
Lessons from the Frontlines of Industrial Security
Ann Johnson: Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I'm excited to be joined by Volker Wagner, Chief Information Security Officer at BASF. Volker has been the Chief Information Security Officer at BASF since 2021. He joined BASF in 2018 and was initially responsible for corporate security. Prior to this, Volker held various management roles at Deutsche Telekom. In total, he has more than 30 years of leadership experience in security, finance, sales, controlling, and auditing. Welcome to Afternoon Cyber Tea, Volker.
Volker Wagner: Thanks, Ann. I'm glad to be here. Actually, it's 5:00, tea time in Germany, and I'm ready for the cyber tea.
Ann Johnson: Excellent. Do you have a tea preference?
Volker Wagner: Maybe Earl Grey is my first choice.
Ann Johnson: I try to drink lemon ginger before these recording sessions just to get my throat ready to go.
Volker Wagner: And so I.
Ann Johnson: So I'm absolutely thrilled that you joined us today. You have been a key voice in shaping cyber strategy across all of Europe and beyond. I know how influential you are, and I'd love to start with your journey. What first drew you to cybersecurity, and how has your leadership philosophy evolved over time?
Volker Wagner: Like for many of us, it was an incident which brought me into the cyber arena. More than 20 years back, I worked with a German telecommunications company in internal audit, and my team and I, we received the assignment to identify why the internal control system did not work when we had an incident, when we had a breach in one of our systems. It turned out, like always in many, many other cases, that we had a lack in basic security, a lack in a proper operation of identity and access management, something which was there more than 20 years back, still we face issues, but I got more and more attracted in that time, and so I thought, you know, when you're in audit, you have sometimes the impression you do the controls, you do the audits, but you are more or less in the backseat. I wanted to go to the front seat and have more of the steering wheel in the hand, and so it's a bit coming from the reactive to the proactive side and a bit more from the, I would say, from the control perspective to a security by design perspective, and I think it reflects a bit what we all have achieved as cybersecurity experts and leaders in the past couple of years, that more and more we developed ourselves, that we are more in the front row, and so here I am now and looking very much forward to our talk today.
Ann Johnson: Excellent. I think that I appreciate the journey, right? Coming from, you know, the reactive side, as you called it, to the more proactive side. It's great that you took on that challenge. I'm not sure that many other people rush to take on that type of challenge and be the actual cyber leader, so credit to you. So I'm sure that some of our listeners have some knowledge of BASF. You used to have really interesting commercials that ran, at least in the U.S. market. But can you give us a quick primer on the business? And then take that in the context of cyber. What do you see as the most urgent threats facing global enterprises, specifically the industrial and chemical sectors?
Volker Wagner: Well, BASF literally stands for Chairman-Based Aniline and Soda Factory. So our roots of the company are ingredients for colors and washing powder. So the most famous product in the early days was artificial indigo for dyeing blue jeans. I think great success story. We all love our pair of jeans. Nowadays, when you look around, many of the products in your environment are from us. So let's take the spandex fibers in your clothes, the fragrance in your shower lotion, the cushion of your seat when you have a look at your car, the battery materials, the catalysts, the coatings are from us, and then we have an agricultural business with vegetable seeds, fertilizers. And if you are a sporty guy, maybe the boost sole in your running shoes are from our performance materials. You can see BASF and chemical sector is more or less the industry of the industry. So we have B2B business and we are more or less in every principal product involved with the color, with some ingredients. So it's quite interesting because you learn a lot about the industry. So if it comes to threat situation for us, I would say it's lots -- it's related to the numbers we have in our group. So we have more than 110,000 employees spread over 150 countries in the world. Among them, more than 10,000 researchers, and we spend about $2 billion each year on research and development. So which means at the end, a large digital footprint, including some high-value targets, the crown jewels in the innovation section, and a large scale of production plants with industrial control systems, SCADA systems, let's say a huge surface to attack.
If you ask me about what are the most concerning threats, the most serious risks which I'm concerned about, for sure number one is espionage or APT attacks on our business secrets, on our crown jewels, and secondly, more and more we see destructive attacks, ransomware attacks on our systems, on our plants, on our supply chains, but on the basic infrastructure of IT as well.
