Carolin Desirée Töpfer is the founder of Cyttraction & WhiteHatBuddyAI. She is bootstrapping a global learning infrastructure platform that makes risk training and knowledge management measurable and fun. Her motto for 2024 is “From Zero to Secure”. As Chief Information Security Officer as a Service, with her new B2B courses and the AI tool, she has set herself the goal of “nudging” as many companies as possible towards strategic IT security, secure data processing and new revenue potential – without any fear of complexity.
Recently, in an exclusive interview with Digital First Magazine, Carolin shared her professional trajectory, insights on how the cybersecurity landscape has changed over the last few years, the mission and vision of Cyttraction.com, her cybersecurity leadership style and approach, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Carolin, please tell us about your professional background. How did you get interested in cybersecurity?
I started with websites and digital community building during my teenage days 20 years ago and kept everything digital and technology-related as a hobby. In student jobs and later in professional life I learned that it was still super hard for companies to implement digital structures and clear data processes. At this point I first became responsible for such projects and then in 2016 decided to start a digital transformation consultancy to help companies as an external consultant.
Running my own tech projects on the side, for one I needed more insights into data protection and cybersecurity, which led me to IT forensics, where I could connect well due to my experience with old school internet, network, and server infrastructures. I recognized that I bring a lot of needed knowledge due to my remaining skills and ongoing admin work, and so I got into cybersecurity training, helped many companies achieve a higher security level and prepare for certifications, and started working on Cyttraction in 2020, before I ended up in the Chief Information Security Officer role.
According to you, how has cybersecurity changed over the last few years?
I see quite an interesting evolution of the cybersecurity industry since I joined the bubble. Still being far from diverse, different perspectives and soft skills did not count for that much years ago. Then there have been many wake-up calls putting user training and cybersecurity awareness in the spotlight, while many tech suite providers shifted to the idea of one overall solution for everything cyber. In parallel, the discussion around resilience started – yet most companies using the internet still lack basic understanding and minimum cybersecurity processes. Especially startups and small businesses are often overwhelmed by the number of warnings on one side and offered solutions on the other.
Looking at the current vulnerability situation, which I also cover in my daily/weekly newsletter, getting back to basic cybersecurity homework and being more open-minded when identifying potential risk scenarios will be important in 2024. Next to typical money-driven hacking, there are a lot more state-sponsored activities, but misinformation, disinformation and digital organized financial fraud are also risky for companies and institutions. At least every business falling under stricter EU/US regulations or planning to work with regulated corporations should have a basic version of an information security management system to manage and mitigate those risks on a daily basis.
What are some of the key components to succeeding as a CISO in today’s business environment?
Same as a CEO, a CISO is not selling ice cream. If you want to do this job properly, you first must communicate the “Why Cybersecurity?” repeatedly and to different peer groups. Keeping your own knowledge up to date and understanding the CFO’s and the sales rep’s perspectives helps a lot. Being able to deal with challenges and conflicts is also necessary. From a technical perspective, everything is possible. Budget and people’s fears and behaviors make the job complicated sometimes. I also get more requests for personal guidance from tech professionals, as they face the same challenges.
The clear focus of the CISO role should be on improving the company’s security level, avoiding data leaks and hacker attacks as well as implementing solid response and reporting processes that prevent a worst-case scenario and allow operations to continue for the company and business partners. Therefore, it’s important to know your own standards and have an overview of your specific skill set. Everybody is an expert from A to B, maybe C. But never from A to Z. This is why cybersecurity is a team job and external support is a real need for all companies without a dedicated security team.
And then it’s all about remaining persistent, while staying agile enough to manage the daily threat situation. In the best case, with the support of the company’s management board, which understands the importance of risk management. Working against them is not possible.
What is the mission and vision of Cyttraction.com? What sets it apart from other market competitors?
