From tools to people: Building security culture from the ground up

by Black Hat Middle East and Africa

When Stefan Baldus joined HUGO BOSS in 2006, the security landscape looked very different. There were fewer threat actors and fewer vendors, and the role of the CISO was still emerging across industries.

Over nearly two decades, Baldus has built the cybersecurity function at one of the world’s most recognisable fashion and lifestyle brands, embedding processes and resilience across global operations.

We caught up with him before he heads to Riyadh for Black Hat MEA 2025. We wanted to find out how his perspective on cybersecurity has changed over the years, and why he advises early-career practitioners not to dive straight into security.

Here’s what he told us.

You’ve been with HUGO BOSS since 2006 and built the security function from the ground up. What were the initial challenges – and how do they compare to the major challenges you face today?

“In the beginning it was all about getting the tools in and explaining why the company needs more than endpoint protection and a firewall.

“Later, that shifted towards processes and getting the people's attention. Although I don't think it's possible to get buy-in from every single employee, education and awareness are key components of cybersecurity these days. If people don't click on the wrong link all the time, we as security don't have to worry about if our defense systems really work.”

How has your perspective on security evolved over those two decades?

“Many years back I think security was easier. Not so many actors (good and bad), not so many different threats. Sometimes I think there are as many security tools and companies out there as there are threat actors; but in the end all the tools won’t save you. 

“You need a strong team with the right tools, not all tools, to make security work. Make sure the processes and procedures are in place and try to get your business units prepared too. As always, it is not the question of if – just when.” 

With issues of IP, complex supply chains, and retail operations – are there any risks that are unique to fashion brands?

“I think the mentality is quite different in retail and fashion. Especially in senior management; the focus is on the next fashion show, and sales of course. As the business itself is not really regulated except for GDPR and PCI to some extent, security isn’t on people’s minds as much as it would be in more heavily regulated industries.” 

You recently collaborated with Gartner to strengthen the cybersecurity program at HUGO BOSS. As a CISO, what’s the value of working with external partners?

“External insights from companies like Gartner or any other outside-in view always help. Being so many years in a company, you know your strengths and weaknesses and how things are built. Sometimes a different view is needed and for this, external collaborations can be really useful.”

Finally, what advice would you give to an early-career cybersecurity practitioner as they work to carve out a career for themselves?

“If you can take the time, don’t start in cybersecurity right away. You need to understand how the world works to make it secure. To be effective in security, you need base knowledge in operating systems, networks, development, and how things work together. If you can try to see all of this just a little bit, it’ll help later on with the network or system engineers to also see their side of the coin; and it gives you some grounding for your arguments in the discussions to come.”

Thanks to Stefan Baldus at HUGO BOSS. Get your pass to attend Black Hat MEA 2025 and learn directly from the leading minds in cybersecurity.
