First, a quick round of introductions, starting from my left-hand side with Carsten Fischer. Carsten Fischer is the deputy CSO of Deutsche Bank. I have known him for many years; very pleased to have you here, Carsten. Then we have Christopher Schütze. He is the CSO of KuppingerCole, and he is also the head of our cybersecurity practice at KuppingerCole. Thanks for coming as well. Thank you for the invitation. I continue with Ralf Schneider. Ralf Schneider is CIO of Allianz. I'm sure many will know the biggest insurance company in the world, I believe. Right.
So good to have you here, looking forward to that discussion. And finally, we have Ola Martin, who is the CSO of Nordea Bank from Denmark, so that this is not a purely German panel here.
So thanks for doing the job here and helping us with the discussion. Yeah. I'm very glad you are here. Obviously I've prepared some questions, and given what we just found out, we have to talk about ransomware. Carsten, I look to you; you catch the first question from me.
So obviously that seems to be on everybody's mind, and it has certainly been on the minds of security experts for many months, if not years. What about the business people? What about senior management? What about the board? Has this arrived in your discussions already?
So are they concerned as well? Probably you make sure that the board isn't concerned, but it has reached the board for quite some time already.
And it's a lively debate. We did a tabletop exercise on ransomware 12 to 15 months ago, including the board, because it has hit the board. They want to understand what that is. The CFO is interested: what do I do? Do I need to pay? Do I need to accrue for something in case it happens? So there are very lively debates with the board as well. The question they will most likely always ask is what a ransomware attack actually is, and then it comes back to the slide you showed earlier. I think it's a combination of all those attacks.
So the outcome is maybe something new from a concern-level perspective, but the threat vector behind it, like a phishing email attack or others, has been there for quite some time, and we have been working on that for quite some time. I think the complexity that now comes is what happens in a case where you are impacted by ransomware. We have seen in the press, with all the stuff that happens, that it then really becomes the trick of how you get your board quickly activated to take decisions: do we pay the ransom, and if we pay the ransom, what does that mean?
Are we even allowed to pay the ransom in some jurisdictions? So it's a very lively debate with the board, and they are heavily involved in all those discussions. We will most likely do another tabletop exercise very soon, including even more board members, to make that more transparent. It's the number one topic that keeps them, and maybe you're right, keeps them concerned, because they read about it in the press every day. Thank you, Carsten. Ralf, I have a question for you. In order to fight ransomware,
it seems that we have to do a lot of things which we do anyway already, right? Regardless of the threat. Would you agree with that statement, and if not, is there anything on top we need to do? What do you mean by your statement?
What is... yeah, we do vulnerability management. We do awareness training. We do all these classic security measures. So I think ransomware is just another reason to increase our efforts here, but I was wondering, first of all, do you agree? And secondly, is there anything that comes to your mind which we have to do even more?
Yeah, yeah. Understood. I go four or five years back, and it was really boring. It was coming from the US, with our US operations. And it was a little bit boring; all of this, five years ago, was not very serious, because they were not as sophisticated as nowadays. And the only thing that happened was that you had to bring in your backup files. Yeah. But it was boring. And we have to say, we had to start with this virus. So prevention, what you said: vulnerability management, firewalls, investing in cyber hygiene to avoid this noise of viruses. And we did a pretty good job here.
And it was on the agenda of each and everybody, but what's coming now is different. You can do a lot, and you have to do prevention. Yeah. I would separate it: prevention is a key topic, but what comes next is very fast detection. And then how you respond, and nowadays you have to prepare to respond, and therefore you have to train, because you cannot be sure that it never ever happens to you. So the training is very important. And what I see is that you also need support. I would say, never walk alone in cybersecurity, also in ransomware, when you are dealing with this.
So you need partners, and now a little bit of advertising: a partner could also be a cyber insurance, not so much for the damage, because this is a little bit tricky, the damage that you get, the money you... You anticipated my next question. Yeah. Yeah. But you also get support to manage the ransom in a very professional way, and you need support. And the second, I would say, is training, training from the top to the bottom and back. Yeah. Training. Yeah. Yeah. So, because it seems that some people think, oh, I just get the insurance and then I've solved the problem and I can go on, right?
