Scaling Zero Trust
Season Two · Episode 8


In this episode, host Raghu Nandakumara sits down with Thomas Mueller-Lynch, Global Director Digital Identities at Siemens to explore Siemens' ambitious zero trust program. They delve into the challenges of implementation and the strategic benefits of zero trust in bolstering product security and streamlining IT architecture. Thomas highlights the essential role of identity management and the importance of collaboration between IT, cybersecurity, and business units in advancing zero trust effectively.

Transcript

Raghu Nandakumara 0:41

Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, a Zero Trust Segmentation company. In this episode, I'm joined by Thomas Mueller-Lynch, the global director of digital identities at Siemens, where he co-leads the company's zero-trust program. Today, we'll explore the challenges and strategic advantages of implementing zero trust, particularly in enhancing product security and optimizing IT architecture. Thomas will share insights on the critical role of identity management and the importance of collaboration between IT, cybersecurity and business units to advance zero-trust initiatives effectively. With 27 years at Siemens, Thomas brings a wealth of experience from various IT roles, including web and document management, and IT infrastructure technologies.

And before we head into the show, a quick word from Illumio.  

Illumio, the leader in Zero Trust Segmentation, has just been named a leader in The Forrester Wave™: Microsegmentation Solutions, Q3 2024!

With the highest scores in current offering and strategy, Illumio is redefining how organizations protect themselves, stopping attackers before they can escalate threats.

As Forrester notes, we're living in the golden age of microsegmentation, and Illumio is leading the charge. Learn why Illumio's platform and strategic vision lead the industry in enabling zero trust. Click the link in our show notes to download the report today.

Raghu Nandakumara 02:23

Today, I'm particularly excited because we have someone who's been very much at the front and center of one of the world's largest zero-trust programs. So, it gives me great pleasure to welcome to The Segment, Thomas Mueller-Lynch from Siemens. Thomas, welcome to The Segment.

Thomas Mueller-Lynch 02:40

Thank you for having me here. Great. I'm super excited to talk about our zero-trust program together with you.  

Raghu Nandakumara 02:49

It's a huge pleasure. So, Thomas leads Siemens' zero-trust program, alongside Achim Knebel and Peter Stoll. He's also the global director of digital identities, managing all identity systems, including Microsoft on-prem Active Directory, Entra ID, and an Okta-based customer identity solution. With 27 years at Siemens, Thomas has held various IT roles, including web and document management, and IT infrastructure technology. So, Thomas, sort of in the lead-up to this recording, I was reading a LinkedIn post that you authored to celebrate 25 years of your time at Siemens, and from that, it was very clear that you definitely didn't start in a zero trust leadership role 25 years ago. In fact, you weren't even in IT. So, a bit about where you started at Siemens and how you took your path to what you do today.

Thomas Mueller-Lynch 03:46

Yeah, thanks for identifying my LinkedIn post on this. Well, in fact, I didn't even start directly at IT. I studied electrotechnics at a Technical University in Munich. I did some semiconductor development at the very beginning. Before then, I finally thought that maybe it was a good idea to change to IT because I was always excited from the very beginning about IT, about automation, and about development stuff in the very beginning. Where then I started with, in fact, I became a webmaster that was now, yeah, almost 20-25 years ago, or something like that. And from there on, I started really digging into lots of Microsoft technologies at the very beginning because that was also the system I was working with, Microsoft Information Server and SQL Server and things like that. From there on, it became over time because I was automating lots of stuff. It became boring for me before I finally changed into more infrastructure topics. I took over client topics, took over Exchange at this time, Exchange on-prem. From then on, more and more in the Document Management Area took over responsibility for SharePoint Online, or SharePoint on-prem at this time, not SharePoint Online Exchange. And then I finally ended up in security, in identity security. The last decade, I would say I was purely focusing on that. And if you run identity, and if you are responsible for identity, well, the path, or the path from identity to zero trust, that is obviously not too long, not so far. Before then, yeah, together with my two colleagues, we ended up in a zero-trust program, where we are super excited about that.

Raghu Nandakumara 05:38

Awesome, and I think, again, going back to this LinkedIn post, to sort of paraphrase something that you wrote, you said, "I basically solved all of the problems that I've been given, and I then went to my management, and said, ‘Okay, well, what is the next set of problems I can go and solve?’" You've been a problem solver pretty much throughout your career and have also brought a lot of automation and innovation to how you solve those problems.

