In these security, cyber security conferences, we always end up talking about technology, latest threats, etc. And we sometimes forget about the reason why we are here. At the end of the day, we are here to protect the business. And I'm actually glad that we will now cover that problem, that topic, very well. And we will dive into the question, are the times really gone where the boards are seeing cyber security as a necessary evil? Or do they now have an open ear for the problems of cyber security? How important is this?
And how do we prioritize the spend we need to make for cyber security against other important spends to grow the business? This and other topics I'd like to discuss with two guests. They're already placed here. The first panelist is a member of the executive board of Clearstream Banking.
So, for those of you who don't know what Clearstream is, everyone who has a share is probably more or less a client of Clearstream. So, it's important to keep your assets safe.
So, the institution manages over 300,000, that's what I at least researched, domestic and international traded securities. My guest began her professional career in consulting, then joined Deutsche Börse and moved on to Financial Market Service Bank, which is a transaction bank of HypoVereinsbank. Then moved back to Deutsche Börse or Clearstream as the executive director responsible for relationship management Europe in September 2012.
So, you've been doing this for more than 10 years now. And she was nominated as the member of the executive board of Clearstream Banking, no, sorry, 2007 to Deutsche Börse Commodities GmbH. Please join me in welcoming Martina Gruber on stage here. Thank you very much. Great being here. And my second guest is the chief security officer, not CISO, chief security officer, this is important, of Deutsche Börse Group. Like many of the security professionals, he started his career as an IT person at IBM, then moved on to, I know him offhand, so I don't even need the notes.
So, he moved on from IBM to Dresdner, then to Deutsche, where he was a CIO in various roles. Later he was CTO, before he then even took care of some not so nice problem, the global financial crime investigations at Deutsche Bank, interesting times.
And now, obviously, as I already said, he's the CISO of Deutsche Börse Group. Welcome on stage as well, Hinrich.
Thank you, Berthold. Always a pleasure to be here. Thank you.
So, perhaps we can reorganize this a little bit so that I can see you. No, no, that's fine.
Obviously, Martina, the first question goes to you. These are all technical nerds. They don't look like, I have to admit. How tech-savvy are you? How what? Tech-savvy. How into technology are you? I would call myself the dumbest user on earth, I would say.
No, I mean, I'm not really a techy person, I have to admit. I can use my PC and I'm quite good on it, but of course, I need to rely on IT experts when it's getting to IT security, of course. All right. I think we will come to that. But then let's talk about business.
So, we heard that in Martina's presentation already. What, to your business, is the biggest disaster?
So, the biggest disaster, I mean, you mentioned it earlier. We are having 300,000 securities under custody. But we are, I would call it probably on the list, on the top ten list of all the hackers on this earth. Because we are infrastructure and whatever they would do to us, it would be really in the press everywhere around.
So, of course, it is critical if a university, and we have seen that here in Gießen some months or a year ago, if professors and students cannot talk to each other for a month or two or whatsoever. And for hospitals, it's even more critical because we are talking about human lives here. But for us as an infrastructure, it would be a killer, I would call it, right? Because we have an accessibility of 99.99% on average. And any damage would not only cause a severe reputational problem beside all the financial things. It would definitely, clients would lose trust.
So, the worst case scenario would be that we have an outage of our trading or clearing systems. And we cannot communicate with our clients anymore.
So, we are somehow cut. And as we are not a standalone infrastructure, we are connected to 60 markets. We are connected to the Bundesbank with the cash side, the cash leg of our transaction, for example, or to other cash correspondent banks.
So, that would definitely be a European problem, but it would also be a US problem and a UK problem and a problem for Asia. And in our vision, there's one word which is really super, super important, and that is trust. And that would definitely have a big, big damage on what we have in our vision and mission, trust.
So, I already found out that you've been doing this job for 10 years or even longer. I remember when I worked for Deutsche Bank 10 years ago, we didn't even have a CISO at that time.
So, how has cybersecurity changed also on board level since then when you started compared to now? Yeah, it has a lot. And actually, thanks to Hinrich and all the others, and we have quite a lot of people taking care of that, I can share with you one panic moment in my life. When I was sitting in Hong Kong, Europe was, of course, I think six hours behind us, and I was switching on my PC, and there was this email, you have been hacked, and your password is XYZ. And I thought, gosh, yes, he's right, he's right, and was super, super panicking.
