The role of a CISO has expanded beyond technical competence and compliance – an uncertain threat landscape calls for a technically competent leader with strategic oversight across the board, from engaging with multiple stakeholders to manage and get buy-in for cyber resilience programs to communicating cyber strategies to the board.
Join Christoph Hagenbuch and Alexander Silhavy in this session as they share proven strategies to help you make critical cybersecurity decisions and provides best practices on effective stakeholder management and communication.
That also impacts us in cybersecurity. Second pillar is sustainability because everything we do has to be sustainable. You see that also on the, on our starting slide. We know the challenges we are faced with by today. So everything we do has to be sustainable and that also means by today and already what we heard by the round tables today, it has to be secure. And the third pillar is digitalization. So we are coming from business which was not that digital in the past. So everybody thought, well you having energy networks and and grid and all that stuff. There's not much digital stuff in there. Unfortunately it is. And that also affects us in cyber security. And based on that overall strategy from our group, we have our own mission statement within cyber security. And with that hands over to Alexei.
Yeah, thank you very much. Good to have you all here. I also saw some colleagues from Eon, which is great. They also attend our session that we are getting a little bit more people here. Thank you very much for that. Chris have already talked about the strategy of eon in general. For sure. We have a strategy also in cybersecurity. I brought the mission statement for you because I thought could be interesting for you to see what is our goal in cybersecurity. And we clearly connected this to our business strategy. So it derived from the business strategy. We did not do anything in our silo thinking about security and not about everything around that, but connected really. And the goal is quite clear. So we say we want to shape the energy world of tomorrow, the future we world and and this as Chris have also said in the most sustainable way possible.
What is cybersecurity doing here? Crystal clear. We secure all of this. I guess a fundamental today for each and every company is securing that technology and not just technology but also the people also the organization in itself. So in our mission statement we say we secure our customers, we secure our business who hopefully make our customers happy and earn a lot of money. We also secure our critical infrastructure because when you think about an eon about an energy company, for sure you think about energy and it's the energy networks who are crucial. We are currently in a energy war. I would say if you look to the Ukraine, I guess it's crystal clear that energy is important and it's important to secure it. Even Russia is attacking in the first instance energy networks. Why I don't have to tell you, you are also experts in this area and at the end there are people relying on us and this is the society in general. So our idea is to secure each and everything. But in an appropriate way. Chris and me, we thought about, okay, are there any conditions around that? Because we want to make it interesting for you, not just for us and would be great. We are not so much people. Let's see if we find some time at the end to discuss also a little bit general conditions on that. We brought you four points.
Yes. And yeah, that's the these things we have to fulfill and what we see to get through the lab on the first, and that's something we already heard this morning. We have to think about leadership instead of management worded in that morning that the C role in the past was more about I have to decide on which, which firewall technology we use, which partner we have. And we didn't think of what do we do with the business? And it was more like yeah, task lists we worked on and not much about interaction with people. And that's exactly what I took from this morning. And it's what we see is one of the things we have to fulfill to get through the lab. We have to come into a mode from Cecil perspective where leadership is a key. So leadership is about talking to people, not about making a tick in the box.
It's about talking to business, talking to people, being emotional. And also what we heard is motivate your people. And that's leadership. And we see leadership as one of the key elements to get through the lab of cyber leadership. The second one is that we, in the past, especially in the energy business, we had many little kingdoms. So every company within our group, every country company, everybody had its own network, its own IT systems, the theme problems, but everybody managed them by themselves. We also at in the morning in one of the talks when USC C have to talk of about to a number of 50 business CIOs and business C representatives. That is quite a lot of effort. And we say all those kingdoms we have by today that must be merged and all the different cultures we have have to be melt together. So we are forcing one culture and that's also related to our strategy because we can only connect everybody to good energy if we get away all those kingdoms, all those silos we have seen in the past. And culture is a key for that. And the sees role in that is quite clear. The Caesar the one who gives the direction for the whole cybersecurity community who's living the good culture. And yeah, besides that too, we have two more things to to break down and to overcome.
