Event Recording

Insights of a CISO: Interview with Markus Weißensel

Log in and watch the full video!

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
I'm very here. Very happy to be able to welcome you to this interview session. For those of you who are new to the Casey life. Let me explain what this is all about in these sessions. I, I normally talk to C level manager about, about topics, personal history, their current challenges, especially of course, in the area of cybersecurity and also about future challenges. I'm better call I'm the CEO of putting a code. If today, I welcome. Michael's licensing from folks pet as my guest, Michael, happy to have you here.
Thanks for having me pleasure to be here.
Yeah, Marcus, you, you work for a company which one can count to the so-called hidden champions here in Germany. Folks, pet look from Manheim and you have this nice background picture of Manheim. I believe she's nicer than my picture. My background with 5,700 plus employees, but I'm sure not everyone may know folks pet. Look, can you describe what is doing?
Yeah, absolutely. Thanks for the shop introduction. And also, thanks again for having me. Let me say some, some quick words about our company that we listed in, in the Ambox stock exchange list in, in Germany. And we have a sales of around 2.5 billion per year, increasing steadily. We have around like 6,000 employees around the globe in 62 different subsidiaries with around 90 different sites, different locations where we are, are manufacturing. Our, our lubricants, we, we are producing like 10,000 different products, lubricants that, that ranges from the typical motor oil for, for cars, but also some very specialized lubricants. Like for instance, the mass Rover that just landed on the mass some weeks ago also used some of our lubricants. So we have a broad range of, of products that we, we manufacture you. Exactly. So as you say, not, not many know us only most, most, most of the, of the car guys. I always say that the guys that I really like cars yeah. They know us from the motor oils, but we do not do not sell on the, on the direct client market. It's more like business to business. Yeah. Where we sell. So we are not, not commonly known on the, on the private market. Let's call it that way.
But of course it's, it's, it's a big company and it's, it's a valuable company and yeah, I think as you said, or, and as I said, true, hidden champion in what about you? What was your, what's your background?
I, I joined folks back in 2016 and took over the role as the chief information security officer, where I'm responsible for globally, for the information security from the background. I studied business administration also in Monheim and then joined some large global working consultant companies and yeah, traveled the world. Let's put it that way. And then finally came back to Monheim and, and joined folks where now, as I said, since thousand 2016, I responsible for the information security globally. Yeah.
Can you help you to understand how, what do I have to do in order to become a CSO? So what, what is, what is the secret behind that?
I think it's, yeah, it's some kind of development story. Yeah. Back in the days when I joined folks, we did not have actually a C role established. We had lot of security related staff around the globe and very decentralized, but we had no central C organization let's call it that way. Everyone was doing information security to a certain degree, but not, not centrally organized in a certain way. We also had no clear CIO. We had a lot of different hats of its in the local sites, but no, no globally centralized steering at, at that time. And that developed throughout the last five years now.
Yeah. I mean the, the C in the word CISO is means chief, and that indicates that you regularly or frequently talk also to the board. So what, what can you say about this? So what is the board actually expecting from you and how often are you talking to them?
I think one of the most important, yeah. Skills you need to have as a C is that you do not wait until the people come to as ask for more security, must be more like a proactive search or for risks. Yeah. And I think that's especially true in, in the area of SAP security. Cause from my perspective, and also from the, from the conversations I have with some, some peers in, in a lot of companies, especially the SAP topics are hand like a black box and everyone is afraid to open that black box. Cause they're afraid something might come out, which they cannot handle and they just hope that nothing happens. Yeah. And I think that's also true for a lot of other areas in, in terms of information security and what, what is also important from our perspective is that it's not just it security, it's information security. So also the key assets information belong to that, to that area. And as I said, you have to be a proactive risk searcher and, and go to the different departments and areas and, and have a look here where you need to have more higher security posture. I think that's one of the key and the most important things you need to have as a CSO.
Yeah. So bring it all together. So let, let's go step by step. Obviously you are completely right. It's technology and people and processes, etcetera, but let's talk about technology first. So what what's, what are the main building blocks in terms of technology components of folks, you of course have an SAP system, but you certainly have other infrastructure components as well. Right?
Yeah. As I said, we, we started back when I joined together with my, my former supervisor who he, he also joined in 2016 and we started the cloud travel, the cloud journey. As we always say back in those days, we were reluctant to go to, to the cloud. And now we have ramped up the, the complete office 365 stack. For instance, we have ramped up a lot of SAP related cloud services. So we are really on, on travel to the, to the cloud. And we are already there almost would say, yeah, I mean, of course we also have some upcoming topics like S for HANA, for instance, but especially in, in the SAP area, we have C, C we have an, an eCommerce shop now round up. So we have a lot of big developments in the last, the last years we have front up success factors for instance. And we have the typical cloud services that, that are quite common now today. Yeah. But I also know that from, from the conversations with my peers, we, we still, yeah. We still at, in a driver's seat, a lot of companies come to me ask for the experiences we made throughout the journey. And it also true for my colleagues. So
Yeah. Now, so you described various elements of your infrastructure, but I believe it's fair to say that the SAP system is the backbone of your infrastructure. This is the system where the so-called crown tools it, right. And, and with, with a move into the cloud with, with new technology, with, with recent digitization, I think the, the attack surface increases, right. I mean, Twitter Sims in her presentation mentioned it that 74% of, of S systems are connected to the internet. Right. And, and downtime often SAP system cross an awful lot of money every day, perhaps even every hour. Yeah. So, so, so it's it, it's, it's, it's, it's the most critical thing, is it a true statement to say when, when you think of your job as a C, so that looking after SAP consumes quite a big portion of your time,
