Improve Security with Real-Time Data and Digital Twins

MICHAEL KRIGSMAN: We’re talking with Kurt John, the chief cybersecurity officer at Siemens USA. The conversation is going to cover the use of real-time data in cybersecurity at massive scale. Before we start, I want to say a huge, enormous shoutout of thank you to Redis us for making this conversation possible, so Redis, thank you very much. Hey, Kurt. How are you doing today?

KURT JOHN: Good, Michael, good to be with you. How are you?

MICHAEL KRIGSMAN: I’m all right. Kurt, tell us about Siemens USA.

KURT JOHN: So Siemens USA– the way I would say, it’s the world’s largest industrial software company. It’s a tech company. If you just look like volume of software, we’re actually number eight overall, and we’re in everything. We’re in smart infrastructure, grid edge, building automation, process automation. We’re in digital industries, and so automation process, automation, and we’re also in transportation, right? Not only do we build trains and the software that go on those trains, but we also help with infrastructure management when it comes to trains. So we call it mobility management– and everything in between.

MICHAEL KRIGSMAN: Now, you are chief cybersecurity officer, so can you tell us about that role and the scope of your responsibilities and your activities?

KURT JOHN: Yeah, sure. So in the US specifically, we are about a $25 billion business, about 50,000 employees, and so myself and the team are responsible for all of that. So that’s for our infrastructure, our products, our services that we deliver to customers, and so we try to keep Siemens safe internally as well as ensure that the products that we deliver to our customers are as secure as possible.

MICHAEL KRIGSMAN: Cybersecurity cuts across every part of business these days. We’re focused today talking about the role of data. How does data come into play in cybersecurity?

KURT JOHN: Excellent question. More often than not, what people would typically know is telemetry. In other words, it’s how much data from systems from the devices that our users use– laptops, mobile phones, servers that are helping the business to meet its objective. How much of that data can we collect, can we correlate, analyze, and then respond in the cases of anomalies? So predominantly, that’s where data is used in cybersecurity.

But there are other areas as well, which I suspect we’ll get into a little bit more detail later on, where for Siemens, being a very large company that delivers these really interesting technologies to our customers, a big part of data, actually, is in research and development as well. So for example, digital twin for cybersecurity– that’s where we actually make a digital representation or recreation of a physical object, not just a model of it but an actual– from the bolt to whatever widget should be included in that physical representation is replicated in cyberspace.

And one of the cool and interesting things about that is that you can do anomaly analysis, right? You can determine if something is not acting right because of an engineering issue or because there is an actual threat to whatever it is that we have replicated in the digital world. And so the data that is important for cybersecurity is, of course, in real time operation and protecting our infrastructure, but it also serves a great purpose when it comes to protecting our products and thinking ahead of what we might be facing in the future.

MICHAEL KRIGSMAN: So you’re collecting data, telemetry data that you use in your operations, and you’re also using this data to construct the digital twin. Let’s talk first about telemetry and then switch over to the digital twin. So when you say “telemetry,” what do you mean by that?

KURT JOHN: Let’s start from the very edge, as we would call it in cyber. So let’s talk about mobile devices and laptops, which is the predominant way that most users would interact with the resources at work that they need to in order to perform their job. From the patch status of that device to emails that are being opened, so logging of whatever emails are being opened, links that are being clicked, if we have– and we do deploy software on those devices that would help to stop malware from running. If it does stop malware from running– sending a message back to our Cyber Defense Center and saying, hey, on this laptop at this time, someone attempted to open up a link that we feel 90% certain is malicious. We stopped it. Here are some more information for further investigation.

So from there all the way to our servers that users might access– so in other words, if there are vulnerabilities that were discovered during our regular scanning process, that’s sent back to our Cyber Defense Center or to our vulnerability management team so that they can stay aware of what threats exist on that machine, along with, let’s say, strange behavior of applications. So if we’ve fingerprinted an application or a group of applications that act in a particular sort of way, for the most part, day in, day out, and then all of a sudden, it deviates significantly from that behavior, that’s also what we will call telemetry, right? And “telemetry” is just a fancy word for data, data which would come back to us that we can analyze and say, that is strange behavior. Let’s dig a little bit deeper.

MICHAEL KRIGSMAN: So correct me if I’m wrong. It seems like you’re working with two different types of data. You have the real-time data that is coming in as machines encounter or devices encounter threats.

