Henning: Things like ransomware had not been discussed, and I think back then, nobody could really imagine what kind of "disease," also what kind of business, this could have become as it is today.
Caroline: From Cobalt at Home, this is "Humans of InfoSec", a show about real people, their work, and its impact on the information security industry. Today with me, I have a friend and colleague, Henning Christiansen, who is the Chief Information Security Officer at Ottobock. Henning, welcome. Thank you so much for joining me today.
Henning: Thanks for having me, Caroline.
Caroline: Henning, tell me about Ottobock. What is Ottobock? What sort of business do you do there?
Henning: We're actually producing medical devices like prosthetics, orthotics, wheelchairs, exoskeletons. So, a lot of stuff that helps people or specifically creates change in people's life. You know, there's maybe many reasons why or many, many, many risks and many, many dangers that lead to loss of parts of your body like legs and arms and hands. Like, for instance, as we've been speaking before, about the war in the Ukraine, that's obviously also something where people get hurt and injured. And, yeah, some of the patients that come to us, we are in a position to help them with prosthetics, and that actually feels well. I've been told many times, specifically during my job interviews, that obviously it happens very often that when people leave our building, patients leave our building, they're really happy about what has been achieved and what kind of support and help they've received from our products. But also not only the products, but also the people that help them use our products. So it's like it has a global footprint. We are doing business all over the place, I think 9000 employees, if I remember well, coming from Germany originally, founded in 1919, just one year after World War I. I've joined Ottobock last year in October '21. So, I haven't been too long with the organization, but I've never regretted the move so far.
Caroline: It sounds incredible. You know, I think for folks who are experienced in their careers and senior leaders, you know, Henning, you are now a head of information security, a chief information security officer for the third time in your career. You've, of course, done this at different organizations, different types of organizations, and I look forward to discussing those with you. But hearing you talk about Ottobock, it feels really good. It's so clear that the work that Ottobock is doing is making a positive change to people's lives. And how wonderful that the work that we do can help in that way. I'm thrilled to hear it. Henning, I wonder if you would actually tell us a little bit also about the other companies that you were head of security for. If you would tell us a little bit about what your experience was, and in particular, if you notice any big differences between the industries because you are not only medical devices CISO, you are not only a media CISO, you're not only a transportation CISO, actually you have quite a diversity of experience in terms of the types of organizations that you have been defending and protecting.
Henning: Where to begin with? Yeah, the first time I became a CISO, that was basically for Bombardier Transportation, known for manufacturing trains and train equipment, also signaling. And maybe interesting to hear how this came along. I joined Bombardier Transportation in early 2000 as an auditor, as an IT auditor, senior IT auditor. And one of the first assignments that I had was to audit the information security, IT security in that organization. And I think it's not unusual that usually, when you do audits, your findings, and in this case, as an auditor you have to write recommendations, and then you find people who would take accountability for management action plans because whatever your recommendations are will have to be agreed and accepted by the management. And they will have to agree to a due date to implement those measures. And there was not really somebody in place at this point in time dealing with information security at Bombardier Transportation, and so I wouldn't say I was told, but maybe that was the case. The question was raised, "Well, if you know how to do it," because I had written the recommendations, "Then why don't you do it yourself?" And that was actually when I became responsible for information security for the first time.
And it lasted for about 10 years at Bombardier. Of course, I love trains. I loved trains as a kid, when I was playing with them, but also the idea or the notion that I'm still based in Berlin, and I was based in Berlin back then, and knowing that all the trains that you're seeing in Berlin have been built by this company, by this organization, Bombardier Transportation, was special. It made you very proud. And whenever I was traveling with friends that don't live in Berlin, that have come to see me, then I would try to look for indications saying this has been built by Bombardier, and I was simply overwhelmed. And I was trying to impress also the people that I was with, again. And the organization as such, I think that was really the first time that I was working for an international organization, Bombardier had like...by the way, it's been acquired in the meantime, by Alstom so Bombardier Transportation as such is not really existing any longer. But back then, I think it was 45,000 employees working all over the place worldwide. Also global footprint, we were working on all the continents.
