goCIO Podcast on the topic “Cybersecurity without a headache” with Jannis Stemmann

Speaker: It is everywhere. It threatens humanity. It threatens governments. It threatens companies. Cybersecurity is extremely important in today’s times, and that’s why this podcast revolves around this sensitive topic. Here is goCIO, the podcast for the CIO and all those interested in digitalization, by and with Mathias Hess. In this episode, the focus is on the title “Cybersecurity without a headache. Why it’s worth staying calm.” Mathias, are you keeping calm today?

Mathias Hess: Absolutely. Cybersecurity is certainly an extremely important topic today, perhaps even a bit overheated. To discuss this, I have invited Jannis Stemmann today, Co-Founder and CEO of CyberCompare. Hello Jannis, nice to have you here!

Jannis Stemmann: Hello Mathias, thank you for the invitation. I am very pleased to be here today.

Mathias Hess: Jannis, perhaps you could briefly introduce yourself and your company so that the listeners can get a better understanding.

Jannis Stemmann: My name is Jannis Stemmann. I am 45 years old, married, and have two children. I have an engineering background and have already led two of our Bosch locations. I also have experience in consulting and am familiar with IT and OT topics from both the operator’s and manufacturer’s perspective in the IoT field. For a while, I was also the spokesperson for our management team. A little over two years ago, after an extensive market study phase, we founded CyberCompare, a subsidiary of Bosch.

Mathias Hess: Today’s topic is “Cybersecurity without a headache. Why it’s worth staying calm.” How do you assess the current cybersecurity market? In general, would you say that it is already overheated and that too much money is flowing into areas that may not necessarily be essential?

Jannis Stemmann: Partly, partly. I believe the topic is important. By now, probably even the last person has recognized this. However, we believe that one must keep things in perspective. It primarily involves economic risks that must be managed responsibly and appropriately. We do recognize that there is significant potential for savings to achieve a certain level of security with a limited budget. Budgets are not necessarily increasing. This is the main issue we deal with.

Mathias Hess: I have found that when it comes to security issues, money often plays no role. Have you had similar experiences?

Jannis Stemmann: That actually does not correspond to our previous experiences. We now have over 300 customers, including some that are subject to strong regulatory requirements, such as banks, insurance companies, utilities, and critical infrastructures. In these cases, high budgets may indeed be necessary, especially when legal requirements must be met. However, in general, most budgets are under pressure, and the goal is to ensure the best possible security within the available budget. I hardly know any IT manager who does not have to deal with cost pressures.

Mathias Hess: Do you still see an increase in this area? Are there also customers coming to you who have not taken much action in this regard so far? Or is it more the case that most customers already have solid security measures in place and it’s just about fine-tuning? How would you assess the current situation and what are your experiences regarding this?

Jannis Stemmann: The situation is mixed. We have a wide range of customers from various industries in the DACH region, including companies with 300 employees up to over 50,000 employees. Therefore, it is difficult to make blanket statements. Customers usually come to us when they have two main questions. First, which security measure should be implemented next and where should the next euro be invested? Second, there are specific projects that need to be implemented.

This often involves comparing offers to find the best value for money among providers, solutions, or services.

Mathias Hess: One approach is to check what IT security measures the customer has already implemented fundamentally. Do you conduct some form of review?

Jannis Stemmann: Review is an appropriate keyword; we also call it diagnostics. We have already conducted this over 200 times and can evaluate it well. We take a pragmatic approach by looking at the entire topic of IT security from a 360-degree perspective through workshop-based discussions. Subsequently, we derive recommendations based on common frameworks. We evaluate what we consider to be sensible and how we can integrate this into a roadmap over time.

Mathias Hess: When conducting this diagnosis, do you only consider the technical aspects or do you also take into account organizational measures? Does the company have a Chief Information Security Officer (CISO)? Does this person possibly have a team? Are employees trained in security matters and similar topics?

Jannis Stemmann: We certainly use existing frameworks, which are also helpful for companies, especially when they are speaking with cyber insurance carriers, for example. This diagnostics process really covers all aspects—technology, processes, and the organizational level. When looking at the recommendations, it’s often not necessarily the latest technical tool that should be at the top of our list but rather hiring an additional employee who can specifically focus on security matters. Sometimes companies are already paying for existing licenses but not fully utilizing them.

Mathias Hess: In the second phase, do you help your customers select the right tools and get the best contracts and conditions?

Are you specialized in specific areas or do you handle all recommendations included in the diagnostics? Do you take care of purchasing these solutions? Could it be formulated like that?