And then we have a 24-hour IT hotline, and I called them, and they said, calm down, you are safe, it's all okay. So, that was for me the first really severe moment where I thought, oh, shit, this is really serious here.
And then, of course, it became more and more a topic in the board, and then we had the first CISO, of course, and they helped us to better understand what really the risk is. And we have started a journey since then. And then I also learned from Hinrich in one of his presentations, where I was super shocked in a way, that we are also going into the dark net, where especially in this case, the people must have found my password.
So, that was for me also a new thing and surprising, but also calming me down a bit, because now I know that there are so many layers. And even if I'm maybe not always cautious, but I now know that I should not use my company's password for Zalando when I'm buying shoes.
Yeah, Hinrich, I don't have to explain to most people who Deutsche Börse is, or German Stock Exchange. You as the Chief Security Officer, how do you interpret your job?
So, how do you make sure that, well, it is actually in the news every day, but hopefully not for the bad things. So, how does this feel for you? Is this stressful? I would say yes.
So, it is stressful. So, I think the definition is, of course, to secure Börse with all its entities and all this. I think this is really first and foremost.
And yes, we have, as all of you, a lot of threats being on the physical side, being on the cyber side. Obviously, the cyber side, a little bit more sophisticated, but don't underestimate as well the physical side of the house.
So, that is really the focus. And this is as well how I positioned me and my team quite strongly in the organization. There is a different aspect to that, and that is regulatory compliance. I learned within this culture of Deutsche Börse that this is very present.
So, we have the view of the regulator submits more and more regulations. We heard it this morning as well around DORA, of course, in front of us, and I think more to come. And this reaches a state a little bit where one or the other from us, I specifically doubt that this will really increase the security. But we need to comply, of course, actually to have the license to operate. And then we have the other side, I need to say, really to be cyber secure.
And this is where in my communications and all this, I put a lot of emphasis on not actually frightening everybody and getting budgets by doomsday scenarios and all this, but really on pointing out why we are doing this. And overall, you asked about the stress. It is definitely a responsibility we probably all feel, and I join probably most of you as well in this, that you somehow are really happy with every day you experience without an issue. I think that is what makes the stress.
Martina, as a board member, how does the board ensure that cyber security is integrated in the overall strategy? I think, first of all, we have to consider that it is not only a technological topic, but that it is also mainly a cultural thing. And it needs to be lived from the top of the house. It needs to be understood from the top of the house, and it's a culture we are living. And it's not only about taking care of your technology, as I said. There is an operational risk, there is a financial risk, and I mentioned it earlier, there is mainly a reputational risk as well.
So also the board needs to take ownership. I mean, they need to agree on the framework. They need to also give power and budget to the people doing it. But they also need to give the trust in the people and to motivate them to come to the board and openly share where the risk and the threats are. So this is what I understand under culture. So nobody should be afraid, you know, that raising things might have a negative impact. So that for me is super, super important.
Also, communication is a key topic. I think it needs to be understood on all levels from the top until the very last employee in the chain that this is a topic which is serious and which really can damage and kill an institution, as you mentioned earlier. It's really very, very important and it needs to be understood by everybody in the organization. I think in former days, cybersecurity was always an afterthought.
Is this still the case or when you start a new, let's say also in most cases, this digital new initiative, a new business initiative, how do you make sure that cybersecurity is involved from the start? I think it's in all our heads now. So it's part of everything we are doing. It's not always the first topic, but it's side looked, I think, in all what we are doing. And it's an integral part of it. We are doing fire drills also, so we are not looking into things after they happened, but we try to train it. And this is at least once or twice a year.
We do train also with the senior management what is to be done in case of such an incident. Hinrich, how do you support the board in understanding the importance of cybersecurity when starting something new or growing things? First of all, I think how to communicate with the board. That's probably an art, because we all know everything we are doing is extremely technical. And you can come up to the board and say we have X, Y vulnerabilities.
