asvin: Hello Matthias. Nice that you have time for an interview with us.
Matthias: It’s a pleasure, Stefanie. We haven’t been working together that long, but it’s going fantastic so far, even for the short time, and your input is tremendous.
asvin: Thank you very much. Yes, we are also experiencing the market very dynamically, and of course, we are adapting to that. The threats are not getting less – quite the opposite. And the opportunities to contribute our expertise to the IT security cluster are ideal.
Matthias: We’re glad about that because it’s about awareness for current and future cyberattacks on companies of all sizes. And your work to protect software supply chains is excellent!
asvin: As a member of the IT Security Cluster, we support information about cyber security and its challenges. From your point of view, where are we with cyber security awareness among members in general?
Matthias: We have a heterogeneous membership, from companies in IT security, IT system houses, lawyers, to universities and schools or the MINT LAB Regensburg. There is much catching up to do, especially with kids, as I keep hearing from the technical and vocational schools of our members. Companies in our sector, like those at asvin, are generally well informed about cyber security and the problems that attacks on systems entail.
asvin: Why do you think the young are not well informed about the subject?
Matthias: We have many conversations with members. In this context, we repeatedly hear that the students know how to use tablets and cell phones and what possibilities the Internet offers them. But what’s missing is an awareness of the data they generate, which then rushes through the ether. In addition, there is a lack of understanding that we have long since ceased to be sovereign over our end devices, or that a world outside Apple & Co. exists.
asvin: What cyber security risks do you currently see, and what will the future bring?
Matthias: I would say that ransomware will continue to be a massive problem in the future. So I still see social engineering as a risk, where real-looking emails are used to grab passwords. There are also man-in-the-middle attacks, where an attacker can infiltrate the communication between two or more participants unnoticed and read out and manipulate information.
asvin: How do you see the danger of deepfake?
Matthias: This is also a real danger that is increasing due to the growing use of artificial intelligence. If AI generates images and sound, there is always a risk that they can be manipulated. For example, faces can be faked by overcoming biometric systems. These fakes can even be generated by non-technical people with little experience, leading to threat scenarios such as disinformation campaigns or targeted phishing attacks to extract data and information.
asvin: In discussions that are conducted digitally, disruptive fires are becoming increasingly common. This is also psychological influence, i.e. a kind of social engineering.
Matthias: Yes, from my point of view, if there are any trolls in the comment columns of successful websites, they are visibly controlled by a political agenda. They can hide behind funny avatars, suddenly scatter sensitive convictions, and blow up discussions with the exact pseudo-rhetorical phrases, which has a potential for danger.
asvin: How vulnerable do you think we are, despite all the attempts and mechanisms we put in place?
Matthias: It’s probably only a matter of time before the next qualitative hack comes along, and you can imagine what that will look like, given the possibilities of AI.
Threats are everywhere, and the situation is steadily becoming more complex than we now imagine. The BSI warnings are suitable for technical facilities such as 2-factor authentication, but that will certainly not be enough in the future. From my point of view, it will not remain the case that attackers mainly encrypt hard disks.
asvin: How does the IT Security Cluster support its members in cyber security matters?
Matthias: As an association, we have numerous opportunities to improve the situation of safety and security. Be it with events or workshops: we contribute to education and strengthen awareness, not only among members. We have also developed an information security management system that defines a twelve-step process: CISIS12. The name stands for Compliance Information Security Management System.
This identifies risks and looks at the entire organization, makes documentation mandatory and introduces it according to our standard, defines roles and identifies protection requirements for processes, establishes access rules for buildings, practices emergency plans, and much more that contributes to security. In short, everything that has to do with the information in a small or medium-sized organization, be it an administration or a company, is looked at and regulated.
As a result, you can have the implementation certified by independent specialists and maintain CISIS12 cyclically and in continuous self-improvement: through binding audits and recertification after three years. The world does not stand still! In Bavaria and Saarland, for example, municipalities can receive funding to introduce CISIS. We practice this ourselves, and it works very well even with our few employees, because the recommendations for action are easy to understand.
asvin: One last question, Matthias. How many passwords do you have?