Ann Johnson: I think that given the, I guess, scope of the business that you're in, it doesn't surprise me that there are obviously high-value targets, but there's also a broad base of targets as you identified. We often talk in cyber about resilience. I'm curious how you think about resilience because, as you know, you and I have talked about this, it is a strategic imperative, but when you think about cyber resilience across all of your businesses, what are the key pillars of your strategy and how are you trying to achieve it?
Volker Wagner: Yeah, I think which we always try to revise, but basically I have three elements in mind. Number one, and I think this is the platform on which we stand, do the basics right. So we adopted the so-called NIST framework and ISO 27001. So we focus in the identity area that we have, we know our assets, we know our risks, that we have our threat intelligence in place. In the area of protection, we have technical measures in place like web application firewalls, organizational measures like proper identity and access management, and human-related measures like awareness trainings and educate people to make them cyber safe in the culture. From the detection point, keep your SOC running, have all your assets connected to the SIEM system, and for the area of response, run your playbooks, have your incident playbooks in place. And one thing, if it comes to the basics, I really want to underline we have not only to introduce the controls, we have to really make sure that the controls are working. This I find quite often that things are designed and then they are not in place or not properly working. So do the basics right, this is, for me, number one. Secondly, I think it's essential to have a cybersecurity ecosystem in place with technology partners like Microsoft, and I really, really appreciate and a big fan and supporter of your collective defense approach. We met each other this year in Germany, in Munich. We met in London with other multinationals from Germany and Europe. I can see that you are driving this heavily. So it's absolutely necessary. We have it with our technology partners like you. We have it with the security authorities like the German cybersecurity authority, BSI, or with the federal criminal police and other law enforcement units, and for sure with other multinational companies, with our peers, the CISOs and cybersecurity folks from our friends in the industry.
I will come to the third element because I think still it's not enough, because even if you have reached a certain level of maturity, we see that attacks are still increasing in numbers, in frequency, in sophistication, so we decided to change our paradigm and we introduced our so-called Zero Trust strategy. And we talked in the cyber community over years about Zero Trust and I think it's really needed to make this tangible. So we deploy the three basic principles, assume the breach, so you have to accept, and I told it to my board of directors, that we never ever can go for 100% prevention. We have to assume that already some elements of our networks might be compromised, that we have compromised devices or vulnerable applications, which brings us to other elements and principles, never trust, always verify, have your controls in place, and provide least privileged access, try to reduce the damage potential. And I want to make this a bit more tangible for our listeners, because I think there have been a lot of theoretical papers on Zero Trust. We try to introduce this very, very practical, and I want to elaborate it maybe in four domains. Let's take the domain of identity. Think about a regular employee usually goes to work between 8 and 9:00 in the morning and back 5, 6 p.m., and has a typical user pattern, and now he goes to a conference, and from tomorrow on, because he's on the conference, he tries to log in the system from another location, and then we said, okay, in this case, we want to have as an additional marker. We want to have an MFA. We send a one-time password to his smartphone and then he has to identify himself that he's working just this week from another location. Well, let's take the example in the infrastructure area of the devices. If devices are not patched on the latest operating system version, we don't grant access from remote anymore. Certainly, segmentation, we have micro-segmentation in place for our research centers. 
We have our production plants segregated. And lastly, and I think especially in times where we have more and more customized code, we introduced scanners like DeepGuardian in the GitHub platform, and this makes it for us a bit really practical and tangible, and so we believe with these three elements, we prepare ourselves and make us more mature in the future.
Ann Johnson: I really appreciate you breaking it down like that because I think a lot of folks get overwhelmed when they hear Zero Trust, right? And I also love your focus on going back to the basics because we know, the data tells us, that the majority of, you know, successful breaches are based on cyber hygiene. The actors are very persistent. A lot of us have technical debt and it's easy for the actors to exploit that. So thank you for being really clear. That's one of the things I love about talking to you is you're always super clear in the concepts and you make it really simple for people to follow. The business you're in, though, is very innovative, right? You have to be innovative, and innovation, resilience, cyber can often seem to be friction, right? People talk about how the cyber team can also create friction in that innovation. How do you see the promise and the risk of balancing innovation across your cyber organization when you're thinking about security and trying to support the business?