Yes, on the one hand side we have the new norm. So don't know how, how this was for you. For me, if I talk to friends today I say it's crazy how my life changed due to Corona, especially in the working area and the working world. So I've never asked myself why I drive to the office every day in the morning somehow crazy. Yeah. Today I'm just working from the home office, very seldom in the office traveling around the world to the colleagues. But that's it. Yeah. So offices are in a total different manner today to use them. I guess it for everyone that was changed due to kohona.
It's, it's not just asking yourself why do I drive to the office or I don't have to drive to the office. It's much more about we have a more flexible, we have a more mobile world and we have a more, much more decent decentral working world. And due to this, it's also that we all have to learn new skills in my opinion. So it's not just enough to do everything as before co-owner, it's you have to adapt to the new normal because it's there. It will not go away. And there are skills needed on the one hand side for persons, for people on the other hand side for for the organization in itself, we are today talking a little bit about also leadership and I want to give two sorts to that. So for the employees for sure, it's much more self-organization needed. They are in the majority of the time, at least if I talk for us at Eon, they are in the home office.
They have to organize themself and they have to lead themself. So self leading is a topic for employees but not just for the employees in the company. Also for the leaders, if we want to call 'em like that, they have to learn virtual leadership. So what to do if my colleagues don't want to come to the office, what to do if a team member asks me why I should come to the office because people ask themselves, hopefully you do you do that too. And we as the leaders have to have answers for that or we have to have reasons and have to explain why this is important. And if employee think that's an argument, then we will meet in the office, have collaboration meetings, whatever workshops. If we don't do that, if we don't adapt to this change as a, as a a organization and as the people in the organization, then I guess we will directly get into a digital divide, which means some of the colleagues will adapt to the new situation, to the new normal as us will not. And we don't want that from a cultural perspective that we are dividing people. So it's important to think what are new skills in the new normal,
But it's not just a new normal as Hagi Setoff. And by the way, thank you very much to the technical colleagues, that's such a cool set here to work on the state. Very, very good. It's not just a new normal, it's also the skilled that skilled security folks are needed. Everyone needs security experts. I don't know a company which would not get buy in for a, for a security expert if you wants to apply for a job in a company. However,
These people will look at, look at the company and at the culture and they will ask themselves, do I want to work for this company? At least I do. And especially in the area of cybersecurity, we have a market where, as I said, everyone is looking for experts. So coming back to the, to the new normal, if I don't adapt the new normal to my company, to my culture, I will not get the right people. At least that's my opinion. But let's see at the end, what's your opinion on that? Yeah, because people choose and they have much more opportunities today. If I look at LinkedIn or something, there are job offers where they stay 100, 100% remote. You can work for a company, Los Angels from Berlin, not a problem. But are you able, have you talked about have you have you have you do you have the skill about virtual leadership for example? All this stuff is really, really important in my opinion, to survive as a company. Let's be honest, there is more than culture and being a nice company, there is also this money aspect. People are asking for money. Just an example from Eon, I know three colleagues who left Eon due to monetary reasons.
Two of them called us three months later and asked if they come back to Eon, can come back to Eon because they figured out it was not the money, it was the colleagues, it was the culture, it was the company, what they loved. Easy set, eh, everyone is looking, looking for money for sure. But just keep this in mind. And also this is where I want to come back to the why. Why are you working for someone? Because me we know. Yeah,
And what What you said exactly, it's about people coming back. It's about cyber leadership. Cyber leadership means we have a good culture, we have a good environment and we never talk about business units. We talk about the cybersecurity community because we are all part of the group and that's the spirit we see And that's maybe the major key to get through the labyrinth. But another one, I think we have it on the next slide,
What's also key? Yeah, the question is if we talk about all these conditions, that's really nice, but who should take care for this? Who's the one responsible to do all of the stuff I talked about? And for sure the answer is everyone is is every time everyone has this role in the company and has to take care. But there is one everyone is looking to, especially the board and this is the chief information security officer. Funny story, Our chief information security officer Renee talked about, talked with us about the slides, we showed them what we want to present for sure. He said, yeah, very good, but we have to change a little bit. And then the presentation was completely new after that. But that's totally fine also learning for us. But he said something like, Hey, I saw this picture from rna, don't know if you know this guy.