Cyttraction stands for “Cyber + Attraction”; the main idea is a globally available learning infrastructure platform that makes risk training and knowledge management measurable and fun. Nobody should be forced to do their further education or share their own knowledge. Putting client service, user experience and measurable learning outcomes front and center, it’s more complicated to build – and in this case bootstrap – the business. But this is the way intercultural ongoing training works in the future.
No investment also means no compromises in research and development. There are already a lot of learnings from the first 4 Cyttraction online course generations on cybersecurity and course creation. It turned out that the approach is needed in many different business areas. And there are even parents who would love to see the final platform in schools. The upcoming “From Zero to Secure” courses, including cybersecurity training and project guidance for setting up an information security management system as well as regular cybersecurity routines at a reasonable budget, will again lead to a lot of interaction insights and client feedback and be an important next step on the way to achieving my main vision for Cyttraction.
Security and Resilience are two interlinked concepts. From your perspective, why is it important to equally focus on building resilience?
First, we have to be careful with the term “resilience”. If we are looking at a well-trained sport superstar who suffers from an injury and heals in no time, this is understandable resilience. But most companies are no superstars when it comes to cybersecurity. Therefore, resilience is far less of an option for them. You first need a certain cybersecurity level that helps lower reputational damage and financial losses in the case of a successful attack.
For companies it is most important to be honest about the status quo and then find a strategy that fits their business model, regulatory and client requirements – as well as manageable investment volume. When this puzzle fits together perfectly well and there are the right motivated people at the right place, then cybersecurity resilience becomes possible.
What is your cybersecurity leadership style and approach?
Transparency and communication are key factors for me. I don’t hide information and I explain complex topics in so many different ways, until the person I am talking to understands. This goes for cybersecurity and business topics. Transparency for me also means talking openly about unpleasant things, budget shortages or mistakes, like when a user clicked a malicious link. If there is a culture of transparency and open communication, everything else can be dealt with.
What does working in cybersecurity mean on a practical level, and what kinds of skills/personality traits are an asset in the field?
Discipline and commitment are needed. Routines make the job easier. One should be a curious IT admin with regulatory and business processes in mind and the will to solve problems until things work again – even when it gets frustrating and takes longer. It also helps to understand that there is no common sense and the whole cyber world looks different from different people’s perspectives.
What are some of the roadblocks you face to doing your job well? What do you do to overcome those challenges?
At the end of 2023, bootstrapping Cyttraction while working as CISO as a Service with clients from different industries got a bit challenging. I solved this by taking a step back, questioning my priorities and discussing client needs again. This led to process cuts for the Cyttraction content marketing. And I am only offering two CISO options for all clients and markets now – either my pre-defined cybersecurity kick-start package or a package of consulting days for the same price. It turns out this makes planning easier for everyone.
In your career, were there any mentors who have helped you grow along the way? What’s the best piece of advice you have ever received?
I learn something new every day, from different sources such as books, videos, personal meetings, online courses and podcasts and from so many people. I don’t have a traditional mentor, but I have lots of smart friends and advisors, experts from different fields who provide support with specific questions. There is a lot of good advice in there. The most important takeaway is probably that exchanging ideas always helps you move forward and that you are never alone with your challenges.
Where would you like to be in the next 5 years?
I have a clear global playbook for Cyttraction with annual goals. They are mostly about community building, service content and supporting various startups and small businesses with my courses. Until 2030 I want to work with clients in all 10 identified target markets and open local offices in most of them. I estimate that we will also have the first global corporates using the Cyttraction platform then.
At the point where I reach my financial goals, I want to invest in other underrepresented tech founders. Women, migrants, refugees, and people from other stressed social backgrounds often do not have access to the needed capital, knowledge and support network. It’s time to change that.
What advice would you give other CISOs or hope-to-be CISOs?
Don’t focus too much on personal certificates; focus on interesting cybersecurity projects. It will also help a lot to build stuff and administer IT infrastructure yourself. Seek personal online and real-life exchange with other CISOs. Have a clear set of work ethics for the job profile and make sure you work with companies and managers who align with your own goals.