Okay, is it now good or bad? Even that interpretation, you need to deliver with it. And as Martina just said, at that point you are probably at the trust side, how to evaluate, how to report the security posture to the board and have the communication with the board is definitely another very big challenge. And I would say still in evolution, because we can talk about financial risks and you see big calculations and Monte Carlo simulations on risk and all this. So financial risks are really some sort of, I would say, sorted.
Non-financial risk and cyber definitely the biggest here is somehow still not sorted, how to bring this forward. So it really is, I've tested as well a couple of KPIs, does it resonate, does it ring a bell then with my counterpart on the business side and all this. And then you find the right mix of things where you say, you bring your message across, you really have some sort of a good representation of your security posture and there is some sort of mutual understanding.
But there will be and always will be a gap, because if you then ask for certain investments and then they look at it and say, what's going to change now? And I think that remains, that continues to remain a challenge, but I would say, as Martina just said, in our group it's really very high priority and I think there's a willingness as well on the business side to learn about this, to bridge the gap between the tech speech and the business understanding.
I think, if I may, communication is really key. For me this is, I mean, you asked me at the beginning, am I an IT person?
No, I'm not. So for me it's, I would say, something I really do not understand properly. So someone needs to explain it in a way I understand it. And not only me, the regulator needs to understand it, the client needs to understand it and all the employees need to understand it. But of course, as a board member, I first of all have also the responsibility to set the cornerstones and to sign it off and sign off the framework and all that. So telling me what the right balance is between where are the risks, how serious are they and what needs to be done and what does it take to close the gap.
I think we are all on one page, we'll never close everything. I think what business people are used to is the typical return on investment calculation.
I mean, they are always difficult, because when talking about the future, it's unpredictable to some extent. But in cyber, they are particularly difficult. Do you try that at all? You have now to spend, I don't know, 10 million on that thing and then you will get this and that. Is this how it works? Actually not. We tried a couple of things on really quantifying risks and all this. I think you all know, I think there's the FAIR method. It had always some shortcomings and it's really extremely difficult. So after testing a couple of things, that is not mainly the driver.
It is really telling the story coming from the threats that are hitting us. And the idea of the continuous investment. Martina just said, get rid of your old tools, absolutely. Because I need to say the tool landscape is not very pleasant in security overall. It's always a hype which covers something and then it drops down and something new comes up. So a permanent investment is required. And at the moment, it's not really quantifying the risk and creating a return on investment conversation. It's much more storytelling of now there are new threats out there.
Our current capability doesn't cover it anymore. Let's move on. I think that's pretty much where it's based on.
Martina, in your experience, what is perhaps personally the most effective way for CISOs to communicate? Perhaps first with you and then perhaps also with your colleagues. So first of all, I think it is to have a better understanding of what are the threats, what is our risk appetite and where is the right balance. What is the framework around it? And very important is openness, honesty and trust. So someone who's coming to the board needs to have the guts, let's put it that way, to really say, okay, this is not working, we need to fix that.
And you always have to have a kind of objective dashboard. So I find a dashboard helps me because that is what I clearly understand. I understand the traffic light, I see is it green, is it yellow or is it red? And important is also to see how things develop over time. So are they improving or are they not improving? And where is the sign for a board to react? That is super important. We have a dashboard where I see how many penetration tests have been done, the number of incidents, what was the incident?
And Hinrich hinted at it, it's not only IT related, it's the possibility if someone walks behind you into our building, that's an incident. Or an employee sending out data which is super confidential, so things which should not happen, but we all know they do happen as long as you have human beings there. So the development over time is important. It is also important to have regular trainings for everybody, not only for boards, but also for supervisory boards. They need to understand what they have to control. And secondly for employees and everybody who is somehow working for the company.
Also important is that ad hoc messages should be possible. So whenever there is an incident, we receive, this is the incident that has been taken care of. And what I can say is, what is very valuable for me is also when I bring someone from IT security to my clients and show them how good we are and to have an exchange of expertise. Talking again about your expectations to the CISO, perhaps to the broader security people, you already mentioned a couple of things. How important is it for you that these people, or certainly the CISO, understands the business, understands business language?
Super important. So I think you said, you know, are there IT nerds out there? This is certainly not the profile that CISO should have, right?
Of course, someone who is in the job needs to have a better understanding of IT than I do, that's for sure. But equally important is to understand the business.