Thomas Mueller-Lynch 06:11

Well, a little bit about our leads to our zero-trust program. So, we are three program leads. I'm the IT guy, Stoll is the cybersecurity guy. Achim is the business representative, and he's also very, very close to a cybersecurity role within the business. But now, coming back to your problem solver, person, or statement, well, I'm always trying to focus on solving problems with existing technology. When I say that, I'm not one of these strategic-thinking people. Nevertheless, for me, it was always important. You have a problem; you need to solve it somehow. And specifically, to zero trust, which is a high-level architecture, or it starts with a high-level architecture. It is, compared to all the other big initiatives I was able to run at Siemens, that was maybe one of the biggest changes, I would say, because for all the other things, it was either the way to get there was maybe complicated and extensive, but it was kind of clear where the target is. Or you have the other way around. But for zero trust, at least for our defined architecture or vision, both ways were not clear, nor was it clear with which technology we can maybe achieve that vision. And second, if you don't even know the architecture or the technology, you obviously also don't know exactly how to get there. The combination of these things, yeah, that created on the way, lots of headaches on the road, to finally find solutions. But, yeah, that's what I like to do — getting things done.

Raghu Nandakumara 08:00

I love how you summarize that, right? It's kind of zero trust or adopting a zero-trust strategy, and then executing on it posed unique problems in the sense that you didn't necessarily know how to get there, you didn't necessarily know what technologies to leverage. You didn't know what the results would be. So, you had all these unknowns, and yet you plunged into it. You read about a lot of other peers, etc., in other industries and other companies who struggle to even get started on a zero-trust program for exactly the same reason. So, how did you overcome those hurdles and get going?  

Thomas Mueller-Lynch 08:47

I mean, it started around four years ago, where some smart people were going to the Siemens board; that was not just me. In the very beginning of the zero-trust program, it was even other people really finally going to the board. But together with Peter, we already paved the way to zero trust, as we have implemented with Microsoft technologies for our workforce, the Microsoft ecosystem. We didn't call it zero trust but effectively what we did. We implemented for the workforce and for Office 365 usage, we implemented the zero trust architecture. And that was the tipping point, the starting point where we then finally said, “Okay, we need to continue this.” Well, long story short, some smart people went to the board, to the Siemens board, and explained quite transparently and quite clearly, "Look, we protected ourselves in the past, mainly on perimeter-based security." So with the assumption, if you're on the intranet, everything is good and fine, and we always wanted to protect this perimeter to ensure that bad actors from outside don't come in. But finally, that was one of the main arguments. That assumption is not true anymore, so due to all of the cloud activities which we already triggered at this time, so we had cloud first initiative, we had this and that. More and more things went to the cloud Office 365. More and more things went to the cloud, that means that we have put many, many holes in our perimeter, and this assumption that we can control this perimeter in the best possible way, that was simply not true anymore. So, long story short, we convinced the board that it makes sense to look into zero trust because that addresses from a very high level that topic. And we also didn't tell them any stories like, you know, now we're going to do a two-year program, and then we are finished, and then we have zero trust. We said we believe that this is the right way to address the topic. We went there, and we got the approval for one year with a budget for one year. 
And we also told them, "Look, you can stop us at any time if you believe that this investment doesn't make sense after one year or even in between." And we now did this for the fourth year. So year after year, we said, “Okay, this is the current status.” And to be very honest, in the very first year, we did pure architecture, and we convinced all different levels in the company. And as you can imagine, it was not only some IT leaders in the company. It was business leaders, it was cybersecurity, it was lots of people. This was this time when everybody started talking about zero trust, but it was like a buzzword. Everybody knew this term, but nobody really understood what this really means in practical means to implement this. So, one year, we tried to pave the way with communication, doing architecture work, and thinking about what makes sense and whatnot. Also define the scope, finally, and this is maybe also which differentiates a bit what we are doing from maybe other companies we defined ourselves, or the targets of us, not only in IT, so to do the typical horizontal IT stuff like protecting some applications with, I don't know, policies, you name it. But also, I mean, Siemens has, in total, almost 120 factories. And we said, “Okay, we also want to bring zero trust into our factories in OT.” What does it mean to bring zero trust in OT? And we even went further, which is the most ambitious target, if you want to call it, how can we transform or bring that idea of zero trust architecture in our products? What does it mean even to have zero trust in a Siemens product, in a Siemens train, in a Siemens automation system, in one of these controllers? What does it mean? And obviously product life cycles, that's a completely different story. And as you talk with different people, you talk with different stakeholders, timelines, you have different arguments to convince people to think about than if you talk with an application manager owning a modern web application. So this is how we started: one year architecture.

