The Critical Role of Consultants in Cybersecurity with FTI Consulting's Peter Fischer
August 21, 2024
Insights
- The Intersection of Technology and Human Factors in Cybersecurity: Peter Fischer emphasizes that effective cybersecurity requires more than just advanced tools like AI. It also involves addressing organizational and cultural elements. Understanding how people communicate and operate within an organization is crucial for implementing successful security strategies. This comprehensive approach ensures that technological solutions are complemented by strong human factors, leading to more robust and resilient cybersecurity practices.
- The Evolving Role of Consultants in the Age of AI: Fischer highlights the transformative impact of AI on the consulting landscape, particularly in cybersecurity. AI can take over routine tasks, such as document analysis, freeing consultants to focus on more strategic and innovative aspects of their work. However, this shift also presents a challenge for training new consultants, who traditionally learned through these foundational tasks. The industry must adapt to ensure that junior consultants still receive a thorough education and understanding of the field, despite the changing nature of their work.
Samad Masood: Welcome to The Professionals where we discuss how to survive and thrive as a professional services executive. I'm Samad Masood from the Infosys Knowledge Institute, and today I'm here with Peter Fischer, Senior Managing Director and Head of Germany Cybersecurity for FTI Consulting. Hello, Peter. Welcome.
Peter Fischer: Hello, Samad. Thank you for having me.
Samad Masood: Thanks for coming. So, tell us a bit about your background, your career so far. How did you get to where you are today?
Peter Fischer: Yes, I'm working in cybersecurity for more than 25 years. I started my professional career in investment banking environment, being responsible for the IT infrastructure, very passionate about the cybersecurity aspect of this. So, I later changed into a big German bank, being responsible for information security. After that I started my own consulting company for cybersecurity.
We've been on the market for 12 years, having mainly banks and insurances as clients, and our consulting company was acquired by one of the Big Four. So, I moved into the Big Four, becoming a partner for nine years, being responsible for cybersecurity. And since last year I'm responsible for cybersecurity and developing the practice for the DACH region for FTI Consulting.
So, my experiences are mainly around advanced cyber defense, meaning setting up SIEMs and SOCs, and also part offensive security, identity access management, and setting up cybersecure strategies for clients. So now I'm building the practice for FTI with a strong focus on cyber readiness and incident response.
Samad Masood: In this podcast we like to ask you a bit about the moments that really made you. You've had quite a varied career there. Tell us, as a consultant, what's the thing that you think back, that really was the moment where it clicked, and you realized something that has helped you be a successful consultant today?
Peter Fischer: Yeah, being a consultant means being under constant pressure and it has this, think about working overtime, working on weekends and so on, and having no private time. And there was one moment when our small consultancy was having the first big projects and one of the clients, we did four assessments for him, and he demanded the reports to being finished on close of business, 15th of December. I clearly remember that date. And it was really very stressful to finish all of it. And I was working until four o'clock in the morning to get it all done and send it out so the client would find it in his mailbox in the next morning. I was very happy and then tried to relax over Christmas having some vacation.
And then when I spoke to the client again, end of January, I asked him, "Did you like the reports that we made and are there any measures that you want to take?" And he said, "Oh, well I didn't have the chance to look at it." So, I realized there might be some deadlines that are really, really hard and tough, and some are not really to take too seriously. So sometimes it's good to take a step back and really to challenge the deadlines and the pressure. Is it really necessary? Is it really critical? Or is it not, and there are some things that maybe can wait a little bit more?
Samad Masood: I suppose that requires a very two-way, open conversation, doesn't it? Because when you're the supplier, as it is, you feel very much under pressure to please. But that example you've just given, often the client isn't really thinking through their requirement, their decision, and I guess you've got better now at challenging, maybe, or politely pushing back on a deadline.
Peter Fischer: Yeah, absolutely. It's really necessary to challenge those deadlines and to make the client clear this means that people are going to work overtime, people are going to work on weekends. We have a lot of senior people that have families, that have small children, and they are willing to work overtime and to work on weekends, but is it really necessary? Is it worth it? And often if you talk to the clients and they are realizing it might not be that important and it can wait one or two days more, so, yeah. And sometimes you make a bad choice. That's part of the job, to manage this and to get rid of this.
Samad Masood: Your industry, the consulting industry, does have a bad reputation for overwork, working weekends, and it's great to hear that more positive view. But what is the upside do you feel? There are those negatives having to deal with clients, I mean, having to push back and challenge those sorts of things. But, on the positive side, what are the things that you feel that have helped develop you?
Peter Fischer: Yeah, being a consultant is really something special because I had a boss once at the Big Four where I was working and he said, "It's really, really wonderful to have the client ask us to solve the most complex and most interesting problems." So, I realized this is really, really a challenge. I mean, the people that are working in the companies, they have their day-to-day business and then they occur new problems, new challenges, new situations, and they need to cope with it. And they're asking us, as consultants, and this means we are the ones that they trust to solve these new challenges. We are faster and we have more experience, we have a broader view on things, and they also demand maybe more work in shorter time. And this means there's a high demand, but it's really satisfying to be able to deliver with those expectations.
