Interview with Fabian Topp – CISO Allianz Technology
At Allianz Technology, the Security & Resilience team is the partner which ensures that information is protected and security risks are properly managed, prepares for incremental changes or sudden disruptions, ensures business continuity management is in place and safeguards our digital identities.
Let's discover more with Fabian Topp, the Chief Information Security Officer at Allianz Technology.
Fabian, how do you manage your work-life balance?
I wouldn't say that I excel at managing my work-life balance; it is a struggle that needs constant care. I must say I too am guilty of getting pulled into work, so taking time for myself can feel daunting, but it’s important we reset and decompress. So one example would be that, from time to time, I simply head out early for a quiet walk just to clear my head. I can say that my biggest dream was always to have a happy healthy family, and that came true. This reminds me of a great movie, Shortcut to Happiness, where Sir Anthony Hopkins says while suing the devil, “there is no shortcut to happiness”, and I couldn’t agree more.
When did you find out that you wanted to get into Information Security?
Well, regarding how I got into security, it was luck. No, seriously: I was into security at a very early age when I started with computers, but I never thought about it as a professional career. And now that I look back, I see that a lot of things I did on the way have shown to contribute to my expertise tremendously, which is great. Information Security is more than IT Security. Broad knowledge and some common sense can help you to put security risks and opportunities into perspective.
Security is not only for the company or your online banking, but a part of your daily digital exposure. On one hand, people don’t want to think about security too much and on the other hand it is very relevant for most of us. I like to compare it to being savvy in financial matters: many don’t want to put any effort into understanding it, but it has concrete effects if you neglect it. In my opinion, a good balance would be: you don’t have to be super smart, most of the time it is enough to use common sense and some skepticism.
Talking about being savvy in a domain, what has been your biggest professional adventure so far? Considering your substantial experience studying and working abroad.
Well, I have set up an information security system in China and it was an exciting experience for me in many ways. A specific achievement I am proud of was being able to persuade non-international people and in a foreign language why information security matters and, ultimately, to help them find their own local solutions to ensure it. We are not talking only about office workers in Shanghai but blue-collar workers in factories of cities where there were no hotels, no foreigners. And to add to that, the multi-layer communication that happens when you try to translate your German message to English and someone else decodes it from English to Chinese, I can tell you that a lot got lost in translation. I have tons of stories to tell, but maybe sharing one unexpected observation: it was much easier to have people understand the context, side effects and train them to use a holistic approach, than here. This is very important if you don’t want to do security by compliance but by outcome.
When you look back, would you see yourself as a quiet teenager or a wild-hearted one?
That’s a difficult one. I would say both. It was easy for me to concentrate in school, but at the same time I can’t remember ever staying at home after school if that gives it away.
Coming back to the present, could you describe a normal day in the life of a CISO in Allianz Technology? You can start with the morning coffee.
Let me quote a colleague: Security is people business! In my case, communication is basically 90% of the day, keeping strings connected, setting priorities and managing stakeholders. Additionally, virtual and non-virtual coffees are always welcomed even if most of the time it’s difficult to disconnect from work and just enjoy the moment!
How do you go about managing security in Allianz? How big of a role does planning play in your daily business?
Let me highlight two aspects, knowing there are a lot more. First, you need to understand what is going on in the company, and by that I don’t mean only Allianz Technology or only Germany. When we understand what the strategy is, where the critical projects are and when the big changes are going to happen, we can set the right priorities and focus on the relevant developments. Second, we need all views: the interpersonal, the management and the process view, we also need to understand technology, our IT landscapes and architecture. We cannot do our job without taking everything into consideration. So if we do it right, we won’t give threats the chance to become dangerous, unless we don’t rise up to our own expectations.
Do you foresee any instances in the future where security won’t be such a big concern anymore, where we’ve done all that’s needed to be done?
In recent years, cybercrime became a fruitful way to make money, a lot of it and with low calculated risk to be caught and punished, which led to a professionalization and continuous maturity of our threat actors. To keep up with digitalization, we increased the digital footprints of our business, and at the same time regulators, customers and partners increased their expectations towards us. But with digitalization, cybercrime has more to target and together with the other factors, this increases the threat level. You see, it is a never-ending cycle. I don’t think we will ever be finished, it is rather an ongoing match where the bad guys need to score only once – but we need to score every time!
Security and Resilience are two interlinked concepts. From your perspective, why is it important to equally focus on building resilience?
Resilience is about proper preparation. We can never guess what is coming – a pandemic, an energy crisis, a war? But we can anticipate what we can do to improve our resilience, so that whatever hits us, we can still bounce back.
In what ways are you and your team strengthening Allianz’s resilience to cybersecurity threats?
To name a few – cyber crisis exercises, which every year are the largest crisis simulation exercises ever performed across Allianz globally to date, a Log4j lessons learned process, and many combined challenges such as Covid-19 and the Ukraine war. These always need to be managed from a crisis and resilience perspective, as well as implications that need to be considered from an information security standpoint. We are constantly preparing for such potential situations through horizon scanning, such as a potential energy crisis later this year.
Thoughts? Comment down below.👇
Interim Manager @ Allianz Technology Benelux | Reducing incidents and security vulnerabilities | CISSP | CCSP | Cyber Security Enthusiasts | Solution Oriented & out the box thinker
2y
Insightful! Do you have any personal book recommendation which helped you in your security career, Fabian Topp? Thanks.