August 16, 2022

EP 9 – Living and Breathing Telecom Trust w/ Thomas Tschersich, CSO of Deutsche Telekom and CTO of Telekom Security

If you’re in the business of collecting consumer data these days, you’d better be in the business of protecting that data. Or you could find yourself with no business. On today’s episode, host David Puner talks with Thomas Tschersich, Chief Security Officer of Deutsche Telekom (parent company of T-Mobile) and Chief Technical Officer of Telekom Security, about the new rules of data privacy and protection and how telecommunication providers must live and breathe trust as they operate critical infrastructure.

[00:00:00.000] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:23.790] – David Puner
We are all carrying computers around with us at all times. We call them phones, which takes away from the reality that these devices hold or can unlock some of our most sensitive personal information. When our phones are casually unlocked throughout the day, while we browse news, book rides, and buy stuff, personal data can be thrown around like candy falling out of a just-cracked, overstuffed piñata (a virtual piñata, that is). Massive troves of consumer data have become the backbone of both legitimate and criminal enterprises in recent years.

[00:00:58.950] – David Puner
But, as consumer trust dwindles and regulators step up data privacy protections, the tides are turning, and individuals are gaining back control over their data and digital interactions. Today, if you’re in the business of collecting consumer data, you’d better be in the business of protecting that data, or you could very well find yourself with no business at all. From a consumer standpoint, the companies we trust, whether we think deeply before providing them with that trust or not, must continuously work to maintain and deepen our trust.

[00:01:31.580] – David Puner
On today’s episode, I talk with Thomas Tschersich, who’s the Chief Security Officer of Deutsche Telekom and Chief Technical Officer of Telekom Security. Deutsche Telekom is the parent company of T-Mobile, among others.

[00:01:45.450] – David Puner
In conversation, Thomas gets into the new rules of data and how telecommunications providers must live and breathe trust as they operate critical infrastructure that’s widely used to communicate and store large amounts of sensitive data. In Deutsche Telekom’s case, we’re talking about data involving nearly 250 million mobile customers worldwide.

[00:02:07.730] – David Puner
Thomas also talks about the computers we all carry around with us everywhere. He seems pretty passionate about all of it. It’s an interesting talk coming from a global perspective with a guy with a high-pressure role. Roles, really, for a company that’s practically everywhere. Thomas, by the way, is German and lives in Germany, and he beamed into our conversation from his office that’s also in—you guessed it—Germany. Let’s get into it. I hope you enjoy the conversation.

[00:02:51.590] – David Puner
I read on the Deutsche Telekom website that the company is present in more than 50 countries, with a staff of over 200,000.

[00:02:59.990] – Thomas Tschersich
Yeah, absolutely. This is an accurate number. When we started as the incumbent, the local telecommunication provider in Germany, a couple of decades ago, we had mainly 200,000 employees here in Germany. Meanwhile, we still have 200,000 employees, but we have operations in more than 15 countries across the planet, with the main spots in Central and Eastern Europe but also in the US. As a global carrier, we have operations nearly everywhere.

[00:03:38.520] – David Puner
248 million mobile customers, 26 million fixed network lines, and 22 million broadband lines. What does a typical day look like for you in your role overseeing the team?

[00:03:50.240] – Thomas Tschersich
I’m not so sure whether there is a typical day or not, because it’s often-

[00:03:53.840] – David Puner
Yeah, right.

[00:03:54.720] – Thomas Tschersich
-Often days with surprises, but mainly on Fridays, as attacks almost always start on Fridays. That’s somehow Murphy’s law, I guess. My team, as I described my role upfront, I split into two teams, actually, which are closely connected. When it comes just to the numbers, how many people we have for protecting our group, ourselves, our assets, it’s roughly around 600. Five hundred directly reporting to me and another 100 or 150 or some more in the different entities in the local operations.

[00:04:38.700] – Thomas Tschersich
We have twice as many in the external operations, serving our external clients with digital security services. We have customers from the banking sector, from transportation, from chemicals, where we run our cyber defense centers, penetration testing, and all these kinds of things.

[00:04:58.460] – David Puner
What is the most challenging aspect of the role? Then I would say, secondly, what part of the role do you enjoy most?

