Thank you very much and thank you very much for having me. And it's a great pleasure and honor, and of course, warm welcome from eyesight to everyone participating online and, and, and in real life. So I've been talking a little bit about different development stages of cyber risk management, and I bundled together with different stages as I see them that a company goes through different development stages when it comes to cybersecurity, as you can see from the, from the current outline, I envision four stages and I will try to try our conclusion. What kind of cyber risk management is actually possible in those, and will later on then give some further ideas how this can be maybe smart and up or can be improved. So let's start with the beginning. So the first stage a lot of company go through, I would like to call it at Fox cyber security.
So basically someone comes up with the idea, oh, it might be good if we have firewall, it might be good. If we have an antivirus system, I heard a lot about a lot of good things about those kind of things. That's of course not really a structured approach. And it, it is undoubtedly normally combined with lack of knowledge within the company, right? So, and so there's probably not enough security professionals there and this kind of thing. So, so this is always from our perspective, the starting for some of our companies, this is decades ago for some of our companies. This is not too long ago. However, as pointed out, I want to put that into context with, with the cyber risk management. And my conclusion out of this is more or less that there's no real risk management possible because you don't know where your risks are.
You don't know how you actually deal with them or any kind of thing. So this is really a tricky state and should be left as soon as possible, the next stage or the next step that I normally see within companies is a maturity based model. So the, the good thing about maturity based models is that it is someone is trying to have a holistic look at, at the company and is trying to identify security gaps. And that's, that's really good. And a lot of essential topics get started within the company's previous. I would like to actually say gap based model and maturity based model. And you see a lot of companies that are introducing socks due to this get based model because there's no sock. The really good thing about this is, is that there will be then established proper security operating model and then proper security organization.
So this is when CS get established or get established because there was a clear gap and it was understood from the first stage that then there needs to be not only technical solutions, but then also needs to provide organization to handle this. So this brings me then back again to the, to the risk management to look at. And for me, the, the problem with this is, and I assume that a lot of colleagues will disagree with me on that is that this does actually not allow for a specific risk management. It only looks at the, at the, the whole company. And if you look at the capability maturity models, I mean, you, you reached stage three. What does that mean? If you wanna do actually risk management, I mean, is, is, is if, if you have multiple locations, if you have multiple countries, what does that mean?
What, what was in scope for that level three for, for that defined stage within the capability maturity model. And there's, there's, from my perspective, a lot of discussions also going on because a lot of cyber insurance companies look at it from a maturity based level. A lot of assessments look at it from a, this kind of model, but it's not specific. It's, it's, it's really a gap based analysis. And then you base your risk management on while there's the gap. So therefore my, my next stage that I'm looking at is, is a risk based approach, right? And for that, I will go into, into more details a little bit later on as well. But what I mean by that it's, if you start to actually identify what kind of processes are really important for the company, what, where are your golden nuggets are, and then start to actually direct your efforts into that direction to really say, okay, where are our company goals or where, where are our golden nuggets?
And let's focus on that. And then we can actually say, okay, process X, Y set produces X amount of value per year. And if we reduce the risk of it being, being obstructed or being destroyed or whatever, we then can actually say, what did we do when we implemented a measure? So how much did we reduce the risk? We can actually pinpoint it much better down. And therefore this is for me the stage where we can make specific risk management, where we can actually look at certain financial processes at certain production processes and this kind of thing, and actually look on that level and make it much more specific. That, of course, I mean, as, as you can see, is for me not the last step, the last step is more or less. Let's get into a proactive side of security. And what do I mean by that?
I mean, baked insecurity. So that makes it of course a really interesting topic we heard and privacy by design, but the things should be secured by security, by design. And it was pointed out. I mean, those things are, should be bonded together. Anyhow, so, but the interesting thing is that the risk management becomes much, much more easy because no process gets initiated. No new tool gets initiated without already the right cybersecurity measurements being in place. So the risk management becomes much more leaner and that should be in stage where, where we should aim in the end on the long run. This also what makes it for me interesting is that we can then also have a much more holistic look at things because then we can look at how our, our customers dealing, how our partners dealing any third parties and what are actually the regulat up to in the different countries that we re operate.
And that allows from my perspective on a specific risk management and the general risk management, or as I just pointed out a holistic risk management. So we can see where our security measures have actually reduced the risk of processes. And we can have a look at it on a, on a more general perspective, meaning not just our ecosystem, but the whole surrounding ecosystem as well. So what that, the main evolution from an expert evaluation or an expert opinion to a modern integrated cybersecurity, where we are talking about reducing risks and not closing gaps. That brings me to my next slide where I think, how can we even further pinpoint it down? What kind of ideas could be actually put forward on this so that the makes it much more lean, much more elegant and makes it probably one of the most efficient ways to do so.
