Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. This is a very special edition of the KuppingerCole Analyst Chat. Three weeks ago, four weeks ago, in the middle of November, we had the inaugural instance of our new cybersecurity conference entitled cyberevolution in Frankfurt. And we want to take a look back on this event. And since it is boring to just talk to those people who created that, we invited two participants, two attendees at this event for this podcast and the two people who are responsible for this event, responsible for agenda and the speakers. And without further ado, I would like to introduce all the participants with a very quick round and then let them introduce themselves. I have Steffen Nagel, I have Emilie Van der Lande, I hope I pronounced that correctly. I have Christopher Schütze from KuppingerCole and Berthold Kerl who is our CEO. But let's start with a quick round of introduction, starting, of course, with the lady. Emilie, could you please introduce yourself quickly, briefly.
Thank you, Matthias. Yes, of course. My name is Emilie, and I have three years of experience in cybersecurity, specifically in identity and access management, with a legal background and a very fond fascination for artificial intelligence. So, that’s me.
Right. Handing over, of course, to Steffen.
Hi, I'm Steffen. I'm working as Head of IT Infrastructure and Security at Frankfurter Volksbank, which is, as of now, the second largest co-operative bank in Germany. But next year, we will be the largest one since we will merge with another bigger institution. And then we will be number
Sounds good. Handing over to Christopher.
Yeah. Christopher, I'm Practice Director for cybersecurity and responsible for, or part of the agenda team for the cyberevolution.
And finally, our CEO, Berthold.
Yeah. Thanks for having me. I'm Berthold, you already mentioned it, CEO of KuppingerCole since more than three years. And together with Christopher, we thought about this event, but it actually was a bigger team who was involved from KuppingerCole as well. So the two of us are only, let’s say, the spearheads of it.
Right. So if we look back on this event, we had a cybersecurity event before that, which was more a traditional cybersecurity conference way back in Berlin. It was the CSLS. But now we thought of changing something. But if we look back on that, maybe to all the four of you: Is there something that you can share that was your most memorable moment from the cyberevolution and why was it important for you? What makes it worth remembering, maybe starting with Steffen.
that. So, so can I just name one?
You can take five if you want to.
Okay. Because there were several. So from the presentations I would of course name Surviving between the Cyber Frontlines by Alexander Klimburg, which was very scary on the one hand but also like shifting the attention to the things that are really important in the space. And I would also like to name Paul Lukowicz on AI Ethics, which was really entertaining and also sort of myth busting in ways and also focusing on the real issues. And yes, a memorable moment or situation was all those guys in the Capture of the Flag thing, like working in that sort of lobby area and you could like literally see the steam evaporating from their brains. And it was such a focus and concentrated situation there, and I really did like that quite a bit. Yeah.
Right. Capture the Flag. Of course I need to hand over to Christopher. That was your brainchild, I assume, and it worked out quite well. Was this your memorable moment as well?
It was a very memorable moment for sure. And it was not only my child, it was, again, a group idea and supported by Sebastian Schlesinger. And for sure, we had 52 participants. And I mean, for them, hopefully it was as well as a highlight. But it was not my only highlight. What was also very honorable for me was shaking the hand with Peter Beuth, the minister of Interior and sports, when he joined. Yeah, and all the interesting presentations Steffen already mentioned some of them, especially Alexander Klimburg’s was also one of my favorite presentations. But honestly, for me, the most impressive moment was - not there have been two, the first one was when I walked onto the conference floor the first day, so on Monday before the conference, really seeing what we achieved, what we prepared and how does it look in real life. And the second one was when closing the session together with Berthold and Jennifer, that was really impressive. And was a lot of fun.
I think one talk that took my breath away was a talk by Florian Jörgens about being hacked in 72 hours. So what happens when you're hacked, when you're a CISO and literally the world turns upside down and what happens in the three days following that. And I think that working in cybersecurity, it’s often - I compare it a little bit to my friends in the Army who say that they practice, they rehearse every day a play that they hope they never actually have to play. And it's really valuable, I think, to get the very tangible human insights of what that looks like in practice, like what actually happens in cases that we always talk about. So and really very practical tips that sound really normal, but you need to think about them from first, second or third hand experience. Like do you have enough notebooks, physical, actual written notebooks to write things down, and do you have beds in your office for the IT team and food and stuff? It's yeah, that was really good. I very much enjoyed that.
