Peter Dornheim - Build Up a Security Operation Center and Provide Added-Value to Business Operations

In the next 20 minutes, I want to talk about the security operations center. Like we build it up at our company and I will not explain some project charts or some resource planning or something like this. And I will also not talk about the necessity of building up a cybersecurity center, because I think I hope we are all on the same page that this kind of product or process or organization is really important for a company. So before we start, I want to give you an overview in which environment festival is, is working and maybe, you know, FTO as a, as a customer or as a provider, as a supplier, also from the ESA, which is a big fair for industrial automation. And we have all these nice products, which you can see here on the screen, for example, on the left side, these nice electronic art, and we have also kangaroo, which is very nice and these spider, but these are not the products which we earn a lot of money with.
I mean, these are our innovative products, our bionic products, where we test and evaluate new technologies, but this is our core business. So as you see, it's not really related in the past to it. I mean, we started also with IOT devices, we started with product it, but we have another background. We are manufacturing company. We have a lot of pragmatic devices. We have air preparation valve tubes. So everything from the past, which is not really related to, to it. And of course not related to cyber threats and in an environment like this. Yeah, we are a privately held company, a family owned company, 3 billion Euro revenue in the last year, 20,000 employees acting globally. Yeah. So let's call it a big German middle stunts company. And the question is how to build up a soccer cybersecurity center in an environment like this, where of course we are very WAYN.
Maybe you also hear it in my voice and we hated to spend money for anything. Yeah. So we are very frugal. And that's the, the first question, how you, how you make an investment for such a big topic where you have no added revenue or where everybody ask for an ROI of this project. And this was at the beginning, we started one year ago. It was how discussion. Yeah. The second discussion is, okay, Peter, the cyber security center, how does it support our core pro the core processes? How does it support to build more valves, more terminals, more industrial components. And also this was a big discussion, but then, and this is also the reason why I like it really to work for this company. Then the colleague started to ask the right question, how can so protect our core business? How can it drive innovations or how maybe new customers can be addressed with a, with a so technology and to answer all these questions, my team and me, we focus on three pillars of our.
So when we say, okay, we want to build it up. And we have three pillars, which is our guideline for the next months, for the next year. So I would say the first is we start small. We say, okay, please manage our scope. As small as possible. We have to sell results. We have to show our sock is working. What is the benefit? But we have to start small, a lot of vendors and all vendors, which we are talking about. They come to me and say, Hey, we can implement a lot of use cases. We can implement 20, 30, 50 use cases in the first one or two months, but I wasn't happy with that, to be honest. And we focused on just four use cases for the beginning. Very, very short of very small scope. The second point is the think big. I mean, you cannot go ahead with four use cases.
You cannot spend a lot of money and say, okay, now we can look at the active directory passport log or whatever that's, we're not leverage. And the third point is the preparation. When you start your soccer, that's my experience. Every security topic will be addressed to you and say, okay, you are now the security guy. Look at our firewalls. Look at our end virus protection. Look at our clients, look at everything. What we have, and you have to be prepared and have to build up a strategy, how you, how you manage all these requirements. And if you go into detail, the start small approach, I mean, these are the really important things. There are a lot of more, but these are the three topics in the start, small area where we said, okay, this is the most important topic to be successful with the ramp up of our, so, and we started this.
So, or the planning for this. So one year ago, more or less exactly one year ago. And I mean, it's sounds very, very easy or very trivial, but you have to ensure the support of your, of your management board, because you have to change organization with, with the, with the cybersecurity center or the security operation center. And you have to ensure awareness on all levels in, in your company. And for example, you also have a kind of information security campaign, which is aligned with the cybersecurity center each and every employee should execute or should perform a, a test, the web seminar. And it takes more or less one hour. And every planned leader comes to us and say, Hey, we have 8,000 employees working at our plant. These are 8,000 hours, which we cannot produce. How should we do it? Yeah. So you have to ensure the support from the, from the management board.
The second point is the vendor selection. And I also talk to other companies during our rebar process and a few companies also, which can be compared to FEO, decided to build up an own. So an own SOC team and manage it internally completely. And for me personal, this is, we decided another way, because I think this cannot be done. You look at our history, our products, we are not an it service provider, right? So we decided to select the right vendor on this vendor selection took more than six months. And I would say we are, or we was, we were not lazy with this vendor selection, but we invited a lot of vendors. We had a big question catalog with more than 60 questions, but this was learned, this was too much. Yeah. Also for the evaluation, but the window is your partner for the next three, five, or how long you also wanna make the contract for the next three or five years. So it should be yeah. A good partnership or should be able to, to increase the partnership with the window. And the third point, as I said before, was the scope and the extensions. So start with a very, or we started. And we, I think we are successful with this approach, start with a very small scope. The window comes and they want to implement new use cases. Sure. And also the partners, the colleagues, and also some executive want to see how it works and how, how the use cases are implemented. What's better than before. Yeah. But we try to do everything to protect our scope from extensions in the beginning.
So when the think big approach, the, the second pillar is where, from my point of view, the opportunity starts to create or add business value to the company. Because as I said, you cannot go ahead with just these small use cases. And you have to prepare a so strategy where you can decide, or when you can show how you want to implement other companies, our company areas, for example, operational technology, the product technology units, IOT information security is also big part in this topic. And it must be a long roadmap and it must be aligned with the stakeholders. And this is also not quite easy yesterday. We had a discussion with the colleagues from operational technology and they try to, or they think about to start their, their own sock. Yeah. But I mean, this, this makes no sense. And this should be combined in this strategy must be communicated.