The first thing you would see is that the insurance will not pay the ransom. What? Yeah. Ola, happy to have you here as well. Research indicates that the attackers typically go after the rich companies or the well-insured companies. So actually we've seen that attackers actually do some research into which companies have insurance, because they are more likely to pay. Right.
So that's a fact. Critical infrastructures obviously are a target, or companies with poor security, right? Obviously an easier target.
So I guess no one wants to belong to the latter category, but what are you doing at Nordea to fight that threat? Maybe, you know, and thank you for having me here. And, you know, in the spirit of this great event, I've been looking into some numbers; I wanted to prepare some statistics here. It is true that the rich, well-insured companies and companies with poor security are at stake. But I would like to challenge that as well. I've been looking into some current numbers on what it would cost to buy some ransomware kits online, right?
You mentioned a development five years back where we saw some ransomware attacks, but I think we see some new stuff coming up here: 66%, sorry, 66 US dollars for a ransomware kit. Or you could choose to opt in to an affiliate model where the ransomware kit provider will receive 30% of the potential profit. And if you're not satisfied with the ransomware kit, you'll get a survey and you will have a money-back guarantee. Right?
So it is true that we see a situation where the attackers are, you know, spear phishing, trying to look for the rich companies, the industries with poor security, but we also have to factor in that it has become so easy to reach a level of, you know, tooling experience and so forth, enabling many people to do these things. Yeah.
So that adds to the complexity of this, right? So to the question what we do: you cannot only do one thing, as you also mentioned with the audience, you have to do it all. I saw up there that supply chain risk is on top.
And I dug into some of the NIST assessment frameworks; almost 19 different control families are at stake when talking about supply chain. Yeah. And the same here. So it's a very broad attack surface. It's a very broad skill set that we need to build up in order to withstand this. Yeah. So we need to do both. We need to do more. Thank you. And thank you also for that nice topic of supply chain, because that is what I wanted to ask Carsten next, because you were amongst the group who last year already predicted that this is a big threat.
And we now know that this is a tricky one. And the question obviously is what can companies actually do themselves if something like SolarWinds happens to them? Obviously,
I mean, we always thought we could just trust these tools and this software. So what can we do? I don't think that there is an answer to what we can do, to be honest. I think the first one comes back to some of the discussions we had yesterday as well, and that we keep having, around how you can detect it. And in the SolarWinds case, and some other cases, you will always see that somehow your identity and access management system will play a role in being able to detect it. The second thing is around trust.
We probably need to change our position on the supply chain and not trust those vendors in total. But what do you do with the major providers, call them Google, Microsoft, whatsoever? You cannot stop trusting them, because they are providing the majority of your infrastructure environment. So you still need to have that level of trust. On the other hand, you need to be careful, because you know that they are sort of fully in your chain. Tools: you were talking about too many tools.
And I absolutely agree with that, but some of those tools will probably also need to start changing and think about how they could be able to spot things in a supply chain. Someone talked this morning, I think, about libraries that are infected with a backdoor: if you would scan them right now, you wouldn't find that. So maybe we need to change our thinking there: if we embed libraries into our environment as a sort of supply chain, then we need to start thinking about how we can detect stuff. So, super complex.
I don't think that there is that one answer. The security programs we have in place, we all hope that they are sort of able to detect it at one point in time, but there needs to be that certain level of trust. So I'm not sitting here and saying I know all the answers to that problem, but it was foreseeable that it would become a problem, and it will remain a problem. And I do think that this will be a major focus area also for the security tool industry over the next couple of months. Yeah.
And it's really a tricky one. Right. I think in the SolarWinds case we've seen that the vulnerability came via a patch, right? So normally we urge companies to be quicker, to be faster with patching, because many people, many organizations, struggle with that challenge. So typically we urge the IT colleagues like you to do that faster and more often, and now we've seen, oh, the patch is the problem. Yeah. This was really very strange, that the one who hadn't patched was the winner. Yeah. This is a really strange situation.