From there, the second year, we started preparing our back-end systems. And what do I mean with back-end systems? We have some main technology partners where we started with. Microsoft is obviously one of them. We’re also a big Zscaler customer. We also prepared our Zscaler environment. We also went into the factories and looked into what kind of technology can be leveraged there and can be used there. So lots of back-end activities which didn't really result directly in a risk reduction or something which is tangible, which is, by the way, also one of the, I wouldn't say, learnings, but it was, it was a hard time in the second year because if you spend a certain amount of money, and it's not just two euro 50, and then you do this for the second year, and you are not able to, really, to show progress in terms of, I don't know, I have migrated so many applications. I have, I don't know, done this and that have enabled factories. Then people started asking whether this still makes sense or not, you know? But then in the third year, we really started in practical means. We showed progress in application enablement, in factory enablement. We had first progress in planting that very small tree in the in the area of product development, and from there on, we have a live dashboard where we can show up to senior management where we are in the total scope of all the different activities. Yeah, this is how we started and where we are.  

Raghu Nandakumara 15:09

I mean, that's quite an incredible summary, and I feel that there are about four or five different things that you've touched on, each of which we could dedicate an entire episode of the podcast to. So, let me actually go back to where you started about going to the Siemens board and having them essentially sign off on this program. Are you able to summarize how you articulated to them why pursuing the zero-trust program would provide such a benefit to the business? Because I assume that that was the crux of the argument, was being able to articulate the business benefits of doing this.  

Thomas Mueller-Lynch 15:57

Yeah, I mean, one of the main arguments, and it stays as the main argument, is that you can turn it around as often as you want. So, if you "only" argue always with a cybersecurity improvement, you might be successful with it because senior management understands if we are not secure, if our factories are getting breached, whatever it is, our business model is in danger. Without any doubt, this was one of the main arguments. However, there were also some more strategic arguments — how we convinced the people that this makes sense. It obviously, over time, we created such an extensive complexity in our IT landscape. One of the arguments was also: if we now treat everybody, whether he is working from on-site or whether he's working from remote or from anywhere, with the same set of rules, this is one of the basic ideas behind zero trust. It doesn't matter where you work. It doesn't matter where you are connected with. You are on the internet whenever any communication to any target is getting controlled by policy decisions and enforcement points. So, that obviously dramatically reduces the complexity of architecture. And senior management, obviously, is always interested in reducing complexity. Future proof, that was also one of our main arguments. And finally, and that was one of the main reasons why our CEO, Roland Busch, we just had the pleasure, one of us, Peter, had the pleasure to talk with him some few weeks ago. People like Roland Busch and their senior management and management board of Siemens are also interested in product development or product enablement of zero trust. We believe, obviously, the security of our products is one main argument in selling products, right? Having zero trust enabled products, whatever that means, is, for us, a differentiation argument from our competitors.

Raghu Nandakumara 18:14

That's fantastic. Firstly, I kind of love the product angle of it, right? Of being able to say we have invested in building the best security possible, built into our products, and we see that as a differentiator compared to our competitors. But also, taking it back to what you said about that simplicity argument, right? When you stop thinking about is someone or this workload or this connected device, is it on my network or off my network? Instead, say, "Well, if I just assume everything, I treat everything in the same way, and I have a set of rules, and depending on their attributes, I'm then able to assign them the appropriate security level and the access." Right? That simplifies. I mean, it's a journey to get there, right? But once you're at that point, from then on, it makes security decision making so much easier and so much more efficient. And I think that that, like you, encapsulating it that way very much, sort of encompasses what a zero-trust strategy is ultimately trying to get to, right? It's not about no trust. It's about providing that, almost providing that level playing field on which you can then assign the appropriate level of trust.

