Andreas Rohr: The most convincing story for works council who were actually not there to prevent security or the company doing the right things, they're there to make sure that the data is not abused against the employee's rights. It's their mission, their task, and it's a valid one. When I was in a CISO position in such companies where there were actually a strong works council, the best relationship is if you're really being transparent to what you do, why you're doing that?
Speaker 2: Hello, and welcome to Security Visionaries. You just heard from today's guest, Andreas Rohr, CTO at DCSO. Aligning organizations on security requires many skills, most importantly, transparency. From establishing top-down communication to collaborating with work councils, transparency answers many questions along the way. Like, who has access to the sensitive information? What is an organization's appetite for risk? And how is the data of employees protected? Before we dive into Andreas's interview, here's a brief word from our sponsor. This Security Visionaries podcast is powered by the team at Netskope. At Netskope, we are redefining cloud, data and network security with a platform that provides optimized access and zero trust security for people, devices, and data anywhere they go. To learn more about how Netskope helps customers be ready for anything on their sassy journey, visit N-E-T-S-K-O-P-E.com. Without further ado, please enjoy episode 20 of Security Visionaries with Andreas Rohr, CTO at DCSO and your host, Mike Anderson.
Mike Anderson: Welcome to today's episode of Security Visionaries. I'm your host, Mike Anderson. I'm the Chief Digital and Information Officer here at Netskcope. Today, we are joined by Andreas Rohr who's joining us from Germany. How are you doing today, Andreas?
Andreas Rohr: Oh, very good. Thanks for pronouncing the name very nicely.
Mike Anderson: I'm super excited about this conversation today because when we think about cyber security, you've done some very interesting things around bringing people together in the DACH region and thinking about companies of all sizes as you think about the cyber topic. And so can you tell us more about DCSO, how it started, the mission you've got, what you're trying to accomplish and how you're working with companies?
Andreas Rohr: So DCSO stands for German Cyber Security Organization. So the D is for Deutsche, for those that are maybe familiar with the language. And what basically four companies in the DACH region; Allianz, BASF, Volkswagen and Bayer, you might have heard of, some of the largest companies in Europe, they saw that they should basically combine forces and get exchanging ideas with other peers of themselves to not reinvent always the security topics by themselves and bringing together their experts. Because they have one thing in common, which is 90%, 80% of what they're challenging and security is more or less the same despite that they're competing on the market. And second, the talents are not enough on the market. So bringing them together under one roof and tasking them with things they're all interested in, would make things even better. And resource enabled testing of new ideas. So this is one of the things. The second one is they all have their supply chain they're dependent on. And this was seven years ago, so supply chain attack as a term was not born back then, but they already realized that the weakest link basically is not their secure and their security team and the maturity of them, but their supply chain ones, which are most dependent on.
Andreas Rohr: And digesting or making things in a way digestible from their security insights and learnings, is what DCSO as a community-driven exchange to operationalize such insights and technology as what we also have been founded for, to find ways to make it easier to use and also to apply for those companies that do not have a huge security team or even any knowledge. So operationalizing with security services was the second task, basically during the foundation of the company.
Mike Anderson: No, that's great. And I definitely know that we've got so many open cyber roles out there today. Anything you can do to help companies combat the bad actors that are out there that wanna cause harm to companies. As you said, these are competitors in some cases coming together at the table to figure out how they can basically protect ourselves from the adversaries that live out there in the wild. So it's definitely a strong mission. Have you had other companies that have joined in as part of that? And you've talked about the four that joined originally, but have you had more that have joined in that mission as well?
Andreas Rohr: So that's a good question. So that's not only the four. We very early started this with around 16 of tax companies we're now about 20, 21 or so of like and a few family owned and likewise and size companies. And they basically steer DCSO's kind of development of the portfolio and what we should talk about and what you should research in terms of topics and directions and help us, in an advisory also so to speak, where to develop into. And the second one is what we also like to and actually achieve to implement is a very regular format where they learn not only with new topics, but also the existing things where they failed or how they solved certain challenges and what did not work out. So that's even more important to shortcut learning curves. And this is not only for the less mature companies, it's also amongst the mature ones. And this proves that bringing folks together, despite their competing on a market, actually useful, effective, and should not only be limited to the companies itself, but also to the relationship for authorities and maybe even also for these research institutes. So really bridging the different fields of expertise and insights, especially to also intelligence services. Makes sense in both ways to have a flow, to not make that visible to the takers or adversaries, as you said.
Mike Anderson: I definitely feel that need for that private-public partnership around exchange of intelligence and what's going on from a threat standpoint. Again, it kinda brings this whole concept that security is a team sport. It's not just the four walls of my organization, but it's the whole ecosystem working together. When you look at that, I'm just curious, when you think about the authorities that are out there, have you been able to influence policy or changes that would help companies have better guideposts or things to align to?
