
All right, good, good morning everybody. It's so great being here, seeing how big BSides has become. The reason for me wearing blue today: I see how hard we are hiring. Do we have a clicker? Do this... where is it? That one? I don't worry, that's all right, I can do my intro without it. Thank you.

So today's talk is about "better safe than sorry", and the reason for choosing that title is pretty simple. I'm an acetal role and I'm talking to various people around the world, and what all of them respond to me is that we do not talk enough about the problems, and we do not talk enough about what we can do together, how we can collaborate, how
we really could solve issues together as a team. So to me, information security means we need to bring people together. We really need to put our strengths together. We really need to think about how we could become a union. We are always talking about things, we are always talking about what can our, or what can we as an individual, what can our companies do to solve customer problems. But out of my perspective, it's way more important than talking about customer issues: we should way more talk about what we can do to solve the issues we all have as individuals. So as I really do not like to talk about myself, there's only one sentence I want to
mention: I did nothing different than information security my entire career. And whilst I'm just running through different information security stories, really talking to people is what is key to me. And I'm traveling, like, around 200 days per year to various countries, and I'm in a good position ready to talk to companies as well as people. I do talk to priests, I really do talk to a variety of people, and it's really interesting that we all have the same problems. So information security is really a thing which does affect all of us, and this is what brings us to the point that we really need to stop talking about IT security and start talking about information
security.

Who of you is wearing a smartwatch? Can you please raise your hand? One, two... oh, that's very last. Who of you does have a smart speaker at home, like Amazon Alexa or something? One, two... wow. So the problem is, I'm really happy with you having those things, but you as every years do you bring those things into your companies, and that really does change the attack vector of companies. I'm always saying we can't win the information security battle anymore; what we can do is to create a proper roadmap to survive. And IoT really has become a big problem, a huge attack vector. So IoT, out of my perspective, isn't IoT anymore; it has become vulnerabilities of things. The reason for calling it vulnerabilities of things is because everything which is smart is automatically vulnerable. And as I'm talking to so many companies, none of them really has a good IoT strategy. They're always trying to bring their systems into the cloud, they're always trying to get rid of their legacy systems, they do always try to bring more new features into their business to make the employees happy, but they do not know what this really means to the information security landscape. And Internet of Things is a thing which is new, but in the same way we do have problems which are really old, like hardware vulnerabilities. We all do talk
about software vulnerabilities, patching things, making sure that our OS system is up to date, that the programs we do use are up to date. But by talking about information security from a more software perspective, we really do not think anymore about what's the attack vector from a more hardware perspective, and sometimes it's way easier than finding a software vulnerability: it's very much easier just to plug in a cable and use a microphone into whatever, record what somebody is talking. So Internet of Things is also, or the problem behind Internet of Things is also, supported by really good hardware from China or from wherever, which can be easily used to really do weird stuff.

Has one of you ever heard of BleedingBit? Can you raise your hand? No? Just one, good, one. So like four to five years ago I was sitting together with German Telecom and we were talking about drone attacks, and I told them drone attacks will be an attack vector of the future. And I was also talking that to a couple of people, and half of the people were laughing at me, and they were like: no, drone attacks won't be an attack vector, drone attacks won't be something which will really affect companies nor individuals. What we do experience today is a different story. Sure, we all know that we can use drones to attack them with a gun, to fight with them, but in the same way we can put TNT
on the drone and fly it into whatever facility to blow it up. This is really a bad scenario, but it shows how fast the entire thing has developed. You know, we can use a simple thing which is easy to use for each and every one of us and can do really bad things with it. But not only by putting TNT on the drone: we can also customize a drone with a smartphone, and we can use this smartphone, and a very smart hacker, that's a friend of mine, he's living in Israel... we can use the smartphone which is equipped under the drone and connected to a laptop, and then we can fly it up to the 27th floor. Basically
that's the inside view, and that's a view over Tel Aviv, which is really a nice city, so if you want to throw that or do it. It's really interesting, right? We can use the drone equipped with a smartphone to attack a networked device. In this case, what they did: they attacked an Aruba AP, and it took them just three minutes to attack it, use a vulnerability, flash the system and get access to the company's data. And by just thinking about what that means: information security, all the threats behind information security, has become very common and easy. You know, it's just a drone which was like 400 bucks, a smartphone for another 50 bucks, some drag-and-drop stuff to put an
act together, and then they just use it. And by flashing that Aruba device they were able to run man-in-the-middle attacks, and basically they were able to just collect, manipulate or whatever the entire company's data.

