Where guest writers discuss what they think about the current FSTEU Issues.

For Michael Lardschneider, CSO at Munich Re, security is more than just a job; it’s a passion.
“We know that we cannot win the battles, but we can make it harder for the average attacker”
– Michael Lardschneider, Munich Re Group
Security and business continuity are two critical facets of business today that many organisations ignore at their peril. With the financial loss and subsequent damage to reputation being virtually incalculable, the last few years have seen the rise of a dedicated CSO whose remit is to cover almost every operational eventuality. With 25 years’ experience in security at Munich Re under his belt, it’s safe to say that Michael Lardschneider knows a thing or two about warding off the threats posed to the group. He currently works in the Integrated Risk Management unit, in charge of the whole gamut of security and business continuity; a role in stark contrast to his early days, when he worked on loss prevention strategies for robberies and theft.
A few years into that early role, the opportunity to move to the IT department emerged and Lardschneider grabbed it with both hands. “As a member of the IT helpdesk team I learned a lot about computer viruses,” he reveals. This part of the business became a passion of his as he got a taste for emerging cyber threats. “One Monday morning in 1990 I had to solve an issue with four PCs that did not boot anymore, and my investigations, analysing the MS-DOS 3.2 Master Boot Record and the Partition Table, proved that some malicious code had caused issues with the operating system – the virus also infected me. From then, analysing virus code and investigating malicious behaviour of PCs became a favourite hobby of mine.”
He soon became Munich Re’s virus protection expert and later the Chief Information Security Officer (CISO) for the group’s worldwide operations before arriving at his current position. Down the years he has seen myriad threats, but keeping one step ahead of the bad guys is an uphill battle, admits Lardschneider. “Staying ahead of the criminals and hackers is nearly impossible. It may sound ridiculous, but their big advantage is that they are not limited by laws in what they do – they just test exploits, attack and hack without caring for the existing laws.” Munich Re, like any other organisation looking to safeguard itself against attack, has to abide by strict regulations. These regulations govern monitoring activity on the network, analysing log files and assessing vulnerabilities in systems.
“We know that we cannot win the battles,” he notes philosophically, “but we can make it harder for the average attacker.” One of Lardschneider’s tactics to outfox the villains is to build and maintain a multi-layer defence, which allows him and his team to react when the first or second layer is breached. This proves effective when an attack is perpetrated from the outside, but it is much more difficult to detect and stop attacks by insiders at the group. One such threat posed by malicious employees is their ability to walk off with confidential data that could be sold to criminal gangs. Memory sticks and USB drives are shrinking in size as their storage capacity increases. “You realistically cannot prevent this sort of thing from happening,” the CSO suggests. “Shutting down all the ports where one could extract data from an IT system whilst satisfying the need to communicate is not feasible in my eyes.” He says you need to put faith in your workforce. “The best way of minimising risk is to show, as an employer, that you have confidence in your staff. Letting them know, but not threatening, that their employment depends very much on the success of the company, and keeping them happy and motivated, is the best line of defence against this kind of incident.”
While there is little doubt that it is becoming easier for rogue employees to steal information, the way organisations do business means that defences are becoming increasingly hard to maintain. Ask any CSO or CISO and most will bemoan the fact that company perimeters are being stretched as more staff use mobile devices and connect to the network from all four corners of the globe. Indeed, perimeters are becoming harder to define at all nowadays. “It is a headache,” Lardschneider confirms. “And the headache is getting bigger the more one thinks about how young people communicate today.” He says that the way staff expect to do business and communicate, both internally and externally, has evolved dramatically. The next generation of the workforce is driving this trend.
“Youngsters use their email account if their instant messaging (IM) system does not work or the SMS of their telecom provider is out of order, so the kinds of communication available have changed dramatically from when we were young. In a few years they will be the ones hired and will expect companies to run IM and use social networks to communicate and do their business so you could say that the perimeter has already gone.” He continues: “More and more people have the ‘always on’ mentality so any second that one tries to fight against this development is a wasted second. We need to find solutions to cope with that development.”
Common dangers
While Lardschneider suggests that the human element of any business is one of the biggest threats, information overflow is another important aspect – something that Munich Re is all too aware of. “The amount of information we receive per day is tremendous and I sometimes think that it is more than the average person can consume without driving them crazy.” Filtering this avalanche of information, whilst adhering to the raft of regulations, is “a kind of art”, according to this security chief. “I say this because we have to separate the valuable from the unnecessary and make sure that we follow the regulations with regard to retaining documents, as well as adhering to when to delete personal data and how to store confidential data.” Lardschneider could be accused of understatement when he describes the situation as “not easy”.
He continues by saying that among the main technical risks Munich Re faces at the moment are botnets and malicious software. “These can tear down your complete infrastructure for quite a while and cause a lot of insecurity. You need to assess whether the calculated results are right, or do I mistrust them and calculate a second time in a different environment? Also, which bits of information have been disclosed by an incident?” Another challenge for Lardschneider and his team is cleaning infected systems and preventing re-infection across a global network, including re-infection via unknown backdoors built into web applications.
Second opinions
On the business continuity side, Lardschneider believes that the best ‘testers’ a CSO has are his peers in other companies. You can bounce ideas off one another, point out weak links in the system and suggest how things can be improved, he notes. “The magic words are quality and assurance; we are in very close contact with business continuity experts from other companies and encourage each other to ask critical questions, to evaluate and review concepts, and to discuss emergency plans. It’s the community that shows you risks and makes you think about different scenarios that you have not thought about before.”
Of course, being a reinsurance company means that Munich Re has to seek out third parties to check and assess how it operates, including emergency tests. The results are then funnelled into “lessons learned sessions”, says Lardschneider. “This concept will never be perfect but we can be sure that we did our best,” he concedes. As for the road ahead, Lardschneider says he and CSOs in other industries will be busy following how the economic crisis plays out and how it will affect security and continuity strategies. Assessing crisis scenarios will, of course, feature high on his agenda.
Lardschneider’s time spent in security has taught him that a CSO cannot afford to rest on his laurels because there is always more to be done. “I have been in the business for 25 years and I’m pretty sure that the next 25 years will continue to be very interesting and challenging,” he concludes.
Speed limits
Why business needs to stop thinking about security as an impediment
“Security all depends on the company, its kind of business and its size, but in most cases my advice would be to ask top management this: ‘Do you know why your car has brakes?’ The answer will probably be ‘So I can stop my car’. I would correct them by saying that the real reason is that it allows you to drive faster. You cannot buy a car without brakes, so basic security is built in, but you can equip it with better brakes so you can go faster. This analogy shows that better security also means more chances to be successful. Unfortunately, many managers see security as a road blocker or a hindrance to communications. This mind-set needs to change.”
