2017 | Book

Cyber Security. Simply. Make it Happen.

Leveraging Digitization Through IT Security

About this book

This book provides a practical and strategic perspective on IT and cyber security for corporations and other businesses. Leading experts from industry, politics and research discuss the status quo and future prospects of corporate cyber security. They answer questions such as: How much will IT security cost? Who will provide IT security? Can security even be fun?

The book claims that digitization will increasingly pervade all areas of the economy, as well as our daily professional and personal lives. It will produce speed, agility and cost efficiency, but also increasing vulnerability in the context of public, corporate and private life. Consequently, cyber security is destined to become the great facilitator of digitization, providing maximum protection for data, networks, data centres and terminal devices.

Table of Contents

Frontmatter
1. Security: The Real Challenge for Digitalization
Abstract
Predicting train cancellations and thus avoiding what could amount to up to six-figure damages per cancellation. Or telling the purchasing department today which items customers are going to order the day after tomorrow. This is already a reality. Why do CIOs often know more about a company’s core business than the CEO or specialist departments—and know it sooner? Because digitalization—with the IoT etc.—gives them access to a huge mass of information about customers, machines and processes. This is what is new. Such information enables CIOs to prepare and make decisions better and, above all, faster—ideally in real time. Now more than ever, the CIO is the most important sparring partner and source of inspiration for the CEO.
Ferri Abolhassan
2. Security Policy: Rules for Cyberspace
Abstract
A computer worm infests Iranian nuclear power plant systems, a cyberattack cripples sections of the Ukrainian electrical grid, intruders penetrate the German Parliament’s IT system and steal sensitive data. No longer merely the stuff of science fiction novels, cyberspace, as a setting for security policy disputes and even a stage for conflicts, has long since become part of our reality.
Wolfgang Ischinger
3. Data Protection Empowerment
Abstract
Data protection is a fairly difficult phrase to unpack. The term implies that data requires a protective hand. It therefore comes as no surprise that it is often confused or used synonymously with other terms describing similar subject matter, such as IT security. The fact that this misunderstanding seems almost impossible to clear up is due in part to the unfortunate choice of words. Data protection is not about the protection of data per se, but about the protection of personal data in light of the right to informational self-determination and the preservation of the private sphere—which is why another term for it is data privacy.
Peter Schaar
4. Red Teaming and Wargaming: How Can Management and Supervisory Board Members Become More Involved in Cybersecurity?
A Traditional Military Approach Applied to Strategy Development in the Field of Cybersecurity
Abstract
When Deutsche Bahn CEO Rüdiger Grube in 2013 was quoted as saying that cybersecurity at his company was a management-board issue, not something left to the system administrators (see van Zütphen 2013), this was something out of the ordinary as cybersecurity did not count as a traditional board issue at the time. These days Grube is in the best of company, because the topic of cybersecurity is now on the management board agenda of an increasing number of enterprises. A group of CEOs from 23 German blue chips even discussed it at length at the 2014 Munich Security Conference (see Gercke et al. 2014).
Marco Gercke
5. The Law and Its Contribution to IT Security: Legal Framework, Requirements, Limits
Abstract
Technology is the main way of ensuring that IT security meets perpetrators on a level playing field with weapons of a similar caliber. But technology cannot solve the problem alone. The law can also play a part in IT security, although it is misguided to assume that legal sanction mechanisms will keep criminal hackers from infiltrating IT infrastructures and harming companies.
Klaus Brisch
6. IT Security: Stronger Together
Abstract
Modern CIOs handle a multitude of roles within their companies, from deciding the strategic orientation of the IT environment to keeping data centers and devices running smoothly. As if this wasn’t enough in terms of responsibility, CIOs also bear ultimate responsibility for the security of data, applications and the IT infrastructure. Although ensuring the safety of the company’s digital assets has long been one of the core elements of a security strategy, new adversaries such as government-backed hacker groups, cyberespionage teams out for a quick profit and politically motivated activists have resulted in a “red alert” status for digital assets. And yet, while the current threat from these numerous attack vectors should be taken deadly seriously, many companies still believe that antivirus software, a firewall or simply taking a hush-hush approach are adequate precautionary measures. Antivirus software and firewalls are of course essential, even though both systems only form building blocks of an overall security model. But the time has really come