Dr. Swantje Westpfahl, Director of the Institute for Security and Safety, about security consulting

We spoke to Dr. Swantje Westpfahl about security consulting and training.

Dear Dr. Swantje Westpfahl, how would you describe Institute for Security and Safety GmbH in 3 quick-witted words?

Forward-thinking, effective, passionate

Please introduce yourself briefly and tell us something about your background.

I am the Managing Director of the Institute for Security and Safety and VICCON GmbH. I previously completed a PhD in the interdisciplinary field of linguistics and machine learning. I have experience in a variety of scientific methods, in the coordination and organization of research and educational projects, in consulting and analysis of processes as well as in capacity building. For years I have been giving lectures, seminars and webinars on various topics in the field of cybersecurity with a focus on security culture, regulation, BCM, AI and cybersecurity in international relations.

What distinguishes Institute for Security and Safety GmbH?

Through our involvement in international committees and cooperation with Mannheim University of Applied Sciences on the one hand and our strong involvement in industry projects on the other, we stand for the transfer of cyber security expertise into practice. Our interdisciplinary team brings a wide range of knowledge and a holistic view of cyber security topics to the organizational structure and thus works not only in a customer-oriented but also future-oriented manner. We pursue a holistic approach: comprehensive assessments of security culture, processes and management of information and cyber security at various locations, as well as consulting and training. One of our strengths is that we act as a translator between different departments within an organization, effectively advising companies on their security issues and thus building bridges between departments, people and different specialist areas.

How does Institute for Security and Safety GmbH help organizations?

We support companies on three levels on their way to greater security:

– Through security assessments, which analyze the status quo of security management in the organization on a technical, organizational and human level;

– Through cyber security training, i.e. customized, target group-specific training and further education, awareness measures and crisis and emergency drills;

– And through security management consulting with a focus on information security management systems (ISMS), business impact analyses and business continuity management (BCM), i.e. through customer-specific process support in the implementation of risk and information security management in the company.

What do you see slightly differently from prevailing opinions in the field of cybersecurity?

In my opinion, cybersecurity is mainly about communication: we need respect and mutual understanding in order to close security gaps together. By taking a holistic approach that considers all employees in a company, we can realize security efforts at different levels: in management, in the technical area and in the behavior of the employees themselves. In my opinion, it is only through transparency, respect and communication that we can achieve acceptance and support from all employees for technical cyber security measures and processes. This is the basis for building a security culture.

In your opinion, which security tool categories are over- or undervalued? For example, would you invest in an NDR or an EDR system first?

In my opinion, compliance is overrated and a genuine security culture is underrated. By this I mean that all areas are recorded, systematically analyzed and processed: company processes, technical processes and human behavior must be given equal consideration. In order to embed security deeply into the organization and thus effectively ward off cyber attacks, it is worth not only complying with regulations and taking out insurance, but also establishing strong risk and security management.

What’s next – what’s on your technical roadmap, what are your plans?

We would like to conduct research in the field of forensics to detect manipulation by AI applications, as AI makes a lot possible and can therefore also cause a lot of damage. To this end, we are already giving a number of presentations on AI security, hacking tools, HackGPT and WormGPT to raise awareness and at the same time demonstrate the possibilities of AI for cybersecurity issues.

If you could send an email to all CISOs to address a security issue, what would you choose?

The security issue I would address would be the current geopolitics surrounding industrial espionage, which also impacts our security policy. I would inform people that nowadays there is no geopolitical event that does not affect us and our risk management. Our world is more digitally and analog networked than ever before. We should therefore not only keep an eye on the impact of international events on our supply chains, but also consider the significance of specific events for individuals in the company and how this can affect the company.