Security Expert Interview Series: Carlos Arglebe
We recently interviewed Carlos Arglebe, who holds the position of Head of Cybersecurity at Siemens Healthineers, a leading medical technology company headquartered in Germany. Carlos previously worked as a Chief Information Security Officer (CISO) for 5 years. Swiss Cyber Institute truly appreciates his willingness to contribute to the Security Expert Interview Series, in which Carlos discusses communicating an ROI for security investments to other stakeholders, the shortage of cyber talent in Europe, and further topics. Enjoy the full interview below; we promise it will be insightful.
1. Firstly, thank you for taking part in this campaign, Carlos. Can you tell us about your professional background and areas of interest?
Thank you for having me. I am honoured to be part of this campaign, as it enables new generations of cybersecurity defenders to join the cause. Creating more interest with insights into this exciting area helps in making personal decisions. The diversity of the job truly amazes me every day.
After my legal education, I jumped on the train of Quality, Regulatory, Risk and Process Management. Healthcare, and in particular medical devices, require strong legal, regulatory, and organizational knowledge in these domains, combined with a strong technical affinity. Each one of us is or may become a patient in need of clinical diagnosis or care. So, the number one interest you have is not to get worse and suffer from a patient safety incident such as receiving the wrong treatment or medication, or being injured by a device, including through radiation.
You want to get well, right? With the growing digitalization possibilities of electronic patient records and other interconnected systems, you want your information to be protected as it’s nobody’s business what you are going through. It is personal. Speaking legal and regulatory, learning business and customer needs, I became a translator, enabling others to apply their specialist skills. Early on, I developed a special interest in risk and change management. I was learning so much every day.
This opened the door for me to enter the security space. First, I was trusted with the CISO role as a growth area for me. Coming from a quality and regulatory domain in healthcare, I quickly saw the opportunity to further connect the dots and grow an integrated and holistic security approach with the company. Information is mainly processed in IT systems across a company and enables the development of wonderful medical devices, which increasingly consist of software. These solutions get deployed, operated and serviced in the environment of healthcare providers to benefit the patients. Security, therefore, became the front line for me to enable patient safety and privacy.
Today I am honoured to be a member of the global community of cybersecurity. The cybersecurity responsibility now includes Information Security and the Security in Products and Solutions. It is a highly collaborative task to guide and enable security across the company and the full supply chain. Early on, I never knew this job existed. Following my personal interests as an enabler and as a risk and change agent has taken me where I am today. I feel I have grown with collaboration in teams, not with titles.
2. You have been in security-focused roles for over 6 years now. In your recent years as a Head of Cybersecurity, what are, or were, the biggest challenges in the role?
This may sound funny, but my biggest challenge is to make cybersecurity understandable for others. To achieve this, I need to understand the diversity of this domain to make it part of everyone’s responsibility. Cybersecurity is part of so many areas and is highly relevant on all levels of the organization and even of society. Cybersecurity is not new, as it is based on general security controls and needs that existed long before the Roman Empire. Information has always been the fuel for growing and emerging societies.
As security can no longer be seen as something isolated or an area for specialists only, we rely on everyone’s contribution to secure operations. At work, at home or on the move. Making cybersecurity part of everyone’s priority is a key challenge, as people already have so many priorities they need to focus on. So, it comes across as “cyber is competing with the others”. Bolted on or simply put on top. Sometimes as a last consideration. That is not meaningful, effective, or sustainable. After all, cybersecurity relies on the inclusion of people, processes, and technology.
Then there is the challenge of shifting the security framework from policy- and compliance-centric (security gets approved) to a common-sense approach. “Tell me what I need to do to get this application approved” is a question we often heard. Well, we do guide and enable to protect the individuals and the organization, but this requires more knowledge about security across the organization and the supply chain. We are working with great experts in IT and R&D. Most are focused on getting things going and making the functionality operational.
What we still need to develop is the curiosity and the ability to see what can go wrong, and to know how to shut down a system, process or infrastructure to prevent further damage. The bottom line for my major challenges is to enable people to understand the risks, take the right actions and embrace cybersecurity as an opportunity that protects them, their community and their loved ones.
3. According to you, what are the top skills, both technical and soft skills, that are greatly needed as a Head of Cybersecurity?
I am still learning. Every day. Resilience requires an ability to listen, learn and adapt to the changes we are exposed to. As head of cybersecurity, I need to be trusted. Trusted that I understand the needs, know about the risks and threats, and can help enable others to mitigate and hopefully avoid them. The title and authority are worthless if the trust is not earned on a daily basis.