But I would say the following. First of all, when you are doing this from a quality standpoint, you would not say I use Microsoft, because then you are pushed with patching and vulnerabilities each and every two weeks. Yeah. But you cannot avoid Microsoft. Therefore I would say for the industry it is very important that we share information and that quality checks are also done on this software by companies, checks which are not only touching the functionality, but also the quality of the capability to patch the vulnerability, because no software provider can say we have zero vulnerabilities, no chance.
Yeah. Therefore it's more important how fast they detect them, because I have some suspicion, for example about Microsoft, that they only disclose vulnerabilities which are public and all the others they do not disclose, and they wait. I have such a gut feeling. But it is also very important that the software providers are able to detect their vulnerabilities and manage them quite well.
So quality is... and I would say for the buy side, for IT, we have to share our information with other companies and say which tools we have, which problems we have with the tools, because to check each and every supplier, no chance. And then the good idea of the procurement guys or the management guys to restrict to only a small number of suppliers: no chance in IT. The innovation is too fast. And therefore I would say we have to share, from the buy side, what we learned about the providers and the suppliers. Yeah. And not do everything alone. What can this sharing look like?
Are there already existing channels? Yeah.
There are different organizations. Here in Berlin, which we founded as one of four companies, there is the cybersecurity organization DCSO, where there is exactly this sharing. But there are also voices that say we are sharing our information, but we have to organize, because on the buy side we are in a poor situation because of the vendors. I do not know exactly how many vendors are here.
They are in a strong position and we are in a weak position to check what's going on in the service quality, not in the product quality, which is what you are doing as an analyst, but what the service quality is and how fast they can react against cyber risk in production, but also in the products. Yeah.
No, no, thank you. Christopher, I think we've been discussing ransomware and supply chain, and sometimes they are mingled anyway, right? So ransomware is at the same time a supply chain problem, and vice versa. Would you recommend that people, that organizations, need a resiliency strategy?
And if that's the case, what actually should it be? Yeah. Yes, for sure. You need some kind of resilience strategy within an organization. That's exactly what we did yesterday in the ransomware workshop, for instance, where we tried to share that it's not only prevention. This is what Ralf mentioned. It's also about preparation. Detection mechanisms, really knowing what is going on: are my measures relevant? Is there any gap or need? Do I have to do any preparation or improvement?
And what I recommended yesterday, and the same for this group, is starting really not with the basics, but with risk management or asset management. That really is the foundation: know what is relevant. And if it's really a critical asset, especially if you want to put something into the cloud, store it on Teams, Microsoft, Google, wherever: if it's a business-critical document or information for you, then you can decide whether you encrypt it, whether you have additional measures, or whether you do not store it there.
And this is really something important and goes hand in hand with such a strategy to be resilient against attacks. Yeah. I think that resonates with what Carsten also said, so I think: prepare, plan and train it. Yeah. I would like to add, because what we see when you share information is exactly what you said, it's not only about ransomware. The successful ransomware is expensive, like MediaMarkt Saturn now, but also when they have prepared ransomware and you detect them, getting rid of them is also really expensive. And you have costs.
Nobody is telling you, but there are a lot of costs to avoid. It's not only about a successful ransomware; there is a grey area which is really, really expensive. Yeah, exactly. And even if you pay the ransom once, that's what you stated yesterday, maybe they ask you a second time, because entering the decryption key does not guarantee you that the ransomware is not still there. And then they ask you again two weeks later. And this is something we need to be aware of, and removing this is a very specialized topic. Yes.
And adding to that, we also see a development where not only do you need to pay for the encryption key, but you also need to pay for them not disclosing the data that they breached. Right? Yeah. Yeah.
And I think the new dynamic also is that the costs for ransom are exploding. Right?
So in the third quarter of this year we already have double the ransom of the first and second quarter of this year. So there's a clear dynamic to see, right.
So it's a problem which has been around for long, but it still has a dynamic, right. Going a little bit away from the tools.
