We have a panel closing out that sort of first session in the morning before we break for networking and I would like to welcome on stage three very experienced cyber experts and I'm happy to talk about Forging Strong Shields, Collaborative Strategies to Defend Against Cyber Criminals with Max Imbiel, Max is the Deputy Group CSO for N26, Sounil Yu, Sounil is one of the leading cyber security experts in the world, he created the Cyber Defense Matrix and is one of the most influential leaders in the world and then Alex Klimburg, senior fellow, he's leading the Hague Center for Strategic Studies, also very experienced working, leading the cyber expert group for World Economic Forum for quite some time, so thank you for being on stage and we have four seats so I can sit down as well.
So to sort of break the ice a bit and I know reading the title is probably as difficult to understand in the first instance than reading it, so maybe a bit of a warm-up, Forging Stronger Shields, let's talk about that, what does that mean to you, what does it tell you, what do you want to share around that? I start to my right, Sounil.
So I think that we all generally agree that we're in this together and that a cord of three strands is stronger than each one on their own, so I think at the end of the day we all recognize it, I think, as Sergey put it earlier, it's not a question of whether we know what we do, it's a question of execution, so how do we execute against that and I'll share more about I think some perspectives here but there are laws and regulation that actually hinder our ability to do this as well and so I think we need to have a conversation about what makes sense. Okay, good, thanks.
Max, you have a few. I think I'm also very aligned with what you already said and for my picture this matches really well with the shield perspective because I think what we need to really come up with more and more within security is this kind of Spartan phalanx that they did where they were all in a row, right, all keeping up their shields against the enemy and only because of that, only because everybody did it the same way and they all worked together, they had this strong shield and this is exactly what we kind of need to establish.
Alex, last but definitely not least. Yeah, I'm wondering about the topic question exactly but I guess the answer to all your questions is always information exchange so that's been the case since the very first document on critical infrastructure protection was produced in the late 1990s. Every four or five years we revisit the topic again. Every couple of years somebody throws up their hands saying I can't hear the word information exchange anymore and we're still at that topic so it's probably still the most important thing that we need to discuss.
It's irritating as it might be for people who have been in this field for a long time. And yesterday to some degree I actually made a challenge to that that we should stop, I think we should actually stop information sharing.
Oh good, we have a discussion. Yes, and I refer back to the DIKW pyramid, data, information, knowledge, wisdom. We should stop data and information sharing because for the most part that is actually not as helpful as knowledge sharing. So how we do things is much more, I think much more important than the specifics of what comes out of how we do certain things. The example being how do I look for malicious actors versus what are the outputs of what I find from that execution of how I look for it. So I would see it on a more practical level.
So like for instance, when you talk about knowledge, knowledge might be for me TTPs, right? But we do need to also have IOCs, we need to have indicators of compromise, we need to also have some tactical data that we're exchanging. You can always argue that TTPs may be something that can be communicated separate from the IOCs and also should be, but I'm not necessarily convinced that's the case. But we do have a level above that which is the general threat intel, which is hey what are you generally seeing from this block? What kind of general trends are you seeing?
That sometimes helps but not always and essentially the only way we make any progress in this field is if we rapidly share indicators of compromise and indicators of, there's a lot of different indicators these days, not only IOCs, right? That's just one of many. And that's to this day is the most important, the most important factor. And once we stop sharing IOCs or we stop sharing TTPs, that's instantly the point where we fail. So there are always concerns of how one does that.
Sources and methods can be quite sensitive, not only on the government side where you don't want to reveal your super secret intelligence capabilities, but also from our point of view because we don't want to reveal that we maybe are violating data protection practices when we look at stuff. So it's, you have to be careful about that. But the solution to that are super secret informal groups which most high-class information security professionals are part of.
And we've been part of these groups for decades, they're mailing lists, encrypted, you have to be triple vouched to get in and if you name, if you name it, you immediately get struck by a bolt of lightning. And then we use the traffic light protocol and if you say if it's TLP red, traffic light protocol red, you may not talk about it ever, ever, ever, ever. And that's one of the challenges because then you have a person sitting in a major company who effectively has been informed about something and he can't share it, he only can act on it.