And yeah, as I said, that was really the first time that I was working for a company with an international mindset. Main language in our headquarter was English, and French also, to a certain extent. Bombardier is a French-Canadian organization. Yeah, it was no longer German. And I had to deal with people from India, from Africa, from South America, from Canada, from the US, Mexico. Just an incredible experience and something that I would definitely never forget. And that is also something the settings, something which made my decision to change from Bombardier or to move from Bombardier to another company, Axel Springer in this case, working in the media business, really, really difficult. But, you know, after 10 years working in the same company, in the same organization, things are wearing off to a certain extent, admittedly. And it's definitely worthwhile to reconsider whether you wanna broaden your experience maybe by changing to another organization. Though it's always connected to risk, whatever you've built up in the company that you've been working for before, it's something that you then need to give up. And you never really know where you're going to arrive and whether you will be able to build the same backing, build the same network, have colleagues to the same extent that you've been before. So, that is definitely something that you always have to bear in mind.
But, yeah, Bombardier, that was manufacturing. So, cybersecurity and manufacturing, back then, I think it was not as obvious as it is today that cybersecurity, and back then nobody really called it cybersecurity, to my knowledge, is of importance. It's necessary. We have discussed so many things which are common sense today, but back then few people thought about it. And it hasn't become as problematic or as risky as it's today, so things like ransomware have not been this constant. I think back then, nobody could really imagine what kind of "disease," also what kind of business this could have become, as it is today. But really, if you ask me, I think that was really the beginning of cybersecurity. Then we moved on, or I moved on, rather, to a media company that had to deal with a different challenge. Media company mainly selling newspapers, paper copies of newspaper, and an organization that had to realize and understand that significant parts of their business are offered by the internet for free. Also, that was, I think, part of the fault of the media companies, that they were offering the content of the newspapers on the internet for free. So, all the readers were used to getting or gaining information from the internet for free, and that made it very, very hard for them to introduce concepts like paywalls. That was one part.
And the other part is, all of a sudden, you had much more competitors who were actually born in the internet and who understood much more of the technology than a newspaper company could do. That was also a change and transformation that we had to go through, and at the same time understand that the more you do on the internet, the more you have to bear in mind or take into account the risks that come with cybersecurity. And that was also one of the reasons for me to move from a manufacturing company, train manufacturing company actually to a media company which was working and was highly visible on the internet, and also a company that was publishing newspapers or tabloids which some consider famous, other consider infamous. You become much more visible and automatically you become subject to attacks because there are people around you that don't share your view and that do not like you and that would try to shut down the information that you're providing or the articles that you're writing.
I just remember a case in which one of our tabloids was describing the leader in Turkey as a dictator. All of a sudden, we were facing DDoS attacks, which were originating from Turkey. Not from any official state organizations, but rather from people who felt offended by these headlines and amateurs in terms of cybersecurity, but amateurs who tried to attack us. And that's something that I haven't really come across before. And then, that is probably something that newspapers in general with internet presence haven't had to face before, which they simply had to prepare for. That was part of the challenges, part of the risks that we were facing. And there's many, many more. You were asking specifically, what is the difference between the industries, and what actually was the major motivation for you to change from a manufacturing industry to a media industry. Actually, I was looking for the risks and I was hoping that the more obvious the risk is, the more obvious it is for top management also to invest in cybersecurity measures.
And also, I was expecting that it would become more easier for me to defend cybersecurity measures within top management or for top management. And I was probably also hoping to become more visible. I was definitely hoping that cybersecurity and the role as a CISO would be more accepted as this might have been the case in a manufacturing company. I guess, that being open and honest and very frank, I think that was part of the motivation back then to also decide to make a move to another organization, make a move to another industry. You could maybe also argue, you can develop in different areas, you can develop and in the same company, you don't have to leave a company, but I'm really into security. When people ask me, "What is it that you are doing?" I always tell them I've been doing cybersecurity for 20 years now. And it's the only thing I can do. But at the same time, it's also the only thing I wanna do. So that is maybe one of the reasons why I think 10 years, a decade is a good time spent, it's a good time period where I'm also changing positions or moving to other organizations.
