And in this track, we will be hearing from three different groups representing completely different industries. And the first speaker will be presenting as a CISO of a large, well, let's call it a quote-unquote end-user company, a producer of wonderful and fantastic baking goods. But of course, he will be talking about fantastic cybersecurity. So welcome, Matthias Muhlert.

Thank you. Thank you very much for the introduction. Thank you very much that you have enough energy after the dinner, after lunch to participate.
Yes, I'll be talking about CyberFantastic. CyberFantastic is a framework that I came up with. And I'm not going to run you, of course, through the whole framework in 20 minutes. That's not possible. But what I would like to achieve is plant certain seeds in your minds that might grow into something which I like to call CyberFantastic. And so the first thought or the first seed I want to plant in your mind is, isn't that the cutest logo that you ever saw for a framework in cybersecurity? Thank you. Thank you.
And yeah, so CyberFantastic, proactive paradigm for the future of cybersecurity. My name is Matthias Muhlert and I work for the Oetker Group. That's why the pudding references. But we also have Coppenrath & Wiese, which also does lovely cakes. But we also have Radeberger Group, so we do a fantastic beer as well. So you have everything in one go. Shout out to Benedikt. Benedikt is my working student and he pimped a little bit my slides, right? Because I'm a little bit old school and he took care that the slides are a little bit more pumped. But the content is mine, so don't blame him.
Always blame just me. Good. So let's talk about it a little bit. So I think that a lot of key words that are used also in this conference are resilience. And resilience is for me not enough. And that's where I came up with CyberFantastic. I think we need to go one step further. Do we need to do it straight away?
Maybe, but we should at least go in that direction. So what I would like to postulate, and Sunil did a fantastic topic and divided security into 10 years, decades, and we always need to move on. And that's why when we reach cyber resilience, we need to think of the next topic that we want to achieve, right? And not stop thinking that we achieved something because that will be a stopping point. And we don't need stopping points. We need evolving points. Embracing disruptions.
So if we come to a mindset where we actually embrace disruptions, where we say this is something good because we can learn out of it, that will mentally change the topic. This will mentally change how you approach things. This will help also your security organizations to deal with the situations better, right? So we're talking a lot about mental health nowadays, also in cybersecurity, right? So you should give them also the mindset that they should actually embrace certain disruptions, don't see it as a stress factor, right? And the judo principle is for me also important.
Use the strength of the opponent to your advantage, right? I mean, we all know the economy within a cyber attack, right? So simple as that. How many vulnerabilities as a defender do you need to find? All of them. How many do you need to find as an attacker? One. How much time does the attacker have? Endless time. How much time do we have?
Well, from nine to five, please don't hack us after five o'clock in the evening, right? So therefore, we need to see how we can actually use the strength of the opponent to use for ourselves. Sunil is working with Getty. Big shout out to Getty, of course. And Getty did a lot of things on deception technologies and deception technologies is actually something that we can use within the cyber realm. So what was my motivation? I thought it is really important that we grow stronger through attacks. So that's a little bit the mind shift that I would like to achieve, right?
That we not just so if you look a little bit at depending on who defines resilience, but most of the time within resilience, we are just trying to come back to a point where we are operating normally. And I think that's the step too short. I think we need to go on and say, well, we should be better afterwards, right? So if you think about it from, sorry, I'm mentioning you a couple of times today. But if you think about different body parts or different cells, right?
So if you broke your bone, the one area where you don't break your bone afterwards anymore is exactly there where you broke it because it became stronger after it grew together again, right? And that's a little bit the thinking about cyber fantastic. So grow stronger, leverage threats for growth, right? And that's also, I mean, mentally, I would like to achieve you a certain situation where you actually write a thank you note to the attacker and say, hey, thank you. I'm now more secure than I have been before, right? So that's a little bit the story behind the whole topic.
And I think Benedikt did a lovely job with all these slides. And the only order I had was the elephant needs to be shown on every slide. Which makes the slide deck, I think, 50 megabytes. So content-wise, maybe 200 kilobytes. So withstand, so cyber resilience was withstanding cyber threats, right? Then cyber anti-fragility is a new concept. And what's your name again?
I didn't, Sunil suggested in his session, read the first 100 pages of Taleb's book about anti-fragility. I completely agree with this assessment. The rest is rambling. But the concept of cyber anti-fragility is really, it's not fragile, it's not robust. It's fragile, anti-fragile, which is the opposite. So we should get to that situation and that cyber anti-fragility. And for me, the last step is really harnessing those challenges to become even better, right? So that's for me, the cyber fantastic framework. Good. And now a little pun, sorry for that pun.
