Cybersecurity ist Chefsache – Der Podcast! with Simeon Mussler

Intro: Cybersecurity is a matter for the chief. Take control of digitization and cybersecurity! This is the place where all experts from the industry come together to discuss their experiences, the latest topics, and practical applications of and with the expert in digitization and cybersecurity, Nico Werner.

Nico Werner: Hello and welcome to a new episode of “Cybersecurity is a Matter for Top Management – The Podcast!” Today with Simeon from CyberCompare. Hi Simeon, how are you doing?

Simeon Mussler: Hi Nico, I’m very excited to be here and looking forward to a good discussion with you.

Nico Werner: I’m particularly pleased for those who are not yet familiar with Bosch CyberCompare. In my previous position, I had a lot to do with you and perceived you as something like the Check24 of the cybersecurity world. I was also involved in many tenders at that time, so I find it fascinating to see how your company has developed. Today, we have an interesting and rather rare topic in this podcast series. Our community couldn’t agree on which topic to discuss. We had three exciting options: the opaque security market, the topic of OT and IT security, and the topic of CISOs under pressure. In fact, all three were equally rated. As a guest, I now have the honorable task of deciding which topic we will address. Since the opaque topic of the cybersecurity market particularly appeals to me and I have gotten to know you in this regard, I suggest we start with this one. However, before we begin, could you perhaps briefly introduce yourself and explain the role you play at Bosch CyberCompare?

Simeon Mussler: Thank you very much! Yes, I had to smile when I saw the tie with 33 percent for all options on LinkedIn – I think that’s good. Of course, we can also look at the other topics; all three are interesting in my opinion. A little about myself: I’m Simeon, started as a production engineer at Bosch and brought automation technology and new machines into the Bosch plants. Over time, I also dealt with the topic of OT and OT security, so to speak as a lateral entry. After a period in consulting, the opportunity arose to build up CyberCompare within the Bosch Group, which was then still small but has since grown significantly. That’s what we did, and we have been working on it for two and a half years now. My daily work consists of unraveling the jungle for our customers. This includes the classic procurement of security solutions, i.e., comparing offers. Of course, there are also cross-cutting issues. In addition, I am responsible for part of the marketing, but always as a team effort. But I would estimate that about 60 to 70 percent of my time is spent on customer projects, quite traditionally.

Nico Werner: If I may pick up on that – that’s how I got to know you back then. In my previous company, you took on the task of organizing the opaque security market. Your initiative provides companies with the opportunity to tackle challenges in cybersecurity and find suitable partners. You act as a mediator between companies with specific requirements and partners in the cybersecurity sector. This reminds me of comparison websites where you search for something and can ultimately choose a suitable provider. What fascinated me particularly back then was that you approach this very technically. Even though I can’t go into detail about customer projects, I was impressed that you even conduct tenders. Is that the reason for your impressive growth in recent years? What, in your opinion, makes CyberCompare’s success story, apart from not just being a classic intermediary but also being technically engaged?

Simeon Mussler: We believe that the crucial point lies in the added value for the customer. In the age of comparison platforms, there is already the possibility to compare at a higher level. Our approach may not seem revolutionary by simply putting products side by side, but our goal is to find the best or the best value for money for the customer. We always take into account the individual needs and existing infrastructure of the customer. The cybersecurity market is evolving rapidly, leading to improved defense mechanisms, but also increased complexity and fragmentation. In comparison to other sectors where there is more transparency, the cybersecurity market poses a challenge. Especially for upper mid-sized companies (the German Mittelstand) with 2,000 to 3,000 employees, our most common customer size, this proves to be complex. Often, this segment only has one to three people who can deal with IT security and do not have the full market overview. Our approach is to unite these two worlds: understanding the market and guiding the customer through the entire decision-making process, both technically and commercially. Together, we identify the best possible solution for the customer. Originally designed for mid-sized companies, we have found that our approach also works for larger companies. They appreciate not having to handle the implementation themselves, especially since cybersecurity is often renewed only every few years. With multi-year contracts, it is not worthwhile to build up expertise internally. Therefore, our approach is not only effective but also efficient.

Nico Werner: Recently, we’ve all noticed that the market, especially in the OT sector, has grown tremendously. Considering this, where do you currently see the biggest challenges for companies? You’ve already emphasized that you focus on being there for your customers and providing solutions. Specifically, where do you see the hurdles in this dynamic and opaque market?

Simeon Mussler: In the rapidly evolving information security market, there are numerous challenges, some of which are not to be underestimated. A fundamental aspect is the need to maintain proven procurement hygiene. Comparable offers should be obtained, and companies should compete with each other, similar to what is practiced in other categories. Often, there is a tendency to be familiar with a product and, based on that, create a specification sheet, which, however, severely limits the scope of solutions from the outset. Another crucial factor is understanding the market and adapting to various distribution models. Especially in the realm of reseller structures, it’s important to create an effective competitive situation. The diversity of distribution models and structures requires careful consideration to ensure that the selection meets individual needs and requirements. The distribution structure of solutions, including managed services such as Security Operations Centers, is often based on long-term partnerships. Although trust in the security industry is crucial, it should not serve as the sole criterion for selecting services. A comprehensive comparison is essential to ensure that the solution is based not only on trust but also on efficiency and individual requirements. Finally, it should be noted that a considerable amount of resources is invested in marketing and sales. These expenditures often focus on a small group of customers, which is not always ideal for efficiency reasons. We consider it relevant that resources are used effectively. Money should be invested in product development to offer innovative solutions, rather than putting it into an inefficient sales process.