[00:05:05.900] – Thomas Tschersich
I would say the challenging part of the role is that security was always treated as a roadblock in the past. My mission, or the mission with my team, was really to counteract that. Really, to start changing the intended behavior of the security organization. We’re not the ones telling others what they can’t do. We worked very hard on becoming the ones telling others how to do things.

[00:05:37.260] – Thomas Tschersich
Instead of avoiding projects, we were the ones supporting projects by saying, “Okay, you can do it that way, then it might turn out to be a disaster. But you can also do it in a different way, and then it’s safe.” So really transforming the security organization, which was treated as a roadblock, into a helping hand for the business.

[00:06:00.390] – Thomas Tschersich
Fun fact about that: in the past, I had a lot of escalations where my people were involved in projects because the impression was we were slowing down the development processes and so on. Meanwhile, I have a lot of escalations when I don’t have sufficient resources to support development projects. They escalate to me to get additional support, which really is a clear signal for me that we did a great job with the entire management team, really, to transform that mission, or to transform also the attitude of the security people in the company. It motivates me to see people requesting our resources in their projects. That’s-

[00:06:48.750] – David Puner
That’s really interesting. Because oftentimes you think of the security team as being the no team, rather than facilitators and partners. So it sounds like you’re approaching it a different way.

[00:07:01.790] – Thomas Tschersich
The security problems start with ourselves. Take the example of a password. The technically perfect password consists of a couple of hundred characters, has a certain complexity, and has to be changed twice a day. That’s, technically, a perfect password. But if you look at the entire process, the result will be that the user will write the password on a sticky note and put it on the screen.

[00:07:34.350] – Thomas Tschersich
If you include the entire process, the perfect password is a weak password, because it’s written down. If you take as the counterexample an only-six-character password, and you block the account after the second, third, or whatever wrong attempt to type it in, you have the same level of security without burdening the customer. The difference is that the first time I talked about our clients as users, and the second time as customers, and that really makes a difference.

[00:08:12.140] – Thomas Tschersich
Really see them as customers and not as users. A user is one who is allowed to use the technology. A customer is one you take seriously, and you try to support, and you try to give your best to make him happy. That’s the difference in the approach, and it results in a different solution. It’s not the perfect technical solution, but the perfect end-to-end solution that matters in the end.

[00:08:38.800] – Thomas Tschersich
This really starts making the difference also in people’s minds. When you talk to your people, when you try to inspire your people in how to approach security, this is, for me, the most important thing: really to treat your customers as customers and not as users.

[00:08:56.190] – David Puner
You had mentioned trust earlier, too, which obviously resonates pretty soundly with us. I know you’ve been with Deutsche Telekom now for around 20 years, and it seems like it was a little bit of an interesting career path. How did you get to where you are now?

[00:09:13.230] – Thomas Tschersich
I’m, honestly, more than 30 years with Deutsche Telekom-

[00:09:17.830] – David Puner
Wow!

[00:09:17.830] – Thomas Tschersich
-I started as a telecommunications technician before I went to university to study electrical engineering, which has absolutely zero to do with the job I’m having today, except for the fact that if you make a mistake in high-voltage engineering, it hurts in the same way that cyber attacks could hurt us today.

[00:09:42.940] – Thomas Tschersich
I started that path, and after studying, I came back to Deutsche Telekom Group to work in IP network engineering. I was part of the team doing the engineering for the corporate network infrastructure, which is a large one, as you can imagine with more than 200,000 employees. I started working on those transformation projects from the old SNA networks to IP networks, all this old-fashioned technology like Token Ring, then transforming it to a modern IP world. This was in the late ’90s.

[00:10:25.030] – Thomas Tschersich
Accidentally, I came to security because we had an incident in those days. My boss was looking for somebody to start writing a security policy and really try to build up a security organization. In those days, X.500 was the hot topic.

[00:10:51.300] – David Puner
What was that?

[00:10:52.140] – Thomas Tschersich
X.500 was directory services. It was called identities, directory services. A colleague of mine and myself, we were both pitching to get the responsibility for the X.500 services. My boss said, “No, Thomas, you have to do the security stuff.” I said, “Oh, damn, tough luck.”

