to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. My guest today is Christopher Schütze. He is the CISO of KuppingerCole Analysts. Hi, Christopher.
Hi Matthias, thanks for having me.
Good to have you, and having the CISO, of course, gives me the opportunity for an episode that is entitled "Leading Cybersecurity: A Day in the Life of a CISO". And that's the reason why we're talking today. And when we look at your typical day as a CISO, can you describe what a typical day involves for you, highlighting your top priorities?
Yes, sure. So for sure I get up at four o'clock in the morning...
Sure.
...have a very cold shower, do some yoga stuff, read 10 books in the morning. This is typically the early morning start. No, just kidding. As an IT guy, I really, really hate to get up too early. So what is really important in my everyday business? I think the first thing that is really important is being the... good and bad guy at the same time. So building training and awareness with the people. And that is really a thing I need to do every day. Repeat, repeat, train, educate, use tools for that. Being the one in the organization that people want to ask questions if they have to deal with the security stuff. It's from help desk to the developers, but also people at our conferences that share knowledge, discuss with people, whatever. So really being some kind of the internal voice for security. So that is the engaging stuff. But for sure, also some everyday tasks like maintaining our information security, like risk management, like information security asset management, checking responsibilities, maintaining whether there's a new one, some tool is not used anymore. That is more or less the everyday stuff combined with also third party risk management. So dealing with the suppliers and also dealing with the awareness of the developers here. So something like third party risk management. But this is more on a weekly basis. And also on a weekly basis, I think that is one of the most important things and parts of my everyday business, is talking to people, so to peers more or less, so share knowledge, share experience. And that is from my end what is a typical day or week, the normal stuff I do.
You've mentioned that already. You've mentioned the term risk management, risk-based approach. This is something that we tell our end-user customers all the time. So start with the most important challenges, the most important tasks to achieve. And the amount of security challenges that we are facing is constantly growing. And which ones do you rank then as the most critical? So where do you see the biggest risk and how do you approach these?
So the biggest risks are more or less the ones you already mentioned. I think third party risk management is one of the most highlighted topics. We do this at our conferences and I do this internally as well. I discuss this with other CISOs. The challenges, it's not only the typical stuff like I use a tool. Who's the supplier of the tool? Is it a cloud service? Whatever. It's also from a developer perspective. Which library is used? Which library is used in the library and stuff like that? This is something you really need to be aware of. Otherwise, you integrate some stuff that is integrated in some other stuff and you use it and you don't even know that there might be a gap or a security breach or an incident on that level. So really... third party risk management is the most important thing. And for my part, I would also love to add a second one, which is again the training and awareness from a simulation perspective. So really the person in front of the computer, no matter if it's a chief executive officer, an IT security guy, or someone from the help desk or finance department, this is the first line of defense and you need to train them, because so many security incidents, breaches, whatever, really start with such a boring email where you enter your credentials. You have a lot of technology in the background that prevents the worst thing, from multifactor, whatever. But you can achieve so much if you really train your people and build enough awareness here.
Right. And you've mentioned that already. So you are already involved in, for example, product decisions. But on the other hand, cybersecurity people, and this is a cybersecurity company, so that might even be a more challenging task. Usually the cybersecurity guys and the CISO are the ones who are considered to be the naysayers, the blockers. And sometimes people say they're not of this planet. So the balance between the business goals and the actual cybersecurity efforts that you do. There needs to be a balance. So what is your methodology to achieve this balance, to get cybersecurity and the business objectives that you want to achieve in line?
Really good question, Matthias. So for sure, information security needs to support the business and it should be part, on the other hand, of the important decisions, and that is challenging. So for instance, or not for instance, internally with KuppingerCole, the chief information security officer is part of the executive team. So directly reporting to the chief executive officer, and our goals as a business are the foundation for our security initiatives. So really starting with what do we want to achieve on a midterm and longterm level or strategy with KuppingerCole, and security is aligned here. So this is the starting point in everyday business. This is really challenging. And my approach is really, and that is what I know from other CISOs as well, like discussing and proving and validating every investment, every thing that needs to be done within the organization, every new product, service, whatever: is this paying into the business goal and what are the security implications here. So you need to validate it; risk management, a lot of financial mathematics and things like that can support here as well. But again, at the end, security supports the business. It shouldn't be a blocker. But if you have enough awareness and good insight into the risk management and also the risk appetite of the organization, you can really support here and not be the bad guy who always says no.
And that was challenge one. And usually challenge two is the budget to spend on cybersecurity. So budget constraints versus advanced security needs. How do you navigate this? So you only have a defined amount of money to spend on cybersecurity. How to choose, how to deal with that?