Thomas Mueller-Lynch 19:36

Absolutely, yeah, I mean, in reality, and I don't want to in any case now lower that argument, but what we have seen in implementation and finally, I mean, yes, the rule set gets less complex. However, we treat everybody exactly in the same way. Is it external people? Is it internal people? Is it whether they are on-site or off-site? I mean, there's a certain component, which is called technology, which comes into play, which not necessarily always supports this, and this, at least in the meantime or somewhere midterm. It doesn't necessarily completely reduce all the complexity. It brings certain aspects to consider into the play. I'll give you an example. So, one of the core arguments I'm touching on now is the applications space again. One of the core ideas behind zero trust is having policy decision point in between. And we do this criticality based. So, we have an asset classification process at Siemens. We say we have restricted applications or restricted data, which is the lowest level that we have with confidential data, and we have strictly confidential data. So, depending on the level, we do different things and have more security or a little bit less security. By the way, none of this is with no security. We have different levels. But now, if it and one of these signals, which we incorporate into the decisions, are always. Obviously, you want to have a good authentication. You want to know who it is. You want to have a strong authentication, MFA, multi-factor authentication, and things like these come into play. But you also, what you want to include is something, what we call device trust, or device compliance, you name it. And that works pretty much and pretty nicely if you work with internal people, because with internal people, you can do everything to ensure device trust. And then also quite new things come into play, by the way, which is new for the workforce of 320,000 employees of Siemens, which brings in real-time security. 
If you come back from a vacation, a longer vacation. In Germany, at least, or in Europe, we have a little bit longer vacations, and typically than you in US, for example. But if you come back from a longer vacation, your client might not be up to date, that finally ends up with maybe not having direct access to the most critical applications. That brings in real-time security. So again, that works pretty much easily for internal people, because this is exactly what we want. We want to have patched systems. We want to have everything enforced on that side. However, if you now combine the critical applications with external access, how would you ever include device trust and device compliance information from externals? And typically, technology works like you need to have an agent, something somebody needs to assess the compliance needs to send it somewhere. Would you agree that Siemens tells you, "Please install a Siemens agent on your PC because we want to work on a collaborative model to exchange some data? And I would like to understand, technology-wise, what's the compliance of your PC?" You most probably would say, or your company would say, "Never, ever will be an agent doing something on my systems." This is one of the things or central things I think the vendors need to answer sooner rather than later. We are in contact with Microsoft. We are in contact with lots of other companies on that topic, but this is, if you ask me, one of the unsolved problems so far to work seamlessly and with less complexity throughout all the different use cases on that topic.  

Raghu Nandakumara 24:45

Yeah, absolutely. I think that, obviously, that point where as soon as the device, particularly, is no longer managed by your enterprise. Right. Then, effectively, that level of flexibility that you have all the various essentially levers that you have to pull on from an attribute perspective and a posture perspective go out the window, right? So, you almost have to sort of either make assumptions where you sort of put a very high bar, right, or you put some other kind of lower bar that you are sort of almost say, "Okay, well, I kind of accept the risk of this", right? But it's kind of a very binary decision versus a lot more continuous decision that you'd love to make.  

Thomas Mueller-Lynch 24:35

And unfortunately, these applications which we are talking about, they are not exclusively external or exclusively internal, because then it would be also easy. Often or almost everyone or everywhere, you have this combination of internal people with external people. So now either you lower the security for everyone, both internal as well as external, or you finally decide for having the highest security, but then what, what you're going to do with the externals? You can then provide, obviously, internal infrastructure for the externals, but that also has, then again, some cost impact and whatever impact.  

Raghu Nandakumara 25:16

Yeah, absolutely, right? And then you move away from, sort of that move towards much more sort of flexibility and productivity that we've been moving towards, and kind of almost moved back to what we had many years ago, which was, well, we'll manage all of the infrastructure. But I think you also were touching on another interesting point around zero trust, which probably hasn't been discussed often, I feel, which is really around zero trust in the context of third party and supply chain security, right? Because of some of the stuff that you're talking about here is about, well, it's not just our internal users—we've got contractors, we've got third party service providers that are all essentially essential to how we operate. And we have to find a way to secure all of them, and I think sort of this third-party risk management and zero trust, application of zero trust to that is an interesting area to explore. So just coming on to something else that you said right when you were kind of going over the entire sort of how the program originated, how it's developed, and how it's continued to mature. The other thing that you touched on was how Siemens has got such a big-picture view about what their zero-trust program touches and encompasses. Right from sort of your core IT infrastructure to business applications. And then the example you gave is that it extends all the way to your products, which are some number of, which are hardware products, like trains. So and one of the things, I think, in one of the presentations, I think it was at a KuppingerCole [Cybersecurity Leadership] Conference a couple of years ago where you said, it's very much this thing about "think big, but then act small and improve." So, you are thinking on a massive scale. But how are you able to then, kind of like, think about those tactical steps that you're going to make to sort of get one step closer to that dream?

