We need to create a secure culture

Interview with Birgit Hess

Birgit Hess is the Cloud Security Awareness Lead Europe at SAP. A very interesting title, but what does it entail and what can we learn from her? I had the opportunity to check in with Birgit Hess after her participation at the SAP data kitchen in Berlin and ask a few questions.

What is your current role and what does it entail?

My current role is Cloud Security Awareness Lead Europe. The role means that I raise awareness of security and support our sales team in how we make the cloud business secure, so they can pass this on to the customers.

But also, I talk to the customers directly. For the clientele that are new to the concept of cloud it can be a lot of information to take in. They often feel hesitant and need to know how we make the cloud services secure and protect their data.

I sometimes call myself a translator for the cloud security topic. Someone who stands between the customers’ language and the language of the regulations and technological terms.

I also provide the enablement for our presales team. They are the technical sales people who make the demonstrations of the solutions and explain the functionality and features to our customers.

Additionally, I give speeches. Inside as well as outside of SAP. My speeches aim to raise the interest and the awareness around the different aspects of security. I find this topic very interesting and I want others to see that too.

Let’s go back a little. How did you end up in this role? Was it something that you aimed for or was it something that you discovered along the way?

I actually stumbled over the topic. Originally, I am a bioengineer, which gives me an advantage because it helps me to think in structures and processes. When I was working in presales for solutions for our cloud business, I received a lot of questions about technical measures around security.

From there I started to get curious and decided to educate myself in the field. Within the SAP network there is a lot of expertise available at your fingertips. So, I simply reached out and met someone very passionate about this topic. They started to train me and soon enough I fell in love!

Can you share with us what it is that you do and what a typical day looks like to you?

I have to say that I have no typical day. And for that I’m thankful since I’m easily bored without new tasks. Instead my job is very diverse. I often handle the requests from our sales team. That can be questions regarding solutions or details for the contracts. The actual contracts are handled by the legal department, but for the technical details I can assist and describe how we implement the requirements.

I give several presentations and I get invitations to speak internally and externally. Also, I get asked to participate in panels. Or sometimes I just get pulled into internal projects for awareness strategies or communication topics. Always new approaches and aspects to take care of!

What would be your advice to someone who would be interested in getting where you are but is not really there yet?

Don’t be scared. As you can see, I was completely outside of this role myself. Start by using the tools around you. In my case I had the luxury to have several experts inside my company, but if you don’t, there are a lot of opportunities to join networks, read articles and ask around. People with knowledge are often passionate about their topic and want to share.

What have been the most career-defining moments that you are the proudest of?

For me there have been three milestones where I felt that I wanted to be and that I was going in the right direction.

The first one was when I first started to learn about the data security topic and talked to my colleagues who gave me their positive feedback. “You got that right! It is complex but you got it.” I realized that I could actually pick this up and that I was good at it. My ability to organize and structure my thoughts served me very well.

My second milestone was the DSAG (German SAP User Group) conference where I was the moderator. Two days with over 2000 experts on data protection and privacy gathered to discuss all about the topic. During the conference I felt that I had a lot to learn but I also realized that I knew more than I thought. Afterwards, I again received positive feedback. The participants told me how they appreciated a moderator that knew so much about and was well trained within the topic and that I really could give a good view for the Q and A section. This gave me confidence. Even being measured together with these experts I felt confident within my topic.

And the third one was last year when I had the honor to be invited to the Ada Lovelace Festival in Berlin. I gave a workshop on my favorite topic, “I have nothing to hide”.

There I managed to inspire people to a topic that they thought was going to be dry. In their feedback I was told that they were surprised that there were so many things that they simply weren’t aware of, but also that learning more about data protection can be entertaining.

To engage my listeners, I make sure to use real life examples that can occur in our everyday life rather than make it too academic. That communicates clearly that it is real. And that we need tools to handle the topic. I also discuss the fact that we need to better understand the technology that we use. For example, how to manage security settings on our laptops, home networks or mobile devices. For many of us this is new. Especially since the vast majority didn’t learn this in school.

Therefore, I also give workshops for parents and kids together. The parents feel hesitant about the security but do not always understand the technology while their kids understand the technique but may lack fear. Often the parents have a gut feeling, but not all have the explicit examples of why there is a reason to be careful with your data. I provide a joint language for the parents and the kids together to help them set their rules and to understand the need for caution.

So, looking at this a bit more generally. What is security to you and where is it needed?

Security is the core for our digital future. We have to treat it with care, and we have to understand that if we don’t there can be high risks to our business and to our society. At SAP we realized that a long time ago and we do a lot of things to ensure that our company is as safe as possible. There is no place where it isn’t needed.

