Dr. Barbara Mandl - Endconsumerization Requires Agile Risk Management

So right now, I'd like to introduce to you Dr. Barbara Mandel, Dr. Barbara is from Daimler. She is well known in the industry and has quite a reputation for being a creative and insightful thinker. So I'm looking forward very much to hearing what she has to say today. So thank you, Barbara. Okay. So I already had a very interesting day and thank you for the invitation again. And I am always, I always have this problem when I prepare something for these keynotes that during the other keynotes in the morning with Oasis, I think I should change everything, but I will not change everything.

So we had an interesting discussion in the beginning, Martin Cooper, I was saying about the agile business. Now part of agile business is agile risk management. And so I will talk about agile risk management. I will not talk only about security risks. I do think security risks are very important. Don't get me wrong. This is one this conference, but I'm also thinking we're losing a site on other risks. So obviously I thought maybe nice to start with an NSA picture.

I'm not gonna talk about NSA scandal, but what I thought was interesting and I'm working currently on the cloud strategy in our company. And what I found so interesting is that in this article, it's some German journal. It says down there, and we tried to translate it into English, but the basic line there, which I thought that is weird, you have 13% postponed, already planned cloud projects of some companies. They looked at 11% even canceled existing cloud projects.

Now, my question to these people actually is whom I don't know is, did you do a risk assessment before you started these projects? Did you think about back to Martin about the data you were going to put in that cloud? Because obviously whatever you put in the cloud, you're still responsible for your own data. So if you haven't considered that, well, that might be bad, but maybe they did a big risk assessment. And they said, no, we can't do it. I don't know why am I talking about risk management? Okay.

The people who don't know me, I have a department at Dimar, which also does Mercedes cars for the people who do not know who Dimar is. And we have a governance part in our department. They do all the processes around authentication, authorization, certificate management, credential management, privilege, user management, all that stuff. And the other part of my department does the global services. So we do somebody from a company told me I should get my hands dirty.

Well, we do get our hands dirty. We have a large global platform, many of them for entity and access management based on several technologies and also enabling the technologies we have to use. We also do not only employees. And though the shift is large in the last couple years, employees, retirees, we do the suppliers, the dealers, and the end consumers. So we're really providing these services.

Well, why am I telling you this? Because it is an advantage that I have both in my department because people sometimes from a governance side, they will maybe give you processes. You can't really use. So my services people push back. Yeah. What should I now do? What should I do with this information? And on the other hand, the services, people get this information quite quickly. And as soon as they enhance certain services or built up new services, they will use that information as quickly as possible. What I did last year was I said, well, I'm still missing one component in my group.

And the component was corporate risk management. So like every big company we're obliged to do corporate risk management. And we also have to do this for the large it department. This is why I started looking into more the corporate risk management as well. So not just the risk management for IAM or, or cloud, but more in this way. And seeing these things that I think it's time to start changing the way we think of risk management.

Now, if you look at the challenges we have at corporations and just to get, you know, relax a little bit and not think about security all the time, I put some other risks on there. Challenges like, okay, we don't have the skills. Maybe that's bad for a corporation. If we can't get the skills in, we have legal stuff changing. We are global. So the laws change in some countries, some countries have very strange laws and you don't know what's coming up next.

What I like about this drawing is you might know your risks, but the problem is, and this is going back to the gentleman who spoke before me is that you have so many changes. So obviously also your risk assessments or your risk management, the likelihood of the risk, you first thought the likelihood that it will impact my organization is not so large might change very rapidly. So you might have to go back and look at the risks you assessed before and said, well, no, it's more likely, or it's less likely now what I've seen.

And it's ties back a little bit about the NSA and all that kind of stuff. We knew that supposedly we didn't know that this risk existed.

Now we do, what do we do? What do we do with this new information? And now I'm speaking as an it person. We built up beautiful systems, not only in IAM, but mail systems, et cetera. How can I now from a risk management perspective, get these people to rethink this, to put and add these certain risks in there. Also I've seen sometimes not in my company, but in other companies, which were so nice to show me their risk management risks in there. They've been there for 10 years and I go like, well, why is it still a risk? Did anything happen? Did you know anything materialize after that risk?