Right. And I like the comparison between the Army and us being cybersecurity defenders on the front, so this is sometimes a disturbing analogy. But in the end, it's true. Berthold, what was your only thing that you - if you are allowed only to mention one thing, what would be your favorite thing to mention? When you think back of cyberevolution?
I think some of you already mentioned the selected speakers. It's hard for me to really select one. I think we had eighty speakers in really a variety of topics, from technologists, scientists, but also very senior CISOs, like Thomas Tschersich, for example, from the Telekom. You already mentioned Alexander, and I would also add Sounil Yu, for example, and a couple of more. That's really hard to pick one. And they really shared their insights with all of us. But now back to your question. What is the most important thing for me in such a conference is always the exchange between people, right? And that is, of course, the exchange between participants and speakers, participants and the vendors who were there. I think we had a lot of very innovative companies there, which were worth talking to, but also the people amongst each other. And you also mentioned the young people who also enjoyed to talk to people who already work in enterprises. So all of this created a, I would call it the vibe which made this event very memorable for me.
Right. If we move on a bit. So these were the things that we remember from a formal perspective, from what really stood out from speakers perspective. If you think of topics, of areas covered during this event, maybe also due to the character of that being a more modern and more novel approach towards that. Are there any topics that you heard the first time there that you think will change our lives for the upcoming years as well? Is there something that you took away that will stay with us and that is not yet solved and should be covered in the future as well? Maybe starting with Emilie.
Good question. One talk that gave me quite a few new insights was a talk by Jonathan Blanchard Smith with the SAFIRE framework and specifically, very, very specifically, the comparison of the trees. So in that session, after half an hour, we had the whole audience asking questions in terms of oaks and willows and different kinds of trees and... Yeah, the redwood. And the funny thing is, we still all know exactly what we're talking about because it was such a memorable thing. And I think that something that is very important is to also keep the political climate in mind when talking about cybersecurity and to look at maybe some broader aspects of security than only technology and the people. So that would be my main takeaway, something that didn't click before that, now really was brought up.
I think this, what Emilie just said, this experiment, I would call it, even with the SAFIRE scenarios. SAFIRE scenarios, for those who did not attend, are scenarios from the European Union to predict, anticipate the future. And we use this as a basis to understand what would come from a cybersecurity perspective. So that was prepared by something we did with KuppingerCole Analysts before, then we invited some really senior CISOs to participate in an exercise. And finally we had the round of workshops at the cyberevolution itself. And then the outcome of that was presented by, Emilie mentioned it already, by Jonathan. So that was - for us, it was an experiment. But also it was fun. It was entertaining and valuable.
Okay. Same question to Steffen. What will stick with you? Is that the ubiquitous AI? What else is it that you see in the future as well, coming back and not going away?
I mean, okay, the discussions about the AI things are not really new anymore. So you have been asking for things that are new in the space, of course, this will not go away. And it's here to stay. But one word on the SAFIRE thing. I get it somehow. But I'm still kind of struggling with what we are going to do about the outcomes then in the end. So I will probably wait for you to finish the white paper and study it and see what I can get out of it for my work, for my daily business. Which leads me to the thing that I think will influence my daily work and my daily business the most in the next time. And that is definitely the Cyber Defense Matrix by Sounil Yu, I attended the workshop and to me it was really, it was an eye opener. And it showed me some ways like to tie everything together. Like, you know, the regulations, the tools, the people like every layer of the whole landscape. And this is really to me, it was new. I never heard of that before. And I will try to sort of implement it or use it as a guiding line to tie everything together in our organization. I think this will help me personally quite a bit in the near future.
Also, the different scenarios from my end are really interesting. When we had the first discussions about that topic, it was maybe beginning of this year, so 2023, it was such an abstract model. So like Steffen mentioned, it's difficult to understand at the beginning the framework itself, but also the outcome. What do I do with the stuff we developed there? I was also confused, but now I really have a picture and really see the benefit of that because it basically comes back to preparation and you have something to prepare. And I mean, you cannot forecast the future on a detailed level, but the way we are driving through, this is something you can prepare. Based on external things regarding the environment, governmental stuff, security stuff and all those things which have been basically part of the conference. Another very important topic from my end, which was this time more a side topic on the interactive part, was regarding to virtual reality. So we all knew the new Meta glasses. Apple announced their glasses for next year. How will this impact the way we work in the future? How will this impact our cybersecurity? Our security stuff, maybe highly related to identity stuff? Also this NFT stuff, all this thing. I really think there is a lot of potential for discussions within the next years to see how we can use this, maybe even for virtual events. You start with participating with such glasses and work through a virtual booth and not only on a computer really like augmented reality and stuff like that.
