Best of LinkedIn: it-sa Expo & Congress 2025

Show notes

We curate most relevant posts about Digital Transformation & Tech on LinkedIn and regularly share key takeaways.

This edition consists of numerous LinkedIn posts by cybersecurity professionals detailing their experiences at the it-sa Expo & Congress 2025 in Nuremberg, Europe’s leading IT security trade fair. The major themes discussed include the growing importance of artificial intelligence (AI) in security and attacks, the challenge of implementing new European regulations such as NIS2 and DORA, and the industry-wide focus on zero trust and identity security. Many attendees emphasised that the event’s primary value was the networking and community spirit rather than just the technology itself, with several reflecting on the human element and the need for greater cyber resilience in organisations, particularly among German SMEs.

This podcast was created via Google NotebookLM.

Show transcript

00:00:00: Provided by Thomas Allgaier and Frenis, based on the most relevant posts on LinkedIn about it-sa Expo & Congress 2025.

00:00:06: Frenis is a B2B market research company working with enterprises to optimize their campaigns with account and executive insights far beyond AI.

00:00:16: Welcome back.

00:00:16: Today we're diving deep into what happened at Europe's big IT security show.

00:00:21: it-sa Expo & Congress 2025 over in Nuremberg.

00:00:25: Huge amount of information came out of that.

00:00:26: Yeah, it really was packed.

00:00:27: So our mission really is to try and boil down those three days of, well, intense knowledge sharing into the insights that actually matter for you.

00:00:36: Right now.

00:00:36: That's right.

00:00:37: And this isn't just, you know, a list of new products.

00:00:40: What we saw, what people were talking about on the floor, it really signals a pretty fundamental shift, I think.

00:00:44: How so?

00:00:44: Well, we're moving away from just, like, siloed technical fixes.

00:00:47: The conversation is much more about integrated security.

00:00:50: Security that's really focused on identity and critically driven by compliance needs.

00:00:55: Right.

00:00:56: So if you couldn't make it to Nuremberg, don't worry.

00:00:58: We'll cover the spectrum from the big push towards zero trust right through to navigating that new stack of regulations in Europe.

00:01:05: It's quite a lot.

00:01:06: Okay, let's unpack this straightaway then.

00:01:09: Starting with what felt like the absolute number one topic, identity.

00:01:14: It's just... hotter than ever, isn't it?

00:01:17: Definitely.

00:01:17: Everyone, including folks like Patricia and Tony Acominato looking at Quest Software stuff, was really hammering home that securing the user, the device, the actual data flow, that's the priority now.

00:01:28: Identity is the new perimeter.

00:01:30: Precisely.

00:01:30: That whole idea of the network perimeter is basically gone.

00:01:33: So identity has to carry that weight.

00:01:35: What's interesting is the big operational push for making things like passwordless access and MFA just the default control.

00:01:43: It's not optional anymore.

00:01:44: Exactly.

00:01:45: And that often ties into standardizing on single sign-on (SSO) and aligning with global standards like FIDO2.

00:01:52: The goal isn't just making things easier.

00:01:54: It's really about hardening privileged access, baking in zero trust principles like just-in-time access.

00:02:01: that reduces operational risk quite a bit.

00:02:03: And you could see how much more sophisticated the defenses are becoming around identity too.

00:02:08: Things like identity threat detection.

00:02:10: It's now being directly linked to, well, good housekeeping internally, directory hygiene, and getting that continuous posture score across these really complex hybrid environments.

00:02:21: Right.

00:02:22: Keeping track constantly.

00:02:23: Yeah.

00:02:24: And Sam Bay from BioID GmbH, for instance, he mentioned how foundational things like liveness detection and deepfake defense are becoming now.

00:02:32: that directly supports Europe's big vision for secure, you know, trusted digital identities.

00:02:37: And that flows perfectly into the whole zero trust discussion, which is clearly maturing.

00:02:41: Albin Sanash, who seemed really involved in the Congress side of things, he highlighted that zero trust architecture, ZTA, and the tech that enables it, like ZTNA and SASE, well, they're not just concepts anymore.

00:02:53: People are actually implementing them.

00:02:55: Yes.

00:02:55: They're being positioned as the necessary direct replacement for the old corporate VPN.

00:02:59: Using identity-aware policies, device signals, continuous verification.

00:03:04: It's a different model.

00:03:05: It really is that shift, isn't it?

00:03:07: Replacing trust in the network with, like, verifiable trust in the identity.

00:03:13: Dirk Hanneman put it quite bluntly, saying the philosophy now has to be "don't trust anyone."

00:03:18: Stark.

00:03:19: But accurate. That whole "never trust, always verify" idea, that seems to be the core change people were talking about.

00:03:25: It is. And if identity is sort of the bedrock, the foundation, then the second huge theme, AI, is what's the accelerant that makes having that strong foundation absolutely critical.

00:03:38: Ah, good transition.

00:03:40: Because yeah, AI was everywhere in the discussions.

00:03:42: It really confirmed its dual role, right?