Nico Werner: You’re speaking my mind. In the security sector, it often feels like we’re playing bingo – sometimes artificial intelligence is the hot topic, sometimes it’s other emerging trends. It’s really difficult for customers and companies to keep track and find the right advice or solution partners. How can a company decide if a provider is good or bad, if they fit or not? The security market shows that it’s enormously lucrative. We all know that many positive developments are happening, even within the framework of laws. But we’re aware that the actual number of security issues is much higher than what is publicly known. What’s even more concerning to me is the fact that some try to profit from the fear of others. They exploit these fears to make money in a way that is not recognizable to those who need help. That’s one reason why the security market often feels like an opaque jungle. There’s a lack of transparency, and that’s why I find the approach of neutrally approaching the search for solutions very interesting. In the end, we all want our share of the pie, that’s clear. But the central question is: What’s best for a company? And from that perspective, I see it the same way.

Simeon Mussler: I believe it’s about creating transparency in both directions. On the provider side, cooperation works well with us because they know they are in competition with each other. This leads to them wanting to position themselves better but also to think clearly about what the customer really needs. It’s inefficient if a salesperson, for example, tries to sell a SIEM solution that the customer doesn’t actually need. Therefore, we often use a concept we call “neutral target definition” upstream. So, in projects, we ask ourselves: What does the customer really need? Let’s take the example of Managed SOC. Which solution fits the customer best? Is the customer an enthusiastic Microsoft user with Defender? Then a Sentinel solution might make sense, possibly supplemented by 24/7 monitoring. Or is it a company with high decentralization and strong regulatory requirements that wants its own SIEM solution but also needs a Managed SOC solution? Or perhaps the customer has only a small security department, limited budget, and only needs a log collector for data transmission and evaluation of alerts with action recommendations. This upstream concept significantly reduces complexity in the tendering process. If every manufacturer tries to speak directly with the company, it becomes overwhelming and possibly inefficient. Therefore, it’s important to make these preliminary considerations to simplify the process for all parties involved.

Nico Werner: Do you think that your focus is not only on matching Partner A with Customer A, but rather on focusing on preparing both sides? I got the impression that you take the time and also offer a kind of consultation to ultimately achieve a good result. My first impression of your team was that you’re not just superficial workers, but actual experts like yourself who are knowledgeable in the field. You conduct analyses to understand how best to approach the topic and don’t just take the classical route of simply facilitating from A to B. At least, that was my impression back then.

Simeon Mussler: Exactly, that’s very specific. When a customer says they’re at the beginning of their journey and don’t have a clear idea, we start with the basics. I think that’s part of our service, and by now, we can handle it efficiently. In the consultancy field, it always sounds like it would take 20 days just to create a concept. But typically, we need one to three workshops to create the necessary clarity. It’s not productive to define every last detail; rather, it’s about clarifying the points that will later serve as differentiators in a comparison of offers and in a tender. For example, with a SOC, I can ask if it’s available 24/7. That’s important, but even more important is understanding how it works and what it exactly does. How many analysts work per shift there? How well is the SOC compatible with my endpoint solution? What experience does the SOC have with such solutions? Such details are of great relevance. We focus heavily on these differentiators because they are efficient to work with and help us understand the customer’s needs. Our goal is not just to present a good offer but to select a partner who not only convinces in terms of value for money but also offers high chances of success for the project. We use feedback from existing projects to increase these chances of success. Ultimately, we can’t actively intervene once the project is running, but the groundwork and discussions we have beforehand help us increase the overall project success. Our goal is not just to get a good offer but to maximize the overall project success.

Nico Werner: Regardless of CyberCompare, what advice would you give to our listeners – some of whom might also be potential customers or interested in this topic – what fundamental tips would you recommend to navigate this complex field? Based on your experience with customers, what basics would you recommend to provide some guidance in this jungle?

Simeon Mussler: There are two aspects I would address: cybersecurity and procurement. In the procurement process, I believe it’s important to adhere to basic principles by obtaining comparable quotes, disclosing results, and putting comprehensive effort into creating the specification sheet. It’s crucial to gather quotes from different providers and compare them, which is often overlooked. In the field of cybersecurity, the starting point is often a risk analysis, weighing organizational and technical measures. An emergency plan is always important. When it comes to technical aspects, an EDR (Endpoint Detection and Response) solution would be state-of-the-art nowadays. A mandatory penetration test should also be conducted regularly. Subsequently, company-specific aspects need to be considered, such as dealing with OT (Operational Technology), critical infrastructure sectors, and other individual requirements. Finally, I believe that both organizational and technical aspects are of great importance. One should not leave any vulnerabilities open by investing, for example, in technical solutions like NDR (Network Detection and Response) or SOC (Security Operations Center) but at the same time neglecting fundamental aspects such as employee awareness, ISMS (Information Security Management System), and emergency plans.