Volker Wagner: Yeah, I think innovation is key for every business function. I think it's the essence of our life and I think makes our lives interesting and fascinating, too. We try to explore, and not only try, we are heavily working on this to explore for sure AI tools and enabling our cybersecurity workforce. Maybe I can give you some of the examples what we are striving for. It's a journey we embarked with some of the elements we are a bit more ahead with others. We are in the early phase. Let's take, for example, the use case that we use AI for data labeling and classification. So in all the companies, we face the problems that people have to classify the confidential data, the strictly confidential data, the open data or the internal data, and most of the people fail, so it's not so easy. What we introduce is so-called auto-tagging that based on the content, and there are great tools now in the meantime available, you can identify, okay, this privacy-related data, medical data, or these are data which includes credit card numbers or something which has to have a high level of confidentiality, and then it's the system will label this data automatically and then we can deploy controls, which is great. Or let's take the area of cyber defense. Take one example. About three, four years ago, around Christmas, we faced the incident of Log4Shell, and my initial call with the BASF experts, we had about 80, 90 people in the call, and we tried then to explore for three days in a row where we have this JavaScript in place and where we have to update our systems. I would say it's a perfect example to have incident playbooks augmented by AI solutions that you immediately can deploy a patch in your asset area. Or let's take the example of offensive security. We introduce AI-supported pen tests right at the moment we are struggling with the coverage of testing new apps because we have so many great developers.
It's always a bit cat and mouse game that we have to coverage of every new introduction. Therefore, I would say this will help us greatly. Or think about awareness and phishing simulations, language barriers we can overcome. I think this helps quite a lot. Lastly, I would say one really valuable case is that in the third-party risk assessment, we streamline our questionnaires jointly with our peers and we use it for the evaluation or assessment of the answers of our suppliers, and so we have less administrative work. One additional point is that in our SOC, the Tier 1 level is usually flooded with alerts, and in the past couple of years, so I'm now in this role for four years, we have now factor five the number of alerts in our SOC when I started. And so that's always a problem of the false classification. An AI tool is never tired, is less -- never less concentrated, and we can eliminate the human bias as well. So therefore, I would say some great use cases which help us a bit to become more speedy, more cost efficient, and to increase our coverage.
Ann Johnson: I love that. I think that there will continue to be innovation in cyber, as you know, and particularly with artificial intelligence and automation, and as leaders, we have to be prudent where we deploy it, but also leverage it for the best capabilities and also to help our staff, right?
Volker Wagner: And it's a fascinating story as well. I always tell my people, it's a kind of a once-in-a-lifetime thing that we are now able to design our future. We have it maybe every 20 to 30 years that there is something so special, so unique upcoming, and we can introduce it and make our world a better place, make our world maybe a safer place. So that's really a unique opportunity.
Ann Johnson: It is a unique opportunity and a great lead-in to my next question, by the way. In order to make the world a better place, we need collaboration, and as you know, we've had a lot of meetings where we've talked about collective defense and we've talked about collaboration. You've been involved, you know, as a leader, and not just in Germany, but in the broader CISO community, and you've really taken a leadership role bringing a lot of CISOs together. So can you talk about, from your point of view, what does meaningful industry collaboration look like, and how can organizations better support each other?
