CISO Panel | Securing the Composable Enterprise

Yeah, securing the composable enterprise. Thanks Martin, for your, for your keynote to discuss this, obviously we have to clarify two things. What is that composable enterprise? And secondly, obviously how to secure it. And thankfully I have some help to explain these two topics. All of you, they are coming from companies. You all know. I'm pretty sure about that, and I'm really honored to have them here. So I practice start on the right hand side for me. I introduce Navi warm welcome from Hanza group Caesar from Los family group. Thanks for coming.

Then we have Renee Caesar from eon also, thank you very much for being here with us. Then we have Michael Frank from Adidas C from Adida. Thanks for coming. And then two former colleagues of mine, Carsten from Deutsche bank, deputy CSO, and also head of technology, data and innovation, which sort of fits to the topic very well as, as well. And finally, Henry feer, chief security officer of Deutsche be group or German stock exchange for those who don't know DEU be well enough. Thank you all for coming. Thank you. Yeah. What is the enterprise? We've heard some passwords from Martin already.

It's agile, it's decentralized it's reusable software, API driven. What else? Modular new business opportunities can be realized by flexibly combining so-called packaged business capabilities. I do. I would hope that this is not wishful thinking. And so on of force with other words, it's like higher, further, faster. I'd like to start off our discussion with a quick Porwal. So I'd like all of you to tell us in your view, what is the composable enterprise?

So is it, is it just another buzzword of, of some Analyst? Is it something for startups? Is it perhaps already happening or, or is it just some vision and you never will, will, will, will achieve it. So I'm really interested to, to get your views on that Navi. Would you like to make a start Better? Thank you very much for having me again on stage. What is a composable architecture or enterprise, frankly speaking, we at Hanza group, we are current currently not using the naming of composable architecture or composable infrastructure or enterprise.

Nevertheless, I truly believe that, you know, all those things are passports that you have mentioned it coming from Gartner or from other Analyst have been in the one way or in other one, you know, addressed by our company in terms of the aspiration to become the most digital airline of the world, meaning that we have to tackle a lot of challenges coming out of the customer demands that we do have in terms of being more agile, more flexible in terms of also, you know, responding to the fast demands that we receive from the customers on a realtime basis.

And it is clear that we cannot do it with the legacy environment that we currently operate. That's why years ago we have started with our so-called digital transformation and in this digital transformation, of course we do have one part, which is, I would say infrastructure driven and related where we are now going to the cloud. We are adopting, you know, new ways of working. We are modernizing our infrastructure and to network with software defined networks. And I don't know all those things. It is the one thing.

And the second thing is clearly when, you know, adopting the cloud, it is necessary needed. I would say to deal with the native cloud concepts, what we are currently doing, it is one thing on the other hand, we have also started cyber security journeys three years ago, where we clearly said that we should not, I would say, you know, we should not wait until those modernization have been done in order to build in the security afterwards. That's why, of course we intended to, to, to, to, to, to, to really make a so-called build insecurity with all those things.

So for me, if I see now the single puzzles, I will say, okay, that's what we're doing. But honestly speaking, we are not using the naming of composable. So I heard cloud, I heard more flexibility.

Alright, Renee, what's your view on that? Yeah, I have to admit that we are also not using this terminology at eon. Nevertheless, I think that's, that's describing the journey we are on. So in the electricity and gas industry, we are coming from central power generation and we are now going into a world where the electricity is generated locally. And every player in the market is basically connected to our network and to support this business, we need exactly this, although we don't call it like this, but it has to do a lot of, a lot with cloudification bringing or connecting many players.

Also it wise to our networks being more flexible and very, very decentral. Thank you, actually. Yeah. So actually, when I read the briefing paper for the session today, I was quite grateful because I learned a new buzzword that's that's at least how I felt, but I mean to aside, so being with Adidas, we are in a very fast paced industry. And so for us, we had to adopt very early to certain new technology. And that also means for us, for example, zero trust is something we started building very early and I guess looking at my peers as well, we by far have the largest cloud adoption.

So we have more than 80% of our workloads in the cloud already be in SA as I et cetera, and not only lifting and shifting the stuff, but really rebuilding it from scratch, make it cloud native. And obviously when we were talking about composable enterprise, those components, we are talking about, that's what we have in many environments already, so I can live with the term, but I'm also quite happy to, to learn something new.