Why do you still have it in there? Well, we don't wanna sun down it. We don't know. And that's another question. So you have a lot of garbage in this risk management as well. Things might never happen because my question is nothing happened after 10 years. So why is it a risk NSA scandal? That's the only one I'm struggling with. And I wanted to do the scope a bit smaller. What does that have to do with my clouds stuff? I'm strategizing and with I am. So that's a question I hope to get answered by you guys.

The one thing which is really disturbing and which is when you do risk management and you try to assess a solution, a big solution with risks is rumors. People will tell you, oh, that's terribly risky, but they don't really know. And then you ask them, did you assess it? Did you really look into it?

No, but everybody tells me that I, I don't know. I'm outing myself reading. I read vanity fair. Okay. So in vanity fair, there was an article, quite good article on Snowden. And three times in this article, they mentioned there was more to come more revelations.

Now, now me as a risk assessor or doing my whole, I am stuff. What am I gonna do with this rumor? I don't know what to do with it.

It's like, you know, telling me that some actress has a new boyfriend, because I don't know what I do with these rumors. So we have to be really careful. And especially in this environment to not start making ourselves and driving ourselves crazy, because maybe in your corporation or in your line of business, some things might be a risk, but you know, your risk might not be the same or the likelihood of that risk as the same as yours. So the best way is to have a good way and easy way to assess them and then say, okay, yes, okay, this is a serious risk.

Or this one might not be such a bigger risk at this moment. Ignoring existing risk is obviously a bad thing.

I mean, that's really hard and that's hard to convince people to go back and think about this again. The main thing I wanted to tell you here is though the probability of these risks changing. So people can live with the idea that there is a new risk, but they have it much harder in thinking, okay, this was a risk last year. Oh. And now the likelihood that it will impact us is much higher and we really have to do something. Or for the next two years, it might not be such a big impact. I have some teaser questions.

I mean, that's more for you to think about. I mean, obviously we cannot live without risk management. There's just no way.

I mean, first of all, we're obliged to do it, but other than that, you cannot do anything, any solution without looking at your risks, you're trying to resolve the problem though with risk assessments is how do you do your risk assessments? It's not so much yeah. That we have a process, but how do you assess your risks? And with the changing of this risk probability, you have to go over them again. Now make your colleagues do that. Not so easy. So please you have to have very simple assessments that they can fill out in the organization.

And now I'm trying to put the scope on identity and access management and cloud strategy. You have all these different players and stakeholders. One is obviously the market and one I'm obviously struggling with and Mr. Coopering are already started talking about it is end consumerization, big one in automotive, not just a light one. Then we have with the cloud. It's not so easy to put unstandardized stuff in a cloud. People forget that they think they can put it in the cloud. So if the first thing is whatever you put in the cloud, you have to standardize something. Organizational.

I talked about this about two years ago, that was something HR came up with and said, okay, we cannot attract enough young people. All right. So we wanted to bring them to bring their own devices. Three years ago, I had it on my plate and I talked about it about two years ago, the loops I had to make from a risk assessment point. It's not just security. Is it? It's with the legals, the licensing, it's the privacy, it's all that stuff you have to resolve.

And we finally came up with a really easy, we have an easy sheet, but one thing which amazed me and it was done with me and the legal department. And we said, okay, you just have to, and everybody knows this today, separate business data from personal data. And you know what, they're trying to do it.

They are, they, we are ready. We have bring your own device. And it's based on a couple of rules. The other thing, which is obviously enormously hard when you do risk assessments in these large, it solutions so complex. Like the former speaker said in very complex situation and the legal privacy, obviously the privacy laws are changing in Europe. They're different in the us, as we know, but there I have litigation in China. We have totally different situations. So we have to adapt to that again. And that's why I say I can only do this with a form of agility.

One thing I found on this journey in the last couple years is something which is quite provocative here. Probably I don't know is people have done data classification for years.

