As Christopher already mentioned, I am be Karen I'm the CEO of co cold. And this interview is actually part of a series of sessions where I will talk in upcoming Casey life events to sea level experts and practitioners about their current challenges and approaches to cybersecurity and identity and access management. Today. I'm really glad to have Stefan working back with me, who is a very famous guest. I could say even. Yeah, if you don't know that he was, he, he was elected as a CIO of the year in 2016, I guess, and also nominated for the CIO of the decay even. So we'll see how that works out. As Christopher already mentioned, Stephanie, you are the Cecil or from Mabo inks as not everyone who's listening to us today may know the company. Perhaps you could say a couple of words, what Mara inks is about what they are doing and also perhaps very briefly what your role at marabou is.
Yeah. Thank you for, for being here. My name is Stephan Berger and I'm the global CIO of marabou I have, for my role, I have all roles in person which are, has to do with ization it stuff. So I'm CIO, CSO and CDO. In one person, I report to the management board and system to have a secure infrastructure. Marabou ins. We are manufacturer of colors, which are using for different applications like C and Tumon truck screen and pet printing, like iPhone Hills and, and other stuff, plain printing for, for the deliveries and so on. And we are really specified in, in our products and we are one of the hidden champions in, in the, in the world. So we are operating in a global approach. We have 17 subsidiaries in the world and yeah, I care about all of them and all about it, security, which is my new favor and my approach to be, have a company.
Yeah, yeah. Stephen, I, I, I still remember the moment last year. I think you joined us already talking about something really serious. So, so there was an attack happening at Marable inks and, and you were very openly talking about that, but, but very briefly what really happened. Can you elaborate on that a little bit?
Yeah, for sure. So as I started at Marable afterwards, 40 days after I joined, we are headed by a, a really bad cyber attack. So in a couple of six hours, we are completely encrypted by a double pay ransomware. So it was really hard. I have not that overview over the it and the stuff. And so yeah, we have to figure out how to come out of this huge cyber tech. We are lost 90% of our infrastructure service, all encrypted. We have to, to handle that approach over the world. So all subsidiaries has had the impact of encryption and yeah, we can't work for mostly five days, which we needed to bring back the infrastructure of the EOP systems. And we have took over four months to be back online with 90% of our infrastructure services. And yeah, the last 14 months, I'm I have the opportunity to rebuild the security infrastructure, to cyber, to be a cyber security awareness. And we have now approached a zero trust model for our cyber security.
Yeah. Yeah. I think obviously after such an event, you, you really need to think hard. What can you do to make sure that something like that does not reoccur. Right. And, and I would be of course, and I'm sure the audience as well would be interested. You said you are following our zero trust approach. What exactly does this mean? So what, what are you doing in, in, in, in detail because zero trust means different things to different people. Yeah.
That that's completely right. So from our, from our approach, we redesigned our security infrastructure. We have not a flat environment. We have structured that. And we, we downsize that we, we make a lot of different networks in the group. So we have also implemented a lot of, a lot of security protocols. We trust nobody all has to be authentic by a device, by a certificate. And also for that it's for us approach that all data is secured. And when you want to access, you have to out indicate every time at the application. And therefore that's our approach to zero zero trust model. As you know, well, we have conditional access. We have multifactor out indication. We have data center security. We have EDS EPS implemented. We have a security operation center implemented, which takes care about our global it security infrastructure, which we are communicating very well. We have a cyber defense organization in our company. So we have dedicated people who are taking care about incidents and response for that, for that all of cybersecurity. Also we have security hub in Azure, which, which care about our cloud infrastructure and that's all of the puzzles to make a big picture of cybersecurity.
Yeah. Yeah. So that, that, that, that's that's great insight. So you mentioned there are obviously lots of components required, which all need to be orchestrated to, to make a zero trust model work in practice. So perhaps for people who may not have all the components already in place, you mentioned are in access management, you, you mentioned the stock and many more, is there anything you would start with in particular?
I, from, from our perspective, we have started to get the people on board, which are using, using it, that they are aware what they're doing, how to, how to handle it, how to handle spa mails, or fishing emails. That was one of the first approaches. While when you have the people on board, then it's easier that they understand when you implement new security tools and procedures, how they can approach that two, while we from the it, and all of my colleagues, we know well, how it security has to be working and how we implement that. But we don't have to forget our employees, which then have using security infrastructure or security programs like multifactor authentication. That's from the new, they're all well known about that when they use online banking. So they have heard a lot of multifactor authentication, but they can't realize how is it's that approach in the company, why we are doing that. And for us, it was really, really important to get the people onboarded. And then we have the journey started to restructure our security, to implement new services, to make awareness programs, to make indu I identity access management. When they're on travel also in the home office about the Corona times when they are moving to the home office, what they have to do there and how the procedures are in the home office. So that's what we have done in the last 14 months since the cyber.