[00:11:12.340] – Thomas Tschersich
It turned out to be really good luck in the very end. I spent time in different positions within security, took over the policy responsibility for Deutsche Telekom Group, and took over technical security services like penetration testing. Over time, I became the CSO. It felt almost like the end of a career, entering the security path in those days.

[00:11:39.900] – Thomas Tschersich
In those days, it was not that much fun working in security. As we talked about earlier, we were always the ones who were the roadblocks in the company. This was my motivation to start to do things differently with the team and say, “Hey, let’s get out of it.” Meanwhile, cyber security is the latest shit, so to speak. It’s the hot topic in IT. It’s increasing, increasing, increasing; becoming increasingly important. It’s also, meanwhile, a big source of revenue for Deutsche Telekom Group and not only an area where we have to spend money.

[00:12:20.700] – David Puner
I like the way that you put it about the roadblocks. It sounds like you’re basically a roadblock eliminator. When you hire for your team, is passion something that you’re looking for?

[00:12:32.460] – Thomas Tschersich
Yeah, absolutely. Usually, you can spend hours discussing with people, if you have an interview, a job interview, about technology, about their ability to code. But that, for me, doesn’t really matter. You can train them to code; you can train them in technology, but what you can’t train them in is the attitude. That’s, for me, the most important thing. Really, to have people here around me with the right attitude, with the passion, with the motivation. This is, for me, the most, most, most valuable factor when choosing people for the team.

[00:13:13.230] – David Puner
Great. Thank you for that. How are you thinking about approaching privacy and data privacy in your role? How is it similar, or how does it differ from how it factors into cybersecurity overall?

[00:13:28.030] – Thomas Tschersich
When you look at or compare privacy and security from the end result, it’s equally the same. It’s about technical security measures to be implemented in systems. But from the motivation, it’s different. Privacy is motivated mainly from the legal perspective of protecting personal information and personal data. Security is more motivated from a risk perspective. But from the result, it’s equally the same; therefore, it fits perfectly together. That’s the first statement on it.

[00:14:03.920] – Thomas Tschersich
The second one, as I mentioned, I’m working in a trust business. When I want our customers to trust us, I have to care about their data. Privacy is a huge driver for trust. When I guarantee the data are in good hands here, that nobody can have access, then customers start really trusting in us. When I can prove that, then they trust in us, and then my business will grow over time. If not, there’s hardly any chance, really, to get growth in the IT and telecommunication business. That’s one of my fundamental beliefs.

[00:14:44.370] – Thomas Tschersich
Privacy today, and maybe we’re a little special here in Germany because we had two totalitarian regimes here, with the NSDAP and also with the former East German Republic, which were spying on the people living here. That created a different attitude around privacy and also a different and maybe higher demand than in other parts of the world. We treat privacy here totally differently than, for example, our colleagues in the US.

[00:15:19.280] – Thomas Tschersich
Things which are possible in the US in dealing with data, and always having only the opt-out, are totally different here. Here, it’s more the opt-in. And it’s driven mainly by that experience out of the history we had here. That’s my belief.

[00:15:36.440] – David Puner
Obviously, privacy means different things in different places. But what you’re saying is that as an organization, there is one meaning of privacy to the organization, rather than treating privacy differently in different parts of the world.

[00:15:52.600] – Thomas Tschersich
No. I would say the regulation and how we deal with privacy differs around the world, and how important we treat it differs. The definition itself is equally the same, I would say. But the things we allow with regard to personal data are different in the US compared to Europe.

[00:16:14.250] – Thomas Tschersich
We have the GDPR in Europe, which is mainly asking for opt-in. If you want to do something with data in the US, it’s allowed unless a customer opts out. That’s a different approach, how we approach it. But the importance of privacy, I believe, is everywhere the same, because privacy has also something to do with democracy. When I don’t have to fear that everybody knows everything about me, I can connect more as a free person.

[00:16:47.720] – David Puner
That’s really…Yeah.

