Siemens USA cybersecurity leader discusses how to select cloud-based security tools

Brad Anderson: Siemens has had operations in the US for 160 years. Today, there are 50,000 employees and it's all up to you to protect all those people, devices and IP. When you think about the move to the cloud that has been happening for the last decade, and it's just really accelerating now, what's your perspective on using the cloud, and how can that help you better defend the assets that you're responsible for?

Kurt John: I think cloud is inevitable. It's cost-effective, it lets you scale quickly, and it offers some really exciting, innovative security features. Now, not all cloud providers are created equal; so, it's really important that people are diligent and intentional in making sure that cloud offerings give you three important things:

  • First is flexibility. That's mostly a business decision to be able to scale and reduce as much as you need to in order to manage costs.
  • Next is control. You need to be able to exercise the right amount of security controls within the environment.
  • And finally, you need visibility. You want to see everything that's happening in the cloud so that if you need to adjust, either because of business conditions or a threat from an adversary, you're able to do that.

Brad Anderson: There's always a great conversation between the CIO, the CISO, and the people operating the business units about how to store data – either on-premises or in the cloud. How do you make decisions about where data should go, and what do you need both places to do better?

Kurt John: I'll start with the latter. What we need in both places is an ability to extend what's in the enterprise into the cloud. And then from the cloud's perspective, to be able to push information back to the enterprise. What we want to do is make the relationship between the enterprise and the cloud as seamless as possible.

Now, on what's most important: How well does that cloud provider deploy security controls? And how comfortable does it make me so that if I were to encounter a threat or adversary, I can wrap my hands around it through detective mechanisms and good reporting?

Brad Anderson: I was curious to get your perspective on the diversity of attacks and tactics that you have to be protecting from. How important is having diversity in your team to ensure that you can protect Siemens?

Kurt John: That's a really good question, and I have two answers there. The most common answer you’ll hear from most CISOs is that diversity in the team immediately skyrockets creativity. When you have a team that's both physically and mentally diverse, it just does wonders what they can accomplish together.

For the other part of diversity, which is really important to me, it's social equity. Even before the pandemic hit, we heard numbers like 3.1 or 3.2 million unfilled cyber positions. So, for an industry like cyber, which has such drastic needs or critical positions to fill, it’s really an opportunity for us to contribute to social equity. So many people have historically not had access to certain economic opportunities or they're socioeconomically disadvantaged. For us to take what is a critical need and to be able to fill that need, while also contributing to social equity, I think it's a real opportunity and it would be a shame if we can't grab hold of it and leverage it.

Brad Anderson: I read in an interview that you mentor students from a few different universities. Can you tell us a little about that mentoring and about your mentors and mentees?

Kurt John: There's a myth that to be in cyber you have to be incredibly technical, and that’s just not the case. I recommend finding a discipline that intersects with cyber – it could be anything from cyber policy, international relations, all the way through to your traditional technical roles. Don't limit your thinking. Cyber is only as big as you can make it.

Now, for mentees, maybe this is advice for myself from where I first started out. You have to remember what it’s like to be just out of college. The world's your oyster, and you have that get-up-and-go attitude. So, you need to view these people as just a bundle of cosmic opportunity. And I think the world gets a little bit brighter every time we connect someone with an opportunity. The reason that I'm doing this is actually for my daughters. So when it's all said and done, I'd love for them to be able to be in a world that is a little bit brighter because they have access to a whole bunch of possibilities.

Brad Anderson: You talk about the Charter of Trust. Can you tell us about it?

Kurt John: The Charter of Trust is a collection of large companies who’ve come together and identified 10 principles, with the goal being to build up strength behind these principles and make sure that we keep everyone protected.

Brad Anderson: As you've looked at Microsoft 365, I just would love to hear your perspectives on things that we are doing that you find interesting in management, security, and cyber.

Kurt John: One thing I appreciate about Microsoft, and it's something I think security needs to nail, is you’re being as transparent as possible. This is important because you want to remove the complexity on the front end around security, and then orchestrate the back end. Users can then just focus on what it is they need to do, and not have to be the critical component between a breach and not having a breach. So, I appreciate the variety of ways Microsoft has given organizations the flexibility to engage with security in a way that best fits their needs, so employees and users can focus on actually developing and delivering value to their customers.

Brad Anderson: Thanks for chatting with me, Kurt. If people want to learn more about you and what you're doing at Siemens, where would they go?

Kurt John: They can find me on LinkedIn or Twitter.