Yeah, I was trying to, in honest words, translate what my colleagues said and what we discussed earlier in the waiting room as well. We needed to Google composable enterprise because we didn't really know what that is. If you think about what that is then in banking terms, I would say if we look back last century banking was pretty much driven by somebody going into a retail crunch handing over that bar. And that was banking and banking nowadays is happening. Digital everybody's using a banking app, not necessarily the app of your bank, but a financial or banking app in the cloud.

So to Michael's point, we are definitely not 80% cloud, but if we would follow the logic that our client data is already sitting in the cloud via all of our clients, using third party banking apps with APIs, we would follow that process as well. I think banking in the future. So digital banking, it's already a digital banking and it will happen in the cloud. It will happen natively. And we need to follow that process. Pen tests have taken three weeks in the past release cycles of banking. Apps are usually one or two weeks. Those things don't fit any longer.

So we need to start thinking around it different way. Security needs to be like an API. You ping it, you get a zero or one, and then you move on. Thanks Carsten. Finally Henry here you, yeah, obviously I need to commend on the term as well. Google auto, correct to compostible.

So and, but, So do Beza we are a financial infrastructure provider, so, and actually invented as well, the digital trading with our counterparties and all this. So that was probably quite early move, but now I think we need to rethink as well, how we actually leverage here cloud opportunities. And we start probably a little bit from the outside in dev test and all this is to be moved into the cloud, which we are leveraging. Then we are using pastas services, of course, for everything that supports the enterprise, but not necessarily for the core business.

Our core business is extremely time sensitive. And we need to ensure that we treat each participant market participant absolutely equal that goes down that the fiber cable from our service needs to have exactly the same length to the market participant equally, where they sit in the data center and all that for co-location. This is just a very visual example, how sensitive that is. And obviously that is not something cloud providers can actually support today, but there's more than the pure trading.

And we have as well, all the pre and post trading activity, which is not so time sensitive and all this endware as well, a big data provider. So obviously enormous amount of financial data is being produced. And we are thinking at the moment about ways, how to leverage as well, a cloud presence and a stronger cloud native capabilities to leverage this rich data part we are, we are sitting on, but I think you see the low hanging fruits.

Yes, we move. And we are quite agile with that. Then the surrounding support technologies as well. But on the core side, I think that's probably the step ahead. Yeah. Thank you for, I appreciate that. That you don't like the term. But when I, when I reflect, I heard cloud a lot. I heard agile a lot. I heard reusable software a lot. So that are the things certainly you have to deal with, which lead to, to higher pace and, and higher challenges right now.

Let's, let's focus a little bit on now the security aspect of you are all security experts. So, so what does, what are the consequences of this new Inno innovation pace?

We are, we are all seeing perhaps I, I just go go right in, in the middle. Does this, does this new, new Carson? Do you know? I have two companies to protect, let's say the mature over years grown. I hate the word as well. Legacy and the new agile stuff. Or is this the same? I hate legacy, not the word I hate legacy. I don't think you can protect too. You need to combine them one or the other ways. So you need to find a common layer where you bring things together, cuz they're so closely connected.

Even if you are, if you have an on-prem environment and then you start connecting it with different cloud environments, this becomes more or less one environment parameters are going away. And that there's a lot of connectivity, so it's not two or three or four or five different worlds. It's actually, it's one, it's just a different way. Maybe how to set up one or the other logic on security.

So I, I would challenge to look at this as we need to protect tool, we may need some different methodologies to protect part of the overall environment. I mean, if, if a client looks at us Tor bank, then they don't look at, oh, this is the cloud part of Deutra. This is the on-prem.

I mean, Renee can probably more so talk about that you and old world, but we need to see that as one and then look how we protect it in those different technologies. Yeah. Yeah. Because you mentioned Renee, I have a question for Renee as well. So I think in this newer world, the, the aim is also to more quickly introduce software components also from, from, from software providers, obviously, why are APIs cetera?

So how do, how do we make that in a secure fashion? We have seen the problems around lock for J everybody knows that.

So, so what does, what are the consequences of that? I think with lock for J we have realized that the old legacy asset management needs renewal because we need also kind of an asset management in our software and also in the software components.

