Swiss Cyber Storm

Your feedback to Swiss Cyber Storm 2025

Dr. Christian Folini — Tue, 04 Nov 2025 00:00:00 +0400

Your feedback to Swiss Cyber Storm 2025

By Dr. Christian Folini

Here we go again with the traditional blog post with the feedback for the conference that brings you - our audience - some transparency about the event. We received feedback from 68 participants, which is a bit higher than our usual response rate.

Overall impression of the Swiss Cyber Storm conference

We start every survey with this simple but telling multiple-choice question. The idea is to tune in and lead people to the conference. The fact that it’s the same question allows us to compare the feedback year after year.

55.6 % (2024: 57 %) – It was a very interesting and cool event, keep it up and I’ll be there next year.
41.3 % (37 %) – It was quite good – I will consider attending next year.
3.2 % (6 %) – It was okay, but I probably won’t go again.
0 % (0 %) – Bad, I won’t go again.

That translates into a 97 % positive vs. 3 % negative sentiment, which is an absolute top score. I would not overemphasise this, since there is lots of blur with such a survey, but anything above 90% sounds good.

Year	Positive	Negative
2025	97 %	3 %
2024	94 %	6 %
2023	93 %	7 %
2022	95 %	5 %
2021	96 %	4 %
2020	—	—
2019	91 %	9 %
2018	91 %	9 %
2017	89 %	11 %

So, once again: a very happy audience!

Average speaker rating

As always, we asked participants to rate each speaker individually (on a 1–4 scale, from bad to very good). We don’t publish those per-speaker numbers, but we do calculate the average — a good reflection of how well our program committee curated the lineup.

For 2025, the average rating was 3.27, up from 3.20 in 2024. That’s a very strong result and close to 2021 when we ran a Corona edition in front of a small audience of fans. When I started as program chair in 2017, we received an average rating of 2.96, and it felt like a success. Now at 3.27 it has become the standard for us.

Year	Average Rating
2025	3.27
2024	3.20
2023	3.02
2022	3.19
2021	3.34 (a fanboy audience with fewer attendees than usual)
2020	—
2019	3.04
2018	3.04
2017	2.96

One element that plays into this is the shaping of the audience after the lineup. With a consistent direction and quality of the talks, those people appreciating that style will return and those who don’t like it will attend other conferences. That means that the fact the numbers are going Northeast should be taken with some humility.

Still, we’re proud of this steady quality — and grateful to all speakers and the team who make it happen. Inviting speakers is one thing, but preparing the conference so they feel at ease and deliver their perfect talk is more work.

Get your ticket today!

AI Village

The AI Village premiered in 2025, and it got people curious. Finding the village was a challenge for many (the frequency clearly grew in the afternoon).

27.9 % I visited it
14.8 % I even took part in a workshop
57.3 % I didn’t visit this time

When asked whether we should bring it back, 64.3 % said “Yes, and I’ll visit next year!” Another 25 % would like it to return even if they won’t personally participate, and only 10.7 % said “No, thanks.”

That’s a clear “yes” from the community. We will have to balance that with the costs such an endeavour brings with it.

Choice of the focus theme “Resilience in a mad, mad world”

Our 2025 focus theme — “Resilience in a mad, mad world” — received 83 % positive feedback. 8 % didn’t like it, and 9 % admitted they didn’t realise there even was a focus theme (we’ll make it more prominent next time!).

Year	Approval	Theme
2025	82 %	“Resilience in a mad, mad world”
2024	95 %	“The AI Revolution”
2023	93 %	“The Human Factor”
2022	92 %	“Digital Identities and How to Secure Them”
2021	88 %	“Securing the Supply Chain”
2020	—	—
2019	83 %	“Embracing the Hackers”
2018	78 %	“Trust”
2017	67 %	“E-Voting” (but not very prominent)

When you look at the numbers, the approval is surprisingly low, and on top, a stunning 9 % did not even notice the focus theme. I have a hard time making sense of this. People were exceptionally happy with the conference even when a surprisingly large number of participants did not really like its focus topic.

But anyway, it’s a result that makes sure we don’t lose touch with reality.

Food and beverages

Food is always an emotional topic, and after two excellent years, we faced some issues at lunch. Food ran out too fast, and some people complained about the dinner options (some of the food was ignored because it looked like dessert).

This is visible in the numbers in the survey.

Here’s how 2025 stacked up with recent years.

Year	Great	Good	OK
2025	49 %	44 %	7 %
2024	65 %	29 %	6 %
2023	59 %	27 %	11 %

Where did people hear about the conference?

This question always reveals a lot about our community — and how word of mouth continues to be our strongest marketing channel.

63 % (2024: 53 %) – I’ve attended before
17 % (26 %) – Colleagues
5 % (10 %) – Through communication from a sponsor
4 % (5 %) – Through a partner organisation (InsomniHack, SATW, etc.)
2 % (2 %) – Online articles or blogs
4 % (2 %) – Social media
5 % (2 %) – Other

Returning visitors remain the backbone of Swiss Cyber Storm — a positive sign of trust and community loyalty. And inviting them to bring their friends continues to be a successful marketing strategy.

All in all, SCS 2025 was another highly successful conference. We really loved the vibes in the network area, the wonderful presentations, strong connections in the workshops, and many new bonds formed among the audience.

Stay tuned for Swiss Cyber Storm 2026 on October 20 — and consider grabbing your super-early bird ticket. The ticket sale has started and this is the best deal you will get.

Get your ticket today!

New tickets for the AI Village and traffic rerouting for Kursaal Bern

Alessandro Monachesi — Tue, 07 Oct 2025 00:00:00 +0700

New tickets for the AI Village and traffic rerouting for Kursaal Bern

By Alessandro Monachesi

Swiss Cyber Storm 2025, focusing on the theme of “Resilience in a mad, mad world” is now three weeks away.

New for this year’s conference is the AI Village, a co-located event featuring hands-on workshops, discussions and talks about artificial intelligence in cybersecurity. It’s a space for exchange between experts, beginners, makers, and the just curious. Access to the AI Village is included with a Swiss Cyber Storm entry ticket. More about the AI Village here.

Buy your ticket now!

While access to the AI Village’s demos, presentations, and poster sessions is unrestricted, seats at the workshops are limited. The first batch of workshop tickets was quickly gone, but there’s good news: We have increased the number of tickets available for the workshops. If you haven’t bought a Swiss Cyber Storm ticket yet, now is the time! During the regular ticketing checkout process, you can select up to two of the six available AI Village workshops.

Already have a conference ticket? No problem, you can still register for workshops by updating your registration. Just click on the link in the confirmation e-mail we sent you when you registered for the conference and change your registration details. If you can’t find the e-mail, go to the ticketing site and click the button at the bottom (“Request order link”).

We expect these new workshop tickets to be in high demand, so act fast!

The following workshops are available:

“Agentic AI: A Hands-On Session with Fabric” by Daniel Miessler (Unsupervised Learning)
“AI Security – What Could Possibly Go Wrong?” by Andrea Hauser, Ralph Meier, Yann Santschi, Lucie Hoffmann and Marisa Tschopp (scip)
“Navigating the AI Crisis: An Interactive Crisis Experience” by Katie Koetke
“Threat Modelling LLMs and Their Integrations” by Andrei Kucharavy (HES-SO Valais-Wallis)
“Dark Prompts and Malicious Agents: Offensive AI in Action” by Candid Wüest (xorlab)
“Automation of Cyber Defense” by Roland Meier (armasuisse)

Please note that the AI Village timetable has changed slightly since its initial publication. You can find the whole schedule with the actual times here.

Buy your ticket now!

Changed traffic routing for Kursaal Bern

This year, the city of Bern has prepared a big surprise: Kornhausbrücke, the large bridge spanning the Aare valley which provides us with a beautiful view of Bern’s old town, is undergoing renovation and is therefore closed to traffic.

The journey via the Bern-Wankdorf motorway exit (2 km away) will remain unchanged.
From Bern railway station, the replacement bus line 9A (in the direction of Schönburg/Viktoriaplatz) will take you to Viktoriaplatz in 5–10 minutes. After a walk of around 260 meters, you will reach the entrance to the Kursaal Bern.
Pedestrians can still cross the bridge from the old town to the Kursaal.

For more details, maps of the rerouting and additional parking information, see here.

Six more exciting speakers in our conference line-up

Alessandro Monachesi — Wed, 25 Jun 2025 00:00:00 +2500

Six more exciting speakers in our conference line-up

By Alessandro Monachesi

Smart cities, undersea cables, risks to the DNS, ransomware, GovCERT, software bills of materials, independent cyber threat intelligence, metrics, and the CyberPeace Institute are just a few of the topics our speakers will address at Swiss Cyber Storm 2025. Some of these topics are part of our focus topic – Resilience in a Mad, Mad World – while others focus on additional relevant security topics.

Get your ticket today!

With Program Chair Christian Folini looking for more exciting security experts, the conference schedule is filling up quickly. Over the past month, we have announced our keynote speaker, Mark Barwinski, as well as Camino Kavanagh, Michael Hausding, and Carlos Ishimaru. Now is the time to officially add a few more names to the line-up:

Marina Bochenkova is a cybersecurity analyst specializing in digital forensics, incident response, and the security of industrial control systems and other critical infrastructure. Control systems and the various connected sensors play a major role in smart cities. Marina’s talk will be about the specific resilience problems that come from the exposure of these urban areas to cybersecurity risks.
Roman Hüssy is Co-Director of the Government Computer Emergency Response Team (GovCERT), the Swiss national technical cyberincident response center. Roman has many years of experience in cyberthreat intelligence, having founded Abuse.ch in 2007. In this rare public appearance, he will show typical incidents handled by GovCERT, and how they gain knowledge and share that with Swiss critical infrastructure operators and the wider audience.
Aram Hovsepyan contributed to the science of metrics for his PhD at DistriNet KU Leuven. During his fifteen years of experience in cybersecurity, he came across a lot of bad dashboards. This talk will teach us how to improve them with the Goal-Question-Metric framework that helps to pick the numbers that actually contribute to our goals.
Olle E. Johansson has over twenty years of experience in telecommunications, VoIP, and cybersecurity. Olle is active in open-source projects and standard forums, the founder of major appsec and network security initiatives, and a specialist for various categories of software bills of materials (SBOM). These days, SBOMs are everywhere, but not every SBOM use is equally successful. Olle will tell us how to improve their application, how to work with them day in and day out and how to develop your own SBOM lifestyle for your organization.
Panos Vlachos is an information security expert with a background in software engineering. Currently a PhD candidate, he volunteers for the CyberPeace Builders (CPB) programm for the Geneva-based CyberPeace Institute. CPB matches NGOs with security needs with practicioners. The support can include advisories or hands on missions like the work Panos is doing: dark web monitoring, vulnerability scanning, etc. Panos will present the CPB program and show us how to join.
Verena Zimmermann is Assistant Professor for Security, Privacy and Society at ETH Zürich. Her research interests comprise the human aspects of safety, IT security and privacy, like usable authentication, privacy-friendly smart home concepts and the human-centered design of tasks in smart cars. Her presentation will explain certain design principles and how to make practical use of her research.

Get your ticket today!

We will complete the program in the coming weeks.

