Financial services cybersecurity has its challenges – but it’s also interesting, varied, and just plain fun, says Jochen Friedemann, Chief Information Security Officer at Talanx, the Hanover-based insurance/re-insurance firm. Cybersecurity is also more impactful than it’s ever been, thanks to cyber’s importance to senior management, with more educational and career opportunities than ever before. So though the responsibility is heavy, if you’re thinking about joining InfoSec, this is a great time to have a good time in cybersecurity.
Transcription (edited for clarity)
Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Communications Officer at FS-ISAC.
It's tough out there being a CISO today with ever-evolving threats and emerging technologies amping up their impacts, increasing regulation, challenges accessing talent, and more. But it's also a pretty interesting place to be. I spoke with Jochen Friedemann, CISO of German firm Talanx, about the upsides of being a CISO today.
Elizabeth Heathfield: When I asked you what you wanted to talk about, you gave me such a refreshing answer, which was the positive side of cybersecurity. We spend so much time focused on the challenges and the threats and the risks and we very rarely take the time to really think about, okay, well, why are we all in this business anyway?
Jochen Friedemann: There must be something to it.
Heathfield: So let's talk about it. So just to get started, tell me why you thought it would be a good topic and what's the big upside? Why is it super interesting for you?
Friedemann: So why did I think it is a good topic? Because of what you just said. We should talk about the positive aspects. We should talk about why is it great to work in this domain? Why are we doing it? There must be something to it, so let's talk about it. Also, I mean, it's more fun to talk about the positive aspects. So why should we sit together to complain about life?
So why is it great to work in cybersecurity and information security? Basically because of the variety of the field. I mean, we always say it's people, it's processes, it's technology. So if you're very into nerdy stuff and you really want to dive deep into the technical aspects of security, there will be something for you. If you want to design a good governance system, a process which helps to make your company more secure, there will be something for you. And if you want to dive into the psychological aspects and understand people's behavior and why do people click on phishing links? What does this do to your brain? There's also something in it for you. You have to be able to bring all of this together.
It's absolutely fun. It's the greatest in so many aspects and it's great to work on that. And you have the possibility to make an impact. Your work really changes the way things are being done. And if you look at it from the right perspective, you will find some small improvement every day. So basically, you have some small success every day. So — it's great!
Heathfield: How did you get into it in the first place?
Friedemann: I started my career after university at a consulting company, dealing with, I'd say, related topics. Then I moved into IT in an insurance company, more from the governance perspective, and got in touch with IT risk management, which goes in this direction, of what could go wrong and what we are going to do about it. I transitioned to the enterprise risk management domain from there, so out of the technology realm to a completely different perspective. Then I basically was asked to come back or I could go to the intersection of both domains and work in information security, which I did and haven't regretted since.
Heathfield: How has the field changed over the last couple of years? What makes it specifically really interesting right now?
Friedemann: How has it changed? I'd say there are several aspects which are really new, which hadn’t been there, let's say, five years ago. One is the awareness. So [cybersecurity is] everywhere now. You don't have to fight for attention if you're working in information security. Everybody has some kind of understanding that ‘this could be important — let’s discuss it with this guy.’ So it's all around you. And that's completely different. That's also fun because, you see, this is a hot topic and it's always good to be where the action is.
Then there's a lot of innovation. In the cybersecurity domain, you have a vibrant startup scene, especially in the last few years. There's been a lot of things going on, there's a lot of new technology, there's a lot of fancy stuff out there. We came from, let's say, really simple signature-based virus detection to now AI-powered behavioral analytics on what's happening on endpoints and what could this mean. So there's a lot of things going on. There’s a lot of interesting stuff going on, there’s really a lot to learn.
And this relates to awareness. There are a lot more possibilities for exchanging information, for knowledge sharing, for education, for getting better. Years back, there was hardly a chance to really learn something about information security at university or college. Now you will find some classes everywhere. People can make their degree in the domain. And that’s also a great development.
Heathfield: Do you see that there's still a major talent shortage? It's something that we talk about all the time. But could that also be an opportunity for people who really care about it or want to get into it or whatever?
Friedemann: I mean, that's simple economics. If there's a shortage and you have something to offer, it will be good for you. If you can offer some talent, that's going to help you. When we speak about the talent shortage in cyber, I'd say we have to ask ourselves, what are we really short of there? Are we short of sheer resources? I guess there's a lot of potential for automation to help us with that. We don't really need that many more hands. We can find better ways. Are we short of experience? Maybe, but also we tend to look for five years of experience with a technology which has existed for two years. That's not going to work. But if we look for experienced people in a certain technological field with some kind of professional judgment, they could transition to our domain. It's definitely possible. Again, it's a good time to start because yes, there is some kind of a shortage, you could say.
Heathfield: You mentioned the attention, right? Everybody's talking about it. How are you seeing that translate into opportunity at the more senior levels? The boards care, the C-Suites care, there's increasing regulatory scrutiny. So how is that an opportunity as you develop into a more senior role in your career?
Friedemann: Yes, there's far more visibility, far more exposure on, let's say, the board level than several years back. I guess that's true for most companies. And that's really good. First, that's good for the domain itself. Because this is going to help us get things done in the company, when we have top management’s support. It also means, working in information security, you have to find a new way of communication. Because you have a new group of stakeholders, you have to understand the business even better. This broadens your perspective. I mean, how should this not help your career? So again, yes, definitely, there's a lot of potential in that.
Heathfield: In the US, we are seeing that there's also a potential downside to having that level of exposure. Because you literally have legal liability or exposure, potentially. Is that the same in Europe? Are CISOs feeling that here in the same kind of way?