[00:16:49.120] – Thomas Tschersich
Therefore, for me, it’s an essential part of our democracies that I’m in control of my data. That’s my basic understanding of democracy, that nobody else is in control of my data. I stay in control of my data. I can decide what to do with my data. When we want to be successful, also in future business models, we definitely, as an industry—and I’m not talking about Germany specifically, but as an IT industry—have to treat it more seriously than we do today.

[00:17:25.980] – David Puner
What are the unique, in your mind, the unique privacy challenges brought on by the work from everywhere era?

[00:17:33.740] – Thomas Tschersich
What is the unique privacy challenge? I’m not so sure whether there is a specific privacy challenge in it. It’s mainly a security challenge, I would say. It’s working in an untrusted environment, how to protect your data working in an untrusted environment you can’t control. That’s mainly the challenge. It comes, in most cases, out of what I call the garden fence principle.

[00:18:04.260] – Thomas Tschersich
In the past, we built a fence around our infrastructure. Everything inside the fence was the protected part and was all good and trustworthy. Everything outside was untrusted. All of a sudden, we got cloud and distributed services. Meanwhile, I have a lot of services which I need to trust outside of my fence.

[00:18:29.280] – Thomas Tschersich
Working from home in the pandemic was working from outside of the fence. The fence was around the corporate building. Meanwhile, I stepped out of the fence, and at the same time, there was a need to be part of that trusted ecosystem. That means that the approach we took to security in the past is no longer the right approach for the future. It’s no longer about building a fence around the infrastructure, the line of defense; it’s more about bringing security to the identities, but also to the data itself.

[00:19:12.840] – Thomas Tschersich
For example, if you use digital rights management and encryption to protect the data, you can use any infrastructure to transport it because it’s encrypted. Then the only question is whether the encryption is strong enough or not. Then we come more to what a lot of people call the zero trust approaches. Don’t trust the underlying infrastructure, but protect the data itself; protect the identities.

[00:19:38.230] – Thomas Tschersich
If you look from an attacker’s perspective, I always describe it as a triangle. You have at the top of the triangle the attacker. At the bottom, you have the identity and the system. The attacker is always trying to attack one of those, whether it’s the system or whether it’s the ID. Once you get your hands on the ID, you get access to the system. Once you get access to the system, you have access to the system. It’s very transparent.

[00:20:06.690] – Thomas Tschersich
Therefore, we need to care about both sides. There were a lot of mistakes by companies really forced into work from everywhere because of the pandemic, not really taking care of how to protect the IDs.

[00:20:20.890] – David Puner
We talked about data; we’ve talked about trust. How can embracing trust become a competitive differentiator for telecom providers in the privacy era, essentially?

[00:20:30.570] – Thomas Tschersich
Look at it the other way around. Think about what will happen if you lose the data of your customers. What would that mean to your sales department? They would have a hard job afterwards convincing customers to subscribe to your services. For me, it’s the essence. It needs to be built in. There’s hardly any other way around it.

[00:20:57.130] – Thomas Tschersich
We see it’s becoming more, and more, and more, and more important. There’s one point really concerning me, that we still, after more than 20 years of building those infrastructures based on IP networks, didn’t achieve, as an IT community, to get our systems under control. Issue number one is still the patch management issue. We don’t have a proper installed base here. We are not in the position that whenever there’s a vulnerability, we fix it immediately.

[00:21:30.970] – Thomas Tschersich
When you drive a car, and there’s an issue with the brakes, and the dealer notifies you about that, I guarantee you within an hour you’re with your car in the service center to get it fixed. Once there’s an issue with an IT system, and the supplier is informing you, “Hey, there’s a serious issue,” I guarantee you the average time to get it fixed is around 100 days. And that’s the problem.

[00:21:57.090] – Thomas Tschersich
A couple of years ago, what we observed on the internet was, once one of the large operating system vendors, for example, released a critical software update, they were just saying, “Here’s a critical update with a certain CVSS score, and that means an attacker could have, in minutes, administrative access to your machine. You should really, really implement that patch.”