A first look at this year’s speakers

Alessandro Monachesi — Wed, 16 Apr 2025 00:00:00 +1600

A first look at this year’s speakers

By Alessandro Monachesi

We are pleased to announce the following speakers for Swiss Cyber Storm 2025:

Camino Kavanagh is THE expert on subsea cables. She is currently a Senior Fellow at King’s College London and became known to a wider audience with her 2023 UNIDIR report „Wading in Murky Waters”, which addresses the fragility of our deep-sea infrastructure and how we can make global connectivity more resilient.
Michael Hausding is a member of Switch CERT and a board member of FIRST.org, the global forum of incident response and security teams. As a well-known DNS expert, he is familiar with all forms of domain abuse and the complexity of the regulation and technology surrounding the system. He will explain the risks for the Internet in Switzerland and abroad if the USA were to exert direct influence on the system.
Carlos Ishimaru is a young Brazilian threat intelligence analyst and researcher specializing in reverse engineering, HUMINT, and anonymization. He recently made a name for himself by reporting inside information from ransomware gangs he joined as an affiliate.

More speakers will be announced in the coming weeks.

Get your ticket today!

Mark Barwinski, our opening keynote speaker, has already been announced. But today we are thrilled to present a new article by Mark on our blog. He weighs in on the SignalGate leak and shares first-hand accounts of OPSEC issues from his time at the NSA. He covers several examples and offers strong advice for realistic OPSEC practices in 2025. You can read the article exclusively here on our blog.

The AI Village: A new addition to Swiss Cyber Storm

Alessandro Monachesi — Tue, 15 Apr 2025 00:00:00 +1500

The AI Village: A new addition to Swiss Cyber Storm

By Alessandro Monachesi

With its focus on AI, last year’s Swiss Cyber Storm clearly struck a chord. And in 2024, neither the development nor our commitment to the topic has stopped. This year, we want to go deeper and involve you, our audience, more in this discourse: Enter the Swiss Cyber Storm AI Village.

Get your ticket today!

The AI Village at Swiss Cyber Storm 2025 puts the focus again on artificial intelligence in cybersecurity—in a hands-on, interactive, and accessible way. Our goal is to make AI in this context tangible, spark curiosity, and share knowledge at eye level. Whether it’s threat detection, anomaly analysis, or ethical issues, visitors can explore how modern AI systems are used in security, what their limitations are, and how they can be used creatively, safely, and responsibly.

With live demos, short workshops, and discussion sessions, the Village invites everyone to participate, no prior knowledge required. It’s a space for exchange between experts, beginners, makers, and the just curious. We want to show that AI in cybersecurity is more than just hype. It’s a powerful tool with real potential if understood and used wisely.

As part of the Swiss Cyber Storm Conference, the AI Village will be free for all conference attendees.

More information about the AI village will soon be available here: SCS AI Village.

Signalgate and the Enduring Relevance of OPSEC in 2025

Mark Barwinski — Mon, 14 Apr 2025 00:00:00 +1400

Signalgate and the Enduring Relevance of OPSEC in 2025

By Mark Barwinski

The following is a post by Mark Barwinski, the opening keynote speaker for Swiss Cyber Storm 2025. Mark has over 20 years of cybersecurity leadership experience spanning financial services, professional consulting, manufacturing, and government intelligence. In this blog post, he shares first-hand experiences of OPSEC failures from his time at the NSA, and offers strong advice for realistic OPSEC practices in 2025. By publishing this article for the first time, Swiss Cyber Storm hopes to provide a basis for further discussion.

For more info about Mark Barwinski: https://www.linkedin.com/in/markbarwinski/

Executive Summary

In March 2025, senior U.S. national security officials exposed classified military strike details against Houthi targets through improper use of the Signal messaging app—an event now widely referred to as “Signalgate.” This significant operational security (OPSEC) failure highlights crucial vulnerabilities not only within government communication practices but can also inform corporate security protocols. This paper examines the Signalgate incident, extracts critical lessons from historical OPSEC successes and failures, analyzes Signal’s limitations, and emphasizes actionable strategies for corporate leaders.

Effective security relies fundamentally on the consistent application of OPSEC principles, cultural awareness, robust communication protocols, and exemplary leadership behaviors. Technological advancements alone cannot safeguard sensitive information. By implementing structured, disciplined communication practices and fostering a culture of security awareness, corporate leaders can significantly mitigate risks from espionage, leaks, and cyber threats—protecting their competitive advantage and, crucially, ensuring the safety of their personnel.

Introduction: The Breach at the Highest Levels

On March 24, 2025, a significant breach in U.S. national security occurred when top officials mistakenly included a journalist from The Atlantic in a Signal messaging group titled “Houthi PC Small Group Chat.” The group, comprising America’s most senior national security leaders—including the National Security Adviser, Secretary of Defense, Vice President, CIA Director, and others—shared detailed classified information about an imminent military operation against Houthi targets. These communications revealed sensitive operational details, notably involving Israeli intelligence assets providing real-time confirmations before and after the military strike.

The consequences were serious, exposing not only critical intelligence methods but also systemic flaws in operational security at the highest levels. Similar security failures take place on the private sector too, where sensitive discussions frequently occur through inadequately secured communication channels. The parallels between governmental and corporate OPSEC failures can be reduced not to technical short comes – although they play a factor – but rather in the laxed attitudes and failure to practice fundamental security concepts.This paper explores the Signalgate incident’s broader implications, highlighting lessons that corporate entities can apply to prevent similar operational security failures. By integrating common sense OPSEC principles into daily practices, organizations can protect sensitive information, maintain operational integrity, and safeguard their competitive positions against increasingly sophisticated threats, and ensure the safety of their employees in risky geopolitical environments.

Signalgate Incident Analysis: A Cascading Security Catastrophe

The Signalgate incident reveals a systemic collapse of operational security at the highest levels of American government, going far beyond an isolated mistake. The cascade began when National Security Advisor Mike Waltz mistakenly added The Atlantic’s editor-in-chief, Jeffrey Goldberg, to the Signal group, believing he was communicating with another government official. This critical initial lapse in verifying group membership quickly escalated into a series of alarming disclosures.

Secretary of Defense Pete Hegseth subsequently shared detailed operational plans approximately two hours prior to a scheduled military strike against Houthi targets. His messages explicitly detailed the deployment of F-18 fighter jets launching at precisely 12:15 pm ET and a second-strike wave at 2:10 pm ET, the launch of MQ-9 strike drones, and sea-based Tomahawk cruise missiles commencing strikes at 3:36 pm ET. Such precise operational specifics provided adversaries ample opportunity to alert targeted individuals or deploy effective countermeasures. Yet, Secretary Hegseth insists all information is not sufficiently sensitive to rise to the level of classified information.

Vice President Vance, requesting operational confirmation, prompted National Security Advisor Waltz to further compound the disclosure by confirming that the U.S. had “visual identification” of the primary target, identified as a leading missile strategist entering his girlfriend’s building—which subsequently collapsed from the strike. This explicit disclosure jeopardized Israeli human intelligence (HUMINT) assets, potentially compromising their lives and years of meticulous intelligence-gathering efforts.

Further troubling was the style of communication observed among these senior officials, characterized by unnecessary mutual reinforcement, personal praise, and informal congratulatory exchanges as if immature children seeking acceptance. Such behavior sharply contrasts the disciplined, concise, and highly professional communication typically expected at the highest strategic levels and witnessed by me during 12 years of closely collaborating in mixed military and civilian environments across three continents, including one year in Afghanistan. Experienced military commanders know collateral damage is highly likely and American lives can also be potentially at risk during such missions. Perhaps due to this, a recognition that it is not “War-by-Chat” on Signal, that my experiences working with these leaders differs from what we witnessed in this exchange. In this instance, the World witnessed the complete callousness of this leadership towards human cost. Instead, they seemed more concerned with the adequate sprinkling of appropriate emojis throughout their padding of each other’s back.

Lastly, special envoy Steve Witkoff’s participation from Moscow—an epicenter of sophisticated signals intelligence and espionage operations—significantly increased the risk exposure. This risk was intensified by the heightened geopolitical tensions marked by sabotage operations and assassination plots across Europe as we have experienced over the past several years. Just days following Signalgate, The New York Times published “The Secret History of the War in Ukraine,” outlining extensive U.S. intelligence support directly resulting in significant Russian military losses, including several generals, during this multi-year conflict. It is therefore reasonable to conclude given the opportunity, Russia likely would exploit the compromised U.S. operational details as an opportunity for retaliation, potentially placing American pilots in severe jeopardy or allowing the Houthi leader to escape.Ultimately, Signalgate demonstrates a breakdown in OPSEC discipline, highlighting critical vulnerabilities in both communication practices and operational culture at the highest governmental levels. Failing to follow some fundamental practices can result in catastrophic real-world consequences.

Personal Insights: Operational Lessons Learned

I joined the National Security Agency as an intern in 2004, performing protocol reverse engineering and seeking to identify potentially sensitive or classified information in everyday Department of Defense (DoD) network traffic. By 2008, I assumed the role of Chief of the Joint Communications Security Monitoring Activity (JCMA) Europe (a.k.a. CIRCUITKEG). This experience offers me an invaluable insight and opinion into the systemic vulnerabilities exposed by the Signalgate incident. At JCMA, our mission was uniquely focused—monitoring our own communications through the eyes of adversaries, identifying critical vulnerabilities in seemingly secure systems, and rigorously enforcing operational security (OPSEC) practices.

One key lesson consistently reinforced during my tenure was that most security breaches do not arise from sophisticated technical exploits but rather from basic failures of discipline, awareness, and operational culture. At JCMA Europe, seemingly innocuous details like aircraft parking patterns or travel itineraries, casually shared through unsecured channels, consistently posed significant security risks.

Operating from our windowless secure facility, we maintained constant vigilance—our screens flickering 24/7 with communication intercepts, our analysts hunting for fragments of sensitive information appearing where they shouldn’t. Unlike conventional security that builds walls, we looked for what seeped through the cracks.

In one such example of innocuous information having potentially catastrophic consequences, vehicle parking patterns could reveal to an adversary the most appropriate attack windows against VIP delegations. During a VIP European visit, my team detected a disturbing pattern in the logistics communications and patterns. Through careful analysis of ground transportation arrangements, and aircraft movements as well as parking configurations on the tarmac, we could pinpoint precisely if this most senior of senior U.S. representatives was present in the aircraft. The truly alarming realization came when we confirmed these same patterns were visible to anyone with binoculars from a freeway near the airfield. Guidance was issued for executive protection teams to thwart potential adversarial attacks by changing these telltale practices.

In another instance, we intercepted unencrypted emails/faxes containing detailed travel itineraries for the NSA and DIA directors’ upcoming visit to Kabul, Afghanistan. The messages, sent through unclassified channels, included specific routes through Kabul and exact arrival times at multiple locations—essentially a targeting package for anyone seeking to attack the motorcade. My team worked through the night, coordinating security details to implement completely new routes and timing.

These operational security gaps extend beyond obvious breaches. Intelligence professionals have long recognized how seemingly innocuous patterns reveal sensitive operations. The oft-cited “pizza box intelligence” phenomenon—where increased late-night food deliveries to specific Pentagon sections coupled with late night office lights can be correlated with operational surges— This demonstrates how indirect indicators can reveal classified activities, and how adversaries’ piece together intelligence from unexpected sources thus anticipating upcoming U.S. military operations.

The vulnerabilities I confronted at JCMA Europe weren’t confined to government operations. Corporate executives traveling through our region faced similar risks—their movements, meeting patterns, and communications potentially revealing negotiation strategies, merger plans, or product launches to competitors and foreign intelligence services alike. The same methodologies we developed to protect military operations now provide the foundation for corporate security in an increasingly hostile business intelligence landscape.