KURT JOHN: Right.

MICHAEL KRIGSMAN: And then you have the analytical data that you’re using for evaluation, assessment afterwards, after the fact.

KURT JOHN: Exactly, yes. That’s a great way to look at it, and actually, if I have to on the fly categorized the primary difference between the two, I would say real-time data is more so how do we raise the flag of an anomaly or something’s just not right as quickly as possible so that our team is aware. And then the more passive data, as I will call it, serves the purpose of delving deeper, analysis, further investigation to determine whether or not this flag should become an incident or if it’s a false positive.

MICHAEL KRIGSMAN: Well, since you asked the question, how do you raise the flag, let me ask you, how do you raise the flag in real time?

KURT JOHN: Excellent question again. So we have on our servers– and I keep using those because I think that will be most relatable for users. On our servers and on our endpoints, we have software that’s running 24/7, for the most part cannot be disabled, and it’s constantly monitoring to see users’ behavior.

Now, don’t get me wrong. In terms of addressing the privacy issue, we do not pay attention to what users are doing. We simply pay attention to if there’s an activity that threw up what we call an Indicator Of Compromise, IOC. Then that’s where the software steps in and streams that data immediately to the Cyber Defense Center and says, hey, it looks as though we have an indicator of compromise, and you may want to look more deeply into this.

MICHAEL KRIGSMAN: So the data collection is taking place on the device. It’s gathering that IOC, that Incident Of Compromise, but the data analysis is instantly sent to the server where it is examined. And then some response comes back from the server. Is that the correct sequence?

KURT JOHN: I love your thinking and the question you’re asking. So yes and no, but it’s yes and no because I left out a little bit of detail. You can think of the software that’s on the actual device more or less on the lighter side in terms of what it’s able to do. Don’t get me wrong. It has a log of indicators of compromise, and if there’s a pattern match, it quickly says, hey, we may have an issue here.

But in addition to that, in terms of broader correlation, because when it comes to cybersecurity particularly, with cyber defense, strength lies in the volume of data that you can collect. So there is a cloud-based solution that that application communicates with as well. That’s a combination of real-time and passive data, right? So it streams the real-time data there to our Cyber Defense Center, but then it combines it with passive data to try to track if this is a known adversary or if this might be something novel. But because we spot, let’s say, A, B, and C, we never have seen this indicator of compromise before, but it’s close enough where we’re going to raise the flag.

And so there’s real-time data going straight to our Cyber Defense Center in order to raise that flag as quickly as possible, but then in the cloud and with other data that’s coming in from that endpoint device, there’s passive data as well so that the analysts can go say, OK, this is a flag. Let’s go look at the logs to see what this person– the type of activity the computer may have been doing at the time, or what type of link was clicked? Or when the link was clicked, what type of web address did they go to? Is that a known web address where we’ve seen threat activities before?

What type of file is downloaded? Let’s go and analyze that file, the structure of the file. Well, that’s something we’ve seen before. This is definitely a compromise.

Or maybe it’s not. Let’s delve even a little bit deeper to see if this file attempted to call out to someone. So there are varying sort of levels, or there’s depths depending on how confident we are in whether or not something has potentially happened where you either can stop the analysis, or you continue leveraging more and more passive data until you come to a conclusion.

MICHAEL KRIGSMAN: So the real-time data is used to do a very quick analysis, I’m assuming then, in order to get really fast turnaround to interrupt that potential attack in progress. And then a passive data analysis in combination with a human analyst may look at it later in order to figure out more comprehensively what’s going on and track down whatever they need to track down. Is that correct?

KURT JOHN: Perfectly said. Perfectly said.

MICHAEL KRIGSMAN: How much data are you dealing with? You guys are a huge company.

KURT JOHN: We are, and if you think about it, 300 employees worldwide, 50,000 in the US, different time zones– so that means that any time of the day or night, there’s someone working, and if someone’s working on a machine, on a server, a laptop, phone, it’s going to be streaming data. And so we’re in the petabytes of data when it comes to that type of telemetry.

MICHAEL KRIGSMAN: So all of this data is analyzed in real time with supporting passive data analysis as you were describing earlier.

KURT JOHN: Yes, that is absolutely correct.

