The CyberWire Daily Podcast 12.29.17
Ep 505 | 12.29.17

The German Cybersecurity Market with Gerald Hahn


Dave Bittner: [00:00:01:03] Thanks again to all of our supporters on patreon. The support we receive there helps us provide the daily news that you come to rely on. We hope you'll check it out at

Dave Bittner: [00:00:14:22] Our podcast team is taking a break this week from the daily news. But don't fret, you can get your daily dose of cybersecurity news at our website, In the meantime, we've got interviews for you this week - some interesting people we've talked to throughout the year so stay with us.

Dave Bittner: [00:00:36:16] And now a holiday message from our sponsor, Nehemiah Security. Twas the night before the board meeting when all through HQ, not a C-level was stirring, even finance was a-snooze. Reports were all stacked in the boardroom with care, in hopes that the members would not pull out their hair. The CISO, however, was pacing the ground, mostly because he had no real metrics to sound. And the head of IT in front of long log reviews had just settled his brain after full backup number two. When out of the seam, alarms started to fly, they looked at each other and did not know why. Away to the reports they flew like a flash, to see which malware showed up as a hash. If only they knew where exploitables lay, and could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles, the RQ dashboard it came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew, smart cyber investments now everyone knew. To hear the rest of the story visit

Gerald Hahn: [00:02:10:05] We call ourselves a distributor for cyber security, but in our real life we are much more an incubator, which means we bring new companies into the German-speaking region and market.

Dave Bittner: [00:02:23:13] That's Gerald Hahn. He's the CEO of Softshell AG, a German company. Our conversation centers on the differences in the cybersecurity markets between Germany and the United States, and what companies should know if they want to try to set up shop and do business with Germans.

Gerald Hahn: [00:02:39:07] In the end, we earn our money with selling software to our resellers and they sell it to customers and companies but, mostly, we do marketing, sales and PR stuff for them.

Dave Bittner: [00:02:53:06] Take us through what is the current status of the German marketplace.

Gerald Hahn: [00:02:58:03] The German marketplace for cybersecurity is very dynamic. The market is very big; the biggest security market in the world behind the United States with an annual volume of €15 billion per year. We think this is, for historical reasons, Germans are very sensitive with their privacy and data. Germany is always leading the privacy and data privacy discussion within Europe so Germans are crazy with IT security. They buy a lot and they try a lot. In a connective way, and completely different to the mentality in the United States, the volume speaks for itself. It is a very great market and it is growing incredibly.

Dave Bittner: [00:03:55:09] When you say it's different from the United States, what do you mean?

Gerald Hahn: [00:03:58:12] I can only speak as an outsider. I can only repeat what our partners and vendors from the United States are telling us and that is in the United States companies/customers are giving new solutions a try. They buy a solution for one year and if it's not good they won't renew it. In Germany, no-one would ever buy something for test reasons. They always want to test it for free and then they want to play with it - not just a little bit, they are really going deep under the hood. They want to know every single bite, how it works, the source code, etc. This is a very engineering-focused country, which normally surprises US-based vendors because a United States' person cannot really succeed here. You always need a very technical sales guy; an engineer with a sales mentality who can really explain within the first meeting how the product works and which parts are used, etc. This is normally very unusual for a typical American salesperson.

Dave Bittner: [00:05:13:01] That's interesting. What is your advice for an American company trying to tap into that German market?

Gerald Hahn: [00:05:20:12] Focus on the engineering aspects. Be ready for really deep technical questions and if they can answer within the first conversation the better it is because this gives customers the feeling that there is somebody who is serious that he can rely on. Most IT personnel in Germany working for customers love the product. They play with it during the weekends and evenings and you can catch them if you give them technical motivation to find out more about it. A sales pitch normally really does not lead anywhere.

Dave Bittner: [00:06:06:04] We've got GDPR coming up in the coming year, in 2018. How is that going to change things for you all there? What is your take on that from a global perspective?

Gerald Hahn: [00:06:17:20] GDPR is really interesting, especially what cybersecurity vendors are trying to do with it. Everybody is telling customers that they have to do something otherwise they have to pay €20 million/final 4% of their annual revenue, etc., and they try to scare customers. However, the background is that the GDPR regulation was led by German privacy people, and most of the regulation within the new GDPR law was already here in Germany with the old data privacy laws so it is not really new for companies here and they always had to deal with these regulations. Therefore, nobody is scared and most companies are already aligned with the new rules. Most companies know that it has not much to do with technical solutions but with organization and structure within the company so there is not really more sales or up-sell because of GDPR, it more gave law firms new customers because everybody wanted to be sure that he really knows what's coming. Accordingly, the technical solutions and products are not really affected by the new law.

Dave Bittner: [00:07:51:10] That's interesting. Germany is already there. Germany is ahead of the game from their position as being a leader when it comes to these sorts of privacy regulations to begin with.

Gerald Hahn: [00:08:02:19] I think so, yes. Most US-based companies expect results within the first six or at least 12 months and this is very challenging. Not only because most companies are not really ready for an expansion. For example, no German website, no German collaterals, and this is something that the German market is expecting to have at least a few German papers they can read. Everybody speaks English but it feels much more comfortable reading it in German. Therefore, normally the companies need a month before they have a few German things online and then they try to enter the market through the UK. It is not because of Brexit, it is because the island is an island and it always was an island within Europe. It is really completely separated from the continent. The mentality there is much closer to the United States than they are to continental Europe. However, US vendors always set subsidiaries up in the UK and then they try to open Germany, France, Italy, Spain, Poland, etc and it is not working and, after a year, they are super surprised and they give it another try. Our suggestion is always set up a legal entity in Germany, hire a local guy and then they take you seriously. They know the company is really serious with the market and they have somebody to speak with in their own language. Over the last few years, we saw hundreds of vendors coming and going and also succeeding, but we never saw companies succeeding here with significant revenues without having a legal entity and German employees on the ground.

Dave Bittner: [00:10:03:02] It's really important to respect the locals.

Gerald Hahn: [00:10:06:22] Yes, I think so. But I think this has nothing to do with Germany. I think everywhere is the same. I never would try to expand to the United States from, I don’t know, Mexico or Argentina. I think this is a good comparison. You need to be in the country and you need to work with locals.

Dave Bittner: [00:10:33:01] That's interesting. It's also interesting to me how you say that we try to set up shop in the UK. I think that there is an odd thing with many Americans where we have a default respect for the British; we love their accent...

Gerald Hahn: [00:10:52:00] (Laughs)

Dave Bittner: [00:10:52:00] ...You know, so I think it works in that direction so I think there may be a false assumption that's the way we should go. That's a very interesting insight.

Gerald Hahn: [00:11:01:12] Yes. Finally, our experience with Americans are super positive. Most Americans we have dealt with are super open, transparent, and they hold what they told us, even if we don't always agree with each other. They are reliable and straightforward and this is what we really like when working with American companies and US citizens. They are really straightforward, honest and nice to work with. We have different experiences with other regions in the world, but this is what we admire most with Americans.

Dave Bittner: [00:11:43:07] That's Gerald Hahn. He's the CEO at Softshell AG in Germany.

Dave Bittner: [00:11:50:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out

Dave Bittner: [00:12:02:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, our Editor is John Petrik, Social Media Editor is Jennifer Eiben. Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thank you for listening.