Matthias
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor with KuppingerCole Analysts. Today we have a very interesting organizational topic and we want to talk about the relationship of the CEO and the CISO. So when you're through this podcast episode, you have learned from experts how this combination of CEO and CISO and their different angles of looking at things can be synchronized, how they can really work together to get cybersecurity into daily business. And for that, I have invited two important guests. And when we talk about the CEO and the CISO, guess what? I've invited the CEO and the CISO of KuppingerCole Analysts. So I would like to welcome Berthold Kerl, who is the CEO. Hi Berthold.
Berthold
Hi, Matthias. Thanks for having me.
Matthias
And I want to invite and welcome Christopher Schütze. He is the CISO of KuppingerCole. Hi Christopher.
Christopher
Hi Matthias, hi Berthold and thanks for inviting me.
Matthias
Great to have you and we really want to learn from your experience and I know that you are talking also to lots of other CEOs and CISOs. We have this cyber council where people of the same quality and the same size of organizations work together in identifying these topics and I think this is an important topic they need to cover as well. So starting with you Berthold, what do you think are the key challenges that a CEO is facing when he tries to integrate cybersecurity into the company's business, the company's growth strategy. How does that work out?
Berthold
Well, Matthias and everyone out there, typically security is indeed not the very first thought when it comes to discussing business growth. KuppingerCole's purpose, for example, is advocating for a safer digital world. And when we sat together just the other day to discuss our own growth strategy, we also did not start with security. But it is obviously clear that in today's business world, which is digital all over the place, there is no growth without security in place as well. And therefore, although it's not the very first thought you will have, it must be considered when discussing your strategy because it is business critical. No doubt about that. And of course, that's especially true for enterprises who work very obviously in critical infrastructures, finance, utilities, et cetera, et cetera. But everyone is dependent on technology. We just saw recently in July the CrowdStrike incident and although that was not primarily a security issue, it all showed us our dependencies on technology, especially when it doesn't work. And I think it therefore has had another effect also on the CEOs, I guess, to make them aware how dependent they are on technology, on the security and the resilience of their infrastructure, and that is ultimately impacting the future of their companies.
Matthias
Yeah, I would fully agree. I think building the cybersecurity strategy, the resilience strategy into the company's business strategy, I think it's really paramount to do so. But that was the CEO perspective. Now we switch gears and we move over to you, Christopher, in your role as the CISO. So you need to talk about cybersecurity risks, solutions to be implemented. Often you talk, it's a bit more difficult or different with KuppingerCole because we are a company dealing with this stuff, but nevertheless, how do you communicate these risks and solutions to those not so technical executives, the board, how do you make sure that you get the proper funding, that they understand why you are doing this? How do you communicate?
Christopher
Yeah, first of all, as you said, KuppingerCole is a bit different here. And especially my relationship with Berthold is a bit different because he has many years of experience working as a CISO as well. So he understands the importance of security. And I think that is in general more the advice and the discussion we have with other CSOs. If the board is not speaking your language, you need to speak their language. And their language is basically, and that is what Berthold mentioned as well, security is not the first thing you think about when you do something within your organization. Your organization has typically some purpose, producing cars, insuring people, something like that, or building something in pharmacy, whatever, something around that. And that is the business purpose of the organization and security, IT security especially, and the underlying IT or the IT you are using is a supporting function here. And if you think from that perspective, the language the board, the chief executive officer speaks is, okay, what happens if one of these tools will not work? We had that with the pandemic, people are not working, able to work from the company in that typical way. This had some kind of impact. No one planned for that. And the other example Berthold mentioned around the CrowdStrike impact, having a protective software on a very deep operating system level that receives automatic updates and patches, and this causes some kind of failures, is also something you probably thought about but didn't realize that this could happen. Because from an impact perspective, let's keep the CrowdStrike example, many organizations haven't been able to produce or work for hours or even for days. And if you have a large company, global company, we are talking about a lot of money, a lot of impact. And that is really the relevant thing that the chief executive officer is interested in.
