answer, you’d be interviewing a Nobel laureate right now. But kidding aside, the Czech Republic has a certain number of economically active residents. This number cannot be artificially inflated by any magic. We can only reallocate their focus or supplement them with foreign workers.

What could help is an increase in top-notch technology developed in the Czech Republic. The reason some experts leave for abroad is not just about salary conditions but also the lack of interesting and stimulating projects. The more people we can attract and prevent from leaving in this way, the better. In any case, we are talking about solutions on a national level.

Can artificial intelligence help? Or is it more of a threat?

Artificial intelligence is currently enjoying a lot of popularity. But it’s nothing new. Humanity has been playing with neural networks, the foundation of artificial intelligence, for over half a century. Now, this topic is in the spotlight because it has reached the broader public. Personally, I see AI as something that slightly changes the rules of the game in the IT world again—a further evolutionary step, like the internet nearly 40 years ago and social media more recently. Any technology can serve either good or bad purposes.

Therefore, I’m not afraid of AI, and I don’t believe we’ll be fully replaced or even controlled by it. Regarding regulation, I’d suggest a cautious approach for now. As offensive technologies evolve, so will defensive ones. Plus, every AI is only as smart as the data it’s trained on. It’s like with children. You can have a very smart child, but if you don’t provide it with the right stimuli, the result won’t be great.

Isn’t the risk not so much about control but that AI is fast and productive, making it useful to attackers who don’t mind making mistakes?

Attackers have a significant advantage. Attacking is always more fun than defending. Ask a five-year-old hockey player if they want to be a defender or a forward; everyone would rather score goals. We only choose to become defenders as we age and gain experience. But one seasoned defender can eliminate many rookie attackers. This balances things out a bit.

The same goes for AI. Language models have advanced tremendously, and they can be used by anyone—defenders and attackers alike. An attacker can use them to generate large quantities of misinformation or attacks. But these are still generic attempts. An advanced defender or reader can always recognize and effectively counter them. As offensive techniques evolve, so will defensive ones.

Of course, one could devise a very sophisticated attack. But the question is how much AI or advanced algorithms will be used in it, or if the success will depend only on the human factor.

For now, technologies like ChatGPT are strong in their generality. Once they reach a specialized area they haven’t been trained for, they usually fall short. If we wanted to train them to near perfection in a specific narrow area, they wouldn’t be as widely available. So even here, there are systems of checks and natural corrections.

To put it in the spirit of Forman’s Amadeus: Artificial intelligence is still only Salieri—the patron saint of mediocrity. It will never become Mozart. On the other hand, most of us would give a lot just to be like Salieri. Even Mozart might appreciate it on a bad day. So let’s use AI freely but be aware of its limitations.

Will NIS2 help cybersecurity in any way?

The directive’s goal is certainly right. OKsystem is already designated as a so-called obligated entity under the current Cybersecurity Act. For more than seven years, we’ve been meeting all security measures, which will now apply to regulated entities in a so-called higher obligations regime. Therefore, I can objectively say that the stipulated obligations contain nothing extra that you wouldn’t do yourself with the “care of a diligent security steward.”

The depth of certain security measures or the defining criteria for different levels can be contentious. But it’s essential to realize that nothing will ever be absolutely fair, and thankfully, there are various grant programs that help with the financial impact of technical measures. The only issue we will all genuinely struggle with is the lack of specialists. The commercial sector will eventually manage, but state administration and local governments will need help.

What’s your advice?

First, realize that security is a never-ending process. Then, accept that absolute security can never be achieved. A successful cyberattack can always be carried out; it’s just a matter of determination, resources, patience, and sometimes luck. Therefore, you can eliminate major risks and minimize impacts. If someone tells you otherwise, don’t entrust them with your security. Lastly, technology alone won’t secure you. Proper integration and usage are essential.

Michaela Stonová

She has been working for OKsystem for three years. Previously, she spent over 15 years in public administration, focusing on security and Big Data system designs. She is a longtime member of the International Association for Cryptologic Research (IACR).