Historical OPSEC Lessons: Successes and Failures with Lasting Relevance

The Signalgate incident is not an outlier—it’s the latest in a long continuum of operational security breaches. Understanding historical OPSEC successes and failures offers insights for both government leaders and corporate decision-makers operating in increasingly adversarial digital environments.

OPSEC Successes: Gaining Strategic Advantage through Control of Information

Operation Bodyguard (World War II): The D-Day deception campaign remains a landmark in OPSEC excellence. Through an elaborate mix of double agents, fake radio traffic, decoy equipment, and false intelligence, Allied forces convinced the German high command that the invasion would occur at Pas-de-Calais instead of Normandy. This misdirection drastically reduced German defenses at the real landing sites and saved thousands of lives. For businesses, this serves as a clear demonstration of the competitive advantage that controlled narrative and strategic misinformation can provide—especially during high-stakes negotiations, market launches, or legal disputes.

Operation Neptune Spear (2011):

The raid to eliminate Osama bin Laden exemplified disciplined information compartmentalization. Planning was tightly held within a select circle, and even senior cabinet officials were kept in the dark until the final phase. The result was total tactical surprise and mission success under extraordinary geopolitical pressure. For corporate leadership, this underscores the importance of access controls, especially in M&A transactions, product development, or strategic pivots where a leak could destroy leverage or first-mover advantage.

CIA Abbottabad Cover Operation:

In preparation for the bin Laden raid, CIA operatives used a fake vaccination campaign to collect DNA samples. This ingenious tactic allowed operatives to confirm bin Laden’s presence without compromising the larger operation. The takeaway: even in constrained environments, creative cover mechanisms can support secure intelligence collection. In corporate terms, this is akin to using benign pretexts—like routine audits or supplier vetting—to quietly gather insight without revealing strategic intent.

These three examples demonstrate the resounding success which can be achieved when information is controlled and managed as a resource. Determining what you share, when you share it, to who you share it, and how you share it, can have significant advantages.

OPSEC Failures: When Lapses Become Liabilities

USS Cole Bombing (2000):

A crew member’s seemingly harmless email about an upcoming port call in Yemen was later posted online. Terrorists used this information to time an attack, killing 17 U.S. sailors. This tragic event illustrates how even low-level disclosures can have lethal consequences. In today’s business world, similar risks exist when employees post about travel, client visits, or sensitive projects on social media. A single careless message can tip off competitors or hostile actors to strategic moves.

Russia in Ukraine (2014):

Russian military involvement in Ukraine was exposed not by spies or satellites, but by Instagram posts. Soldiers’ selfies, complete with geotags and unit identifiers, contradicted the Kremlin’s public denials. This modern OPSEC failure shows how metadata—often invisible to users—can be weaponized. Corporate teams need to be equally cautious with geotagged photos, Slack discussions, and cloud-shared files, which can reveal patterns, locations, and affiliations to competitors or hostile entities.

Technologies evolve, but the foundational principles of OPSEC remain constant. Control over who knows what, when, and how remains the backbone of operational integrity—whether it’s a military campaign or a corporate initiative. Leaders who underestimate the importance of information discipline—especially in a world saturated with sensors, metadata, and digital exhaust—invite unnecessary risk.

Relevance of OPSEC in Corporate Environments Today

Why OPSEC Matters for Businesses Now More than Ever

Corporate leaders in 2025 face threats rivaling those once exclusive to nation-states. Private enterprises are targeted by states, criminal syndicates, and espionage units not just for IP and profit, but for geopolitical advantage. Key industries like energy, aerospace, banking, pharmaceuticals, and advanced tech are now prime targets, not peripheral actors.

The threat landscape has expanded exponentially with connected devices creating innumerable vulnerability points. Adversaries deploy precise persistent threats while AI transforms data analysis capabilities. Corporate targets face sophisticated social engineering based on detailed research and psychological profiles.

Organizations now exist within a global intelligence ecosystem where previously overlooked communications—contract talks, M&A planning, product roadmaps, infrastructure plans—are actively surveilled. Effective corporate OPSEC extends beyond technical safeguards to human behavior, device usage, and communication protocols.

The Signalgate incident exemplifies what businesses unknowingly risk daily: unsecured channels, unverified participants, and casual sharing of critical information—often with little awareness of consequences.

Swiss Government Case Study: Bern’s Use of WhatsApp and Threema

When the Signalgate story broke in the United States, it naturally prompted reflection here in Switzerland. “Could this happen here?”—I believe current practices make it easy for foreign intelligence services. Officially, we pride ourselves on stricter communication protocols: the Federal Council uses Threema Work, ministers receive encrypted secondary phones, and personal devices are excluded from sensitive sessions. But those of us with the luxury of a multi-decade perspective can attest policy and practice don’t always align. Human factors—habit, convenience, and assumption—remain our biggest vulnerability. This was unfortunately demonstrated by former president of the Swiss Confederation (2024) Viola Amherd, when she admitted during an interview with Swiss Public Television (SRF) in January 2024 that, although provided with an encrypted telephone, she chooses to use her iPhone instead. While in-person or meeting discussions are a solid approach towards the discussion of sensitive topics, failing to adhere to device segregation practices unnecessarily exposes the country’s top leadership to intercept. Additionally, a trail of breadcrumbs and clues leaking throughout business-as-usual conversations may tip up adversaries significant and valuable intelligence. As with the previous pizza-box example, we may not realize trivial and innocuous activities or conversations can amount to much more.

The truth is, even within Switzerland’s layered federalism, we see inconsistency. While Bern city has adopted Threema, the cantonal executive council still coordinates on WhatsApp. The local culture often leans toward pragmatism: if WhatsApp works, why change it? Yet that very logic is what makes us vulnerable. Encryption alone cannot compensate for weak verification, unclear boundaries between personal and professional use, or relaxed attitudes toward access control. We might not have had a “Signalgate” moment yet, but the conditions for one exist here as well—particularly when decisions are rushed, and trust is assumed rather than confirmed.

What we learned in 2025 is that technology doesn’t enforce discipline—people do. And no system, no matter how Swiss, is immune to lapses if the people using it treat protocol as optional. For Swiss institutions and companies alike, the challenge is not to adopt more apps—it’s to embed security awareness in everyday decisions. We have the tools. Now we need to reinforce the mindset.

Corporate Parallel: WhatsApp Misuse in a Sensitive Business Setting

In early 2025, I witnessed an OPSEC breakdown during a client exchange on WhatsApp. Added to a group chat with fourteen participants—including general managers from a major international firm and project managers from both sides—I watched as discussion quickly turned to implementation timelines, challenges, and sensitive project details.

What was alarming: three unidentified phone numbers participated without anyone questioning their presence. The implicit assumption—if they were added, they belonged—mirrored exactly the failure underlying Signalgate: blind trust in digital group membership without verification.

The timing was striking, as Signalgate had just broken in the news that week. Fortunately, minimal persuasion was needed to shut down the WhatsApp group and redirect communication to secured corporate email, where identities could be verified and proper controls maintained.

Communication Security Technologies and Limitations

Signal’s Role in Signalgate: The Limits of Encryption

Signal is widely trusted for its end-to-end encryption, but the Signalgate breach highlighted its serious limitations for sensitive communication. Messages are only protected in transit—once they reach a device, they are decrypted and fully exposed to anyone with access. If a device is compromised by malware or left unlocked, encryption offers no defense.

Signal also lacks critical safeguards: there’s no robust identity verification for group members, no access controls, and no certification for handling classified data (such as FIPS 140). In Signalgate, these weaknesses enabled the accidental inclusion of a journalist in a high-level national security thread, allowing real-time intelligence to be leaked, however, the data could have been exfiltrated, had the personal devices been compromised by foreign intelligence services. We don’t yet know if this was the case, but we know, as reported by Vice President Vance himself, that his personal device was compromised in October of 2024 by Chinese intelligence agencies.

The core issue wasn’t a failure of technology, but of operational discipline. Tools like Signal were never meant for command-and-control or strategic coordination. When personal devices and casual apps are used for critical communication, true vulnerability isn’t the platform—it’s the people using it without policy, process, or accountability.

Sectera, VIPER, and the Gap Between Civilian and Government Comms

Government-classified communication systems like NSA’s STU-III, General Dynamics’ Sectera Edge, or VIPER phones are built with OPSEC as their foundation. These devices—used by senior U.S. and allied officials—feature hardened hardware, tamper-proof operating systems, multi-factor authentication, remote wiping capabilities, and classified-level encryption. Physically separated from personal channels, they require distinct credentials, hardware tokens, or biometric access. Their design premise is clear: don’t trust users to self-protect; enforce protection systematically.

Yet these tools have drawbacks. They’re expensive, cumbersome, and unpopular with non-technical users, unable to match the intuitive appeal of iPhones—explaining Viola Amherd’s preference. Officials often resort to Signal or WhatsApp precisely because hardened devices are less intuitive and slower. This convenience gap encourages risky workarounds, especially under pressure. Similarly, in corporate environments, secure collaboration platforms frequently lose to expedient solutions like Dropbox, Gmail, or Slack because official tools seem excessively rigid or complex.

Security needn’t sacrifice usability—it should accommodate actual work patterns. Government-grade tools demonstrate that information integrity can coexist with practical functionality. President Obama’s BlackBerry illustrates this balance. Initially deemed too insecure, NSA engineers extensively modified it with hardware and software enhancements, transforming a consumer device into a hardened communication tool with encrypted messaging, vulnerable feature removal, and a closed ecosystem filtering communications through a vetted whitelist—creating a secure enclave within an insecure platform.

Despite highly restricted access—limited to a small, pre-approved group with layered controls—it functioned effectively because leadership demanded it. Obama’s BlackBerry exemplified security enforcement that maintained speed, responsiveness, and usability.

Practical OPSEC Recommendations for Business

Organizations that treat OPSEC as a leadership function, not an IT function, will be best positioned to operate with confidence and control.

For today’s corporate leaders, you likely would not have access to NSA hardened devices, nor may you have access to Sectera or Viper encrypted phones. However, the following approach will facilitate stronger and more secure communications while on the go:

Device Security

Device Segregation Strategy – Maintain separate devices for different sensitivity levels of information. Consider having dedicated devices for your most sensitive communications that never leave corporate controls maintaining the same protection factor as your managed infrastructure.
Comprehensive Access Controls – Implement multi-factor authentication, biometric verification, and strong passwords on all devices. Configure automatic device locking after brief periods of inactivity.
Supply Chain Security – Ensure that devices and software come from trusted sources and haven’t been compromised before reaching your organization.

Communication Practices

Application Security Layers – Add individual application passwords to sensitive apps, creating multiple security layers an attacker would need to penetrate.
Data Minimization Practices – Limit the specific details shared in digital communications. Ask whether exact times, locations, names, or numbers are truly necessary in each message.
Auto-Deletion Policies – Configure messaging platforms to automatically delete sensitive communications after they’ve served their purpose, reducing the persistent attack surface.
*Public Conversation Discipline – Be acutely aware of how far your voice carries in public spaces like trains, restaurants, and airport lounges. Sensitive conversations overheard in public have compromised countless operations and business deals.

Organizational Controls

Travel Security Protocols – Implement special procedures for international travel, especially to high-risk countries. Consider using temporary “burner” devices when traveling to locations with sophisticated surveillance capabilities.
Regular Security Audits – Conduct periodic reviews of communication practices and security controls to identify and address emerging vulnerabilities.
Shadow IT Prevention – Provide approved, secure communication tools that meet user needs to prevent employees from turning to unauthorized applications.
Security Culture Development – Foster an organizational culture where security awareness is valued, and proper communications practices are consistently followed.
Environmental Security Awareness – Use privacy screens to prevent visual eavesdropping, be conscious of conversation volume in public spaces, and maintain awareness of who might be observing your activities.