I think it, it should have a big portion of the time, but it's not yet enough from my perspective here. Also here we are on a journey. We started like two or three years ago with internal assessments. We included internal audit colleagues for instance, and we are also there on the development journey. And now we started to also yeah. Work with, with external partners in order to, to get a handle on that. Cause from my perspective, and also the experience I made in the last years, it's very hard to, to cope with that with only internal staff. Yeah. You always have delays in the projects and everything. Yeah. Because you, everyone is, has so much other stuff to do. And I think it's, it's really critical that you, that you really get involved with some external partners to, to have a clearer picture and get the transparency of that black box. As I, as I already said, which is from my perspective still for the most companies. Yeah. I think they, they, they always act like, okay, we have so many other problems. We have so many problems with those fishing topics around. And I think SAP security is only priority number two. So I think that needs to, needs to change a bit from my perspective in the future.
Yeah. In my experience, when I, when I look in companies, I do see typically two types of, of people or organizations, even I many people have many organizations have it security partner. And of course the people working in that department, they, they know everything about it, security and named it, fishing cetera. Cetera. And can you still hear me?
Yeah. You're breaking up a bit, at least at my end. Can
You to hear me?
It was a bit scattered, but now
Can you hear me again? Yeah. All right. Okay. So let, let me repeat my question. So the question was in, in, or I, I do see in organizations, it security departments on the one hand side and of course, SAP department on the other hand side, right. A question. And often it's the case that the, it security people don't understand SAP and the ASAP people don't understand security who in your organization is actually responsible for SAP security now.
Yeah. That's really interesting question. That's also that the point I wanted to make earlier that you have to go and, and search for the risks and, and do not wait until someone comes to you and asks if you can handle that one. And I, I did exactly that for SAP, when I started the C role, it was absolutely not included in my let's call it role or chop description that I am responsible for that one. But I picked it up when I started the assessment here. And as I said, we work together now with external consultancies. And we had really interesting findings that in our last assessments we did that. We have a lot of skilled people within the SAP teams. We have a lot of different SAP teams of course. And the findings were that we have those skills around, but we just need to get them organized.
Yeah. And also what was very interesting from my perspective, it was some kind of pool effect that the, the, the colleagues said, okay, we want to get more trainings in that area. Yeah. They proactively said that they want to have more trainings and get more skills there, even if they have already the skills, but it's just not really organized. And I think that's where it all starts. I mean, you can do a lot of penetration testing and technical testing and whatnot, but I think you also have to take care of the skills you have already in the company. Because I think as there are, most, most of the guys are really skilled there and, and know what to do.
Yeah. And then when, when you look at, when you start assessing your SAP system, where, where do you actually start? I think many people think of course, along the lines of authorization, concepts of user segregation, of future place, a role, of course, everyone knows about security patching. So what, what's your recommendation since you are on that journey for quite some time now, already,
You mean from, from those organizational point of view or from the technical
And I, I mean, so what, what are, what, what, where do you start accessing the, the security problems of the SAP system? Is it the authorization schema, the, the access topics, the segregation of duty problems? Is it the security patching or, or is it code security? Where, where, where would you recommend to start?
I mean, that's, that's all, all of those parts are important from our perspective. We just be to get, get a parcel. Yeah. Put them together and you have to take care of all of them. Yeah. But I think we, we started now doing an assessment on an organizational point organizational level and, and, and on a role based and skill based area and want to dig into that deeper now. Yeah. Now we want to build up some kind of operating model and sort it all out. Yeah. Because we think we have already, the most of the skills we have already just need to build some kind of roadmap, what, what is missing and also build some, some, some clear processes. What happens when, when things like incidents come up. Yeah. Because nowadays it's, it's more like, okay. Everyone knows from, by experience what he needs to do or he, or she needs to do. But I mean, it should be more precisely put in some documentation and things that, that people can, can stick to. Yeah. Because nowadays it's only more or less in the heads of, of the SAP teams. Yeah. That's, that's my experience. Although when I talk to, to peer partners.
Yeah. So, so what I'm hearing basically is that, that, that it's one, it's, it's one of your job to bring the security guys and the SAP guys together and increase the awareness on the SAP side and increase the SAP knowledge on the security side. Right.
Exactly. Yeah. You always talk about those three lines of defense, like SAP teams, the, the audits, and also the security teams, but you, you, you need to make sure that they interact. Yeah. And they exchanged the skills and the knowledge they have also in between different SAP teams. Yeah. We found out that there should be more knowledge and information exchange and experience exchange.
Yeah. Yeah. I think Marcus, you are an early mover with looking at SAP security, but I, I bet you are not yet done with everything. Absolutely. So what are, what are, what what's coming next? So what, what are your upcoming challenges?
Yeah, I think for, for the time being it's up to us internally yeah. To, to, to build up some kind of, of yeah. Of roadmap and some kind of basic operating model where we figure out what we have already, and then we can start building the, the target picture and, and fit into in the parts that, that are missing. Yeah. And we work together with, as I already said, with external partners in order to, to get that done, because as I also already said in the past experience was that you can, I cannot manage it on your own only internally. Yeah. It won't get there. Yeah. Or it takes much to wait long. Yeah.
Yeah. Yeah. I think, I think time is, is, is, is running out. And we could probably go on for a couple of more minutes. Yes. But I think we heard already a lot. I think you gave us a little bit of an idea about how to become a CSO, what the role of a CSO is also in relation to, to the board, what your main challenges are, especially when it comes to SAP security and, and that it's all about communicating with everyone involved to, to do the right things. So, so that was, that was a great talk, at least from my perspective. And I think you are with us later on again for, for, for some more questions. Yeah. So, so looking forward to that in the meantime, thank you very much for being with me for, for having, having this great session with me. And I also hope that our audience enjoyed it and yeah, I'm looking forward to, to, to have more of these interesting sea level type interviews and upcoming case life events.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00