In this edition of Ask the Expert we talk to Christoph Ratavaara, Information Security Officer at isolutions AG, a leading Microsoft partner in Switzerland that creates digital working environments that foster creativity, enable intelligent collaboration and create positive customer experiences. Christoph shares insights on how he uses the ahead intranet to effectively communicate cybersecurity risks, navigate the challenges of internal information security communications, and maintain a strong security culture, especially in a remote working environment.
Could you tell us more about your role at isolutions?
As Information Security Officer at isolutions AG, I am responsible for the information & cyber security of our organization. I am the link between the different areas of IT, Security and Business. My tasks include the planning & implementation of technical and organizational measures, risk assessments, protection against and handling of threats and incidents as well as one of the most important components: Establishing a security culture.
What strategies have you implemented to regularly inform employees about cybersecurity risks and best practices?
I use our ahead intranet as a communication channel for short-term and urgent messages to all employees, for example to warn about an upcoming phishing campaign, as well as for official communication in case of changes or new policies and guidelines. Likewise, ahead serves me as the main basis for our awareness campaigns and regular security newsletters with different content on the topics of information and cybersecurity to keep all employees as well as our subject matter experts up to date.
What do you think are the biggest challenges in internal information security communications?
One of the most important success factors is people. When all technical measures fail, it is usually the human being who makes the next decision. If this person is not informed or is misinformed or has no awareness of the topic of security and protection, incidents can occur that could have been prevented by simple means. Information security is often an abstract, complex and also technical topic. Clear and level-appropriate communication is key, but not always easy to achieve. It can be very time-consuming to find the right composition without getting lost in long explanations. As an author, ahead gives me a comprehensive but easy and quick way to use the intranet that allows me to communicate in a timely, level-appropriate manner to everyone. I don't have to struggle with the technology, instead I can focus on the content. The statistics show me how the information is being received, and the comment feature allows everyone to give feedback and interact directly with my post.
Can you describe a case study where you and your team successfully communicated about information security/addressed a security issue?
For the past two years, we have been running a Cybersecurity Awareness Month, for which we use ahead as a base. With the campaign feature, we can link all posts and events from our awareness campaigns and make them available to employees. We use ahead from the beginning to the end of the campaign, at the beginning to promote the Cybersecurity Awareness Month with all events and information, during the campaign month for stories & posts and interaction with employees and at the end with the provision of all created content.
How can internal communication strategies be adapted to maintain a strong security culture among employees working remotely or among blue collar employees?
With the flood of information we are all exposed to on a daily basis, the topic of information security & awareness needs to be actively addressed again and again. There should be regular, recurring and recognizable formats within the communication strategy. In this context, it is important to critically scrutinize one's own communication on a regular basis to determine whether it is appropriate for the level and whether it is also read and taken seriously by employees; otherwise, adjustments or new formats must be developed. Ultimately, a good format does not work forever, it also needs variety, interaction and what always helps is when employees can derive a private benefit from something and it does not only take place in a professional context. If you have communication and change experts, be sure to include them as supporters and critical reviewers.
What tools or technologies do you use for this purpose?
I use our ahead intranet as the basis for all communication. Other tools I use include Deepl to write and translate texts and Midjourney as image generation AI for posts and campaigns.