And this is also a reason why it's very important to have the support from the, from the management board, because it must be one sock strategy in one company involved the existing technology. I mean, every company has a lot of firewalls, endpoint detection, software, VPN, concentrators, intrusion detection, systems, whatever it's, it's there, it's available. So use it for, for the, so technology and build up your use cases and all the techniques based on these existing technology monitoring solution, vulnerability management, a lot of reports are generated each and every day. And nobody takes an advantage of this generation must be managed and use what you have. And we did the same with our vulnerability management and also with the monitoring solutions and the integration of the players, as I said internally, for sure, the other departments, but also externally the, for example, BC and exactly, this is what I want to say.
You have also other players in the company, like when you start with this, what is your sales doing? How, what are the borders? What are the collaboration mode? What is the BCI, the business critical incident management process, how is the interface between the SOC and the, the different processes in your company? So these are the points where we said, okay, with this focus, we should be able to generate the business value a little bit. Yeah. Because I mean, it's not a project like you launch a new product or something like that, but the collaboration with the operational technology department also with our product, it, so where we developed all the new terminals and something like this, this up to now, this is very successful and it can be used also for the sales guys for the product teams. And this is a marketing instrument, right? A so,
And the last thing to be prepared step, as you see on the headline, a so is not a buy and forget service. Also, if you buy it from a vendor, you have to manage it each and every day and the vendor will not deliver the security for your company. And they deliver a lot of additional know-how. They deliver detection results. And depending on your scope, they also deliver some, some response actions or whatever, but the first or the importance point is sell your results with your reach, with your sock. Huh? Right. So show your show, your detections, make them visible, make a report. Let's let the management know what what's happening in your network and make them not feel good, but yeah. Show them that it's an added value. You, I mean, this risk page approached for a cybersecurity center is the, the common way I would say. And we also did it. We also said, okay, we have the high cybersecurity risk. We have to mitigate it. The risk is with this amount. And so that's the reason why we have to execute or implement the cybersecurity center, but also show what it's doing, make it visible to the company.
And the most important point from my perspective is this one manager, internal organization, as I said, we, we buy it the so service we had, we buy it and managed sock. But I also established the company internal team, which is fully responsible for the sock. And only for the sock, they have no other, other accountability. So other tasks, they just manage our so providers and they just are the, they just are the interface to our internal guys. It's a small team, but they are fully accountable for this topic. And it's really great because, so they have no other, other interests in the company. And they are the, the only partner for our external provider. They have a dedicated person, a dedicated contact person, and they are interface to, to the provider or to the internal employees in the different product teams like firewall like endpoint detection and whatever.
And with this internal management, I also mean that you have to value the people which are working in the other product groups, because maybe there are persons who work in the firewall teams for years, and they did a really great job and they still do it. So the collaboration between the SOC team and the, I call it old security teams, it must be really good managed, and they must be valued at each and every product group. And the last point, if it comes now, here is manage a future stock requirements. Because as I said, we started it since a few months, two months, one or two months, we have it online, our stock and the requirements, they, all the teams says, role the requirements to us. Yeah. Look here, we have this server please protected. We have this vulnerability solution, please implement it. Can you make the application monitoring something like this?
And this requirements must be managed, adhere to your initial scope at the beginning, but make some kind of a release management or something like this for your sock and implement the use cases on, on your own speed. So these are from my point of view, the, the most important points. And I also have a summary of that, where I want to show when we have the last or Mo most important topic, maybe for, for some CFOs or some financial guys, because these questions, I think in every company, these questions comes up. How can it at a value to the, to the business operation? And I mean, this is the standard formula, right? Business value is profit. Profit is revenue minus costs. And we have two possibilities to, to manage your, your profit in the company. The first one is the top line optimization with, which means not nothing other than make more revenue.
Yeah. Sell more products, make them more expensive. And this is very hard with, with a topic like security, right? There are some ideas. Yeah. We have also a combination or collaboration with our sales teams and we want to, to get them into our, our team and make the industrial security team bigger and say, Hey, we have a, so we protect the customer data kind of marketing, right. But we are far away from that right now, the second point. And I think this is more easier to, to achieve is the cost optimization. And if you ask your colleagues from the purchasing unit, you have two possibilities, you can avoid the costs, right. Or you can have a cost reduction. And these are just examples, but you have to make your calculations. And we also invested some, some time in that the avoidance, for example, pen testing, we did a lot of pen testing.
We still do it. Sure. But maybe a SOC can, can reduce the number of pen tests maybe and individual security solutions. Yeah. Two or three monitoring solutions, vulnerability management. You have to look at your existing environment and maybe some systems can be shut down. And what I really like is the external audit part in the cost reduction area. Maybe you can have a deal with your external auditor and in the annual audit, maybe they accept the, so as a implemented governance unit and they don't ask for each and every GPO release for changes and whatever, but this must be managed. And this is a long discussion with these colleagues. And in the end, without the top line optimization, I mean, for sure the costs of a SOC will lead up the cost, which can be saved by some pen test or external audits. But it's not only a risk page approach, right? And this is also a short or small level for this topic. So these are the takeaways also for the present, all in the presentation for your documents. I will not go into each and every detail of these topics here. You can come back to me after the presentation. If you have any question, thanks a lot to speak here, or to listen to me and good luck with your own sock. Thank you.
So.