
Hello everyone,
Everyone surely knows the OWASP Top 10 risks in their latest revision. Google has evidently succeeded in making web application development secure and convenient for developers at the same time, and in a highly productive way: the number of XSS vulnerabilities found in Gmail, GCP, Gemini, etc. has fallen from more than 100 per year to fewer than 1 per year, despite an increasingly lucrative bug bounty program.
The decisive factor is automating the development process so that insecure coding becomes almost impossible (those of us from production will know this as “poka-yoke”). I didn’t understand at least half of the technical details about Trusted Types, XSRF protection, Strict CSP, Cross-Origin Policies, etc. in the posts. Nevertheless, here is a table with a few examples that can serve as a structure for assessing the maturity level of secure software development:
Scalability | Avoid vulnerabilities | Generate new code without vulnerabilities | Secure existing code after the fact | Accountability
---|---|---|---|---
Low | In the individual application | No process | Remediate vulnerabilities after they have been reported | Developer
Medium | In client / server frameworks | Security reviews, SDLC / secure coding training for developers, documentation | Internal security team detects bugs, developer fixes vulnerabilities | Developer
High | Secure APIs | Plus secure APIs | | Developer + Security Engineers
Very high | Browser, CI/CD tool pipeline | Development environment (framework/guardrails) only allows secure code | Automatic subsequent changes (with coverage tracking) | Security Engineers
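As an added illustration of the “secure APIs” and “guardrails” rows (my own sketch, not Google’s code and not any library’s real API), here is a minimal safe-by-construction HTML API in TypeScript: the DOM sink accepts only a SafeHtml value, and the only way to create one is a tagged template that escapes every interpolated value, so a hand-built string never reaches the sink. The names SafeHtml, htmlEscape, HtmlSink, setInnerHtml and renderGreeting are assumptions for this example.

```typescript
// Illustration only: a safe-by-construction HTML API, not any library's real API.

// Escape characters that can change HTML context in element content or attributes.
function htmlEscape(untrusted: string): string {
  return untrusted
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

class SafeHtml {
  private readonly html: string;
  // Private constructor: nothing outside this class can wrap an arbitrary string.
  private constructor(html: string) { this.html = html; }

  toString(): string { return this.html; }

  // Tagged template and sole public factory: literal parts are developer-written
  // and kept verbatim; interpolated values are escaped unless already SafeHtml,
  // so fragments compose without double-escaping.
  static template(strings: TemplateStringsArray, ...values: Array<string | number | SafeHtml>): SafeHtml {
    let out = strings[0];
    values.forEach((value, i) => {
      out += value instanceof SafeHtml ? value.html : htmlEscape(String(value));
      out += strings[i + 1];
    });
    return new SafeHtml(out);
  }
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
type HtmlSink = { innerHTML: string };

// The only sink. Its signature is the guardrail: a plain string such as
// "<p>" + userName + "</p>" does not type-check here.
function setInnerHtml(el: HtmlSink, html: SafeHtml): void {
  el.innerHTML = html.toString();
}

// Render a greeting from untrusted input: whatever userName contains lands in
// the markup escaped, because there is no other route into setInnerHtml.
function renderGreeting(userName: string): string {
  const el: HtmlSink = { innerHTML: "" };
  const name = SafeHtml.template`<b>${userName}</b>`;
  setInnerHtml(el, SafeHtml.template`<p>Hello, ${name}!</p>`);
  return el.innerHTML;
}
```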
Is AI already clear-cutting software development jobs? The number of job openings for programmers has plummeted by 50-70% since the 2022 peak, whether in the US, Germany or Australia (see the attached chart; source: Indeed / FRED / PragmaticEngineer). The decline is steeper than for other job categories, i.e. apparently independent of the general economy. That makes sense: the routine tasks of software developers consist of interpreting text (requirements from product owners) and generating text (code) on the basis of many examples (public code repositories with documentation). We all know by now that AI does this well.
To be honest, from my point of view the same applies to managers and management consultants: after ~25 years of experience in the field, I would say that most situations in life require no flashes of genius, but the application of good practices and common sense according to an “if…, then…” schema. Fortunately, otherwise I would still be an intern at a sausage stand. Even with complex M&A topics, there are now so many case studies that a well-trained AI assistant can certainly make better suggestions than the average consultant or department head.
What will remain, always be needed and well paid: responsibility for results.
In addition, for management personnel there is of course conflict resolution in the interpersonal problem zone and endless rounds of negotiations (“coordination”) at the interfaces of the org chart boxes of nested corporate bureaucracies. The partners at McKinsey, BCG and Bain will also continue to be needed, as sales machines, scapegoats and for the stamp of external validation. So, my forecast: entry opportunities in management consultancies and in-house consultancies will decline, middle management levels will be further reduced, and management margins will increase. Amazon has already received the memo and has just raised the minimum number of direct reports from 6 to 8.
On the other hand, there are many business cases that were previously not economically viable but suddenly pay off due to lower development and/or operating costs. Each of us knows, for example, features in applications that have not been worth developing so far because they are special cases for a few customers. AI thus allows for greater individualization of products, democratization of specialized knowledge and generally also higher added value per employee.
Therefore, I currently suspect and hope that AI, like all groundbreaking technical developments before it (telephone, radio, car, computer, robot, internet, smartphones…), will produce winners and losers in the labour market, but on balance create a positive prosperity effect for most of us.
At the always entertaining Mysecurity event in Cologne, NIS-2 was a topic of discussion this time; a few statements by CISOs on implementation projects:
- You can have the impact check carried out by lawyers, or simply skip that and assume you are affected in case of doubt. Or you can report to the BSI that you believe you are not affected.
- The main cost driver so far has been the mapping of legal entities to the different requirements (!) in the various European countries. In addition, the ability to provide information during audits (documentation) had to be significantly improved, contract adjustments had to be demanded from most partners/suppliers, and awareness training for management (GF) and reporting processes had to be introduced.
- The early reports within 24 hours were implemented in different ways, for example building on existing emergency procedures (managers on duty) or via pre-approvals for some units.
- At what threshold must a report be made, and from when do the 24 hours count? => Reporting is only necessary if the organization’s essential services have been significantly impaired. The clock starts when the affected organization detects the incident.
- NIS-2 as the nail in the coffin for some smaller units that were already on the brink: the implementation would have increased fixed costs to such an extent that a merger or closure was more economical.
- No one was of the opinion that NIS-2 had led to a noticeable increase in the level of security.
M&A:
- Armis (OT anomaly detection) acquires Otorio and will thus also offer on-premise deployment and secure remote access in the future
- Jamf (MDM for Apple devices) is acquiring the IAM provider Identity Automation, which is reportedly strong in the US education sector
- The German cyber underwriter Cogitanda is bankrupt, but was taken over in an asset deal by DGC (full-service cybersecurity provider incl. SOC, incident response, pen tests, etc., approx. 100 employees, based in Flensburg). Underwriters handle the distribution and contract drafting of the policies; the actual cover is provided by insurance companies in the background, in this case including Württembergische and Sparkassenversicherung.
- Skybox (vulnerability and firewall management) was liquidated due to weak growth despite high funding (~$300 million) and annual revenue (~$500 million). Tufin had previously treated itself to the customer register, but apparently didn’t want to take over employees, development or support contracts.
And a few more notes from vendor briefings:
Siemens:
- We took a look at the OT Security products SINEC Security “Inspector”, “Monitor” and “Guard” (can all be purchased separately)
- Inspector:
  - Asset discovery, vulnerability identification + malware scans (active scans)
  - Based on Nessus, Nmap, McAfee virus scanner and some other OT-specific tools (“Siemens Siesta”) for Modbus, HART-IP, BACnet, CODESYS etc., all in a common user interface
  - On-prem installation
  - Not intended for the productive environment, but for commissioning / maintenance and acceptance tests
- Monitor:
  - Network intrusion detection system (signature-based, rule-based + baselining/anomaly detection), i.e. similar to Claroty, Nozomi, Dragos, Armis, etc.
  - On-prem sensors (previously only as a Siemens hardware appliance) via mirror ports on switches + a VM for evaluation
  - Asset discovery (passive, supplemented by isolated but very limited active probing) and, on top of that, vulnerability mapping
  - Graphical representation of the detected network with its connections
- Guard:
  - Vulnerability management, i.e. from task definition and tracking through to progress measurement
  - Prioritization according to customer risk (not only according to CVSS), but this requires manually entered assessments by the operator, e.g. zone criticality. Exploitability (via EPSS) is unfortunately not yet taken into account, but is on the roadmap.
  - Inventories can be scanned or other scanners can be integrated (no scanning tool in the solution itself)
  - SaaS only
  - As an option, there is also a signature-based NIDS (which then comes with an on-prem sensor)
  - Accompanying services, from evaluation up to 24/7 monitoring, are already offered or are being rolled out
Rubrik (Update):
- Backup & recovery (“Cyber Resilience”), approx. 6500 customer organizations, reference customers in DACH including Mann+Hummel, Schaltbau, Steiff, Knauf, ZF and the ECB; globally including GSK, Pepsico, Honda and NVIDIA
- Ransomware recovery warranty of up to $10 million (proportional to the backend data volume after compression/deduplication, i.e. only $250k for 250 TB) if recovery after an attack is unsuccessful. The terms and conditions read reasonably to me; for example, the immutability setting must of course have been made. Monthly configuration checks are carried out by Rubrik => that also makes sense. However, the compensation payment does not yet seem to be offered in Austria and Switzerland.
- Storage: Appliances (on prem or as Cloud Data Vault), own file system
- Files in the backup are searchable
- With each backup, not only the data but also metadata is backed up and scanned for entropy anomalies and malware
- Automatic recovery tests in a test environment based on workflows (recovery order)
- Good Azure/M365 integrations via agentless API calls (Microsoft is an investor)
- Management of tape libraries as a 2nd or 3rd copy possible
Drivelock (Update):
- German provider of preventive endpoint security, approx. 70 employees
- Approx. 1300 customer organisations (from small to large), focus on the DACH region, references e.g. Bechtle, ElringKlinger, FEV and several hospital networks
- Deployment on prem or SaaS. Agent on every device, so full protection even offline. Common Criteria EAL3+ certified
- Core modules: device + application control, i.e. an alternative to Windows USB control / AppLocker, ThreatLocker, Netwrix and of course features in many AV/EDR solutions
- Vulnerability scanner as an alternative to Tenable, etc. In conjunction with application control, execution can then be (manually) restricted
- Response options such as automated shutdown of computers that have certain vulnerabilities
- In addition, there are tools for system hardening, including management of Windows Firewall or BitLocker (instead of via GPOs). Besides less admin effort, the advantage is of course also audit-proof evidence, e.g. of continuous disk encryption over a given period
- Connection to common ITSM / SIEM systems, etc.
- A free trial version can easily be downloaded from the website => if you are interested, just try it out
- From my point of view, an obvious further development would be hardening operating systems according to CIS benchmarks etc. (similar to FB Pro)
WIDAS:
- Swabian family business with IAM solutions and consulting services, focus primarily on Customer Identity Management (CIAM)
- Approx. 150 employees, ~250 customers, including Hornbach, Conrad, Die Bayerische Versicherung, a few banks and even Indian startups
- Workflows for authorization requests can be adapted and automated very individually depending on the use case
- Adaptive MFA, passwordless login, etc.
- They score not only on GDPR compliance but also on low prices => definitely worth a look if the need arises
As always: Questions, suggestions, comments, experience reports and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For those who have received this email: here you can register if you are interested, or read the archive.
Regards
Jannis Stemmann