Yeah, from a Netflix series. He's a Viking. Yeah. So we thought, okay, we, we know why our took this, took this picture because he feels a little bit like a Viking, but that's not the case. We asked him. It's much more like he said in this serious RNA was never asked to do something. He proactively took the power to do something and this is what we want to reflect today. The chief information security officer at the end has to proactively take his power. He has to do all the stuff. Let's be honest, who in, who is interested in security? If I talk to the business and explain to them whatever two factor authentication they can activate on a voluntary basis, you know what they tell me? Thank you very much for that. Do they activate at least not our business? Yeah. So we have to force them or really help them to understand.
And this is what the chief information security officer in our opinion or in my opinion, should drive forward proactively help the people to understand why security is important and make them affected if they don't feel it. For example, we hacked all our phones in the time where we spoke. Yeah, no, not really, but this could be one, one part where we say we make people affected. For example, we are fishing for our board. Yeah, our chief information security officers going into the board telling them, By the way, at the end of the meeting, by the way, if you forgot your password, just give me a call because we fished you and we we got your passwords. And then they feel, oh, there is something. Yeah, if you can do that, someone else could do it. And now I forgot the sentence I wanted to say for the next slide. That's because I've just pressed now we see what's coming there.
Yes. So the question is if the chief information security or officer is the one we tell you who is responsible for that? Who's accountable for that? How should he or she do all of this? Is there a superhero out in the world who can make this magic happen? And the answer is hopefully we, we are also no fortune teller. So I have no clue about that. But this is what we worked out and said that's important at the moment. And this is what we saw at Eon. So this is not talking about theoretical stuff, but what what we did. The first one is tear down xylos join your forces. So it's really important that you say we have a good connection to our business. We understand our business, the needs, the challenges. What we at Eon did is we put our information security officers, so the security responsible guys and ladies in our company, we put them into the businesses.
They are not somewhere in a central organization. Yes, they are from a functional perspective in cyber security, but they work directly in the business. They are on the payroll of the business because we don't, we don't, the payroll doesn't care if the money at the end of the month starts fine, but we have the same mission. You'll remember this first one. So this is why we say tear down all silos in the direction of business. And at the moment, for example, we are focusing on, I don't tell you any lose I guess that we are running from one crisis to another at the moment in the world. This is why we said disaster recovery seems to be getting more important and not just disaster recovery, also business continuity. So we said let's bring this people together because they are not in the cybersecurity organization. Let's take the BCM lady, let's take the business guy, let's take the information security officer and let's take someone from the business, put them in one room and they talk about what does, for example, disaster recovery means for us in the Italian business. So don't work in silos.
Then we can look forward to the risk we have to manage in the future. And as I said, I'm not a fortune teller. I have no clue. We could ask Gartner or so we, I'm quite sure they have some risk for the next year or the next five years even for the next 10 years. However, what is really important, and this is something our chief and for, hey, why do you leave? Not that well, all right. Our chief information security officer had a good idea, good thought on that. He said, you cannot look into the future, just look what happened in the past and learn from that. And he said, for example, do you remember these cloudification discussions in cybersecurity where everyone tried to avoid it? We are going into cloud because it's not secure you up. And we ended up in cloud. Don't know how this is in your companies, but I guess everyone ended up in cloud or you will end up in cloud. So don't put your efforts into thinking how to avoid something. Just think about solution orientated. How do we do this? Because the business will do it. We not at the moment, we now, if I talk about ot, I guess everyone knows what I mean. So really the SCADA systems in our, in our world and the energy networks, the business will go into cloud with our operational technology one day. That's quite sure. So we should prepare for this. Prepare is better than being surprised. And for this, you need a lot of skilled people.
Yeah, I would try to run a bit faster to keep the time.