Andreas Rohr: Yep, definitely. That was one of the things which I basically learned from the States. So I've seen the NCFTA, where the FBI and other law enforcement and industry was working together. I think as the early years, in the zero days of 2000s and also other formats for which something that's state-driven. But in general, I like the idea a lot that there's a fluent relationship where the necessary things to help each other is actually exchanged. And this drove also my way of influencing how we do that, and in fact, we have a very good relationship to the Ministry of Interior who actually is responsible for being the advisory function and the supervision of the federal police of the BSI, the federal office for information security, and also the one who's protecting the constitution. Not sure what that translates to English. So having those authorities that have all their own insights from [0:07:13.7] ____, from their peers at the FBI for instance, or from other law enforcement or intelligence services, and making sure it's getting passed on via DCSO as a trusted clearinghouse if you want to, where they can trust this will not leak to the public, especially to the attackers.
Andreas Rohr: But helping companies to find certain things where they have no clear indication that a particular company is threatened by a particular actor. But in general and helping to identify if those attackers are active in those networks, has proven to be very valuable because we've helped also the authorities to find out that a particular group was active by us operationalizing the information they gave us in a trusted way. And we could basically tell them back, "Okay, look, this thing you gave us, we have no idea where it came from, but we have seen that here." And so we help the law enforcement and also the intelligence services to have their targets to be better monitored when they have no sensors, because on the domestic side, the authorities are limited to what they can do in contrast to outside of Germany. And the same thing on the other hand, companies who are sometimes maybe very conservative on letting authorities look into their networks could use us to make sure there's only those things that are actually necessary to fulfill to each individual mission is passed on. And having basically us as a bridge to also cover then not always giving trust in the beginning.
Andreas Rohr: So it's developed into something where there's a more trustworthy exchange where those initial fears, they have not vanished, but they're definitely lower than before. So this helps in the end everyone. Not getting pathetic here, but also helping to get a better protection of the democracy itself where you have influencing parties out there.
Mike Anderson: Well, it sounds like you said lack of no trust, so it sounds like zero trust. So it seems like that's a common theme everywhere. I see a lot of organizations trying to align to it. Look at guidepost, like in the US and even beyond, sometimes we see people aligning to the NIST controls that are out there because the insurance companies which; that'll be a topic we'll talk about a little bit later, they're using that as a guidepost. Auditors use it as a guidepost. What do you see as the guidepost for companies that you're working with today? What is that guidepost that they're trying to align to?
Andreas Rohr: So it's not so much NIST-driven, that's just treated in nature that we are in Europe and trying to sometimes, invent the wheel ourselves instead of putting our forces together. But anyhow, so the guidepost here is more the ISO 27000 or something which is similar to it. It's a very German version of it. They all try to go after making sure that you manage your security correctly. And even more in this, the developer of the last years, the maturity level of those control implementations matters more than the actual compliance of it. So think of having compliance things first and then maybe 10 years ago where they started to implement those things, the effectiveness of that is what matters. So there's actually a shift, and what I like with the NIST and also other frameworks, is that they try to get more into the direction, how effective are you actually protecting yourselves and not necessarily only are you managing basically your risks and having controls. And this is where actually things should develop further into. So compliance is needed, but it's only a necessary condition, its not a sufficient one, 'cause a sufficient one is being effective. And effective actually matters more than the full compliance. But this might be not be cited to a regulator, please.
Mike Anderson: Well, it's interesting, 'cause what I see a lot of times is people will acquire tools because the auditors say you need to have the tool. But as you said, the effectiveness is actually, are you using the tool to accomplish the objective that you want to accomplish or drive the business outcome? And a lot of times that's a missing link because people collect tools to satisfy auditors, but they're not getting the effectiveness they need. And so they're now exposing themselves for business disruption from whether it's ransomware, they're exposing themselves to a data breach in their organization.
Andreas Rohr: Yeah. That's something really that the auditors and the regulators should think differently maybe in future because they drive this development by how they put their regulation. And there's a good change, which I saw was a local security guideline that actually became effective or will get effective fully in 1st of May in Germany, which indicates that you need to have... Like in the ISO 27000 new version, that you need to have systems for detecting attacks. That's what they call it. So basically, ISO detection mechanisms and also response. And this is really the things which you also refer to. It's not only a tool thing, they also mandate that you organizationally need to make sure that you are able to analyze those things, in a human and making sense of that, whether that's something serious to go after or not. And then even more important, being able and having things implemented to react. So it's also organizational-driven thing that you need to have 24/7 ability to, to do something about. If there's an indication of a ransomware group being at an early stage. Because you might only have a few hours or at max, days left to prevent the max damage.
Andreas Rohr: And having these organizational things on top of the tooling and the integration and making use of that in an effective manner is where the regulation should... Like insurance companies actually do, they'll rather look for whether something is effectively secure or not. And this is where it actually needs to develop into. But the regulator, for them it's easier to say you need to have a SIM, you need to have a network detection monitoring. So if you have an own data center and what not. But in the end it might be a good advice also to the regulator, maybe that's one of the next missions of DCSO to influence that to be more practically relevant what they actually tell them. And there's a good example for the national security law that was released two years ago in Germany.
Mike Anderson: No, that's great. You mentioned about managing the impact. I remember a peer of mine at a global consumer package goods company said that when NotPetya hit, it infected their entire network and all their systems within 15 minutes, globally. And so I think that thinking is the traditional, "How do I get things as quickly as possible from point A to point B, to C to D, and around my corporate network." That whole thing has to be rethought because then if I get compromised in one node, can it quickly just take over my entire network and bring my entire business down?