Volker Wagner: Yeah, I would say firstly it starts with our heads, with our own mindsets. So as security professionals, we have been educated over years that we have to keep everything strict, confidential, and we have to have our own castles within the companies. We have to open up. If we strive for collective defense, we have to go into partnerships. So what we started is that we are a foundation member of two drone-based associations. One is called the Cyber Security Sharing Analytics Platform. The other one is the DCSO, the German cybersecurity organization. One is primarily focusing on incident sharing. The other one is in securing our supply chain and helping the so-called medium-sized companies with solutions, which EDM will help us because we partner with them. We have them in our supply chains. What we said, we have to share not only threats and risks, but we really have to do, we have to collaborate real time in incidents. With this community of 16 companies in Germany, we have now a situation that my experts don't have to ask for approval before they consult the forensic experts or the analysts from other companies if they want to discuss and share IOCs or TTPs. I think this is great because this will help us definitely to overcome barriers. On the other hand, what we did is that we have now with our authorities, and I think this is something which had to overcome in the mindset as well, that there is more trust in public-private collaboration. So with our cybersecurity authority in Germany, we have now a so-called DAX 40 community with the biggest German companies. So we have our collaboration platform. We have twice a year meeting and the host of the next meeting. So on the agenda, among others, is the threat situation, how we can collaborate on third-party risk management and how we can enforce the interaction with [inaudible 00:19:22]. 
And on top of that, we plan, and with your colleagues of the Microsoft team for the DAX 40, a visit to Redmond for the CISOs of this company for a really well-designed, German market-designed executive briefing, which I like very, very much, and one thing is the technical exchange. On the other hand, I would say it's a matter of building communities of trust, and my learning is that you cannot say from tomorrow on we will trust each other. Trust will increase by shared experiences and close interaction. And therefore, once again, I'm really, really super happy that you initiated this collective defense approach and that we can partner with you here in Germany and Europe to bring all of -- join our forces. Really, really practically, and I really like this.
Ann Johnson: I do think it's an important initiative and I'm proud of the work we're doing here, but it is going to take everyone to lean in, and to your point, I often say to my team trust is built in drips and lost in buckets, and we need to, you know, we need to put all the drips in the bucket so that we're all working together and people feel comfortable working together, which brings me to the human element. So human beings make cybersecurity work every day, independent of technology, working with technology, even with the latest technology. So what practices do you deploy and do you think are super effective in building high performing and psychologically safe cybersecurity teams?
Volker Wagner: Ann, I would say we have one major advantage, because in cyber we have an excellent foundation, and this is our purpose, how to attract people. We all know why we have to get out of the bed every morning, so this helps quite a lot, I think, for me and all the others, to have this intensive motivation to excellent performance. So if you are on a cyber hunt, it's so thrilling and so exciting, so I would say this is fascinating. And at the end, it's all about the team. You have to have the right mix of people in your team. So you need technical experts. You need strategic thinkers. You need communication guys. You need a kind of a hands-on mentality. What we did in BASF, we introduced our so-called winning behaviors, not only for cybersecurity, for the entire group, and this is always, for me, a kind of a very good guardrail. So they are structured in three areas. One is about accountability. I can give you one example. We give and take ownership and over narrow supervision, which I think it's absolutely essential. If there is a cyber incident, we have to go ahead and we have to guide and to navigate our business partners. Number two, speed. We prioritize speed over perfection. It's never possible to have everything in your risk assessment. At the end, we have to move forward and we have to come from the design into practical deployment. And number three, we fight for the best solution over compromises. We really want to accelerate and we want to have an improvement mindset. I think this helps from my perspective quite a lot. So therefore, I would say it's great to, besides all the technical elements, it's super great to team up in cyber and that you have your experts and your working team for collaboration.
Ann Johnson: That's really a clear explanation of the human capacity. I also talk a lot about how preparation and having a plan and making sure that humans are working the plan as opposed to trying to think of unique and creative ideas during times of crisis like a breach, how people come together, right? You want them working a checklist. So when your teams have faced real-world incidents, the coordination, the preparation you've done, and I know you're very clear on that, are key. Are you able to share a recent challenge that taught you something new about resilience or about the response readiness or the speed or just cross-functional coordination within your company?
