Interview with Vorwerk CISO Florian Jörgens
Florian Jörgens has held the position of Chief Information Security Officer (CISO) at Vorwerk since 1 July. In our interview, he tells us how he interprets his role, which methods can be employed to frame the subject of information security in an exciting manner, and why artificial intelligence is a double-edged sword when it comes to cyber security.
By definition, the Chief Information Security Officer takes full responsibility for the subject of information security, in other words, the protection of analog and digital information. The classic tasks include further development of a company-wide information-security strategy, expansion of existing guidelines and implementation of continuous training for all company employees. I personally enjoy the challenge of dovetailing different teams from throughout the company, such as Production, Procurement, Sales or HR, for example.
The primary goal is to protect the data within the company which is really sensitive. In order to achieve this goal, existing measures constantly have to be updated. One method, for example, is to evaluate information according to a 4-step model, in order to then be able to classify it. As part of this process, the relevant information is allocated to one of four categories – public, internal, confidential or secret – in order to better assess its level of sensitivity.
Protective measures may be of a technical nature; something like anti-virus scanners or a system for protecting mobile end-devices, or they might be organizational or procedural. At the end of the day, the decision depends upon which protective measures and/or combination of measures is best suited for each company.
Hackers essentially have two options when choosing their targets: systems or users. The majority of cyberattacks require interaction with the user. Conversely, this means that employees represent the most significant lever as a security factor. This means that companies can never achieve 100% security. The goal must therefore be to dissuade external attackers from their undertaking by placing many small hurdles in their path. Vigilant employees, who critically question abnormalities in good time, report them and stay informed about the latest methods of attack, make an enormously important contribution to the protection of your company.
By addressing the issue in the most exciting manner possible. That is why we use live-hacking events, for example, to make our employees aware of potential risks, and to illustrate them. Because we have to be clear about one thing: For companies today, it is no longer a question of if, but when they will be the target of a cyberattack, and how severe this will be. Anybody who has seen how easy it is to take over a notebook using malware, or crack a password is a lot more careful. What’s more, the knowledge gained can also be implemented in the private sphere. There too, people receive phishing emails, have their identities stolen and get their accounts hacked. This is precisely what we talked about in our Global Information Security Month October.
The same applies here: An understanding of the risks and openness to a constructive partnership are the key to success. We want to support the business in the best possible manner. Here, the same thing also applies: Only secure products gain the respect of our clients as part of our high-quality offers. Our motto is “Security by Design”. To this end, we work closely with our colleagues in Research and Development so that their ideas can be transformed into secure products.
For me personally, an information-technology background is a basic prerequisite for my job. Most company information is stored on servers which are growing in size due to ever-increasing digitization. In my opinion, a broad basic knowledge in the field of information technology is essential in order to perform one’s own role as effectively as possible.
It is also necessary to understand the demands of the specialist areas. Information security is not an end in itself, but always serves to support the business strategy. That is why working together, hand-in-hand with the different teams is certainly a decisive factor when it comes to further increasing the level of security at a company.
Actually, in practice we find that successful methods of attack from previous decades remain in place, and are only developed incrementally – macro-viruses in email attachments, manipulated USB-sticks and social engineering are still effective. This means that the risks of tomorrow are often the same as yesterday. However, these days we are much more dependent on functioning systems.
In order to remain up-to-date, we must strive to continuously learn and develop. That is why, alongside public message portals, we also keep our eye on the forums and databases where hackers share information about new weak points or attack scenarios. I also believe that talking to other CISOs is particularly helpful. We all want to ensure that our companies are protected. That is why an interdisciplinary exchange outside the limits of one company is highly valuable.
Artificial intelligence is a double-edged sword. On the one hand, this technology helps us to recognize attacks earlier and in a more targeted manner. On the other, attackers themselves are using this technological approach to their advantage. We are currently following the development of so-called ‘deepfake’ attacks with increasing concern. This method is used to alter and distort media content such as photos, audio and video through the use of neural networks. An example: suddenly the telephone rings, and someone who sounds like the CFO initiates a transaction to an overseas account. The audio files that you hear were edited in advance, and can no longer be differentiated from the real person.
A cat-and-mouse game is taking place between attackers and defenders. This makes it even more important to support our employees on a daily basis in order to provide the company with optimum protection. That is why we regularly inform ourselves about the current risks using a range of different channels – via our Intranet, in personal meetings and at special events.