Yeah, so basically it's about finding the right level of paranoia and preventing things towards mitigating risks as much as possible or as necessary. And for instance, if we again think about something like hacking, so external partners, this is a business model. They want to earn money with you. They want to get your data. They want to access your data. They want to do a ransomware attack, whatever, and that you pay money to them. And if you are too expensive, so the effort is too high to get access to your data, to manipulate your data, or even destroy your business, that is always a good starting level. So really finding the right balance between investing and risk appetite. So you need, and here comes again the business perspective from senior management, they need to have defined some kind of risk appetite. What is the maybe concrete amount of money we accept as a business risk as part of the overall revenue of an organization? So that is more general, but we also do it: what is acceptable and what is not. And that can be calculated more or less for every bigger business risk and business impact. And you can use it for arguing. And sometimes maybe it's not the one million investment for achieving the maximum level of security. Maybe it's sometimes only the 500,000 or maybe even the 50,000. Or in the worst case, or business driven, you don't do it because the risk is higher than the expected outcome of that. And with that argumentation, you really can support business decisions. You can support senior management and you can... find valid arguments for security pros and cons in that case.
Right. And I've mentioned that we are a cybersecurity analyst company. So usually I would go to Alexei or to Martin or to Paul and ask them about cybersecurity trends and what is important. You are the practitioner. You are seeing that in your daily business. So when I ask for your opinion, looking at emerging cybersecurity trends, which will most significantly influence your role in the near future? What do you expect?
Yeah, surprise. Artificial intelligence will be number one. But there are different dimensions here. So I think and I expect, and we already do use it in defense, so in the detection. And this has grown in the past and this will even increase. So typical stuff like getting so much logging information from different sources, adding some machine learning capabilities, knowing typical threat patterns, really improves here a lot. And that is, I think, one of the biggest advantages. There are already good solutions in place. We have a good solution here. I think this will improve even more. The other thing, maintaining stuff from assets, their related risks, your general attack surface, our attack surface, our vulnerability management. We have so many services, we have so many devices, endpoints, different versions and stuff like that. And again, a lot of data with some related risks. So whether it's my mobile device, my computer as a chief information security officer, whether it's one of the board members or only one guy who has basic level access. And this can be used for different calculations and for evaluating even if you then want to give a specific access or not, or with some specific conditions, and artificial intelligence or more machine learning can support here a lot. But one thing we need to have in our mind in that case, so even if artificial intelligence helps us in defending our organization, defending KuppingerCole, also our attackers use these tools. And that is something we need to have in our mind. Again, also supply chain. We talked about third-party risk management and the supply chain. And I think we saw this in the past and even in the future that especially the integrated, the frameworks, the SDKs and stuff like that, that is part of deeper investigations. And we also can see this in all the new regulations and new regulatory requirements that came across the European Union or especially Germany. And that is something which is a mixture of trend and new challenges we have to face.
Right, and you've mentioned the technology part, you've mentioned artificial intelligence, but we started with the topic, and I want to go there for the closing of this episode, that is really the natural intelligence, us, the team. Maintaining readiness against cyber threats demands constant vigilance, though, that people are really alert and... How do you ensure that your team stays ahead, me being part of your team in that part? So how do you make them, yeah, stay vigilant?
At the end, you need a great team with a good mixture of people. So we need, that is what we have, a mixture of hardcore developers, infrastructure guys, some governance and compliance guys, IT security, advisory, research, also people that are very interested in ethical hacking and stuff like that. And you need to implement or support a culture really of interest in new things, improving your skills, learning new stuff. There are so many platforms out there where you can become the attacker, where you can learn about even boring regulatory requirements and stuff like that, and how to apply and use artificial intelligence in your everyday life. And internally with KuppingerCole, we share so much knowledge with each other. We share it at our conferences. We learn from our conferences. And this is really, I think, the value I mentioned at the beginning, the talking to peers. So internal peers, allow your people to talk to those peers, but also be part of the community outside. That is the thing, I think you really can learn from each other and build a more resilient organization.
Brilliant. So one thing that always comes to my mind when I hear the term CISO: these are pale people not getting too much sleep, with grey faces, with rings under their eyes, and really not getting much sleep because they cannot sleep, because they fear all the upcoming threats. You don't look like this. So with the stress associated with your role, how do you ensure a healthy work-life balance and how can you switch off in the evening?
Yeah, having a great artificial face filter implemented for sure.
Might help, yeah.
So the first thing is really having a good team that you can rely on and having the buy-in of the senior management that knows how important information security is and that it is a business enabler, not just paying money for services to prevent some attacks. So this is from a company perspective. Personally, and that's maybe helping with my not-too-white-colored skin here, playing some golf on the weekend with friends, having some physical exercise outside. And for sure, going for a really long walk with my dog, at least at the weekend, for three, four hours. That is what helps me.
Great. Thank you, Christopher, for being my guest today. That was really interesting and it really gave an insight into the life of a CISO. And for all the participants out there that are listening to that, if you have any questions for Christopher or if you have any additional feedback that you would provide as a CISO, for example, please leave a comment below this episode on YouTube or just drop Christopher or me an email. We would be happy to hear about what you experienced here, how you experience that role and how you really manage that role and how you decide which decisions you've made. So really interested in getting your feedback for now, for today. Thank you, Christopher, for being my guest today.
Thanks, Matthias.
Thank you and bye bye.