00:03:44: Both maybe the biggest threat and potentially the most powerful defense tool we have.

00:03:49: Exactly.

00:03:49: Vikas Pandey, who's often known as Mr. OT, he reflected that AI is just being integrated everywhere now, enhancing pretty much every cybersecurity solution on the defensive side.

00:03:57: But the flip side, the threat side.

00:04:00: That seemed to really worry people.

00:04:01: Oh, absolutely.

00:04:02: That was a major consensus point.

00:04:03: Antonio Vieira Santos pointed out that AI is widely seen as the number one global cybersecurity threat now, purely because of how much it empowers attackers.

00:04:11: And the speed is just, wow.

00:04:13: Yeah, we heard some really startling stats.

00:04:15: Levent Tas Demir shared one from a Palo Alto Networks talk, apparently: creating functional ransomware.

00:04:22: It now takes about three hours.

00:04:24: And they think that could soon drop to maybe fifteen minutes.

00:04:26: Fifteen minutes.

00:04:27: All thanks to AI just accelerating the creation of malicious code, phishing campaigns, you name it.

00:04:33: That speed is frankly terrifying.

00:04:36: It makes you wonder, if the attackers are moving that fast, is the defense just constantly playing catch-up?

00:04:42: Or is it evening out?

00:04:43: Well, that's where the defense and, crucially, the governance side have to kick in.

00:04:48: Yes, the defense is getting smarter.

00:04:50: Antonio Vieira Santos also mentioned how companies like Siemens are using AI in their operational tools, like SINEC Security Monitor, to proactively spot vulnerabilities and boost protection, especially in industrial settings.

00:05:03: OK, so AI fighting AI, essentially.

00:05:05: To some extent, yes.

00:05:06: But the sheer speed of the threat evolution means governance, the rules and regulations, has to evolve just as quickly.

00:05:13: And that's driving all this new regulation we're seeing.

00:05:15: Exactly.

00:05:16: Claudia, I could observe that we're seeing this new regulatory framework emerge kind of based on twin pillars for industrial and enterprise security.

00:05:25: You've got ISO 42001, which is the new standard specifically for AI management systems.

00:05:30: Right.

00:05:31: And then you have the Cyber Resilience Act, the CRA.

00:05:34: That's the big EU law mandating security by design for basically all digital products sold in Europe.

00:05:40: Hillary Milk confirmed the CRA was "in aller Munde".

00:05:45: Which means?

00:05:45: Oh, sorry.

00:05:46: Yeah.

00:05:46: Basically, that it was the topic everyone was talking about.

00:05:49: You couldn't avoid it.

00:05:49: Got it.

00:05:50: And there's another layer to this AI thing too, right?

00:05:52: Beyond just being a tool.

00:05:54: Yes.

00:05:55: This is really interesting.

00:05:56: Bogdan C brought up the idea of agentic AI.

00:05:58: This is where AI stops being just a script or a tool you point somewhere and starts becoming more like an agentic teammate, a system that can act autonomously.

00:06:06: Okay.

00:06:06: That sounds potentially powerful, but also risky.

00:06:10: Hugely risky.

00:06:11: Think about AI systems having autonomous access to sensitive APIs, for example.

00:06:15: This really forces the need for zero trust by design, specifically focused on securing the AI models themselves, their control planes, and all the data they're trained on and interact with.

00:06:25: Wow, okay, so.

00:06:26: AI is reshaping identity needs, and it's driving regulation, which brings us neatly to that regulatory burden itself.

00:06:33: Absolutely.

00:06:34: If we connect the dots, the sheer volume of rules, NIS2, DORA, the CRA we just mentioned, that formed the next major theme. Dr. Philip Radlansky highlighted that just harmonizing NIS2 across the EU remains a central challenge.

00:06:47: It demands really close collaboration between legal, technical, and business folks.

00:06:51: It's definitely not just an IT problem anymore.

00:06:53: It's a boardroom issue now.

00:06:55: Liability, for sure.

00:06:56: But it was encouraging, actually, to see solutions popping up quickly to help companies actually do this stuff, to operationalize compliance.

00:07:03: As we get Comoroff, for example, his company, CBA Cybersecurity, is only about sixty days old.

00:07:07: But he was already showcasing AI-based tools specifically designed to help demonstrate compliance with NIS2, DORA, and ISO 27001.

00:07:15: That kind of speed from vendors is definitely needed.

00:07:18: It is.

00:07:19: But that speed also highlights a pretty critical gap, especially on the legal side.

00:07:24: Karsten Eubartels, who has an LL.M., he emphasized that IT security law is becoming incredibly relevant, but it's hitting a lawyer market that's largely unprepared.

00:07:34: So digitalization is racing ahead without the right legal backup?

00:07:38: Often, yes.

00:07:39: Particularly without specialized legal advice on the IT security aspects, which, you know, creates massive potential exposure down the line if something goes wrong.

00:07:48: That's one gap.

00:07:49: But there's also this internal readiness gap, isn't there?