Who of you knows him? Can you raise your hand? Mmm, only just one, two, three, four, five, six people. So this is an all-AI news anchor. Even the model isn't really... the model is rendered by just a couple of CPUs, and this news anchor is telling you whatever you type in, just by using a voice like Amazon Alexa. The story behind the news anchor isn't that I do not support those technologies, but what does it mean? It means that information security
has also become a thing where we need to think about what other people, or nowadays AI, are talking about us, and in the same way we need to keep in mind that information security is reputation, or information security means to secure your reputation, 'cause there's only one reputation. And now imagine someone is hacking the AI anchor and talking bad things about yourself, your family or your company.

Another interesting story: I was attending Black Hat in December last year, and I took the photo on the left and I used it to share it on my socials, and the sentence below the picture was "There is no security at Facebook anymore, not even at their booth." I tagged it with
fake news and joke, but what Facebook did was to block me entirely. So I got blacklisted. I got blacklisted on Facebook, thank you, I got blacklisted on Facebook and Instagram. I wasn't able to share pictures anymore, I wasn't able to send out impressions, even my photos weren't available throughout the entire network anymore. So if I just pushed out something new, you could go to my profile and see the picture down, but it wasn't seen somewhere else. So I opened the support case, and imagine, they never responded. But what does it mean? Again, information security has also become a topic, but we need to think about: do the things we want to share really reach our
peers? Can we still reach our customers, or is someone blocking us? Is there a whatever algorithm which just filters out what we want, what we do talk about? Can we really make sure that those informations we want to share to the crowd of people, or just to a smaller audience, are really the one which we try to send over? And I mean, it's an interesting and funny thing, but to me as an individual, it took me over a month to again be able to share things, and just only because I knew a couple of people working for Facebook; otherwise I would be blocked entirely forever.

And one thing which really hurts me is medical device hacking. I was attending a
group of people last year and we tried to hack different medical devices. One of the medical devices we hacked was a pacemaker, and hacking a pacemaker means we were the one being able to adjust the heartbeat rate. We were able to just bring it down to zero or push it up to a thousand beats per minute, but in both ways information security has become a matter of life and death, because we were the one deciding whether someone still continued living or whether he dies. And medical device hacking really brought me to the point where I started thinking different about information security. 'Cause sure, we are talking about software vulnerabilities, we are talking about hardware vulnerabilities, we are talking
about interesting things like drone attacks, or sharing a picture on Instagram or Facebook, getting blocked down, but this really affects us as an individual. This really can make the difference to us, and this really... medical device hacking really is the thing where I do want you to stand up and where I want you to really talk about all the things which are going wrong. You know, because my experience is that within your mindset there are so many things about information security, but if you don't share them, if you do not talk to your colleagues, to your family members, to your friends, you can't just change their opinion. The reason for me choosing my Instagram handle or my
Twitter handle "society hacker", the reason for that is exactly that one: we need to open, or we need to change, people's minds. We need to open their brains, we need to put the information security knowledge right inside their brains, because otherwise they can get affected, and I don't want my family members to die just by someone playing God.
And taking over the responsibility, as well as knowing that we can't outsource our accountability, really needs to bring us to the point where we just force our companies to do the necessary things, as well as where we need to make sure that we protect our families as well, because it's our responsibility to ask for information security changes, as computer security will be the security of the world.

People often try to find out what we at King Kong, which is my company, or what I personally do different, and the thing I always respond is: you need to follow your own philosophy. And my philosophy is built on three different pillars: to coach, to transform and to
secure. And that means you need to coach yourself, you need to transform yourself, you need to secure yourself, but in the same way you need to make sure that you coach your family, that you coach your company. And which is way more important than just coaching is transforming. Transforming means understanding different views and bringing different opinions together, and that's what really can make the difference in the information security business. Most of the more technical guys really look at information security from a technical perspective, and they don't want to understand the more ops perspective or the more management perspective. And we always try to do information security as good as we can, but sometimes good is
good enough. And out of my perspective were just is second level of my philosophy, information security needs to be people-centric, and people-centric means that we really need to focus on the people. Let me give you some examples. Information security people-centric means: think about what can make the difference. And what we try to do is to share a free endpoint protection to each and every employee, to just make them aware of what information security means to you at home. Or people-centric: please think about Starbucks. What did Starbucks? Starbucks created an area between home and work, an area where you can just get yourself in touch with what's coming up, or where you can calm down, or
where you really can get in touch with whatever you need to do. They created a feel-good area between home and work, for instance, and out of my perspective information security needs to be exactly the same: it needs to become a feel-good factor for each and every one. And as information security is there to protect your company assets, but in the first line you need to protect the people, it needs to be people-centric. You need to talk to them, you need to understand them, you really need to figure out what the people need. And as the world is our office, that really has changed everything entirely. They want to work from everywhere; we need to
support it. They're gonna work on every device; we need to support that. But in the same way people want to look at information security as it would be baked in, so we really need to take over the lead and baking in security in each and everything we do.