Otherwise, you are not able to identify where the risks and where the threats are. And also, you are not able to speak to people. So besides a technical and a business understanding, especially also of the infrastructure you are in, you also need high communication skills. Because if you are intellectually brilliant, but you can't get the message across to the people, it's worthless. So let me summarize. The CISO has to be very good in terms of technology, understanding threats in society, be a good communicator, and understand the business. This is why these guys are so expensive, right?
How often are you at board meetings? How often do you talk to the board, Hinrich? So it depends on our group board. At the group board, Deutsche Börse, it's on the agenda every quarter. But I'm more often on there because there are all the projects and here and there as well a regulatory finding, which needs to be mitigated and all this. So there are more frequent updates on this one. But a regular update around our posture and what we're doing and all this, that's on a quarterly basis as well to the supervisory board, not to forget. And then on the individual, we call it legal entity board.
So this is the structure of Deutsche Börse as a group overall with very strong entities. Actually, they earn the money. We have a network of people who are actually presenting there as well quite regularly. But I would say I'm looking around as well pretty much every month or so, specifically at the regulated entities like our Clearstream Bank in Frankfurt. So I'm there, I'm present. I'm not always presenting, but I think the exchange is continuously going. So let me test your communication skills. Okay.
Can you think of a good example where you were quite successful in translating difficult technical problems or threats to them to where you had the impression, oh, now they got it? I would say two things.
One is, of course, what I mentioned previously on the tooling. I think it is all around mean time to detect and respond. I think over the past years, I think we all have invested in SIEM and getting alerts and get a SOC working on it and elevate alerts up to the third. Here and there, the alarm bell rings, and then the entire incident management process kicks in. This is today simply taking too long. Okay. Another board member? We'll call him back.
Actually, to get this across, I think it's a game changer for us, all of us in the security, that the traditional setup and all this is not efficient enough anymore and that we actually need to put the reaction right on where the incident is. We see on the asset, on the server, on the host side, and so forth. I don't go so technical. Then I presented as well mean time to detect and respond in the classic kind of SIEM approach and how we do this with MDR, XDR technology and all this. I think that was the story told, and it was very well received.
We did the comparison as well, took some market data on how fast infections can spread and how we want to respond to that. With that, the investment was approved. It was not a five-minute story. It took a little bit longer, but in essence, I think that's a story to tell. By the way, if you all have questions for both Martina and Hinrich, please enter them into your app, and we will then read them out at the end of the session.
Martina, talking about regulation, DORA obviously is the dominant one relevant for you. Has this changed something?
Now, obviously, board members are personally liable. Has this now scared people off, or was this actually not a problem or not a difference? I'm not able to speak for the Deutsche Börse AG board, I have to say, but I'm able to speak for Clearstream Banking as we are a bank and a systemically relevant infrastructure. I've been used to that for many years. We are under strong regulation. We have to fulfil MaRisk requests. CSDR regulation has put the central securities depositories under a very strict regime.
For me, it's nothing new. I have to live with the fact that they cut my bonus in five pieces and every one year I get a fifth of it. There are a lot of liabilities. I sleep well at night, I have to say.
Of course, DORA is somehow, I would say, a little bit of a different beast, as it is very detailed and it changes the view, coming more from the outside into the inside, but urges us to fulfil, I don't know how many tons of papers. Luckily, we don't have paper anymore, but it is really very detailed and this is unusual for regulation.
Usually, the regulator says, this is the regulation and you implement it as you like. But now, we are really on a field level. That was a bit of a surprise.
But since, as I said, we are under quite strict regulation, this is just a question of time and being busy around this topic, but nothing which concerns me. Asking you the regulatory question, knowing that out of experience, sometimes it helps, but sometimes it is also a burden. How do you deal with this problem? You must do something because the regulator wants it and you know things which should be done, but then there is no money left. Absolutely.
Conflict, which I mentioned as well right at the start. What I experienced, what we all experienced, is that very strong and very descriptive regulation is now coming in on all kinds of layers of security. I think we all have the onion model in front of us and they drive 100% on each of this, which is pretty much impossible to achieve because technology is an ever-changing beast. You cannot keep it up 100% at all times. The full front-to-back view with really what threatens us and are we protected overall, that is not missing.