The growing sophistication of surveillance capabilities means corporate leaders must recognize that they too may be targeted by advanced persistent threats, particularly when traveling internationally or working in strategic industries. The case of Saudi dissident Jamal Khashoggi, tracked through compromised mobile devices before his murder, demonstrates the extreme risks posed by device exploitation.

Conclusion

Signalgate should not be viewed as an isolated government communications incident. The same operational gaps, informal communication habits, and misplaced reliance on consumer-grade apps exist across boardrooms and executive suites worldwide. The difference is only one of visibility—government failures make headlines; corporate ones often remain hidden until it’s too late.

At its core, OPSEC is not a technical feature or a compliance checkbox. It is a mindset. The tools matter, yes—but without disciplined leadership, clear policies, and a culture that understands why information protection matters, those tools will fail. Businesses that want to thrive in a contested, surveilled, and competitive world must approach communication security with the same seriousness as financial controls or legal risk. The future belongs to those who treat information as a strategic asset—and who protect it accordingly. In 2025 and beyond, OPSEC must be elevated to the C-suite, embedded in day-to-day operations, and championed as a core leadership responsibility.

Looking for Switzerland’s cybersecurity talents in 2025

Alessandro Monachesi — Thu, 06 Mar 2025 00:00:00 +0600

Looking for Switzerland’s cybersecurity talents in 2025

By Alessandro Monachesi

A message to all cybersecurity talents in Switzerland: On March 1, the qualifiers for the Swiss Hacking Challenge (SHC) 2025 have started.

The SHC identifies and selects the country’s most skilled young cybersecurity talents to represent Switzerland at the European Cyber Security Challenge (ECSC). In recent years, the Swiss National Hacking Team has consistently ranked among the top competitors. In addition to selecting the national team, the Swiss Hacking Challenge also serves as the official SwissSkills qualifier in the field of cybersecurity.

The competition starts with an online qualification phase, running from March 1 to May 1, 2025. Participants will compete in a Jeopardy-style Capture-the-Flag (CTF) format, solving cybersecurity challenges individually.

The top ten competitors in each age group (Juniors: 14–20, Seniors: 21–25) with Swiss citizenship will qualify for the onsite final, taking place on July 12–13, 2025. The final will determine the composition of the Swiss National Hacking Team, which will represent Switzerland at ECSC 2025 in Warsaw, Poland, from October 6 to 10, 2025.

However, everybody else is free to enter the qualifiers just for fun.

More info on the SHC website.

The Swiss Hacking Challenge, Switzerland’s annual national hacking championship, is organized by the Swiss Cyber Storm association.

Your browser does not support the video tag.

Resilience is key in a world gone mad – Swiss Cyber Storm 2025 motto and keynote speaker

Dr. Christian Folini — Thu, 27 Feb 2025 00:00:00 +2700

Resilience is key in a world gone mad – Swiss Cyber Storm 2025 motto and keynote speaker

By Dr. Christian Folini

Since the US election, the whole world seems to be descending into chaos.

Under Biden a US threat against the territory of an allied nation would have been very hard to imagine. Meanwhile, the new president is openly contemplating the use of force to invade Greenland. On Monday, the US voted with North Korea against a UN General Assembly resolution condemning Russia for invading Ukraine, and the White House called President Trump the King. The Old Continent and Switzerland have been caught off guard by this change in policy. Everybody expected a fresh wind, but not on this scale. It’s like everybody secured their roofs for a Beaufort 9 gale but the storm turned out to be a hurricane at Beaufort 12. Russian TV pundits are applauding divisive US initiatives, while Elon Musk provided a unique business opportunity for phishers worldwide by announcing an email sent to all federal employees. CISA and other government cyber initiatives such as NIST are being defunded, and the Starlink network used by Ukraine to defend its territory is now being actively used to pressure the country into submission.

There is a lot of headless chickening going on, the information space is in turmoil, and we are no longer sure what is real and what is fake. What facts are important and what are we missing in all the noise? It has become almost impossible to find the truth behind every headline. It feels like everyone has gone crazy.

When the world stops following familiar patterns, anticipating the future becomes increasingly difficult. Planning ahead feels like a futile exercise, yet preparation becomes more important than ever. In this time of uncertainty, resilience emerges as the essential skill and the central cyber security topic.

That’s why the Swiss Cyber Storm focus theme for 2025 is

“Resilience in a mad, mad world”

How do we prepare our businesses and our customers for the challenges that lie ahead?
How can we build architectures for resilience?
How do we de-risk our relationship with an increasingly unreliable US technology sector?
How do we secure our careers and even our personal lives against the blows that will come our way?
How do we judge whom we can trust on a mid- and long-term horizon?
How can we saveguard our assets in their cloud-native environments?
What fallout do we have to expect from this perfect storm and how can we mitigate it?

Swiss Cyber Storm 2025 will explore these and other topics using our traditional approach: We will invite international speakers to look at issues from multiple angles. They will separate the hype and panic from the hard facts, they will present novel approaches and they will help you change the way you look at the world. And we will provide you with the time and the space to discuss it all with your peers.

Get your ticket here!

Mark Barwinski to deliver opening keynote

“Resilience in a mad, mad world” is also the title of Mark Barwinski’s opening keynote at Swiss Cyber Storm 2025, on October 28. Mark’s presentation will set the stage and provide the foundation for the rest of the day.

Mark Barwinski has over 20 years of leadership experience in cybersecurity spanning financial services, professional consulting, manufacturing, and government intelligence. Mark began his career at the NSA, where he played a pivotal role in offensive and defensive cyber operations. He was deployed across multiple continents and he also served in the Afghan war. Moving on to PwC and Siemens, Mark revitalized cybersecurity teams, developed next-generation defenses, and orchestrated responses to nation-state threats. As Global Head of Cyber Operations at UBS, he led security strategies, enhanced detection capabilities through machine learning, and optimized global SOC performance. Today, Mark advises startups and other organizations, shaping global strategies, optimizing security operations, and reinforcing technical processes.

Beyond his corporate leadership, Mark is a dedicated cybersecurity advocate and writer who keeps a close eye on the evolving geopolitical security landscape. On top, Mark is an avid sailor. He is currently preparing for a possible Pacific Northwest Passage expedition in the coming years.

Mark, sailing from Iceland to Norway

Get tickets for Swiss Cyber Storm 2025!

Your feedback to Swiss Cyber Storm 2024

Dr. Christian Folini — Fri, 07 Feb 2025 00:00:00 +0700

Your feedback to Swiss Cyber Storm 2024

By Dr. Christian Folini

We’re a bit late with the conference feedback for Swiss Cyber Storm 2024, but I don’t want to launch 2025 without a proper and transparent review.

We received 62 responses, which is above 15%, an above average feedback rate for our conference. One reason could be the promise to give away a free ticket for SCS 2025 to those people who fill out the feedback form and leave their email address (so we can pick them). Said winner has been chosen and I think it’s something we’ll do again this year.

Overall impression of the Swiss Cyber Storm conference

This is the first question, also meant to break the ice. It’s a multiple-choice question and we stick to the same wording every year. This gives us some baseline for the quality of the event:

57 % (2023: 54 %) It was a very interesting and cool event, keep it up and I’ll be back next year.
37 % (39 %) It was quite good – I will consider attending next year
6 % (7 %) It was okay, but I probably won’t go again.
0 % (0 %) Bad, I won’t go again

When we take the first two responses and the latter two together to get a positive/negative sentiment of the conference, we end up with the following numbers:

2024: 94 % positive / 6 % negative
2023: 93 % positive / 7 % negative
2022: 95 % positive / 5 % negative
2021: 96 % positive / 4 % negative
2020: no conference
2019: 91 % positive / 9 % negative
2018: 91 % positive / 9 % negative
2017: 89 % positive / 11 % negative

So, very positive, like it usually is from this perspective.

Get tickets for Swiss Cyber Storm 2025!

Average speaker rating

We ask our audience to rate all the speakers individually. We don’t share this information publicly for obvious reasons but we’re open to recommend speakers to other conferences (-> just get in touch). What we also do, though, is to calculate the average or mean speaker rating which gives us a pretty good idea of the quality of the work of the program committee.

The rating goes from 1 – bad to 2 – average to 3 – good to 4 – very good. Our speakers came in at 3.20, which is the 2nd best rating ever (after the 2021 conference where the audience was super excited to have a conference at all!)

2024: 3.20
2023: 3.02
2022: 3.19
2021: 3.34 (a fanboy audience with less attendees than usual)
2020: no conference
2019: 3.04
2018: 3.04
2017: 2.96

In 2023, we had two remote presentations and two weak speakers who did not perform very well. This pulled down the numbers. We had no such thing in 2024, and the numbers rebounded. We are very pleased with this result.

Around 400 security experts and enthusiasts took part in Swiss Cyber Storm 2024

Choice of the focus theme „The AI Revolution”

95 % of our audience thought we had picked a good focus theme (“Good choice”) while 3 % did not like it. Another 2 % were not aware there was a focus theme at all, which is always a bit puzzling. But thanks for the honest answer.

95 % is the best score we ever got in this category. In hindsight, it was a homerun of course. But given we picked the focus theme in January, there was a substantial risk people would be fed up with AI by Autumn. We’ve been very lucky this was not the case. Not at all, apparently.

2024: 95 % (“The AI Revolution”)
2023: 93 % (“The Human Factor”)
2022: 92 % (“Digital Identities and How to Secure Them”)
2021: 88 % (“Securing the Supply Chain”)
2020: no conference (but it would have been “E-Health” 🙂)
2019: 83 % (“Embracing the Hackers”)
2018: 78 % (“Trust”)
2017: 67 % (“E-Voting”, but not very prominent)

95% will be hard to beat, but the topic we picked for 2025 might just do it!

Food and beverages

We no longer asked about the raffle, but we still have two questions about the food. 65 % (59 % in 2023) thought it was great, 29 % (27 %) found it good and 6 % (11 %) thought it was OK.

Over 85 % (80 % in 2023) said there was enough food and 13 % (14 %) even said there was way too much. 2 % responded it was barely enough (4 %). Something to keep an eye on since it’s really hard to order the right amount of food, especially for the standing dinner after the conference.

Where did people hear about the conference?

These numbers are always very interesting. Unlike with other questions, the answers here are not very stable. And they seem to be quite hard to influence. The thing that is clear is that colleagues are a very strong motivator for our audience.

53 % (2023: 58 %) – I’ve attended before
26 % (16 %) – Colleagues
10 % (15 %) – Through communication from a sponsor
5 % (2 %) – Through a partner organization (InsomniHack, SATW, Area41, etc.)
2 % (2 %) – Online articles in the media or blogs
2 % (2 %) – Social media
2 % (3 %) – Other

Daniel Miessler delivering the opening keynote to Swiss Cyber Storm 2024

Speaker suggestions

We contacted a few speakers suggested in the 2023 feedback, but unfortunately, none of them worked out. We’re keeping some of them on the list for the future. New additions are neuroscientist Andrew Huberman, Raffaello D’Andrea, and Rob van der Heer. Look them up if you are not familiar with these names. We’ll keep them in mind for future issues.

The next focus topic We asked this for the first time to see what we might get from the audience. Top suggestions included two previously used focus topics (that’s OK, we’re aware that only very few participants attended every edition) and then risk management. Security culture is also very hot, as is quantum.