Jannis Stemmann: Let me explain this in more detail. Our name “Compare” already indicates that comparing is a central aspect of our services. The first aspect I mentioned regarding diagnostics refers to comparing security measures. This means we analyze which measures we consider most sensible for the customer and where they will get the greatest security benefit per euro invested from our perspective. The next step involves comparing technical solutions, services, and providers. This also includes comparing offers in terms of content, technology, and conditions.

Our goal is always to achieve the best value for money. You asked earlier if we specialize in specific segments. In fact, we have now covered a wide range of security categories in IT, OT, as well as IoT.

Mathias Hess: This means you also support your customers in the classic RFP process.

You help clarify requirements and identify companies that can best meet them. Then these companies are compared with each other. Could it be imagined like that?

Jannis Stemmann: Exactly right. Initially, we support with Requirements Engineering, which involves creating requirement catalogs, specifications, and performance descriptions. We don’t start from scratch but rely on proven practices, whether at Bosch or one of our 300 external customers. Subsequently, we accompany the entire RFP process and can also manage it. This could be a Europe-wide tender for a large authority, but just as well a straightforward bid comparison or market research.

Mathias Hess: This means you’re not starting from scratch. That sets you apart from the classic consultant mentality, without wanting to be negative here.

Classic consultants naturally earn their money by providing comprehensive support. In your case, however, you draw on proven experiences and approaches from the past, which allows you to save a significant amount of effort. Am I right?

Jannis Stemmann: If you allow me, I’ll elaborate a bit more. Feel free to interrupt me if it gets boring. But it’s exactly as you describe. From our perspective, the cybersecurity market, to put it colloquially, is completely crazy. This applies to both the provider side and the customer side. On the provider side, the biggest cost block is not in product development or artificial intelligence, but in marketing and sales. Nearly half of the revenues in the cybersecurity sector, as can be read in the annual reports of large companies, are spent on marketing and sales. This affects around 7000 providers worldwide.

On the customer side, we also see suboptimal situations. There, we have employees who are already completely overloaded in IT. This is because nowadays companies cannot carry out any project that is not connected to IT. In such a situation, the employee acquires, in addition to their daily tasks, a new EDR tool or a Managed SOC service. This is usually the first time in their life that they do something like this. How do they proceed? They search for information on Google, read Gartner Magic Quadrant and peer-to-peer reviews, invite system integrators, and finally create an Excel spreadsheet. The system integrators always bring their preferred solutions with them, where they have the highest margins. Subsequently, competence related to this project is built up in the company, but it is never discussed again, as it is related to cybersecurity and considered strictly confidential. If we look at this from a societal perspective, we have realized that this doesn’t make sense. We need to address the biggest cost block, and we do that as a purchasing partner. There we bundle demand and knowledge, just as you described.

Mathias Hess: How can we envision the purchasing process more precisely?

Jannis Stemmann: Quite pragmatically, our approach is based on the customer’s initial situation. There are customers who already have an offer on hand. In such cases, they simply need two comparison offers. They are interested in which providers we can recommend, which options we consider costly or not necessarily essential from our perspective, and what criteria they should pay attention to. Our goal is always for the customer to receive a clear basis for decision-making in order to make informed decisions.

Mathias Hess: I am more familiar with this from the software procurement area, for example with CRM or ERP systems, where it is often difficult to compare offers for various reasons. In such cases, experience is of course crucial to conduct tenders optimally and ensure better comparability. How does it work for you?

Jannis Stemmann: This naturally comes easier to us because there are certain project categories that we have already accompanied up to 30 times. This allows us to better understand how a specific scope of services is named at provider A and whether at provider B it is an additional option or already included. In the cybersecurity field, there are no standards and anyone can invent new terms like “Advanced Threat Hunting” and “Threat Intelligence.” Content-wise, this always relates to how expensive it ultimately becomes. Therefore, we are gradually building price databases and can assess the offered prices very well. This strongly depends on sales channels and the competitive situation.

Speaker: The market seems crazy. That’s how our guest on the podcast defines it today. Here is goCIO, the podcast for CIOs and all those interested in digitalization, and our guest is Jannis Stemmann from CyberCompare. He says almost half of all expenses in the cybersecurity provider sector worldwide are spent on marketing and sales. How are credible product investments depicted there? He says that many in the market offer solutions and encounter overloaded employees in purchasing departments. Today is all about finding new ideas. Mathias Hess surely has another one.