Andreas Rohr: Exactly. And when you also search on that matter, think about, this NotPetya was something which most of the folks could have prevented by doing more hygiene on their patching. But before those things happening, at least with ransomware vectors, they make some noise in the network. So there's almost 100% of the cases which we have been involved, doing incident response, we saw enough signals that could have been basically analyzed and triggered action to stop the attack. It would not necessarily make them to remediate those systems and building things from scratch, but they could have prevented the entire damage that actually happened after a few days. And the same thing is also with NotPetya, if you could have patched those things that are known or have been known to be critical, and a few other good practices that actually mandated in those standards, you have mentioned earlier, then this is the homework, the necessary condition. And the sufficient one is to build on top of that a good net of detection that actually gives you the trigger to act. And, not sure whether it would've been worked out in 15 minutes, but in general there is a timeframe which is shrinking to be fair.
Andreas Rohr: But there's a timeframe where you could detect things and can assume that that not all protective measures will always 100% protect you. And it's either being a user click on something or you have not patched or there's unsecure configuration or whatever in there. But if you assume that's the case and you have a detection grid on top of it, that will tell you, "Okay, there's something you don't want to have here. Please have a look and take action." Maybe even in a very automated or predefined way to stop such attacks is what needs to be done for really good companies in terms of security state.
Mike Anderson: Yeah, I fully agree man. If it's manual, you're always depending on the person in the chair and with a skill gap that can become problematic. So exactly to your point, the automation. So I can take preventative measures and run my play as quickly as possible is critical. Going back on thinking about the security side, and I think about data privacy, everyone talks about GDPR. I always remind people, you think GDPR is tough, wait till you have to go in front of German worker council and talk about data privacy for German citizens. When you think about a lot of security tools, you're inspecting what people are doing. How are you helping companies navigate the German worker council to make sure that they can get the right protections in place, but also preserve the privacy of German citizens?
Andreas Rohr: That's a tricky question. There's no silver bullet to making this happen. That works council is happy with what's happening when massive amount of data is inspected, which is needed for detection, to be fair. But the most convincing story for works council who are actually not there to prevent security or the company doing the right things, they're there to make sure that the data is not abused against their employees. It's their mission, their task, and it's a valid one. And to get along with works councils... And when I was in a CISO position in such companies where there were actually a strong works council, the best relationship is if you are really being transparent to what you do, why you're doing that. So I was pretty young back then. I was not really good in arguing potentially, basically on their mission because they're also having the mission to protect the employees from harm. And this also includes cyber attacks or violations of data privacy and breaches, et cetera. So back then I should have argued, what I do now, that helping to prevent attacks by inspecting some traffic or acquiring certain data would've been the right avenue to go. And that's one of the things which they cannot deny if you know how the constitution basically works.
Andreas Rohr: If you tell them the only use case to use this data, where it's valid to use the data, is for detecting malicious activities and not tracking employees and whatnot, and if you give that in writing, that this is what you do and if you adhere to your own rules for that sense, then they basically will in the first place, put some stones in your way and see whether you behave or not. But if you do that constantly that way that you're only using it for detecting malicious things and by that preventing basically their constituents if you want to, then the next time let you easier pass the door than than before. At least I never failed with getting things through the works council. It's just the way how you put that and that you really adhere to most principles to not use the data for something else that you acquire them for.
Mike Anderson: That's great. Well, hopefully, that's a product line offering that you're offering it at DCSO.
Andreas Rohr: Whenever you buy managed services from DCSO, this is included. So we help the customer to get through the door of the works council and I guess we have a pretty good reputation. And since I've worked with works councils before in the Volkswagen world, but also in the utility where they have really strong works council and tell from my past with them and how good the relationship et cetera, then that's the other part of the story. So we bring our experience in and they like that typically and make their life easier in terms of helping them to argue with their folks. And then it's a matter of trust in the end, not like zero trust, it's really the other way around. So if you build a trust then you can do most things with the works council. And even if you give them just a small hint, a read-only account to the technology you are deploying, this also helps a lot. So they're left to have transparency and helping them to see what you're looking at and what you make out of that and how you comment cases, et cetera, this is also helping to build trust. So they might not grasp everything as they see, but this is where they do not have the feeling there's something in the dark that's happening, which might harm my people. And it's not a secret success ingredient, but it's something which if you adhere to it, that actually will get you likely to a good outcome.
Mike Anderson: That's great. I 100% agree with, transparency is what builds trust. When people don't have transparency, people are guessing and guessing doesn't lead to trust. And so that's a great advice there when dealing with German Worker Council, and just generally as a business principle. Transparency is what builds trust. If I look at the role you have today, and you talked about some of your roles, what are some of the learnings you brought into DCSO? You mentioned that you were a CISO in the past, and now the CTO for DCSO. Talk a little bit about that journey and how have things evolved in your thinking as you've transitioned into the role you have today versus more the practitioner and CISO type roles you had in the past?
