‍The following is an interview we had with Matthias Muhlert, Chief Information Security Officer based in Germany. Matthias has 20 years of diversified experience in developing and implementing information security processes as well as leading information security governance programs, now seeking the opportunity to provide leadership and strategic development for information security services within an international organization. Now enjoy the full interview below.

1. Firstly, thank you for taking part in this campaign, Matthias. Can you share a little bit about yourself and how you got into information security?

It is my pleasure and thank you for the questions: I would consider myself as a dedicated and qualified IT Security Professional with a consistent track record of success spanning over 20 years of diversified experience developing and implementing IT security processes as well as leading Information Security governance programs.

As of late, my expertise lies also in identifying and mitigating security risks by conducting comprehensive business process reviews and developing appropriate plans and solutions to meet the highest of protection standards. So, in short: started with IT security (building and breaking it) and develop further into information security and cyber risk management.

2. As we noticed, you a were currently serving as an internal as well as an independent virtual Chief Information/Cyber Security Officer. What notable information security challenges have you overcome in those positions?

Security challenges in my opinion are not really changing that much. However, it must be clear to oneself, that the security challenges are of different importance for different companies. So, for example, if you work in the banking industry different security goals must be derived from the company goals than for example in the automotive industry. The main idea must always be understanding the company’s strategy and goals before you derive your security strategy and goals.

That is why – from a security governance perspective – I am now always going in the direction of an adaptive Information Security Management System (ISMS) to allow even within a company to have different security prioritizations and measures. A development department, the HR department and the sales department do all need a base level of protection, but it should be possible to individualize according to the specific needs of that department.   

3. Based on your experience, what are the most difficult upcoming security issues? IoT attacks? Cloud attacks? Blockchain and cryptocurrency attacks? Insider attacks? BYOD policies?

To be honest, the most difficult upcoming security issue in my experience is the same as it has been for quite some time now: complexity! Information security, on a principle level, has not changed much: Know where your crown jewels are, know who can access them and be able to prove the correctness of that. But what has changed dramatically is the complexity. All the things you mentioned are happening – from a timing perspective – in parallel.

Combined with interdependencies that are hard to comprehend and therefore increase the complexity to a vast extent. So, we do what we can and build for all these things different strategies, security architectures and processes (a tip here: try to reduce to one architecture). And this is an upcoming security issue and will stay so for quite some time. A simple example: let us imaging a software company being famous for one major product. To sell the same product we need to add to its functionality, otherwise, no one will buy it.

So, we add code and functionality, which is all changing (most of the time decreasing) the security posture of the product. Why do we seldom hear from bounties for reducing the code and securing it but only focus on the bug bounties?

I guess what I am trying to say is: All the topics you mentioned can be dealt with utilizing the right mindset from top management to the developer.

4. What are the most common misconceptions that you believe businesses have about information security?

Unfortunately, I would say, that information security is still seen as an IT topic. Let us look at information security in three parts: People, Processes and Technology. Only the latter is mostly dealt with by IT (Security). A lot of companies – also due to the last 2 years – are focusing on digitalization. Information Security must be the foundation of such an undertaking. However, it is mostly only thought of it in technical terms and must therefore run into a lot of hiccups and, therefore, security issues.

5. How can organizations adapt their security to be ready for novel malware attacks? Please walk us through your top recommendations.

First of all: Start with the goal of Cyber Resilience. Most important step!

As many people understand that differently, I will give my definition here:

Cyber Resilience should include the whole company with the aims of:

1. to prepare for and adapt to changing conditions (meaning legal and technology)
2. withstand and recover rapidly from disruptions
   
   

Once this is established throughout the company, the following security axioms must be understood and incorporated into every design of a security control:

1. An intelligent attacker will sooner or later defeat all defensive measures
   
   
2. Design defense to detect and delay attacks so you gain time to respond
   
   
3. Put layers in your defense to a) contain attacks and b) provide redundancy in protection
   
   
4. Use an active defense to trap and repel attackers after they start, but before they succeed
   
   

 Afterwards, it should be a simple execution of your cyber security program:

• Obtain support of the Management Board
  • Making Information Security a strategic topic
  • Transferring the competencies to the responsible
  • Granting enough resources
    
    
• Treat implementation as a project
  • Cyber security program implementation is a complex issue involving various activities and people from different departments
    
    
• Define the scope
  • Define the Legal Entities to be in Scope
  • Define the organizational parts of the Legal Entities in Scope
  • Define the Processes to be in Scope of the organizational parts
    
    
• Design the key areas of the Cyber Security
  • Define Key areas including objectives of the Cyber Security Plan
    
    
• Design the controls supporting the key areas
  • Define controls including capabilities for each key area
    
    
• Assessment of the key responsible and stakeholders
  • Identify the main stakeholders in your organization
    
    
• Determine Status of key areas and prioritize
  • Determine together with the responsible and stakeholders the status of the key areas using a risk-based approach
    
    
• Determine project organization
  • Set up and organize a project management approach
    
    
• Agree on Road Map
  • Define the responsibilities, milestones, work packages, and time schedule

6. There is a serious worldwide deficit of skilled security experts. Why is this?

Short answer: I do not know.

Also, one could simply ask if there is one? And how does it differ from other STEM disciplines related workplaces? Is there not also a shortage?

I think this is such a complex topic, involving not only the security community but organizations, governments and society, and there will be vastly different experiences on this. For example, last year the CISO position from Adidas was vacant. The job advertisement was taken offline after six days because the number of people who applied for was absolutely too much to handle. Then, on the other hand, you have job advertisements being held open for a year for certain companies and certain positions.  

7. What does this workforce shortage mean for our future if nothing more is done?

Actually, I do not try to focus on such questions. So, I more focus on – from a CISO point of view – what I can do. Basically, I started to rethink security and related processes on different levels:

1. Do I need this process?  We are not really good in stopping things but continue simple “because”
   
   
2. Can I establish a dynamic hiring process, where people will be placed, ranked and ultimately paid according to there performance in the interview/engagement phase? And not if they simply fit a job description with a fixed budget.
   
   
3. Can I engage with educational centers / universities to therefore engage with students?
   
   
4. Can I establish a “API” based security function, where mundane tasks are automated (and also sped up) freeing up time for the security personal to focus on interesting stuff?
   
   
5. Can I establish a “Do what you want to do day”, where people can more or less do whatever they want to with whomever, under one condition: Come up with a presentation the next day how to improve something or really anything!

8. What is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in information security?

SIMPLY DO IT!

This is of course such an individual question, that can only be answered individually. But from my experience, Information Security offers such a large range of jobs, tasks, responsibilities, experiences for almost every type of character. You want to deal with tech: Information Security has you covered! You want to deal with people: Information Security has you covered!

You want international opportunities: Information Security has you covered! You are an introvert: Information Security has you covered! You are an extrovert: Information Security has you covered! You want lifelong learning: Information Security has you covered!

So, go out, an experiment with Information Security and experience it. You will most likely not regret it and the skills, that you acquire there, can also help you in other fields and in your private life as well.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.