Just a quick extract. Why was I thinking about this? Because a lot of the time risk management is okay, we define a risk level, and if something is about the risk level, we do something. If it is below everything is good. So, but that doesn't allow you to fear your efforts and make a really risk based approach. So my idea is let's look at all the company strategy, as you can see, I going used a lot of thoughts. So it's of course not one company strategy, but it is made out of multiple strategies that combined are the companies strategy. Let's have a look at those list them all together. And then let's say what company strategies have, what importance within our organization. Once we did that, we can then have a look at the processes. So the processes who are actually contributing to those strategies and the strategy that was rated the most important, then of course, the process that contribute to that is probably a good way to look at it as a, as a golden nugget or as a, as a, as a important process, this kind of things.
And then we can actually identify the cyber risks on those processes. And when I'm talking cyber risks, I'm not talking anymore about security gas. I'm actually talking about cyber risks. So exit by third parties, that's for me is cyber risk. And once we did that, we can then actually put the whole, the whole thing together and look at the cyber risk. So counteract cyber risks against the strategy report on reduced cyber risk. So the last point is also for me, quite important, because if you go to management and say, we have reduced our risk on those processes by this amount, or by, by this grade, they can probably actually do something with that information. So quick reg up, look at the strategies, look, which one, how the management writes them identify those processes that are actually serving these process, these strategies, and then you have a good deal of actually putting measures forward in the best, best efficient, and, and financially sensible way, just small notes.
As I pointed out, I think it's much more important to, to report on cyber risk, so possible unwanted access by third parties, to this strategic planning and financial Analyst. This process has been reduced. That's probably something that the management board can can work with and not by 55% of the database has been encrypted to put that a little bit into before I come to, to, to a little bit more of an example, to put that more in an holistic aspect, I tried to put everything into one picture saying, where are we on the whole QRC kind universe with this? So the first thing I did is I looked at the, at, at the timeline, right? And I looked at the future, which for me is risk management. I looked at the now, which is the internal control system, what we are doing now. And I looked into the past, and then that's where the audit realm is happening.
So they are looking if everything has worked according to plan. So we are looking into the past to control system. What are we actually doing right now? And risk management, what do we anticipate in the future? So I think it helps sometimes to just put that on a, on a timeline. So as I pointed out, we can then have the risk management. We can look at the different risk classes, the risk classes can then be sub subdivided into different categories. And then we have certain cyber risks. So I pointed out, for example, access by third party or violation of segregation of duties or these kind of things, and can look at the process or on the organizational level and can say, okay, let's look at that process green. Now we don't have this risk red. Yeah, we have this risk red. Yeah. We have this risk and then let's do something about this.
So then we are into the control system. So we looked at it really specifically on a process level. If that process level doesn't work, we can org unit level and then put everything together. We can see the controls or measures what needs to be in place. And then audit can come back and say, okay, this worked, this didn't work. So let's put in continuous improvement process on it and let's put everything together. So that's just for the holistic view, putting that into, into a more practical thing that I'm currently working on is so let's, let's, let's have a, have a look at that. So we have the corporate or the business strategy, right? So these are just a few examples. I put together like 55 different examples and different strategies and goals for a company, as you can see, I also classify them in, in certain types and this kind of things, but let's, let's have a look at it.
So we can say, okay, let's grow shareholder value. Let's grow earnings per share. Let's increase revenue. And then what I said is at the beginning, right, is let's, let's give that a rating. So here I gave the rating five here. I gave the rating free here. I gave the rating one. Okay. I do understand that those ratings do probably not make a lot of sense from a realistic point of view, but it's more or less to demonstrate the example, right. So I can say one, it has next to no significance five. It has the most important. So then I know this kind of thing. And then as pointed out, I identify the, the, the processes. And when I have identified the processes, I can then say what kind cyber risks are actually included in there. And then I can actually steer my effort really, really in the, in the right sense.
So coming back to it, right? So we have the CRO share the value. So we have always the same results in risk. So we did the risk analysis on that process and it came out high. It came out high for the pro earnings per share, and it came out high for increased revenue. However, now that we know what, how important that is actually to the organization or to the management board, I can actually say, okay, here grow shareholder value. Let's put in measures in place controls in place. And let's monitor that. Let's not just wait, audit comes back with a good or good or bad signal growth earnings to share while measures and controls might be actually enough, increase revenue. Well, measures might be enough and not even up. So let's have a clear picture on where to focus and where to look at. So, and that's actually my idea, and I'm trying to work out if it works with different people and in the, in the spirit of thinking time, I think I saved you three minutes, so thank you very much.
