Interview: Fabian Topp
I recently interviewed Fabian Topp, CISO of Allianz Technology SE. We discussed his role and leadership style, and I was keen to find out the most important issues they are facing in 2020!
How would you describe your role as the CISO at Allianz?
The CISO’s mission is not yet fully defined and can vary widely. In terms of the organisational structure, I report to our COO and my job is to address difficult and painful issues. Alongside information security, I am also responsible for business and IT service continuity management. In this regard, we provide our asset owners with advice, we define processes and operate governance.
What are the greatest obstacles?
It’s a very stressful job. IT operates constantly up in the red zone and I believe that this is even more pronounced when it comes to information security. But you have to keep things in proportion and accept that there’s not always a technical solution for every problem – the human factor is often underestimated in our job. I always try to provide mental support for my managers and their challenges, while still keeping an eye on our stakeholders’ interests.
That sounds like quite a ‘benign’ leadership style. Does that work?
Of course. Trust forms the very foundation of how we work together. It’s the only way that leadership can function in a highly complex and fast-paced business like ours. After all, I want to concentrate on what we’re actually doing and not get lost in the minutiae of control. To achieve this, I need a concept that provides me with quick and valid information as a basis for decision-making.
How do you identify the ‘crown jewels’ of your highly fragmented IT landscape?
As Allianz Technology (the globally operating shared services company of Allianz SE, editor’s note), we’ve taken the trouble to precisely define our assets, catalogue them and enter them in a structured form into a configuration management database – CMDB for short. Any IT service can, therefore, consist of several hundred configuration items (CI). These range from the description of our customers’ business processes, the contractual design of the respective IT service and right down to the last individual server. These services are regularly checked and updated semi-automatically. This is then used for a risk-based analysis to identify what’s currently most important.
Medium-sized industry in Germany has been dragging its feet for a long time on the issue of cybersecurity. What recommendations would you give to your colleagues from other companies?
We see a certain imbalance here. It’s true that a large part of our economic performance is provided by small and medium-sized enterprises as well as hidden champions. However, most of the financial investment in cybersecurity is still being made by the big players. That doesn’t really add up. Politics and business must come up with some kind of compromise!
Many SMEs see cybersecurity as a challenge that can only be met with high investments. Can managed security services help to reduce the workload of internal IT, or would you argue for leaving the security issue in-house?
When we talk about responsibility in our company, we differentiate between accountability and responsibility. Someone who is accountable is liable for his asset; in other words, he’s a manager. His responsibility is not divisible and cannot be delegated. Someone who is responsible, on the other hand, is the person who ultimately has to do something. His tasks can quite easily be outsourced to managed services. This was exactly what we had in mind when we co-founded the cross-sector provider DCSO (Deutsche Cyber-Sicherheitsorganisation – German Cybersecurity Organisation).
What are the most important issues you are dealing with in 2020?
The concept of ‘attack-as-a-service’ is already a reality. We must therefore minimize our vulnerability, boost our expertise and cooperate even more closely. Each individual needs to define what digital sovereignty means to him or her and how it can be defended. Alongside the ‘business as usual’ we all must deal with on a daily basis, we’re still trying to be that proverbial one step ahead. That’s why we are cooperating, for example, with a renowned German university and across our own networks. At an international level, we represent the insurance industry – for example, in the ‘Charter of Trust’ initiative – and deal with issues such as education, the value chain, certification and efficient governance in the context of information security.