Andreas Rohr: When I was CISO back then, I had the same challenge as most CISOs that also have technical teams. So I had a fortune to not only be responsible for the governance and the security management system, but also having an own operational security team and the luxury to play around with technology, et cetera. So what I started most was what that I had all those tools in place that does island wise an okay or even a nice job, but there was no coherent way of utilizing that for an entire picture. And I don't want to say single pane of glass things. So I mean this is often used, but making use of the strengths of the different technologies and combining them is what basically made me successful to be very cost efficient in getting actually the entire value out of the different technology I was employing. And also got my team back then in a position to do some nice things that have been not average to what teams can achieve. So taking this, like, a set of or different tools, an army knife, if you want to, a swiss army knife, then the team that's operating that knife actually matters most. So getting them to deal with different types of input technologies, streams, insights, and operationalizing the different capabilities and skills of the people to maximize the outcome and also helping to solve certain homework for our clients in DCSO, is what drove me when we developed the portfolio.
Andreas Rohr: So one of the things I didn't mention earlier was that I have been also tasked to come up with a managed security service portfolio seven years ago. So put yourself back to that time, there was not very common, having maybe an outsourced SARC or so, but not outsourced managed security services so much and solving homework to those organizations so they can focus on the most interesting and hard nuts to crack and not doing the day-to-day job and making this very efficient was possible because I was in the position before. And at the same time having not the speech to the customer saying, "We do that for you." And like taking your job away, which is really something which you get a lot of resistance from security teams which you try to do business with. But helping them, "Look, we know that you need to do that and it's sometimes painful and we also have been in the position before, so we would like to blend into your team, and just accept us being the one who does the super homework every day, 24/7 and why you no focusing on the interesting things?" And we give you all the ingredients for that. So that's one of the things which helped a lot from a CISO and also fear perspective of those mature teams and the customer space to accept that we bring in added value. So it's not a technical question, it's rather how you blend in and complement team skills and capacity. And this is when you are able to convince also the technical folks on the customer side.
Andreas Rohr: And this helped a lot building the portfolio, how we put it, and also getting the community part in each of the services into the game where they talk and exchange with peers, not only how they like us, but also how they solve certain problems in the real world in a day-to-day fashion without having a consultant in place who helps them to solve it in the one or the other way. But learning from the others facilitated to us is what actually makes our success possible. And this is also kind of unique. So we are not focusing only on numbers within customer amount for VC, but really going purpose-driven on that they can help each other and we do kind of their homework in the most innovative way we can. That's where my past actually helped to do a different kind of a portfolio set up.
Mike Anderson: No, that's great. I have to ask, one of the questions that I always get asked, and then I saw a debate going online yesterday on LinkedIn between CISOs about, how do you determine the budget for security? And the debate is always around, is it a percentage of revenue the company? Is it a percentage of the IT budget? Is it based on the risk posture of the organization and what they wanna invest around that? How are you... I gotta imagine that's a question you get all the time from companies. How are you answering that question?
Andreas Rohr: It's rather the CISOs should get a, if you ask me, a trusted, neutral advisor who has no own interest in selling something. Sometimes I actually find myself similar positions. We get hired from board of directors and basically looking at their estate, et cetera, and then knowing that I also sell those services, but tell them what's needed and what's... I'm not saying rubbish, but where they overspend things and being really frank and not only looking for benchmark and going, after effective things. So what is those things that you wanna protect most, which actually makes your business running? Like a business impact analysis. If you know you're 10%, you are most dependent on, and if you put all the effective security roles on top of that and do a medium job for the remaining things, is the better advice to go after, rather than looking for the, pure numbers. And either you wanna protect your business or not, the 10%. And this is the way how I talk to them, then, okay, what's needed for that? Obviously is the next question. And so how much is an appropriate amount of money to spend? While they're getting top-down first, I was the critical business processes and then bottom-up. What's needed for that? And, then say, "Okay, for the remaining one, I can use a benchmark." So this is how I would approach it.
Mike Anderson: Yeah, it's good advice if I think across the business. You talked about supply chain risk early on in the conversation. When I was at Schneider Electric, I would talk to our head of supply chain about, what's the security posture of our suppliers? How does that fit into our sourcing strategy? And it all becomes into this whole enterprise risk conversation, not just cyber, but what's the financial stability of that company that I'm working with? Security now becomes another question that's right alongside that because if I can't get steel, it's hard to manufacture products without steel. And so looking through that, so I think you're spot on with that. I would hope that would fit for most of the companies that manufacturing summit and that 10% that they're really focused in on, that they wanna protect.
Andreas Rohr: Absolutely. And we have learned the disruption of supply chain with the Suez Canal, which is a very physical event, now we had this pandemic thing, we have this maybe trade war and related things, and then we have this shortage of resources due to the crisis in Europe with the war and also with China maybe not being able to operate their factories because they can't or they don't want to. So whatever it is. So knowing exactly where your weak links are and managing them actually will basically, or have already reset our way of measuring risk. And we also should factor in, that's one of the learnings of last year, that not always the adversaries act rational. So having a risk management and evaluation based on rational behavior of others, this might true for most of the things, like the financial market maybe and other things, but not necessarily for states like Russia. And we should also assume that there is a disruptive way of acting without any obvious reward to those who do that, which would be rational. And this is one of the things where you should be more conservative in terms of evaluating those risks, rather than, "Yeah, that's so unlikely, so it will not happen." This is also something which we should actually take into account.