And that is what I presented, where people think that apart from the technology, humans are still a big problem. Right?
Yeah, exactly, exactly. Again, sorry, I did some research on my own and used some of your good material as well. Right? So we see that 85% of the breaches that we have right now are in some perspective related to the human factor. So 85% of the breaches, and I'm looking into a population of 5,300 breaches, you know, based on this, we see that 61% of this population of breaches are related to credential theft, right? So this is the new attack vector. It's not so much what you've been talking about; we still need to defend ourselves with the more preventive controls. Right.
But the new attack vector, of course, is the human one. Yeah. I would add, yes, it's a little bit more complex, because the credential is only the entry point. Yeah. Then we have the next problem, that lateral movement is too easy in some companies. The next is that the access rights of some users are much too high. What they have in the end, the factor is the entry point, and you are totally right. We also invest a lot of money in cybersecurity awareness, but it's only the entry point. And at the moment it is the cheapest entry point for a hacker to come in.
Therefore they use it. And when you have the credential, you are in the system, and nobody who doesn't have user behavior analytics can check whether you are a hacker or not. Therefore it's easy to come in, but then the ransomware starts, and there are a lot more layers where you have to do things like patching, when you are not patching the wrong things. Yeah. Yeah. But this is the next layer, and there are a lot of layers, but you're totally right.
The easiest entry point is still the credential, and then it starts. Yeah. I think, Carsten, of course I know that identity and access has been top of the list for many years. Now we have also seen that people seem to invest in data security. Do you see that trend as well?
Are there any particular initiatives you are currently seeing, perhaps also in your organization? Yeah. So, to what you discussed, and then coming to that point, sort of preaching it: if you would have asked me two years ago where we would be now between the level of prevention and detection, I would have thought that prevention would come further down and detection would go further up, because we all recognize that prevention may be too complex and costly over time. I don't think that really happened. If I look back from two years ago to now, prevention is getting more important.
And if we talk about prevention, then identity and access obviously is at the forefront, because you try to make sure that you have multi-factor and all that stuff, so that credential phishing becomes more difficult. You will still not be able to prevent everything, and that's why data security becomes so important. I remember a discussion you and I had with a major provider of identity and access solutions, probably four or five years ago. And he told us: it will all be around the data. You will stop worrying about an identity or this or that. You will worry about the data.
How can you secure the data? How can you make sure that the data cell is protected? Because then you don't need to worry too much about the rest. And it probably took longer for the industry to recognize that than it took this guy four or five years ago, and that's probably why he's running a major security company. But I think we are there. Everybody's now worried about the data. What do we do with our data? Encryption has become more important, the positive encryption, not the ransomware one, but the encryption of data so that you make sure that your data cell is protected.
And even if somebody is accessing it, it will be difficult. So I would see that as probably one of the big trends for the future, that we will see more investment into that, because we are, I mean, Ralf, you said that we all can be hit. Let's not fool ourselves. So what do we do if we are hit? Operational resilience is a big topic, but trying to make sure that the data is properly encrypted, hopefully with an algorithm that is still valid post-quantum. Yeah. Yeah. Thanks. So we have seen identity and access is a priority.
Everyone is moving into the cloud, and we also see that more and more people seem to work on zero trust initiatives in order to deal with exactly this new challenge. Zero trust as a concept has been around for more than 10 years; we just recently had John Kindervag in our cybersecurity council talking to us, and I think he invented this term 10 years ago or even longer, but only now does it seem to become of practical relevance in organizations.
So, Christopher, that question probably goes to you. What's your take on the importance or relevance of zero trust today?
Yeah, for sure. Zero trust, not only in the survey we did, is a very relevant topic, especially during the pandemic crisis of the last two years. We had a lot of problems with accessing our data in organizations distributed all over the world. Classic Monday morning, trying to log in to the traditional VPN gateway proxy: they broke down because they didn't prepare, or hadn't been prepared sufficiently, for dealing with tens of thousands of access attempts. This is on one hand, and going more into multi-cloud, multi-hybrid environments,
we have different areas where we want to have access with our initial credentials, but there's something in between: mainly a network, a public network, and this is a big threat to our access attempts to our data, whether it's encrypted or not, or additionally protected. And therefore we need to have measures to secure this. And zero trust is a really good option to do exactly this: do not trust, always verify, and then access.