to drop the idea of seeing security as a taboo topic not to be discussed in public. “Security by obfuscation” used to be considered a legitimate security strategy: If we don’t publish any information on a topic, then we’re not giving away any useful data—right? Wrong! Pretty much every proprietary software or hardware has now been hacked, simply because attackers found a loophole that manufacturers had overlooked. Which is why open source software is considered more secure: The multitude of auditors and developers picking through the code maximizes the number of vulnerabilities detected and the speed of their discovery. Going at it alone, hidden away behind closed doors, is not how IT security works. Attackers recognized this a long time ago, of course. Since hacking is a collaborative, team-based effort, why shouldn’t the good guys do the same?
Ralf Schneider
7. The German Security Market: Searching for the Complete Peace-of-Mind Service
Abstract
Data privacy has a very high priority in Germany. And yet data security is threatened by numerous factors—both internal and external.
Markus a Campo, Henning Dransfeld, Frank Heuer
8. CSP, not 007: Integrated Cybersecurity Skills Training
Abstract
From mid-sized enterprises to corporate giants, German companies consider IT security to be a key factor today—regardless of their size. In a survey of senior management at mid-sized and large companies, 92 percent of respondents stated that IT security has “high” or “very high” priority in the organization (see Telekom 2015). And they are right to do so: In the Industry 4.0 era, the rise in the intelligent networking of humans, machinery and production processes also increases the risk of attacks. Alerts, attacks and other threats must be countered successfully on a daily basis—and now in a matter of hours, minutes and even seconds. The key challenge here is that IT systems alone cannot win the cat-and-mouse game between hacker and target. Well-qualified IT security experts are also urgently required. So where do we find them? The market for specialists in this segment is exhausted—not least because Germany has yet to provide dedicated vocational training and degrees for defense and security experts. The handful of experts available are much sought-after and therefore very expensive. Long-winded tender procedures also cost time and money—and only provide short-term solutions to the problem.
Rüdiger Peusquens
9. Human Factors in IT Security
Abstract
Imagine you are a hacker suddenly faced with an insurmountable technical challenge: Your target’s email server has been well configured, its publicly known vulnerabilities have been eliminated and an as-yet undisclosed vulnerability is either unobtainable or much too expensive. Do you give up? No, you just ask for the password.
Linus Neumann
10. Secure and Simple: Plug-and-Play Security
Abstract
These days, companies from all industries and of all sizes—but primarily small and medium-sized enterprises (SMEs)—are required to deal with pressing questions. To remain competitive, they need to introduce and implement new technologies and take account of the demographic trend, globalization, and the continuing shift in the focus of industry to the services sector. This can only be achieved with the aid of digital processes. Digitalization provides a whole range of new possibilities for companies. In particular, the cloud is a cost-effective, simple, and more flexible option for competing successfully.
Dirk Backofen
11. Cybersecurity - What’s Next?
Abstract
Companies hoping to successfully use the IT security technologies of the future need to rethink their strategy and shift their focus from a latent arms race aimed at protection against the outside world to detection within the enterprise. After all, every company needs to remember that an attacker will infiltrate its network sooner or later, as many recent examples have shown. The next step is to identify the attack as quickly as possible and remove the threat. In the future, smart data and artificial intelligence will be needed to provide this protection within organizations. Authorized users must be distinguished from attackers rapidly with easy-to-use or automated tools such as behavior-based analysis systems. Zero impact must be the goal. Yet, to understand how to get their company or any company to this point, executives always need to keep in mind how the current situation evolved.
Thomas Tschersich
12. Conclusion
Abstract
Within a few short years, the Internet has fundamentally changed the way we live, work and perceive our surroundings. According to the German digital association Bitkom, using the Internet is now more or less a daily routine for most Europeans: “Three out of four EU citizens between the ages of 16 and 74 (76 %) go online at least once a week” (Bitkom 2016). In Germany, the average is actually 84 %. The Internet has thus become part of our everyday lives. We surf, chat and play. We book trips, buy insurance and transfer money. Digitalization has taken hold wherever apps have made services faster, easier and cheaper than classic providers.
Ferri Abolhassan
Backmatter
Metadata
Title
Cyber Security. Simply. Make it Happen.
Editor
Ferri Abolhassan
Copyright Year
2017
Electronic ISBN
978-3-319-46529-6
Print ISBN
978-3-319-46528-9
DOI
https://doi.org/10.1007/978-3-319-46529-6
