Benjamin Bachmann

Mr Bachmann, what’s at the very top of your security to-do list?

Ransomware. Not because I’m worried about individual devices, but because of the risk of a full-scale attack that compromises an organisation’s Active Directory. That’s something you really don’t want. More broadly, I always recommend starting with an honest look at yourself and getting the basics right. Companies need to know their systems and assets, give employees clear, actionable rules and support them at their current level of technical understanding. Put simply, without proper patch and vulnerability management, there’s no point commissioning an advanced penetration test—it will always find something. 

You’ve seen large-scale attacks first-hand?

Yes, I’ve been doing this for quite a few years and spent a long time in consulting. When production facilities are hit or a company suddenly can’t send or receive e-mails—losing a huge chunk of its communication—those are existential challenges. And they don’t end once the immediate incident is resolved. That’s actually when the real work begins. In most cases, you’re rebuilding the IT architecture from scratch. Even if you know which lock the attackers picked, swapping it out isn’t enough because you can never be sure where else they might still be hiding in your systems.

What did you learn from those incidents?

After one attack, I ran a workshop with a CIO that has stuck with me. We wrote down the ten most important issues and then he asked me to sort them by price—most expensive first.

Why?

Because he wanted us to tackle them in exactly that order. After an attack, companies are suddenly willing to spend on measures they’d usually postpone. 

And what’s usually the most expensive?

It depends on how mature the organisation is in terms of cybersecurity, but typically, planning, building and operating a Security Operations Centre for comprehensive and continuous IT monitoring is right at the top.

Not every company has one, though.

No, because there’s a saying I really like: “There’s no glory in prevention.” That’s the big problem in security. Even contrived KPIs like Return on Security Investment don’t help. They’re too hard to explain. How do you show how much money you saved by preventing something that never happened?

SOCs increasingly use AI, but AI is also making attacks more dangerous. How does it change the threat landscape?

That’s actually my favourite question of the past two years or so. In my view, AI doesn’t really change much in cybersecurity. 

Really?

Yes, because it helps attackers and defenders equally. It’s the same old cat-and-mouse game. The rules have changed for everyone, but it’s basically a zero-sum situation. For me, the overall threat level hasn’t fundamentally shifted. I think we only notice cyberattacks more because they’re getting more media attention. I have a lot of respect for the BSI, but does the narrative really have to be that things get worse every year? 

Doesn’t that help open doors with decision-makers?

Honestly, in my experience, real awareness only comes when people feel the impact themselves. I’ll give you an example from my IT career. After countless meetings, I finally sat down with a CFO again. He told me he couldn’t get a rental car at the airport because the provider had suffered a cyber incident. Suddenly, the issue was on his radar. His reaction was clear: “That must never happen to us. And it must never happen to our customers.”

So how do you make sure it doesn’t?

As I said at the start, do your homework. It’s like real-world break-ins; there’s usually a window left open somewhere. Criminals walk down the street looking for the easiest target. It’s the same in cyberspace most of the time. Rarely is a company singled out deliberately. Everyone gets probed at once, and the easiest target is the one that gets hit.

You mentioned employees earlier. What role do they play? 

There are two schools of thought: either they’re the human firewall or the biggest risk. I lean towards the second, but I’d never include all employees in that. I’m thinking more about admins and software developers. They know what they’re doing. Seeing every employee as a security risk is, in my view, unfair.  

But companies need their employees to play a role in cybersecurity …

Absolutely. Organisations need to involve everyone and make it as easy, quick and straightforward as possible to report an incident. Then maybe one or two devices are affected, but the bigger picture stays intact. Attackers usually don’t act immediately after gaining access—they’re rarely poised to strike the moment a device is compromised. The most important allies, though, are boards and senior executives. They need to take cybersecurity seriously and understand it. As the examples showed, their support is absolutely crucial.

Let’s shift from people to technology. What’s the single most important measure in your view?

If I could only pick one, it would be Endpoint Detection and Response on every device—or EDR for short. That used to be called antivirus until someone went and changed it. It shows me exactly what’s happening on laptops, desktops and servers. The telemetry it produces is incredibly valuable.

As CISO, you carry a lot of responsibility. Do you sleep well at night?

Absolutely. If I exaggerate a little, I only know two states: zero and one—asleep or awake. My job keeps me motivated because I know I can make a difference, protect something and help a company succeed. That’s a very positive picture. Sure, it brings stress at times, but without stress life would be half as exciting.

About Benjamin Bachmann.

Benjamin Bachmann is Chief Information Security Officer at Bilfinger, an MDAX-listed industrial services provider headquartered in Mannheim. He views cybersecurity not as a purely technical challenge but as a holistic discipline that connects people, organisation and technology. Over the course of his IT career, he has worked as an admin, project manager and service manager. He also co-hosts the Infosec Theater podcast, where he makes cybersecurity accessible to a broad audience.