And, moreover, it's also you're looking into different sectors, looking into different companies. You learn to know different cultures in the companies. And in Germany we have those hidden champions, mid-sized companies that are global market leaders in their segment, and it's really interesting to learn to know them and how they are working, what they produce, what their part in the whole production chain is, and for the economy. So, these are things that are so challenging and so interesting and really keep me going on even after all this time.
Samad Masood: I think that's what inspires a lot of people to get into the practice of consulting, whether it's focusing on an area, like yourself in cybersecurity, or supply chain or whatever. You still get to see a lot. Is there a bit of a risk, though, that consultants, and in this podcast, we talk to all in the professional services, it could be auditors, lawyers, strategy advisors and such, that you do get a wide range of experiences, but you're also only ever seeing those companies and you're working very long hours, very stressful, for the specific problems. How do you ensure that consultants are still getting a wide range of understanding what's going on outside of their specific area?
Peter Fischer: Many different aspects. First is you can't choose the client projects usually. The clients come with their very specific problem. Sometimes it's really interesting what projects you win because the client has strange ways to find their provider. And of course, technology keeps evolving and developing so the solution that has worked in the past 10 years might not work anymore tomorrow. So, you need to come up with new ideas and new approaches to the challenges to be able to really solve the problem and get the client to solve the problem and keep on working, get into a new operating model. This keeps us very busy and very challenged all the time.
And also, it's a matter of managing the team and to see who's interested in which topic. Can we rotate people out of projects that are taking very long so they see something different, different clients, different topics? And as a young consultant you have the ability to become an expert in different topics. Maybe the usual career path is you start very technical and then you realize that most of the problems, the root cause for a technical problem, is not on the technical level, but on the organizational level. And you realize the most problems are in a higher abstraction layer. So sometimes it's that the organization of a client is awkward, and this results in the same kind of technical problem all the time, and you need to change the organization or maybe even the strategy and the roles and responsibilities in the company.
So, the usual career path is you start very technical and then you get more organizational. It is the same for me. I used to write assembler code and doing penetration testing. Well, I wouldn't dare to offer that to a client anymore. Maybe if they have a, I don't know, 20-year-old system, I could do it, but-
Samad Masood: But those basics still help. I'm sure they still help your understanding, sure, yeah.
Peter Fischer: Yes, because the principles stay the same, but the technology keeps evolving and it's really challenging to enter the area of strategy, cyber strategy, because this way you really set up the tool for an organization and help them tackle the problems that evolve throughout time.
Samad Masood: I think you've described it really well and it's an interesting challenge. I wonder if I can ask you, we talked about choosing clients and them choosing you, often clients are looking for a technical solution, but they need a cultural organizational solution. Any advice on how you take the client through that journey, convince them to pay you to do it, but also convince them that that's actually what they really need? Or do you need to focus on the technical stuff and then work towards it as a relationship gets stronger?
Peter Fischer: In an ideal world it's possible to convince the client that it's not only the technology. There's the saying, "A fool with a tool is still a fool," and my team members don't use this because, I mean, you're telling the client he's fool so it's not the ideal way to start a conversation. But every big transformation project, we try to enable the client to use the technology and sometimes the client is aware of this problem, but he can't get any more resources so he's really depending on the external resources. And sometimes the clients ignore the strategy around it. They only focus on technology.
I have one client and my counterpart, he's only allowed to spend money for tools and not for consulting, so he has a zoo of tools that he's not able to manage with his team and they weren't able to build the processes around it, the organizational structure around it. So, there's nothing you can do about it. And this is also part of being a consultant. You really have great ideas, and you know how you could help the client getting better and reducing the risk, but they're not able or not willing to use this.
Samad Masood: That's a great analogy. I can just now imagine a lot of wild animals roaming around the organization, no bars, no zookeepers. I suppose that view relates a bit to how you view AI, right? Because artificial intelligence, particularly in cybersecurity, is a big, big threat now, isn't it? And it's more than that. It's not actually just the technology that's a risk. Tell us a bit more about that.
Peter Fischer: First of all, AI is a tool, and it can be used on the offensive side and on the attacker side and also in the defense. So, it really can be a great help in getting rid of all the sheer amount of data that is existing in the companies, to analyze it, to detect anomalies and so on. So, it is really a help for defending a company or an organization against attackers.
And then, obviously, we've seen a lot of attacks now utilizing AI, be it from generating deep fakes and also writing phishing emails that are really, really good. So, this is a very new and powerful tool, and organizations need to embrace the technology and understand it as far as possible to recognize the new threats that are rising with the use of AI on the threat actor side.
Samad Masood: But the way to solve it, I mean, there's still some very fundamental issues aren't there? Of course, the tools, even from the attacker side, but related to what you were saying earlier, the tools alone are not what you need to defend, right?