Volker Wagner: Yeah, I think we have to be open and we have to share incidents, because at the end, we can learn from each other. Not everyone has to do the same experience. So when we got through it, I'm happy to give our experience that others don't make the same mistakes. But I can elaborate a bit. Ransomware attack we faced a couple of months ago. At the end, about 80 servers had been fully encrypted by the adversary, so more or less the whole environment. Luckily, this subsidiary was not connected to the corporate network, so it was an isolated network. At the end, we restored everything by ourselves. We didn't pay any ransom, but we had some lessons. My personal lessons learned four points. Number one, rely on your experts. Rely really on your experts, because one of my senior analysts, he identified the initial access vector within 24 hours. So luckily, this initial access was just seven days back, so we could use our backups and could start restoring. Second learning was for me, control your controls. The root cause was, at the end, an internet gateway without multi-factor authentication. The issue was that by design there should have been multi-factor authentication. The feature was available. It was not a lack of design. It was a lack of deployment, but one technician had, shortly before the incident happened, disabled the MFA, which brings me back to my Zero Trust approach. Never trust, always verify. You have to make sure that your controls are in place. And thirdly, my third lesson was collaboration with partners is absolutely essential, and I can only highlight in our talk, Ann, that I received from the Microsoft GHOST team such good assistance and support. They shared with me TTPs and IOCs from other events where they observed the same threat actor, which helped us a lot to identify the root cause and to bring the topic down, and very, very fast interaction, and this worked out because we did know each other.
It was not a long ramp-up that we had to sign contracts. It was a very hands-on mentality, which I liked very much. And maybe coming to my fourth and final lessons learned, you have to communicate with your stakeholders. So three weeks, it took us three weeks for restoring, three weeks, including the weekends, every day. I did send out a status report to our stakeholders, to the senior leadership. We informed our customers, we informed our employees. Communication is, in such an event, super, super critical. We never should forget about this, and even if you're not able to communicate each and every thing, because you don't know everything, you have to start involving your stakeholders.
Ann Johnson: I think that last piece, it's all great, but the last piece in involving the stakeholders is one of the things we see CISOs getting better and better at, right? Not just being the technical security experts, but the folks who can actually communicate with executive leaderships, communicate with the board, etc. So that brings me to, you know, talking about the role of CISO, right? The role of CISO is evolving. The CISO is becoming more of a business leader. How do you balance the technical depth that you need with the board-level influence, the business alignment, talking to the key stakeholders across BASF?
Volker Wagner: Yeah, I am always considering that, before we start dreaming, we have to be modest and we have to stay with both feet on the ground to fix our basics each and every day, and probably this part of the work will never end. On the other hand, on the strategic side, based on all these geopolitical developments and tensions, I would say they are more and more, as we all know, influencing, shaping the cybersecurity landscape. Therefore, I would say digital technical sovereignty is more and more on the radar of policy and decision-makers. And as CISOs, we can and we must play a role to design safer, resilient, robust infrastructures of trust. This is related to operating systems, to collaboration platforms, to devices, to applications, to cloud services, to semiconductors. Sometimes I have a bit of the impression in the media that everything is reference to the hyperscalers, and I would say we should have the whole ecosystem in mind, because at the end, we have to be robust on all elements and all levers. Therefore, I think this might be something we should strive for, and once again, I think nobody can do this alone. We have to join forces, but this might be something for the higher good.
Ann Johnson: Yeah, I think that's an incredibly important statement. Security is an ecosystem. It's an ecosystem not just outside of your company, but it's an ecosystem within the company, and driving the security culture throughout the entirety of the company is the thing that will make you more safe and resilient. Can we look ahead for a minute? Let's talk about what you're thinking about. What's next for the cybersecurity industry? What trends are you watching for 2026? What trends are your peers watching for 2026?