MICHAEL KRIGSMAN: Without naming vendors or talking about specific products, what kind of infrastructure do you use to manage this scope of data, this volume, and the speeds at which you’re having to deal with it?

KURT JOHN: It’s a combination, and so from the analysis perspective on maintaining that data, we use a combination of open-source and homegrown applications because– people may not know this, but Siemens’s first cybersecurity organization was established in 1984. And so we’ve been doing this for quite some time, and even before the market became as mature– or maybe if someone disagrees with “mature,” maybe it’s as many options as there are now– we had to find a way to meet the needs that we had, and so a lot of open-source and homegrown applications, of course, with some support from some vendors that you would expect. And so that’s the structure that we’ve put together in order to manage the speed of that data– it’s actually quite quickly how things move– and then manage the volume of data as well but then also be able to, because of the volume, perform analysis on data as quickly as possible. And so we found ourselves having to do some really interesting innovation and some cool homegrown applications to manage the speed and volume.

MICHAEL KRIGSMAN: It sounds like using data to solve business problems such as cybersecurity is very much embedded in the cultural DNA of Siemens USA.

KURT JOHN: Of course, 100%. One thing that’s so interesting– the way we handle data from the business to IT to cyber and then throughout, we try to keep as much as possible in terms of the culture this threaded approach where we understand that different types of data at different points and in different areas have different value that it presents to a particular user, right? So for example, there’s some data that’s super time sensitive such as that real-time data that we mentioned. We need to raise the flag.

But then there are other data that’s not time sensitive but deliver a lot of analytical value such as that passive data. And depending on the age of the data, its location, when it’s accessed, who accesses it, the way in which they access it, the value of that data really shifts ebbs and flows, which is a fascinating concept. And so I think it started, of course, in the technology that we deliver to our customers, but since 1984 when we did start our cybersecurity journey– and by the way, now have more than 1,200 experts, cyber experts worldwide– we really have taken this sort of multifaceted approach to data and understanding its value that it delivers.

MICHAEL KRIGSMAN: Has there been a shift over time in the way Siemens thinks about data?

KURT JOHN: Yes, there has, and I would contend that it’s not just a shift that Siemens. But it’s a shift within the industry. I think when people started to do automation either on the micro level– so let’s say someone is trying to automate a particular process that they’re doing, such as, let’s say, opening up emails and saving it to a local drive– or if it’s more on the macro level, trying to automate an entire accounting process or automate a particular cybersecurity process, the focus initially was on efficiency, efficiency of time, efficiency when it comes to cost.

And with this digitalization journey that Siemens has embarked on and we have been for quite some time, the value of that data has shifted from a byproduct of that efficiency to an absolute treasure trove of insights into our operations, our products, market feedback, and the list goes on and on. And so it’s really cool to observe and see as we continue to transform into this tech company how data is being sort of repurposed or put in the center of what we do because it’s through that that we really get some interesting insights that could help us deliver more efficiently what our customers are looking for.

MICHAEL KRIGSMAN: So the role of data then has shifted beyond efficiency, which, as you said, is saving time, saving money, to innovation, if I can put it this way, which means doing something better, delivering better service, product, outcomes for our customers.

KURT JOHN: Agreed, and by the way, not just delivering better products, which 100% agree. It’s trying to deliver better with less or in an even more efficient manner, so creating that feedback loop and data being the underpinning resource that helps us to perform those insights and analytics so that we could deliver an improved product in less time with less resources and with more intentionality.

MICHAEL KRIGSMAN: Ah, the CIO mantra or command or demand– let’s say demand. No, let’s say mantra. Do more with less.

KURT JOHN: Yes, exactly, exactly.

MICHAEL KRIGSMAN: This notion of driving innovation– does the digital twin you were talking about earlier come up into that?

KURT JOHN: Oh, absolutely. I was having a conversation earlier today with our head of research about digital twin, and we were talking about security and the digital twin. And I’ll try to make my example relevant to that, and for that, the audience should know– and I mentioned it before– digital twin is a digital representation of a physical object as closely as possible to that physical object. As a matter of fact, it’s supposed to be an exact digital replica. Simulation is putting that object into a set of scenarios or simulating certain variables or activities so that you can see how that object performs.