Thomas Mueller-Lynch 27:20

I mean, if you want to achieve strategic or visionary targets you need to, first of all, have those. Right? Mankind wouldn't have been on the moon if 1960 or something, somebody would not have thought about, well, let's go to the moon. Even at this time, nobody was thinking about this would ever be possible. So, thank goodness, I don't want to compare Siemens and zero trust with going to the moon at this time. So don't get me wrong, but you need to have strategic people thinking about, Okay, what could we do more of? So think big. On the other hand, you very easily lose traction and lose focus if you don't define these intermediate steps in between. And I, by the way, as I said before, already, I was always one of the guys and said, "Okay, we need to slice this elephant." Otherwise, we’re going to continue with architectural, whatever thinking for three, four years. And then finally, somebody from exec management will say, "Okay, now you've spent so many millions, without any tangible results." So money is closed, so done, and then we need to close it. And this is not what we want. So you need to show progress. And progress doesn't necessarily mean we have a new architectural document. So look, so that is our achievement. So that works for one year, maybe at Siemens, but it doesn't work anymore for the second year, definitely. And by the way, we didn't only create one single document, also want to get this right.

So that's why then you need to find your partners, your technology partners, also implementation partners. So this is a huge initiative. Think about just to give you some numbers we have in the meantime, 8,000-something registered applications, which we are targeting. We have 100 almost 120-130 factories where you also need to go there, convince people, and tell them exactly what to do. If you go to a factory and ask them, "Hey, we are from zero trust. Let's do some zero trust architectural work at your factory", they will say, "Wait a minute. What does zero trust architectural stuff mean?" I mean, yes, for sure, I'm responsible for my factory. I want to get this secure. However, these people are mainly incentivized by producing products at the best cost option, what they can get. So they are super focused on resilience, obviously. They don't like disturbance. They don't like shutting down something because of implementing or even trying out something. And this is exactly you need to explicitly be super sure and super clear of what's expected from the business, from the application owners. And then you need to slice this elephant in tangible pieces. We very soon also started creating dashboards. Now, some people would say, "What's the benefit of a dashboard? I mean, a dashboard itself doesn't create any security improvement." But for us, it was a very important way how to show progress and also how to let this journey continue. If you're not able, as a program to show this progress by dashboards, by tangible things, where somebody can count, where somebody can look at, you lose confidence over time, with the ones providing the money. And this was, yeah, step by step, defining templates for all individual kind of application types. You don't only have modern web applications. You have on premise applications talking some weird protocols which are not SAML, OLTC??? Something completely different. What do you do there? 
We went into factories, looked into the network configuration there. Even if it sounds contradictive, we also worked a lot on network segmentation, again, in the factories, because we want to segment them away from the rest of the big intranet. Things like that. Also implemented are things like remote access, such as how to do service from outside or inside a factory. Same architecture, again, applies to having somebody working remote from home, like me. Accessing an on-premise application. So, from an architectural point of view, there's not a big difference whether I access, as a normal office worker, an application that is on-site or some service agent from external or internal access is some machine in the factory. In essence, it's the same thing. It has a different criticality, maybe in a different focus here and there, but in essence, again, simplifying architecture, it's the same thing.

Raghu Nandakumara 32:28

Yeah, absolutely, I think, sort of topologically, the access is the same thing; just the attributes associated with that access are different, in which case, right? Because the security policy you apply to it is based on those attributes that then determines sort of what, maybe what level of access that that individual gets, or what they're able to or what they're able to do. And I really like the way you thought about dashboards. Dashboards allow you to measure progress, right? But not just allow you to measure progress and allow you to report on progress to those who are not necessarily day to day in the weeds of the program, but clearly have an interest in its progress. And it's sort of the value it is creating the ROI on it, right? And this is what dashboards allow you to communicate very clearly to then get, I guess, the next, the next round of the next round of funding. Yep. Absolutely, absolutely.

Raghu Nandakumara 00:00

So, let's talk a bit about...you're an identity expert, right? So, let's talk a bit about identity in the context of zero trust. And by the way, I love your shirt that you're wearing with your zero trust sort of logo on there, very, very, sort of, very appropriate for the conversation and also for what you do. Let's start with, what does identity mean in the context of zero trust?  

