Event Recording

Insights of a CISO: Interview with Thomas Tschersich

Now thank you, Christopher. And also thanks to the audience for, for joining this session. As you may know, this interview is part of a series of sessions where I will talk in each and every KCLive event to a C level expert, or a C level practitioner about their current challenges and approaches to cyber security to either the access management and day, obviously, to security, orchestration, automation and response, or I'm. And I'm the CEO and head of the advisory at KuppingerCole. And I'm very glad today to be able to welcome Thomas Tschersich from Deutsche Telekom. As my guest Thomas, you are chief security and chief te of Deutsche Telekom and Deutsche Telekom Security. But before I say something wrong, I'd like to ask yourself, please give people a little bit of an idea of what your role is and what you are doing at D
Thanks, be for, for having me first thing, by the way, in your intro, which was coming in in my mind, there are no challenges for security. There are just a lot of opportunities. Yeah. About my role. I'm chief security officer of Deutsche Telekom group and in my second life. So to say I'm managing director and CTO of Deutsche Telekom Security entity, which is providing digital security services to our clients, but to the Deutsche Telekom group as well. So from background, I'm an electrical engineer. So therefore, you know what it means to be careful not to touch certain things. At least if you do a high, high voltage electrical engineering and yeah, I'm, I'm working in security for now almost 25 years.
Yeah. Yeah. Thanks for that, that brief introduction. But a lot of people listening in at the moment, they are probably at the beginning of their career and they may be interested to understand your path to the CISO or your path to the chief technology officer. So can you help us to understand what, what, what is it, what is necessary to get there? How did you get there and, and what would you recommend people?
I, I would say it happened more accidentally in, in my case. So in the, in the late nineties, we were sitting in the office of my former boss and we had two topics to deal with. The one was security and the other one was X.500. And we were both pitching for the X.500 stuff, I guess nobody knows about X.500 these days anymore. And nobody was really willing to deal with security at these days. Yeah. As security was more the roadblock in the organization and mostly the physical stuff and less the cyber part. So my boss decided that that I should go for security and I was not happy with that decision first page. And, but I took the best out of it. And I worked on it with, in several positions, always with the attitude, try to be a supporter for the business and, and not to be the roadblock and the one who is always saying no, and this is the best tip for the career. If you want to make a career in security, not really, really work as everybody's expecting from security people, always pushing back and making things difficult and, and complicated, be open minded and try to be as much supportive for the business and show them how it works instead of show them what is, is not working. Yeah. So that's the best tip for the career I can give, I would say,
Yeah, yeah. Some people think that business on the one hand side or IT on the, on the one hand side and IT security on the other hand side are two complete distinct disciplines. And when I researched for our interview, I found a statement which says, ultimately, there can be no further successful expansion in terms of digitization, without security. I hope you know who that said. Yeah. It's obviously from, from yourself and, and that sort of really nicely expresses that there is no, no business without security anymore. Right. Certainly no digital business.
Yeah. Look, you know, pretty good. What it means to be a CIO and being a CIO is also dealing with trust. Yeah. The whole organization has to trust in you that, that you provide the right tool sets that you handle the data with care. And this trust really means at the very end, also security. Yeah. It's privacy, for sure. It's security. It's also stability in, in operations availability and all these kind of things, but it's more important and increasingly important to have the security attribute in as well. And this is even more true when you talk about providing those kind of services to, to our clients. Yeah. Giving our organization as Deutsche Telekom. Yeah. People trust in us that we handle their data with care if they don't trust or if they would not trust in us and they would not hand over their data and they would not subscribe for our services anymore. Yeah. So trust is the basic foundation for everything. And this trust can be only provided by security. And of course also by, by privacy.
Yeah. Thank you for, for that, for that answer, we, we of course wanted to talk about SOAR today. So security orchestration, automation, and response. And I'd like to start with this one element, which is detection. Obviously we need to have the ability to detect anomalies or problems. We have seen how important it is that this happens just recently. When we, when we look at the SolarWinds case, for example, how can a SOAR approach or a SOAR solution help with detection?
