Shaping Information Security Together – Experiences of a CISO

Marcel Lehner

Marcel Lehner has been shaping the cyber, information and IT security industry for over 20 years – in line with the motto “Shaping information security together”. For the past 10 years, he has passionately led the internal cyber security organization of Mayr-Melnhof Karton AG as Chief Information Security Officer (CISO). In this role, it is especially important to him to pass on his gathered experience.

In the following interview, Simeon Mussler, COO Bosch CyberCompare, and Marcel Lehner talk about his activities and experiences over the past ten years as CISO at the Mayr-Melnhof Group. In this context, he elaborates on the past, current and possibly future situation of the company.

What is fundamental to cybersecurity or information security? How was the outsourcing and cloud migration from an on-premise environment carried out? How was the issue of tendering addressed? What security solutions have been and will be implemented? What are the company’s next milestones?

Drawing from his experiences, he makes recommendations to other CISOs and companies.

Below you can find the official interview (English translation):

Welcome, Marcel Lehner. We really appreciate you taking the time today to share your experiences and to discuss some issues that I think are relevant to many others as well. Maybe we’ll start by introducing yourself so that the others know who we’re dealing with today.

You’re welcome. I would also like to thank you for the invitation, Simeon. I’m happy to be here and happy to be able to tell you a little bit about myself and our security.

Short background story: I’ve been working in the IT security sector for 20 years now, more than 20 years. And for the last ten years I have been working for the Mayr-Melnhof Group as CISO and have been able to experience a lot over the last ten years.

Perhaps a few words about the Mayr-Melnhof Group. We are Europe’s leading producer of cardboard and folding boxes. We have 53 locations, so you always have to look, we’re pretty much on a shopping spree right now, we’re expanding massively, but by 2021 we had around 53 production locations on three continents – six of them carton and 46 packaging locations. We now have about 13,000 employees, but we are constantly growing. One can see that we are already very well represented, also no longer the smallest company and this fragmented lineup in the different countries, also a fragmented IT of course, I’ll talk about that later, makes life as a CISO very, very exciting.

Exactly, we also discussed the fact that you did a pretty comprehensive outsourcing and cloud migration and out of what is likely to be a relatively fragmented and typical on-prem environment. What made you decide to do a kind of “leapfrog”, not to proceed incrementally, so to speak, but to really take such a big step to actually convert the more or less entire system landscape within a few months?

If you look at the Mayr-Melnhof Group, this may also have something to do with our change in the Management Board. We are a traditional company, an Austrian one, with slow but steady growth.

However, we had a change of management about two years ago, two and a half years ago, and the new management board is on an expansion course, as I just said. We have purchased a few plants over the last few years. There are now already some again for acquisition. That means we have to be flexible and we have to be able to scale quickly, and that was possible with the on-prem team – of course it works somehow – but if you have a business partner or several business partners, this has certain advantages. Advantages related to scaling, challenges related to security. But for the scaling, that was definitely one of the main reasons why we decided to do this change so quickly in the last two years from an on-premise IT team to managed service outsourcing cloud partners.

And in addition to the fragmentation and the growth, which you have already mentioned, what were the other prerequisites that you found at the start and how did you actually get into the planning?

If you look at the Mayr-Melnhof Group, we now have very strong centralization, also in terms of IT, even prior to our outsourcing strategy, we were already running a lot of services in-house, for the plants. So, we acted as an internal service provider, and of course we still do that now, but we have now given everything to the partners.

I think the biggest challenge now, if you deviate a bit, for me or for this change as well, the biggest challenge we had was to find the right partners in a very short time, because we are represented worldwide. We made sure that we had international partners who are also on-site for us in other countries, even though we do a great deal centrally now. We also had to go through a certain cultural change quite quickly, because you can imagine the IT colleagues, especially those who have been here for 10/20/30 years and have worked on-premise and worked on the systems themselves. That’s a massive change if you don’t do it yourself from one day to the next, but simply hand everything over to the partner, that you actually go from being an IT technician or an IT administrator to a service delivery manager, and this cultural change was also received positively, of course, but also not so positively to some extent, but that was also a big change for us.

So, we’ve had some challenges here, also from a security perspective. We had of course put our entire ISMS, as we are certified to ISO 27001, very much on on-premise because we had little or not much focus to put on service provider control, we didn’t have to look too much at SLA, we didn’t have to document many interfaces, because we had everything in-house. And of course, the response time, sometimes much faster. We had to take everything into account now. We had to rewrite the ISMS, we had to write service provider specifications, i.e. security specifications for the service providers, and recertification is due in one or two months. It will definitely be very exciting with so many service providers. We don’t just have one now, we now have several and exactly this interface topic, this contract topic, SLA topic is definitely very very exciting and will continue to keep us very busy in the future.

