Now we have Max, so you sort of see a bit of a logic. It needs to be an MA to be here. Max is the Global CISO from Bitpanda. He will talk about Security 3.0, what we can learn from Modern Medicine. Difficult to talk about Max without being cheeky. Max has been in the industry for 20 years, a lot of security experience and for somebody who is working for the same company now for 26 years, it's amazing and impressive to see how Max is doing the opposite and moving between companies and industries.
He is leveraging his huge experience but also his experience and making sure that he contributes to the overall community rather than one company. So, Max, thanks a lot for being here and the stage is all yours.
Thank you very much, Carsten, and good morning, everybody.
So, my talk will be a little bit different than probably all the others that you've seen so far, but I ask you to encourage it. Sorry, I still have the wrong footer in there. As you can see, I was in Riyadh last week and spoke at Black Hat also about the same topic. Apologies for this. I'm still a bit sleep-deprived, but we get there.
So, I want you to take a look at the next couple of pictures that I'm going to show you and then try to express internally what you feel about those and what you are coupling your emotions with those pictures. So, in the last four pictures, you saw the four main causes of death in over 80% of the adult population in the whole world that are not smoking. Important to note on top of that. And why are we looking at these pictures and why are we talking about this?
Well, because I'm talking about security 3.0, something that I coined, so to speak, and the learnings that we can take from modern medicine and longevity. Now, again, why are we talking about this? I've sadly had a bit of a past experience with these diseases and these causes of death within my own family. My mother died of cancer. My uncle very recently as well. My father got diagnosed with dementia two years ago, and that all basically led me into really looking into modern medicine. What are there in terms of developments on how do we tackle these diseases?
What is happening in the world of medicine to tackle cancer, to tackle dementia or Alzheimer's? And while I was looking through different kinds of books and different kinds of doctors that publish papers, I came across Dr. Attia. And Dr. Attia has coined the term medicine 3.0 and his concepts for longevity and longevity by no means doesn't mean living as long as possible, but living in good health as long as possible. So there's a differentiation. It's not about getting to 150 years old, but it's getting to maybe 80 years old, but in a very, very healthy kind of living situation.
So the period of life spent in good health, and Dr. Attia has written a book about this called Outlive. I highly recommend it for everybody to read.
And again, in here he is displaying the four horsemen of death. He calls them again. It's cardiovascular diseases. It's cancer. It's neurodegenerative diseases such as Alzheimer's and dementia and metabolic disease, including type two diabetes and obesity. And because Dr. Attia was a former cancer surgeon in the US, he had pretty vast experience on these four horsemen of death. And what he recognized during his work is that within the current field of medicine, what we do is we tackle these problems when they're there. And then in most all of the cases, it's already too late.
We may be able to achieve a couple of additional years for people who suffer from these diseases, but in the end, they will all be the causes for their death. And so he thought about what can we do to change this, right? What can we do in our field of medicine to not tackle these diseases once they're there, but before they are there, what can we do in terms of preventive measures? And that is exactly what he then came up with his approaches and concepts. It's basically really all about a preventive and evidence based personalized strategy on how you're tackling your own health.
Of course, very important. It's also exercise, right? You need to have some endurance, muscular exercises, stability and flexibility, because also once you're hitting a certain age and you're falling down, you're breaking a hip. That is very often the point of no return for a lot of people because they can't really get back to a stable state where they're still pretty much stable or flexible. And then everything trickles down. Sleep is so highly important.
Luckily, it gets better and better in terms of research and recognition for that topic. But really, and I'm talking to security people here, right? And I know exactly what I'm also talking about, but eight hours of sleep every single day is nearly impossible for all of us. I would presume. I just had maybe six hours last night. Michael had probably even less. But sleep is so highly important for our internal organs, for internal system to work against diseases.
It's highly important for our brain to work on everything that we've done throughout the day for our long term memory and short term memory. So sleep as a whole, really, really a chapter in itself and stress management also preaching to the choir here, right? As security people, we are under a lot of stress constantly and very, very highly as well. So what do we do in terms of stress? There are some forms of meditation, mindfulness that we can practice and then diet and nutrition.