Before we come to that, I guess we need to talk a little more about what is really essential in security. In the past, it was more about the preventional aspect. Yeah. So creating defense around your infrastructure, or at least a virtual fence. And I guess this approach is already broken with cloud service coming into your organization. The defense is broken with the increase of new services and new apps coming on a daily basis in, into the organization. This is not the one and only approach anymore, for sure. It's still, still necessary and still needed to be focused on that. But you need in, in modern security infrastructures, more focus on really the operational things. And that means it makes no sense to record log files if nobody's watching into it at the very end. Yeah. So, and the biggest issue not looking into log files is the pure amount of data you have there.
And then we are at a stage of optimization. So first of all, it's important really to, to have a real time view on your organization, on your systems and to, to figure out what's really going on there. And all the cases I've seen in the past where a client had incidents could be discovered much earlier just by increasing the capabilities of looking into what you already have in your organization. Now, the problem then really is how to deal with the mass amount and then really comes the automation in place, which helps you really to deal with these future amount of data with terabytes of log files. It's not possible anymore to have that manually to have sitting on people in front of the, the consoles, reading all these, these logs. So therefore it's essential to, to really dive into that. So piece to be able to deal with the, with the, of you have to with,
Yeah, so, so I think we, we discussed it in length already, the shortage of talent of, of cybersecurity experts in almost every organization. And, and you just, and on the other hand, the amount of data increases on a daily basis. So, so, so one reason for such a solution then obviously is the bandwidth, right? No one would have the bandwidth to look at everything in the necessary level of detail without, without technology, right?
That's absolutely the case. And, and here automation really helps. And the so really so, so first, and it, it is all the same blueprint. I would say, always the same blueprint. It's first you start with, with people working on the consoles, doing the work manually, then you figure out, you need to, to do more, you need to have more log sources, you need to have more people. And then, then suddenly you're confronted with the problem that there is the skill shortage in the market as you described. And then the only way out is really using SOAR, try to engineer certain things which are being done in the past by, by people and to clean up the resources and, and to, to have the resources then again, available really to focus on the very serious things. Yeah. So automation helps you to overcome also a little bit of the skill shortage. It, it's not the only answer for that, but it helps you to, to free up some resources to then being able to inspect more deeper in the, in the serious alarms and not dealing with all the false positives anymore, but then the, the, the next
So let me add 1, 1, 1 very important aspect to that is also the speed as, as you can see today and, and giving totally different example when Microsoft, for instance, is introducing a new critical software update. They're just saying we are fixing a vulnerability in, let's say Microsoft Edge or Exchange or whatever software tool they're saying, and this is a critical vulnerability, but they're not saying how this can be, be used by, by an attacker. But what we see is once they release the update within hours, we see the first fully optimized attack on the market. So attackers are really fast, so we need to become fast as well. And the only way to be fast on that is having also the automation tools in place, which are helping you to readjust your search filter for attack patterns. So to say, and, and to be fast on that as well, and this can't be done in, in these days just by adding more people to, to the team.
Yeah. Yeah. And I think, and I also see another difference, obviously, when you have knowledgeable experts, they sort of, or you hope they know where to look at. Yeah. And of course it's a little bit, well, unreliable, someone would look at it, others won't etcetera. I think with the automation we can put in more consistency, more reliability, however, I believe you still need to define the use cases. So how important is that to, to look at the right? So
This is really essential. We had a client, for instance, not saying who that was, but everything in place, which was necessary, technology wise to do cyber defense, but they just had the wrong filters. They just had the wrong use cases implemented. And so they were not able to discover a single incident so they were looking for the wrong thing. So it's really essential if you start implementing those technologies to spend at least the, the majority of the effort in defining proper use cases at the beginning. So yeah. So there is a famous quote, it's shit in shit out, and this is true for automation as well. Yeah. If you don't define a proper use case at the beginning, you will never get a proper result at the end.
Yeah. And I think the other thing you sort of mentioned it earlier already, even if, if, if, if skill shortage or capacity, wasn't the issue. I think with the necessity to look at real time data, it's very obvious that no human person could deal with that amount of, of data and time of, or time pressure. So you need automation.
