Matthias Muhlert (ECSO CISO Ambassador, and CISO at Haribo) is a CISO with more than two decades of diverse security experience – from developing and implementing security processes for organisations, to leading governance programs and strategic development.
We caught up with Muhlert ahead of Black Hat MEA 2023. He told us how a single thought-provoking question changed his approach to cybersecurity, and why it’s important to set organisation-wide common goals to drive effective, collaborative security.
“With over 23 years of experience in the field of IT security and information security, it is likely that certain aspects of my journey will be omitted for the sake of brevity. At the onset of my career, my focus was primarily on implementing security technologies such as firewalls, IDS, antivirus, and backup solutions. However, I soon came to realise that in order to excel at defending systems, I must also comprehend the intricacies of breaking into them. Hence, I pursued the role of a penetration tester in addition to my existing responsibilities.
“After juggling these two roles simultaneously for a considerable period, I felt compelled to become a teacher in the domain of cybersecurity. This decision forced me to contemplate security at a deeper level and enabled me to convey my expertise to others.
“One moment that had a profound impact on my professional trajectory occurred while performing a particularly captivating penetration test on an oil platform (which, incidentally, was the only time I ever travelled to work via helicopter). During this test, I stumbled upon several systems with no administrative password set. In the ensuing conversations with the client, I was posed with a thought-provoking question:
Do you believe an administrator should remember their password if the platform was on fire?
“This simple yet profound query made me realise that information security is not merely about technology, but also about the people and processes involved.
“Since that moment, I have shifted my focus towards information security and have held various positions in diverse industries such as banking, telecommunications, and automotive. However, even to this day, I find it imperative to stay connected to the latest technological advancements. This allows me to swiftly evaluate critical situations and determine the associated risks for a company.
“One of the most enthralling aspects of my profession is the diverse range of responsibilities that I undertake. My job allows me to engage with individuals across the entire organisation, collaborate with cutting-edge technologies, travel the world due to work requirements, interact with exceptional intellects, exchange ideas freely (as security is not a competitive subject, and information sharing is often mutually beneficial), keep abreast of emerging trends in technology, and so much more. I reckon that few professions can match the breadth of experiences that my role offers.”
“Drawing from my personal experience, working across national borders and communicating in multiple languages is not as daunting as it may seem, provided that a shared objective has been established.
“For instance, by setting a common goal such as cyber resilience, which involves bolstering an organisation's capacity to prepare for, adjust to, and recover quickly from disruptions, everyone can work together towards a common purpose.
“Admittedly, the working style and approaches taken may differ based on cultural differences and unique work environments, but the overarching goal remains the same. In my experience, it is crucial to hold in-person meetings at least once a year to share stories, experiences, and work methodologies to build a collaborative spirit that underscores the shared objective.
“However, when dealing with various authorities and third parties across different countries, matters can become a tad complicated, especially when it comes to responding to cybersecurity incidents. The differences in regulations and approaches to incident management can impose additional challenges that must be addressed in a comprehensive manner.”
“I previously designed a model for information security called the dynaxity model for information security. In essence, the model suggests that the more dynamic and complex the environment in which a company operates, the less it can be governed by rigid regulations. Instead, the emphasis should be placed on providing guidance at the appropriate level rather than imposing stringent rules.
“What does this mean in practice? For example, rather than regulating the use of specific technologies, the focus should be on ensuring that the technologies employed possess the necessary capabilities to achieve the desired level of security. This approach offers two primary benefits: it enables different regions within an organisation to operate in a fast-paced environment using various technologies while reducing dependence on a single technology.
“Thus, it is feasible for both things to coexist, or to put it another way, to maintain parallel structures of guidance and rules, which can contribute to overall effectiveness, particularly due to the flexibility it affords.”
“I am not entirely certain if ‘worried’ accurately describes my sentiments on this matter. In my opinion, whether it is generative AI or any other form of AI, it does not introduce new threats that did not already exist. The only significant impact of AI is that it makes certain attacks more accessible to a wider range of individuals and accelerates the pace at which such attacks can be executed. Therefore, we should concentrate on implementing controls that tilt the economy of attacks in favour of the defender. One effective way to initiate this process is through the use of deception technologies.”
“Attending Black Hat MEA holds immense value to me for a multitude of reasons. First and foremost, the evident enthusiasm that permeates the event never fails to invigorate me.
“Furthermore, the attendees' open-mindedness towards a variety of topics and their unwavering ‘get it done’ attitude leave a lasting impression. Additionally, the inquisitive nature of those present, who eagerly explore novel technologies and methodologies, is truly inspiring.
“I always leave these conferences enriched, with new ideas and renewed confidence in my own approach. There is no better way to exchange ideas and engage in thought-provoking discussions than with some of the brightest minds in the industry, who share these characteristics.”
Thanks to Matthias Muhlert. Want to learn more? Register now to attend BHMEA23.