Caroline: It's absolutely incredible, you know, to be drawn to manufacturing and transportation and to look around and to know that the trains are something that now you have something to do with, to be in media and to be really on the forefront of just digital consumerism of information and the reactions that people have to the words that your organization puts out into the world. One of the things that I find myself noticing is both how thoughtful your career moves have been and how different from each other and how satisfying, I think, in different ways. I hear, when you describe the roles that you've had, the leadership that you have run, I really hear a deep sense of satisfaction, you know. And it's so nice to hear that. Henning, I wanna ask you a bit about, you know, now that it's clear for our listeners, you know, we have established your leadership, your expertise, I wanna direct our attention a bit to the beginning of your career. Because people may be asking themselves, "Wow, Henning, you know, his career, his jobs, they're so impressive, you know, but how did he get to this point?" And so, I wonder if you would tell us also about yourself as a young person. We know that young Henning liked trains. And how did you decide actually to study software development and get into that? And then to go from a developer to an auditor? Those are decisions that I can assume, from your LinkedIn profile, that I'd love to hear a little bit more about.
Henning: I'll do my very best, Caroline. You know, it's some time ago. I'm in my mid-50s now, and I'm not sure if I remember everything. But yeah, definitely. When I was finishing schools, there were also courses offered with regards to information science. Actually, those were the first ones. And I also attended those, though it was not mandatory, it was voluntary. Obviously, I was always interested in computer science, to a certain extent. At least, it was fascinating to have those devices and to use those devices. And when I finished school, I had a year of military service. And again, I was serving at a radar station, and there was a lot of computers around. And there was also position for people like myself, who had to serve in the military back then, where they could make use of their computer knowledge or know-how and could even extend it, so that was also very useful. And after that, after military service, and now we are in '89, if I remember correctly, I started my apprenticeship at a company, and then studied business information science. I don't know whether that's really the proper term. But again, that was the IT department that was fascinating me, that actually was the area in which I was specializing.
And while I'm speaking, there's a particular scene that comes to mind. Back then, we were working on the iSeries of IBM AS/400. I don't know how many of your listeners actually know what I'm talking about right now, but maybe some. And I know that some sites, people selling ERP software came around. I was so proud when I actually showed them that I was capable of recording, entering passwords and using the log-on mechanisms by just pressing a key, without really understanding and knowing that that fully compromised the security, the password security, user ID and password security of that system. At that point in time, I think security was nothing really that bugged me or that really was of interest to me. Yeah, so I finalized the apprenticeship, also, after three years, and then studied business administration. So, I wanted to have a diploma or master, as I would call it today, and we are the mid-90s now. Really moved away, I'd say, from information science. I was more focusing on accounting, on finance controlling, things like that, audit also, that did not have to do much with information science.
But when I completed my studies, when I had my master, it occurred to me that, well, finance accounting was maybe not what I was looking for. And so, I started as a developer in an organization software house for savings banks. But again, after 16 months, 18 months, I understood, maybe not the right decision. I was probably looking for something that has less technical detail. I was working in a very specific environment with specific languages and programming languages. Seems I wanted to avoid that I would have to do this all the time in my professional career. And at the same time, my girlfriend moved to Berlin and started to work for an audit company, one of the big four. And I was working in Hanover, and that was like, I don't know, back then I think it was three to four hours by train, and something that probably wouldn't work out. So, I was looking for another job. And yeah, I became an IT auditor with another big four company, PricewaterhouseCoopers, and did that for three years. And what was very fascinating in that job is that I was able to get to know much more people, much more environments, much more challenges and industries in a very, very short timeframe.
So, I didn't have to really deal with the details too much. I could ask some questions, pretend to be very clever, and pretend to know what the best solutions should be and could be and give some advice, or pretend to be a consultant and things like that. Yeah, I did that for, like, three years. And I think that was also the time when I understood that information security is something that will become very, very important. And defending things is also something that's maybe part of my character, if I may say. Also, I played soccer a lot when I was young, the European version of football, and I was more of a defensive midfielder. So, taking care or protecting the own goal. Well, I don't know whether that's maybe overinterpreting a little bit, but it seems that defense or defending things is out of my character, and that may be one of the reasons why I thought that information security, or security as a whole, but much more information security was looking very attractive to me. Now PwC, that I think was in early 2000s when I left PwC for an internet bank that was the predecessor of my preceding position for Bombardier Transportation, then things happened as they turned out today.