Peter Fischer: We've seen people, or organizations, spending a lot of money into AI without getting the basics fixed. We always have organizations and clients that struggle with the basic stuff like IT inventory. They don't know what kind of systems they have, how many systems they have, what their software versions are. That's something that they still struggle with. We have some regulations coming up that force the board members to take cybersecurity trainings with NIS2, for example, and DORA, which is really helpful because you need to understand the problems to really take the right measures and put the budget into the right places. But, still, those are such basic measures and AI is very elaborate and sophisticated and so that sort of gap that's opening up in the organization.
Samad Masood: In Infosys we talk a lot about AI readiness and how ready you are, and a lot of that is about being ready with the basics around your data and your processes and such. I suppose it's interesting that, at the board level, probably the two big things that are being discussed right now are cybersecurity, which has been for a while now, and AI. They're probably going on those AI trainings just at the same time they're doing their cybersecurity trainings. So, it'll be interesting to see how it all comes together. How do you see this changing your work, your career, the career of consulting, particularly around cybersecurity consulting? Are there going to be changes due to AI or is this another new phase and buzzword that fundamentally doesn't change anything?
Peter Fischer: First of all, I think it really will help for the consulting business, I'd like to say the simple and stupid work that we do like analyzing documents. When we do an assessment, we read all the documents and rewrite documents, and this is a kind of work that the AI might help us with, and it makes our work more interesting. And I think it's a great tool to concentrate on the things that really make our work interesting like finding innovative solutions and have new ideas and communicating with the client because it's a human business, it's talking to people and understanding and it's not an abstract problem.
Samad Masood: So do you think, because a lot of that work you're describing, it's been called grunt work sometimes, it's often the work that you give to more junior consultants, to go through loads of documents and that such, and you mentioned a good point about it's a people business really, and it gives you the chance to focus on that. But what does it mean for new entrants into the industry that might be... You were saying you started off as a programmer, basically, a lot of consultants start off doing that grunt work and it gives them... The belief is it's giving them that understanding and experience of business. Maybe it isn't, I don't know. What's your view on that for new people coming into the industry?
Peter Fischer: That's a challenge because some of the things that we think are basic lessons and educational steps that you need to go through to become a senior consultant, they're not necessary anymore. So, if we look at what the consulting business was like 40 years ago, the lessons that they taught, and they thought maybe copying some paper or bringing coffee to the senior executives would be very important, so you know your place, maybe things change, and the people start from a different level of learning. And, other than that, maybe we need to set up some artificial lessons, so they learn to understand the basics.
But when I started, yeah, as you said, I was programming in assembler and really, I knew how the processor was working. Is that necessary now? I don't think so. It's the same as 50 years ago you could, or even 20 years ago, you could work on the engine of your car yourself and, nowadays, you need special tools and it's all the people in the garage put a laptop on the engine to understand what goes wrong. So, do they really need to know all the basics and all the nuts and bolts? Maybe not. We are evolving and we are concentrating on the things that get more important.
Samad Masood: Like people and organizational and culture things you're mentioning.
Peter Fischer: Exactly. Exactly. And it's just, as I mentioned, the problems that the organizations are facing are not to be solved by an equation. So, it's many, many soft things that you need to understand, how people communicate, or how the organization is working. And technology is one big part of it, but to be able to use the technology in a proper way for this kind of organization, that's really the challenge.
Samad Masood: Peter, thank you so much. This has been a great chat. I've really enjoyed hearing from you and learning, and I think you've really solved a lot of the whole industry in the future here in this discussion. Thank you so much for your time, and I look forward to speaking again soon.
Peter Fischer: It was a pleasure. Thank you very much.
Samad Masood: Thanks for listening to this episode of The Professionals. It was produced by Yulia De Bari and Christine Calhoun. Dode Bigley is our audio engineer. If you want to hear more episodes, please like and subscribe. See you next time.
About Peter Fischer
Mr. Fischer has more than 25 years of experience in the cybersecurity industry. His distinguished career has been dedicated to cybersecurity strategy and framework development, with a focus on advanced cybersecurity defence, technical security assessments, threat analysis, identity and access management, and regulatory compliance.
Mr. Fischer leads FTI Consulting’s Cybersecurity practice in Germany, advising clients on issues related to cybersecurity readiness and incident response, including compliance roadmaps for upcoming regulations, penetration testing, and maturity assessments for portfolio companies.
Email: hpf@fticonsulting.com
About Samad Masood
Samad Masood is Associate Vice President for Content Strategy at the Infosys Knowledge Institute. He has spent most of his 25-year career either analysing or writing about the enterprise IT services and consulting industry but has also had long stretches of client-facing digital strategy and consulting work. At Infosys he has developed the research agenda and strategy for the Knowledge Institute, and before this he developed Accenture’s start-up innovation practice in the UK, launching a series of start-up accelerators in the Fintech, Retail, and Health sectors. His career started as a business and tech journalist at Risk, Information Age and Computer Business Review magazines, before moving into market research and consulting with firms such as Computerwire, Datamonitor and Ovum.
Email: samad.masood@infosys.com