Mike Anderson: Absolutely. I'm gonna pivot a little bit, as you talked about work with board of directors and others, when you think about security as a team sport, often times the CISO is the one that takes all of the... It's like probably one of the hardest jobs in the world, because there's no a dollar amount you can spend that's gonna protect you a 100%, and so it's always a risk-reward trade off. But it's also not just the CISO's job. How are you seeing, and how are you helping advise companies on how do they make security become part of the fabric of their organization and their people across the organization in all different units, business units and functions? How are you driving that and are you seeing that evolution occur at the pace you would expect it to?
Andreas Rohr: So the advice is to split it up into two different disciplines. One is more from a compliance perspective and getting the frame in place, and also the backing from the board for the most general things, which are not business-driven by itself. And the second one is making the teams end-to-end responsible. So the modern way of development and running applications is the DevOps team. So this has proven to be for most things the best setup. And adding security, and that one was the buzzword, DevSecOps, actually means that you embed the security for operations, but also for the developers in a very close loop. And this is the way how you actually make everyone aware what they're doing, what the impact is, and what in a best case should be implemented rather than a gateway centric development cycle. And by that you can react much faster on vulnerabilities, on insights, on things, attackers abuse, that it might be normal function. And this is the most modern setup you want to have in IT anyhow, and adding the security to it. And by that, also developing the developers and then the operations folks to know what they should do, because basically they have not been raised with that knowledge. And training on the job, so to speak, is the best way of implementing that in the most effective way.
Andreas Rohr: Don't talk down in terms of their skill in terms of doing that the right way. But if there's something sitting next to them having that thing and they're basically backing each other up on certain aspects, it's the most effective way to do. And this is the second one, which should be implemented. And the functional lead or the tribe lead, so to speak, for the subject matter of security should be with the CISO. So having a matrix organized way of implementing that, but they should be embedded in sitting with the developers and the operations folks, so as a normal security would be. So that's, in my opinion, the best way to do, there are industries where this does not work out, so where we need to act differently, but for IT driven companies, this is the best way to ensure that's happening. And maybe there, the security folks cannot be there 100% of their time because lack of talents as we know, but having this in general will implement it and swapping teams and making this possible is the way how it should go.
マイク・アンダーソン:それは素晴らしいことです。 そして、私がこれまでに見たもの... ITチームとデジタルチームについて考えると、DevSecOpsは間違いなく青写真であり、その流行語を使用するための道です。 財務部門、人事部門、さまざまなビジネスユニットについて考えると、テクノロジー組織や会社以外の人々の考え方にセキュリティをもたらすためにどのようなことが行われていると思いますか? セキュリティを組織の構造の一部にするにはどうすればよいでしょうか。
アンドレアス・ロール:これが実際にCISOだけの積極的な仕事であるかどうかはわかりませんが、それは完全に旅から始まる取締役会のようなものです。 そして、同僚や近くのターゲットの攻撃、そして昨年の攻撃者の破壊的な行動は、私の組織の隅で発生する可能性のあるありそうもないことから実際のものを取り除くのに実際に大いに役立ったので、それはもはや挑戦ではありません。 さて、私たちはそれを世話する必要があります。 それは統計的なことではなく、10年ごとに私を襲うでしょうが、それは間違いなく今後2年以内に私を襲うので、私はそれの世話をする必要があります。 そして、セキュリティは100%安全ではなく、すべてが常識であるのを防ぎます。 そして、これは人事や財務などにも当てはまります。 したがって、彼らとの違いは、彼らに目標を与える必要があるということです[0:31:15.5] __彼らがすべきこと、すべきでないこと、そして特定のことについて確信が持てない場合に尋ねる方法と場所。 そして、これはそもそも意識です、または... Netskopeも時々人間のファイアウォール用語を使用していると思います。 そして、基本的に彼らに助言し、教えることは良いことですが、彼らがそれを必要とする場合、彼らが不確かな場合に何をすべきかを彼らに助けの手を提供することほど良くはありません。 ですから、それはさらに重要なので、疑わしいものがあるかもしれませんが、彼らが一目で助けを得るなら、それはさらに重要になります。
マイク・アンダーソン:ええ。 あなたは人間のファイアウォールを育てました。 これは、ここラモントでのCISOの内部での大きなキャンペーンであり、セキュリティプログラムで最も弱いリンクは、毎日仕事をしている椅子の人々であると常に見ているためです。 私たちは、意図的な危害を加えたいと思う人々を見つけるためのすべての素晴らしいツールを持っています。 毎日偶発的な危害を加えるのは、すべきでないリンクをクリックする人々です。 彼らは使用すべきではないアプリを持ち込みます。 彼らはそこにあるべきではないそれらのアプリにデータを入れます。 それが私たちが対処しようとしていることです。 私が大好きな大きなことの1つは、より良いデジタル市民をどのように作成するかということです。 シャドーITは、今日ある概念として耳にします。 そして、今CEOに尋ねると、デジタルネイティブである新世代の労働者がいるため、よりビジネス主導のITです。 そして、どうすれば彼らが安全な方法で問題を解決できるようにするのでしょうか。 セキュリティ会社のCIOである私の人生の新しい使命は、デジタルネイティブの考え方を解き放つことができるように、椅子の人が安全な方法で問題を解決できるようにするにはどうすればよいかということです。 では、人々はそれをどのように進化させているのでしょうか? シャドーITは常に大きなもののようでしたが、多くの供給工場のように見ると、工場のリーダーは誰かを雇ってダッシュボードを構築するとおっしゃいました。 では、その考え方のいくつかはどのように進化していると思いますか?