[00:22:23.010] – Thomas Tschersich
Then nothing happened, and it took three, four, five months. After five months, we saw the first scanning on the internet, looking for that specific vulnerability. In the meantime, they reengineered the vulnerability, wrote an [inaudible 00:22:37] code and [inaudible 00:22:39] scanner, and then started scanning the infrastructure, the entire internet infrastructure, to find vulnerable systems. It was months between the release of the update and the first public scanner.

[00:22:50.960] – Thomas Tschersich
Today, in today’s world, it’s hours. It’s not months anymore. It’s hours. When you see the popup, “Would you install the patch now or later?” If you push the Later button, then it’s too late. We should change these buttons to “You can start now or too late.” That would be the better description.

[00:23:11.200] – David Puner
I’m sure you instill that upon your team because if the team doesn’t have that mindset, then how can the rest of the organization?

[00:23:21.600] – Thomas Tschersich
People ask me, “Typically, what is keeping you awake at night?” When there’s something keeping me awake at night, besides a very loud party in the neighborhood, then it’s that topic. That’s a hygiene topic. This is no rocket science. This is really a high-key topic.

[00:23:43.380] – David Puner
What are the top considerations when it comes to cellular network infrastructure?

[00:23:47.620] – Thomas Tschersich
For the cellular network infrastructure itself, for me, it’s not a question about the infrastructure. It’s more a question about the usage of these infrastructures, because people treat mobile phones like mobile phones. When we are talking about protecting mobile phones, it’s about a PIN number or something like that to block access. But we don’t treat them like computers. There’s usually no security software on the mobile phones.

[00:24:20.290] – Thomas Tschersich
But at the same time, they’re connected with high bandwidth to the cellular infrastructure, in most cases with higher bandwidth than the fixed lines. They’re idling around the entire day in people’s pockets, but still connected to the infrastructure, so a perfect choice for attackers. This is the most underestimated threat in my view. Really, the mistake of not treating mobile phones as computers is the biggest issue.

[00:24:47.120] – David Puner
When a new mobile phone is in development, do you have a seat at the table? Are you an advisor of some sort so you’re working hand in hand? Or is it more the product comes out, and then you need to evolve accordingly?

[00:25:05.240] – Thomas Tschersich
Yes and no, I would say, and that is the right answer. We have terminal security requirements—we call it—for our vendors, for the mobile phones we are selling to our clients. We ask them, for instance, to guarantee software updates for a certain period of time and those kinds of things. But—and here’s the but—you can buy a cellular phone wherever you want, plug in the SIM card, and use it.

[00:25:36.960] – Thomas Tschersich
You can go to the retail shop around the corner, and there is no control. What we really need here is more responsibility on the vendor side, because as an operator, we can’t control it. As a consumer, it’s hard for you to control. The only way is that we need to start early in the supply chain, and we really need these suppliers to take over responsibility for the devices.

[00:26:05.810] – Thomas Tschersich
For the high-end devices, they do. Take the latest Apple iPhone or the latest Samsung or whatever device, they care. But there are a lot of what I would call fire-and-forget devices. Once on the market, there’s no software update, no customer care. That’s the biggest issue. Even worse, think about IoT devices also using mobile and cellular networks, for instance, a webcam or a baby phone or something like that. Who is really taking care of those devices? Who really comes up with the idea that there might be a software update available for the webcam? That’s an issue. That’s an issue that we need to deal with differently in the future.

[00:26:57.890] – David Puner
There’s fierce competition in your industry. How does that competition speed innovation, or maybe in some cases even slow innovation? If that’s possible.

[00:27:08.200] – Thomas Tschersich
I would say competition is always driving innovation because you always try to be at the leading edge here. That’s good. Competition is always good on the market side. The thing slowing us down more is regulation. We have different regulation all over the place. That’s a little bit part of the problem.

[00:27:28.160] – Thomas Tschersich
On the one hand, we need to buy from global vendors to get the infrastructure built. On the other hand, we have local regulation in nearly every market. But it’s different in every market. That’s the challenge, which is really killing innovation. There, we need to find ways to deal with it for the future, I would say.

[00:27:53.430] – Thomas Tschersich
We achieved a lot in the standardization with 4G and 5G, which were really the first global standards in cellular networks. Before, we had an Asian one; we had a European one, and we had an American standard. It was a mess traveling around the planet as a business traveler. You were always forced to have three mobile phones with you.

