Vaillant CISO: NIS2 complexity and lack of clarity endanger its mission

CSO Germany: The energy sector is increasingly becoming a target for cybercriminals. Experts and the Federal Office for Information Security (BSI) believe that protection in this area must be significantly increased. How do you assess the current situation?

Reiß: The geopolitical tensions we are currently witnessing are leading to an increased threat level. This naturally also affects the heating industry, in which Vaillant operates and which fulfills everyone’s basic need for warmth and hot water at home. Such sectors absolutely must be better protected. The problem is that the attacks are becoming increasingly targeted and complex. These days, we’re no longer dealing with less experienced script kiddies working in their basements, but rather with well-organized and professional cybercriminals. Their goal is to harm the company or the economy of the respective country.

Furthermore, the use of artificial intelligence within companies has lowered the barrier to entry for attacks on businesses and supply chains more than ever before. This makes it easier, for example, to create targeted phishing emails or develop malware, which previously required significantly more effort.

How are you reacting to the changed situation? How are you currently protecting your company from cyberattacks?

Reiß: We pursue a holistic approach to information security. This means we examine every aspect from top to bottom and rely on a multilayered security concept. This includes both preventative and reactive security measures to enable us to react quickly and effectively in an emergency. We are aware, however, that no company can guarantee absolute security. Therefore, everyone should plan with the assumption that a successful attack is always possible.

We prioritize the security of not only our internal IT infrastructure, but also our global production and products for our customers. Protecting our end customers and adhering to high security standards are our top priorities — especially given the growing threat of ransomware attacks. Our focus is on proactively minimizing risks and ensuring long-term trust in our solutions.

And the employees?

Reiß: Cybersecurity begins with people. Thanks to Vaillant’s global network, we clearly focus on this when it comes to security. Through our holistic four-pillar approach, we rely on comprehensive awareness training for our entire workforce, from gamification approaches to practical compliance training. We also address topics from the private sphere, such as phishing examples from some telecommunications companies or parcel delivery services, to increase relevance and promote sustainable learning processes.

What challenges are currently causing the most problems for CISOs?

Reiß: First of all, the role of the CISO has fundamentally changed in recent years. Previously, the focus was primarily on technical aspects and operational security. Today, strategic alignment and leadership skills are key qualifications. A modern CISO must not only manage technological risks but also act as a sparring partner for management, assess business risks, and embed information security as an integral part of the corporate strategy.

From my perspective, the biggest challenges currently lie in implementing new legal requirements such as NIS2, DORA, and the Cyber Resilience Act. I describe the whole thing as a regulatory jungle that first needs to be understood. We are operating in a complex regulatory environment that must be interpreted pragmatically and implemented with the right resources. Ultimately, it’s not just about ensuring compliance, but about increasing the security level throughout the entire company to create greater resilience.

Do we have too many safety rules?

Reiß: In the heating industry, the regulatory requirements are manageable, even though NIS2 and others are relevant. I generally welcome uniform standards, as they increase safety in Germany and Europe. The challenge lies in national implementation: Each country interprets the regulations differently, which creates considerable complexity for internationally operating companies.

The legislators behind NIS2 have failed to develop uniform and pragmatic security rules for implementation across Europe. While NIS2 was adopted at the EU level, it must be transposed into the local legislation of each country. This means that each country contributes its own interpretation. Organizations operating across Europe must therefore consider all relevant legislation in their respective regions. Ensuring a standardized procedure in this context adds further complexity and requires significant coordination.

Why are so many companies still struggling with implementation?

Reiß: Often, the interpretation of the regulations lacks clarity. Many companies — especially SMEs — don’t know if they even fall within their scope. Added to this are questions about resource allocation: Should implementation be done internally or with external partners? Who assumes responsibility — IT, the compliance department, or a dedicated security team? Furthermore, there is often a lack of maturity and awareness regarding where and how cybersecurity needs to be strategically embedded so that such topics can be implemented appropriately. These factors hamper progress and cost companies crucial time.

There’s no one-size-fits-all approach to regulations. I recommend that companies analyze their current situation, define initial steps, and get started. My motto is: Start, don’t wait!