Thomas Mueller-Lynch 33:53

I mean, identity is, in fact, if you look into this zero trust architecture, that's even the central topic. Every communication between the sender and the receiver is identity-based. So obviously you want to know who the sender is, what's the identity of this sender, and you also want to know who is the receiver on which conditions this communication shall happen and in which not. So obviously, you need to have an identity on the sender, and you have an identity on the receiver. This is, again, coming back to the typical horizontal IT use cases, which is not necessarily something completely new. Some aspects come into play which is new, but I mean, you have an account, I have an account. I'm logging on my machine so the system knows who I am. MFA is also something not completely new, at least for us at Siemens, we started implementing MFA everywhere some few years ago. So everybody knows this. Whenever you enter the OT space and whenever you enter other areas which are beyond this normal end user, even if you enter the area of machine to machine communication, it starts becoming complicated, let's say, or different, because also there, it's not necessarily clear what's the identity of this functional account accessing some other back-end system there. So yes, you also have accounts. But everything that we do in zero trust is identity-based. So, that's why identity comes even intersect into the center of the zero trust architecture. Which is amazing, obviously, for identity, for the identity people like me, because I can tell you a story on this. By the way, what comes to my mind, I'm now responsible for identity for about 10 years, a little bit more than 10 years, by the way. I once, I started back then with identity. Identity was a pure back-end topic. Nobody talked about identity. Nobody was even interested in identity things. 
Yeah, so if you're very responsible for AD, on-premise AD, as one of the big identity systems, obviously, everybody was happy with it once it ran and without any problems, right? Once you have problems, maybe then you will get some visibility. But then after you have solved this, you went back into the nowhere, and nobody knew about you. Now, up to the board level, interestingly, we have quite technical board members, like Roland Busch, who has a PhD in physics. They start talking about identity. Isn't that crazy? It's amazing. They discuss with you identity topics; authentication, authorization. So, identity comes from a pure back-end technical thing where some folks were talking about getting to a level where senior management talks with you or starts with you about identity, not about securing identity and why the identity is important. So that was even surprising, also for me, being with identity now for 12-13 years, that you now have discussions with your CIO, or even higher, about identity.

Raghu Nandakumara 37:30

That's incredible. I mean, I can't even, I can't even imagine that conversation, because most organizations are really just struggling with, "Okay, how do I transform the benefits of my security, obvious security benefits of my security program, into how it benefits the business?" And here you're talking about conversations about identity at the CIO and the CEO level, which is sort of a different level of appreciation of, I guess, technology at your organization. So, then when you think about, like, when you think about identity in all of its myriad of forms, how do you then make it sort of, and you say it's kind of very much at the center of any zero trust architecture. So how do you essentially agree on, okay, well, this is going to be the golden source for identity, whether it's a machine, whether it's a user or any other type of resource? How did you agree on that?

Thomas Mueller-Lynch 38:35

I mean, at Siemens, we have a quite long history in, let's say, identity backend systems. You have the technical systems like the ones I already mentioned, like AD [Active Directory] and Entra ID, or formerly known as Azure ID, and things like these. But also we have, I mean, if it comes to natural users like you and me, we have our HR systems. Typically, identities are born there or for our external people. We also have systems where you register these externals, where then they get a so-called GID global identifier, and from there, technical accounts and technical identities are created. So, this is the user identity part up to also all functional identity part. But whenever you come into the devices area, it's already getting a little bit diverse or complicated. I mean, again, you have identity, device identity systems, or metadata directories, which we have at Siemens, where all the devices are registered somewhere, and where we say, “Okay, this is the single source of truth of our device identities.” By the way, that also created some changes compared to the past. In the past, I wouldn't say, let's say only exclusively, but these device identity registration databases have been perceived by normal people or end users at the company, more as a burden, as something, well additionally, I need to register somewhere, but I don't see any benefit out of this, because somebody from Central wants to have this registered full stop. Also, there was no consequence, no real technical consequence, whether you have been registered there or not. It was more some database for maybe somebody doing some analytics, or some data stuff. Now with zero trust, we have again linked these different databases, also the device database, to consequences, to technical, to technology decisions. If you're not registered there, sooner than later you're not going to have access to anything or any data.
And this puts now, interestingly, lots of governance also on those systems and the owners of these systems or also on the business registering their stuff there. Same with applications, if you're not registered in one of these applications databases, you're, sooner than later, going to have problems in getting your application up and running. So also from the governance perspective, so CIO office, CISO office, zero trust architecture is a quite interesting thing to put their hands around about IT and about assets.