Exciting, great. And maybe an interim question at this point: How did you approach the topic of tendering, did you form an overall package and then subdivide it, or did you do it step by step and then each specification, tender etc.?

We thought in “waves”; we now have a wave for the data center, a wave for the endpoint, a wave for security, so we kind of applied that in waves, and the providers were able to apply for each of these waves.

Small specification catalogs were created, a tender catalog and then we sort of advertised that for tenders, yes.

How did you make sure that they fit together?

There was a superordinate coordination function, which was also an external support.

And now the area of cybersecurity: You’ve already said it a few times, but to what extent have you already built it into the architecture and design of the waves and to what extent is it a core component or one of many? Cybersecurity is sort of a part of the whole, often not the main part, but how did you approach embedding that?

Maybe I can split this into two parts because, as I said, we also have a security wave that is still running. Well, two years ago I set up a completely new IT security strategy with a three- to five-year plan, if you can plan that long, but with an approximate outlook.

We have also outsourced parts of security. In other words, mainly the operational issues, such as a SIEM/SOC, for example, or vulnerability management. That was the security roadmap, which means it was pretty much separate and independent of the other projects.

As I said, for the other projects we have our ISMS set of rules, so we already had these specifications, also to a certain extent for existing partners, even if only on a smaller scale. To be honest, you have to say: Due to the speed that we had here with this outsourcing, security, as is often the case, was perhaps not always placed at the very front – let’s put it that way. Of course we were involved, but the most important thing was, on the one hand, that you get the systems up and running with the partner, and of course we are already refining them, so we will figure it out, okay, maybe one forgot a little something here, forgot a little something there, but the most important thing for me was that as security, if you are not actively involved, you have to proactively approach the teams and make a complaint yourself, even if the teams don’t always like it, because if you buy the security, it also means a little more work now and then.

But rather consider in advance the security with a little more effort than to retrofit it afterwards with even more effort.

Often more expensive. Security is always one direction, a trade-off decision, you just have to make a risk-based decision. Are there maybe a few examples where you just had to make trade-off decisions between features, usability and security and how did you handle it or how did you decide?

Let’s put it this way, we didn’t have to do that many trade-offs because the budget was given. It’s not always so commonplace that you get the security budget you need. But thanks to our new board and our new team leadership, they are also very security-savvy and support security very strongly, this basis was given.

We had some topics, such as a SIEM/SOC, that we hadn’t even had before. We started here on certain topics from scratch. We didn’t have to do big trade-offs here. On the contrary, we were even able to see with the existing partner where there are synergies, which partners integrate well, and which work well together.

Of course, now you might find out about one or the other topic afterwards, you also have to be quite honest, where we say “okay, maybe we shouldn’t have put this know-how outside.” We have even reached the point where we are now bringing certain topics back into the house after all. A classic example, as it is here now, I can also talk openly, is the vulnerability management system. Of course, the external can do the scanning, but we hoped that the external could also guide the internal patching and so on. But you have to understand such a complex group and such a complex IT infrastructure better, and that’s where we had to learn: “Okay, we can’t give everything to the partner. Some parts have to stay with us.” Now we are looking at vulnerability management, for example, that we let the partner do the scanning, the simple things, I would say, which are partly automated, but then do the whole patch management, the vulnerability management, keep the resource in-house. But all in all, I have to say that we didn’t have to make any major compromises here.

Great, cool. It’s probably also because you thought about it from the start, which is of course the big advantage, because often the experience is, you do something, and then you have to collect it afterwards and then you have to make the trade-off, because then features were released, of course, which will then have to be reverted. This is the worse way, the more unpleasant way.

And now, perhaps, looking back also at the last few months and now already years in this transition. What are the elementary points for cyber security or information security that you noticed along the way and that are also relevant for others to have on the screen right from the start?

One thing is, but I think I’m speaking from the heart of every CISO, that’s no longer a secret these days, is to take a holistic view on security. We didn’t look at it holistically until recently. For example, we left the OT, i.e. industrial safety, to the plants because it was simply a clear interface that IT had. After some internal discussions and persuasion, we agreed that OT security will be also moved to Group Security. Because it is simply important that you look at the whole system infrastructure or IT and OT as a whole. It’s merging more and more. You get the BI, the analytics, get more and more data from the OT area; the OT area gets production data and production orders from IT. It’s becoming more and more connected. That’s why I think the key is to look at security holistically. And now of course with all the partners and with the outsourcing partners and then, of course, with the cloud in the future, you also have to get the partners on board more and more.

So, I think that’s one of the most important points – this holistic view. And of course, to integrate security at an early stage – the earlier, the better, the later, the more expensive. These are my two main takeaways over the last few years; I also had to learn a lot myself.