Mathias Hess: Let’s talk about colleagues from purchasing and IT. As I experience it, they are often left out and are not necessarily unhappy about it because they don’t know much about it anyway. What’s your experience with that?

Jannis Stemmann: The best results are achieved when everyone works together. So when you involve purchasing and departments early on. Often there are also employees on the user side, from the department, who should be brought on board. It simply makes sense to do it together rather than alone. That’s also the basic idea at CyberCompare. One could say in a very old-fashioned way that we are a kind of purchasing cooperative where now more than 300 companies and public institutions have joined forces.

Mathias Hess: Yes, that absolutely makes sense. I often come across this when tendering for an ERP or CRM system or any system for that matter. Usually this only happens once or maybe a few times in one’s career. Often people try to avoid this process by seeking retirement when introducing an ERP system, for example. The experience in this area is often very limited, especially for those doing it for the first time. I find myself in this situation time and again because when you do something for the first time, it takes longer, you make mistakes, it’s more expensive. Therefore, I find the idea and implementation as you do it great. You help companies with your experience and obviously do so for the benefit of the customer. If I understand correctly, you are also moving towards standardization, although this is very difficult in the IT sector as you mentioned. Everyone tries to achieve this goal with more or less success as you also mentioned. There are no standards like in other industries; instead, everyone develops their own approaches. Therefore, comparison is often difficult.

Jannis Stemmann: Exactly, standardization is indeed an important aspect. It’s also interesting how you just mentioned that we represent the interests of the customer. Our independence from providers helps us with that.

Mathias Hess: But others would say that too, right?

Jannis Stemmann: What we learn from the market suggests that currently we are the only ones who can claim that. I find that quite interesting. In our case, customers pay us project flat rates and we do not receive commissions from providers, discounts on list prices, or similar incentives. We are familiar with this game but we do not participate in it. Instead, the customer pays us a flat rate which allows us to represent the customer’s interests as best as possible.

Mathias Hess: But you mentioned earlier that you bundle demand in a way that allows you to achieve better purchasing conditions.

Jannis Stemmann: Yes, that is partially correct. We do this especially in relation to the database, which allows us to conduct Price Benchmarking. Both the scope of services and the costs for specific scopes need to be considered.

Mathias Hess: Now, returning to the title “Cybersecurity without a headache. Why it’s worth staying calm.” The theme of “headache” is also one of your catchphrases, if I may put it that way. Do you actually experience that people in this market feel a certain level of despair or helplessness? Perhaps that’s a bit exaggerated, but do they at least feel somewhat helpless in this complex market?

Jannis Stemmann: The market is definitely opaque, and it is certainly helpful to have someone by your side who can guide you in a way. I think fear-mongering or despair is not the right approach. Our view is that one should proceed calmly and pragmatically. These are economic risks that can be managed appropriately.

Mathias Hess: As far as I know, no one has been harmed by neglecting this issue so far, and I am also not aware of any company going bankrupt due to insufficient cybersecurity, right?

Jannis Stemmann: Yes, that needs to be somewhat put into perspective. But as of today, we do not know of any healthy company that has been driven into bankruptcy solely by a cyber attack. As you mentioned, every year 2000 to 3000 people die in traffic accidents on German roads alone. I believe that so far, no one has been seriously injured or killed by cyber attacks. Fortunately. Let’s hope it stays that way.

Mathias Hess: You mentioned earlier in our conversations that the issue of ransom payments and this type of crime could be relatively easily stopped.

Jannis Stemmann: Actually stopping it, I cannot say for sure. But I do believe that if we look at other industries, there are concepts such as safety nets in the insurance or banking sector. I think a similar concept could make sense in the area of ransomware. Because in my opinion, prosecution in this area is difficult. Occasionally we hear about successes achieved by authorities, and I find it impressive how the police collaborate across borders. This is truly commendable. However, I often have the impression that extorting ransom is low-risk for attackers. If we had such a safety net and at the same time prohibited the use of cryptocurrencies for ransom payments, I could imagine that it would become economically unattractive for most attackers to even attempt it.

Mathias Hess: Indeed, the payment of ransom in cryptocurrency seems to be very popular, to put it that way. There are probably quite limited options for tracking or preventing it.

Jannis Stemmann: I am not an expert in this field, and I understand that cryptocurrency enthusiasts might be outraged. I also understand that there are good use cases for Bitcoin, Monero, Ethereum, and other cryptocurrencies, and I am a tech enthusiast myself. But I think the internet existed long before Bitcoin, and interconnected computers in companies have also been around much longer. My impression is that the issue of ransomware really gained momentum with the rise of cryptocurrencies. If we were to ban ransom payments or restrict the use of cryptocurrencies for such purposes, I do not believe it would have no impact on the attacks. Certainly, there are still state actors and other reasons for stealing data. But I think in the area of extortion, we could take a step forward.