Internally, I also often try to argue with, if we don't invest into something like that, the related expenses, if something happens like some endpoint threat, some services are not available around our events, this has a huge impact and could not only harm our reputation, could also harm financial stuff. So we need to really quantify the risks with measures and at the end you can take money, financial impact, that is a good starting point, but also the strategic objectives of the organization. Depending on your board, really try to avoid using too technical language if the board is not able to speak that kind of language, then translate it into business impact and in the worst case, or in the best case, into money.
Matthias
Right. So avoiding the term distributed denial of service attack and saying, your systems won't be available to your customers. I think that's the business impact that you immediately can show. Now we've seen it from the two not so different perspectives from the CEO and the CISO. How, I know you're doing that, how can CEOs and CISOs collaboratively work together to ensure that cybersecurity and business objectives are well aligned? Maybe starting with you Berthold and then just an open discussion.
Berthold
I think normal practice in most companies, and we are no exception here, is that you have to have a regular interaction, which is institutionalized between the CISO and the board, not just the CEO, so that the CISO has a channel to talk about the risks he's seeing and the strategies we have to implement to mitigate them. Then, of course, I also want the CISO to be aware of every strategic move we are going to do. Of course, it is not, as I already explained, our very first thought when we talk about new strategies, but of course, he needs to be aware of what we are planning to do so that he can assess the risk, make us aware of it, warn us, or suggest countermeasures to it or we stop it ultimately if it's too risky. And then of course in the case of an incident which we all hope does not happen, at least not too often, we also have to have established processes in place which allow us to react fast.
Matthias
Maybe Christopher, your thoughts on that?
Christopher
Yeah, sure. Especially what Berthold had mentioned around understanding the business strategy or the strategy an organization has is the most important thing. Because if the CISO, if I don't know what is the strategy of KuppingerCole in the next three months or six years, I cannot see what are the risks. I cannot evaluate what kind of impact this could have on information security or security in general, on business continuity and that stuff and then I cannot give advice or cannot say, okay, listen, Berthold, if we do something like that, that could have the following impact. And in the worst case, the following impact means, whatever, 1 million euros of damage, something like that. That is something you need to be aware of. And even in that case, you can sometimes then argue, depending on the size of the organization, okay, we live with that. If it's regulatory stuff, no, we cannot live with that. Especially around NIS2 and DORA and all that stuff for more critical organizations, infrastructures and organizations. They raised the fees or the penalties to such a level that no executive will say, okay, I live with that. And that for good reason. I really appreciate that here. And basically, I see my role here in a very collaborative way, consulting, supporting and advising business ideas, business strategies, giving hints how to improve things from an IT security perspective. And I think that is the right way. So again, IT security is a supporting part of the company. Except if your business model is security, then it's a bit different. But in general, we support the resilience of the organization. And if security fails, this can cause a lot of damage to the organization.
Matthias
And you've mentioned that with a half sentence, you've mentioned regulatory compliance. And I think that is a key driver also for many organizations and for the CISOs and the CEOs to drive cybersecurity within an organization. I know that we as KuppingerCole, we are very happily and very proudly carrying that badge of being ISO certified, of being TISAX certified. And I think that's also, it can be part of the business strategy as well. What role does regulatory compliance play for us and for many other organizations? Again, maybe starting with Berthold.
Berthold
Yeah, ideally, everyone would have an intrinsic interest to become secure and stay secure, etc. etc. But we all know in the day to day business, sometimes this is really hard. And it's in fact, actually good that the regulators remind us in a friendly way about our duties. Yeah. And I think that's a good thing. I mean, would, just an example, would all the banks who we all know are heavily regulated have started all these identity and access programs in the past couple of years without that diligence of the regulators? And if you now would ask the people who are responsible for security or accountable for security in these banks, what was the effect of that? I think they would probably all say that was actually overdue. We should have done that on our own, right? But sometimes it's really hard to do this without an extent of pressure and that helps. Same with critical infrastructure, et cetera. So, I mean, you look at the latest regulations like NIS2 or DORA, it's even more mentioned that the board is personally accountable. So they cannot even delegate it anymore to the CISO or to the IT, the CIO or whomever. It's exactly them who have to drive this and have to ensure that this happens. And I think that will help across the board.
