For our blog series “IT Security”, today I met with Tilo, Squad Lead for Governance, Risk, Compliance (GRC) & Strategy Consulting. In this interview, he tells us how he and his team support customers in getting things running again after a security incident.
Tilo, you’re Squad Lead in Security Consulting for GRC & Strategy. What does that mean?
Tilo: All topics involving governance, risk, and compliance are our responsibility, together with strategic consulting for customers. When we talk to customers about IT security, the CIO or CISO doesn’t primarily talk about technology or what firewall they use, but instead about their overall responsibility for information security, the general framework, and processes. GRC is the common theme: guidelines for leading the company, risk management, and adherence to standards. We bring these topics into play, evaluate action areas, provide assistance with processes, map the current IT against the valid standards, and support implementation.
What does your job typically look like?
Tilo: My job is very dynamic, because we are customer-driven. I’m responsible for the future-oriented development of the chapter and for building up the relevant technical expertise and methodological skills on the team. The development of our employees is very important to me. We in Security Consulting cover a broad spectrum, which means there are many opportunities to shape careers and establish a footing on other teams.
We have a great network, work closely together with customers, and are active in professional communities and associations. It’s important for us to be able to identify current topics and trends and to derive the right steps from them, to support our customers with the challenges they face.
What does your range of customers look like?
Tilo: Our customer base includes enterprise customers, such as DAX-listed companies, as well as companies from the mid-market segment. The public sector is another area. With their critical infrastructures, these customers are systemically relevant, which means they have to particularly prioritize GRC-relevant topics. We help here as well, reducing the risk potential through guidelines and a general framework to establish an adequate level of security.
What project are you working on right now?
Tilo: Right now our team is supporting a number of customers with recovery after a security incident. We support the customers in getting back to work and back to normal.
As to me personally, I’m preparing a number of workshops for different customers. I’m planning security assessments, in which we show customers where they currently stand when it comes to IT security and where they need to act. The strategic evolution of our portfolio is also a top priority for me, so we can address the current challenges our customers face and develop the corresponding skills quickly.
In addition, we are also preparing crisis management courses and emergency drills for various customers. In Consulting, we adapt to the customers, their needs, and their environments. Nothing goes “by the book”. A major, life-threatening finding for one customer might only be a minor vulnerability for another. It’s very dependent on the setup, maturity, and customer infrastructure and on how prepared the customer is to take risks. Two identical findings at two different customers can lead to entirely different action recommendations. That’s the exciting thing about my job.
Direct access to our complete IT Security Insight Series
#1 Tino: Cloud Security Consulting
#2 Alexander: Security Consulting and Incident Response Service
#3 Karl-Friedrich: Security Consulting and Building Security Operations Centers
#4 Daniel: Managed Cyber Defense
How large are your project teams usually and what distinguishes you?
Tilo: There are usually two or three of us on a project team. We split ourselves up into different specializations, such as ISMS, basic IT protection, critical infrastructures, and even strategic consulting. Depending on the project size, we might also visit the customer as a lone wolf and then fall back on the team when needed and coordinate with experts from other squads.
Flexibility, rapid adaptation to different customer situations, and taking responsibility are part of our everyday lives. We also support customers in crisis situations, facing the company’s top executives and IT managers, and have to provide the right action recommendations to guarantee a controlled restart. So you not only have to be a technical expert, but also be articulate and self-confident. The soft skills of a consultant are highly developed; we have to get along with techies and commercial managers alike and speak with them at eye level. And sometimes we have to convince a board that they have to make an investment to protect their company, even if it wasn’t planned in the budget.
What do new colleagues have to bring to the table? What skills are in demand?
Tilo: I rely on different skills and experiences. The important thing for me is that they have a passion and the lifeblood for the consulting business and for working together with customers. Strong communication skills, a willingness to learn, and the capability to work independently are essential for the job. Experience with conducting security assessments and knowledge of norms and standards are good skills to have, as is experience with critical infrastructures, ISMS, government regulations, and basic IT protection. The cherry on top would be recognized certifications like CISSP, CRISC, CISA, or CISM.
In my chapter, it’s not only about being an acknowledged expert, but also about having a lot of sensitivity toward customers. We give consulting career-changers a chance and support them through coaching and mentoring by experienced experts.
Tilo, that was a great insight into the everyday work of you and your squad. Thanks for that!
If we’ve sparked your interest in the areas of incident response and IT forensic consulting, you’ll find career opportunities at a number of entry levels at Deutsche Telekom Security GmbH.