Andreas Rohr: シャドーITは、柔軟なサポートを受けられなかったり、自分のデバイスを持ち込んだり、サーバーを立ち上げたりしないことから進化しています。 そもそも、より機敏な方法と、コンピューティングとストレージのリソースを取得するための信頼できる方法を取得することは、机の下にサーバーを持ちたくないため、このシャドーITの多くに役立ちます。 だから誰もそれを望んでいません。 彼らは必要な助けを得られないので、それをするだけです。 したがって、これを進歩的な方法で解決し、サーバーの管理に最適ではないというリスクを受け入れることもできますが、それでもシャドーITを使用するよりはましです。 そして、最初のこと。 そして2つ目は、たとえば、ユーザーが自分のものを持参し、衛生面で最も重要な問題を解決するのに役立つ小さな壁の周りに構築することですが、100%管理されたデバイスはありません。 したがって、これも役立つ可能性があります。 そして、ヒントがあり、タイムゾーンまたは場所からメールが届き、以前から干渉したこのセンターが正しくないか、異なっていると、「はい、このメールはあなたの組織外にあるか、これは異常な時間に送信されました」という小さなことを受け取る可能性があります。 したがって、基本的に、ユーザーが現在行っていることや直面していることをより注意深く見ていることをほのめかすことも、最終的により良い決定を下すのに役立ちます。
マイク・アンダーソン:いいえ。それは間違いなく素晴らしいアドバイスです。 ですから、少しシフトしたいのですが、これを未来派の質問と呼びます。 ですから、私たちが将来を見据えて、過去5年間を振り返ると、「私がそれを違うやり方でやることができれば、私はこのようにしただろう」と言ったであろうことがおそらくたくさんあることを学んだと確信しています。 5年後、10年後、たとえば2030年に早送りすると、セキュリティとITのリーダーは、2030年を振り返ったときに、今何に投資したいと思うでしょうか。
アンドレアス・ロール:2030年はかなり長い期間ですが、今後5年後としましょう。 それでも十分にやりがいがありますが、基本的に何が重要かを推測することは、行動しているパートナーのエコシステムに柔軟に対応することであり、これは制御されていないリソースの統合方法につながります。 データフローやサービスなどは、それらを接続に接続し、その非常に抽象的なレイヤー、パートナーを変更した場合、プラットフォームを変更した場合など、変更したい特定のポリシーやものを適用する非常に柔軟な方法でした。 そして、これはゼロトラストの原則につながり、2番目の原則はあなたが制御する種類のファブリックにつながりますが、時間の経過とともにモノリスではなく、さまざまなクラウドサービス、さまざまなパートナーネットワークなどを利用できるようにするのに十分な柔軟性があります。 そして、それらのものをプラグ可能にする能力に投資しないと、新しいセットアップのために市場に行くために必要な時間がはるかに多くなります。 そして、これは最終的に、競争上の優位性にあるか、そうしなければそうではありません。 したがって、プラグ可能な方法に投資し、ポイントを実施して、決定が正しい方法で管理されていることを確認するために、これがあなたが望むものです。 そして最終的には、ある程度、ゼロトラストです。
マイク・アンダーソン:それは素晴らしいことです。 では、ゼロトラストという言葉を持ち出して以来、サイバーについて考えることがよくありますが、なぜサイバーに投資するのですか? それは本当に侵害を避けることであり、ビジネスの混乱を避けることです。 では、ゼロトラストを見ると、それはどのように進化していると思いますか? これは、企業がデータ保護について考える方法にどのように影響しますか? 「明らかに、それがデータ侵害の観点から保護しようとしていることの中核だからです。
Andreas Rohr: ゼロトラストは、侵害を防止し、データフェンスに関するより良いガバナンスを得るという点で、ほとんどの人が考えているのとは異なる方法で実際に役立つと思います。 むしろ、アーキテクチャ、アプリケーションランドスケープ、パートナー、買収などを変更するときに柔軟性を高め、それによって変更に対応する時間を確保する必要があります。 そのため、アーキテクチャとデータ フローに多くの仮定を入れたくない場合があります。 したがって、ゼロトラストと非常にデータ中心のワークフローアプローチは、より柔軟性を維持するのに役立ちます。 そして、それに対する最良のサイトの利点は、そうすることに非常に優れており、誰がどの場所とデバイスタイプからどのデータサービスを使用できるか、そして認証レベルを制御することに非常に優れている場合、それを保護する上でより良い仕事をしている可能性があります大きな違反全体。 必要に応じて、さまざまな部分を管理するこのマイクロセグメント化された方法がある場合は、どちらか一方のシステムまたは一方またはデータを失う可能性がありますが、全体は失うことはありません。 そして、そうする能力はあなたに競争上の優位性を得るでしょう、あなたが側で私に尋ねるならば、あなたが良いガバナンスとセキュリティ運用でそれを正しく実装するならば、あなたはあなたのデータをよりよく保護するという副作用もあります。
マイク・アンダーソン:いいえ。それはいいですね。 それは素晴らしいアドバイスです。 少し考えてみれば、現在一緒に仕事をしているすべての企業、ゼロトラストは明らかにホットな話題です。なぜなら、RSAに行くと、すべてのベンダーがブースにそれを持っているからです。 今年も同じことが見られると確信しています。 あなたが言うと、あなたが今日一緒に働いているCIOとCISO、そして取締役会から聞いている上位2つまたは3つのことは何ですか? 今日聞いているホットなトピックは何ですか?