Digital twin has been absolutely transformational on two fronts. The first is efficiency in engineering. So you can think of it as instead of having to build and rebuild and then rebuild again multiple prototypes to test how it interacts with– let’s say it’s a turbine– with the way it moves through air or the way that it generates electricity, you simply build a digital twin of that turbine. And you can run all of your tests, simulate all of your tests on that and therefore reduce your engineering costs or your production costs significantly.

Now, when we move that a step closer into the cyber world, what does that mean? That means– let’s use the turbine again as an example. If the digital twin says, based on these 10 variables, your engine should be running at 3,000 RPMs. It should be outputting this amount of heat, and so on and so forth.

And by the way, in this scenario, we’re further along in the engineering process where we’ve actually built a physical copy, and so we have our digital twin. And when you look at the physical copy, instead of the temperature being at 300 degrees, let’s say it’s at 500, and instead of the RPMs being at 2,500, let’s say it’s at 6,000. With digital twin, when it comes to security and performing anomaly analytics, we can determine with a certain degree of confidence that this is or is not a cybersecurity impact.

Now, in my example, I used it as a pre-production example, but can you imagine if we’ve completed production? We are selling these devices. They’re installed at customer locations, and there’s a physical device that’s still running. And within the room that the operators are using, there’s actually a digital twin as well.

And with that digital twin, the idea on a normal operating day is that the digital twin equals to physical device, but then all of a sudden, your physical device starts to act really strangely. Now, if you look at the digital twin and it says it should be one way but it’s not, then with digital twin for cybersecurity, you can, again, to use a term I used before, perform analytics in real time and find out whether someone is actually compromising this device or if the likelihood is that there is some type of mechanical failure. And that really gets the operators to enter responsive mode as quickly as possible should it be the former, that someone’s attempting to compromise that device. Very long winded, but I hope I was able to explain how critical digital twin is not just from a cost and efficiency perspective but also from a monitoring and cybersecurity perspective.

MICHAEL KRIGSMAN: Very clear answer. I once did a video conversation with Dr. Norbert Gaus from Siemens, who, of course, is a world expert on this topic, and one of the things that he said is that you’ve got the combination of the physics and the data coming together. And I am not clear how this works when you’re talking about a digital twin of cybersecurity.

KURT JOHN: Great question, and so what I mentioned there was probably the most practical approach to digital twin when it comes to cybersecurity. But another approach– so that sort of cybersecurity is a secondary monitoring, let’s say, or analytical approach in comparing a digital twin with a physical device. But if you move them into a cyber range and you were able to deploy a digital twin within a cyber range and then you were able to, let’s say, simulate a smart building– so let’s say there’s maybe solar panels on the roof. They’re digital circuit breakers. There’s building automation. There’s automated HVAC and automated doors that can open, close based on whether or not there’s an emergency. So let’s say it’s this really well-functioning ecosystem within a smart building.

The digital twin, when it comes to cybersecurity, can simulate the entirety of that ecosystem and then be able to determine whether or not something is going awry. So has an attacker compromised our building? So the example I gave you before is the analysis of just one physical object with a digital twin, and you’re seeing if this is compromised. If done right with enough processing power and so on, we can actually simulate an ecosystem so that if something happens on this side of the building, again, response time would go down significantly if the digital twin is able to determine, hey, those sets of doors are not working properly.

MICHAEL KRIGSMAN: And so what are the business outcomes that this use of data that you’re describing in the digital twin creates? What’s the benefit that’s created for your customers as well as for your folks internally?

KURT JOHN: I love these questions, Michael. Great question. And so from a Siemens– it’s very similar between what we’re able to do and what our customers are able to do because remember we’re a business-to-business. So a lot of our customers, they actually build things on manufacturing lines that they deliver then to their customers, and they might deliver to another business or to a consumer, TBD.

But within Siemens, if we are able to leverage a digital twin in our development process, it means that we don’t have to– our time to market decreases because then if we need to test new variables on a particular object, we can do it in the digital world versus the physical world. And so time to market decreases. Cost decreases because we don’t need to obtain a bunch of raw materials to constantly build, test, build, test. That cycle is reduced.

And so our customers then get a device or a product that is hopefully not as expensive as it otherwise would be, and then it’s working very well. Now, when our customers receive that and then implement that device along with multiple other devices into their manufacturing process, the exact same thing happens. If they’re able to leverage our software to create those digital twins, it can help with, again, reduced time to market, reduced cost.