And that's a problem of course that one has in national security all the time when you're dealing with situations outside of cyber where you have one person who's informed about the super secret stuff but not necessarily the person who can make the change. And that's the problem that we have when, with information sharing in my opinion. The other stuff in terms of having to share TTPs and IOCs and just general data I think is the most fundamental part of cyber security. Keep on going. Okay. I will not ask any further questions. Just keep on going. Just make sure Max is involved as well.
I feel a bit stuck in the middle right here. Again, I kind of agree with both points of view, especially the immediate sharing of IOCs and TTPs because that's kind of the foundation that we all need for acting against something that is already happening. But what you said as well is the knowledge part of how do we share knowledge of what is working in terms of processes, right? What is working in terms of solutions that we have implemented and that actively were going against some attacks, right?
So positive knowledge sharing also is this mindset of what we heard yesterday by the, I forget what Bürgermeister means in English, the mayor. Thank you. The mayor of Frankfurt here told that they are also distributing certain knowledge sharing activities with their local cities and their councils to get them on BCM trainings and stuff like that. It's a good next step, right? Because they need to be aware of the topic in itself, the knowledge to have that.
But then you still need the foundation, the base level of what you're saying in the information, in the data that still needs to be shared, but of course needs to be also consumed by parties that can consume them. Because if you're just sharing data out there and you have parties that sit there and have no idea what even to do with those, there's of course no benefit in that as well. So let me offer an analogy of what we're actually sharing today. So let's suppose I baked a cake, okay? And that cake I think is delicious and it helps me find all these amazing threat actors.
And I then say, okay, I would like to share something here with you. Now you would think in the way we're thinking that I'm actually sharing with you the cake.
But no, actually what I'm sharing with you is the residue powder and the broken eggshells that I don't need anymore because I've used what I needed to do and I'm now sharing with you the remaining artifacts that I don't really need. Now is there value in broken eggshells? Is there value in a little bit of the flour that remains?
Sure, there is. But what you really actually want to know is not even actually what you don't, what you want is not even just the cake. You actually want to know how to make the cake. Because whatever you, the best threat intelligence in the world is that which you discover yourself. If you're getting someone else's threat intelligence, yes, there is some value there, no question whatsoever. And to the degree that we don't have an alternative, we should absolutely continue to do that. But let's go back to the original question.
If we are trying to defend against criminals and other actors that actually do not have that same constraint in terms of being able to share how they do certain things, then what we are fighting with very weak versions of shields that will ultimately be circumvented very quickly. We are trying to find a way to essentially work together. And there absolutely are very tight knit trust groups that I hope senior leaders at various organizations are a part of. But there is going to be a need to scale that, and that's really hard. Scaling trust groups is really hard.
Anybody who's been through a trust group and seen failures of that, you know how hard it is. But that's something that we need to figure out because the attackers have already figured that out and they do it at a pretty… And I think you have a really good point, because at the end of the day, I'm a member of an EMEA board for one of the biggest sharing communities in the world. And a discussion we had there recently was sort of on the German market where we're in.
German financial market, you have the big banks who have their threat intel function and all the knowledge base that you are talking about. And then you have smaller banks, even if you provide them threat intel, they wouldn't probably know what to do with that because they're just not skilled for it. They don't have the sort of mechanisms that we all have to do it. Some do.
I mean, N26 is not a big player, but different animals. So you guys do. But it's really around the knowledge that you need. That intel isn't enough. It's great. And I strongly believe that sharing is a big asset in our community. But I'm completely with you. It needs to be around knowledge. So if we think about that, and Max and Alex in a second, but if we sort of summarize what we've heard right now, we all believe sharing is important. Collaboration is important. It sounds like the way how we do that is the critical success factor. So some thoughts around that. How do we do that?
After what you heard right now, how do we make that a critical success factor? Yeah, so that follows up on the previous discussion. So three thoughts to that, which concludes with your question, I guess. So sticking with the recipe analogy, because I get stuck on analogies very easily. First of all, I'm not so sure of what we share is really just the crumbs and the eggshells. If you do that, then you're a bad actor. You're supposed to really share stuff that happened.