So don't trust that this access attempt is from, for me, from Christopher and not manipulated; really focus on: is this a validated access? And doing this with policies, which you can make really complex; I'm pretty sure we will discuss this. Based on device ID, authentication, time stamp, even behavior is a really good option to identify whether this access is a good one or a false or a fake one. And then you can protect your relevant IT assets much better. Yeah. The other thing which came up, and that was a discussion in the KuppingerCole council, Ralf, as well,
and I think we also discussed it briefly at the EIC already, is the complexity which comes to the table because of cloud. And we also see that on-prem will not go away.
So what is best practice? How could security people work with the IT people who implement all this to make sure that we don't introduce new problems? First of all, you have to think a little bit about why cloud is so important. You can say it's a hype when something is coming, but then you see: when you start a new enterprise or a new journey, you would always start in the cloud. Nobody comes with a startup idea where
the first thing I have to build is a data center. No. But we did this 50 years ago, and it was really with the mainframes; you had to find a place for the mainframes. And indeed, you have to understand this dynamic. The second is, we are in a huge, huge dilemma, and nobody is raising this in a correct way, because we are living in a world of digital transformation and cyber risk, both. Yeah. And when you are doing digital transformation, we as IT guys want to support the business, and we want to make business.
So the best way to be secure is: I would go to an analog world. Then I have no cyber risk.
Yeah, yeah. In an analog world you have no cyber risk. Yeah. By the way, the military is doing exactly this. They have forces which can only act analog. Yeah. Interesting. Very interesting. So this dilemma we have to manage, and now in the middle comes the cloud. Yeah. I would say the most challenging topic: you have a third player in your operations, you have the cloud provider, and you have to work very closely together with this third party. Not only your business, your IT, but you have a third party, and I guess the feeling, but also the colleagues, how to manage it.
You now have to manage a new partner, and you cannot only say I trust whatever he is doing, because he is at risk when he makes a mistake. Yeah. And you have seen it's possible, and we will see that they will also make mistakes. And therefore my feeling is: how to manage this cloud provider? Yeah. And how to monitor what they are doing? And I guess they also have to open their books on what they are doing, to get trust from our side. But is this not the case yet?
So do you recognize resistance? We discussed this topic also in the closed shop. I name no names, but with the cloud providers, to manage their cloud environment, what they use in their protocols, you have no guarantee what they are doing on your devices. They promise that they are doing nothing wrong, but they have the possibilities or the opportunities for it. And when you ask them, tell me what you are doing and tell me your protocol: have you got the answer from this cloud provider? Yeah. I have not. Yeah.
Yeah, yeah. Agreed. They have their agents on each and every one of my IT assets. Yeah. In real time, super. But to be fair, the data center providers do that as well. So I don't think that this is a major change. And to be fair to the cloud providers, I think ideas like access transparency are super important. I'm struggling with why some services of cloud providers are not yet on data access transparency. I think that's a key component. You need to know who's accessing your data, those types of things, encryption protocols.
I think we will see more of that front-to-back encryption rather than having a break in between, where you encrypt in transit, where you encrypt at rest, but you don't encrypt in motion. So I think that will happen as well. And the first products are out there; some are beta, some are a bit better, but this will come. So I think they will evolve as well, because the first data centers, I mean, I remember audit reports from 20 years ago, across all companies, where people were just able to walk into a data center, pull out a disk and walk home. It started simple as well.
So I do think there will be a lot that remains difficult. But then I have a question: how do you solve this gap? Of course, what's coming is also confidential computing; we have to do this. But when you have confidential computing, how do you manage this when you are sitting on a huge bunch of legacy, and then you have the high-end confidential computing? But this is exactly the discussion.