Yeah, absolutely. So, so we at Deutsche Telekom, we're processing a couple of billion data sets a day, a single day. Yeah. So this, this really stands for itself. Yeah. Without automation, how to do that, that's impossible. If you think every available expert on this planet, we won't have sufficient resources to do that. Yeah. So, so therefore automation is key. Automation can help, but automation can also guide you in the wrong direction if you don't spend. Really. And, and this is the point we talked before about, if you don't really create the, the proper use cases at the beginning, then, then you're somehow in a false secure states. So to say, so you think you're secure, but in real, there's a lot of things happening under your radar screen. And, and by the way, and this is, this is also crazy observation I have in the market these days.
It's, it's very common to have corporate sneakers. Nobody come to the idea to build this sneakers by themselves. They all ask Nike, Adidas or whomever to, to do that for them. But in IT, everybody has the mindset. It can be done by everybody. And this is for me, a risky assumption, for sure. There's a lot of things you can do by yourself, but in some cases, and especially if you talk about these highly, highly professional stuff and where you need very, very deep skills, it might be better to consult at least an external supplier who can help you by doing so, instead of trying it out by yourself, it can work. But if it's not working, you have to pay a high price for it.
Yeah. I, I have a, I'd like to throw another provocative statement to you coming from someone called Thomas Tschersich as well. It says 95% of our cyber security incidents, or more would not be an issue if software updates were installed faster, I think that's from you. Yeah,
Now, if people did that, would that replace the necessity to implement the SOAR solution?
Because we wouldn't have an issue anymore.
We wouldn't have different issues, I would say. So we would have different issues. We, we wouldn't have the same issue than we have today. Look, if you analyze the things being reported in the news, the incident only the minority of it is about zero day attacks. For sure. We, we just had some, some cases of, of zero days with the SolarWinds and also with the latest Microsoft Exchange. But this is only a few out of a thousand everyday happening. And most of these attacks happening because software updates are missing. So this is building a fence around your house, but leaving the front door open. And this is what we do usually because we fear something can go wrong. If you're introducing software update can cure an outage. But just by fact, we have more problems because of missing software updates as we have, or compared to, to problems occurred by mislead or, or software updates who went on error. So the problem is, is really, we need to do the homework. We need to fix the infrastructure first. It makes no sense to spend money for the fence if you leave the front door open.
Yeah. Thanks for, for this, for this answer. My last question to you would be what's coming next. So what, what is your next challenge in that context? What do you see coming for
That? That, that's a good question. Yeah. Having the right answer on that, you can, can earn a lot of money. I would say I tend to not to focus always on what's next. Yeah. So as we just talked about missing software update pieces, this is so old, like the IT industry as here it's, it's a 30 years old problem and we didn't fix it yet. And I believe attackers will always find their ways and we need to be fast. We, we need to stay prepared and, and we need to have the right resources to react. As digitization will move forward. Digitization will enter also different areas like the connected car and what we see there is just the beginning would predict. And as it is just the beginning, we will also see more and more attacks on this. You we're the first person dying in, in Germany last year because of a cyber attack.
It was a cyber attack on a hospital and they were not able to bought on the, the patient. And, and then the first person really died because of a cyber attack. So this will become more serious, more problematic in future. I believe if we don't fix it yet, if we don't put security as a design criteria in, and then maybe a little look in the crystal ball, the CISO will become the boss of the CIO in future, as the security is becoming more and more important. Now, kidding a little bit, I guess these are functions, which should act on, on eye level instead of the one report to the other. This is what, what I really see as the next level is that, that we have security organization treated equally to IT operations and IT development organization. And with that, whatever is on horizon can be managed, I would say.
Yeah. Yeah. I totally agree. And, and I think Telekom is, is a good example how important security is and that it can be used as a competitive advantage.
Absolutely. Absolutely.
Yeah. Thomas, thank you very much. It's always a pleasure to talk to such a senior expert like you of coming from one of the, let's say most advanced companies in Germany, at least when it comes to IT security, information security. So again, it was a pleasure. Thank you very much for, for joining today and also thanks to the audience for, for listening in. I hope you enjoyed our talk and yeah, there's more to come in upcoming KCLive event with other prominent guests. So if you liked it, please join again. And in the meantime, I wish you a continued good, good event, thanks to you all. And over back to Christopher.
Thanks for having me stay healthy. Bye. Thank you.