Matthias: Sigh, I’d say about 220 at the moment!
About Matthias Kampmann
Matthias Kampmann studied art history at the Ruhr University in Bochum. He earned his doctorate at the Albert Ludwig University in Freiburg/Brsg. on art in the Internet under Prof. Dr. Angeli Janhsen. After his studies, he learned newspaper making during an editorial traineeship at the Westfälischer Anzeiger, Hamm. He worked as an editor of freelance art critics, did research in the field of computer and media art and taught in the Kultur Media Technologie course at the Musikhochschule Karlsruhe. He then studied academic writing and reading in the EVELIN project to improve teaching and learning in software engineering. Since October 2019, he has been in charge of research and development topics and their funding, and of the CISIS12 project, at IT-Sicherheitscluster e. V. in Regensburg.
About the IT Security Cluster e.V.
The IT-Sicherheitscluster e. V. (IT-SEC) is an association of more than 120 companies in the IT industry and companies that use security technologies, universities, other research and training institutions and lawyers. Its core area is information security. This includes process-oriented methods for optimizing information security and the range of issues surrounding IT security. The association promotes start-ups and the research, development, application and marketing of technologies, products and services that contribute to increasing information security, functional or physical security and supports education and training.
The association is a nationally known competence carrier for information about security risks and promoter of technical/organizational solutions for awareness creation and management-based implementation of information security concepts, preferably in KMO. The content-related work further includes the continuous development of an information security management system for SMEs (CISIS12) over more than ten years, which has now been implemented more than 400 times in KMO and whose introduction is supported by the Free State of Bavaria and the Saarland. In addition, the supra-regional and European cluster is developing an assessment (ISA+ Information Security Analysis). These instruments and general questions concerning IT and information security are made known to a broad public through regular event formats, among other things.
The work areas develop from the competencies and interests of the members and the IT security topics that are in the public focus. IT-SEC brings experience in establishing information security management systems and data protection solutions to the table. It serves over 100 consultants and approximately 50 consulting firms implementing CISIS12, and is continuously expanding its network of expertise with contacts to subject matter experts in information security.
IT-SEC is represented in the BITMi Presidium and sends members to the Working Group Cyber & Data and the Focus Group AI of https://www.digitalsme.eu, Digital SME Alliance Brussels. IT-SEC promotes start-ups as part of the Digital Start-up Initiative Oberpfalz (DGO) funding program and acts across clusters with the go-cluster silver label and go-cluster funding in the goAIR project. IT-SEC is also a core partner in AIR – Artificial Intelligence Regensburg, an initiative of the actors in the AI sector of the city and region of Regensburg addressing the Triple Helix. Furthermore, the IT security cluster is co-initiator, project partner and jury member of the up@it-sa award, the start-up award presented at it-sa, Europe’s largest trade fair for IT security.
CISIS12 is an information security management system (ISMS) developed, published, trained and distributed by IT-Sicherheitscluster e. V. CISIS12 is the result of ten years of development and is based on the experience of previous versions. The management system is simply and understandably structured in twelve steps, which makes it comprehensible and logical, especially for beginners. Results can be generated very quickly, and the system is well suited to bringing a stable and robust management system to life in a relatively short time.
CISIS12 is the name for Compliance and Information Security in Twelve Steps. The framework enables organizations to roll out information security processes both horizontally and vertically in a scalable manner, from SMEs to large organizations. It is designed to be scalable and helps to set up and maintain a security structure in KMO that is understandable, accepted and appropriate in each case. CISIS12 is a multi-transfer standard. It can be used to demonstrate conformity with other standards.
Among other things, CISIS12 enables internal audits, risk management and management reports. Practised this way, CISIS12 follows the Plan-Do-Check-Act (PDCA) cycle. Once it has been established in KMO, it can be used independently, appropriately consolidated and continuously optimized. CISIS12 can also be used to address other security standards. In the German states of Bavaria and Saarland, CISIS12 is eligible for funding for municipalities, and in Bavaria also for companies.