Well, thank you very much. And it's, it's such a pleasure to finally be back at a, at a real life event. I don't know. I don't know what to say to that intro. You've basically stolen at least two slides that I don't need to talk to. So thank you very much for that. I just want to add to that, that I've, I've spent the last few years working in security, risk and compliance in large organizations that are going through huge digital transformations. And now going back and talking to the people at the business school, I'm suddenly seeing that in what we did there in order to, to get further on that, there is some method to the madness and that there actually is some thought behind this, that maybe we in IT, and in the cybersecurity field, we don't see so often. So topics like robust action frameworks, you look that up or competing demands, et cetera.
Those are all things that I saw going through. This is actually something that we're dealing with on a daily basis. And I thought I'd share that with you. Now, before I sort of go into the whole thing, what I want to talk about today is not to look at our own teams, but how we as cybersecurity, information security and, and risk professionals, how do we operate within our organizations? How do we play together with the others in order to bring our organizations further forward? So just here in the room, and I, I realize there are a lot of people online as well that I don't see at the moment, and so that I know on whose toes I'm stepping, how many of you are more in the digital transformation piece as opposed to cybersecurity?
Good. So there's only when I start talking about how I view the digital transformation people, I will only be stepping on your toes. Very good. So let's talk about perception. If we look at security and compliance teams on the one side, if we look at digital and innovation teams on the other side, all of us think that our own team, that, that we are the superheroes of this story. In security and compliance, we are protecting the organization from all of the bad things down there. And if we do our job right, we are going to prevent the downfall of culture and civilization. At the same time, if you talk to the digital development teams, they see themselves as the heroes of tomorrow. They are the ones who are going out there and who are enabling the organizations to be that next step ahead, to move ahead of the competition. If you ask the teams how they see each other, it's a bit more like this.
So how do we move from this obvious competition and divide between these two teams to actually moving together? Because that divide, it is huge. If you just look at the risk piece of it, we in security, risk and compliance, we try to minimize the risk to the organization because that gives our organization stability. It prevents things from going wrong, and hopefully that will help the organization survive this year, next year, and the next 10 years after that. On the other side of the scale, digital and innovation people, they want to be more risky to use those opportunities, to move that one step ahead, to seize that day and to move forward. But if, and I was, I was listening to a talk a few days ago, I was saying that our huge problem here is that we live in IT. We live in a binary world. We think it's either one or the other, and there's nothing in between. So what's the solution? The classical answer to this is get everybody in the room, put a senior manager in there, talk about the organization's purpose, build that roadmap on how everybody is gonna work together on that purpose, put in some milestones, and everybody's happy.
Except not everybody's happy, because the thing is, first, there's no flexibility in this. There is no agility in this. This is classical waterfall thinking. If anything changes, and I'm not just talking about things changing in the digital piece, of new requirements, new demands coming in, I'm also talking about changes in the risk profile, new attacks coming out, new attack vectors that we have to deal with, et cetera, then we need to replan, we need to redefine all of these milestones. And if we want to commit to that method of going forward with the plan and the milestones, then we are in a constant process of replanning. And the second thing is, this is neither security, sorry, get it the right way around. This is neither security, nor is it agility. And both sides feel that they've lost. You know, the definition of a good compromise is the one where nobody, where both sides feel that they've lost. And that's not really what we want to do if we want to get to a point where people actually work together.
So how do we address this? First, we need to define and talk to each other and define what the boundaries are that each of the two parties is willing to accept, that this road that we are going down, that it is actually not totally unacceptable to the security people and that it's not totally unacceptable to the digital and innovation people either. And the way to do that is actually to talk to each other and to understand what it is that is the absolute no-nos in each other's perspective. And then the second way thing is to put in guardrails, crash barriers, whatever you want to call them, methods that protect you from going over the edge. And those things can be anything from really, really formal things: you put in policies, you put in metrics, you report on them, just to make absolutely sure that if you get even close to that boundary, that it turns up in a report and you can then act. And if that is how your organizational culture works, then that may be exactly the right thing for you, but it may be at the other. They're all, sorry. There may be at the other extreme, it may just be a thing of having somebody on your team who has had experience in the other field. So having a developer on your security team, or having a security guy on your development team who then know what those sensibilities are. And between those, and you can see that on the slide, between those two extremes, there's a spectrum of various things that can be done to make sure that we actually recognize when we are going into dangerous country and to steer us back before we go over that edge. And which one of those you choose is of course, I've just said this, this is dependent on your culture, but it is also dependent on the level of contention that you have between these teams. So how much do the development people see you as the evil empire and how far do the security people just see the innovation people as, as the minions, sorry.