These would all be fine topics. But none of these proposals will be the 2025 focus theme. We’re soon ready to give the real one away, so stay tuned!

Summary

With a few numbers being slightly down in 2023, we rebounded in 2024 and we’re as eager as ever for the 2025 edition. Big news will be coming in a few weeks. So, stay tuned and don’t forget to get your early bird ticket in time for the conference on October 28, 2025!

A first look at this year’s speakers

Dr. Christian Folini — Tue, 09 Jul 2024 00:00:00 +0900

A first look at this year’s speakers

By Dr. Christian Folini

We’ve made it – just before the summer break, the program for this year’s Swiss Cyber Storm Conference on 22 October on the topic of “The AI Revolution” and other hot security topics is online. In addition to the already announced opening keynote by AI thought leader Daniel Miessler, we would therefore like to introduce you to some more speakers. Five of them, here they are.

Get your ticket today!

Eva Wolfangel is a is a freelance journalist and speaker with a long-standing interest in privacy and security. She regularly presents at CCC and has an impressive track record when it comes to investigative journalism. Eva strongly advocates for transparency and accountability in data handling practices – a stance that also underlies her AI talk: “When chatbots talk too much: the risks and rewards of AI manipulation”.

Lukasz Olejnik is a very active author with an exceptionally broad portfolio that stretches from technical analysis of browser tracking mechanisms to threat intelligence to online propaganda. He is a cyberwarfare advisor at the International Committee of the Red Cross (ICRC) and has worked on several W3C standards. Lukasz will present his newest book (“Propaganda: From disinformation and influence to operations and information warfare”) at the conference, in which, among other things, he discusses the use of AI methods to create a system for information operations.

David Rosenthal, one of the best-known Swiss lawyers in the area of cybersecurity, is a strong presenter and able to bridge the gap between techies and lawyers with hands-on experience. David is known for sharing very practical guidelines and decision guides for legal handling of privacy questions (e. g. cloud storage of sensitive data). His approach to AI regulation is equally intriguing. At Swiss Cyberstorm, he will give security people an understanding of how lawyers are seeing AI.

Ruben Santamarta is a highly respected security researcher with a track record of uncovering and disclosing vulnerabilities in critical systems and devices, often critical infrastructures. Among other, he has found several issues in Swiss Post’s e-voting system. His latest work focuses on the security of nuclear power plants. As part of this research, he also looked at several Swiss sites. While the disclosure process is still going on, Ruben has promised to lay it all out at Swiss Cyber Storm.

Laura Bell Main, founder of safestack.io and former developer for CERN brings a unique perspective to the security discourse. Her take is: IT should be secure by design, and you secure it by talking to the UX designers that will define how people work with it. If the designers get it right, users will be led towards following security best practices. If they don’t, insecurity will be the default and achieving security will be very hard for everybody – especially for the users and their sensitive data.

Other enlisted speakers so far are Maya Bundt (multiple board member and chair of the NCS steering committee), Cornelia Puhze (Switch), and Matt Tesauro (DefectDojo, OWASP).

We will complete the conference schedule in the coming months.

The AI Revolution – Swiss Cyber Storm 2024

Alessandro Monachesi — Tue, 02 Apr 2024 00:00:00 +0200

The AI Revolution – Swiss Cyber Storm 2024

By Alessandro Monachesi

Artificial intelligence as a topic may seem hardly original and the number one buzzword everywhere. But it would be negligent not to make the tension between AI and cybersecurity the focus of this year’s Swiss Cyber Storm. Our motto “The AI Revolution” reflects the reality that AI is shaping the security world anew – let’s take the bull by the horns and go straight at it!

In cybersecurity, the topic of AI is interesting from the following three angles:

Attackers are leveraging AI to hit you faster and harder
AI promises to strengthen our defenses and make incident response faster and more efficient
The security of AI systems is a major concern – their contribution to the attack surface is poorly understood and the subject of research.

We will examine all three of them at Swiss Cyber Storm 2024 and provide you with the latest insights into threats, tools, capabilities and limitations of AI available today.

Opening keynote by Daniel Miessler

We are delighted that Daniel Miessler agreed to kick off the conference with a thought-provoking talk focused on the intersection of humans, cybersecurity and AI. Daniel Miessler is an information security professional, writer, and founder and CEO of Unsupervised Learning. Unsupervised Learning is a product, services, and media company with the declared mission of “increasing security and eudaimonia on planet Earth”. The company counts prominent organizations such as Apple, IOActive, Robinhood, HPE, and the US Army among its clients.

Further details about speakers, talks, and the conference will be unveiled in due course on this website.

Be an early 🐦 and get your ticket for 430 instead of 490 CHF (offer valid until May 31).

Get your ticket today!

The Swiss Hacking Challenge 2024 has started

Alessandro Monachesi — Fri, 01 Mar 2024 00:00:00 +0100

The Swiss Hacking Challenge 2024 has started

By Alessandro Monachesi

Great news for all young Swiss cybersecurity specialists: Qualifications for the Swiss national hacking team start this Friday, March 1, and will run through April 30 with the finals on July 13/14.

To join the Swiss Hacking Challenge (SHC) and compete for a place in the official team, you need to be aged 15-25 and be a Swiss citizen. However, everybody is free to enter the qualifiers just for fun.

The most successful partcipants in the qualifications will be chosen for the national team which will then participate in the European Cyber Security Challenge (ECSC) in October in Turin, Italy. In last year’s ECSC, team Switzerland finished second – the highest placing for a Swiss national team so far.

You can find more about the SHC on their website.

The Swiss Hacking Challenge, Switzerland’s annual national hacking championship, is organized by the Swiss Cyber Storm association. Furthermore, the SHC is the official partner of ICT-Berufsbildung Schweiz for qualification in cybersecurity for participation in SwissSkills and WorldSkills.

Your browser does not support the video tag.

The 2023 conference feedback report is here

Dr. Christian Folini — Thu, 16 Nov 2023 00:00:00 +1600

The 2023 conference feedback report is here

By Dr. Christian Folini

We had a very successful 10th edition of Swiss Cyber Storm. Shortly after the conference ended, we sent out the feedback forms and received 43 responses, which is 10-15 % return rate, which is in line with previous years. We send more or less the same questions every year, so we get consistent responses and we can identify trends and compare the individual editions. We also included two questions on the catering for the first time.

As usual, we make the feedback transparent to a certain extent. Apparently, we are not publishing the scores that the speakers received. But you will find the mean rating below.

So let’s dive right in:

Overall impression of the Swiss Cyber Storm conference

This is the first question, also meant to break the ice. It’s a multiple choice question and we stick to the same wording every year. This gives us some baseline of the quality of the event:

54 % (2022: 59 %) – It was a very interesting and cool event, keep it up and I’ll be there next year
39 % (36 %) – It was quite good – I consider attending next year
7 % (5 %) – It was ok but I probably won’t be there again
0 % (0 %) – Bad, I won’t be there again

With visitor numbers being more or less on par with the previous edition, we can see a slightly less bright look of the conference. When we group the top two categories into positive and the other two categories as negative, and then compare with previous years, we get the following:

2023: 93 % positive / 7 % negative
2022: 95 % positive / 5 % negative
2021: 96 % positive / 4 % negative
2020: no conference
2019: 91 % positive / 9 % negative
2018: 91 % positive / 9 % negative
2017: 89 % positive / 11 % negative

So you could read this as going back to pre-Covid levels and thus a more realistic perspective of the event. Or we did slightly less good than in previous years. Maybe a mix of both.

Average speaker rating

We are asking our audience to rate all the speakers individually. We are not sharing that information in public for obvious reasons but we’re open to recommend speakers to other conferences (-> just get in touch). What we also do, though, is to calculate the average or mean speaker rating which gives us a pretty good idea of the quality of the work of the program committee.

The rating goes from 1 – bad to 2 – average to 3 – good to 4 – very good. Our speakers came in at 3.02, which is still good, but less good than the previous editions.

2023: 3.02
2022: 3.19
2021: 3.34 (a fanboy audience with less attendees than usually)
2020: no conference
2019: 3.04
2018: 3.04
2017: 2.96

We had 1-2 speakers that really did not leave much of an impression with the audience and the two remote presentations seemed less interesting than the on-site ones.

I’m inclined to say our focus theme was about as un-technical as a security conference can possibly be. This made it a bit more difficult to appreciate some of the speakers for their very good content. This is also visible in the free form feedback.

But either way, the average 2023 speaker was rated slightly lower than the one from previous years.

Yanya Viskovich delivering the closing keynote to Swiss Cyber Storm 2023

Choice of the focus theme “The Human Factor”

93 % of our audience thought we had picked a good focus theme (“Good choice”) and 5 % did not like it. Another 2 % was not aware there was a focus theme at all.

These numbers are even better than previous years, with the positive feedback as follows:

2023: 93 % (“The Human Factor”)
2022: 92 % (“Digital Identities and How to Secure Them”)
2021: 88 % (“Securing the Supply Chain”)
2020: no conference (but it would have been “E-Health” 🙂
2019: 83 % (“Embracing the Hackers”)
2018: 78 % (“Trust”)
2017: 67 % (“E-Voting”, but not very prominent)

I would argue that almost everybody agrees the human factor is key for IT security. But as discussed with the speakers, it’s more difficult to relate with the speakers, since so much sounds like common sense and things you seem to have heard before somewhere.

Where did you hear about Swiss Cyber Storm

59 % (2022: 58 %) – I’ve attended before
30 % (16 %) – Colleagues
2 % (15 %) – Via communication by a sponsor
2 % ( 3 %) – Via a partner organisation (InsomniHack, SATW, Area41, etc.)
2 % ( 8 %) – Online articles in the media or blogs
2 % ( 0 %) – Social Media
3 % ( 0 %) – Other

We see the regular returning audience and colleagues took the position the sponsors had last year. Partnerships and social media does not play a big role for selling tickets. In fact we did an experiment with LinkedIn ads the first time this year. With almost no effect. We’ll continue to discuss this internally, but advertising for a security conference is very hard in Switzerland.

Did you like the Raffle?

The raffle is a way to get the audience engaged with the sponsors. A detailed explanation is here.

54 % – Yes, that was fun
43 % – Neutral
2 % – What raffle?

This is very good feedback for the raffle. It’s been more negative in the past, so I think we found a decent balance between making it known it exists and getting on everybody’s nerves with a prominent position for the raffle.

The Lego set is always the first prize to go in the Swiss Cyber Storm raffle – and Pascal Fouquet of the Swiss Pirate Party a very happy winner

Was there enough food & beverages served?

We asked this question for the first time. The responses vary, but not as wild as we feared. The difficulty is to make enough food and drinks available at the right moment and in a way everybody has access to them. In a hall crowded with hundreds of people it may easily look like there was not enough food when it’s in fact just on the other side of the hall. I think the numbers mean we did ok (with quite a few desserts being left behind in the evening).

14 % – Way too much
80 % – Enough for everyone
4 % – Barely enough
2 % – Way too little

How was the selection and quality of the food & beverages?

Another new question, and again one with favorable responses:

2 % – Bad
11 % – Okay
27 % – Good
59 % – Great

After yearlong problems with the catering, things ran smoothly in 2022 for the first time and I get the impression the kitchen was equally successful this year. I think this noteworthy, also since we had a vegan option that was displayed on par with the meat dish at lunch.

