Cybersecurity Leaders – Florian Haacke, Former SVP, CSO / Head of Group Security innogy SE
Share the Interview
Florian Haacke, MSc, CFE was CSO and Head of Group Security of innogy SE from April 2016 until September 2019. From 2013 – 2016 he was CSO and Head of Group Security of RWE AG. From 2007 to 2013 he was CSO of METRO GROUP and prior to this he held senior Security Management positions at Deutsche Post DHL. He holds a Masters degree in Security and Risk Management from University of Leicester, UK. He is Lieutenant Colonel (res) of the Cyber and Information Space command, German Armed Forces.
From 2009 until 2019 he was Member of the Board of the Security Association NRW. In addition, he was Member of the Board of the European Energy – Information Sharing & Analysis Centre (EE-ISAC), Member of the advisory board of the scientific research project “IT security in critical infrastructures”; Member of the World Economic Forum working group “Cyber Resilience in Electricity”; Member of the working group Cyber Security/Security of the Federation of German Industries (BDI) and the Economic Council Germany. He is lecturer at Frankfurt School of Finance & Management and European Business School. He is the editor of the online service “www.sicherheitsmelder.de” of Richard Boorberg publishing company.
Florian Haacke and his team were awarded the Cyber Security Leader Award 2019, the Outstanding Security Performance Award 2015 and 2019, The Security Innovation Award 2018, the CSO50 Award in 2018 and 2019 and he was selected as one of the Most Influential People in Security in 2016.
Since January 1st 2020, Florian is the CSO / Head of Corporate Security at Porsche AG.
Are there any common traits as to what makes a successful security program?
Successful security programs are simple. They are easy to explain, despite the ever-increasing complexity and dynamics of the topic.
The close interrelation of prevention, detection and reaction whilst the disciplines are professionally evolving at the same time. Successful (cyber) security programs are based on solid and sustainably implemented security hygiene.
They are characterized by close integration with the company’s digitization strategy and enable innovation, not least through the required pace of the security organization, for example through the use of agile working methods.
How can security executives get the “buy-in” from the top?
A proven advantage is certainly the direct allocation of the CSO outside of IT, directly reporting to the executive board in order to be able to talk to the CIO and the business responsibles “at eye level”. After all, the CISO is not only responsible for IT security, but also for information security and, in companies with production control technology and processes, sooner or later also for the convergence of IT and OT security, which is already and irreversibly taking place in different forms.
Top management usually works with numbers. In order to continuously get on the top management agenda, it is imperative to collaborate with process owners to be able to measurably assess the cyber security risks which are increasing due to digitization. Those who also have a high degree of transparency regarding the maturity of their security measures are able to show the executive board the gap to target and generate long-term attraction for the topic. Measurement is key!
In complex corporate and international business environments, what do you think is the role of a cybersecurity awareness program?
The human factor plays an important role in addition to all technical and system preparations. It is therefore particularly important to raise employees’ awareness to the potential threats and ways to avoid them. Awareness campaigns such as the ‘’human firewall’’ actively and repeatedly engage employees in various formats, e.g., training videos, live hacks, online training, intranet articles, Lunch´n´Learn formats and much more. The regular distribution of phishing emails to employees and the subsequent measurement of click behavior allow training successes to be measurably proven. Pure awareness measures will always be needed as part of basic hygiene and prevention. But even today, modern companies are finding that this is not enough.
The large number of successful attacks requires new and more advanced methods, necessary in order to be successful in the future. Already today concrete training of employees in the detection and defense of attacks just like the training offered in cyber ranges such as CyberRange-e for the energy sector, are a key factor. In cyber ranges, employees are trained professionally and continuously in a practical manner by using realistic scenarios in order to prepare them in the best possible way to handle attacks. Especially due to the irreversible convergence of IT and OT, such trainings are indispensable to practice, practice, and practice the concertation of business operations, IT and security before an incident occurs.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
“Security is for sharing” is the right slogan, I think. It must be clear to all of us that cyber-attacks are a global phenomenon and that, therefore, state or corporate unilateral action cannot be expedient. An ever-improving network of enterprise security among companies in the same industry, e.g. via industry ISACs, but of course also with other sectors and industries as well as with domestic and foreign security authorities is therefore a time-consuming but worthwhile undertaking.
For example, linking and connecting the SOC to various MISPs is not a one-off, but a permanent process in order to be able to initiate a professional vulnerability remediation. Networking therefore remains indispensable for security managers. And although it is so important to listen to what is going on outside, it is essential not to let yourself and your programs be distracted by constant noise changes. Sustainable security successes in big companies can never be achieved in the short-term as successful measures unfold their effects gradually.
Digitization is a double-edged sword, offering incredible benefits but also entailing serious risks. What are your thoughts about this inevitable development?
Many industries are experiencing technological change, which requires continuous support in terms of security technology and organization. The success of digitization also depends to a large extent on reconciling security and functionality. Applied correctly, security enables and opens up opportunities.
Not sufficiently considered, the topic can become a risk to the existence of the company – in particular for digital business models. In this respect, security creates indispensable foundations for digitization to be successful and sustainable. The security integration of new components poses a challenge for every industry and the recognizable decentralization and digitization of many companies create new and additional attack vectors. Good cyber security is therefore not a hype, but a decisive component for the performance and success of every company.
Could you offer any advice on how CISOs and CIOs can work together effectively?
In my opinion, it is important to have discussions “at eye-level’’ To effectively integrate the CIO‘s digitization roadmap with the CSO‘s/CISO‘s security roadmap, beside regular 1:1 meetings, formal decision-making bodies can be established. Such a cyber security board could be led by the CSO/CISO in co-lead with the CIO with further participation of important functions with voting rights from IT (e.g. Head of Infrastructure and Architecture) and Security (e.g. Head of Information Security and others) as well as the business as the internal customer.
In this way, the important digitization projects can be jointly discussed and the necessary security measures mutually agreed, but also the necessary tracking of implemented measures can be carried out together in a transparent manner.
Cyber security is not a hype: The success of digitization in enterprises also depends to a large extent on harmonizing security and functionality. Security establishes indispensable fundamentals and is therefore an essential component for the performance and success of any company. The large number and dynamics of attacks against companies clearly demonstrate that almost any economic operator can be affected. So it is no longer the question “if” but “when” a company will be hit by cyber-attacks and how well prepared it is for such attacks.
Therefore, detection of and response to incidents are becoming increasingly important. Cyber-attacks are certainly easier to manage for companies where security is regularly put on the top management agenda, as resources and budgets are decided here. In order to get on the top management agenda, it is necessary to be able to measurably assess the cyber security risks and to have a high degree of transparency of the maturity levels of security processes. And even if there is no 100% security: A central organization for the topic of (cyber) security is not just helpful, but crucial when it comes to monitoring security risks in a 360 degree view and not only in fragments, and when company processes are to be protected end-to-end.
Cybersecurity Leaders – Florian Haacke, Former SVP, CSO / Head of Group Security innogy SE