And this, out of my perspective, is the only picture which brings it to the point. We did information security from a more coconut style: we try to just work, we try to create a shell which was as hard as possible, and we try to just make the wall bigger and bigger and bigger, and then that one day cloud came up, IoT came up, and the wall isn't there anymore.
So nowadays we need to do it more avocado style. We need to protect our crown jewels, and there needs to be a hard skin there as well, a hard shell, but in between those two shells there needs to be a place for people where they can work as they want to work, where we can support the technical guys but we also can make sure that the finance guys get the things they need, but in the same way we still protect our crown jewels. And to be fair, crown jewels are the one we need to protect. We do not need to protect every single instance, every single server, every single, let's say, network component. If we do have a proper strategy, we do
not need to be the coconut anymore.

And talking to people and thinking about new strategies and thinking about new ways of enrolling information security, we also need to talk about diversity and women in IT. As I mentioned, I'm traveling all over the world since a couple of years, and Germany, especially Germany, is way far behind other countries. We do have too few women in IT, we do have too little diversity, but diversity and women is what makes, to me at least, the difference. You know, if we bring in new views, new perspectives, new ways of thinking, we can create new strategies, we can develop ourselves, we
can really just bring information security to a point where it is people-centric, as it is built by people instead of companies who try to sell you something. And therefore we need to give information security a stage, and I'm really thankful that I'm allowed to talk to you today, but I want you to do exactly the same. I want you to go back home to your family members, or go back to your companies, and I want you to read the InfoSec representative there. I want you really to talk to the people, because that is the key. If we do not start talking about the things we do, and if we do not explain what we do and how
we do things and why, nothing will change.

So what to take home? Of course, I'm really messing up the time. There is still no patch for stupidity, and I can't provide you a patch for stupidity, but if we follow our own mantra, and if we really set up an information security strategy which is more avocado style than coconut style, I'm pretty sure we can make the difference, because to me no security means no privacy, and that in the end means no future. Thank you very much. If you have some questions, I'm happy to take them from the floor.

All right, thank you so much. I have a microphone for questions. You're sure? Nobody? No questions? Okay, if
not, I have a question actually. So how do you convince your board of directors?

That's a good one. So if people understand why to close the door at home, they will close the door at work. If people understand why to use a 16-digit password at home, they will use a 16-digit password at work. So if we explain the why and take the people in the loop, they sure will take care of costs, but if information security has become a business value, no one will really be worried about the costs anymore. Because information security is a cost center and it will be a cost center in the future, that's for sure,
but if we can create and deliver business value, and that's the key for the executive board, if we really create business value and deliver business value to the executives or to the board of directors, to the lower management, upper management and even to the co-workers, that really will bring you in the position where money isn't the first question they will respond to you.

Thank you. How can we attract women to InfoSec?

So let's come back to the social point of view. I don't want to say women do more social channel things than men, but if we start changing the way we do present ourselves, if we start making information security sexy, I'm pretty sure more and more women
will join the business. The thing is, as we did information security in the past, we really... I mean, it's the IT security and information security thing. If we can make information security sexy, and basically this is the reason for me being here, trying to make it a little more sexy by sharing all the informations about all these different topics, I'm pretty sure it will make the difference. You know, other countries do the same, and they do have onboarding workshops, they have women-in-security days within their companies, they try to be represented on Twitter, Instagram, LinkedIn and all these social channels. If we do share what we do, I'm pretty sure women will get more and more
interested in information security, but as we still have that boring information security being between us and the women, I think the first thing we need to do is to enlighten, and enlightening them means, at least to me, showing how interesting information security can be.

I think what you're trying to say is to make it more attractive to everybody here. All right, there was another one. Since we were talking, I will come back to that, since we're talking about women in IT, since many times we're a minority in the room: is there any woman in this room who has a question for myself? I would want to give priority to that. If not, I will go back. There was one
question there. Where... is there any question here? Since I was on that side of the room.

Then I'm actually curious: so there is an ever-growing group of people that say that privacy is dead, and what do you say to those people?

Ah, a good one. I do not think that data protection will be a big thing in the future. I do think the more bigger thing will be data management and data maintenance, because the world we all want to have, or the future world we all want to have, means systems are connected, they do talk to each other, and they can't talk properly if there are different platforms, different languages. If we want to have safe self-driving
cars, planes and whatever, we need to bring it down to one language, one platform, one thing, and that automatically means that we need to combine information, we need to bring different views together. And privacy, I mean, it really can't work very well if privacy is the overall goal. I think privacy is important, and we need to make sure that there is a difference between public and private, but it won't be the way GDPR is telling us.

Thank you, Marcel, and that was the last question for our keynote speaker today. Thank you so much. Thank you.