00:07:52: Especially for smaller companies, SMEs.

00:07:54: Yeah, that's maybe even more worrying.

00:07:56: Ilge Freund cited a Cisco study, apparently less than two percent of German SMEs feel they're optimally protected.

00:08:04: But, and this is the kicker, a staggering eighty four percent are overconfident about their current IT setup.

00:08:10: Wow.

00:08:11: That disconnect is dangerous.

00:08:13: It really is.

00:08:14: That failure in self-assessment is arguably worse than just not knowing, because it stops them from actually budgeting or investing in the controls they desperately need.

00:08:21: So what's the answer then, if they're overconfident but underprepared?

00:08:25: Well, that's why so many experts at the show were stressing that, forget the fancy AI or complex compliance for a second, you have to get the operational basics right first.

00:08:34: That's the foundation for any kind of real resilience.

00:08:36: Back to fundamentals.

00:08:37: Exactly.

00:08:38: Mirko Von Schlachta from KPMG, he really crystallized it down to three crucial, non-negotiable things for incident response planning.

00:08:48: First, have a true air-gapped offline backup, not just another network share, truly offline.

00:08:55: Right, untouchable.

00:08:56: Second, implement clean network segmentation.

00:09:00: Specifically, he mentioned tiering for privileged access management, PAM.

00:09:03: Keep those critical systems isolated.

00:09:05: Makes sense.

00:09:05: And third, make sure your endpoint protection, whether it's EDR or XDR, has rapid automated response capabilities built in.

00:09:12: You need to stop the bleeding fast.

00:09:14: These are the things that actually work when the worst happens.

00:09:16: Okay, solid advice.

00:09:17: Let's shift focus slightly now because getting those basics right is absolutely critical in operational technology, OT.

00:09:24: The impact there can be, well, physical and potentially catastrophic.

00:09:28: Absolutely.

00:09:29: Whipkey Reuter from Siemens really emphasized that modern threats don't care about the IT/OT boundary.

00:09:36: They impact the entire infrastructure.

00:09:38: So organizations just cannot afford to focus only on IT security when their OT systems, the things controlling power grids, water supplies, manufacturing lines, are the actual backbone of their operations.

00:09:49: So what were the key strategies people were discussing for OT security specifically?

00:09:54: A lot of it was about visibility, extending asset discovery. You still can't protect what you can't see, right?

00:10:00: So the focus is on going beyond the IP network to map out everything in the PLC and SCADA environments, often using passive methods like fingerprinting, so you don't accidentally disrupt these sensitive systems.

00:10:10: And identity governance comes back in here too.

00:10:12: Oh yeah, big time.

00:10:13: Especially managing third-party access: vendors, maintenance crews.

00:10:17: The key there is using things like time-bound credentials, so access expires automatically, and having full session recording for auditing and accountability.

00:10:24: Okay, so... Tech, regulation, OT, quite a lot covered.

00:10:30: But zooming out from the purely technical, there was another strong theme, wasn't there, about the people, the community.

00:10:38: Yeah, absolutely.

00:10:39: The consensus, almost universally from the posts we saw, was that the actual engagement, the networking, the community feel, that was the real value of being there in person.

00:10:48: Selina Mund and Christian Reimann both called it a vital class reunion.

00:10:52: Right, which highlights just how important that personal exchange is in this field.

00:10:57: Sharing experiences, building trust.

00:11:00: And that loops right back to something Sam Bey said, that cybersecurity is as much about trust in people as it is about technology.

00:11:07: The best tools in the world are kind of useless without the right culture and the right people using them.

00:11:11: Exactly.

00:11:12: Which is why it was good to hear from Philip Jurer that security awareness programs are finally, hopefully, moving beyond just those passive, click-through annual trainings.

00:11:21: Toward something more engaging.

00:11:22: Yeah, evolving to include things like real-time coaching, interactive live hacking workshops.

00:11:27: Things designed to actually anchor security culture within the company's DNA, make it instinctive. That human firewall needs to be constantly reinforced.

00:11:36: That feels like a really good place to synthesize everything.

00:11:38: Technology, regulation, and, crucially, the human element.

00:11:42: If you enjoyed this episode, new episodes drop every two weeks.

00:11:46: Also, check out our other editions on cloud insights, sustainability and green ICT, digital products and services, health tech, defense tech, ICT and tech insights, and artificial intelligence.

00:11:57: So I think the key message coming out of Nuremberg, the provocative thought maybe, is that the security architecture is genuinely shifting.

00:12:03: Technology and regulation are now completely intertwined.

00:12:06: The real challenge for you, listening now, isn't just about picking the next AI tool or ticking the boxes for NIS2 compliance.

00:12:13: It's about ensuring the human element, your team, your company culture, and yes, your legal counsel, is actually prepared and empowered to act decisively and act resiliently when you have to assume a breach will eventually happen.

00:12:24: Fantastic analysis.

00:12:26: A lot to think about there.

00:12:27: Thank you for joining us for this deep dive.

00:12:29: And don't forget to subscribe.