You might not find it funny, but blame the Germans for not being funny. It's how to eat an elephant. So you slice it, right? You slice it into portions that you can actually digest, right? And that's why within the cyber fantastic framework, I tried to come up with different stages that you probably need to go through, right? So I started with ad hoc security and a lot of companies started with ad hoc security, right? They say like, do we need a firewall? Most likely we need a firewall. Do we need an antivirus system?
Yeah, most likely, right? But it's not really structured. It's not really well orientated, right? So the next step after this, don't get me wrong, each of these stages are important. They must be seen as an evolution, right? So I'm not dissing any of those stages, but they need to come. Then we have the compliance stage, right? Where we give that thing a little bit more in direction. And we also see that we are compliant against certain regulations. I've forgotten that there's something like NIS 2 or something like that coming up. You might have heard of it.
So that might be a good compliance stage, right? Or GDPR or what kind of things. The next step is then a risk-based approach, right? So when you have a certain foundation of your house and you know where to plant something, you can then make dedicated risk assessments and say, where do we need to add something and where do we don't need to add something?
And again, Sunil said it early on, you need to have business acumen, right? You need to understand where you actually need to protect something and where not. And sometimes it's a really hard decision to say, well, we don't need too much protection on that side. It's sometimes a harder decision to take to say, I don't protect something than to say, oh no, we're going to protect everything, right? Human psychology is really important. We're always on the way to say, okay, how do we save something and how do we not save something? Then we come to the stage of proactive cybersecurity.
It's good to think like privacy by design or security by design. Of course, there's a difference between the two. And to think about you as an ecosystem, right?
So for me, proactive cybersecurity is more about think as your company, not as a standalone island. Think of it as an ecosystem, right? And you're depending on this ecosystem. And if that bad C word teaches us everything is that global supply chains can break down easily, right? So think of that a little bit as well. And then there's, for me, the current final step, which is cyber fantastic, to get really into that mindset and say, okay, how do I become better through attacks? How do I actually achieve something in that perspective? Does that make sense so far? Okay.
Don't do an interactive session after lunch. Lessons learned. But that's important, right? You take your lessons learned and you take it to the next level, right? So what do I have? So cyber fantastic, I consider a current high point, right? But I'm looking forward to that person, and I think that person is in that room, who will then develop this even further, right? And come to the next point. And then one of the topics is then we kind of need self-healing and self-regenerating systems, right?
So if that is the perfect point, I mean, cyber fantastic can be, in my perspective, maybe be described also if you cut your hand, right? And you get a little bit of an infection, right? Your system is automatically, without your brain involved, is taking care of that. And you become better. Because from those infections, you will never suffer again. So that's a little bit the mindset of cyber fantastic. So and now comes a really funny thing. I will go a little bit more into detail about risk management. I'm the first one to put up his hand that I'm really terrible at risk management.
I overestimate my competences in that area totally. And there are certain things like the availability bias, right? So if we had an incident of a ransomware, we will, when doing risk management, we will, if you don't base it completely on facts and data, we will overestimate the risk of a ransomware because we have it available in our brain, right? So I think that if we come to a stage where cyber fantastic is there, you don't have the need anymore for risk management. Because if you become better through an attack, why should you do risk management?
It's a bit of a provocative thought, but it might be, also, I must say, I think you will have risk management for the pets, but you will not have risk management for the cows. Good. So I came up with a couple of building blocks on that. And by the way, cyber fantastic is online. It's a white paper. It's published on multiple websites. Just download it.
It has, I promise it has the elephant only one time, despite of this being overpopulated in this slide deck. So let me quickly, you know, put some ideas in your mind. So adaptive machine learning is, for me, a key point, right? So then decentralized identity management is, for me, also a key point, right? Install choke points where you don't really get away with that. Dynamic microsegmentation, what I was telling you early on with the cut on your hand, right? Your body is exactly doing that. It's just taking care of that little section, right? And therefore, you have the possibility.
Alexei was just pointing it out, right? So for the next topic, autonomous incident response, right? So why do we actually need to wake up at three o'clock in the morning if we can automate that much more, right? So take the human element a little bit out of it. Not out of control, but taking it a little bit out of this topic, so autonomous incident response. And predictive analysis. If we have an understanding where our next zero day shows up, you can already prepare for it, right?