アンドレアス・ロール:最も差し迫ったことは、誰も100%まで身を守ることはできないということを私たちは知っているということです。 それは本当に[0:38:05.0]です ____基本的に、信号を十分に早く見ることができないという恐れがあり、基本的に平均ダウンタイムが弱く、その意味で数百万または2桁の数十億を失い、新しいビジネスを作ることができないと話さない人々によって。 ですから、これは本当にナンバーワンのリスクであり、彼らも保険の適用を受けるのに苦労しているので、それは彼らのコアビジネスの混乱であり、注意義務の面でも十分なことをしていないようなものです。 したがって、取締役会のほとんどの取締役は、この種の統計的リスクを無視することはできないことを知っていますが、それを処理する必要があります。 そして、彼らはまた、彼らが何をするにしても、もう少し焦点や予算で防ぐことができたものではないことを確認したいと考えています。 そして2つ目は、それに関連して、最も重要なサプライチェーンパートナーが自分たちと同じ立場にあることを確認したいということです。 したがって、必ずしも自社のシステムや環境のためではなく、サプライチェーンの人々が上流または下流であるため、ビジネスの混乱があります。 また、基本的に収益源を失わないようにします。 そして、これは実際に私が最もよく耳にするものであり、セキュリティはその間の共通点にすぎません。
Andreas Rohr: つまり、バリューストリームのデータフローをこのような攻撃に対して回復力のあるものにしているということです。 そして、残りのものはそれから派生したものとして来ています。 これは私が最もよく耳にすることであり、ゼロトラストは、申し訳ありませんが、これはより良くするためのより戦略的なことであり、今日彼らが実際に懸念していることの2番目の議題であるため、人工的なトピックではないものです。 したがって、これは3〜5年で問題を解決しますが、ゼロトラストは製品ではないため、必ずしも今日ではありません。 彼らはそれを理解し始めます。 そして、私は彼らにも「それが製品だと言う人に騙されないでください」と言います。 グリーンフィールドは新しいものであり、学習を行い、ニーズに適応させ、時間の経過とともに移行し、ゼロトラストが有効になっていない20%を受け入れようとします。 それを遺産として残し、その周りにいくつかの大きなフェンスを構築し、それらのものを制御し、物事を考えすぎないようにしてください。
マイク・アンダーソン:いいえ。それは間違いなく素晴らしいアドバイスです。 そして、「私の製品を購入すれば、今ではゼロトラストになる」と言う企業が多すぎます。 そして、あなたが言ったように、それは存在しません。 ですから、それは間違いなく素晴らしいアドバイスです。 あなたは保険について少し触れました、そして私が保険ベースについて考えるならば、私は多くの人々が言うのを見始めています。 私たちは自己保険をかけるか、保険に費やしたドルを取り、それをセキュリティプログラムに投資するつもりです。」 「彼らは、保険会社が国民国家の攻撃である場合は適用されないと言って国民国家を回避するなど、支払いから抜け出すことができる基本的な方法がたくさんあると感じているからです。 人々の考え方をどのように見ていますか? 人々が「あなたは何を知っていますか、なぜ私たちは自己保険をかけ、それを私たちのセキュリティプログラムに投資しないのですか?」と言っているのと同じ種類のことを見ていますか? あなたはそれを見ていますか? サイバースペースにおける保険の未来はどのように見えますか?
アンドレアス・ロール:基本的にサイバーリスクはそうではないと述べている大手保険会社があります... 保険会社の立場からすると、満期状態を実際に測定できないため、これらのリスクに保険をかけることはできなくなりました。 では、企業が攻撃に遭う可能性はどのくらいあるのでしょうか。 そして2つ目は、満たすべき前提条件が恣意的なページ保険会社である場合があることです。 それは異なり、それらのアンケートに記入することは実際には悪夢であり、時には私たちは彼らが戦略的に適切な場所で十字架を作り、間違ったことを述べないように助けますが、実際のことです。 「ええ、あなたはここでそれを述べました、そしてあなたはそれを順守していないか、実際にそれを実装していません。」 したがって、リスク管理の良い組み合わせでは、おそらくそれを保険するのではなく、おそらく自分のセキュリティに費やすと、古典的な管理慣行である保険会社に延期された方法が常に必要です。 だから私はそれをまったくしないことをお勧めします。 したがって、実際に物事が最悪の方法で何らかのコストやビジネスの中断をカバーするかどうかもカバーすることは合理的であり、絶対に理にかなっています。
Andreas Rohr:それが途方もなく高いコストの申し出であるならば、あなたは「物事に反応して検出する能力にそれを置くほうがよい」と考えるかもしれません。 そして、セキュリティイニシアチブのいくつかを後押しするかもしれませんが、私は一方を他方と交換しません。 建築的なことへの信頼と、自分で正しい宿題、完全な衛生状態を確実にすることに戦略的に行き、保険会社にあなたがセキュリティで良い仕事をしていると信じさせるように努めるべきです。 しかし、時間が経つにつれて、保険マークはサイバーリスクの保険に加入することに関して非常に有利な保険を提供しなくなると思います。 それが私の直感です。 私はそれを証明することはできません。 しかし、私が見たり聞いたり、統計的および質量の観点からそれをどのように測定するかを見たりすることは、私がプロとしてのキャリアを始める前の私の研究の1つでしたが、統計的基礎ではないため、実際に適切に記述するモデルで計算できるとは思いません。
マイク・アンダーソン:ポッドキャストの楽しい部分、つまりクイックヒットに切り替えます。 私はあなたにいくつかの質問をするつもりです、急速な火、そしてあなたがどんな答えを得たか見てみましょう。 まず、これまでに受けた中で最高のリーダーシップアドバイスは何ですか?