Speaker proposals

We’re going fully circle with previous keynote speaker Troy Hunt being proposed as future speaker. Brian Krebs was mentioned the way he usually is and a first vote for Meredith Whittaker from Signal: Great choice, she’s on our wishlist. Also two nominations for Lisa Forte. Duely noted.

Freeform Feedback

The freeform feedback always adds color and perspective to the numbers presented above. We had people being very thankful for the vegan and vegetarian options with the food and other people complain bitterly about the lack of these options. (As explained above, it’s very much a question of making the right food available to everyone at the right moment.) And also thank you for the positive feedback for the wine: Much appreciated, the anniversary champagne and wine were selected in a diligent process and we see this paid off.

Several people note they were tired by the repeated tech problems with the live demos. That feedback is warranted. We have never done much live hacking at SCS and when several speakers approached us with their plan, we did not anticipate the problems enough. Critical feedback accepted.

A noteworthy response was that the venue did not provide a cyber security atmosphere, unlike CCC for example. If you think a security conference needs to be dark and red and hackerish, then I fear we are not on the same page on how good security looks. After listening to our Human Factor speakers this is even more true.

Summary

We had a very successful conference. We are happy most of our audience plans to return in 2024 and when the feedback forms were extremely positive in 2021 and 2022, it all feels more realistic again. Thank you for bringing us down to earth again. SCS audience is the best!

The organizational team of Swiss Cyber Storm 2023 (President Bernhard Tellenbach missing, since he attended the ECSC finals in Norway)

Switzerland shines at the European Cyber Security Challenge 2023

Alessandro Monachesi — Fri, 27 Oct 2023 00:00:00 +2700

Switzerland shines at the European Cyber Security Challenge 2023

By Alessandro Monachesi

The Swiss national team has finished second at the European Hacking Championships in Norway with 28 participants. It is the highest placing for a Swiss national team so far. The young cybersecurity specialists scored points thanks to a consistent performance and their strong strategic skills, remaining composed under pressure.

Team Switzerland has finished the prestigious European Cyber Security Challenge (ECSC) 2023 in Hamar, Norway, in second place, marking a milestone in its participation in international cybersecurity competitions. It is the highest placing ever achieved by a Swiss national hacking team.

The event, which spanned three action-packed days, pitted Europe’s best young cyber talent from 28 countries against each other in a series of complex tasks. Participants had to solve security-related tasks in areas such as web security, mobile security, crypto puzzles, reverse engineering and forensics, earning points for their solutions. The victory went to Team Germany, with Denmark coming in third.

Team /mnt/ain (m0unt41n) at work

Team Switzerland, which competed under the name “Team /mnt/ain (m0unt41n)” and is made up of a group of the country’s best young hackers and security experts chosen at the Swiss Hacking Challenge, demonstrated remarkable skill and perseverance throughout the competition. It showed a consistent performance, but the decisive factor for the good final result was its strong strategic skills and great composure under pressure. “This victory is not only due to our technical skills,” explains Nicola Bühler, the team captain. “It is equally an expression of how we came together as a team, supported each other and stayed focused under great pressure. I’m proud of every team member.”

Team coach Marc Bollhalder highlighted the significance of the excellent final result, saying, “Second place at ECSC 2023 is a testament to the talent and potential we have in Switzerland in cybersecurity.” He added that the Swiss team’s success will not only serve as an inspiration for budding cybersecurity experts in this country, it also underscores the critical importance of cybersecurity skills in an increasingly digital world and the need for continued investment in this area. “It’s important that we continue to nurture and support these young talents to secure our country’s digital future.”

Team /mnt/ain (m0unt41n) at the start of the tournament

About the Swiss Hacking Challenge

The Swiss Hacking Challenge (SHC) is Switzerland’s annual national hacking championship. It is organized by the Swiss Cyber Storm association, a non-profit organization that also hosts the annual Swiss Cyber Storm Security Conference. The Swiss national hacking team is ultimately recruited from the SHC’s most successful participants, who compete as Team Switzerland at international tournaments such as the European Cyber Security Challenge (ECSC). The SHC is the official partner of ICT-Berufsbildung Schweiz for qualification in cybersecurity for participation in SwissSkills and WorldSkills.

Insights into the SCS program around “The Human Factor”

Dr. Christian Folini — Mon, 04 Sep 2023 00:00:00 +0400

Insights into the SCS program around “The Human Factor”

By Dr. Christian Folini

Prepare for an amazing keynote at our anniversary Swiss Cyber Storm conference on October 24! We are very happy to announce that Eva Galperin, a renowned advocate for privacy rights and a leading voice in the battle against big tech, will be starting our conference. As Director of Cybersecurity at the Electronic Frontier Foundation, Eva brings years of experience defending our privacy and an intriguing focus on fighting stalkerware. Her talk offers a fresh perspective on the security industry and what’s at stake these days.

In the end, it’s all about humans. It’s humans that create computer systems, it’s humans that use computer systems and it’s humans that instruct AI to abuse computer systems (if they are too lazy to do it themselves). Whatever the hard problem in cybersecurity, it’s always the human factor that makes it such a challenge.

That’s why we chose “The Human Factor” as our 2023 Swiss Cyber Storm motto. You can expect a rich interpretation of this focus theme with talks looking at humans and computer interaction from very different angles.

Christina Lekati explains time consuming spear phishing campaigns against high profile victims – and how this may become a commonplace when AI takes over the grooming period. She shares insight into virtual personae that took months if not a full year to build rapport with individual board members of large enterprises. And she will also tell us what she recommends these targeted individuals.

Edzo Botjes has used Nassim Taleb’s concept of anti-fragility and applied it to cloud architecture: How can we design systems, that become stronger when attacked? His PhD is almost finished now and we’re one of the first conferences, where he speaks about his findings.

A regular at Swiss Cyber Storm is Stefan Lüders, the CISO of CERN. A pragmatic user of all new technology, he is facing an over-complex architecture that threatens to overwhelm the capabilities of his operation. While many companies do not admit that they are no longer on top of things, Stefan has the guts to point the finger where it hurts.

Two years after our “Securing the Supply Chain” focus, Swiss company Xplain illustrates the fact that there are untrustworthy suppliers of closed-source code systems. Tim Blazytko is an expert in reverse engineering and malware analysis. He gives us an insight into the options you have to analyze a black box and to learn if it might contain malware.

Another technical talk comes from Joe Slowik. Joe is a very well known incident responder and threat hunter. He joins us to explain how attribution is getting harder and harder since attackers, namely APT, no longer have a unique signature. The techniques, the exploits, the tool set, the methodology, everything is converging and a growing number of attackers no longer download any code at all, they use locally installed tools for most of their work. This results in a situation where defenders no longer know whom they are really facing.

Mauro Verderosa returns the focus to the human factor. He is not only the key figure in the Geneva “Swiss-CyberSecurity” community, but also a hard boiled expert for authentication processes. We need authentication and we still need passwords. Multi-factor is uses as a remedy but even if you leave text messages behind, there are various pitfalls when deploying these schemes. Join Mauro for a deep insight and advice how to improve your setup.

A similar angle is used by Christine Bejerasco from Finnish WithSecure: How can we design secure systems with the user in mind? Admittedly, we can continue to blame all insecurity on the user, but that’s a poor execution of our job. Good security architecture means to take the users and the psychology into account and design systems, so that users will use them in a secure way: secure by default.

And, finally, Jospeh Da Silva: Joe who wrote his PhD about the roles and perceptions of CISOs in various enterprises. It’s obvious that a CISO can be a teacher and at the same time an enforcer of security policies. The “no way” CISO is a familiar figure after all. But did you ever think of the CISO as a messenger from a magic world the C-Level suite can not grasp? That he can be a soothsayer sharing prophecies of daemons and all sorts of evil that tries to break into the enterprise? Who has the authority to dispel the message and whom they’re going to blame if the daemons do indeed penetrate the enterprise? Joining Joe’s closing keynote with be a highlight of the day.

Please find the program with more details (and a few empty slots we are currently filling) here.

Tickets for the conference can be purchased here:

Tickets conference 2023

P.S. We previously announced a talk by Myriam Dunn-Cavelty. Unfortunately, she had to cancel her participation because of an official engagement.

The schedule for Swiss Cyber Storm 2023 is online

Alessandro Monachesi — Wed, 30 Aug 2023 00:00:00 +3000

The schedule for Swiss Cyber Storm 2023 is online

By Alessandro Monachesi

The conference program for Swiss Cyber Storm 2023 is now online – albeit with some spaces to fill in. The schedule will be completed in the next few weeks. Stay tuned for the announcement of more amazing talks on hot cybersecurity topics by selected international experts.

Swiss Cyber Storm celebrates its tenth edition in 2023 with the conference theme “The Human Factor”

Alessandro Monachesi — Fri, 26 May 2023 00:00:00 +2600

Swiss Cyber Storm celebrates its tenth edition in 2023 with the conference theme “The Human Factor”

By Alessandro Monachesi

This year, Swiss Cyber Storm celebrate its anniversary: On October 24 in the Kursaal Bern, the tenth edition of the Swiss Cyber Storm conference will take place since the founding of the independent supporting association. The first conference of this name was held in Rapperswil back in 2010, but at that time still under the umbrella of Compass Security.

The first independent Swiss Cyber Storm took place on June 13, 2013, at the KKL in Lucerne. As no conference was possible in the pandemic year 2020, the Swiss Cyber Storm association is now celebrating the jubilee year in its eleventh year of existence. To mark the anniversary and as a thank you for the loyalty of visitors, we have come up with a number of activities to benefit the community. We will announce more details in the months and weeks leading up to the conference.

With “The Human Factor”, a motto has been chosen for this year that underlines the central role of people in the fabric of IT security. But are people really the weakest link in the security chain, as is often claimed? Can user training really improve security in companies? How can organizations create awareness of threats without everything coming to a standstill afterwards? Is increased security awareness desirable at all, or rather sand in the gears? What would IT systems have to look like to be “secure by default”? At this year’s Swiss Cyber Storm, these and other IT security topics will be presented and discussed.

Learning from the specialists

Once again, this year, visitors can expect to meet a large number of national and international security specialists:

Joseph Da Silva explores the role and identity of security officers in large organizations.
In an original approach, he describes CISOs as possessing a mystical knowledge that enables them to deal with obscure threats that members of senior management do not understand.
A very refreshing keynote that offers some explanations of corporate policy.
Joe Slowik is an expert in threat analysis and detection.
He will talk about the convergence of tools and methods used by cybercriminals and state-sponsored actors, and how this complicates incident response and perpetrator attribution.
Cristina Lekati uses her background in psychology to talk about spear phishing attacks on high-level stakeholders and how strict rules alone do not provide effective protection.
Myriam Dunn Cavelty will speak about her core expertise: Cyber policy and Switzerland’s position in the international context.
One topic is possibly the new Swiss Cyber Command.
Edzo Botjes uses Nassim Taleb’s concept of antifragility in the context of organizational design and how it might be applied in cloud architecture.

Additional speakers and the full conference program will be announced at a later date.

For Tickets to Swiss Cyber Storm Conference 2023 go to Tickets. Early Bird tickets are still available at a reduced price until May 31, 2023.

How to Set Up a Great Conference

Dr. Christian Folini — Mon, 20 Mar 2023 00:00:00 +2000

How to Set Up a Great Conference

By Dr. Christian Folini

Swiss Cyber Storm has been around for more than a decade. And if we look at the positive feedback we are getting from our audience and from our sponsors, we are doing something right.

We see a lot of conferences struggle after the pandemic, so maybe it’s worthwhile to share a few insights into what makes an IT security conference great.