Matthias
Christopher, anything to add from your side?
Christopher
Yeah, mainly I just fully agree with what Berthold mentioned. The part that the board, and I already mentioned that, is also on duty for cybersecurity and they have to pay the penalties and they are not able to delegate that kind of risk. I think this really changed, especially for the non-technical or non-IT security chief executive officers, the mindset a bit. And so the compliance and regulatory stuff here really worked well because what we see and that is when we discuss with other CISOs, the board is changing here. So investments in regulatory requirements are increasing year by year. And that is a very important thing. And this helps at the end, what Berthold mentioned in a perfect, beautiful, fancy pinky world. Everybody would have a sufficient level of security, maybe guaranteed with something like the ISO or a bit more technically deep like the TISAX, more for the automotive industry to really have some kind of baseline security. I mean, with an ISO certification, at the beginning, it's just this, you have an information security management system, and in the worst case, you can accept all risks and still be some kind of compliant to that. That is not the idea. The idea is of a stepwise improvement. And the same is something we see with all the regulatory stuff in the past 10, 15 years, starting with finance coming with KRITIS, now DORA and NIS2, that it's getting clearer what needs to be done, especially around business, business functionality, business resilience, if we talk about NIS2 here or DORA, that they are pointing into it. It's not only a single system, more or less, it's really the whole thing that needs to work. And that is something where compliance helps and is really something that improves our security in total, especially for a region like Europe.
Matthias
Right, if there is a company that, yeah, Berthold?
Berthold
Perhaps one additional comment to that. But it's also clear, and Christopher mentioned already, what regulation does is ensuring a certain basic level of measures. Obviously regulation does not ensure security as such. So it's just that, if you like, the minimum requirements everyone should pay attention to. But that may not be sufficient, right? It does not replace the necessity for every organization to assess the risks and according to their individual risk profile, then take the right additional measures, right? Sometimes the things regulators want are already very hard to achieve, no doubt about that, but unfortunately, that may not even be sufficient.
Matthias
Right, and if there's a company that knows that cybersecurity can be expensive, then it's us, we are analysts watching that market and we know where the revenues go within the vendors. And on the other hand, we are users of these technologies. So when it comes to balancing the need for cutting-edge cybersecurity, and there's lots of nice four-letter acronyms around there, EPDR and everything like that. How do we as a company, how do you as a CEO and the CISO balance the need of having these solutions and very, very practical considerations around cost and how do we get that implemented and how do we get that integrated into the organization? How do you do that? How do you understand what's required? How do we do it? And what is the milestone plan? Maybe starting with you, Christopher.
Christopher
Yeah, that is a really good question. We are a mid-sized company. We see ourselves as very modern, technology open and things like that. This is both a challenge and a benefit. So especially for instance around marketing, social media or security tools, whatever, we have multiple people in our organization that always want to have the latest cool tool for whatever. For sure, then, Berthold from a financial perspective always says, okay, must this be, isn't there some other solution? From a security perspective, I then usually have more the other view, like how to integrate this within our tool set. Is it really mandatory to have 10 different tools for a specific thing or is one bigger suite the right thing for us? And basically it comes back to where we started with this discussion. It is around the risk. What happens if we use a specific tool? What could be the impact? Are we willing to accept the impact? Is there, especially around data privacy and things like that and availability, specific impact to our organization or not? And then the next discussion is for sure with Berthold about the budget, about the money and about the benefit for the customers of KuppingerCole in that case. I think that is really the interesting thing, especially, I didn't mention that in the session here around artificial intelligence. All these cool LLM models you can use, but on the other hand, what kind of data can be stored within that? How is it trained, how is it secured and things like that. And you have multiple applications benefiting from this kind of LLM models right now. And this is really a big challenge. And yeah, that's basically how to deal with that.
