Angelika Holl, Chief Information Security Officer, Zeppelin
Challenges of a CISO and how to be successful
With the rapid evolution of cyber threats and security challenges, the role of the Chief Information Security Officer (CISO) has become one of the most critical and challenging positions in modern organizations. I started in 2019 in my role as CISO at the Zeppelin group with 10,000+ employees and 6 business units across the globe.
What are some challenges you are facing as CISO?
Cyber threats have evolved significantly over the years, and as a CISO you must always stay up to date with the latest technology trends, security threats and risks. The evolution of cyber threats and security challenges has been driven by many factors, including the proliferation of remote work, the increasing importance of trustworthy and secure identities, faster development of new technologies, and the increasing use of cloud resources.
To be able to master these challenges successfully, a skilled and motivated workforce is key. Like many of my IT colleagues, my area is equally affected by the shortage of talent. The demand for skilled cyber security professionals has risen dramatically in recent years, but the pool of qualified candidates is limited. Because of this I currently find it challenging to find and retain motivated and engaged employees with strong knowledge in cyber security.
What is your experience and what are key requirements for success in your role as CISO?
My experience of more than 20 years in information security management shows that the CISO must have the support and commitment of the senior management. This includes a commitment to security and a willingness to invest in the resources and technologies necessary to protect the organization. To get this support, it is essential to make threats and risks transparent to senior management, while also increasing awareness and fostering understanding throughout the whole organization, including all employees working with technology.
In addition to a very strong understanding of the current threat landscape, this also requires the ability to communicate complex information in a clear and concise manner to different stakeholders and target groups.
The growing importance of Information Security at Zeppelin is reflected in its reporting line – having started in the team of the CIO/CDIO in 2019, I report today directly to the CEO of the Group. In addition to this, an Information Security Steering Committee with management representatives from the business units meets regularly. It ensures the role of IT security as a business enabler by mitigating risks for the business units through a targeted, tailored, and fast implementation of security measures.
For example, in one of our projects we replaced multiple antivirus solutions, which were implemented in different countries and business units, over time with a centralized modern solution. It now centrally detects sophisticated attacks across the globe, and is monitored by a managed security service that ensures 24/7 analysis and alerting. By getting all stakeholders involved and creating transparency on the current threats and benefits of a consistent and modern endpoint detection and response solution, the project was done successfully within a short time.
What are key success factors for a good collaboration with internal and external stakeholders?
Meeting the needs of an organization is a key success factor. As a CISO I must work closely with the CIO/CDIO to develop innovative and secure solutions that meet the needs of the organization. Security must be built-in as a matter of course, and it must be an integral part of all business processes, balanced with the risks.
In addition, the Information Security Officer can only be successful with a good, motivated team that has the right mindset and is motivated to implement security in a way that achieves business goals. With the right leadership culture and company spirit it is also possible to retain the employees and inspire other colleagues in the company for the topic of security.
How do you create understanding and acceptance for security threats and necessary measures?
Security implementation should be risk based. This means that appropriate security measures must be chosen which minimize risks and are acceptable to the business. This requires a good understanding of the organization's risk tolerance and the ability to balance security measures with the needs of the business. Security measures must also be adapted to threats and risks which change over time.
Another very important aspect is to sensitize management, employees, and relevant functions to the importance of security. This requires a strong focus on training and awareness programs that educate employees about the latest threats and how to mitigate them. From my experience I would say it is important to explain security threats not just in a business context but also how security threats are targeting employees in their private lives. One must be available for questions, doubts, and challenges, especially when implementing security measures with impact on user convenience.