It can help with training for engineers, so instead of having to build again that physical device and then let’s say you need to– let’s say it’s a car manufacturer. And you need to then go look at the inner workings of this engine. In years past, you would actually have to take that engine apart and then maybe put together the part that you’re interested in training a particular employee on.

But now you simply put on– whether you’re sitting in front of a laptop, or you put on your VR goggles. And you have your digital twin right in front of you, and with simple movements of your hand, you can blow up the part that you’re looking at. You can take it apart and put it back together, so it helps with training as well.

The third way it helps is actually in the field, so again, can you imagine if you’ve deployed a field technician to the field and they need to then maybe take something apart? Again, in years past, you would have to flip through this hundred-page book to try to find the right part, and then hopefully, the pages are still in good order. And they haven’t been moved around.

But now, again, either with an iPad, a laptop, VR goggles, you can get step-by-step instructions with real-time augmented reality, again, using a digital twin on how to take something apart or fix it. You can indicate what the issue is, and you get step by step in how to remediate that issue. And the list goes on. We’re always finding new ways where how the digital twin is just completely transformative in that regard.

MICHAEL KRIGSMAN: And presumably, all of this relies on having a very large amount of very high-quality data combined with very accurate algorithms and calculations that properly reflect the behavior in the real world of these kinds of systems.

KURT JOHN: Absolutely.

MICHAEL KRIGSMAN: You’ve mentioned several times the Siemens Cyber Defense Center. What is that?

KURT JOHN: The Siemens Cyber Defense Center is– we have multiple locations around the world, one here in the US as well. It’s a brilliant group of folks who, 24 hours a day, between two continents, monitor our infrastructure. And not only do they spot anomalies, track anomalies, raise it for remediation as soon as possible. They also do what we call threat hunting. So instead of just waiting for the anomaly to come to us, they actually scour our infrastructure and look for particular threats that might be running around.

MICHAEL KRIGSMAN: All part of the data ecosystem that you’re collecting and monitoring all the time.

KURT JOHN: Agreed, and they’re actually an excellent example of the volume of data that we process. So the Siemens Cyber Defense Center globally processes just about 3 billion events per day. Now, not all of those events become incidents, but it gives you an idea of just the sheer volume of data that’s coming in that would be classified as an event, in other words, something for further analysis. It also gives you an idea of the infrastructure we have behind that because there is probably no group of people, regardless of how large, who can receive, analyze, and make a determination about the nature of those events in real time if they didn’t have a very sophisticated and automated infrastructure.

MICHAEL KRIGSMAN: It’s really fast infrastructure and lots of computing power, I would have to assume.

KURT JOHN: Yeah, oh yeah.

MICHAEL KRIGSMAN: Let’s shift gears slightly. What about cybersecurity in supply chain? A company the size of Siemens has got to have a very large and complex and potentially threat-ridden supply chain.

KURT JOHN: Yeah, so our supply chain is massive. Globally, we have about 240,000 suppliers. In the US, we have about 24,000, so roughly 10%, and the list goes on, right? Our supply chain goes from really critical widget for which, let’s say, a particular product cannot go to market to folks who deliver flowers and everything in between.

And keeping up with that supply chain is not an easy task, but I got to say the team is absolutely brilliant when it comes to that. And so how we approach our supply chain is almost like a three- or four-pronged approach. A number usually pops in my head, and I throw it out there. And it might be off by 1. Let’s see.

The very first is– and it’s a very nontechie topic, which is contracts, right? So we want it to be clear in our contracts with our suppliers how seriously we take cybersecurity as well as what their responsibilities are when it comes to cybersecurity, so we have very standard cybersecurity clauses that are included in our contracts with our suppliers. The second is an evaluation of our suppliers, and there are multiple aspects of that evaluation from ethics to financial viability and so on. But from my perspective, we’ll talk about cybersecurity, so doing an actual review of their operations and the way they process data and handle data, the way that they handle their communications, all of which allows us to arrive on an opinion or a risk level for those suppliers and how well they can fit into our ecosystem, whether they need to make changes before they’re onboarded as a supplier or if we feel comfortable enough with their mode of operation when it comes to security.

