The day cybersecurity suddenly became a top priority
Structured risk management in an international network company
There are those dates that stick in your mind. In my case, it was a board meeting on a Tuesday morning. There was an item on the agenda that initially sounded like a "regulatory update". In fact, it was about the impact of the NIS2 directive and therefore a decision that was much bigger than a pure compliance issue.
As a CISO in an international network company, I have a duty here. More than 20 network nodes worldwide, over 4,000 routers in around 250 customer networks, plus a team of over 150 employees who look after business-critical SD-WAN and SASE environments. Our customers expect their global connectivity to always be stable, performant and simply secure. Period.
The board's question was soberly formulated:
"Are we NIS2-compliant - and what does that mean for us specifically?"
A simple question. The answer was not.
Reality instead of gut feeling: the IT examination
It quickly became clear to me: we need facts. No PowerPoint assumptions, no "it will fit" attitude. So we commissioned RIEDEL Networks to carry out a comprehensive IT examination. The aim was to obtain a structured analysis of our IT security architecture in combination with a clear regulatory classification. Why? To have a reliable basis for decision-making.
The results were direct. Sometimes unpleasant. But that was exactly what we needed: we received a clear assessment of where we stood in regulatory terms. We also received a detailed technical inventory of our current security level and very specific recommendations as to which issues we should tackle directly and which should be secondary. The clear prioritization according to risk and feasibility helped us enormously to maintain an overview and not just vaguely deal with the results.
The bottom line was clear: we are clearly operating in the relevant environment of the NIS2 requirements. Our security landscape worked - but it was not aligned with the target level that is expected in the future. After the presentation, I sat in the room for a moment and thought:
This issue can't simply be solved via patch. This is structural work. And it needs to be done properly.
The crossroads: in-house SOC or managed security?
This raised the strategic question: do we choose the DIY approach and set up our own Security Operations Center, or do we go down the route of a managed security service provider?
An internal SOC sounds like maximum control at first. In reality, however, this means 24/7 shift operation, staff requiring regular training, a completely new tool and monitoring architecture, including a lengthy analysis and selection phase with license commitments that sometimes last for years, and many other stumbling blocks that made the topic a nightmare even in the theoretical planning stage. In particular, the independent design of playbooks, rules and processes for incidents and the associated compliance documentation were quite daunting for me and my team. It was clear to us that the key to successful cybersecurity lies in the ongoing development of the entire structure - not just for one year, but permanently.
I did the math. Several times. Realistically, we would have needed twelve to eighteen months to set up a professional SOC. At the same time, this would have required considerable investment and a solution to the well-known shortage of specialists as an additional risk. To be honest, that was simply too hot for me as an additional project. I said to the Management Board at the time: "You don't buy a SOC. You build it. And that takes years. The only question is whether we have that time."
You don't buy an SOC. You build it. And that takes years. The only question is whether we have that time.
Time was precisely the critical factor. The regulatory pressure was there. So was the risk. So we made a conscious decision not to build it ourselves and to introduce RIEDEL Enterprise Defense [R.E.D.].
Four weeks that changed a lot
What happened next surprised even me. R.E.D. was implemented in our global infrastructure in less than four weeks. Close coordination with our internal teams was the key to success. Sure, it was intensive, it was chaotic at times, but above all it was targeted.
More than 20 international network nodes, over 4,000 routers, around 250 customer networks, all of our employees' endpoints and our entire corporate infrastructure were connected. In other words, basically everything that is critical.
The onboarding phase started at the same time. And here it became clear that we were not just introducing a new technology, but taking a big step towards resilience. Together with the RIEDEL team, incident playbooks were defined, escalation levels established, responsibilities clearly defined and reporting formats tailored precisely to my requirements as CISO.
I still remember exactly when I first really felt the benefits in day-to-day operations. That was on the very day when I reviewed and archived the individual reports from the last few years that I had previously collected in painstaking detail. In comparison, I now have a truly correlated picture of the situation. No more fragmented individual reports from different tools, or eternally long e-mail chains with descriptions and processes. Instead, I have a fixed contact person who can create reports for me on request and retrieve data in real time. This may sound banal at first glance, but it's not. It massively changes the quality of decisions.
From reaction to control
Before the introduction of R.E.D., our security was largely reactive. Individual reports, selective assessments, lots of manual coordination. Today, a managed SOC monitors our infrastructure around the clock. Events are analyzed, prioritized and escalated to us in a structured manner.
I receive regular reports and KPI documentation to pass on to our management and, if necessary, detailed incident analyses with clear recommendations. This gives me complete transparency about the current threat situation, our response times and the quality of incident handling and any trends that arise. This is a huge relief for me, as I can report to the Management Board with a clear conscience. Based on facts and figures and without the uneasy gut feeling and the question at the back of my mind as to whether we are really aware of everything. I know what is happening and how we are reacting. That's a difference that you only understand once you've experienced it.
ISO 27001:2022 - suddenly feasible
Another milestone was our successful certification in accordance with ISO/IEC 27001:2022. What used to seem like a mammoth bureaucratic project became a logical consequence of the new structure. Processes were clearly defined, measures documented, workflows demonstrably introduced and responsibilities clearly defined. We were therefore able to present an integrated security framework to the auditors instead of looking at a hodgepodge of individual tools that we didn't really trust ourselves. Without the previously established SOC and SIEM structure, certification would have been a lot more difficult and certainly not possible as quickly, I'm pretty sure of that.
Focus on the core business
We operate complex SD-WAN and SASE infrastructures for our customers. Our product promise is based on connectivity, performance, stability and service quality. Cybersecurity must not be allowed to slow down this promise, but must help to guarantee it.
Today, IT security can be calculated, measured, scaled and audited. The topic is no longer characterized by operational uncertainty. The costs are clearly calculable. The processes are defined. The risks are transparent. And let's not forget the very important human side: we sleep more soundly at night. Not because there are fewer threats. But because we know that nothing will go unnoticed. At least very probably nothing.
Looking back: The actual decision
Looking back, the decision not to have our own SOC was not a question of our technical expertise. It was a management decision. We asked ourselves where we could best deploy our resources. Where our real competitive advantage lies. Which risks we want to bear ourselves and which we should have professionally managed.
With the IT examination and the introduction of R.E.D., we have created regulatory security, built up operational resilience and reduced our very own cybercrime risk in a structured way. For me personally, the role has changed noticeably. In the past, I was often the one who issued warnings. Today, I provide reliable figures, structured reports and a concrete basis for decision-making. Security is no longer just a cost factor for us. It is a strategic stability factor. And that was the ultimate goal.
Conclusion
The introduction of [R.E.D.] following the IT examination by RIEDEL Networks was not a classic IT project for us. It was an entrepreneurial turning point. We used the regulatory pressure to create strategic clarity and dismantled old structures and habits through the now integrated security architecture.
And I can proudly say today:
We have not only achieved compliance. We have gained real control.
