This year, IT security needs to finally be on the CEO agenda | Expert interview with Dr. Marc K. Peter

About our interview partner

Dr. Marc K. Peter is head of the Competence Centre Digital Transformation at the FHNW Business School and is part of the leadership team for Dreamlab Technologies in Switzerland.

Dr. Marc K. Peter, Head of Competence Centre Digital Transformation FHNW Business School, Global COO Dreamlab Technologies

Hello Marc, can you tell us a little about your background and how you became interested in IT security for SMEs?

As a teenager in the early 1990s, I organized computer parties in Bern, Switzerland and was just generally fascinated by the possibilities of IT. At that time I was a member of several computer clubs and managed my own BBS (bulletin board system). In the 30 years since, I have experienced first-hand how the status of IT has changed as we progressed from digitization to holistic digital transformation. IT security is now one of the most important challenges for companies today but it can also offer a key competitive advantage. I‘m fascinated by this symbiosis.

You just published a new book. What’s some of the main advice it offers for SME executives?

Our practical handbook IT Security for SMEs uses clear language and a host of examples to explain how SMEs can approach IT security in organizational, technical, and cultural terms. Company leaders should understand their IT infrastructure and technologies (including the potential and risks), train and support their workforce in using communication platforms, issue recommendations and guidelines (where doing so makes sense), and develop clear access management rules (who is allowed to use what when). All these topics should be bundled in an IT security concept.

You also teach both students and experienced specialists and managers. What technical advances in IT security do you find especially interesting?

My list would include solutions for digital rights management, for aggregating and analyzing data related to potential cyberattacks (threat intelligence, kill-chain tactics) and integrating it into connected automated SOCs (security operations centers), for preventing insider breaches, for protecting e-mail traffic (security gateways with concepts like CDR, or content disarm and reconstruction), and for identifying C2 (command and control) infrastructures before they can be used for criminal purposes.

A recent study showed that about 40% of revenues of cybersecurity vendors are spent on marketing and sales. Distributors and resellers all want to take their share as well. In your opinion, is there a way to make this more efficient in the future?

I think it is already much more efficient than it was in the past. This is because investors and analysts investigate into FCF and profit of vendors. Also, if you take a look at the margin of distributors and resellers – they are lower than they have been in the past – today they make their margin more and more with value added services they provide to customers. The vendor products are just a tool for the total offering, and they do not put a big margin as in the past on vendor product sales anymore.

Many SMEs have their own production or logistics capabilities or build connected machines and components. Do they face other threat scenarios as a result? Or do most attacks really just take place through the normal office IT?

That’s an important question. The convergence or merger of office IT and operations technology (OT) increases complexity and risk. With the CyObs solution, we’re seeing many industry applications that can be addressed directly from the public Internet (with no firewall in between). Hundreds of production machines can be located behind a single OT interface, often along with ways to access the office IT. At the same time, new IoT applications are increasing risks for end customers. The threat scenarios are becoming more varied along the entire value chain.

Without naming names, do you know of any cases where better IT or IoT security would have prevented an attack or reduced its severity?

At the beginning of 2021 we connected a honeypot in Switzerland to the Internet for 24 hours. In this period, the system recoded more than 10,000 attacks from 28 countries. Within hours, a database was blocked by ransomware and the hackers demanded bitcoins to release it. An FTP service was infected with a crypto miner and the SSH service also documented more than 10,000 login attempts. In short: an IT security concept provides an initial basis for understanding and protecting your own system. Every IT security measure can help to increase this protection. But our studies show that a quarter of the SMEs in Switzerland experienced a serious cyberattack last year.

In addition to being an expert in IT security, you’re highly knowledgeable about marketing and digital transformations in general. What strikes you when you look at the marketing and sales activities of IT security providers, especially those targeted to SMEs?

Often they don’t speak SMEs’ language and make every marketing promise available. For these reasons, many SMEs need the support of established professional consulting firms.

What security claims or half-truths do you encounter again and again although they aren’t actually true (any more)?

Customers’ actual situations are complex and individual. There’s no documentation and the provider of outsourced IT services doesn’t have the details. This means that IT security solutions need lots of adjustment and calibration (which drive up costs). Many service providers gloss over this fact in their product descriptions.

And finally; if you could send an e-mail to very CIO on earth, what would the main message be?

This year IT security needs to finally make it onto the top management agenda!

Thanks to Dr. Marc K. Peter for his time!

Be sure that we do not receive any advertisement payments for the interviews. If you are interested in an interview with us, please send a short message to

Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.