[00:28:17.510] – Thomas Tschersich
Meanwhile, we have that global standard. But I see a certain tendency that the world is again splitting into different tech spheres, that we end up with a more Western tech sphere and a more Asian tech sphere. That’s my fear at the moment.

[00:28:37.110] – David Puner
You just mentioned 5G, and we had talked about IoT a moment ago. How are you approaching the intersection of 5G and IoT? What are the opportunities and challenges?

[00:28:50.080] – Thomas Tschersich
First of all, I would say 5G is more bandwidth. That’s it. It looks easy at first view. It’s not. There’s a lot more in it and a lot more to come, like we get the ability to build private networks, called network slices, based on a public cellular network. That’s really unique and creates a lot of opportunities because you can build virtual infrastructures on top of a physical infrastructure with different kinds of service level.

[00:29:22.130] – Thomas Tschersich
All of a sudden, you are enabled to have an IoT slice, for instance, with low latency but also low bandwidth, because there is no need for high bandwidth. Being able to have on the same infrastructure a different layer with maybe low latency and high bandwidth and high security, which nobody else could access. So it will create a different way of networking for the future.

[00:29:48.170] – David Puner
I have one more question for you. I saw a little bit about the cyber defense and security operations center. What kind of work is going on there, and what is it?

[00:29:59.100] – Thomas Tschersich
It’s mainly monitoring what happens and modeling threat vectors and trying to identify whether they are happening in our infrastructure or not. This is 24 by 7. There are a lot of people working in threat intelligence, really trying to identify the latest threats. A lot of people then work on what we call use case engineering, trying to build use cases, or you could call them detection scenarios.

[00:30:27.540] – Thomas Tschersich
With the increasing complexity of the infrastructures we have today, and we talked about the defense approach, it’s not so easy anymore to build the fence around it. As we know, the infrastructure is complex, and it’s not so easy to build a fence around it, so we also need to change the paradigm and how we deal with it.

[00:30:48.990] – Thomas Tschersich
The former paradigm was to try to prevent the attacker from getting in. Now we’re more entering a world where the paradigm must be the assumed breach paradigm. With assumed breach, it’s of the utmost importance that we have these mechanisms to detect early on. Therefore, the cyber defense center is the answer. We need to have the detection capabilities in place, and also have a lot of automation, machine learning in place.

[00:31:21.710] – Thomas Tschersich
I avoid talking about AI because it’s mainly artificial, but not intelligent yet. But having all these technologies in place to deal with a huge amount of data, trying to find the attacker and get him out as soon as possible again. Maybe there’s one thing we forgot in our conversation I want to highlight here, and that’s the topic of identities.

[00:31:47.740] – Thomas Tschersich
A lot of people are now talking about the metaverse and going virtual. But what if we make the same mistakes as we did in the beginning of the internet? We started the internet connecting everything because we could. Not because it made sense, not because we were sure that it doesn’t hurt. We just connected it because it was possible to connect. We didn’t really care about identities and ensuring that we know who’s talking to whom.

[00:32:23.420] – Thomas Tschersich
Now transfer that into the metaverse. Now add to the formula also deep fakes, like deep video fakes. Conversations like we have today can easily be faked in the future. How to avoid that without having valid identity management in place? We really, really, really need to care about identities, about digital identities. Whether it’s for machines, whether it’s for services, whether it’s for humans, we do need to have those identities in place; otherwise, we will [inaudible 00:32:57] in the future.

[00:32:59.630] – David Puner
I feel like we could probably catch up again soon and talk about entirely different stuff because it’s ever-changing, and it sounds like you’ve got so much going on in your world, and I would love to do so. Thank you for joining us. I really enjoyed our conversation.

[00:33:17.190] – Thomas Tschersich
You’re welcome. It felt like we were only talking for five minutes here.

[00:33:21.680] – David Puner
That’s how we want it. That’s perfect.

[00:33:28.680] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment—constructive comment, preferably, but it’s up to you—or an episode suggestion, please drop us an email at [email protected]. Make sure you’re following us wherever you listen to podcasts.