So, we've learned about hacking, and how hacking starts and how it ends, and obviously one of the things that you would like to do to avoid that is threat monitoring. Brings us to our next speaker, Dr.
Lukas Ruf, he's the Group Chief Security and Risk Officer of Migros globally. Prior to joining Migros, he worked as Security and Strategy Consultant at Consecom AG, specializing in information security and risk management.
Lukas, welcome to stage. Thank you, Korsen.
Thank you, everyone. Thank you for your time and thank you for the opportunity, KuppingerCole, for giving this presentation. I'm really glad to be here as a second speaker, because Max and Michael set really the scene and clearly explained what are the problems. While they were speaking about reality, as you as well, I'm living within reality. And being CISO of Migros is a great task to cope with whatever complexity aspects we have within the world. So what I am going to do is I give a very quick introduction to what is Migros. Probably you know of it.
If you are in the southern part of Germany, then you have most likely heard about Migros or at least Tegut, which is a subsidiary of us. Then I am speaking what is the importance of having strong ties with other disciplines of your entity within Migros to cope with all the threats that you have to fight daily on your daily business. And then I go into the particular aspect of our practice, cyber defense, and speak how we deal with this. When I heard about Max speaking about his Pentium, I felt remembered at my time when I watched for the first time a great movie on cyber warfare.
It was back in 1984. And from that time, my only goal was to become a hacker, which I could then start with a simple modem. It was 300 baud when I started first, so 30 characters per second. And this lasted until my parents said or enforced the management decision because the phone bill was too high. And then I was stopped from hacking. And ever since then, I have living within the space of information security, cyber security, and had the chance to become group CISO of Migros and establish the discipline, the function of information security and risk management globally of Migros.
What is Migros? Migros is a huge conglomerate. On the one hand, we are critical infrastructure of Switzerland. We belong to six sectors of Switzerland critical infrastructure. Most people know that the retail stores, the grocery stores with 1M, 2M, or 3M, this is Migros. But Migros is much more. We are around 260 operating legal entities globally, and we consist of a quite funny structure. We have four strategic disciplines, food, non-food, finance, and health, where we focus in it.
And with the focus of healthcare, we are also part of the critical infrastructure of Switzerland since we are the largest healthcare provider of Switzerland. The whole situation of Migros can be most easily depicted with such a visualization. On the one hand, we are a federation of cooperatives, which means it's like a, I don't know the English term of it, a Verein, where we are working together with these 11 enterprises.
The 11 enterprises we see on the top level, which are the original grocery stores, the front business guys that own a huge set of subsidiaries globally from fitness studios down to restaurants, hotels, but also to many other parts like industry or some small retail functions for local area groceries. Besides that, we have then the central service, Genossenschaft, the cooperative Migros Genossenschaftsbund, which is basically the nucleus of Migros. There we are structured in a way where we have six, and since the beginning of this month, seven of these departments depicted here.
And also we have a huge amount of subsidiaries from vertical industries for food, for healthcare, for also elements like active fitness. We have, for example, a fitness store. This gives a huge complexity that we have to solve. And the challenge is that for us, we do not have only one IT department to cope with. We have within the Migros Genossenschaftsbund, we have the group IT, but it's only one of 80. And the figure of 80 significant IT departments distributed around the world gives an impression of what is the challenge to find the weakest link.
And whenever Michael tries to attack us, for sure he will find thousands of them, because we are a historically grown company that is now existing for 100 years. All these numbers, I took this visualization from my peer, the group CIO. They give an idea of what we have to cope with. For example, these 550 applications, this is just group IT. And besides these 550 applications, we have another 3000 applications within the whole area of Migros. How can we address this?
For me, one of the very lucky situations where we are working on is that we are all set up in an agile manner. And there we as a security discipline, we integrate into the agile framework and live with it. We provide there our function when it comes to the different quality checkpoints that we have implemented in the standardized processes. And there we hook in to clearly find out where are the weakest points that we need to keep our eyes on. And what do we need to take care to support our peers and our colleagues to make the technology more secure.
For me, the important aspect is my whole team works also in an agile way. We run our own agile release train, we call it security at risk. And we have there among 10 agile teams which really live in this agile spirit. This helps us to cope with the complexity, but also to fit into the common operating model where we live all within it. And this agility and having also the security team being part of the agile framework helps quite a lot because we are strongly aligned.
We have huge transparency whatever anyone is doing within the company and we have the opportunity to really stick on the well-defined quality gates and have there our influences from enterprise architecture down to secure AI. The important element for us is that when it comes to addressing the cyberspace in particular or information security in general, we have had the opportunity to build a strong team where we cover six different areas.
From information security and risk management down to enterprise architecture, we are closely aligned and work heavily together for communication with our peers where we always have discussions within the three lines models. What are you doing? We depicted this visualization where we say what is the second line function that we provide and where do we bridge the gap to the first line and support them? How do we enable them such that we have the scalability effect within our organization to cope with the fantastic world of information security?
For us, important is that we have a well-aligned and well-defined structure when it comes to integrating the different control mechanisms into one unique view to provide an aligned security function for the MIGRO. This helps us from defining the regulatory requirements that we impose as policies throughout the organization, but it helps us also to align our mechanisms when it comes for example to identity and access management or cyber defense in particular and see where to look in.