Actually, funnily enough, not such a big topic in itself. Of course, it is important to also eat healthy, not to overeat, but in the end, it's not depending on if you're vegan or if you're just eating only meat diets, something like that. But it's just a stable diet that you should have. So not overeating, but then still have something of everything a little bit. And so while I was reading through these concepts and these approaches, and also again, the four horsemen, I kind of had the feeling of, hey, this is very, very much linked to what I do in security and what we all do in security.
On a day-to-day basis, we maybe do not have the four horsemen of death, but we have DDoS. We have ransomware. We have malware.
We have the same approaches in security, sadly, that we're only acting on things once it's happened, right? Once an attack has happened, it's already too late. The attacker's in our system. It's very much like our internal system. And we have to fight against it now that it's already too late and they're inside. So what can we do to further strengthen our security before we're sick, before we're actually getting hit? And so that's why I came up with that concept for cyber longevity, security 3.0, where it's all about a proper state of resilience.
It's importance on cyber hygiene, because I think this is also still sadly to this day, a topic that we lack in a lot of fields and areas. And I think concentration on prevention should be prioritized more than detection and response. Detection and response are still also highly important, but I think we should definitely look at the areas where it's all about preventive measures. And so if we now take a more detailed look into those parallels that we have between security 3.0 and medicine 3.0, we can integrate these concepts pretty much into cyber security.
So medicine 3.0 approach is focus on personalized, preventive data driven health care for cyber security. It's exactly the same, right? We need to adopt similar principles for our proactive digital security strategy. What can we do before we're sick? And so we need to have these intersections of our modern approaches. It's always also a tailored approach. Don't believe anybody that tells you this is the golden needle. This is what you need to implement and then you're fine. It's not true because every company, everyone out there is different. That is the same in medicine.
Just because a doctor tells you this pill will heal you, that's potentially not true. Because there might be some other factors in your own internal systems that tackle certain medicine differently than for other people. And so we need to have a tailored approach for ourselves in security as well. Look at our landscape, right? Look at our threat and attack surface. This is all depending on how do we tailor then our strategy for our security going forward. And we need to have some early detection in place.
When I told you about my background and my family with these diseases and these deaths, what I basically did two years ago, I mean, back then I was still 34, so pretty young for someone to go to a doctor and tell them I want to be completely screened. I want to have all the checks done. I want to have a prostate exam. I want to have it all, right? Because I just want to know where I am in my current life and in my current situation.
Of course, there are people out there that are scared of these things and are potentially scared of the results that could be then given to them. But I think, and it's my own personal view, but I think if I have the view of what could potentially go wrong with me in maybe five or even ten years, I could then build a strategy on how to tackle that so I could have even more years because I also have family. I have kids. I want to take care of them, right? And I want to have as much joy of my own life as possible as well.
And so we need to really think about on security terms of things on these preventive cyber measures, right? Again, what is our attack surface? What are the threats that we're facing against? A financial institute has other threat actors that are targeting them than someone working in chemical or working in a completely different field. And all of these should really kind of serve the purpose on minimizing our overall risk and identifying exactly these topics and then tailoring our preventive measures against it. And we need to leverage data, right?
We're hearing more and more about AI every single day on every conference where we are or how we can reuse AI. But I think more importantly is, again, we should look at and identify what kind of data do we have that is available to us that could serve our purpose in, again, tailoring a better preventive approach to our security. Because we should be able to grasp all the data that we have in our environment and outside of our environment through threat intelligence, for example, to, again, build this tailored approach. They're doing this in medicine now as well.
They're not focusing only on single studies anymore where they're just looking at one certain disease, but they're taking into consideration also meta studies from other studies in other fields that could influence their own. So, in modern medicine, they have already seen that if they look above just their small field of expertise, they can potentially have a good impact for their own studies and for their own research. And so we should do the same. Get together with your business teams, right? Look at what data they are working with, what they have available.
If you have data engineers, they could help you pretty much in also maybe defining a little bit better how do you tackle security incidents or what kind of data can you take out of those security incidents so that you're better prepared then against the next attack. Build resilience for that. And we also need to think about that this must be something that is sustainable, right? In security and in technology, we always talk about PDCA, Plan, Do, Check, Act. Because we always need to reiterate on the things that we're working on and improving ourselves.