Caroline: It's an extraordinary story. And I thank you so much for sharing it with us. As I've been listening to you speak today, I am also myself walking down memory lane and remembering when we and a group of colleagues were together in California. Now, this was 2018. So many years ago, it seems. And I am hoping that one day, I will find my way back to Berlin and perhaps we can have a cup of coffee. It's funny how these things work. Henning, I wanna ask you a final question as we wrap up our podcast, which is, you mentioned the stage of your life that you are in. What would you say if you were to meet a young version of yourself? What advice would you give to that person?
Henning: Interesting question. I usually try to avoid giving advice to younger people because I'm highly convinced that people need to do or need to make the experiences of their own. Every once in a while, I think if I was young, could go back in time, if there was something that I would change specifically, it usually turns out, no, I would not, at least when it comes to professional topics, professional things because I'm pretty happy where I am. I don't know whether I would be as happy as I am if I had done something different in the past. And I'm not saying I haven't made any mistakes, far from it. I think I've made a lot of mistakes. I think what you need to do is at least to be open to learn from your past mistakes. Well, first of all, seeing mistakes, understanding mistakes, and understanding that you could have done things in a different manner could have helped, and usually, that's helping a lot when you are facing similar situations. You have the opportunity to, again, deal with a similar situation. What kind of advice? It's hard for me, Caroline, for a proper answer.
Caroline: First of all, I wanna thank you for just telling me and telling us how you truly think about it. The questions that I ask in an interview like this one, they are simply a starting point to open up. And I think what I'm hearing, which I like perhaps even more than, you know, some advice specifically is, look, every person you've gotta just live your own life, right? There is a way in which perhaps a spin on or one interpretation of your response is to say you do not need to follow someone else's path, you do not need to follow someone else's advice. And to know that you will make mistakes along the way, and to simply be paying attention and to learn from them, and actually just to know that your life is yours and yours only, and it is no one else's to live except for you. And what a beautiful respect I hear from you about the boundary of your life and your decisions and your career versus someone else's, which is theirs to decide, and theirs to make and not yours, which I think that in and of itself, it's a beautiful philosophy, actually.
Henning: And it's maybe also because I really haven't been following career path very strict. Looking at friends or colleagues, there's many other people who have really been focusing on their career and really build a strategy around it. And yeah, admittedly, I do admire them for the fact that they did, and that they were able to do that, and also were showing courage and will to do that, that's definitely something which wasn't the case for me. But yeah, I believed in what I did. I was convinced and I'm still convinced about what I did. It's probably also the fact that I was very fortunate that I have a crush, if I may say so, for cybersecurity, and that it has become such an important and really major topic in our time. I know people have weaknesses on how to like other jobs. They do have other preferences which is not of equal, but even more importance, than people taking care of handicapped people or elderly people. I think this is something that is of utmost importance, in my view, but it's probably not being as recognized and certainly not being paid or rewarded as much as what I'm doing at the moment. So, that is probably also something that I can be very happy about. And that's probably also something that you have to acknowledge.
Not everything in your career can be planned and can be achieved the way you want to achieve it. At a certain point in time, you have to be at the right place and the right position. That is simply not plannable. In other cases, you also need to be patient. Even if you think that your career development has slowed down, don't get too nervous about it and don't try to expedite everything under all circumstances. In some cases, it's also helpful to...I won't say wait and see, but yeah, look around, look back, understand what's going on and, at some point in time, take your decision and move on. There's not much of a secret. I think it's more of an attitude. It's more something that comes from the inside and that is probably part of our characters. And like I mentioned the beginning, some of my friends and colleagues and people that I've been studying with have been much more impatient, but had a stronger focus and had a more profile target, I would say, in their life, and were also achieving very successful, maybe even more successful than I was, when it comes to the career perspective. And so, from that point of view, it's really hard to give advice to anyone, other than really accept yourself. Try to make sure that you find your way without really giving up on yourself, giving up on your character, giving up on what you are. It's not always easy.
Caroline: I agree. Henning, thank you. Thank you for sharing with us your story, your sense of adventure, your passion for this industry. I'm so glad that you are on our side. Thank you, truly. This has been such a pleasure for me.
Henning: Thank you, Caroline, for giving me the opportunity.
Caroline: "Humans of InfoSec" is brought to you by Cobalt. We are Pentest as a Service company, and you can find us on Twitter @humansofinfosec.