Since I’ve been leading the Swiss Cyber Storm program committee for a couple of years, this comes with a strong program perspective.

Rule #1: Know who you are and what you want

You need to have a vision – or at least a simple catch phrase – for your conference. For Swiss Cyber Storm this is “The Prime IT Security Conference in Switzerland Setting the Swiss Infosec Agenda”.

At first sight this may just sound like marketing blah blah. Yet it really defines the format for our conference. For us, it defines the need to bring together techies and security officers, blue team as well as red team players. The event needs to be attractive to all of them, including the venue, catering etc. Unfortunately, this also means it’s going to be on the expensive side. And in order to gather all people at the same location on the same date it pretty much has to be a one-day conference – which supposes a national focus, because people usually don’t travel internationally to attend one-day conferences.

There is much more in a good claim than meets the eye at first glance. A lot of thinking went into ours and it influences everything down to the smallest detail.

Rule #2: A great program is essential

Honestly, I doubt most of our audience attends the conference because of the program. They come because it’s fun, because their friends are going, they get to meet colleagues, the food is great, drinks are free, and it allows them to get away from the desk for a day, etc.

However, this is not how they justify their attendance to their bosses (or themselves for that matter): The most important justification for a day of absence in the company is the program. That’s why you always have to present it as a top-notch selection of exclusive talks.

So, treat the program like the most important part of the conference even if that’s probably an illusion.

Rule #3: Creating a great program based on a call for papers often fails

When launching a call for papers, you are asking for great applications based on great research. But what you are actually looking for are great presentations. Those are three wildly different things.

I’m sure you agree that the best researchers are not necessarily the best presenters. And while there is a certain capacity to follow a poor presentation, it’s tedious and the tolerance of the listeners is limited. One may get away with one or two poor presentations at a conference, but I would not really want to test the resilience of our audience in this regard.

People invest a lot of time in their applications, and they deserve a thorough review and honest feedback. But the person responsible for the conference program probably does not have the time for this for every application. And what do you do when the best applications for your CfP all deal with the same hyped topic, but you would like to have a balanced program?

The result is often a wild selection of talks that don’t fit together and many presentations that looked a lot better on paper.

Rule #4: Creating a curated program is much easier

A curated program is a program where you select speakers to invite them to your conference. This forces you to attend other conferences and scout for suitable candidates. To do this you have to read a lot, to talk to many people and generally to stay on top of the IT security conversation and the hype cycle.

It’s a lot of research and a lot of work. But you will get exactly the program you want with good speakers who know how to present their topics. Obviously, there will be speakers who turn down your invitation. But that number can be kept low if done right.

Rule #5: Create a speaker flyer

Think of this as a sales prospect that you hand out to potential speakers. The speaker flyer should address all the pressing questions of the candidates. It should show photos of previous famous speakers along with fabulous quotes about the experience of speaking at your conference. Keywords like “UNESCO World Heritage site”, “hotel room with a view on the Alps” etc. will certainly help as well.

In short: The flyer should present your conference to the potential speakers as an opportunity they wouldn’t want to miss.

Rule #6: Pay your speakers (at least all their expenses)

Speaking at conferences is a lot of fun but travelling costs a lot of time and money. The least you can do is to cover the expenses for the journey and the accommodation.

Occasionally, we pay our keynote speakers, but most of our speakers follow our invitation and all they get is a plane ticket, a train ride, two nights in the hotel, and that’s it. (Did I mention the view on the Alps?)

This doesn’t sound like much compared to the time an international speaker invests to attend your conference. But truth be told, most IT security conferences don’t even cover the full expenses of the speakers. I find that very impolite. Please pay your speakers!

Rule #7: Keep the sponsors away from the main track

I don’t know why, but many sponsors tend to deliver talks that do not resonate with the audience, especially when on the main stage. Some feel overwhelmed by the occasion or the size of the stage, others feel entitled to ignore advice (maybe because they pay money to speak). On top, the audience is expecting a poor sales talk, so this all comes together in very poor feedback for sponsor talks on the main stage.

The solution we have found is a separate sponsoring track. Ever since we started that, the quality of the sponsors’ talks improved greatly. And because the separate track allows more sponsors to present (offering more slots for talks), they have a greater incentive to bring their customers to our conference. And on top, nobody is forced to watch the presentations since we have multiple talks. It’s a win-win situation.

Rule #8: Treat your speakers like stars

Having the stars of the IT security community speaking at your conference is awesome. But at Swiss Cyber Storm, we try to also give lesser-known speakers an audience: People who have not spoken in Switzerland before or people who we feel deserve a bigger audience. These people are not used to get the rock star treatment. But we’ll make every effort possible to let them have a great time: addressing special food needs, bringing the family along, organizing a guided tour of the city, etc.

The night before the conference we run an exclusive speaker dinner. Most of the speakers meet for the first time, and our set-up leaves a lot of room to mingle and talk. Many friendships are born there. But the most important part of the dinner, I think, is my introduction of everybody around the table. For every speaker I explain how we met, what about them impresses me the most, and why I invited them to present to our audience. Many a speaker told me they were never introduced in such a nice way.

But it’s not just flattery, I really do think they’re great people, and I know exactly why I want them in our program. All I do is sharing positive vibes.

Rule #9: Coach your speakers

This harks back to rule #4. With most conferences, the communication stops after the confirmation of a speaker. With Swiss Cyber Storm, this is when the communication really starts.

The speakers obviously know their topics by heart. But we know our audience, and we know the other presentations. Working together, we can polish a presentation to perfection and deliver a talk that fits into the program and into the conversation we want to have with the audience.

Very few speakers have received this amount of feedback before from the organizers of a conference. Some are not interested, while others have an open ear. With them we continue the conversation until we think the presentation is perfect.

Btw, coaching a speaker does not mean you have to be petty. Don’t pester them into using your official conference slides template for example. This is about the speaker and their presentation and not about your corporate identity.

I think the coaching combined with the speaker selection is the key practice that makes the difference to other conferences.

Rule #10: Don’t underestimate the catering

We have been struggling with the catering far too many times. Lack of food, wrong food, cold food, bad food – we’ve seen it all. We have always given this topic all the attention it deserved, but it just did not work out. Bad luck perhaps.

So, whatever you do, treat the catering as super important. Make sure you know exactly the menu, the timing, the amount, the location, etc. And make sure the catering partner knows you are giving this your full attention and they won’t get away with a poor delivery.

And lo’ and behold: This really worked for Swiss Cyber Storm 2022. It was the first edition where we were completely happy with the catering. What a step forward!

Summing things up When you target the right audience, when you have a great venue, catering works smoothly, your speakers feel completely at ease, then it suddenly all comes together and every talk will feel like a revelation to the audience. This is when it really pays off to be a conference organizer. I crave for these moments.

Now I am not claiming the rules above to be the only way to set up a great conference. But if you follow my advice, I am confident you will be more than pleased with the results.

Time for the Swiss Cyber Storm 2022 feedback report

Dr. Christian Folini — Thu, 26 Jan 2023 00:00:00 +2600

Time for the Swiss Cyber Storm 2022 feedback report

By Dr. Christian Folini

We have been sending out the same feedback survey for several years now. This allows to get some consistency in reporting and allows for an internal discussion on a sound base. This is vital, since people tend to tell us they loved the conference, but then they vote with their feet and we do not see them at future editions anymore.

The other key to decent feedback is to send out the survey immediately after the conference. We’ve managed to do so again and landed 40 responses which is a sample size of more than 10% of the audience.

Overall impression of the Swiss Cyber Storm conference

This is the first question, also meant to break the ice. It’s a multiple-choice question and we stick to the same wording every year. This gives us some baseline of the quality of the event:

59 % (2021: 64 %): It was a very interesting and cool event, keep it up and I’ll be there next year
36 % (32 %): It was quite good – I consider attending next year
5 % (4 %): It was ok, but I probably won’t be there again
0 % (0 %): Bad, I won’t be there again

We are seeing a slight reduction on the top level, but that’s of little significance, namely because the 2021 edition was quite clearly a fan audience. The 2022 audience was bigger, and the numbers are more realistic. What we usually do is grouping the answers and looking at them through the years. This is what we are getting:

2022: 95 % positive / 5 % negative
2021: 96 % positive / 4 % negative
2020: no conference
2019: 91 % positive / 9 % negative
2018: 91 % positive / 9 % negative
2017: 89 % positive / 11 % negative

There is clearly an uptrend and I doubt we can get any higher: We have found a winning setup.

Contributing to the winning setup was also the food or more generally the catering. Getting the food right is surprisingly difficult, but after years of troubles, there’s no big problems in this area anymore.

Average speaker rating

We are asking our audience to rate all the speakers individually. We are not sharing that information in public for obvious reasons but we’re open to recommend speakers to other conferences (just get in touch with us). What we also do, though, is to calculate the average or mean speaker rating which gives us a pretty good idea of the quality of the work of the program committee.

The rating goes from 1 – bad to 2 – average and 3 – good to 4 – very good.

Our speakers did good again coming in at 3.19 without the sponsor talks. We see an upward trend here as well:

2022: 3.19
2021: 3.34 (again, quite obviously a fanboy audience)
2020: no conference
2019: 3.04
2018: 3.04
2017: 2.96

An interesting observation is that the 2017 speakers felt like a smashing success. But we have raised the average rating from the audience quite a bit during the years and while I think we had great speakers across the board in 2022, I do not think that the 2017 speakers have been worse in retrospect.

One possible interpretation is that the audience has changed slightly and slowly caught up with the shifted character of the conference. Swiss Cyber Storm used to have more technical talks and replaced some of them with presentations with a more holistic approach.

I do not want to dive into the “why” here but we can use this as an explanation why the 2017 audience rated the speakers lower than this year: The audience back then was expecting a bit more tech talks.

All these shifts are apparently slight, but I think they show in the average numbers.

The focus theme “Digital Identities and How to Secure Them”

92 % of the audience welcomed our focus theme (“Good choice”), 5 % was not very thrilled with the choice (with 3 % ignoring the theme).

How did we perform in the “good choice” category throughout the years?

2022: 92 % (“Digital Identities and How to Secure Them”)
2021: 88 % (“Securing the Supply Chain”)
2020: no conference (but it would have been “E-Health”)
2019: 83 % (“Embracing the Hackers”)
2018: 78 % (“Trust”)
2017: 67 % (“E-Voting”, but not very prominent)

Again, a clear upward trend, now reaching a height that is hard to interpret outside the idea about the shift in the audience.

Where did you hear about Swiss Cyber Storm?

This is a question that tells us about our marketing.

58 % (2021: 64 %) I’ve attended before
16 % (24 %): colleagues
15 % (0 %): via communication by a sponsor
8 % (0 %): online articles in the media or blogs
3 % (4 %): via a partner organization (InsomniHack, SATW, Area41, etc.)
0 % (8%): social media

These numbers vary quite wildly from year to year, but it’s pretty clear that we have a returning audience. Furthermore, our leverage to get more people to the conference is via sponsors and colleagues of people who have attended before. We’ve never been very good with social media and partner organizations and online articles did not contribute much most of the years.

Did you like the Raffle?

The raffle is a way to get the audience to engage with the sponsors. You’ll find a detailed explanation here.

33 %: Yes, that was fun
43 %: neutral
13 %: What raffle?
11 %: other, mostly negative

The share of people who enjoy the raffle is coming down vs those who ignore it or do not want to be bothered. It has been coming down a few years now despite the great prizes. Given we used to advertise the raffle more on stage, I double down on the paradoxical interpretation of last year: The less we talk about the raffle, the more people are annoyed with it. The not so obvious reaction would be to either find something new, or to give the raffle a more prominent position in the program. We’ll see.