This is pretty much already well covered, but I just wanted to mention it once more because sometimes we tend to forget that we need to improve ourselves on all these fields. And that is happening now in modern medicine as well.
Again, it's about maintenance. It's about not just doing sports just once. It's not about January 1st, I'm going to the gym.
Yeah, I feel so good. Two weeks later, nothing. But I went to the gym once, that's all right.
No, you have to do this repeatedly, right? You have to keep on working also on your own personal health again and again and again. And it's the same for our long-term cybersecurity as well. Then we need to collaborate.
Again, in modern medicine, I already mentioned it. The experts are starting to share more and more of their own research and their studies in those completely different fields. We need to have this as well as a concept for sharing intelligence, for example. This is already coming up in future regulations. And I sadly have to say future regulations and not already existing regulations, but different topic. But threat intelligence sharing, for example, or security intelligence sharing is being requested from us as security experts and companies out there. But why?
Because if we see an attack somewhere happening, sharing that information with someone who is maybe not yet attacked, that then can prepare against this serves our overall purpose of being fitter and being more resilient. That is what it's all about. It's not just me in my own little state of affairs and just making sure that I'm secure.
No, I have so many supply chain actors that are working for me, that I'm working with. So I need to be fully aware that everything that happens with me or happens at them are shared. So we can all be more protected against these things in a collaborative kind of way. And it's also events like this year where we need to come together as security experts and work and collaborate on the things that work well and also share on what did not work well. Fuck-up stories are highly important to tell.
So I encourage everyone to come up with a fuck-up story in the future and maybe present it at a conference like this. Then ethical considerations.
Of course, this is always one of the topics that need to be mentioned. We have GDPR. We need to think about how do we actually use AI, for example, right? With what kind of data? We can't just throw everything in there. We have seen it in the past with other companies as well, who've had their IP being breached or personal information of their employees being used by the AI tools. So please just be aware of what you're actually feeding certain data into tools and using it with. And also that everything that you're following up with follows an ethical standard.
Medicine, it's, I would say, something that they have been doing for years and years and years already. We in security, of course, always concentrate on this very much as well. But with new technologies coming up, it's sometimes hard to really define on what we actually use it for and with. Then continuous learning and adaptation. I think this is also a relatively no-brainer for all of us because we need to continuously learn and adapt to new threats out there, to new technologies coming our way. We need to be able to train our people to sustain talent within our organizations.
And we can do that as well by giving them the possibility to grow and to learn. And that is something that we also need to continuously approach for a more resilient situation in security. Then anticipating the future. It's not about having a clear idea of what will hit us in the next year because that is not very probable. But at least look at the technology that is coming your way. We've just hit 100K on Bitcoin today. What does that mean for us in the future? What does it mean for me as a company right now that I need to protect?
We're probably right now getting hammered by potential customers opening up accounts. So our performance and capacity is something I need to consider very much. What about quantum technology? Just last month, the latest research that has shown that they were able with quantum technology to crack a 22-bit, it's not that high, but it's still a 22-bit RSA encryption. So it's evolving as well. It doesn't mean that it will hit us probably now in the next year, but it definitely means it's a topic that I should have in my view on the overall landscape going forward. AI is the same.
I think we will leverage AI all to a certain degree in the future. It will always be a hybrid model where we have still people, of course, in place, but they will also use AI very heavily for their work. And with that, I'm at the end of my time and at the end of my presentation. I thank you all very, very much. I hope if you haven't taken away anything from a security perspective now, I hope at least you have taken something away for your own personal health. Or if you have your next budget discussion with your leadership, maybe ask them, why are they doing sports?
Why are they going to the doctor? So they want to be healthy. They want to live as long as possible in a healthy kind of state. So why not do exactly the same approach for the health of their company and their security? Thank you.
Max, thank you. Thank you very much. This is great thought leadership. Looking at this from a medicine perspective and what we can learn, I think we need more of that. So thanks for being here. I know you will be around. So if there are questions on that really interesting way of looking at security 3.0, please reach out to Max over coffee.