Security Expert Interview Series: Thomas Zeulner
We recently had the opportunity to interview Thomas Zeulner, who is a Chief Information Security Officer at TDK Electronics AG. Having worked for over 30 years in IT management, networks, IT service design, service transition, provider management, information security, and operations, Thomas shared his perspectives on several matters, such as how companies in the electronics manufacturing industry can turn information security into an opportunity to differentiate themselves in the market. Read more about Thomas’s insights and two pieces of important career advice below.
1. We would like to get some background information about yourself. What is your background?
I have now been working in IT for just over 30 years, both as a system and network administrator, IT trainer for companies, or as a system architect in various international companies. Here I was able to acquire a great deal of knowledge in the areas of IT management, virtualisation, networks, IT service design, service transition, provider management, information security, and operations. From the beginning, it was my ambition to put the topic of security in the foreground without losing sight of the business.
2. What is the most exciting part about holding the position of CISO in the electronics manufacturing sector?
I think the position of a CISO is always particularly exciting, no matter what industry it is in. The attraction of a manufacturing company lies in the combination of IT and OT. Here, it is important to build bridges not only between white-collar and blue-collar employees but also between the administrators of both worlds. The requirements in the Industry 4.0 environment are always a challenge.
3. In fact, manufacturing companies are increasingly under threat from cyber-attacks, and identity theft is known to be the most common threat to manufacturers. Please, tell us how manufacturers are fighting identity theft.
Unfortunately, digitalisation has contributed to a significant increase in the number of identity thefts in recent years. The amount of data left behind on the internet makes it particularly easy for thieves here. Here, too, training is extremely important; every individual should be very conscious of personal data. If people, websites, or e-mails ask you to do so, you should first question the necessity and sense of it.
Of course, appropriate security tools that protect our users are part of a successful cyber-security strategy, but also such unpleasant topics as a strong password policy, continuous patching of software and operating system, separation of user and privileged accounts, as well as information sharing according to the “need-to-know” principle, should be put into practice.
4. How can companies in the electronics manufacturing industry turn information security into an opportunity to differentiate themselves in the market and, therefore, gain the trust of their customers?
Here I would like to particularly emphasise the possibility of certification. That is, companies can emphasise the topic of lived information security in addition to the usual ISO 9001 and ISO 14001/50001. With certification according to ISO 27001 or TISAX, one can gain certain advantages over some competitors.
A TISAX label is the entrance ticket to the automotive industry for suppliers; it is the basic requirement for them to be able to work with OEMs now and in the future – no business without a label. This certification confirms that the holder has a functioning ISMS (Information Security Management System) in place.
5. How would an organisation go about building a strong top-to-bottom cyber security culture?
The current threat situation is already worrying. Anyone who is on the Internet can become a victim of an attack, and the consequences are now more serious than ever before. Time is absolutely of the essence, and we must rely on the support of all staff. This is where the idea of “Security First” proves its worth and should be reflected in all areas of a company, no matter at what level, be it management, executives or employees. They all form the most important link in the chain of the security defence strategy.
This culture should be found in the actions of each individual, which means you don’t just think, you just do. Therefore, it is our task to build and promote this security awareness among colleagues. The security culture should be part of the corporate culture.
6. What is your biggest fear as a CISO and what actually gives you sleepless nights?
The biggest fear I have is a total blackout, which shows us how dependent we are on electricity, internet, etc. these days. You should always have a plan B ready, and also map processes that can be used to bridge the gap.
The thought that you wake up tomorrow and hear the name of your own company in the press, that it has succumbed to an IT security problem that you did not have under control or, worse, did not recognise, would give me sleepless nights.
7. What are your 3 go-to-sources of information when you are stuck?
On the one hand, my network of international colleagues from various fields.
On the other hand, sources like thehackernews.com and the Cybersecurity Framework from NIST.
Last but not least, of course, direct contact with manufacturers and service providers in the IT security sector.
8. What are the 2 pieces of career advice you would like to give to people who are just getting out of university and are interested in a career in information security?
Here I can share the following two important points:
- One should always be open to new topics; the wheel of learning never stops turning. One should also learn the ability to make risk-based, business-oriented decisions – and of course to execute them.
- And the idea that there is never just one right solution. My goal is to find the best solution for today, but never stop looking for a better solution for tomorrow.
9. Lastly, what do you do in your spare time and how do you like to relax?
In my free time, I spend a lot of time in nature, be it hiking in the mountains or mountain biking. In particularly hectic phases, however, I also simply enjoy relaxing meditations and a good glass of wine.