We had a good example on the ground. So we had Stefan Würtemberger from Marabu Inks who brought his examples, if you want, to the conference. So he had his glasses with him and was able to demonstrate how Marabu Inks is using the Metaverse already in their day to day practice to reduce travel to improve the quality of their services, etcetera, etcetera. So that was - I personally thought that's just still an entertainment kind of thing, right? So the kids use for whatever reason, but this was really the first time that I saw this with real examples. And of course the implications for cybersecurity are also obvious.
And I think to add to that, that was actually my second real take home experience. I actually got to try the Oculus firsthand. And it was a real, you know, I mean, we've been talking about augmented reality and extended reality in virtual reality for a while now. But I think it's up until the moment that you really try it and you put those glasses on and you really experiment with it, that you start, that connection starts happening, and that you really understand, like you understand what we're talking about. For instance, I remember the workshop host of Marabu Inks who actually had glasses on and he was doing weird things with his hands. And for us newbies, it was like really strange. Is he hallucinating or something? He was, obviously. But it's still very distant to us. It's not exactly used in our reality, but the moment I put them on, I was doing it and there was only one headset and other people were looking at me a bit strangely. And it's, I think it's important to have these hands-on experiences to really understand what we're talking about.
Right. And as we said, this is a novel event, a premiere, the first time of this new kind of event, this hands on, I take this as a feedback is something that is very important in doing this differently. What are other things that you think made this different, and maybe we can expand upon because this was the inaugural event was the first time. What makes it different and what should be even enhanced in the future?
Yeah. That goes into the hands on directive. So you should maybe think, this goes also to Christopher, to somewhat evolve the capture the flag thing. I would really like to see that a little like broader. It was really entertaining but I think just watching these guys work, maybe there are options to make that a little more interactive for the rest of the attendees or something. But you should definitely do that again and try to like feed some new ideas into it. Yeah.
Yeah. So I think that... so two things. I really am very insistent on the hands on thing, and on the war stories. I think that in the end of the day, the stories are very tangible elements, are the things that you seriously take home. It’s, what have you really experienced instead of what's happening on the distant cloud, how do you predict the future? No, like how are you using this today and what are the issues you have encountered already? So that's one part. And the other part, I think the charm in these conferences, it's also in the people that you bring together and the connections that happen between people and ideas. And I think that an element that could considerably enhance this is to also open up the attendees and maybe the speakers to some more deep level diversity. So I'm talking about people with maybe a bit of a different background. I know that one of the speakers had a social working background and I found that that added a lot in the dimension of the discussion. And it added a lot because we keep talking about cybersecurity and how, you know, it’s just as strong as your weakest link and that it's a human layer and that there's a human story. But what I find in many such events is that it's very, very restricted by the technology often. So I think it could be charming to have some people with different backgrounds as well.
That's a really good point, Emilie. This year we had basically one presentation that was a little bit different in that case, maybe two, maybe Jonathan regarding the SAFIRE scenarios, I mean, the framework is very generic, we applied it for cybersecurity. And one presentation I also really loved was, I don't have the names in my mind, the two guys from an investment company, who thought a bit about how to profit or capitalize cybersecurity, the market in general. This was also a try to have a look a little bit more on the left and right direction and not only being the technical guys. But really good feedback here and I think is something we will handle.
That really segues me to the question that I want to ask, of course, only to Berthold and Christopher, this was the first time that we did this. A look behind the scenes, were there any events, any parts of the event, any part of the sessions that worked much better than you expected and were there some that just did not work at all, were there some things happening behind the scenes that were challenging while we were doing that.