For me personally it is the best place to be right now. It is my favorite place! We now experience changes on a daily basis. And therefore, we can no longer close our eyes, cross our fingers and hope for the best.

How do we need to approach security in everyday life? As a company and individuals. Especially for the usage of Cloud.

For companies it is important to have a really strong security strategy.

At SAP we have a security vision that I like: “We continue to drive security into the heart of the application and to excel in secure collaborations for ultimate protection of content and transactions to efficiently help the customers to define, plan and execute measurements for their secure digital transformation.”

It basically says that we drive this from within ourselves and that way we want to ensure to make it as secure as possible for the customer. We use three pillars: secure product, secure operation and secure company.

For our products we want a security by default where we aim for zero vulnerability. Where everything is set up as secure as possible from the beginning. We have the data of the customer, we do the transactions, but we don’t want to know anything about the data. This is about the architecture.

The second pillar focuses on how to operate. And this is a change. In the past we sold the product and the customer was responsible to run everything securely. But with the cloud we have a shared responsibility. We have to ensure that we have infrastructure, secure networks and all our partners need to be a part of this secure ecosystem. We want them to run their operations and system as safely as we do.

To make this complete we have a third pillar: secure company.

We need to create a secure culture. This is key, not only for SAP but for every company. Everyone needs to get involved and realize that there is no gatekeeper at the end of the chain who can protect the whole company. I like to use the image of one single person with a snow cannon at the end of a glacier trying to stop global warming. That is not going to work.

For individuals I urge you to slow down and think. With very basic awareness you cover a lot of threats. A lot of people do already have a gut feeling, that they unfortunately ignore. Think before you click. Read before you agree to additional links and popups. Take your time to do some research. Even just a little can be very useful.

My tip that I give to people in my surrounding is: Don’t share too much about yourself. Don’t make yourself a target. Maybe send your whereabouts to the people that you want to communicate with in an email rather than a public post. Think about whether it is worth it.

When it comes to cloud usage we need to see to our mindset and change the approach. A lot of companies, when they take their first steps into the cloud, struggle because they try to transfer their current habits of running their current IT system into the cloud. That is very difficult. At the point where they are doing it all themselves, there is a feeling of control. So, once they start to hand over to someone else, they experience that they are giving up that control. Therefore, they have to make the decision if this is something they want.

But then there is a huge advantage if you have a good cloud provider with capacity, knowledge, bandwidth and experts. Business owners today are up against a huge wall of regulations and threat landscapes. A cloud provider can step in and handle this. And once the companies start to see that it is not about losing control but sharing the responsibility, they also start to see that the right cloud provider is a big advantage to them. And that is the core, that is what cloud should be.

What are the biggest myths about security? What misconceptions are you running into the most?

For individuals I hear “I have nothing to hide” or “My life is so boring, why would anyone care?” But the information is out there and can be misused, we have to think about the results.

From a company perspective a very common one is: “IT and security will fix it.” But as I mentioned earlier, this is not enough. Everyone needs to contribute and stay alert.

What changes and challenges are you seeing?

Everything is getting more professional. It is getting easier to steal data than cars. The scale is also getting bigger. The criminal activity is no longer single hackers that are working alone, but organized crime. The nature of threats is changing on a daily basis.

New regulations are popping up everywhere and they as well are more complex. Getting people up to date with this is a big challenge. We need more talent for this and so does the whole industry. Not being up to date will not only open up a risk towards illegal threats. Companies who are not making sure to handle their data properly in alignment with the GDPR also risk severe legal consequences.

How do you at SAP keep your employees up to date? Regular as well as security staff?

We have mandatory training sessions. For our awareness team but also for all our employees. Everyone needs to know how to handle the threats as well as their obligations.

A popular way to educate is to gamify. At SAP we have created a virtual escape room. In order to get out of it, our coworkers have to answer security questions and solve security puzzles. We have had a lot of good feedback for this. We have also arranged a hacker competition where SAP coworkers from all over the world work together to hack simulated situations. During these sessions the participants can share their knowledge and upskill each other. This is a good way to strengthen the awareness, the skills and the teamwork while having fun.

Is there anything you want to add before we round up?

Security is important, it is a shared responsibility for everyone. And don’t forget that this is a fun and exciting field to work within. We certainly need more diversity.

There is still a lack of balance so I would be happy to see more females as well as people from different intellectual and cultural backgrounds approaching the topic. If you are currently in another field, you can always join in. Regardless of your background you can keep on learning. So, don’t worry if you are not an expert yet.

Thank you so much for participating!

The interview was conducted by Emelie Gustafsson