
Most enterprises have been trying to connect IT, OT, and cloud security for years, yet these environments remain stubbornly separated. The real problem is the decades of organizational legacy, company politics, and distributed responsibilities that keep security teams working in isolation, even as modern attacks move freely across all three domains.
In this conversation with Ahmed Achchak, CEO and co-founder of Qevlar AI, Daniel Kästle, who spent over a decade building unified cyber defense capabilities at Mercedes-Benz, reveals what it actually takes to tear down these silos. He shares hard-won lessons on governance, talent development, and why the goal isn't a single platform but rather data convergence and unified processes.
Read further to discover:
Ahmed Achchak: Today we're discussing the challenge of moving from silos to synergy in cyber defense. Large enterprises have spent years trying to connect IT, OT, and cloud security, but these environments remain largely separated. From your experience, what's the real reason they stay so isolated? Is it culture, tooling, or governance?
Daniel Kästle: I think it often lies in the history of companies and how their structures have evolved over time. Many companies don't have the luxury to start from scratch. They have existing structures that have grown over years or decades. Not just the structures, but also responsibilities have shifted over time, and from what I've seen, this hasn't always been intentional or strategic. Often it's driven by company politics, which is just the reality of how things evolve in big corporations.
In general, the further distributed these responsibilities are, the greater the divide and misalignment between these functions. If you want to unify them, the best thing you can do is move them under one umbrella. I'm not saying this is easy, especially on the political dimension, but I think that's the way to go. This should extend across governance and tooling responsibility, and should include fostering a culture of "we are in this together," because this is a challenge for the overall organization, not just a single business unit.
Ahmed Achchak: Today, most SOCs have partial visibility. Great IT telemetry to a certain extent, but limited impact on OT, and the cloud side remains pretty fragmented with many different tools. What does truly unified visibility look like? Are there trade-offs we should accept to get there?
Daniel Kästle: Visibility is always an uphill battle. Even companies that say they have good visibility in their IT environments now, if they stagnate for three years, will that still be the case? I personally don't think so.
If you really want to achieve unified visibility, and I would argue it's probably not achievable at all, you would need one single solution across all these domains. But in reality, I have not seen that. A lot of vendors claim they can do it, especially the platform vendors, but I would argue they can only do it to some degree.
In Germany, we have this famous word for it: Eierlegende Wollmilchsau, which literally translates to "egg-laying wool milk pig." You kind of get it all from one single animal or solution, right? But it's a fantasy. It doesn't exist in the real world. And I think that's the same case here.
The stack, the processes, and organizational challenges in these different domains are so vastly different. I don't think there will ever be this one-stop shop. Therefore, you have to accept that your stack will never be completely homogenous. And I think ultimately that's also a good thing. But it's very important to have that acceptance.
That being said, what you should do is challenge whenever someone comes with a new tool or process whether it really cannot be done with something you already have in place.
Ahmed Achchak: So because these three realms are so separated, you'll need different vendors, each bringing unique expertise for each bucket?
Daniel Kästle: To some degree, that's true. Ultimately, what you can achieve from my perspective is data convergence, bringing things together on a data level and building unified processes.
Ahmed Achchak: IT, OT, and cloud monitoring involve completely different threat models, data formats, prioritization logic, and remediation approaches. If you were to build interoperability between these three layers without creating chaos, what would be the first step?
Daniel Kästle: I would always look at the greatest commonality between them. I would argue that being able to detect threats and respond to them in either a proactive or reactive way is exactly the point where you want to start.
I would start from the process side. How are threats being assessed? How do you triage them? How do you respond to them ultimately? Even though tools, interfaces, and people involved might be different, the process at a high level should be unified in a good way. Down the line, it might be helpful to have it all modeled and run through a central tool, though that might never be fully achievable.
Unifying things on a process level is where I would start. That will help foster interaction between teams and different functions, because all of a sudden they're able to speak the same language. They use the same terms and run the same type of process, even though there might be slight deviations.
On a more practical note, what can be quite effective is if you mix the people. Sending people from your IT team to the OT sites or to the OT SOC if you have one, and having them see for themselves what challenges they face day by day. That goes a long way and creates common ground.
Ahmed Achchak: One challenge we hear about constantly is how difficult it is to hire seasoned analysts and keep them. If you're creating a cyber defense center that combines IT, OT, and cloud protocols, don't you need a structure to develop talent? Hiring analysts who understand all three seems like hiring unicorns.
