German companies and decision-makers are still hesitant when it comes to the digital transformation of their businesses. Especially in an international comparison, Germany is lagging behind. Innovations are only implemented when an (international) proof of concept has been provided. Where does this hesitation come from?
Neff: I don't quite share this opinion in practice. Often it is not obvious to the outside world in which stages the digital transformation is taking place. The big success is still the unachieved goal, but many sub-areas - even those of the public sector - are moving in this direction. Yes, in Germany we are perhaps somewhat more conservative due to regulations, governance and other legal requirements. But in all areas - and here at the forefront of security - digitisation starts much earlier. The approach here is to drive innovation forward, to preserve what already exists and to do so with little risk.
Are German companies more attentive than average to security threats? According to the Deloitte Cyber Security Report 2018, 93% of all companies were already affected. This contradicts this assumption for the time being.
Neff: Cyber attacks also offer an opportunity to harden the system and don't always have to cause damage. Honeypot strategies, for example. Prevention is an important aspect of security, risk management and governance. I believe that German companies can keep up here in international comparison. Nevertheless, attacks are taking place on a daily basis, because everyone can now download and use the appropriate tools from the Internet. This 93% merely means that threats are latent 24/7 and must be taken into account. The damage they cause is a different story.
Haas: I believe that cyberattacks will always take place - and more and more frequently. It's more about how to deal with it: especially how quickly you discover attacks and what measures you have to take against them. And the Germans are already quite well positioned: They inform themselves and equip themselves because they know that cyber attacks cannot be avoided. There are solutions here that are faster, better and even more proactive against cyber attacks. Micro Focus can support you in this.
In your opinion, what would be the top 3 measures to ensure that incidents can be detected and stopped as quickly as possible?
Neff: On the one hand, this is the area of analytics to detect when attacks take place. Secondly, systemic prevention is applied to the users. Thirdly, these must be paired with a security policy that complies with compliance regulations. Almost all large companies have already implemented such prevention measures.
Haas: Exactly. And among other things there is the area of "User Behaviour Analytics". Here critical incidents and critical constellations - including cyber attacks - can be identified via machine learning. Such solutions recognize, for example, when an employee suddenly downloads more than 500 documents per hour instead of his usual two. This is a very simple example, and it shows in a simple way that attacks are often only noticeable in a complex combination of incidents. User Behaviour Analytics is an important initiative to be able to respond to very advanced types of cyberattacks. And this in three areas: How can I securely manage my identities? How can I securely manage my applications? And how can I securely manage my data?
Talking about solutions: How can a company that is well positioned in individual areas ensure that it moves from patchwork to a resilient strategy? How can such a strategy for a digital future be developed today?
Haas: A security strategy for digital transformation should be developed primarily from different perspectives. Always in focus: identities, applications, data.
Five steps can be derived for this purpose: First, you should have a Breach Defense strategy, i.e. a holistic security framework, to identify attacks at all, to protect against them and to be able to answer them. The next step would be to establish application security. So far, the focus has been on firewalls. The security of business-critical applications, which are constantly evolving, often fell by the wayside at the expense of rapid development of important features. The third area is privacy, i.e. the security of sensitive data. What are these and how do I protect them? Depending on the sensitivity, scaling measures are necessary. Then there is the topic of compliance: How can I ensure that I comply with all guidelines? Finally, there is the issue of governance. Implement policies that control how data, applications, and identities are protected.
These five areas should be considered when developing your security strategy.
In addition to the general challenge of keeping up with technological advances, other individual hurdles are emerging. What special circumstances, problems and obstacles do you see for the IT infrastructure internationally - and especially in Germany?
Neff: An important question is: Where is the data located, and in which data centers? This is a fact that I still see as an obstacle at the moment. Because it has to be guaranteed that all data is at the desired location.
For this reason, many people opt for their own hosting. Nevertheless, almost every company already has cloud applications - whether it's travel expense accounting or something similar. Hybrid environments are slowly gaining ground. Of course, this also depends to a certain extent on European laws, employee representatives and outsourced systems. These are fundamental questions that need to be decided first. Only then can safety issues be addressed.
Many companies are already working at full capacity to adequately secure their existing processes and infrastructures. How do they create the capacity to expand digitization in their operations?
Neff: For many medium-sized companies, the service aspect is at the forefront here. How can an internal problem be relocated to an external location and solved? The aviation industry, for example, is leading the way: When you see how quickly you can search, book and track flights today, it becomes clear how strongly the service concept has migrated into the mobile world. I believe that mobility is currently the biggest digital aspect in which medium-sized businesses find themselves: Speed up processes and digitize interfaces to customers. There are enough starting points here to save internal systems. As a result, many will no longer operate their core technology in-house, but will rely on hybrid worlds to provide capacities and performance - always paired with the aspect of security.
What is your top tip for securing business processes?
Haas: When you say "I don't have enough capacity", automation is always a sensible measure. As a result, new capacities are freed up for innovation, or more innovation can be driven forward with existing capacities.
Neff: The key aspect is that many companies are still too busy with administration. The time savings achieved in this way provide scope for innovation. How can I defuse administration, outsource or get advice? That should be the most important question. Because that's not only how you buy time, but also money.
Haas: The goal should be to achieve this freedom skillfully by maintaining and using what already exists. Instead of throwing everything out and re-implementing - including important applications - you should rely on the skilful use of existing systems. The time saved can then be used for innovation. For example: Many applications are written in the programming language Cobol. Companies don't want to leave these for various reasons, so you have to make sure that applications developed on Cobol are also available today on various platforms and mobile. Micro Focus can support you in this.
Mobile security is currently a big issue everywhere. Is mobile security a central area in the overall security cosmos - or is it just a side effect?
Neff: I think it's a key issue. Especially when you consider the current statements of the German government on the right to a home office or our children, who naturally use the smartphone as a "PC"/main device. The topic of identities is an absolute must for this. And I believe that these prerequisites are not side effects, but important core issues for the digitalization of the future.
The times in which all IT processes could be easily overlooked are also over with compliance and governance mandates. How does IT today ensure seamless monitoring and full attention to potential threats at all times?
Neff: Although there are secured core areas, every company still offers entry gates in some area. So I think the big picture starts much earlier: with SecDevOps. To what extent are the systems already afflicted with security aspects in advance? The fact that companies deal with such issues at an early stage is the big difference in digitization. Because many gateways only arise if these possibilities are not taken into account, e.g. security gaps in mobile apps.
SecDevOps thus becomes the basic IT infrastructure on the basis of which everything else is planned. What needs to be considered when introducing SecDevOps?
Neff: For me, the overall security consideration is an absolute must. There are many other variants, but a holistic approach is the key word. Of course, there are many individual measures involved, but a comprehensive storybook is needed to be worked through.
In many companies, nothing works without the cloud. In many places it even becomes hybrid. Do you have any last tips for companies?
Neff: Managing hybrid environments in the cloud, including all security aspects, is one of the biggest challenges facing German industry. The faster companies prepare for management in these hybrid environments, the faster the implementation will be. From classic monitoring and deployment to the manageability of these cloud providers themselves - this flexibility is related to the agility and dynamism of the company to deal with these issues. No German company can avoid this topic any longer.
How do you support companies with a secure digital transformation at Micro Focus?
Neff: We at Micro Focus help companies by providing investment security and promoting digital transformation. We span the spectrum from mainframe to mobile, on-premise, off-premise, hybrid etc. in all areas. Always paired with security to do justice to the necessary agility. Our experience of the last 42 years will certainly help us.
Thank you very much for the insightful interview!