Yeah, so basically Capture the Flag. We planned to have it more interactive. We had some kind of interactive sessions, but it didn't work on that level that we expected, honestly. So this is something we need to improve. We want to improve because we heard in general, really good feedback about capture the flag. And for sure, the external circumstances like the announcement of the strike, the weather is something you cannot foresee. Still, a lot of people have been sick on a short information period and something like that. I think for the attendees it was really smooth. They did not realize all the stuff, but in the back office, not only Berthold, me, the whole team, we really had to play some Tetris with the agenda and then use our back up presentations because people are getting sick in November.
I would have said same thing. So that the one big problem was that we were in the middle of a, let’s say, of another little crisis from a health perspective. But as Christopher already mentioned, we had a plan B, but a plan B is always a plan B. So if I could, I would have a wish for next year I would wish for everyone who was invited to stay healthy.
I didn't notice a thing, so you did a really good job because it did not get noticed, by me at least.
Yeah. I agree. Yeah, definitely.
So and then the other thing, perhaps if you allow, Matthias, in my opinion, and of course that was our concept, but I also had lots of discussions with both participants and vendors, etc. and I think it resonated with most people. So that structure we put in place like that Anticipate, Innovate, Together and Interactive, I think that was something we probably will continue. So Anticipate stands for looking into the future, see what's coming. Not all of that can be used immediately in the day to day practice of enterprises, but it's nevertheless, of course, what’s important, then the Innovate stream, we talked about the latest cool technologies coming from our technology partners, for example, also from others. And then, of course, the Together, Emilie mentioned the ransomware simulation, which we had and a lot of other examples which were very exciting for most people, where people could really take something with them at home and use it in the next day in the company. And of course, we already talked about the Interactive streams. So I think that concept, I believe worked out quite well.
Yes, if I may add, I also attended Florian Jörgens’ pitch there and it was really, you know, scary impressive and everything. And I used his document and translated it and made some things specific to our organization, added it to it, and just like ask those questions internally here and you might guess that there are really like blank faces being confronted with those kinds of questions. And maybe one thing you could also do is to like actually - and here we are again in the hands on space - actually to do a tabletop exercise workshop or something like that. Like really playing scenarios. And that is something I think that is really added value for a lot of people.
That would be really cool. Yeah, I’d definitely jump on.
We are all experts in that field and the five of us are always looking at the market as this is our day to day business. So what would you expect from what you've learned since cyberevolution, maybe leading up to next cyberevolution, will be topics that should be covered when we look at the really constantly and more and more accelerating change in the cybersecurity world. I talked with Martin about the identities of AI and AI individuals, about bots and about machines in general and processes and their identification and their auditing. This sounds rather boring, but I think it's really important to make sure that we get a grip on that. Are there any other topics that you would like to see during a next iteration of cyberevolution?
I think that AI is - we're in a bit of a hype moment and there's a lot being talked about, there's a lot of theory and people are not all equally on top of the theories as one another, but I think it's a quickly evolving field and again, really goes into the hands on topics. But okay so what are the trends we detect and how are they really being used? I think that instead of really focusing on the new fluffy abstract ideas, it could be really good. I mean, it's good to do that. But I think it's extremely valuable to also really dig into how it is being used. What are the, how is the market currently reacting to these things? So AI is definitely, I think, one of the key things to keep in mind and hopefully also tangible. That would be my answer.
Yeah, definitely. Because I mean, why is artificial intelligence such a hype topic right now? It's because it's actually one year ago ChatGPT 3. whatever was released and people tried to play with that. They really see some normal people who started to see what it means to use a language model. What is the impact, what is the outcome. I can write source code even if I'm not a programmer. I can produce funny pictures, even if I'm not a Photoshop expert, something like that. And this is why it's more a hype. Steffen mentioned at the beginning of this podcast, basically, AI is not a new topic and it isn't, but it's now more in the broader field arrived. And I think challenge here is, and that's where I agree with Emilie 100%, is that the companies then also need to deal with this challenge. And what does this mean for them? I mean, we also had to see some presentations around AI governance. What does it mean? Which data can I use to put into this stuff? Do I need a private GPT? What about misinformation, disinformation and so on? And if you then put this into the we would just, take the intro video with Joe Biden at the beginning. I mean, it could be everyone. And how do you detect whether it's your chief executive officer announcing 40 days of paid vacation a year or not? And I mean that's the challenge here and will become the trend and future stuff.