Nico Werner: What I find particularly intriguing, and what I’ve also noticed through my experiences with various companies, is the topic of tenders. Often, due to their size or procurement guidelines, companies must conduct tenders, which is a central concern. As you’ve mentioned, for instance, the specification sheet is an important aspect. When a company wants to tender for a SIEM or a SOC, a Proof of Concept is crucial to me. Without it, it’s difficult to understand the framework. Here often lies the problem in cybersecurity: companies must tender, but they often lack both the expertise and the understanding of how to do this effectively. This is often reflected in the tenders, where, as an expert, I frequently notice that some proposals cannot be submitted in good conscience. Either because of high risks or because it becomes clear through the tender that the proposed solution cannot work as suggested. This often leads companies to resort to service providers who advertise and offer help, but may not focus on the consultancy aspect or actual solution capability. Here, I see many issues in the cybersecurity market, especially in dealing with specification sheets, where difficulties often arise.

Simeon Mussler: It’s absolutely right that a Proof of Concept makes sense in hindsight, but it also requires a certain level of expertise to manage it. You need to know which scenarios are relevant for such a PoC. That supports your statement, and I don’t see it as a contradiction but as a complement. Two other aspects to consider are the offer structure and the issue of log volume, especially in SOC or SIEM tenders. It’s often difficult to answer questions like the required log volume, especially if you don’t have an existing SIEM. These questions often lead to repeated discussions and uncertainties, which are both frustrating and inefficient. It surprises me that in 2023, we still have to work with the same questions. In my opinion, this shouldn’t be the case. A PoC remains important to determine if a solution actually works. However, there are technical questions that often go unnoticed. For example, there are providers who don’t offer a PoC or impose contract penalties if you want to terminate the contract prematurely. Instead, we try to make agreements that allow for early termination, similar to a PoC. This flexibility is important to decide if the solution actually fits.

Nico Werner: So essentially, you practically support your customers in formulating their tenders. This means you bring in your expertise to show how to handle such situations, as you just mentioned. If a provider says there’s no PoC, you can include that accordingly in the tender to avoid unpleasant surprises in the end.

Simeon Mussler: Exactly, the more precisely you define it in advance, the more room there is for negotiation. The original offer is often negotiable, you can still get a lot out of it. But it’s mainly about comparability. This is often the first point where offers fail. If I request different offers but don’t establish comparability, I end up with ten PDF files with many pages of attachments that I have to painstakingly compare. Many organizations can do this themselves, but it requires attention to detail, establishing a solid specification sheet or standards, and then requesting offers on the same basis. When it comes to our handling of SIEM and log volumes, we often use a reference price. We provide our infrastructure and ask the providers how much log volume they can offer for certain capacities. This way, we have comparability instead of ending up in a mess of different figures.

Nico Werner: I find it particularly fascinating, especially the approaches you pursue. Thank you for discussing it in such detail. Transparency is important to me: you haven’t bought me; on the contrary, we decided together to do something like this because I find it fascinating and your company truly interesting. I have worked with you myself, so I also find it interesting for listeners to know what collaboration with you might look like. If I’m a company interested, what would collaboration with you look like? And as a final question: Do you work with everyone? Could I, for example, as a service provider or manufacturer of cybersecurity, approach you? This might be interesting for all those who are faced with the decision: Do I do everything alone, or do I also look at solutions like Bosch CyberCompare?

Simeon Mussler: From my perspective, there are two directions, depending on the customer group and the specific topics. When it comes to simple inquiries such as penetration tests or needing an external perspective, up to more complex topics like OT – be it OT backup, OT remote access, or developing a concept – you are welcome to reach out to us. We have already published a lot in this area and tried to give people a good start. Just visit our website or contact me directly. This approach works very well, regardless of the diversity of topics. On the provider side, it is basically just a matter of knowing what a provider has in their portfolio. These details can be brought to us, as we then act within the framework of the tender. Our expertise lies not only in the tendering process but also in market knowledge. Based on this, we typically propose a list of providers to our clients that we have already preselected. To enable this, we naturally need to have a broad knowledge of the market. So, if there hasn’t been any existing relationship or contact, don’t hesitate to reach out to us directly. It is highly likely that we have at least some knowledge of most providers.

Nico Werner: Thank you very much for your detailed insights. It has been really enjoyable discussing this topic. Given the indecisiveness in our poll, I suggest we take the time to address the other topics in future episodes as well. I think today’s podcast was very enriching. My gut feeling tells me that the market is enormously vast and offers enough space for all of us without having to fight against each other. There is enough of the cake for everyone, and it is crucial to satisfy our customers. That should be the top priority – offering them real solutions, not just rushing from A to B and then moving on. I admire what you are doing here. The idea is great, and I wish you continued success in the future. A heartfelt thank you for your participation, and have fun – we’ll hear from you in the next episode!

Simeon Mussler: Thank you, Nico!

Nico Werner: Until then, bye!
