Interview with Michal Wojnar - Deputy Director of Cyber & Privacy at PwC

Life-threatening attacks in the healthcare sector and VR games in education. These are just some of the cybersecurity topics that elucidates Michal Wojnar – Deputy Director of Cyber & Privacy at the PwC Czech Republic. You can discuss all the remaining topics with him in person at the virtual escape room stand at KCP.

Your parent company PricewaterhouseCoopers is better known as an audit firm. What is your portfolio when it comes to cybersecurity (from now on, SC)?

PwC Czech Republic today offers a complete end-to-end solution where we can help the customer design, plan and implement security based on processes and specific technologies. For some technologies, we can even ensure their operation. And the wheel comes back to the beginning when we audit such environments and suggest further improvements. But this is not the case for all customers; some prefer to separate the roles of different security firms as implementers and auditors in terms of consistency.

What technologies do you deal with specifically?

We are primarily related to Security Operation Centers, i.e. SIEMs, Vulnerability Management, Endpoint Detection Response (EDR) tools. Among the European leaders are our experts in managing privileged accounts, administrator permissions at the OS level or selected applications. We also deal with advanced methods of IT risk management; for example, we have a cutting-edge platform for articulating risks to top management so that they are understandable to executives.

Quite unique are your training tools that use gamification. Can you be more specific?

We have two fairly advanced simulations – firstly, Cyberarena, a team game again for top management of companies, where we simulate what individual attacks on a company look like in terms of reputation, in terms of company revenue, in terms of technology investment. And then we have an individual escape game in virtual reality, where you put on a pair of goggles and find yourself in the world of an attacker trying to get information from Big Data Corp. and damage the company. The player either succeeds or ends up in jail. It’s interesting mainly because you see the situation from a different perspective, which alerts you to the risk from the average user. For example, if you leave an unsecured computer running, an attacker can insert a flash drive into it and successfully carry out an attack. The game will always warn you that this was done, for example, because the password was hidden on a piece of paper under the keyboard. After all, participants can try it out for themselves during the ECSC finals.

Among other things, you are dealing with the security of companies in the healthcare sector. What makes it unique?

This is an area where the cyber world closely touches our real world and can do us harm. There have already been such attempts to harm us remotely by computer. For example, in Germany, a ransomware attack made it impossible for a hospital ward to function, and the patient had to be transferred and died in the process. In the USA, an attempt was made to mix chemicals in a sewage treatment plant to turn the water into a poisonous liquid. Last year, we conducted a survey among the IT professional community to find out how they perceive the safety of the Czech healthcare system. Which information channels do they consider safe, and which medical information do they consider sensitive, such as blood or organ donation.

According to your survey, what are people most worried about?

That someone will invade their pacemaker or diabetes pump, which can now be commonly connected to a computer and download data from it. That these communication channels could be used by an attacker in a destructive way to harm or even kill someone. On the other hand, they are least concerned about the possible leakage of data from a smart weighing scale.
You obviously care about healthcare, which is why you decided to support pro bono building defence capabilities for Doctors Without Borders?
At PwC, we choose several socially beneficial activities every year, whether it is in the form of mentoring in various social projects, hackathons, lectures and seminars for students, etc. In addition, we have decided to select one project each year that specifically helps the non-profit sector. Last year, it was Doctors Without Borders, where we helped them with an assessment of their security, proposing improvements adequate to their situation, size and available resources. This was not just the Czech office, but the entire global IT service was operating from Prague. In the case of such a non-profit organisation, the attackers are probably not after money or remote harm; their motivation may be political or ideological, for example, and cannot be underestimated in the least.

You mentioned students. Do you cooperate with universities? Do you support the education of students in any way?

My colleagues teach at the Czech Technical University (ČVUT), Prague University of Economics and Business (VŠE), they are lecturers at Czechitas, they are active at lifelong education (U3V). Systematically, we support such activities through the so-called Teachers Club. We also allow students to play in our Cyber Arena. We also try to support other departments through virtual reality, so we have, for example, an application called Virtual Auditor in the Recruitment Programme, which helps to show and make the auditor’s job role more attractive in a playful way.

Do you offer any internships or junior programmes for young cybersecurity (CS) candidates?

We offer paid internships for students who are interested in pursuing CS. We are always interested in their individual motivation – what brought them to the field, why they want to follow CS and what path they would like to take. There are already many of them, and if they are clear about this, we can then provide them with an adequate project to try it out. Sometimes they find that it’s not the right path for them. Typically, someone is interested in standards and norms, goes to try out work around ISO 27001 and information security management system implementations, and then finds they are more interested in technical work. With us, they can try one or the other and compare the two. That’s where we provide a unique opportunity to try out a broader spectrum of work. And also a chance to get an outside view of how companies operate at multiple customers.

Thank you for the interview

Silver partner