Friedemann: I would say to some extent, yes, if you become a senior executive of a regulated company, you bear some personal liability. There's no free lunch.
Heathfield: You talked a little bit about the broader range of skills that cyber people need. Let's talk a little bit more about that. There's some level of technical skills, but then there are all these other aspects to it. Do you want to go through that in a little bit more depth? What do you think a really successful cyber leader needs today?
Friedemann: Yeah, I'll try. First, if you talk about the domain in general, as I said, it's a broad field. There are a lot of detailed, specific skills you might need in one or the other aspects of the domain. In general, technical skills will always be good. There are [roles] where you need less. There might be some where [technical skills] are mandatory. They are never going to stand in your way. So it's always good to have some technical skills if you work in this domain.
If you look in the more general aspects, I'd say curiosity is a super powerful trait of character — just being interested in how this works. How does a certain attack work? Why is this possible? How could we break this? Why is this important for the business? What are they doing with this information that we are protecting? Why is it important to protect it? And really always being open to learning more about that. This is going to help you improve. What are people doing with that? As I said before, why are they clicking on this link? It must be obvious that it's not a good idea. Why does this still work? What's behind this? So really always trying to learn more and to understand and staying open-minded — that's definitely going to be helpful.
You will need some kind of endurance; you should also have some kind of strength, so to say. There will be tough discussions. You will be in a position where you will have to say, ‘From my perspective, it's a no.’ And there's going to be others who are going to say, ‘But it's really important for us.’ And then you will have to find the balance. So you have to understand risk and you have to say, ‘OK, is this acceptable or not? Should we do this?’ You also need some kind of flexibility with that, because there's no one-size-fits-all answer. We have to really be able to balance different interests and try to find the best possible solution.
Heathfield: When you say, ‘From my perspective, it's a no,’ but the business says ‘we have to do it’ — is that what you meant by that?
Friedemann: That's the cliche point. Sometimes it might really be the case. You say ‘from a pure security perspective, it's not a good idea. I understand your point. I understand why this could be important from a business perspective.’ And as I said before, I'm a senior executive of this company so I'm not just advocating for security. I have to understand the whole picture. So I might even be willing to side with the business there, so to say, but making clear, ‘guys, you have to be aware we're taking a risk here. And do we really want to take this risk? Is it really worth it? Could you please explain to me why it is really worth it?’
Heathfield: So where do you see things going in, let's say, two, five, 10 years, if you're open to giving me how you see the field is going to evolve in the short-, medium-, and longer term.
Friedemann: First I have to say, unfortunately, my crystal ball is a little damaged, so I might be wrong on this, but I believe it's going to normalize a little bit.
As I said, as we spoke, there's so much attention focused on this now. There are so many people moving in the domain, people becoming more senior, more visible in their companies. There are so many vendors working on this, so much going on. [Cybersecurity] is going to normalize … many people are going to get used to it.
We mentioned this before, there are people taking classes about this in university, but maybe just one class and they're majoring in some other field. I even know that there is [high] school education on things like how to build a good password. In two to five years, people who learned about [cybersecurity] in university will have graduated. In five to 10 years, thousands will have come out of school who were trained to this very early on.
So it's not going to be so new and so fancy that we need some magicians to talk us through it. It's going to be normal. It's going to be part of daily operations and a lot of people will understand — at least, if we who are already in the field are doing our job right now — then we're going to have a different security culture in two years, an even different one in five years, and a wonderful one in 10 years, and then everything is going to be completely different than we have expected.
Heathfield: That's the one thing that you can predict.
Friedemann: That's the one thing I'm sure of.
Heathfield: I've heard people say, ‘If I do my job really well, if security did its job perfectly well, then you wouldn't need security people.’ If developers, for example, develop things in a secure way, you wouldn't need a whole realm of security because it would already be built in.
Friedemann: Security is always going to be necessary. Are an information security department and the CISO always going to be necessary? Maybe not. Maybe not.
If you take a very small company where you basically have a self-employed person, he takes care of everything a large enterprise takes care of. He is his own CISO. He is his own CFO. He is his own CEO, he’s his own CIO, blah, blah, blah, blah, blah. He is all of this. He doesn't have it — he is all of this. And still works. And as you grow, you develop these functions and these departments and the larger the operation and the newer the [security] topic, the more likely it is that this [approach] is going to be very prominent. This might change. There might be others who are doing more or less the same job. Will the topic go away? No, I don't think so. It's always going to be necessary. Does this mean in 10 years, everybody's going to have a security department? I believe yes. But if not, I’d guess security is still going to come up.
Heathfield: So what would you say to a young person now who is interested in cyber and is thinking about going into InfoSec?
Friedemann: I'd say, just do it. You're young. Give it a try. Seriously, as I said, there are lots of different potential ways of going into information security or cyber. Try to find something which comes close to your interests and look into some of the available resources and see if this could be a way for you. And then really just give it a try. Just do it.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.
© 2025 FS-ISAC, Inc. All rights reserved.
Jochen Friedemann serves as Chief Information Security Officer at Talanx, the Hanover-based insurance/re-insurance firm. Prior to beginning this role in June 2022, he held various roles at Talanx, including as Head of Consultation / Operational Risk Management, Head of Qualitative Risk Management and Head of Risk Services. Friedemann began his career at PricewaterhouseCoopers as a Senior Associate System & Process Assurance from January 2007 to October 2009. Friedemann graduated from the Universität Osnabrück, with a degree in Wirtschaftsinformatik (Business Informatics).
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.