アンドレアス・ロール:それは私のプロとしてのキャリアの非常に初期のことでした。 そして、これは基本的にCEOが私に言った、「あなたが世界で解決しようとしていることの最高の主題専門家であっても、あなたはむしろあなたのチームの話を聞いて、彼らがあなたにどんな答えを来るかに驚くことをあなたに話します。」 そして、これはあなたが自分でやったほど良くも有効でもないかもしれませんが、もっと重要なことは、それが持続可能であることを確認し、基本的によりよく眠り、次の挑戦に行くことができることを確認する彼らの貢献です。 そして、それはとても本当です。 そして、あなたが物事に対する最善の解決策であると感じるものの90%はあなた自身の経験に基づいており、他の人は他の経験を持っています。 それは多様性にも当てはまります。 それで、彼らがその時聞いて驚く間、そして私は非常に頻繁に驚かされました、それは私が最も好きです。 ですから、ぜひ試してみて、チャンスを与えていただきたいと思います。
マイク・アンダーソン:間違いなく良いアドバイスです。 大丈夫です。 あなたの最後の食事は何でしょうか?
アンドレアス・ロール:インドやムンバイにしばらくいたので、隔月で2週間か3週間過ごしました。 そして、私は食べたいと思います、そして彼らは向こうでとても辛いものを食べます。 だから一番好きだったのは、スパイシーなチキンマサラとガーリックナンパンでした。 だから私はそれがとても恋しいです。 だから多分それは私が注文するものです。
マイク・アンダーソン:わかりました、最後です。 今年読んだお気に入りの本は何ですか?
アンドレアス・ロール:エリス・ミラーの本を読みましたが、それは実際にはすでにかなり古い本で、30年ほど前の本だと思います。 そして、それは「才能のある子供のドラマ」と呼ばれています。 そして、それは彼らが彼らの周りの期待に固執せず、彼らが望むことに適応して行うのではなく、むしろ彼らが本当に情熱を注いでいることを見つけてそれをさらに発展させる方法で子供を育てることです。 ですから、それは読んであなたの子供が自分の道を見つけるのを助けるのにとても良い本です。 だから私はそれがとても好きです。
マイク・アンダーソン: 私はそれを読書リストに載せなければなりません、4人の子供の父親として、私が奪うためにそこにいくつかの良いナゲットがあるでしょう。 アンドレアスに感謝します。 これは私たちが今日持っているすべての時間についてであり、私は会話に本当に感謝しています。 今日はアンドレアスと素晴らしい会話をしました。 私がこれから学んだ3つのことは、何よりもまず、アンドレアスが何度か触れたことですが、組織全体で働き、周囲を見て、エコシステムで周囲の人々を活用することです。 私が見ている2番目のことは、ツールを見るとき、ツールを収集するだけでなく、それらが統合されていることを確認し、組織で推進したい結果と一致していることを確認することです。 そして、私が私たちの会話から最後に取ったのは、組織のバリューストリームについて考え、組織内の特定のバリューストリームに関連する適切なリスク態勢を持つために、それにセキュリティを組み込むにはどうすればよいですか? 超洞察に満ちた会話とあなたがそれを楽しんだことを願っています。 セキュリティビジョナリーポッドキャストで近日公開予定の次のエピソードにご注目ください。
スピーカー2:セキュリティビジョナリーポッドキャストは、Netskopeのチームによってすばやく簡単に利用できます。 Netskopeプラットフォームは、どこにいても人、デバイス、データに最適化されたアクセスとゼロトラストセキュリティを提供します。 お客様がリスクを軽減し、パフォーマンスを加速し、クラウド、Web、またはプライベートアプリケーションのアクティビティに対する比類のない可視性を取得できるよう支援します。 Netskopeが顧客が生意気な旅に備えるのにどのように役立つかについて詳しくは、N-E-T-S-K-O-P-E.com をご覧ください。
スピーカー4:セキュリティビジョナリーの話を聞いていただきありがとうございます。 ショーを評価してレビューし、それを楽しむかもしれないあなたが知っている誰かと共有するために少し時間を取ってください。 隔週でリリースされるエピソードをお楽しみに、次のエピソードでお会いしましょう。
){kind=icon}
