Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group with over 20 of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group from personal and physical security to cybersecurity.
The biggest challenge has been to drive a new mindset into the security teams. At most companies, security teams operate in such a way that they hinder rather than empower others. For example, setting policies in place but leaving the responsibility of security ultimately to the commercial and operational teams. Then, when something goes wrong, they blame others rather than their own practices. This is not how it should be and needs to change. The best way of doing this is having security work directly with the other teams to find a solution where everyone is involved in shaping it. However, this initiative should come from the security teams as they carry responsibility for this.
In most organizations, you typically see CISOs reporting to CIOs. The problem with this is that you are always relying on the priorities of the CIO to accommodate your information security concerns. When the CISO is mostly driven by the agenda of the IT team (ie. the CIO) then the likelihood of failure increases because the priorities of the CIO and CISO are ultimately different. For example, a CIO might want to cut down costs but a CISO will realize this could increase your security risk. To create an effective cybersecurity strategy, you need to be an independent advisor or be on the same level as the CIO or CTO and ideally report directly to the board. This allows you to align the security strategy more independently and adapt to the needs of the company. You need a direct relationship with the board to ensure security is a priority.
When a cybersecurity team is not acting as a barrier to other teams but is instead working together, the business will see an increase in efficiency. It is crucial for cybersecurity to become a business enabler rather than just a pure cost factor. This is what modern organizations have to understand to become successful. Other than that, keeping your infrastructure up-to-date is key. Many of the most successful cyber attacks happen partially because of a missing software update.
First of all, listen to the business and understand how it works. Then you can set up security measures that will really help the business achieve their goals and keep practices safe rather than just providing commercial teams with a security target and writing out policies. This is the most essential aspect to understand: with just a policy you are protecting nobody. Also, make sure to network with your peers and talk about breaches openly so no industry ever falls victim to the same threat twice. From time to time, you might be the first victim but other times you won’t be a victim at all because someone told you about the threat beforehand.
I would say most data breaches come from disruptive security measures. If I only implement procedures that are a burden to people and their productivity then they will obviously try to find a way around them. For example, if a policy required people to change their password once a week you would almost certainly have more people writing their passwords down and so the risks actually increase. Security executives need to focus on security measures that support rather than burden the user. This consequently reduces the number of threats as people are not motivated to find a way around measures anymore.