But I do completely agree with what you said, is that sometimes you're going to be sharing stuff that is, in the US government the term is NOBUS, nobody but us can use it. It's like it's too complicated. It's like we're and then you and or you tell yourself this is way too complicated, never going to understand it. That's why we don't share it, right?
So I, you're supposed to share stuff that is actionable. And normally, when you're in a group of peers, you're able to do that. The second problem is that very often the information in these trust groups does not go to the CSO.
In fact, I know people who when they become CSO step out of these groups, so they don't have conflict of interest, or reporting requirements are similar, because it's just too risky, right? So balancing for me, the biggest issue is how do you balance out the requirements of the individual who, for instance, sits in these trust groups, and does information exchange and his obligation to his employer, or maybe even the degree of responsibility to the investors, right? That one's very complicated. There's been attempts to square that, but I don't think it's really worked out.
I actually really liked what we were going with Max's point also, and what you mentioned in terms of what more or less the end stage could be in terms of the recipe. Maybe let's talk about the recipe. Is this really a good recipe altogether? Which for me would more or less imply, does this type of product mix work? And that's actually a lot more disadvantageous to the vendors, because it's vendor critical. It's about saying not only, oh, what do we think about, you know, XDRs and EDRs and CMs, it goes down and says specifically products.
So basically, what I'm thinking about is a trust group that excludes vendors, maybe even excludes the consultants, and only deals with the supply side, and they exchange the recipes. And you have to be rigorous about it, because if any one of those guys gets into it, you're going to ruin the cake, right? So analogy, cake, very good. I think the main message in that is context is king, right?
This is what it's all about, because we must have an established process to define what kind of context do we deliver with that kind of knowledge, so that certain parties can use what that recipe tells them, right? Because someone might have an oven that is electric, others with gas. So the heat must be different, something like that. But they got to be aware of that. So you got to deliver this kind of context while delivering your recipe. And I guess what you said, Carsten, with these interest groups, and how would we proceed further?
I mean, especially in our financial services industry, we have DORA upcoming, right? And DORA is now one of those very first regulations, especially in our market, that says there is a paragraph that states that it's got to be information exchange. I don't believe they have worked out the technical standard yet on what exactly needs to be shared and everything like that, because that will be a whole book in itself, probably. But there's one paragraph that will state this, and that will be live in 25. So we got to work on that.
How do we do this now, right now, and have hopefully also a system in place that is also usable cross finance industry? Because if we just do that within the finance industry, fine, that's nice. But what about everybody else who is kind of dependent on our industry as well? And so this got to be a solution that's really usable and also kind of efficient for other parties as well.
Yeah, and let me add, I think even with... So we have the desire to do this, but as I mentioned a moment ago, there are some both institutional and regulatory guardrails that limit our ability to do this. So I think in our dream world, we would have this well-functioning collaboration, even internally within our own bank, amongst AML, fraud, and cybersecurity, and the data privacy people, right? We have these four different functions that live even within the same organization that can't collaborate. What hope do we have across different organizations?
And part of the reason why we have both institutional barriers, but we also have regulatory barriers that keep those separate as well. And so we have two hurdles to leap over. So let's just assume for whatever reason, the regulatory barriers, let's go away.
Again, internally, we'll have this power struggle now in terms of who's going to lead that initiative to bring these people together. So I think it's an interesting challenge, but one that, again, we have to solve because the attackers have figured out, they know how to navigate AML, fraud, data privacy, because they don't care about any of those laws. They just violate them at will.
But then it's up to us to follow those laws and guidelines and as much as possible to eliminate or create the conduits for the proper collaboration across those different functions, both from a regulatory standpoint as well as from an internal standpoint. And from the Deutsche Bank standpoint, I'm sure you see this as much as I saw that Bank of America. Absolutely. So 10 questions that came up in my mind whilst you were talking and we can't tackle them all, but let's go on the last point you made.
The interesting bit is that if I look at the financial industry and how the financial industry is sharing, nobody sees that as a competitive advantage. We call each other CISOs and talk about something that we are seeing and we share that openly and we are allowed to. That's within the regulations. When it comes to internal, I mean, what you talked about literally is the concept of fusion centers that are coming like waves. Every bank is trying to do that once in a while and then recognize how difficult that is. That's internal politics.