Matthias
What are the metrics that you apply, Berthold, when Christopher approaches you and says, okay, we need to secure this and this is the price tag?
Berthold
First of all, I'd like to make the statement no one has the objective to implement the latest cutting-edge technology per se. That's not an objective per se, right? So new technology always has to give you advantages and it needs to address the risk in a better way than alternatives. So the KPIs are very clear. I think it's the relationship between what is the risk reduction and the effort we need to put in to achieve that, right? And if cutting-edge technology improves that KPI, then it's worthwhile looking into it. Otherwise not, very simple. And we are no exception. Also, we are very, let's say, as I mentioned, very security enthusiastic and technology enthusiastic, no doubt about that. But at the end of the day, we are also an enterprise with other targets as well, right?
Matthias
It is of course not true for us, but maybe if you do as a CEO to other CEOs or as a CISO to other CISOs, if you recommend trends or topics or technologies to look at when it comes to the upcoming one, two, three years, what would be something that you would highlight where people really should have a look at? Where do you expect that measures are necessary where you as a CEO and the CISO together need to act to increase the security to improve your resilience? What are trends to look at, Christopher?
Christopher
Yeah, let's start with the most popular one these days. Everything around AI-driven security is, I think, a huge thing, especially where you have a lot of data, you are not able to analyze this kind of data and you need to have some kind of basic decision or maybe advanced decision by automation. I think for a first mitigation, AI can help you a lot and that is something we have to have in our mind for security tools. Let's go back to the CrowdStrike example. If you have a specific tool that would have realized, okay, I have within 10 minutes 500 blue screens of death, what is going on? I need to raise an alarm. Maybe I stop something because I realized maybe it is already some specific endpoint protection detection response tool. That's a bit more advanced, but here AI could definitely help to get faster results from specific things. Then for sure around zero trust architectures where you have a lot of policies. Again, a lot of information out there. That is something you have to have in your mind and also everything around supply chain security. It's not a new topic, especially around NIS2. It's a bit deeper, a bit more enforced to be aware of your third party risks and how the organizations and the tools you work with deal with their own security measures. And I think these three are the most important trends we have to face as KuppingerCole and to deal with in the next years.
Matthias
Anything to add, Berthold?
Berthold
I would agree. I think that would have been also my three favorites. Perhaps to the last one, supply chain security. As Christopher rightly said, we are discussing this for years already. I remember we did the survey two years ago amongst security, cybersecurity experts and cybersecurity was on top of the list of the CISOs, not so much of the experts, but of the CISOs. So they have it on the radar for quite some time. It's still an unsolved problem, or at least not fully solved, and very hard to achieve. This is part of the reason why companies were hesitant to go after it. At the end of the day, you need to review thousands of contracts potentially, you need to collect millions of pieces of evidence, whether your suppliers have actually adhered to the policies you put in your contracts. I think I don't have to continue. You understand where this is going and how hard this is. And I think people are questioning now, all right, can we ever achieve this? And by the way, does this really increase our security if we do this? And that's an interesting discussion. Some regulation, I mentioned it, NIS2 for example, is now forcing at least certain companies to do this nevertheless. But I think the discussion is still ongoing, what the right and best approach to it is. I do hope that we can help the community out there to get to the right answers going forward.
Matthias
Right, and if you just think back to what we discussed before, CrowdStrike is a supplier, supply chain security, there we go. And it's not the next level supply chain. This is a daisy chain of lots and lots of supply chain participants and that makes things really, really difficult. But it's a problem to be solved. Thank you very much Berthold and thank you very much Christopher for being my guests today for talking about this interesting, actually not technical topic. And maybe we can continue this discussion. If you as the audience have any questions towards us, also to Berthold, also to Christopher and to me, please leave your comments below that video on YouTube or just send us a mail. It's easy to find our mail addresses, reach out to us. We are happy to cover your topics and maybe pick up one of those in an upcoming episode. Thanks again to the two of you. Looking forward to meeting you in Frankfurt and goodbye.
Berthold
Thank you.