Information & cybersecurity: challenges, developments & recommendations

Michael Reiter

Michael Reiter is the CISO and Vice President for Security and IT Infrastructure at Rolls-Royce Power Systems AG, a leading global manufacturer of propulsion and power generation systems. He has 25 years of experience in information and cybersecurity. As an ISO 27001 Lead Auditor, he has audited corporate ISMSs. He was also a founding member and leader of the UP KRITIS industry working group and a driver in the development of the industry-specific security standard (B3S). In the following interview, he looks back at his long and extremely successful career in information and cybersecurity. He talks about particular challenges, the current security landscape, potential in the OT and IoT environment, and the connection between the spread of cryptocurrencies and the increase in ransomware attacks. His core message to CEOs is “Security is a success factor in the digital future”.

The interview was conducted at the end of 2021.

Michael, you have enjoyed a long, extremely successful career in information and cybersecurity. What specific challenges have you encountered along the way?

Certainly, one of the biggest challenges has been to make information and cybersecurity less of a topic for “IT nerds” and establish it as a serious business and social issue. And a lot of progress has been made in the past few years.

Today there’s much more awareness of cyber risks and their potential impact. Just recently, the discussion about weak points in Log4j even made it to primetime in Germany on the Tagesschau TV program. And in the 2022 Allianz Risk Barometer, cyber risk is again listed as THE top risk for companies, after it was briefly knocked from the top spot due to the pandemic.

I see other big challenges, too: the fast pace of technological development combined with the scarcity of content experts and the professionalization or institutionalization of cyberattacks.

Looking back at your own experience, what particular challenges have you encountered in this area? Are there any anecdotes from your professional life that still bring a smile to your face when you think about them?

I have to think for a minute – in my nearly 25 years working in information and cybersecurity, I have certainly had some interesting experiences.

Generally, I have to say that the environment continually poses new challenges, and you have to be flexible and dynamic in responding to them. In my opinion, there’s really no single big challenge. It’s about constant observation, questioning, assessment, learning, (re)acting, and developing further.

I do have to smile when I think about the skepticism and, in some cases, disbelief I encountered among IT colleagues in the past with my security concepts and requirements that insisted on comprehensively shielding systems based on the principle of minimal access – for example, by encrypting and limiting communication even within internal IT infrastructures – using arguments involving both external and internal threats. Today this approach is essentially the standard, as the “zero trust” hype shows.

What are you and your team at Rolls-Royce Power Systems thinking about most these days?

We do business globally – we are active in 175 countries and have customers in 12 different industries – so we and our customers are thinking about many topics. And they are probably the ones that other companies are thinking about, too.

First, there’s the enormous increase in globally successful cyberattacks and the threat they represent, along with the extreme professionalization among hacker groups (just think of Solarwinds or the prevalence of “cybercrime as a service”). Second, there’s a tremendous increase in regulation, both in different industries and different countries.

What security developments do you find particularly interesting from a technical perspective?

I feel a bit torn on this issue. On the one hand, I welcome AI developments and AI integration, for example in extended detection and response solutions. And I am especially happy to see that manufacturers have begun offering comprehensive solutions in this area for different operating systems – for example, by increasingly integrating open interfaces for manufacturer-independent analyses.

On the other hand, I don’t see really big innovations or revolutionary change happening, such as the replacement of unprotected, historically grown technologies like email. In my view, efforts to replace the use of passwords aren’t being pushed rigorously or comprehensively, either.

Rolls-Royce operates its own plants and produces equipment that is connected for purposes such as maintenance. In the long term, should we expect standardization in OT/IoT as well? Will the day come when we only use Microsoft to control machinery?

Interesting question. OT/IoT isn’t just about controlling machinery. I think that the challenge for cybersecurity and resilience has more to do with embedded systems, OT/IoT-specific protocols and interfaces, software integration into modern security technologies and its resilience in conjunction with them and, finally, supporting a full life cycle over 15 to 20 years. I see some positive developments in this area, but many unanswered questions remain.