Nobody wants to sort of give up their remit and probably it's because it's crossing boundaries. So that's why I like that concept of the financial industry sharing with each other. One more point and then over to you, Max. What you mentioned about that level of trust, in FS-ISAC we had an interesting discussion around we need to get the critical vendors more involved, also because of DORA, because they are part of DORA, so we need to get them further involved. But I think you need to sort of stagger that from a trust level perspective.
What we have started to do in Deutsche as well, we have smaller communities where we share. That's probably more where we share the cake than the eggshells. And then we have broader communities where you share but in a different meaning and probably then also involving the critical vendors. So what about those steps? Just to pick up on the FS-ISAC point, because I was a little bit confused, because I thought the whole FS-ISAC model was intended to tackle some of those things and it's now become too big sometimes for its own purposes. But this doesn't mean one can't build on it and improve on it.
And the standard practice in the industry, of course, is to have birds of a feather groups and have your own small trust groups within those groups. And my experience is that they work really well. So it's just being flexible on this. And I think your point that you made before is the most important. How do we find a process where that is encouraged but protected, in particular, from regulatory legal encroachment? And in the US, they even tried to set up an entire government program to work with that. So of course, there's ISACs, the UK calls them WARPs, similar.
But they also tried to create ISAOs. And the whole point of ISAOs was to work with these informal trust groups. But the trust groups just basically, to the extent that they had a person to talk to, just turned around and said, yeah, no thanks. Because the chances were just too high that they were to get fired, get put in jail, get sued. So in the end of the day, ISAOs are still around, but there's something else now, and they just don't work.
And I think your question about how to deal with internal politics might be solved now with new SEC regulations that I talked about yesterday at quite some depth, the 8-K reporting, the new 8-K reporting requirements, which are pretty detailed and do mean you will be sued on the board if you do not actually regularly appraise yourself of cyber risk. Not only the oversight of that risk, because that's been in there for a while, but you need to show that you yourself know what you're talking about, not just getting briefed. I don't know how they're going to test that, but it'll be interesting.
And it's in NIST too, for that matter. So it's already happening before DORA. And that's going to be, in some ways, our magic sword.
Although, frankly, it might end up being a magic needle, because none of these things really solves the problem completely. So I know this will happen. Thanks for the lively discussion. A closing word from everybody sort of around the chairs, because we're running out of time, and that usually happens if you get into a lively debate. But I did like how that was going with one question. We got you all excited. You want to start with the last words on the topic? So going back to Stanley Kubrick, I think we should all stop worrying about information sharing and love the DIKW pyramid.
I would say, because we had this topic just earlier, that even internal teams are sometimes not speaking with each other. So why bother of external parties talking with each other, which is why I sometimes refer to the CISO as the chief internal speaking officer, and not information security officer. But let's find a system that works, not just for certain industries, but is cross-usable.
And yeah, it's ultimately important. So I have a longer thought, but it can be summarized with ISOC, information security is basically Go and not chess. And it's quite simple that if you think about it in higher government or governance frameworks, you have things like whole of government, whole of nation, something called whole of system, different frameworks of cooperation. And one of the tricks I figured out when working together with government, because governments don't talk to each other, right? The ministers don't talk to each other.
The minister, the ministeriums don't talk to each other. The way you get them to talk to each other is you make it a whole of nation discussion. And when you do that, it's kind of amazing because I have done a whole bunch of these discussions. I run a framework. We call it boots, suits, sandals, and spooks. You get all these people together. And it's actually the government start talking to each other because like, this is great. We can finally talk to each other. We don't have a formal format. We have to make it about a whole of nation format to make it whole of government.
But yeah, so I would recommend to you CISOs, because this is what I've done at the World Economic Forum where I wasn't the head of the expert group. I was the executive in charge of the Center for Cybersecurity. This is what we kind of do, is that we try to externalize the discussion. We involve others, hopefully up, to encourage our internal communication. Because that, of course, is always the most important factor, and we will all agree about that. But see the external need to communicate as a possibility to improve your communication internally. That's my plea. Great closing word.
Again, thank you very much for the lively discussion. And we do a network break, so everybody has the chance to walk around to ask further questions on the topic to our three panel members, and then I think we will conclude again at 10:45 or something like this. Thank you very much.