And, and this is now the challenge for us and we don't have a server bullet yet, but we are currently searching for solutions, how we can really look into the components so that we do understand what we have built in and where for, for, until we have this found, we are of course, working with asset databases, kind of nevertheless, I think we all know that asset databases are, let's say not always a hundred percent correct. And thus, I think it's important that we all find such a solution that automatically tells us which components we have in ware. Yeah. Very good.

Michael Adidas obviously is a well known consumer trade. Yeah.

And, and the user experience place an exceptional role in, in that regard security often is seen as the break here. So to, to make things more difficult, more inconvenient to, to be secure. So how do you resolve that conflict? Yeah.

I, I mean, it's one of those traditional conflicts that we, that we always see, especially in my world, as I mentioned before, being very fast paced and also very consumer focused. So the consumer counts most, we need to make sure that their journey both in our apps, but also in, in our websites is seamless and as easy as possible. What I'm trying to do is actually to position security as an enabler for the digital journey for us as a company, because what we are obviously also seeing is a lot of fraud related to our online business as an example, and their security becomes the enabler.

So one of the, the funny, or maybe sad conversations that every one who is responsible for security at one point has, is should there be multifactor authentication? And yes, we would all say in the enterprise world, yes, we need it. It's the standard. It should be there, but let's look into the consumer world in the consumer world, it can break a deal. So if a consumer has a tedious login experience, it can be a deal breaker. The thing is for us, it became a huge enabler, actually building it in a way that it's convenient for the customer.

And I love to position my teams, not as the ones coming late to the party and then saying we can't do that, but rather coming in early and then building solutions that also are usable and accepted by the customers. Now, when you did your introduction, you mentioned that Luhan is, is trying to become a digital at advanced, right? How can actually security help the business to be successful?

I think Luhan one of the chance or advantage that we do have is that we can rely on a culture based on safety, you know, and if you can, really, from the safety adoption, it is a little bit easier compared to other companies that I have seen to bring, I would say cyber security as also one of the core topics that has to be tackled and also by the board in order to be more resilient, to become successful. And that's really the way that we are adopting not only with our business units, but to also with our, I would say supplies and partners, right?

Because at the end of the day, it is not only about Hanza, it is about an ecosystem that we have to serve and to retry with also our partners and supplies to bring them those safety cybersecurity mind, so that hopefully at the end, we can protect the data of the customers and our assets accordingly. Thank you. Question to you, Henry.

The, when everything is getting more agile, faster, cetera, there's pressure coming from the business, but also pressure coming from the it teams obviously to be faster, faster, faster, and then the security guys come around the corner and oh, you need to fix that. You need to, to can't do this cetera, cetera.

What, what is the consequences for, for leadership, but also for the, for the security teams to cope with that, with that challenge, right? Yeah. Because no one wants always to be the one who slows everything down.

Yeah, absolutely. Absolutely. And we probably all have, have been living in this conflict for quite a time. So I would like to bring in the, the cloud proposition again into that, in that conversation because traditionally everything on-prem and securing all with protective detective measures and so forth, I think this is going to be history on-prem is going to be the new mainframe. Yeah. It's going to be around for next 20 years for sure.

But it's, it's some sort of something from, from the past. So going forward, I think the security is going to change dramatically because all the major cloud providers offer security by default. So that things are not even cannot be built in the first place, which is going to change our role dramatically because all the compliance work and all this ideally is going to go away is going to take some time. But from the perspective, which pays as well into the business case for the business.

And of course doesn't take away anything of the speed, because if that is the only way you can build it in a secure way, just to begin with, there is no stop sign. There is you see nothing that, that actually stops you from making fast progress. And I think that's the proposition I'm looking for to move into this sooner than later. Yeah.

So KA, do you recognize any change in, in, in leadership behavior also in your communication style with board cetera, because of, of that new dynamic, obviously we all recognize that security is now a board topic. So can you talk about your conversations you were having with, with this, with the board? So you mentioned lock for J and then obviously we're in the middle of a crisis or war or whoever wanna call it.

Those events are sometimes a disruption, but sometimes also an opportunity if it comes to cyber security, especially lock for J and then potential cyber attacks coming our way is helping in those discussions. Because obviously it's, now everybody is aware, everybody's worried lock for J made it to the press as, as a really spreading and, and major event. And it may not have been the same for all of our companies, but it's something that is keeping people thinking. And we now read every day in the press that there was an attack against the government.