So that, for me, is one of the key points, right? Look into the future. See where something is coming up. Quantum resistant techniques. We all know that we are now, I think, 431 qubits within IBM. And they're becoming better and better. And dare I ask the question again, audience participation, who has a really good plan in place when quantum actually breaks our encryption?
Okay, one hand, and I'm not surprised by whom that hand came up from. But it's like, yes, we will adopt a new algorithm. But what is with the years of data that we encrypted beforehand? How do we deal with that, right? So then hybrid clouds are, from my perspective, a rather good thing to, you know, navigate the whole thing. And human machine collaboration, I think it will be staying important for quite some time. And now to that one slide that I'm dreading to show, but, okay, you're ready? All right. So don't die, use DIE.
And that's the only slide I did without the elephant due to the person who went with that lovely thing. But in my mind, it makes a lot of sense if you use that on your journey to cyber anti-fragility, or if you use it as a journey to cyber fantastic, to say, distribute it, make it immutable, and make it ephemeral. That's really important. But Sunil explained it this morning. So fantastic. So I'm not going to dare to talk about this topic any longer. So thank you for not throwing anything at me. Good. So basically, a little bit from a technology-driven perspective from a cyber fantastic.
By the way, in the white paper, I describe also what kind of money is needed to implement it. I describe in the paper, how long you probably need to implement it. And I also describe in the paper, what kind of mental messages or preparedness do you need as a company to go through those different stages? Right? So feel free to look at that. Machine learning, we already talked about quantum computing. And then I wanted to put something in which thing like onion routing. So onion routing is normally associated with Tor, right? But in my mind, it can be used for so much more.
And I will go quickly into that in a minute. Then we have blockchain. Even if blockchain is now one of these buzzwords that should not be used anymore, right?
But it's, for me, also a signal to how can you distribute certain technologies, like authentication, authorization, and this kind of things. AI, machine learning, and then randomness. Good. To the last couple of points I will come to. So onion routing is always considered a little bit like a bad thing, right? So because you're in the Tor network, and you ordered an assassination on your neighbor or the neighbor's dog or whatever, right? But if you think about it, you can actually use that for privacy enhancement. You can actually use that for zero trust.
If you implement an onion routing principle within your company, and an attacker tries to attack a system, a node, but he doesn't have a route to it, how does he attack it? Imagine how many bank robberies there would be if there would be no streets.
Enough, because then you would do it on, it's a bad analogy, I grant it. But think about it.
If, you know, if you have a vulnerability in your system, and the attacker still has a route to that system, he can still exploit the vulnerability. But if he doesn't actually have a route to that system, it might actually be a completely different game. So just think about it, and think about how you can use certain tools also for your advantages. Using randomness. Anyone knows where these lava lamps come from? Sweden. It's like an online provider. So it's the one from Cloudflare. They are using lava lamps to produce randomness. But Sweden is a better answer, to be honest.
It might be, it might be. I'm not quite sure how many, do you get extra screws from IKEA to put them together, or do you need to assemble them yourselves? I have no idea. By the way, you guys, we're talking about cybersecurity, just as a small reminder. So what I'm saying is randomness, right? Randomness for me is an important topic. We are not in the possibility to choose when we get attacked. So this is a randomness. And the more you're prepared for randomness, the more you're prepared for an actual attack. Sunil mentioned chaos engineering early on.
And one of the most famous products, I would say, is Chaos Monkey that was produced by Netflix. So basically they introduced the whole concept of randomness, right? Switching off things randomly. And they learned to deal with that. Another benefit, they understood what is a pet and what is a cow. That's another benefit.
For me, it's the mental preparation that randomness is really a good thing. And you can do that in different perspectives, right? You can introduce random packet routing so that the attacker is completely obscured. Dynamic port association so that once he attacked one port, he can't really attack the same port again. Randomize certain encryption keys, random traffic analysis, et cetera, et cetera. But for me, it's really think about how your people will react in a cybersecurity incident if they're used to randomness. I think it can be actually a game changer. Am I running short of time? Okay.
Sorry. Preparation, quantum computing, we talked about threats from quantum computing. You can read about all these kind of things. Next slide I want to actually mention is the more you advance the steps that I pointed out earlier, right?
So, with ad hoc cybersecurity, there's not really a possibility to do risk management. The further you go on, you can do more specific risk assessment because you have enough data for it. And you can go away from the general risk assessment. But what you can actually do is go to a stage where risk management is hardly necessary. Which would be, from my perspective, a really fantastic topic. Because who here in this room within their risk management has a KPI if the risk management actually works? Thank you. Thank you very much.