And, and I think the, the incident itself helped a lot to convince people that they have to contribute, I guess. Right.
Yeah, for sure. So when you have such an incident, all internal communication was really clear at the beginning of the cyber attack. We never hided what, what has heated us. So for the first, for the first day, we clearly communicated, okay, we are heated by a ran somewhere. We have problems, please, please be aware, not communicate outside till we have figured out what happens and such in that times, the common, such a clear communication to the employees later on help immense to, to strengthen their awareness about cybersecurity. When you not have such a cyber attack, as we have, it's, it's really hard that they understand what we are doing and how you communicate about cyber text. And also today, we get a lot of emails. Could I use this program? Could you please check this email? So they're on really high level about awareness and communicating this it,
Yeah. You also mentioned a lot things like multifactor authentication, et cetera. So I got the impression that also I, a working identity access management environment is a key component for a zero trust approach.
Yeah. Well, you know, you have a lot of, lot of entry points. You have VPNs from external customers. You have, you have suppliers and, you know, you have to know where accessing, which segments of the network, how to access the data and how to protect the data. So one essential thing is identity access management, how to get the data secured and also the locking of that when a incident happened or when a security breach occurs, while somebody tries to, to open data, which is not allowed to that in our approach, essential thing to be security and have a zero trust model.
Yeah.
All around that. We have a lot of, a lot of vendors. We have a multi window strategy to be secured.
Yeah. You, I think everyone in these days, I'm sure people will resonate with that is currently on their way or are already in the cloud or even in multiple clouds. And I heard you saying that, that you are in the cloud as well. So is cloud a driver for zero trust?
Yes. It support us a lot while things going faster in the cloud, as on premise, and as we remodeled our security infrastructure cloud was a huge enabler for us, for us in the, it it's much more complicated while you have to design the security aspects before you bring services into the cloud. But afterwards you are much, much more faster to digitalize processes or business models while you have from, from the beginning a security approach in that concept.
Yeah. Yeah. Understand. So I understand you are still in the process of implementing things. Yeah. Once that is completed or where are you with with implementing zero trust? Perhaps I started that question and asked the other one afterwards, where are you with your implementation right now?
We have, we have now transformed 90%, almost 90% of our, of our security approach. We have a lot of legacy software, which has to be transformed to be state of the art software and have a secure access to that. Sometimes we have isolated legacy software with special firewalls and, and protocols for security. We are almost 90% done. And in that we plan to have all things closed up at end of March. So, and there, then we can take care of new, new things and new new drivers of the business and new services to be onboarded
Once that is implemented. How do you think, will it have raised the bar in terms of security? So how much more will you be protected? Is this it's, it's a little bit an unfair question. I know,
I guess, you know, 100% protection you will never have while it, you have so much, so many influences your news, new software, you don't know how the, how the partners have the security approach. Like solar winds is a good example for that. So you are not, you cannot be sure, but we are on a really good approach of our it security. We are doubled our security level once we are finished, but in a zero trust, you will never be finished. You have to daily review it. You have to train, you have to ask, is that what I have done the, the right way? Is it the state of the art software and what can I do and how can I test my security environment every day? So we, we now have a better view from outside. So we see how often we are. We are penetrated from outside. We have a good monitoring and therefore you will never be finished with your zero trust model.
So I, I, I appreciate that you are not yet done at this point. However, what are your plans after that? So what will you be doing after March when, when you are finished with the zero trust information, is there anything already in you?
Yeah, we are. We are, we have now a lot of informations. We get from our, from our security infrastructure. So we have experts which are helping us, but to understand, and to optimize more and to automate that we are looking now in AI and key technology to, to get more information is what happens. And that's, that's a, that's a future thing for us. So we are, we are happy that we have time and the resources to test that. And we have the first steps done in AI technology. And we see that optimization is really cool, but you have to look into that and to understand how that technology is working. So for us, that will be the future to more optimize and to detect before something happens.
Yeah, yeah. Yes, definitely. I think you learned it unfortunately the hard way, but it sounds to me that you really learned your lessons and did the right things and, and made sure that Marvo ink is now in a better place than it was before. So that was really interesting listening to you to see what, what happened, what you did and what your plans were. So it was a pleasure having you here today. So it was really interesting talking to you, and I do hope the audience also enjoyed that. And I also hope that I will see you in, in, in some way in one of our next sessions, what we will certainly repeat. That's more to the audience. We will repeat interesting interviews like Stefan in upcoming events. And I'm really encouraging you to, to listen in and, and join these sessions because I think they give great insight. Stefan, thank you again. And with that back to thank you, Christopher.