Volker Wagner: When we try to predict the future, I think it's always a good advice to hold on and reflect the experiences we made in the last couple of years. So in cybersecurity, we all are familiar with the term "CIA," confidentiality, integrity, availability of data. When I started my career in cyber, I would say the first decade we focused primarily on the confidentiality side. So information protection was key. So we tried to avoid any kind of leakages of data. This was the primary focus. Then I would say in the next decade, confidentiality stayed, but availability became more and more a concern because we introduced a lot of cloud services. We introduced more and more applications in cloud areas and opened up our systems from our own data centers. And on top, with the introduction of ransomware, with the encryption of systems, I think availability became the next big issue. And now we entered the stage of AI. I would say integrity of data will play more and more a decisive role for us in cyber, which means confidentiality will stay, availability will stay, but my expectation is that we have to focus more on integrity of data. I recently discussed it with my cyber defense team, with my SOC, and I said to them probably we will automate many of your current work with AI-based solutions, with anomaly detection, with automated detection response activities. But I believe a future role of the SOC might be a verification broker for our company because I think it's more and more essential that we know what is the value of the data, what is the quality of the data, can we trust in the data in itself, because we open up our systems. We don't use anymore only internal data. We [inaudible 00:31:42] data from our partners, and therefore, I would say this might be something for the future where we should have an eye on this.
Ann Johnson: I think that's all incredibly important, and I agree with you, by the way. What's current today is going to be current in the future, and we're going to see new and emerging threats and we just have to be prepared. I'll take myself back to the statement I made at the beginning about good cyber hygiene is still going to be our best defense. Two more questions. Before we wrap, I want to talk a little about your personal journey. What is -- and this is a question I ask a lot of folks, and I ask myself occasionally, but -- [laughter] trying to drive some self-awareness, Volker. But what is one piece of advice you wish you had received earlier in your career, and what do you hope our listeners are going to take away from your overall journey?
Volker Wagner: So I'm just reading for the second time the fascinating book, which I can heavily recommend, The Chip War from Chris Miller. This book describes how the IT sector and especially the semiconductor industry developed over the past six decades. While reading this book, I realized this has been more or less the last six decades of my personal life, too, or my entire life, but honestly, the biggest part of this development was and still is in the U.S. West Coast and in Asia. So as coming from Germany and being based in Germany, maybe I entered the tech world a bit too late. So my advice for all the young talents is go for your heart and follow your passion. Secondly, don't look for stable environments. Rather, go for companies, sectors in transformation. There you can design, there you can build, and you are not forced to work on administrative tasks. And lastly, I would say cybersecurity always gives a good purpose for work.
Ann Johnson: I love that advice. We spend so much time at work. Do something you love, right? Make sure you're doing work you love. I also close Afternoon Cyber Tea every week with optimism. I call myself a cyber optimist. I know that for every attack we see in the news, there's thousands we've defended against. So with that in mind, considering everything we've talked about, what are you optimistic about when it comes to the future of cybersecurity?
Volker Wagner: Yeah, luckily, by nature, I'm an optimistic person, too. This always helps, at least myself, in challenging times. On top, I recognize some very positive developments. Number one, I see that we are coming more and more from best of breed to best of integration, and when I reflect the time back, we tried to use, for every specific cyber problem, we introduced a specific tool, and at the end, as CISOs, we had to manage a zoo of applications and tools. My own -- my advice is let's go for standards and for platforms, and I think we are on our way. Secondly, I recognize a willingness for collaboration, a willingness for collaboration between the private sector and the public, so between companies and authorities, among CISOs, among ecosystem partners. Once again, I can only promote the collective defense approach from you Microsoft guys. Fantastic. Happy to join and to support and to promote this activity. And thirdly, and maybe might be even the most important element, so after the digital natives, I would say now the AI natives will join the cybersecurity teams. So with fresh blood and new ideas, we will bring cybersecurity to the next level. I'm pretty sure about this.
Ann Johnson: Thank you. I really appreciate that response, too. Volker, I appreciate you joining us today. You always have such a pragmatic view and really practical advice, and you have so much experience, and I know you're super busy, so thank you for making the time.
Volker Wagner: It was a pleasure for me, and always good to talk to you, and let's drive and shape together the cybersecurity landscape.
Ann Johnson: And many thanks to our audience for tuning in. Join us next time on Afternoon Cyber Tea. [ Music ] I asked Volker to join Afternoon Cyber Tea because he is a really pragmatic cyber expert who I know would bring practical advice to the conversation and he definitely did not disappoint. It's a great episode and I'm certain our listeners will get value from it. [ Music ]