That is actually missing and that makes it a little bit difficult because if you get audited, they pick one or the other control and deep dive that this is really covered to 100%, which is not entirely productive. I need to say I specifically came in with the latest regulation. We talk financial institution language, so BAIT and all this. Even prior to DORA, it came in that the view from IT and information security was merged into ICT.
Quite honestly, I personally think it does not help because to secure IT against any kind of issues on the IT side, you have something failing, you have not tested or whatever, it is completely in your own destiny and I think you have it under control separately. Information security is a completely different beast. It is really a lot influenced from the outside capabilities of the adversaries and all this. Now putting this all into one makes it really difficult to manage. I understand the idea from an outsider. As Martina as well said, you see, I do not care why it failed.
It failed and you see that is the only thing I am taking care of, but if you look under the hood, it diverts as well energy and all this and that makes it a little bit difficult. To your last point on the investments, I think specifically on the documentation side, we are forced into such massive documentation effort that takes significant capacity away from the real tasks, which we need to fulfill and I would really appreciate if the pendulum actually swings a little bit back.
We hosted a big conference, me personally with Claudia Plattner from the BSI last Thursday at Deutsche Börse and that was as well an ask going into this direction because she listens as well quite carefully to what the industry really requires and has this notion of doing it jointly together and jointly together is as well an open communication of what helps and what does not help. And I think we are connected here in different forms to give as well some gentle feedback back to the regulatory side, but of course there is no question asked. We need to comply. It is our license to operate.
But you see, after we strive for compliance, of course there is always room for another conversation. Before I continue, a question to Jennifer. Are there any questions from the audience?
Yes, we have questions from the audience. The first question is how much time or space security topics get on the board meetings?
A lot, I would say. The agenda of a board meeting has changed dramatically over time, I would say. Security is a lengthy report on a quarterly basis by the CISO, but security is on the agenda in each and every board meeting. And every second week we have a board meeting and depending if it is an incident or whatsoever, there is of course a new agenda item to cover that, but basically it is a high percentage of the board meetings in the meantime and that has changed compared to five years ago, even two years ago.
And the next question is what is your recommendation for a technical cybersecurity expert who would like to develop her career towards CISO, CSO roles? What skills are needed or roadmap? The question goes to me or to Hinrich?
Both, I think. I probably take this out, exactly.
Obviously, I see myself as a role model because somehow it did work and absolutely you need to have a very good foundation in IT. I think if you don't have really a good foundation in IT, I think it is really going to be difficult. And looking as well at different aspects, you see CIO, CTO would help tremendously and then create a passion for security. You need to be passionate and then up to the CISO level, it is what we just discussed. It is all around communication. The CISO of course drives the strategy with the support of the organization.
I am not the one who knows exactly everything, how it runs and all this, but drives the strategy into the organization and translates the need we have from the security side to the board level and back and forth, supervisory board, all this. The communication capability, I would say after a very good foundation, is absolutely key.
So, the ones who are coming completely out of a governance view and haven't really made their hands dirty on the IT itself, we see a lot of this movement as well into CISO role and that is an option. I think it needs to be the combination, because a pure governance compliance view into security has its limitations and I think just to say as well the opposite. I fully agree. Understanding the business is key, I would say. Be curious on what the company is doing for the company you are working for and stay curious on new things to come around the corner.
Being somewhere else in the company and having done several jobs would be ideal, I would say. The more you have seen, the better it is.
Yes, the audience has actually taken away my last question. But I have one very last one, probably to you, Hinrich. What is your wish to the board, if you could raise one? Or to boards in general?
Yes, I think it is probably a good practice to stay in touch, to communicate and I think you heard as well that there is really a lot of exchange and CISO always comes with a wish list on some things that cost money. I think there is always a wish list and we need to discuss it and have an open ear for this. I think that is pretty much what I wish for. What we are looking for and I think that is absolutely key.
Martina, Hinrich, it was a pleasure having you both here. Thank you very much for having us. I really know that this is quite a time commitment. You have other important things to do, so I am really honoured to have you here. Thank you very much. And for all the insights you shared with all of us. Thank you for your time.