We welcome Christoph Peylo, SVP Digital Trust at Robert Bosch GmbH, as a new CyberCompare Advisory Board member. In the following interview, Christoph takes us back in time to his physics class when he, upon laying eyes on an Apple computer, decided he wanted to gain a good understanding of IT. After experiencing his first culture shock in the form of a cyberattack, he learned to no longer take updates and patches lightly. Since then, the cyberspace has continued to develop – cybersecurity protection measures, Artificial Intelligence (AI), and the Internet of Things (IoT) play an increasingly important role in the cybersecurity market. And, a cyberattack can also be directed at a non-networked target.
Christoph, you have enjoyed a long career working in various sectors. What was your first experience with a computer and was there anything that happened during that time that you look back on fondly?
My first interaction with a computer was really like experiencing a whole new world. Our school had just gotten two brand new Apple (IIe) computers and our physics teacher allowed us (as a sign of doing us a very special favor) to take a look at them. And there it was. In the physics prep room: A brand new Apple IIe. With a green blinking monochrome display and friendly wording prompting the user to insert a floppy disk. I thought, “Wow! How did it know to do that? How does that work?” The mid-80s was that time when people-machine interaction consisted of knobs, switches, push buttons, or sliders – very sophisticated. And that’s when I made two important decisions: I’m going to have one of those, too! I’m going to understand how it works!
Security is just one of many topics. What are you and your team currently working on?
Maybe I need to quickly mention how I got into security in the first place. A system that I was responsible for was hacked. That was really kind of a culture shock for me. Luckily, nothing major happened. I was online at the time and so I was able to basically track what the intruder was doing. When they wanted to start uploading a compiler in order to compile some suspicious material, I kicked them out. Ultimately, we set up an entirely new system. And you know how they got in – through a vulnerability that we hadn’t patched right away. Since then, I take updates and patches very, very seriously.
What was keeping me busy then is something that is keeping all of us busy, still today: We want to ensure the security, resilience, and reliability of our products and services – the internal ones as well. And we want to do it with the least possible restrictions and inconvenience to our customers, partners, and colleagues.
As far as security is concerned, which aspects are particularly a challenge at Bosch in your opinion?
Actually, typical IT security was already difficult enough. When we talk about security in cyberspace today, it has taken on completely different dimensions. Today, you can’t really completely separate networked and non-networked systems anymore – a cyberattack can also be directed at a non-networked target. That’s how, for example, you can spy through the camera of a hacked smart TV to observe someone entering the combination to open a typical safe. Increasingly more things have an identity in cyberspace, but also in the natural world. Cyberattacks can also have great impact on the non-digital aspects of life.
What technical developments in the areas of IT or IoT security do you think are interesting?
I believe artificial intelligence is incredibly exciting, which is why I’ve also taken a closer look at it. While incorporating artificial intelligence into everyday products is in many aspects absolutely positive and desired, it doesn’t make it any easier to ensure security, resilience, and reliability. Luckily, AI can also be used to protect products and reduce complexity – which is also very helpful.
Are there any stocks of security providers that you would buy or short?
It’s probably better if I don’t say anything about that. The usefulness of my investment strategies as a guide would be very limited.
In your opinion, is consolidation in the security provider market likely? Will Microsoft, Google, and other big players be unbeatable in the future, maybe also because they will be able to use most of the data for optimizing security algorithms, such as for detecting anomalies?
In the organizations mentioned, there’s really lots of security know-how and expertise. The question is more whether the portfolio of a company really covers all its requirements. If I can really get all the services I need from the cloud-based products of a provider, then I am not only able to “outsource” my IT, but my security as well. I don’t know many companies for which this would be a feasible approach.
Overall, increasingly more budget is being spent on security, but at the same time, there is a rise in the number and severity of attacks. Do you have a perspective on this? Could a ban on ransomware payments or trade using cryptocurrencies be a potential approach?
With professional attackers, we’re basically dealing with the dark side of digitalization. Unfortunately, they are equally capable of applying scalable platform and service models that enable growth at very low marginal costs. I don’t think that bans, which are also difficult to enforce internationally, show much promise. Security measures that negatively impact the scalability of attacks are especially successful. If the costs per attack were higher, we would also be dealing with fewer attackers.
What misstatement or half-truths about cybersecurity do you hear over and over again?
That cybersecurity is simply a new word for IT security. Whoever says that still doesn’t truly understand the context in which we’re operating.
If you could send an e-mail to all CIOs and CISOs around the world, what would be your key message to them?
Cybersecurity starts with the software development and also involves system’s users. One key challenge is complexity and the abstractness of digital products and services. Humans are better equipped to deal with the haptic dangers of the world. This doesn’t apply with poorly maintained, unpatched systems, passwords written under keyboards, and insufficiently tested software. The better those risks and dangers are spelled out and made understandabl
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.