Daniel Kästle: That's a difficult one, and it's been true for many years in the IT space. Hiring the right people is tricky. But what we did quite successfully at Mercedes was integrating people from within the organization who didn't have a cybersecurity background at all but showed interest. We trained them on security operations, cyber defense, and incident response skills.
The big advantage was that they brought very deep understanding of the specifics of the environments and a great network with them. By integrating people from the existing organization into the team, we reached a very good level of acceptance and understanding of the differences and challenges in those specific domains.
On top of that, some of the best hires I've ever made were people with non-traditional CVs. I wasn't just looking for people with all the cyber certifications or university cybersecurity degrees. You find good people there, but you also find good people with very non-traditional backgrounds.
Especially people who come from the OT side, from automation or maintenance, often bring very analytical thinking. Troubleshooting a problem until you really understand the root cause is a very good skill set in a cyber defense team.
And on the cloud side, every SOC team that doesn't have a person with a cloud/dev background is sort of missing out. These skills can be immensely helpful not only in incident situations but also to further automate processes and ensure you have a well-integrated and running tool stack.
Ahmed Achchak: How would a unified team deal with governance across IT and OT? These can have very different governance models.
Daniel Kästle: The days of classical IT security are long gone, even in OT-centric organizations like Mercedes-Benz. Nowadays, you have so many interfaces between traditional IT and OT components, and I still think we're only seeing the beginning of it. It will only further increase.
With cloud, as you said, there was never really this barrier. It's quite often within the IT function anyway and so interconnected with all the other IT systems that this artificial barrier didn't even make sense at all.
As I mentioned before, it should ultimately sit under one umbrella, and from my perspective, in most organizations, this should be the global CISO, unless these environments are really totally segregated, which I've hardly ever seen being true.
But it's not just about having it in a hierarchical structure under the CISO; the mandate must be very clear. This needs to be aligned with the leadership in manufacturing or in cloud. With the mandate, one of the big questions you need to solve is: under which conditions is the cyber defense team or the CISO organization authorized to isolate or remove a system from the network? That's one of the core questions, and it needs to be answered in your mandate. This will enable you to have the right level of governance to respond to severe threats in a good way.
Ahmed Achchak: Having a more unified approach probably also makes the attacker's life more difficult, especially for attacks that start in IT and move to OT or vice versa.
Daniel Kästle: That's why I don't like these silos. I was on a mission to tear them down as much as possible. The only way you achieve that is by getting rid of these silos. Ultimately, you want to see threats in an end-to-end way and take risk-based decisions, which is only possible if you have that overarching visibility.
Threats like WannaCry have clearly shown why this is so important. The speed at which WannaCry spread and operated made it impossible to respond successfully without having a holistic picture of what's going on. Based on that picture, you can take the right decisions to reduce risk for the company globally, because as I mentioned, this is not really segregated or in silos. WannaCry, like no other threat before it, really showed this to a lot of organizations.
Other threat actors we're seeing now are becoming much faster at exploiting weaknesses and carrying out sophisticated attacks, moving laterally. It's paramount to be able to catch up with your response activities and have a high level of readiness, because eventually everyone will get breached at some point.
Ahmed Achchak: If you could fix one organizational bottleneck that slows down enterprise security operations, what would it be?
Daniel Kästle: I'm going for the big one: distributed responsibilities. But I know that's more of a magical wish!
Ahmed Achchak: What's the hardest thing to standardize across a global security operation team? Tools, processes, or people?
Daniel Kästle: All of them. Just kidding, but kind of not, right? All come with different challenges. The answer ultimately depends on your organizational structures and where responsibilities reside. You could have everything unified in a hierarchical structure, but still be getting tools from the IT team, who decides on them. So you might be good on the people side but not on the tool side. At Mercedes-Benz, we struggled with all of them initially.
Ahmed Achchak: Imagine one of your regional SOCs calls saying they're struggling. What's the first metric or signal you check to see how deep the problem is?
Daniel Kästle: I come with a very unconventional answer: I would look at retention. That's something you won't find on a SOC team's dashboard, but I think it's quite often really telling of what's happening within a SOC. From there, I'd ask questions about why the retention rate is either so high or so low, or why it's stagnant.
I think in most SOCs I've seen, it's actually more about the people and not so much about challenges in tools or processes. People are likely to improve things. They want to do things better and not be annoyed by the same senseless alert or false positive. If you have a good level of retention, people will do a lot to self-improve and get better over time. But if you have a very unsteady ship where people come and go all the time and you need to train them constantly, then you won't have time for continuous improvement processes to kick in.
🎧Listen to the full episode on Spotify
🍏Listen to the full episode on Apple Podcasts