I mean, you raised that also on your slides earlier: it's the multi-cloud hybrid environment that everybody's worried about. When we talked yesterday, I don't think there was anybody in the room saying, yeah, no, I need fewer resources in the future. I think everybody was saying, theoretically, I need more, because I need to look into this cloud provider, this cloud provider, this cloud provider and into my on-prem, and traditional SIEM concepts may likely fail, as we have seen in the past. Yeah. So we need to rethink the whole model of how we're doing it.
And that could be resource-intensive in the beginning, where all of us are now trying to become more efficient and all of that. So I think that's the real challenge.
I don't worry too much about the cloud provider in itself, because their investment in security is easily 10 times what is sitting around that group of investments. Yeah.
So, but resources, talking about resources, a good topic. Obviously cybersecurity nowadays is a multi-billion euro, dollar business. So it is attracting a lot of people, a lot of workers; universities increasingly offer courses around cybersecurity.
So Ola, do we now have enough people? No, absolutely not.
I think some of the numbers show that, and this goes back a long time: three and a half million, you know, security SMEs are needed in 2021, something like that. It's a huge number.
You know, of course I have a view from the business side, you know, how are we going to attract, retain and develop these people? We cannot, as it is now, ask for people with 10 years of experience, SMEs with all these certifications; we need to build people. So we as a company need to change our approach. But it's also a matter of how we as a community should interact with universities and try to build up some development programs together. That's a topic. So there's a business perspective and there is a community perspective to this. Yeah. Yeah.
So the skill shortage is difficult. Yeah. It is actually one of my top threats, I would say, not necessarily looking at technology all the way, but keeping talent is a threat. Yeah. Yeah. I think, Carsten, a final question before we come to the last round. For many years, actually, regulators have especially forced banks to do certain things which they wouldn't have done without them, which led to the fact that the finance industry in many instances is somehow ahead of the game. Are you now out of this mode?
So can you now concentrate more on the risks and the threats, or is this still in effect? I don't think we will ever get out of that mode.
What I think we as an industry have achieved together with the regulators is to take more of a risk-based approach, to really look into things more from a risk-based rather than from a compliance-driven approach. Let's not worry about whether you have all the controls that are relevant from a compliance perspective. Let's make sure that you have all the controls that are relevant from a threat-based perspective. What's the threat you're trying to fight, and what's the control that is most relevant to that threat?
And I think that is resonating in all the discussions with regulators by now: if you have a proper threat and risk model, then compliance of controls becomes less relevant. I think this is probably where we are. It's still a way to go with some regulators. And I think that will then get us out of that discussion, because then we're hopefully fully threat-focused.
But yeah, I don't know, but I will still be in charge when this is happening. All right, let's come to the final round. I'm now playing genie in a bottle. Obviously you need a big bottle for that.
So I give you... no, I lost it. Five choices. The rule is you can only choose one and you can't invent another one. So you just have to pick one of the five, right? So that's the rule, and you have to be quick; this is the last, final round. So the five choices are, if you could wish for something from me to give you: would it be, one, unlimited budget? Would it be the best talent? Would it be full alignment between security, IT and business? Would it be no legacy? Or would it be the latest security technology, if you could wish?
So again, unlimited budget, best talent, full alignment, no legacy or latest technology. Ola? Talent. You cannot... talent, talent. You cannot address the other topics without having the right people on board, whether they come directly from the university, you need to build them yourself, or you can attract, you know, proficient... Well, it's talent. Talent. Best talent, because talent is capability. Christopher, you probably go for budget, I know you. It's a mixture of talent and alignment with the business. But please, rules: one choice.
I fully agree with the first statements; with the right people you can build everything. So I also say talent. It's full alignment. Security is not a CSO job. Security is a job for everybody in an organization. That's why it's full alignment. Thank you very much for being with us. Please give a round of applause. Yeah.
And obviously we could have discussed for longer, but we do have, and everyone knows, the round tables throughout the day, where Carsten and the others are available for you. Please book your seat, have a continued discussion with them, and be there in time, because the seats are limited. We only have eight seats per table. So please make sure you'll be there in time, but thanks again, and really appreciate it. Over to you. Yeah.