And then the next thing to do is to start thinking about, does that road need to be straight, or can we start to become flexible? If we are talking to each other, then we can actually talk about changes in the environment. Our development teams can say, look, we've got this high demand from the business right now. We need to be able to do a bit more. Or on the other hand, if we are getting a new threat, a new attack, thank you very much. We need to move more and be in the security space. Then we can start adapting to each other instead of just racing down that road, stop moving more into sort of collaborative dance. And I think what we've seen in the last nearly two years, to not use the C word here too often, but that's been exactly the case. When we all went into lockdown in March and April of last year, we suddenly had a business need to do stuff that previously, as security people, we would never have allowed, but we did it because that is what was needed at the time. And then when we saw the number of attacks rising, and people actually utilizing people being at home, we went the other way and put in some more controls. And the important thing here is just to make sure that we're not always on the one side or on the other side of this road, that we're talking to each other and that we don't cross those boundaries that we're actually talking about. And there are many ways, again, that if we are talking to each other of actually not only seeing how far are we going down that road towards our organizational purpose, that's one way of looking. That's one way of measuring progress, but also to have that commitment and to ask ourselves, are we playing fair with each other? And that again can be the basis or has to be the basis of a trusting relationship between those two teams.
So how do we actually get there? First, we need to create that space where these two teams can actually meet, where they can actually talk, where they can exchange their experience, their information, and their current demands. This is something that shouldn't really be done as part of normal working. This is something that should have a special feel to it. And it's something that, especially at the beginning of the process, will require a moderator to make sure that, you know, people aren't at each throats, each other's throats the whole time. And then we should look at making sure that this is a regular recurring event, because what will happen is the following. And this has been seen in talking about grand challenges, like how do we deal with drought in, in, in Ghana, et cetera, this is where the idea comes from. The first time you put the people in the room, they will just stare at each other and you will need the moderator to get them talking about what is actually important to them. The second time they meet, they will have thought about what is said, and they may start talking to each other.
And the third time they may actually start working together on new ideas. So, sorry, very sorry about that. So what happens when you physically meet with students for the first time in, I dunno, how many years. So set up the forum, get a moderator, do it regularly. Align on that business goal and get an understanding of what the other party understands of that goal. Your own understanding is clear to you, but what it means for the others is also very important. How do they measure success? I found personally that I didn't understand the success measurement of my digital teams. And once I did understand it, I suddenly saw that I could help them achieve their goals in ways that previously I'd never thought about and vice versa. The third thing then is to have that conversation about the boundaries and the guardrails. What am I willing to accept? What are my absolute no-nos? How do we recognize that we're going into dangerous territory and what are our methods to steer us back again? And then create those common measures towards success. On the one side, of course, measuring that progress towards the com, the organization's purpose, the organization's vision, but probably even more importantly, measuring how are we working together and how are we making sure that we are treating each other fairly in this relationship that we now have? And if you do all of these things, it will then hopefully bring you to the place we can actually start embracing that freedom between those guardrails, start experimenting, start doing new stuff, being agile, and going from that piece of think, not thinking either or, but thinking both and, to capture that hopefully very big space in between those two extremes.
So this is, these are my thoughts on the subject. It's something that I've seen and recognized in a lot of the lectures that I've been going to and speaking to the professors, Oxford, but I'd also be really, really interested in your view and hopefully be able to incorporate that into a final paper that I'm currently in the process of writing and that, that needs to be submitted by the middle of January. So if you'd like to have that conversation with me, give me your insights, perhaps discuss about it, for those who are here in Berlin at the moment, grab me outside for a coffee, or else, reach out to me at that email address. And I'd be more than happy to talk to you about it. Now, I wouldn't have just come from a university if I didn't give you a reading list as well: four articles that have absolutely nothing to do with cybersecurity, but actually talk about this methodology.
Two of them are from a well-known management journal that you may not be a subscriber to, but I do know that they allow two free articles per month, I think it is. And if you ask me which two articles are, those are, that you should be reading this month, you'll find them up there. The other two articles on there, I think they are actually free to access from the internet. And with that said, if you do wanna reach out to me, loads of ways to do so, and thank you very much for your attention. And if you do have any questions that we can answer immediately.