And the goal as a CISO, of course, maybe a tip for the CISOs as well, is that you make your voice heard as a CISO. Away from this bogeyman role, one hears more and more, the CISO is also more and more the business enabler, also as security. It is definitely an important point that as a CISO you are also on good terms with the business, that you go out into the business and not only view security as an IT issue, as many still think, but as a holistic issue, a group issue.

We also have very important internal takeaways: Now the whole topic of tool selection, if you look at our infrastructure and our security infrastructure, I would say that in the past I probably (…) would have taken a partner more often now and then, who also helps us evaluate these issues, because this is where the big challenge really lies, everyone writes down that they can do everything, so to speak. Once you have the products, once you then compare your own requirements with the products, often you only then realize it in daily operation, “It doesn’t fit the way the salesperson, the key account manager, told us.” Here, I prefer to always go an extra loop meanwhile, if necessary, with external support to help us evaluate, since there are now so many different providers.

But that is definitely also a key takeaway: Please go an extra round, see if the products are necessary at all, whether you need them at all. We are also in the process of consolidating again very strongly, so many products; maybe I lose a little something when I give away a product, but I save myself the administration of ten different products and at the end of the day I have two or three. Well, you don’t need a whole house full of tools, you just need the right tools.

You have just mentioned the keyword OT. Am I then correct in assuming that you initially set up the waves with an IT focus, so to speak, and then subsequently or in a second step looked at how this fits with the OT after you have merged the responsibilities? Or was the OT already integrated beforehand?

No, it wasn’t integrated before. Of course, there was already a certain interface, because, of course, we already had certain systems connected here prior to this whole transformation, because we have already used production data, because we have already read out machine data. Yes, that was already there, but there was a clear OT firmware, that was the interface.

In my security roadmap for three to five years, we had of course already considered OT, so we didn’t know yet whether we would really manage to take responsibility for OT governance and compliance, but of course we then managed to do that with this holistic approach; it was already part of the security roadmap and now we have also implemented it technically.

And now, of course, you have a few things that are pending, of course e.g. adjustments, maybe look at responsibilities again, but what are the next steps when you have the three- to five-year plan, what are the milestones, that you have planned to do next?

Exactly, we have certain topics that we still have to implement, of course, and security is more of an ongoing topic.

But a very big topic for us now is of course the BCM topic, i.e. business continuity management, resilience topic, which also means that if something really happens, we will be up and running again quickly. So I think that’s one of the biggest issues. We are currently in the process of setting up a BCMS system, a business continuity management system parallel to our information security management system and then, of course, everything stored after that, restart plans, restart procedures and so on. Up to business impact analyses.

Another big topic is, of course, the whole issue of zero trust, which is now slowly emerging in our company. We’ll start here in the network area, which is ZTNA, which is Zero Trust Network Access, and then from next year on we want to expand this to the client and endpoint area. So definitely a big issue.

Crisis management is a big topic, which, of course, we are still expanding a bit in the course of the BCMS and where we are now still evaluating a bit, but which is definitely still a construction site, I would say, is the whole topic of identity management. We have a classic Active Directory, but we want to go further, we want to automate lifecycle management as much as possible, and of course we need a certain amount of tool support. These are the core issues that we will be focusing on for the next two/three years or one/two years.

Doesn’t get boring.

Not at all, no.

Exactly, and maybe, just finally looking back and saying again: If you look at the last two or so years, which it was, what would you do differently from today’s perspective and what would you recommend other companies to consider in their approach?

Well, I think the very very very most important thing, especially as soon as external partners come into play, is to have clear roles and responsibilities. We are still struggling with that today, although of course we have contracts, but if they are not properly structured, if the processes are not properly structured and, above all, the responsibilities and the contact persons are not properly structured, then you have to do a lot of extra steps afterwards and I think that is simply the most important thing, to clearly define who is responsible for what and, of course, write it down. Well, that’s my key learning from the last two years.

This not only applies to outsourcing, but of course also if you operate everything on-premise yourself. We have tried in the past to document everything as well as possible. Perhaps that has been somewhat lost in the course of this rapid transformation, because it’s always easier to say, “Yes, that’s what your partner does anyway,” but in daily doing you realize that it’s not that easy, that it is being done by the partner. The retaining organization must be strengthened, the retaining organization that stays in-house must be trained and that is, of course, still the main responsible entity. That is accountability, always remains with the company and that’s something that needs to be clearly regulated, and I think we still had a bit of a learning curve there, we’ve taken that into account and now it’s a matter of sharpening these issues. But I think that’s the most important thing, yes.

Exciting! Then I would say, for now, thank you for your time and for sharing your experiences with us.

I think it’s probably worth listening back in a while to see how you’ve sort of taken the next steps and thank you very much for the moment and good luck on your way.

Thank you and thank you for the invitation. See you soon!

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.