I don’t anticipate that all OT/IoT security measures will be implemented with the same solutions or manufacturers/providers used for enterprise IT, either in the short or long term. The requirements and general parameters (e.g., safety concerns) are just too different.

What I can imagine is companies monitoring protocols and incidents or keeping inventories of OT/IoT assets via existing standard interfaces. In some cases, classical players are launching solutions or modules like these right now.

Each year companies normally implement new security measures and can choose from new solutions. To turn a typical question around: If you had to stop one security action you currently take, what would it be?

This answer might be surprising at first, but I would eliminate all written guidelines, standards, and directives.

Please don’t imagine that I think an ISMS/CSMS isn’t valuable or necessary – quite the contrary! But for some time now I have realized that companies have amassed so many different guidelines, standards, and directives that no single person can even be aware of them all, let alone read them and comply with them.

I would like to see a modern, cutting-edge technological solution for this problem – one that has been rethought from the ground up. I have a few first ideas myself, but (for now) I’m keeping them for us! 😉

What’s still missing in the security landscape today (if anything) and where is the market already saturated?

Oh, I can think of a lot to say in response to both questions.

In terms of manufacturer-/system-independent passwordless authentication, I’m not seeing standardized innovations, widespread implementation, or implementation support (FIDO comes to mind).

In terms of secure communication, what’s missing for me is the switch from email to an easy-to-use solution that is encrypted end to end, analogous to a messenger service. I have been asking myself for a while why a consortium hasn’t had the idea to develop or propose a new IEEE standard based on messenger technology as a way to replace the IMAP(-S), POP3(-S), and SMTP(-S) substructure of email. But maybe it’s more complicated than I think. Anyway, if I have just given the push to start development of a great new innovation, I look forward to owning a share of it 😉

In addition, I think there’s still a lot of potential for specialized solutions and products in the OT/IoT context.

As examples of saturation, I see a lot of good solutions and products – with just nuances of difference between them – for many areas of antivirus/malware protection and threat detection and in the classical network/firewall environment as well. Sometimes one manufacturer takes the lead with its product, sometimes another one does.

Do you see a connection between the spread of cryptocurrencies (like Bitcoin or Monero) and the increase in ransomware attacks?

Absolutely. In the end, ransomware is nothing but a tool for classical blackmail. And we know that the weak point in any blackmail attempt – where there’s a risk of discovery or arrest – is always when the money changes hands. With the spread and acceptance of cryptocurrencies, this risk has nearly evaporated overnight.

In other words, I believe the number of ransomware attacks would drop sharply if cryptocurrency were forbidden or no longer accepted worldwide.

Just about every company is looking for security specialists. Do you have any tips for quickly training new hires from related areas and getting them up to speed?

The labor market for security specialists, especially experienced ones, is indeed very tight. And I don’t expect things to get better in the short term.

But I do see an urgent need for completely new training concepts and development/retraining offers to at least improve the outlook in the medium term.

I find myself asking why schools still don’t (or rarely) make classes in IT/programming fundamentals mandatory for pupils in the early grades. And what career training as a software, data, or security specialist (outside of degree programs) is available? What accredited retraining or adult education opportunities are there?

If you could write an email to every CEO in the world, what would the subject line or main message be?

My main message would be: “Security is a success factor in the digital future.”

In my experience, there’s an urgent need at many companies for the leadership to bring information and cybersecurity out of the IT corner and develop a security culture top-down in which managers and employees perceive information and cybersecurity as essential prerequisites and enablers for their business and act accordingly.

To make such a culture sustainable and optimally distinguish themselves from competitors in this area, companies need to establish security as a success factor alongside quality, cost, and time to market, and be just as rigorous and ambitious in terms of security in their day-to-day business-side activities and KPI targets.

In this context, “security” can mean a number of things. The spectrum from classical IT security to information and data security/sovereignty is one part, but it can also encompass the availability and operational effectiveness of production equipment or the resilience of products and services.

Thank you, Michael!

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.