
Cyber Security Leaders - Isabel Münch, Head of Branch IT-Security Situational Awareness, BSI (German Federal Office for Information Security)
Isabel Münch is the Head of Branch IT-Security Situational Awareness at the BSI, the Federal Information Security Authority of Germany.
She started working at the BSI in 1994 and has been responsible for IT Security Management, IT Penetration Centre, Alliance for Cyber Security and Critical Infrastructures during that time. She is the author of many BSI publications on cyber security such as IT-Grundschutz.
Since 1999 she has also been a member of the ISF – the international “Information Security Forum” – which exchanges information about best practices in Information Security. She is a Fellow of the German Informatics Society (GI).
Where do you see the difference between Information Security, IT Security and Cyber Security?

Language shapes behaviour. It is therefore important to define terms precisely and to use them properly. In everyday life, however, we should also use them pragmatically. At the BSI, as the Federal Cyber Security Authority of Germany, we discussed these terms at length and defined them as follows in our standard publication, the IT-Grundschutz: “Since the electronic processing of information is omnipresent in virtually all areas of our lives, distinguishing between whether information is processed using information technology, communications technology, or on paper is no longer up-to-date.
The term “information security” instead of IT security is therefore more comprehensive and more appropriate. However, it should be noted that the term “IT security” is still frequently used in the literature (among other things, because it is shorter), even if “information security” is often what is meant. The field of action of classical IT security is expanded to the entire cyberspace under the term “cyber security”. This term includes the entire information technology connected to the Internet and comparable networks and also includes communications, applications, processes, and processed information based thereon.”
When speaking the language of business to their boards, are there certain phrases Leaders / CISOs should be using?
Speak about chances, not about risks.
Information security needs resources to prepare against things we won’t see happen. So our core business is risk management. But if you are talking all the time about risks, this creates a defensive attitude in your audience. Instead, try to explain the chances and opportunities growing out of security measures - e.g., creating a good image for customers and employees, being prepared when the unexpected happens.
How can CISOs / Leaders better understand a business’ needs?
A CISO who is new to his or her role should take a look at each area of the organization like an intern as part of the induction process, have the tasks explained to him or her and be shown the tools that are used to complete the tasks. Even one day in each department will give a CISO a good foundation in understanding how “the store ticks”, why certain methods were chosen, and also why certain security measures are not being applied or are being applied inadequately.
What should a company do if it suspects cyber attackers have been successful?
First thing is always: Don’t panic!
For this to work, good preparation is essential. A contingency management system must be in place. There must be emergency plans for the various types of security incidents, which are also practiced regularly. Every employee must know what to do in the event of a security incident - even if it’s just whom he or she needs to inform.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
As CISO, you need to work closely with the business. To do this, it is important to approach the business yourself, e.g., to invite them to regular forums for exchange. The CISO must also ensure that he or she is invited by the business to innovation meetings and project planning sessions. It is important to be perceived as a helper and supporter and not as a hindrance.
You’ve been in the industry for over 20 years. What are some of the biggest changes you’ve seen, not only in terms of threats, but also in how cyber security is viewed inside the organization?

The changes can best be seen in the development of the terminology: When I started in the field more than 20 years ago, what we did was “IT Security” and we secured single IT devices, typically working from within the IT department. Around the beginning of the new century, we realized that a broader, more holistic approach was needed, because our goal is to protect the information processed with IT, not individual IT systems.
Therefore, Information Security is our goal and our profession, doing this on C-level with and for the business. With the increasing importance of the Internet, “cyber space” became a common buzzword and with it “Cyber Security”. Now we are in the age of digitalization. Most people are nearly always online, so the need for adequate cyber security is high.