Freeform Feedback

We fumbled the survey for this question unfortunately. It was simply missing. This is a pity since we always get some very uplifting feedback in this free text part of the survey. And it allows our audience to point the finger at mishaps that we might have overlooked ourselves.

Summary

All in all, we are happy with the positive rating from our audience. It’s now so high, that it’s very hard to optimize even further, and we have to make sure we are not getting complacent. Keeping up the quality is hard.

Looking forward to see you all at Swiss Cyber Storm 2023, the prime national conference that sets the Swiss infosec agenda.

Let’s talk: Next season of SCS in a Nutshell

Dr. Christian Folini — Thu, 25 Nov 2021 00:00:00 +2500

Let’s talk: Next season of SCS in a Nutshell

By Dr. Christian Folini

The numbers of viewers on our nutshell format continue to amaze us. When we did our first Swiss Cyber Storm in a Nutshell double-interview in October 2020, the success was immediately visible. It felt like we had hit a niche here and the extended interviews on cyber security topics with a decidedly Swiss perspective addressed an obvious interest.

Meanwhile we have done four editions:

SCS in a Nutshell 1: With Florian Schütz and Edouard Bugnon
SCS in a Nutshell 2: Raphael Arrouas and Tobias Ospelt
SCS in a Nutshell 3: Thomas Süssli and Myriam Dunn Cavelty
SCS in a Nutshell 4: Jean-Philippe Aumasson and Jonas Wagner

The interviews are also available as podcast:

We want to continue this successful series and it’s time to look into the next season.

And we’d like to discuss this with you, the SCS audience: What are the relevant topics for you? Who should we invite? How many editions would you listen to? Is this still the right format?

This is going to happen on Zoom Nov 30, 21:00. Please get in touch via mail if you want to join and I’ll send you the link.

SCS2021 – Talks online

Luke Flückiger — Wed, 10 Nov 2021 00:00:00 +1000

SCS2021 – Talks online

By Luke Flückiger

We’re happy to announce, that all of our SwissCyberStorm 2021 talks are now online on our YouTube channel.

Some Highlights:

Keynote: Wendy Nather on Supply Chain Security
Tech-Talk: Mario Heiderich on mXSS
Swiss National Team for the European Cyber Security Challenge: Climbing the Hacking /mnt/ain

Have fun watching the videos.

SCS 2021: Feedback from the Audience

Dr. Christian Folini — Thu, 04 Nov 2021 00:00:00 +0400

SCS 2021: Feedback from the Audience

By Dr. Christian Folini

After every Swiss Cyber Storm, we are sending the exactly same feedback form to all our paying attendees. We pay attention to send the same question, so we can compare the scores across different years. In this blog post, we’re sharing the feedback for the first time with you.

We received feedback from 25 paying attendees. That is less than the last time. But we also had less people in the audience. Unfortunately, people did not have the feedback form in their mail the next morning and that seems to be a decisive factor with regards to the return rate.

Overall impression of the Swiss Cyber Storm conference

This is the opening question. It’s a warmup question, but it’s also a first general impression. We focus on the rate of people who plan to come back the next year.

64% (2019: 48.1%) It was a very interesting and cool event, keep it up and I’ll be there next year 32% (44.2%) It was quite good – I consider attending next year 4% (7.7%) It was ok but I probably won’t be there again -% (1.3%) Bad, I won’t be there again

We see a significant jump in the positive feedback. It’s a first sign this was a good conference, but let’s not get carried away and look at the rest of the feedback form.

The Speakers

Next, it’s the speakers. We are using a scale from 1 (bad) to 4 (very good) and ask about a score for every speaker. We are not publishing the individual stats for the speakers, but the mean value is a 3.34 (up from 3.04 in 2019), which is a wild jump since it took three SCS editions to get from 2.89 to 3.04.

And yes, let’s share one individual stat: Mario Heiderich’s mXSS presentation scored a perfect “4 – very good”. That’s a remarkable premiere at Swiss Cyber Storm, we never had a 4.0 before.

What do you think of “Securing the Supply Chain” as our focus theme?

A few years ago we started to give the conference a focus theme. It looks like a detail for the conference, yet it forces us to think hard. Think really hard about stuff that matters to the industry, namely in Switzerland. And this thinking has to happen really, since it’s fundamental when we start to curate the program and approach potential speakers. We typically pick the focus theme around 9 months ahead of the conference.

And because picking the focus theme is so hard, the answers for this question really matter:

88% (2019: 82.7%) Good choice
4% (3.8%) No, I did not like this
8% (13.5%) I was not aware you had a focus theme

That numbers are higher than the 82.7% that “Embracing the hackers” got in 2019, so it’s a pleasing result again. I just wonder how much the planned focus theme “E-Health” would have scored if there was an SCS in 2020.

Where did you hear about Swiss Cyber Storm (optional)

64% (2019: 48.1%) I’ve attended before
0% (3.8%) Via communication by a sponsor
4% (1.9%) Via a partner organisation (ISSS, OWASP, InsomniHack, Black Alps, etc.)
0% (1.9%) Online articles in the media or blogs
24% (40.4%) Colleagues
8% (0%) Social Media

Here we see a shift from “colleagues” towards “I’ve attended before”. If this felt like an SCS edition for fans, we can understand why now. It’s like the hard core of our audience came and the potential new attendees are waiting until Covid-19 is really over.

I think the small rise of social media is also remarkable. This may look like it was by accident, but I do not think so, since we had a stronger social media presence this time, namely on LinkedIn where we were absent before.

Did you like our Raffle?

Let’s turn to the raffle, a polarizing topic for the audience. With the raffle we send the audience to get a stamp at every sponsor booth and if you complete your set, you are admitted to the final draw by lot and if you are picked, you get to pick one of our prizes. Among them a large scale Lego Excavator or a very hot drone that an unnamed CISO from the Geneva region selected. But given it’s such a polarizing element of our conference, the question is about feeling the pulse of how many people love it, and how many people hate the raffle.

The happy winner of our raffle pocketing his pick: a top notch drone (Photo: Matthias Käser) In 2019, we advertized the raffle heavily between the talks. We did not repeat that this time and I kind of expected less people annoyed with the raffle. However, the opposite was the case:

44% (2019: 53%) Yes, that was fun and got me in touch with Companies I did not know
24% (19.1%) Feels like a rat race, please stop it
12% (14.9%) What raffle?
20% (12.1%) Other

We are seeing more people being fed up with the raffle despite it being less prominent and less advertized on stage.

I’m reading the stats from the perspective of a fan conference again: People knew the sponsors already (most sponsors are long standing partners) and walking up to their booths again was probably not overly interesting for some 24% of the audience.

But let’s be very clear here: The sponsors are super-important for our conference. Without sponsors, we would not be able to pay all our speakers the full trip and two hotel nights. And one thing that a sponsor wants from us is a certain guarantee that people will come and visit their booth. As long as we send around 100 people at every booth, the money is well invested for our sponsors and the conference is sustainable. And look at the photo again: Is not this smile totally worth it?

Freeform Feedback

Let’s turn to the individual feedback now. I’m not going to comment on this, but it is a topic for the debriefing meeting of the committee.

Great location, great infrastructure, good to reach, good organization, well done!
Freue mich aufs nächste Jahr 😀
Overall it is a nice and well organized event but I would have liked more technical talks and had the Illusion to get in touch with other technicans and geeks (the security community not “just” the management and business edge of the swiss security companies. But overall I liked the event and it was a really nice experience
Werde die verschiedenen Präsentationen zur Verfügung gestellt?
Please have more technical talks like Marios mXSS talk
Great Job, great location, great speaker.
Thanks for organizing such an event during these hard times, with many unknowns.
Dinner buffet was out of order really quickly.
Gold Talk was a bit short on actual content. Or just teasing and interesting subject (bug bounty vs. pentest engagement). And then having proton “no logging, jk” mail on stage was a bit cringe if you’ve read the news.
It’d be nice to have a “Call for Papers” for talks, all these “sponsored” talks are feeling like ads, it’s annoying and reduces the overall quality of the line-up IMO.
Also I disliked the fact there were so many “virtual” talks, especially since the video and audio quality was awful. Please make sure both sides have a decent internet connection next time you do that.
I am also not so sure you are properly targeting a given audience: some talks are for engineers, some talks are for CISO or “higher ups”, it feels like a mix and it was difficult to always find interest in one of the proposed talks. Maybe have proper “technical track” and “management track” instead of mixing both types in all tracks?
The SCS was very well organized and as a participant you felt safe (concerning corona)

As stated above, I won’t go into any responses here. But we might do a blog post later in order to explain the concept of the conference and why there is such a mix of talks. And about the slides: They have been linked on the website in the meantime. Videos are hitting Youtube next week or so.

Speakers that should be part of Swiss Cyber Storm 2022 (optional)

Finally the question about the speaker wishlist. The requests are always inspiring and even if most of them won’t end up on our stage, some will, so these requests are really important for us.

Bruce Schneider
Fefe
Nicolas Ruff (“cybersecurity was a mistake”); Pascal Junod (“On the asymmetry of cybersecurity: watching the hacker hacking your crypto, rolling the new version once they finally got it”); Frederic Jacobs (“How (Apple) engineers are actually trying to do good and rolling proper crypto”)
Eduard Snowden
Jann Horn

Let’s Wrap This Up

Looking at the reduced number of participants and the jump in positive feedback, I am concluding this was a fans conference. We welcomed those who really love the conference and they tend to give us better grades then a more general audience. So I think the feedback has a very positive bias, I would say. We’ll know for sure when we have the numbers for 2022.

Speaking of Swiss Cyber Storm 2022: The conference will happen on October 25, 2022. We’re running a super early bird ticket sale up to the end of the year. If you want to get the cheapest tickets for the conference, then you better grab one now.

SCS in a nutshell with Jean-Philippe Aumasson and Jonas Wagner

Dr. Christian Folini — Wed, 25 Aug 2021 00:00:00 +2500

SCS in a nutshell with Jean-Philippe Aumasson and Jonas Wagner

By Dr. Christian Folini

" >

Switzerland has become a hotspot for security startups. Our program chair Christian Folini discusses this with his guests cryptographer Jean-Philippe Aumasson (@veorq), co-founder and Chief Security Officer of Taurus, and Jonas Wagner (@_jwagner), co-founder and Chief Technical Officer of Threatray.

Both startups started in 2018 and both closed successful financing rounds. Yet this is about where the parallels end: Taurus has positioned itself as a go-to shop for anything around the management of crypto assets / digital ledgers (we’re trying to the obvious term here). Taurus is therefore using its FINMA licence to address banks and investors. Threatray in contrast is a deep tech startup that supports malware analysis with machine learning and strong indexing. Obviously Threatray’s market are security researchers and their labs.

This 4th episode of SCS in a nutshell discusses the plan behind the two startups, the technology, financing, growth, hitting your market, recruiting and much more.

Video of episode on YouTube: https://youtu.be/lJDZJ5uCcJg
Pure audio podcast edition: anchor.fm MP3
SCS YouTube channel: https://www.youtube.com/channel/UCY-Wb3JuBv_xpa8s6ZrpUxg
SCS in a nutshell podcast:
- Web: https://anchor.fm/swiss-cyber-storm
- RSS: https://anchor.fm/s/4e5c0668/podcast/rss
Swiss Security Startup Map: https://cysecmap.swiss/