Michael Oberlaender is an eight-time global CISO and currently provides CISO consulting services for organizations worldwide. His thirty-five-year career in IT and security has centered on the development of strategic, enterprise-grade security programs that empower business growth.
We recently had the chance to speak to Michael about his thoughts on the industry, his start in cybersecurity, and what it means to be a CISO - now and in the future.
How Did You Begin Your Career in Cybersecurity?
Michael Oberlaender (MO): I was very interested in IT during my youth: software development, networking, infrastructure, databases, everything.
That led me to be curious about how things worked. What I discovered was shocking. These systems were built on sand (back in the early '90s): so much there but so little protected. I couldn’t believe it.
At the time, I started doing what we very commonly do now: setting up firewalls, spinning up antivirus solutions, defending against whatever worms were targeting us at the time. I started doing this on the side, but soon it became full-time.
By 1999 I was CISO at Europe’s largest sugar manufacturer, where we built the security program from the ground up. To this day, the work our team did there 25 years ago has held up: to my knowledge, they have never experienced a major breach.
How Has the Role of CISO Changed in the Past 15 Years?
MO: Technology always changes, as AI has shown us yet again, but not much has changed in the role of CISO. The core principles are the same and are mentioned in my book, Global CISO – Strategy, Tactics, and Leadership: How to Succeed in InfoSec and Cybersecurity.
First, your character must be built on absolute integrity. If it is not, you cannot perform security or be responsible for your organization's security.
Secondly, you need executive skills. Critical thinking, the ability to challenge what you see, and the ability to make the best judgments based on your observations. This requires executive leadership and a strategic mind.
Third, you need to be a talented communicator. You are the liaison between the boardroom and the cabinet room (where the battle plans are drawn). You must communicate your strategic vision to the rank and file. You are responsible for effectively explaining and changing culture. This takes time, consistency, and clearly laid-out plans.
Fourth, you need to be an expert in cybersecurity. Many people today would disagree with this statement, arguing that the CISO is nothing more than a leadership-driven executive position. But you cannot guide a strategy you do not understand; deep cybersecurity knowledge and expertise are what set CISOs apart from other board members who stand on the outside, looking in.
What Are the Biggest Challenges a CISO Faces?
MO: There are two: building a culture and getting teams to understand that security is not a one-off process.
Building a cybersecurity culture
Building a culture where every team member feels that security is their responsibility takes time. But it is also worth the effort.
Do this, and your work will pay dividends throughout the company’s lifespan. Don’t do it, and you’ll be fighting for funding and cooperation your whole time there.
Building a culture goes beyond sticking a slogan on a wall. It requires changing behavior, which comes down to constant watering, education, and business alignment over time.
Convincing companies that security is a process, not a project
Many organizations assume that cybersecurity is a point-in-time project: you hire a CISO, fix the problems, and go on your way. This is not the case.
Once you hire a CISO, the real work begins. That CISO needs to be empowered, given resources, given access to key stakeholders, and then given the time to accomplish their goals. This will take years, and will never stop, because attack methods, technologies, and environments are always evolving.
Plus, you can’t fix in a month what years of bad IT have built.
What Are the Biggest Threats the Security Industry Is Concerned About Now?
MO: AI, of course, and quantum cryptography. We’ll leave AI to the side for now and dive into quantum.
Quantum cryptography is no longer theoretical, or even something vaguely on the horizon. It could happen tomorrow, and many nation-states are already making unsettling progress.
Within a maximum of ten years, attackers will have the technology to break in seconds what would have taken billions of years before. At that time, every organization currently secured with RSA or any other industry-standard encryption will be vulnerable.
In my book, Premier CISO – Board & C-Suite: Raising the Bar for Cybersecurity, I call it the “quantum Y2K” (or Q2K, if you will).
The technology to prepare is already out there, but there is a lack of action. CISOs looking to do their homework should ask:
Where do we use encryption?
Which encryption algorithms do we use?
What kinds of keys do we use?
Who is in charge of key management?
Then, stay up to date on the latest developments and be ready to act.
What Is Something Companies Still Get Wrong About Cybersecurity?
MO: Two things come to mind. One: thinking that CISOs don’t need direct board access. Two: thinking that CISOs can be outsourced.
CISOs need access
To do their jobs, CISOs need access to the company's top brass. This means anyone in the executive suite all the way up to the CEO. What a CISO does depends on their ability to understand the company's highest priorities and gain visibility and insight at the highest levels.
Separating CISOs from this level of contact ties their hands and prevents them from doing the job you paid them to do.
CISOs must be internal
As a CISO myself, I can always sniff out when a company has hired a vCISO or vCIO to do a deal. They do not understand the nuances of the company as a real CISO would, and the security program will reflect that lack.
If you can’t afford a CISO or CIO, you can’t afford a security program.
Any Advice on How to Handle a Data Breach?
MO: You need to be the calmest one in the room. A CISO sets the tone for your organization during a data breach. In my first book, C(I)SO – And Now What?: How to Successfully Build Security by Design, I go over how the post-breach process has been handled at various companies (all anonymized) and show that the cool heads prevail.
I’ve helmed multiple crises at various organizations over the years, and regardless of how I feel on the inside, I do my best to project an image of calm on the outside. Now is not the time for panic: focus, reset, and start by bringing the most important people in the room to tell them what you know.
The most important thing is to learn from the breach. This allows you to prevent it in the future. If you don’t, you’re just waiting until the next time you get hit.
What Keeps CISOs Up at Night?
MO: The unknown unknowns. If I understand we have a problem, even if I don’t fully know what to do yet, I can study it, prepare, research, and eventually find a solution.
But when I don’t know what we don’t know, there is no way to do anything but sit and wait and hope. This is a common problem among CISOs, and losing sleep thinking about it is a common occupational hazard.
For the time being, we are forced to work with what we do know and keep moving forward.
Cybersecurity for Your Industry
Your industry is unique. Your cybersecurity stack should be, too. Fortra® offers cybersecurity solutions to meet the challenges and compliance requirements of industries around the world.