The very close collaboration with enterprise security architecture and enterprise architecture gives us the hooks that we need to really embed and deploy our mechanisms, whether we implement them and we operate them or whether our peers implement them from IT throughout the world helps us to get the efficiency that we need. Now I go into one particular area, how we set up our cyber defense center during the past four years.
When I joined MIGRO, there was a very good team of three persons that were responsible for cyber defense of MIGRO and they had an external supplier, a near-shore solution where they worked with, but they were not in the situation to cope with the complexity of MIGRO, which I introduced before. And four years ago, I got the opportunity to really set up a strong and solid foundation to have just the capability to react against all these attacks, what we have around nine billions a day or so, all the security events there.
We came with a very traditional model and said, what are the capabilities that we need to really address these threats and had in mind that we were defining a solution that will last for quite a few years, need to be extensible and need to cope and increase with the effectiveness for all of the threats that will be arriving, whether it's IT, OT or SCADA systems, since we address them all with a unique manner.
While we were starting, of course, AI was just, it is how we call that, childhood and we were lucky with our solution that we chose that we can easily introduce our AI functions as add-ons to our traditional machine learning elements that we had in place from the beginning. For us, very important is the aspect that besides our processing of all these nine billion security events a day, we have very strong ties with some threat intelligence sources and this is on a national as well as a global scale, very important for us.
We provide information whenever we detect something to our peers, our competitors, as well as to our national bodies, since we have some sensors around the globe and whenever there we realize something, we can inform also our colleagues, as I mentioned before. This helps us, this collaboration helps us extremely also to be informed when something happens because the trust that we could establish within Switzerland with our colleagues, these organizations gives us the opportunity to benefit from their experiences as well.
Our cyber defense structure is the traditional cyber defense structure and the cyber defense as such, we have quite a lot of log sources and sensors and also actors, of course, where we work with. We are still on the way to deploy all our sensors that we need to really detect all the different threats that we need and then we are quite proud of our security analytics platform.
Right from the beginning, we defined the architecture, the way that we focused on a source situation or solution that we can extend and grow with whenever the attack increase and the number of attacks need to be processed more efficiently and that's also where we clearly hook in with our add-ons, we call it nowadays artificial intelligence. A few years ago, we called it machine learning and had the opportunity to detect and deal with all the different angles that the attacks are currently exploding.
For us, the important element is to realize that the attacker also benefit from all kind of machine functionality.
Not only we deploy artificial intelligence, but the attackers, they really make heavily use of artificial intelligence and while the training and the awareness of people is very important to me, it's really challenging to identify what is spam, what is phishing, what is scam because in recent days, for the past five months or so, we have been flooded by black buster attacks quite heavily with whatever Michael explained to us the same way and our people also made the same mistakes, of course.
We also have MFA deployed for all external access points, but nonetheless, irrespective on the level where you're working, the people, they just get somehow overhelmed by the number of requests they got, whether it was a C-level guy, there we have two of them trapping or falling into the trap or whether it's a traditional base worker, everyone is exposed to this one and also me all of the time when I get such a MFA app request, I'm always fearing that somebody is attacking me.
For us, these elements get us the feet to really continuously think of how to improve our cyber defense infrastructure as such. We built on a commonly standardized CMM model, capability maturity model, that we can relate with others. It's not shown here, Migros, where we are, but the situation is that we compare, of course, with whatever information we have available and this is what I recommend to you as well.
If you are building and operating your cyber defense center, whether you do it on-prem, in-house or with an external partner together, just continuously monitor what is the world doing, because improve where you need, where you have some deficiencies and clearly focus on elements that help you survive whatever is coming and looming around. This brings me to my last slide, what are the learnings, the conclusions that I'm quite open to discuss with you afterwards as well. What we have learned is having a strong foundation is crucial.
The strong foundation is not a vendor locked-in solution, but it's an open architecture where you can build on, where you can extend and you do not need to change everything whenever you need to add some functionality. The second one, what I had to learn being a technician by heart, is I need to get the business buy-in. I still am struggling whenever I had to articulate why I need to get some more money, increasing budget or so, and business doesn't understand why I need this, why the board I need to convince, because every day we read in the newspaper how important cyber security is.
You need to get the business buy-in and I had to accept business has no clue what I'm speaking about, so I had to change my language, I had to improve my communication and clearly express why it is important that they understand what is the importance of cyber security or information security in general. As I said on my last slide, as we realize, attackers are accelerating dramatically.
We see aggressiveness currently in the attacks, whether it's kids, whether it's an APT or whether it's some other form of attack, I don't care, honestly, because everyone exploits the same vulnerabilities and weaknesses that we have in our designs. So continuous improvement is so important for everyone. However is your operating model, just keep pace with the attacker and I'm a strong believer that your employees are the strongest weapon that you can get and embody for defending your company. Of course they make mistakes, but they shall not make mistakes all the time. Thanks.
Thank you, Lukas, quite insightful. I took away that sharing is important, continuous improvement, I can't agree more, this is really key to it.
Again, unfortunately, we're a bit out of time on questions, but you already offered it, so be around for questions if there are any.