Sorry for that. Yeah. If I start
To thought we talked so long, what's important for us, and that's also part of the leadership we see, is think about which talented people you need for the future and to set this fundamental to also have enough people in cybersecurity. We are by today forming the future workforce. And we are not just hiring all those techy stuffs. We, we are not just looking for that one who was administrating fire war on IPS for 10 years. We are looking forward for people who on the one hand are keen to learn something on cybersecurity and we are forced to search for those talented people also in the business. So we are taking more and more people from the business units, which understands the business. And because that's also clear steering from our C who says, well the most important thing is to understand our business, to bring them a secure environment.
That's the one thing when we think about the workforce. And the other thing is about, we wrote down leading by example. That's also part of cyber leadership because we heard a lot and we will hear much more about crisis ongoing, not enough people, more and more techs, more and more tech vectors. Yes, we can implement this and that tool. Have a look at the, at the booth outside you will see enough tools you can implement, but you need the people to implement. So we would have more than enough work to be done. But it's important. And that's also an important feature in cyber leadership, that you have a good team being led in the right direction and not forced into 20 hours working a day because only if we think enough we can also keep up with the threats out there. And that's also an important part of cyber leadership. And that's I think all those four topics we see within eon to be done at the moment and part of our culture, part of our mindset, which helps us to get through that lever. And we, we have two more slides left, so we'll raise the time a bit.
Okay. We have two more minutes. One more, two more minutes. All
Right. So we talked a lot. Hopefully it was a little bit like you say. Okay, some valuable points for me is something I take away at least if there is one point we are happy. I would say hopefully also you recognize that there is one point in everything, which is really important. This is the people, this is just the pure people. Leadership means bringing together people, giving them a mission. And hopefully they are motivated in a, in a way which is not just for money, but for the real important stuff like having a good life and having a good life means for us meeting together with the whole cybersecurity organization, you can see them here really diverse.
And at the end it's the people who work, the chief information security officer will not get managed one topic without his people. And this is why we say it's not a one-man show. And it's really, really important to have a team spirit. You cannot force these things, but you can give a frame to it and help the people to network to get to know each other, to get into a situation, especially my team where you say, just grab the phone call A colleague three days ago, one of my team members said he wants to drive to Bucharest and he's from Italy. I said, just call the colleagues in Bucharest. They go for a beer with you in the evening. I'm quite sure. Yeah, but I'm there privately. I said, Yeah, you can drink with them a beer privately. Yeah, it's possible because it's much better working then. So bring the people together
And I think the main question we all have to answer, that's what we get from our leadership team is it's just a simple one written down there. What can I do? What can I do to make another colleague successful? And another colleague is not just cyber security community, it's part of the whole group. So what can I do to make another colleague successful? Also means from our own perspective. And we steer from our leadership, bringing security to everybody, make it part of our dna. And at the end that also contributes to the strategy. Bringing good energy, which means secure energy, no blackouts to the people.
Yes. And also to stay a little bit compliant with our corporate branding. We have a last slide, which is more or less like the incorporate branding. Thank you very much for that.
I think it was very refreshing to talk to you to, to two, let's say future CISOs. Yeah, I was very refreshing. Completely different perspective. I didn't hear a lot of
Technology's right. What's, what's what's,
Can you share with us what's your technology background?
Our technology background? So my personal technology background, I've been in a fiber operating proxy, all that security stuff for nearly 15 years. So I learned technology from the, from the ground. And we also see that the knowledge on technology is important, but we do not all have to be an administrator. But we have to understand technology because technology is so fast changing at the moment. That's, and that's also what we see is important. We train people who say, I need more technical background independent from their role because it helps to understand the whole environment in a better way. And
Yeah, makes a better place at the end.
Yeah, I, I also worked for the military for four years also in operational position and then went over into a project for digital radio. So a critical infrastructure in Germany. And was there part of the security management really operational. So somewhere in a console. Yeah. However, after the years it's getting much more away from technology. And I guess that's one of the challenges. Yeah. Not to lose this technical perspective, but also focus
On, Yeah, I think when, when we, when we all believe that digitization will be part of everything we do of our identities, but all the processes, etc. And security is also part of everything. Right? And therefore we have to involve everyone, be it the technologists or other people in that topic. Right. And I think you made a good point to that. Thank you very much. Thank you.
How can we help you