In my role, the technical knowledge grows over time and is required to connect the dots. Technology certainly is key. However, I rely on trust and respect the technical experts who enable me. We are not competing in knowledge and abilities. We are a diverse community that learns from different backgrounds, experiences, and perspectives.
My main required skills are communication and change management. Legal education has enabled me to think and act in systems. Fixing issues or firefighting will not cut it. A systematic approach is needed to identify and remove root causes. Preventing occurrence or recurrence, together with people. That is rewarding.
4. What is the biggest misconception about being a Head of Cybersecurity?
Knowing it all. A technical geek that breaks into secured networks with a smartphone. Being in full control and working in a multi-mega-display control room, acting a bit like M or Q in a James Bond movie. Sometimes it feels like being in a thriller. But we are in real life. We work with people and instead of knowing it all, we figure it out together.
5. What advice would you share with other security directors and CISOs when it comes to communicating a ROI for security investments to other stakeholders?
That is a good one. For security, the ROI can be calculated with sophisticated scientific formulas. Objectively it may all make sense, still, it may not be convincing. In cybersecurity, there are many ways to achieve the expected protection. So, I need to understand the risk appetite of the organization first.
Then, I try to make the case for the investment by highlighting the gap. Meaning the impact of the absence of the investment. Having no people for this area, or not focusing on that topic, equals risk. In other words, when stakeholders understand the need, they come along.
But it’s a journey, as in cybersecurity we need to grow the people and technical capabilities across the organization and not just in a central team. Use risk management as your language and method to support decision making with your stakeholders. Make sure you enable them to fulfil their responsibility with secured processes and services.
6. What are the most important steps for small and mid-size businesses to build the first line of security?
The first line of security is the people. Their actions determine the protection level. What they do and how they do it makes a big difference. We like to see people as our immune system in digitalization. In addition, we need to create an environment of trust and learning. That is easily said, as very often in security incidents we quickly see fingers being pointed and the guilty ones identified. People want to do the right thing. Learning, appreciation, reward and development are important to have them engaged as the first line.
Creating a risk framework that considers the nature of the business, the supply chain, customers and the market requirements is essential as it is the compass needle for all in the company. This way they can make the right decisions and support the business strategy.
As a third step, I am a big fan of transparency. A meaningful reporting system that gives transparency on the most critical risk areas. What you cannot measure you cannot improve, right? So start measuring the basic hygiene factors in your organization, starting with assets, patch level, exceptions, training, etc. There are many great examples out there. Translating them into your organization, regardless of its size, is important.
Embracing the fact that cybersecurity is not an IT topic only, but instead, a strategic priority that requires all to contribute creates a solid first line of security.
7. How big is the shortage of cyber talent in Europe? What else should organisations be doing to find the right candidates to fill cybersecurity vacancies?
Very big. Finding the right candidate is hard. This is not only due to the lack of skilled people, but the people with skills may not see themselves “doing cybersecurity”. We have great potential in many areas that can grow into the cybersecurity domain. What I have learned in the past years about this fascinating area is that there are many standard jobs and required roles. But many really differ and can be developed accordingly.
As a young job family, we need to have the courage and bring in people with talent and make this an area of personal growth. Organizations should invest early in establishing and growing talents. Sometimes you need a top expert from outside, but the real heroes here are the talents inside the company that understand and protect the business from IT support, customer support, software development, training, communication, etc.
For this purpose, every organization needs to have a clear picture of what everyone needs to have, maintain a clear job family and develop a plan for cybersecurity. Where possible engage students, trainees or directly universities. This provides great opportunities throughout the year and reduces the pressure when one position needs to be filled or back-filled quickly.
8. How do you stay up to date with industry news and updates regarding information security and technology? Feel free to share the sources and websites with us.
My favourite source is the people. They forward me information about a specific hack, vulnerability, problem, social engineering case, etc. This keeps me connected to them as they share with me what they see. For that purpose, we have created an internal social media channel where people want to participate, share and learn.
All sorts of news channels are valuable to me, and I use internal news monitoring lists to learn about geopolitical, regulatory and technology-related changes. External sources like the news from the vendors, CERTs, CISA, FDA, ENISA, BSI, FIRST and others are extremely valuable. For us in healthcare, access to threat intelligence is very important, and we are a proud member of H-ISAC, which does a great job in fast analysis and distribution of sensitive information. In addition, I find the information provided by the CyberPeace Institute valuable for me.
I have accepted the fact that I cannot know everything in a fast-developing environment. Taking time to learn and absorb information is key for my role and it feels like travelling on a massive river that sometimes is calm, then fast and even has some surprising whitewater sections. I just need to stay on course and in the flow. There are many reliable sources that empower me with information to generate trust across the information. Time and context matter. Again here the people help me to stay on top of information, timing and context.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.