Mathias Hess: Do you also assist customers when they contact you and say they have been hacked and ask for help?

Jannis Stemmann: If a customer contacts us and reports being hacked, we try to quickly find a suitable service provider. For example, there is a list of certified service providers for Incident Response in emergencies from the Federal Office for Information Security (BSI), and we also know some others. We need to check which provider actually has capacities. However, our approach is more about helping our customers conduct emergency exercises in advance and prepare for emergencies. There is much to learn from this, and it can save a lot of time in an emergency situation. This is a measure that is often neglected but costs little compared to potential damages and brings many benefits. We also emphasize the conclusion of an Incident Response Retainer contract with a service provider who maintains capacities. This way, we do not have to start looking for a suitable service provider in an emergency who may not have capacities. Instead, we clarify this contractually in advance.

Mathias Hess: I definitely support the topic of emergency exercises. I have had clients who had expensive backup systems but when they tried to use them in an emergency, they found that the backups did not work properly, essentially leaving them without a functioning backup. That is truly frustrating and shows the importance of testing such systems when implementing them. But I think emergency exercises are also crucial. They not only serve to conduct technical tests but also to ensure that in an emergency, one does not have to start over and wonder how to proceed. That is the real purpose of exercises.

I think it is advisable to look at the various possible scenarios and consider how to act in these cases. An emergency exercise is a good way to do this. You don’t have to hide it; you can openly say, “We are conducting an emergency exercise this weekend to see how well our processes work and where there may be gaps that need to be addressed.” Gaps often exist, and it is better to discover them in an exercise than to be surprised in an emergency situation.

Jannis Stemmann: Exactly, that is the purpose behind it. One learns from such exercises and can then work on achieving continuous improvements. As you mentioned, it is important to bring all relevant stakeholders to the table, including representatives from the legal department and communication. In an emergency, one must notify employees, suppliers, and customers as well as communicate with authorities. In advance, one can review all reporting paths and decision-making processes. These are all processes and procedures that can be carefully considered in advance. In addition to the technical aspects you mentioned earlier, such as backups and recovery, prioritization in emergencies is crucial. We have developed templates for this over time, which are already being used by many companies.

Mathias Hess: How do you see the development in the coming years? Are there specific areas where attention will be increasingly focused?

Jannis Stemmann: In terms of emergency preparedness or security in general?

Mathias Hess: Generally regarding security. I remember that a few years ago, the general opinion was that the greatest security threat came from employees, and it was emphasized how important it is to train them properly to ensure they do not click on suspicious links. In my opinion, much progress has been made in this regard. The question now is what comes next. Are there areas where you see an increasing need?

Jannis Stemmann: The simple answer would of course be that it always depends on the customer. But I think there are some topics we can consider. For example, the whole issue of outsourcing 24/7 monitoring, referred to as Managed Detection and Response or a Managed Security Operations Center for 24/7 monitoring, is a trend that I believe is significantly increasing. There are also economic reasons for this, as scaling across many companies is possible and there are many providers in the market to choose from. Furthermore, we see that companies operating their own production or logistics, or manufacturing machinery and connected devices, are increasingly investing in OT Security (Operational Technology Security) and IoT Security (Internet of Things Security). This means that they continue to focus their attention and priorities on office IT security or enterprise IT security, which is reasonable and something we would always recommend, but are also becoming more active in the field of OT and IoT security.

Mathias Hess: “Cybersecurity without a headache. Why it’s worth staying calm.” That was our topic today on the podcast with Jannis Stemmann. Jannis, thank you for your input.

Jannis Stemmann: Thank you, Mathias, and all the best.

Speaker: So, there are no standards for awarding contracts and there is hardly any comparability. CyberCompare says: “We are ahead because we can advise independently of brands and produce cybersecurity for the many hundreds of companies in all industries that we serve.” That was goCIO, the podcast for the CIO and all those interested in digitalization, by and with Mathias Hess, with the podcast title “Cybersecurity without a headache. Why it’s worth staying calm.” Today with Jannis Stemmann from CyberCompare.

Looking for the original Podcast?

Disclaimer: The podcast is only available in German

Find the podcast on:
Spotify: https://open.spotify.com/show/2PN4l5io6QIBIXtkOxqgc5