And I say, well, you can't do it that way. So I'm trying to move. And actually they are moving to get a little less rigid and more agile also on how we classify our data. And that can only be done.

Now, Martin left the room. Martin Cooper are left, but you can only do this, obviously when you do this with the business, huh? He's to the restroom. Okay. All right. So you need to know your data. And this is something where Martin pointed out, this is not an it job anymore. And so I'm quite lucky because the legals are also quite worried about these situations. So they like to work with us to get these kind of guidelines together so that the business will accept it. So once more, why has my journey been quite nice at die Mar up till now, first I had to the problem, okay.

Employee incorporation on the right hand side of the slide. Okay. For sure. I have to protect them. I have to protect the Daimler assets, being data, obviously, and see that that is alright. And that the employee can use these data, but within consumerization and mind you, I don't make the difference between employee or an end consumer. Totally. Because also an employee wants to bring his own devices, but really end consumers. So people who use certain mobility services from us, they have their country specifics.

I mean, unless travel, if you, if you're in Europe and you say, okay, you, you can access, access these systems in such a way, or, you know, via Facebook or what have you not. Well, you come to China and they tell you, no, no, no, no. This has to be totally different.

So again, there we go again, we have to do a risk assessment to see what are the risks in changing this access method? What are the drivers, the current drivers from me?

Well, Mr. TEIA announced, so this is my, what is he C O of my company. He announced at a big automotive show a couple months ago that he was introducing something which is called Mercedes meat, which would be like an, or is like an umbrella for all the end consumer services. And there we go back to car. It other things I would skip because there with, you know, things which change in my company, that we have a lot of new staff, which are located in India.

So again, my probability for the risks are changing very rapidly. Okay. Now this is the last slide. Okay. So the disruptive services I had to tackle with and, and really changed our internal it way of thinking, because remember we were internal. It was to start off with, bring your own device to design a very simple assessment with the legals immediately. So not afterwards, I sat down, I took the guy to some lessons about bring your own device in the it realm. And we put it together.

The same thing with cloud and with cloud, I had a lot of help from Martin Kuppinger and Mike Small, and we made it more and more concise, and the people are actually using it and thanking me because they had been focusing to do something into the cloud on only security issues. And they had forgotten that they would have a lock in maybe, but that's on the first point with Mike.

So, and it's so easy that these people are really using it. And it's also in the procurement part. I'm still not totally ready, but it's right. And now my next journey this year is really the stuff Martin was slashing at that we cannot do car it and we can't do this stuff well, that's what we're doing with all the stakeholders of diamond.

Now, with all of the business, that's hard. What do I want from the cloud providers? So people here in the room who do cloud, please build a global cloud cloud and please take some of our risks of corporations and companies we all have. And the agility of the change of these risks, the whole time, take them off of my back, take the connectivity, get my 24 by seven, do some of the legal stuff. We all have to work with, get the security in, in a good average way, do that. And in an agile way.

So if it changes, if NSA comes by you change that part and I will do, because I do believe in a hybrid cloud, I will do on my side. I can, can do that, that those parts, which are really part of the corporation I work for at the moment and where the agility on the risk changes might not affect a company or pharmaceutical company, then I will do this. So I think that success in the future of your company would be that you're able to orchestrate this combination and that you obviously provided our cloud providers will do this part and how that will help you for your success.

That's how I hope that I could get some agile risk management. I'm done. Thank you. I'm sorry. This person. So Barbara that's I think the, the agile kind of references really interesting.

I mean, we have this set of understanding or expectations about what agile means in our software development. Do you have processes that look, anything like that or have been derived from it?

I mean, what does it mean to actually be Agile? Well that's so, so these three topics I mentioned, because nobody was doing it, I own these templates. So this gives me a chance to always sit in which we do regular basis go through this from a legal standpoint and the security people also look into it. So this is how we try as most as possible to get this standardized, however that works in the it department. And that works in, in with the legals very well. And they're very happy about that, but it's hard.

I mean, I still am struggling to, to get that overall accepted now, but that's my journey. Okay. That's wonderful. Thank you again. That was great.