Yes, absolutely, I would add to that and that resonates also with the great talk Emilie gave, actually. And I actually talked to Martin Kuppinger at the EIC and he had also a short presentation on deepfakes and stuff like that. And I asked him, what are we going to do about it? And he has, so his opinion is, okay, we will see a spike now, you know, we will see that stuff increasing. But very soon we will have the technology that will be able to identify everything to catch that, just to really shorten that what he said. And I'm not so sure if this is really going to work out, if we have the technology to detect these things will be market ready and not all enterprises probably will be able to afford to buy such technologies and such solutions. And I think it's a bit scary. And I see people getting caught or trapped by really badly made emails and phishing stuff still, right? And then I look at that stuff that’s elaborate and very quite close to perfection. And I'm not so sure that we will be able to have technical measures to defend against the thing itself. So we have to somewhat build around this thing because yeah, you have to like increase your defensive capabilities around that. So you will have the fact, but you will have to still avoid that, if someone clicks something that it actually reaches the target. So that's sort of my take on that.
Yeah. Yeah, absolutely. I think it will remain a cat and mouse race, and that would never stop, I think. So, I think Steffen, I agree with you. To your question, Matthias. So what, what can we do next? I think more than ever, cybersecurity has arrived in the heart of the companies. I think it is in the mind of the board, even, they treat the topic on a regular basis. They recognize that it is mission critical, perhaps even to say it even more drastically, it is important for survival of the companies. So I think next time it would actually be good to have one or more even CEOs also participating and sharing their views with us. So what are their expectations to the IT security guys and then have a discussion around money we need, priorities we should have, etc., etc. That would be, I think, a nice move as well.
Yes. That's exactly what I meant with like the deep level diversity. I think that if you add a few sociologists, a few lawyers, a few CEOs, people from the business side and then have those panel debates between them in front of people where people can also participate, because it's in the point that Steffen was making as well, what we were just discussing. These are the kind of discussions that add real value according to me at least, I always really enjoy them. So yeah, I'd be very excited to see that in future events.
Right. Okay. That was a really lively discussion. Before we close down and if you are giving the, say, 30 seconds of one suggestion that could be in the next iteration of cyberevolution, I start out because I always ask questions and I don't give any answers. But my answer would be more to take away for the audience. Some kind of cookbook, some kinds of recipes, some kinds of distilled information that we as analysts do all the time. But maybe something that is really created on the fly during the event and learning from the experiences of the attendees, of the participants, of the speakers, having that and taking that home with you to use that, just as Steffen used this matrix for his purposes, I think that is something that we can add to a cyberevolution.
I think, and this goes a bit in the direction of what Emilie mentioned, the diversity is very interesting and from my end, as I was also moderating one of the panels, maybe we make the panels a bit longer. That is something I missed, because these internal discussions, very valuable, you have very interesting people and then limit it to 20 minutes is sometimes difficult because you started to dive into the topic. That would be my wish. Whether we are able to do it from the structure, we will see.
Yeah. What my number one wish would be to find ways to foster the community aspect of such an event. So that people talk even more intensively with each other but also that they take their new relationships back home and call them even after the event and ask questions and exchange ideas, etc., etc. That would be my wish. If we achieve that, that would help security big time, I guess. Yes.
Well, there's not much to add, I guess. So everything you said holds true for me as well. Yeah, just some personal thing. I would love to see even more people on site next year.
True.
So stay healthy.
I will! I give my best.
And final words from Emilie before we close down?
Yes, I think more stories, so more success stories, more war stories from different kinds of people from the cybersecurity spectrum, that would really bring home the tangible aspects of it and also make connections. I think it's always interesting to hear from other people's experience.
Right. So I have to thank all of you for being part of this episode today. Thank you, Steffen and Emilie, who were attendees at the cyberevolution, and Emilie was also a speaker at the cyberevolution. Thank you, Berthold and Christopher, for making the cyberevolution possible. I will be there next time, in one or the other shape or form. I want to be there. I'm looking forward to that. And I know there will be another cyberevolution that has already been confirmed. So we are getting close to Christmas. So have a great Christmas and happy New Year. And of course we will all see each other at EIC. I'm quite sure. So thank you for being my guests today and have a great day and thank you and bye bye.
Bye. Thanks. Bye.