The other part of this is our third line of defense, which for those in the industry would know that’s audit. And so we actually have an audit department which performs a review of our suppliers at random, others based on a particular topic. But they go and take a look at what we call business partners to make sure that, again– ethics, financial viability, and the list goes on– that our suppliers are meeting the expectations that we set out for them.

And then the fourth is very interesting, which is because of the size and complexity of Siemens and the things that we have to do just in our basic operations, we found ourselves in a very great position where we have a lot of knowledge about how to handle cybersecurity going from scratch all the way to very complex, and what we try to do as often as we can as we try to share that information and that knowledge with our suppliers as much as possible. And so while it’s not an official program, whenever we do perform a review of our suppliers or something has happened with one of our suppliers, we do our best to maintain strong communication, open-door policy, and share as many best practices as we can with our suppliers.

MICHAEL KRIGSMAN: So it’s clear that you exercise a great deal of control over the relationship when it comes to security with your suppliers. But what about instances where your supplier is attacked, and there is a downstream impact on Siemens? Do you get involved in that at all?

KURT JOHN: We do if it’s US/Pacific, or God forbid something happens globally, which we’ve been very fortunate– and maybe “fortunate” isn’t the word– but very intentional about our partnership with suppliers to prevent that. The best way I can say it is– and going back to my last point, which is that open-door communication and really trying to make sure that our suppliers work with us. We’ve been fortunate that we haven’t had any significant disruption, but I’ll tell you what, Michael. This is one of the biggest challenges that the industry is facing as a whole.

As you know, especially for companies like Siemens with so many suppliers, the tough part is you need to guard against everything through the entire supply chain, from third, fourth, fifth, all the way to end party. Meanwhile, the bad guys just need to find one way in. And in the recent news of this year and late last year, we’ve seen the implications of those types of activities, and so it’s something we are always paying attention to. For example, in those contract clauses, we have in there, depending on the nature of the supplier, that they need to exercise the same level of due diligence and due care with their suppliers and then pass that down the supply chain as much as possible. And so the best way to answer your question is it’s something that we work with our suppliers on, and then also, we do a root cause analysis and so that we could avoid something untoward happening again.

MICHAEL KRIGSMAN: And as you said, you have to be concerned with this very large footprint going out to n number of suppliers and their suppliers and their suppliers, whereas the bad guys only need to find one spot.

KURT JOHN: Just one spot.

MICHAEL KRIGSMAN: Now, you are a cloud-first organization. I’ve heard you describe it this way in the past. What does that mean at Siemens?

KURT JOHN: It means that we understand the value that hyperscalers bring to the equation, and I use the term “hyperscalers” to denote your typical– whether it’s Amazon, Microsoft, and the list goes on. And partnership with those hyperscalers where it makes sense allows us to reduce time to market, to decrease cost, and the list goes on. And so that means that wherever possible, if we can leverage cloud in order to meet those objectives– innovation, reduce costs, do more with less, and the list goes on– then we will take that opportunity to do so.

And that’s interesting from a cybersecurity perspective because then that means from our perspective, it’s not just on-premises systems that we need to be paying attention to and have an action plan for. It’s also those systems that exist in the cloud, and it’s even an ecosystem that is hybrid, right? And how do you as much as possible widen the aperture of what we do so that– again, it can’t go too wide. Otherwise, we’re drowned in unnecessary data– but widen it so that we are getting the right amount of telemetry from our on-prem systems, from our cloud-based systems so that we can maintain that level of responsiveness that we need to have?

MICHAEL KRIGSMAN: So you’re collecting data across all of these systems– on-prem, cloud, hybrid, wherever they may live– in order to be as comprehensive as possible regarding your security analysis.

KURT JOHN: Exactly.

MICHAEL KRIGSMAN: As we finish up, what advice do you have for business leaders who are listening and want to make more effective use of data in their business, whether it’s for cybersecurity or for general business purposes?

KURT JOHN: I’ll tell you what, Michael. This is such an interesting question. I think newer companies, smaller companies may have it a little bit easier.

There’s no data to back this up, but this is my general sense, because a newer company or a smaller company would not have these massive data leaks that are constantly being fed by years and years, if not decades, of systems that are out there. And so for the newer and smaller companies, you really want to be intentional with every technology step that you take. As a matter of fact, I would build into your technology roadmap and strategy actual callouts for what type of data you want to gather and tie that data to specific business objectives or business outcomes.

