We talk to Nikola Dinic, Chief Information Security Officer of CONVOTIS, about the role of cybersecurity in a modern company.


Dear Nikola – CONVOTIS has a a proven expert as CISO. To begin with, we would like to introduce you to our readers.

After my Bachelor studies (Business Administration) at the Vienna University of Economics and Business Administration and specialization in Management Information Systems, my way led me to Ireland and Norway for exchange semesters. I completed my Master’s degree in International Management and wrote my Master’s thesis on “Cloud Computing”.

My career started shortly after graduation at Big4 companies in Vienna, where I spent 7 years supporting mainly international but also domestic clients in the areas of IT compliance, cyber security as well as IT governance as a manager. The last year I spent in Zurich at the oldest and renowned Swiss life insurer, where I worked mainly in IT Risk Assurance as well as IT Security on group level.

Music is one of my main hobbies, I try to rehearse with my band as often as possible. As a former soccer player, I also play a lot of sports.


In our newsletters, we constantly focus on the topic of security. Let’s start by talking about the role of cybersecurity in a modern company?

Cybersecurity has come a long way in modern enterprises from an exclusively technical or supporting role to a holistic, integrative and multidimensional discipline that is now an enabler but also a critical building block of business objectives.

The massive proliferation of Internet services and the associated digitization or automation of content and marketing processes have contributed to this in particular. This exponential and lightning-fast growth in complexity and volume of processes as well as supporting technologies, has nowadays become a normality that will keep cybersecurity specialists but also C-suites worldwide busy in the coming years.


What are the key elements that need to be included in a holistic cybersecurity view?

In addition to the classic approach and subdivision of cybersecurity activities into Governance, Risk & Compliance (GRC for short) as well as Incident Response, in my opinion, the holistic approach as well as continuously reviewed resilience has proven to be essential in recent years. And this not only on the level of the now powerful security tools, but above all the integration of cybersecurity into all relevant business processes as well as product sourcing/lifecycle regardless of the industry, existing infrastructure or process maturity.
Another aspect that seems to be more important than ever is the human factor: best security strategies as well as sets of rules often fail due to fundamental gaps in employee awareness, which in turn have led to some of the biggest breaches in recent years.

The unfortunate truth is, likewise, that many organizations are likely to continue to face increasing threats this year, but also in the years to come, as cybercriminals become more creative and sophisticated. The only way to combat these threats is to meet them with equal creativity, sophistication and, most importantly, resilience. This is often branded as “resilience by design,” however the underlying concept is critical – organizations must be proactive rather than reactive to meet cyber threats. This primarily involves anticipating disruptions with a comprehensive understanding of current and emerging risks, simplifying cybersecurity processes, preparing specific response actions for relevant attack scenarios, and not neglecting lessons learned after each critical event or attack attempt.

However, a holistic cybersecurity approach is also based on the concept “Security by Design” – which is very successfully offered in the future Convotis portfolio and perceived by customers. The underlying idea includes integration of key security tactics/paths and solutions to enforce the necessary requirements for authentication, authorization, confidentiality, data integrity, privacy, accountability, availability, security and non-repudiation (even if the system is attacked) already in the system design or development phase.