A
Welcome to Cyber at the Top, a podcast from RSAC that unpacks real experiences, lessons learned and practical strategies from CISOs at some of the world's leading organizations.
B
As cybersecurity becomes more tightly linked to business performance, CISOs are under increasing pressure to explain risk in clear, measurable and financially grounded terms. Today I'm speaking with Matthias Boucher, Group CISO at Heidelberg Materials. Matthias is a leader who has helped translate complex technical threats into business language by using risk quantification to standardize metrics, strengthen communication with boards and guide smarter investment decisions. We'll discuss why this work is so challenging, what's missing from today's measurement methods, and how applying financial rigor can reshape how organizations prioritize and manage risk. Let's see what we can learn from his experience. Matthias, welcome. Thanks so much for being here.
A
Great pleasure.
B
This is such a fun topic. It's the bane of the existence of many cybersecurity professionals, I think, this risk quantification topic. But before we get into it, can you start by just giving us a quick overview of your role?
A
Yeah, I'd love to. Thank you for the nice introduction here. So I'm the Group CISO at Heidelberg Materials. That's a 25 billion US dollar company, 50,000 employees operating in 51 countries, heavy building materials, so boots on the ground, I would say, from a business perspective, and we tend to do things differently. We also did it in cyber, like three years ago. We relaunched the organization, and I don't have the typical CISO setup you would expect, so I'm also directing enterprise digital risk. So everything related to it: the classical CISO organization, including the SOC, the security awareness program, the security office, consulting, as well as resilience and business continuity. And this gives us the possibility to really handle digital risk very cost-efficiently and at scale. This means from risk discovery to risk treatment, we have all in one organization, which is a more unique setup, I would say. And per se, security and resilience is not only a profession for me, it's always been a kind of passion. So I lecture at universities as well as serve on multiple advisory boards, and in the context of cyber risk quantification I'd also like to mention my friends from the FAIR Institute, as I was on the board of directors globally, and we are pushing the topic very, very hard and relentlessly here.
B
That's fantastic. And FAIR has done such amazing work in this area. I think they really push things forward. It's such an interesting topic. It's always been a challenging area, not just for CISOs but for cybersecurity in general. Why do you think that risk has been so challenging to quantify in cyber?
A
I would say there are three dimensions I want to touch on in this topic in question. So let's use something common and stay very, very lean and non-complex here. We're going to go for the people, process and tool dimensions, and I'll explain a little bit what each dimension is like. Let's start with the people challenge. I think, you know, in cyber per se it's always people who make things happen. You need technology and process, but people are key. And let's be honest, for a lot of CISOs who were more technical, familiar with technology and, let's say, operational KPIs, talking in millions of US dollars is not their home turf. This means this is not the natural habitat. And you see it also at RSA Conference, you know better than anybody does, here we are talking a lot of technology, right? Sometimes less the people dimension of things as well as the business output of things. But we see that clearly shifting. We are always talking about the topic now, right? Second, the process dimension. The process dimension is really that many CISOs are embedded in the CIO IT office, right, and exposed to a limited amount of company value processes sometimes. So they don't really talk too much to the business stakeholders who are really responsible for a P&L, and they are more on their home turf with the teams left and right, and the exposure to the stakeholders is missing. So you don't learn and have this proximity to some topics, and we need to get closer to other stakeholders than in IT, where we are very well embedded. But this is really changing and CISOs are getting more leverage. But sometimes there's missing capability on that side, like enterprise risk management integration. And this is just a piece of the cake, right, which you see here. So if you're missing the whole cake and you don't even have this department, it's very, very hard to accomplish.
So you also have to honor that sometimes, let's say, the preconditions for getting this quantification set up with the enterprise risk management are crucial and are missing. And last but not least, tools. This is mostly the home turf of the CISO: getting, you know, things at scale, wanting to drive things forward. You always need tooling, right? But the industry is really, really developing here. So there are very big players out there which can help the CISO to achieve the targets. But you know, a fool with a tool is still a fool, kind of. So I always say you need to crawl before you run. So I always encourage my peers: look into the methodology and the value first and then look at the tool landscape. Otherwise you could end up with wrong expectations. But I would think in these three dimensions you see a lot of tension and a lot of preconditions you need to fulfill. This is why I can understand that some colleagues are really struggling to pivot to new ground.
B
You put it so well. People, process, tools, but how do you link it to the business? Are you able to talk in terms of the business? Can you relate it? And I sit on several boards, and I'm sure you've seen this with some of your peers too. It's so wildly different how cyber reports out to the board. There's not a common set of "here's what we're measuring and here's how we're getting better or here's why we need investment." It's almost completely different company to company. And I wanted to ask you about this: why do you think standardization of metrics will be so important, and what's missing from the way that we're currently measuring cybersecurity programs?
A
Yeah, it's a very good question. So let me phrase it like this. I like to be very lean and non-complex here. I would say every real profession has standardized, clear metrics, right? Whether it's a builder, it's an architect, or even, you know, in this company space, the chief HR officer. You know, there are clear KPIs, from time to hire, cost per hire, offer acceptance rate, attrition, voluntary and involuntary turnover, tenure, employee NPS, workforce cost ratio. So you see there are very, very clear metrics which are used company- and vertical-agnostic. And this profession has really built that out, and when a chief HR officer steps up to the board, the scene is kind of set. So I hope, if a chief HR officer steps up to you, where you're a board of directors member, you see a similar kind of reporting set of KPIs and have a clear understanding and comparison across verticals. In security, as you said, we see a different picture, and there are a lot of very operational KPIs which you see also sometimes in some board reportings, when it comes to EDR coverage, mean time to detect, mean time to contain, which help to measure, or compliance KPIs, right, NIST score. You see that a lot in those boards, and you know, it's not easy then for the board, if you're not a tech-savvy person, to connect this to the business outcome. Whereas even if you're not an HR-savvy person and you hear cost per hire, and you know this is triple the cost in another company, you can give advice and say we have to look into this and have to, you know, get this in a different direction, and take it very easy. When you need a lot of explanation and engagement to explain the value of a KPI, it's mostly not a fitting KPI. Very easy example. You would step up to the board of directors as a CISO and say, hey, we need to increase our EDR coverage by 10% and this is US$1 million. And the benefit is we have better coverage, lower MTTD, lower MTTC. This is not very business-intuitive, right?
They just say, okay, that sounds good, I trust you. Then you might have, as a for-profit company, a tech-savvy person, right? But value is measured differently when you look at for-profit companies. It's measured in order entry, revenue, rentability, profitability and market share. So how about not connecting that, right? You lose a big opportunity, in my opinion. So we have to link those KPIs to drive better decisions. And let's take it the other way around. You would say as a CISO, our EDR coverage plus 10% would cost us 1 million US dollars but would drive down our risk by 10 million, which gives us 10 cents for the dollar, which is in our vertical a very, very good value. So it's a good return on security investment, and it also helps us in our insurance premiums around that. So in a nutshell, CISOs are technically good in more operational KPIs but worse in business KPIs. And this really drives and enables understanding also for non-tech or security-savvy members of the board of directors. Right? And this is what we have to look at.
B
You're so right about the struggles in general for CISOs to communicate with the board in business terms and business language. And you know, you think about especially public boards: folks are serving on multiple boards and they're in completely different industries. They might be on the board of directors of a manufacturing company and then they're on the board of maybe a tech company, and things are different for them. And so they're expecting commonality. And you brought up this HR example, which is a great one. They're probably going to see some commonality among their boards. How does this methodology of being able to tie cybersecurity investment to risk, or buying down risk, in financial terms help translate into a language that leadership can really understand?
A
Yeah, I touched on this a little bit before, but you see most CISOs struggle due to complex KPI sets to link. They are operational KPIs for non-tech-savvy board members. Right. So translating your programs into known KPIs is a big plus, like the CHRO example, as you can talk to a broader audience. You also mentioned that. Right, because you don't need to focus specifically on only the tech-savvy board members, and you get a better understanding and buy-in in those decisions, as mentioned before.
B
And how do you think it helps chief security officers and even the board think about prioritizing investments? Is it just a straight return on security investment? I have these possible five things that I can do. This one has the highest return, thus we should do it. How do you think about prioritization?
A
Yeah, I can tell you out of my own three-year journey now in this topic, and also stepping up to the board of directors twice a year. The discipline of cyber risk quantification and driving better decisions is a very mighty sword. So based on hard metrics, it helps you to understand where you're investing and what's the burn-down. So you have to be honest. Every CISO runs a massive security program with a lot of initiatives. So it goes from security awareness to security operations, compliance. So naturally budget in a for-profit organization is tight. So I don't know anybody who says no, we have infinite money to spend; that's not given. So you are always tight on budget. It doesn't matter how good your company is doing, because you want to also support the five targets you're out here. So you have to distribute a certain amount of money and allocate it in the right way. And you know, often we do this on a gut feeling, and why not do it by a clear business case? Because a gut feeling, you know, sometimes humanity is very bad at predicting, and we try to predict the cyber things. We visit RSA, we have those discussions around it, right? And then, you know, you make up your mind. But why not put also hard numbers and skin in the game here? So, and especially also, I can tell you, I would say you also want to compare to your peers and benchmark to your peers in the industry, whether it's your competition or co-competition, to see what they are doing. Because when you don't try to frame your cyber program as a business value, it's very, very hard in future to also secure budget if you don't have strong quantification as well as standardization. Because the natural question I always get on the board of directors is: how do others do, how is their spending, how do they allocate funds? And I have to have an answer, and if I say, yeah, the other party has like a 5% lower EDR coverage, this is not really translating into business value.
But if I can step up and say, and I do that on a regular basis, I spend lower than our next key competitor, you know, and I'm a cost center here. And we are a heavy building materials company, we are not a tech company, we're not a security company designing security products. So every cent for the dollar to save there helps to position us better in the market. Either it's for order entry, revenue, rentability, profitability or market share. And this gives a very, very strong message towards those very, very senior people sitting on multiple Fortune 500 boards.
B
I gotta ask you about education in this context, because one of the things that you mentioned earlier was you have to, as a CISO, understand the business in order to be able to talk in terms of the business. What role does education play, both in educating yourself as a CISO about the business? What are the key things that we care about? Something that's outside of the technology area, but really rubber meets the road inside of the business. And then what role does education play also with other stakeholders like the board, for example: how much time would you spend educating the board on, hey, here are these new trends that are happening in cybersecurity, these new types of attacks. How do you think about that in a whole ecosystem of players educating?
A
Yeah, you know, education is extremely important. I think it's in every topic, whether it's business or private life. If you don't understand something, you won't buy in or double down. You have to have an understanding. It has to be basic. Right? Complexity is really the enemy here. You have to keep it very, very simple. You have to be very straight in your value proposition. I think we all know that. And we have to be honest also: it does not matter how big your enterprise risk team or security team is, you have to drive those topics in general at scale. I'll give you an example. We have a decent-sized team of around 50 people globally on the topic of cybersecurity. But we have 50,000 employees. And I can tell you, if I would double up the team and the board of directors would ask me to do so, I think the effect would not be as great as you would see, because you have to bring people in. My personal bet is also that security and resilience is tightly linked to risk, and it has to be a core job-contributing skill in future which your whole organization has to carry. So for me, in my world, I would say everybody has to be on board in order to overcome this rising risk surface and end-to-end digitalization. We see globally this is a massive change of society, and we should really be able to get ahead of the game, and we will see a decrease in the breaches. This is also my bet: that we drain cybercrime for the first time now, after the past years, by having a strongly educated society around it as well as in the company. Right. So we have to think broader into the value chain, and company borders get a little blurry. You talk a lot about third-party risk management, but this is clearly the case. We see most material losses mostly not on incidents happening on our turf.
It's more that a critical supplier is breached, and a critical supplier is mostly not the biggest supplier, where you have the biggest cash out; it's in the value chain and it's sometimes hidden, and then you're losing money. So it requires very strong collaboration and especially education across company borders, and also investment of big players. You have to be honest, some small players can't afford a Fortune 500-size program. So a Fortune 500-size company, which has clear value in the value chain, has to help those overcome, and therefore also making it a core job-contributing skill and also a buying decision: that you say if somebody is performing better in cybersec, I'm more eager to go for their product, and for the next one it becomes really a competitive edge. And this is what we are all up to here. And this is why I always like to work at RSA Conference with those topics, because I think this is a mighty sword where you can drive and populate education.
B
So glad you think about it that way. We think about it like that too. How do we provide some of the best, most interesting, timely things that are happening in this space? But something that you mentioned earlier about the board caring what peers do: it's so fascinating watching the behavior of people at the conference. They really, especially at your level, they really care about calibrating with each other. What are you doing, what are you seeing and how are you addressing this? And it's that camaraderie in the security space, that passion that's shared, that's always so inspiring to me every single year. And you know, you mentioned something else, which is that people are at different stages of this risk quantification journey. What if another CISO is just starting on this journey? So they've done the normal things. They've got EDR, they've got their firewalls, they've got the basics. What's the single most important step that you'd recommend to move into this risk quantification-led cyber approach?
A
It's a very good question. So what I would definitely say is you can't delegate this topic. It needs you as a CISO and as executive sponsor and leader. So you have to educate yourself around methodology, and you have to beef up your skills around this topic, and you have to be interested. Otherwise I think your organization won't succeed. Because in this particular case, you have to really lead that from the top and give that intent to your organization. Because if you are not, let's say, financially savvy and talking millions of US dollars in business cases, how should your people be, if you don't lead by example here?
B
It's a great point. Gotta ask you this. Have you encountered any resistance to applying financial rigor to cyber? And if so, how did you overcome it?
A
Yeah, I like to stay easy. And then I divided what I have seen into three groups. I would talk about peers, so the fellow CISOs I meet at conferences like RSAC or anywhere around the world, the board of directors, as well as my own team. Let's start with the peers. You know, I think this is most interesting because they're watching this podcast, so hopefully I don't bring any wrong information. Reach out to me anytime if you feel misrepresented here. So some colleagues are not happy about those programs, and the reasons vary. So the community is also sometimes a little divided around: does this really give us the biggest bang for our buck? It's a waste of money. There are a few people who also tried it and were not succeeding in that. And I would always advocate for it and try to overcome that by clearly outlining values but also sharing common mistakes. Right. And this is what you should do. So I was also making mistakes on those programs, and you have to learn from it. And let's be honest, again, if you are a tech security-savvy person, which is normally the role of the CISO, so it's very, very tech-oriented, this is a very uncommon and uncomfortable spot to be in if you have to pivot your skill set. So this is where I see most of, let's say, the pushback around those topics. And sometimes I also experience that, by the way, it proves your program not wrong but misaligned, you know, from a pure quantification perspective. So in some material loss scenarios, you have invested too much money, and you have to pivot the investment to give you an overall bigger bang for your buck. Also like a control of your program, which could feel a little bit tangling. You know, I can understand my peers here, I had the same feeling. But I can tell you it's totally worth it, because what I overcame, and I clearly can share that with you, I'm not struggling to go for budget with the board of directors, because I have such a clear business case behind the initiatives.
And I also have a good volume of budget where I can pivot. If some risk goes down, another goes up. So I can also line it out in the program. So again, to my peers, don't worry about all the stuff which is coming to your table. Reach out if you want to hear something about the quantification piece. And I'm willing to help. Board of directors: brutally honest, no resistance at all. This is highly appreciated. So this kind of communication metrics, they were clearly sharing back, it helped them to grasp the risk better and give better advice and supervision. This was the clear feedback out of it. It was kind of a gamble, because I was 31 years old as I stepped up, as a very, very young CISO, to a Fortune 500-size board of directors and presented not the nine-box grid. I was the first one going with millions of US dollars. So in my CISO career track, I've just used quantification, and I was like, oh my God. And I was in the audit committee, where before there was financial risk presented, and all was in grids. I was really the odd one out. And I was, oh my God, that's a big gamble. I hope I'm going to stay in the job, but I can tell you it resonated so well. And I really also appreciate the enterprise risk management colleagues who were also embracing the FAIR methodology and also helping here. But I can tell you I got no resistance in the board of directors. So I can encourage you. Believe me, those ladies and gentlemen enjoy this kind of reporting, because these are the numbers they understand. Give it a shot. Don't be afraid of that. Own team: different story, very strong resistance in the beginning. And don't forget, if it's not the home turf of the CISO, how should it be the home turf of a SOC manager, who is much more technical, or the security officer, than the CISO? So that's very natural.
So it's very natural that those changes feel uncomfortable, because they were never thinking in millions of US dollars; they were more on how much more compliance, how much more operating KPI does this give to me. So I was very strong in tying all future investment decisions to quantified risk and a business case. We gave out templates, we made it very easy with the platform in order to do so. It took some time and a lot of engagement and also trust, I would say, to embark on it, because they also saw the potential where they mostly had problems to argue very new, fancy, cool tech things. And you know, even if there was a budget cut in some areas, we could reinvest and open up there with our big decision cycle. So I could sign off directly on very, very, let's say very good cents-for-the-dollar business cases. And you know, we are now in our third year, and I can tell you, the team, as I see that internally, they started more as followers, I would say, in these topics, and now I see them leading, which makes me very proud, right, that they are also openly talking about this in their communities, which really makes a change. But don't forget your internal team. They are as important as the board of directors, because they make those things happen. And don't be afraid, you're not going to regret it. I don't know anybody who has built up a program and is very, very unhappy about those changes. But as we all know, change is not easy, especially if you have to lead and do it.
B
And I think people will go and find you at this next conference, because no resistance from the board of directors, quantification, aligned teams: it's what you always want as a CISO. And I'm going to ask you just one more question while I have you. How does this methodology work for net new things that are coming into the business? Like, I'm just thinking about how quickly AI, even from the board level, is: hey, what are we doing to automate? I hear about all of our peers doing X, Y or Z. How does that translate into the same process? So somebody says, hey, let's start an AI project. Could be for employees internally, could be for some business process. Does the team now automatically think in terms of "this is an additional risk surface, let me try and turn this into dollar quantification and here's our first pass"? Is that what happens?
A
Yeah, I can share that very openly with you here. It's not a secret that in our industry we are losing a lot of people and employees due to demographics and job families, you know, going away or kind of hard to hire. Right. And the funny thing is, we are not struggling to hire digital people who work on this topic and also drive AI. We have quite a sizable AI team. I like it. We brought up this comparison, and I also said, okay, how can we justify also investments around this very pushy topic? Everybody is on, like, yeah, we have to do AI. It's going to be the Lord and Savior. Sometimes a little overhyped. I think it's overhyped for this point in time, but for the future it's even underhyped, I would say, because there's so much possibility, whether it's security for AI or AI for security. And we clearly looked at those models, and you know, you have more data than you think. Also in this modeling, some people are afraid and say we don't have the data, we don't have the models. We are using a technology solution around it. So we started on Excel spreadsheets and really crawled before we ran, and we modeled those things, and we got quite a sizable AI security program out of that. Because I said, okay, I didn't underestimate it. My gut feeling was also reflected in the numbers, and I stepped up to the overall committee which is bringing and designing the AI team and said, if we want to double down on this, we should naturally bring in security, because this is part of the business case and we need it. So I can tell you, even in this new field, you are able to justify a case, and you speak the same language as the CFO, as the CTO, as the CEO. And this brings you into a way different board-level conversation, and it brings you also in executive management into a much stronger position, because they can clearly grasp and understand that you are on top of things. You're not saying no, you're just saying, okay, let's look at the full cost of this and not forget something around it.
So even in very, very new and very innovative topics, you can do a very, very decent modeling, and you also improve the model from time to time. So don't be afraid. It's not just historical data, it's always looking into the future and helping you.
B
Love it. That's fantastic. The fact that the business is now bringing you in and says, well, what does security think? Because we're used to both getting the quantification of the benefit to the business and then also getting the quantification of the security benefit to the business that's needed. Matthias, thank you so much for sharing your experiences and for being here today, and listeners, thank you for tuning in. Please keep the conversation going on our RSAC membership platform by visiting onersac.com membership, and be sure to check onersac.com for new content posted year round. Matthias, thanks again.
Episode: Cyber at the Top: Risk Quantification: Turning Cyber Risk into Business Language
Date: February 5, 2026
Guest: Matthias Boucher, Group CISO, Heidelberg Materials
Host: RSAC
This episode explores how Chief Information Security Officers (CISOs) can effectively quantify cyber risk in financial terms to gain buy-in from business leadership and boards. Drawing from first-hand experience at Heidelberg Materials, Matthias Boucher discusses the evolution from technical, ad hoc reporting to standardized, value-driven metrics that help cybersecurity become a business-enabling force. The conversation unpacks challenges in the discipline, the power of standardization, education for both CISOs and boards, and practical strategies for newcomers to risk quantification.
“This gives us the possibility to really handle digital risk...from risk discovery to risk treatment, all in one organization.” – Matthias [01:47]
“For a lot of CISOs...talking in million US dollar is not their home turf.” – Matthias [03:38]
“A fool with a tool is still a fool.” – Matthias [05:31]
“Every real profession has standardized clear metrics...security, we see a different picture.” – Matthias [07:12]
“You lose a big opportunity...when you need a lot of explanation and engagement to explain the value of a KPI, it's mostly not a fitting KPI.” – Matthias [08:28]
“CISOs are technically good in more operational KPIs but worse in business KPIs.” – Matthias [09:54]
[11:14] Making Cyber a Business Conversation:
Quantification bridges operational KPIs and business priorities, enabling informed decisions and broader support.
“Translating your programs into known KPI is a big plus...you can talk to a broader audience.” – Matthias [11:22]
[12:08] Prioritization with Metrics:
“Why not putting also hard numbers and skin in the game here?” – Matthias [12:43]
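The EDR business case from the conversation (roughly 1 million spent to buy down 10 million of risk, "10 cents for the dollar") worked as a FAIR-style Monte Carlo model; this is an added example, not code from the episode, the FAIR Institute or Heidelberg Materials, and every scenario figure in it (event frequencies, loss magnitudes, control cost) is a constructed assumption.

```python
"""
FAIR-style Monte Carlo estimate of annualized loss exposure (ALE) before and
after a control, and the business-case figures a board would ask for.
All parameter values below are constructed, illustrative assumptions.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """Calibrated estimate for one material loss scenario. Each factor is a
    (min, most likely, max) triple sampled with a triangular distribution."""
    name: str
    lef: tuple  # loss event frequency, events per year
    lm: tuple   # loss magnitude per event, USD


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(scenario: LossScenario, trials: int = 10_000, seed: int = 7) -> list:
    """Return one simulated annual loss (USD) per trial."""
    rng = random.Random(seed)
    lef_min, lef_mode, lef_max = scenario.lef
    lm_min, lm_mode, lm_max = scenario.lm
    annual_losses = []
    for _ in range(trials):
        # Draw this year's event rate, then how many events actually occur.
        rate = rng.triangular(lef_min, lef_max, lef_mode)
        events = _poisson(rng, rate)
        # Each event gets its own magnitude draw; sum them for the year.
        total = sum(rng.triangular(lm_min, lm_max, lm_mode) for _ in range(events))
        annual_losses.append(total)
    return annual_losses


def summarize(annual_losses: list) -> dict:
    """Mean ALE plus tail percentiles, the numbers a board case is built on."""
    ordered = sorted(annual_losses)
    n = len(ordered)
    pct = lambda p: ordered[min(n - 1, int(p * n))]
    return {"ale_mean": statistics.mean(ordered),
            "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}


def business_case(ale_before: float, ale_after: float, control_cost: float) -> dict:
    """Express a control in the podcast's terms: risk bought down, cost per
    dollar of risk reduced ("cents for the dollar") and ROSI."""
    reduction = ale_before - ale_after
    if reduction <= 0:
        # The control does not reduce modelled loss: there is no case to make.
        return {"risk_reduction": reduction, "cost_per_dollar_reduced": None, "rosi": None}
    return {"risk_reduction": reduction,
            "cost_per_dollar_reduced": control_cost / reduction,
            "rosi": (reduction - control_cost) / control_cost}


# Constructed scenario: ransomware reaching plant-adjacent IT, before and after
# raising EDR coverage (assumed to lower both frequency and impact).
BEFORE = LossScenario("ransomware, current EDR coverage",
                      lef=(0.5, 1.0, 2.0), lm=(1_000_000, 5_000_000, 20_000_000))
AFTER = LossScenario("ransomware, EDR coverage +10%",
                     lef=(0.1, 0.3, 0.8), lm=(500_000, 2_000_000, 10_000_000))
CONTROL_COST = 1_000_000  # assumed annualized cost of the EDR expansion, USD


def run_case() -> dict:
    """Simulate both scenarios and build the investment case from mean ALE."""
    before = summarize(simulate_ale(BEFORE))
    after = summarize(simulate_ale(AFTER))
    case = business_case(before["ale_mean"], after["ale_mean"], CONTROL_COST)
    return {"before": before, "after": after, "case": case}


if __name__ == "__main__":
    result = run_case()
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:>6}: ALE mean ${s['ale_mean']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  p99 ${s['p99']:,.0f}")
    c = result["case"]
    print(f"risk reduction ${c['risk_reduction']:,.0f}; "
          f"cost per dollar of risk reduced ${c['cost_per_dollar_reduced']:.2f}; "
          f"ROSI {c['rosi']:.1%}")
```

The p90 and p99 figures matter as much as the mean: a control that barely moves the average but cuts the tail is the case insurers and audit committees tend to ask about.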
“Education is extremely important...Complexity is really the enemy here.” – Matthias [15:42]
“Security and resilience is tightly linked to risk...your whole organization has to carry.” – Matthias [16:57]
“You can't delegate this topic. It needs you as a CISO and as executive sponsor and leader.” – Matthias [19:42]
CISO Peers:
“I can tell you it's totally worth it because what I overcame...I'm not struggling to go for budget with the board of directors because I have such a clear business case behind the initiatives.” – Matthias [22:41]
Board of Directors:
“No resistance at all. This is highly appreciated...because this is the numbers they understand.” – Matthias [23:18]
Internal Teams:
“They started more as followers...now I see them leading, which makes me very proud.” – Matthias [24:36]
“We modeled those things and we got quite a sizable AI security program out of that...you are able to justify a case and you speak the same language as the cfo, as the cto, as the CEO.” – Matthias [27:41]
“Don’t be afraid. It’s not just historical data, it’s always looking into the future and helping you.” – Matthias [28:45]
The episode strikes a pragmatic and encouraging tone. Matthias blends candid admission of challenges with strong advocacy for quantitative, business-driven metrics in cyber. Both the host and guest emphasize simplicity, clarity, and leadership-by-example.