For companies that are larger like Siemens– and Siemens is over 170 years old, almost 200 years– then our challenge is just what I mentioned before, right? We have massive and massive amounts of data. And in some cases, it’s actually easier to, let’s say, start from scratch with a new system or just sort of wipe out the data, and these would be typically for systems which require more dependency on real-time data versus historical data.

So for example, cybersecurity– if we were drowning in data from decades and decades of telemetry, it may make sense to just wipe that slate clean and start from scratch because cybersecurity is the here. It’s the now. It’s how do we respond as quickly as possible and maintain enough telemetry over a few days or maybe a few months, depending, so that we can get a good proper handle of what happened.

But then there are other parts of the business which require that historical data, right? So if you want to do– let’s say it’s finance, and you want to do market trends or market analysis going back 10 years to see over the course of those 10 years on product launches how was it typically received so that you can determine how you want to change your strategy for delivery of a new product to the market. Then historical data matters a lot more than real-time data.

And so I would say for those business leaders, you have to figure out where you are in the journey, which category you fit into, whether you need real-time data or historical data. Maybe it’s both. And then you need to, going back to that technology roadmap and strategy, actually be intentional and build into that strategy the callouts for data and how it’s going to help your business succeed.

MICHAEL KRIGSMAN: So being very clear about the data problem that you’re trying to solve, the types of data that are available to solve that problem– and then I’ll overlay the accuracy of that data as well.

KURT JOHN: Exactly. Well said.

MICHAEL KRIGSMAN: And then finally, where do you see the role of data in cybersecurity headed over the next few years?

KURT JOHN: Excellent question. I think there are two things that are going to happen, and permit me to speak about innovation for just a little bit. So there’s more or less two types of innovation, right? There’s sort of disruptive innovation, which are sort of your Ubers and your Lyfts and other companies of that nature, that really just repurpose existing technology, and they sort of disrupted an entire industry. Then there’s incremental innovation, right? And I’d like to think Siemens sits on one feet in each category.

Now, the reason why that’s important is when it comes to cybersecurity, I think we’re going to see more special purpose AI. And for my side cybersecurity colleagues listening to this, please don’t groan, right? AI is the bane of the cybersecurity industry because everyone uses it liberally when it hasn’t really lived up to the expectation.

But I do think because of how interconnected systems are getting, how quickly data is moving between systems, how much volume of data is moving between systems, and how much programming is going into decision points so that– and human beings are being removed not necessarily from the process altogether but just from decision points because you really need speed. And I guess the best example of that might be, for example, the capital markets where these robots that are doing these micro purchases and sales is the best way to conceptualize it for our listeners. And where I see data coming in– and more and more bad guys are going to try to disrupt that because disrupting those types of micro processes that are moving at light speed has the potential to have a bigger impact not just in general but, to go back to what we spoke about, within the supply chain.

And so I see data being leveraged more within cyber to continue trend analysis to see how the bad guys are trying to disrupt these types of micro processes and to safeguard those decision points that help make our everyday life run. And so the best way I can categorize it is sort of special-purpose AI, not the stuff that’s going to say, good morning, Kurt. Let me drive you to work, but the stuff that’s really specializes in this one particular protection of this micro process.

I think that’s what we’re going to see over the next three to four years. I think it’s going to result in a few things, hopefully better protection, but I also think you’re going to see more being done at the more technical layers, less people, and more data and machine learning and artificial intelligence at the technical layers of cybersecurity. And what that would do, which I’m really looking forward to, is free up very valuable resources so that those resources can focus on more and more complex issues that are plaguing us today.

MICHAEL KRIGSMAN: It sounds like what you’re saying is, in addition to the data, we’re going to have more sophisticated algorithms and machine learning, very specialized machine-learning models to make use of that data in very many narrow use cases. Is that a correct way of summarizing what you said as well?

KURT JOHN: I’ll tell you what, Michael. You have a talent for doing executive summaries. That is perfectly said.

MICHAEL KRIGSMAN: All right, so I need to go out and find a job where I’m doing executive summaries all day. All right, and with that, I want to thank Kurt John, chief cybersecurity officer of Siemens USA. Thank you so much for sharing your knowledge with us, Kurt. It’s really been great.

KURT JOHN: Thank you, Michael.