Raghu Nandakumara 41:30

Yeah, absolutely, and we definitely see this as well across our customers. This is that the sort of getting on to a zero-trust program...well because of this dependency on having that single source of truth about sort of how they understand their assets and their users across their enterprise. It forces a greater discipline on the systems of record that more than previously may have existed, right? Because so much decision-making is based on the integrity of that data. So, it's essential that everyone is bought into keeping that sort of updated and evergreen. And actually, that brings me on to another question. At the beginning, you spoke about how essentially yourself, Achim, and Peter essentially had your three roles with yourself, very much focused on the IT side, Peter on the cybersecurity side, and then Achim on the business side, right? And I think that's really interesting because when we hear zero trust experts talk about the needs of a successful zero-trust program, it's very much in bringing these three disciplines together, right? Because it's very much a team sport, as opposed to IT doing their own thing, security doing their own thing, and the business doing their own thing, right?

Thomas Mueller-Lynch 42:55

We learned this from other programs. So, zero trust is maybe a very good example for that. You cannot run a zero-trust program just exclusively out of IT. You cannot run it also, not exclusively out of cybersecurity. And also, if the business, or at least our organization, which is quite big and lots of different business units, if everybody of these business units starts by their own something, it will also not work. It will only work as a team work altogether. So, IT typically brings in the services and the service operational model. Cybersecurity brings in the rules, and partly also kind of architecture as well as IT, by the way. And business obviously owns all of these assets. So if you don't have them on the same table, at the same table, it won't work at all, because then you have exactly these things where some central people from the ivory tower want to bring out something, and it affects, especially if you think about products, I mean, how would you ever from IT, or cybersecurity influence products, if you don't have on the same table, the businesses themselves?

Raghu Nandakumara 44:06

Absolutely. So, I think as we kind of get towards the end of this conversation, I want to go back to something that you again said sort of earlier on, right? It's about how you're seeing the adoption of zero trust influence what you do with your wide range of products, right from software to hardware, and about how you see that as giving you a competitive advantage, right? Can you sort of unpack that a bit more? Because I think that's fascinating about zero trust, providing an organization the size of Siemens a competitive advantage and a reason for your customers, your partners, to do business with you.

Thomas Mueller-Lynch 44:48

Well, we started talking with our business units about zero trust architecture. And first of all, we needed to explain, I mean, it's not only about you cannot come to them and can say, "Okay, let's make your products more secure," or something like this. You first need to explain, what is this zero trust architecture? What is this all about? And by the way, also some regulations and some standards also help us on the way. You have the Cyber Resilience Act, you have ESC rule around this, regulation around this, and with this. Where also our salespeople, then finally, are confronted with, I mean, that started now, the activity of thinking together with us, okay, what does it mean for our products? How could we ensure that these cybersecurity, Cyber Resilience Act comes into our products. And then you start talking about communication. Then you start about identity, about giving a product an identity, how to onboard this or burn this identity into the products, if you think about our controllers and products like these. And then it's a slow progress, by the way, so it's not exactly it doesn't have the same, let's say, speed, as we would maybe like to see, and as we have it in some of the other areas, because it's new, and also it has different, let's say lifecycle turnarounds, right? So you won't, not easily change existing products immediately now with something new, which is called zero trust enablement, but once you talk about new products or new versions of a product, you then can think about and that's what we are doing as part of a consulting, let's say, and also training. What does it mean? How to overcome these regulations, or not overcome, how to address the regulations into the product architecture? And we already had some good examples, some few, honestly speaking, but some good examples where people have understood this makes sense for us.
This is a differentiator for us, compared to the competitors, where we then can go to the market and get, say, “Look, this is best-in-class security.”

Raghu Nandakumara 47:07

And you know that when your salespeople get excited about it and want to use it as a way to generate more sales, you definitely must be doing something right. Well, I mean, Thomas, I feel like we've had such a fantastic conversation, and I feel we've just very much scratched the surface. I honestly, as I said earlier, there is so much you've shared, and we could have gone into deep detail on any of those aspects, so but I'm conscious of your time and respectful of it. So, thank you so much. It's been really enlightening to hear from someone who has done this, delivered, and continues to deliver a zero-trust program at a massive scale that is engaging the business and transforming the business through transforming security. Thomas, thank you.

Thomas Mueller-Lynch 47:51

Thank you very much. Appreciate the invitation. Thank you.  

Raghu Nandakumara 47:56

Cheers.