There was an attack against that there was an attack against that. So I think that's changing awareness and obviously also on board level. And that's also making discussions a bit easier on the necessity for investment for cybersecurity measures. So it's always looking at the opportunity. Don't wanna talk about war, being an opportunity.

It's not, don't get me wrong, but the, all those events are obviously currently changing the way, how we think about cyber security as a community. And that includes sports as well. They're part of a community at the end of the day. Thank you. We started with a little poll and I, I thought it's a good idea to end also this conversation with the little poll and Michael, this question was not on the improving notes. That's okay. And we will start with you.

So we, we do have quite a number of vendors in the audience as well, obviously mainly security vendors. But of course that the question also goes to software component vendors, right? If you had one wish to the vendors or one advice, so what is your requirement from securing the agile innovative business of the future? So I guess when I think about the ecosystem right now, and I think that's a strategy, most of us are following as well. We don't wanna deal with too many vendors at once because obviously in security resources are limited.

So I, I, or we can't always interact with all the new startups, all the latest solutions. So for things that become more commodity, at least for me, I will always try to go with the platform provider. And that also means if I have selected that strategic platform provider, I don't want to end up in endless discussions with a lot of other companies, obviously who are maybe offering a niche solution on the other hand side and coming back to the topic of the panel as well in that space where we do see a lot of, of new investment and a lot of new technology coming up.

Obviously we would be looking into that as well and would be interested, but I also wanna be quite Frank on that one. We wouldn't be the early adopters because for us, yes, we are a very digital driven company, but still we can't afford to always invest in the latest stuff. So I would always take a step back. And I think that's also something the vendor community needs to understand where companies stand in terms of their security, maturity, and also their digitalization and better solutions already make sense for them at that point in time or whether they don't Rene. What's your view?

What's your number one? Wish, I mean, we have heard in the speech from Martin about decentralization, cloudification and all this other stuff. I'm not sure if you mentioned complexity, but complexity is actually what is killing us. So if you want to help us, help us reduce complexity. When I talk to vendors, I always hear we have an API E you have, but nevertheless, the solutions are not properly or smoothly integrating.

And hence, this will be my wish, help us really to build solutions that are smoothless smoothly integrating into each other. Now it's Christmas. You have a wish free For the vendors.

My, my wish really would be not to sell passwords as you have seen it. Thank You.

When I, when I, when I, when I think about zero trust, you know, nowadays on a daily basis, you know, I get some call or emails from almost every vendor saying me that he has now some zero trust products to sell to Hanza. So my wish would be really to focus and concentrate on your, the added value that you can really bring to my business to focus on your services, professional services, and to if I would have one additional wish is really to see what kind of, you know, offering or services might help my business in order to better protect.

I will say my micro services and to identity because we build everything around the identities. And the last thing is we are seeking also on solutions in the micro segmentation level, because as re rightly mentioned it, you know, there is a lot of complexity and to, we need to be, you know, more simple in the way we adopt things. Yeah.

Thank you, Henry. Yeah.

So it is, my wish is probably reinvent yourself. I think with the cloudification, I just explained as well, it is going to reinvent itself and find the new role in, in the market security as well. And if you look with the clarification, what the cloud providers actually offer very strong, they, their lifeline is on security. That's the reason they invest heavily, and that is what we wanna leverage.

So that means for the vendors, the integration, for instance, we, as a regulated marketplace, we need to have always multiple providers in all this, integrate them into a security, but don't necessarily mirror what they already do. I think that would be the wish. Thank you. And finally, last broadcast Building on what Henrick said, and Michael, you mentioned that as well with ecosystems integrate into those ecosystems, find the gap that the ecosystems have. You said don't duplicate, but really integrate into that. Stay innovative.

We have seen a lot of good security vendors coming and selling later on. Maybe that's a good concept to retire early, but I think it's also a good concept to have innovation in the market and then connecting to those bigger ecosystems where all you're absolutely right.

Michael, we're all going down that route to reduce complexity. And you could, you could help us a lot with that. Yeah. The time is over. Thank you for, for being here. We could have discussed this for, for much, much longer, but on the other hand, you are around for at least until tomorrow, because we do have our cybersecurity council tomorrow, where you are members of. So there's a group of those of you who don't know that that's a group of 15 to 20 CSOs of great companies who discuss security topics. And we do have our council meeting tomorrow.

So I think we will be enough opportunity to exchange and thoughts and discuss further topics, but for the time being, thank you very much. Thank you.