
Empiric Insights: Cybersecurity Leadership, Resilience and Hiring with Dr Tim Sattler

Empiric Insights is our video series where our team sits down with experts across different specialties that we recruit for, to hear their guidance and perspectives on the forces shaping technology, leadership and talent today.

In our latest episode, Empiric’s Toby Nevett spoke with Dr Tim Sattler, cybersecurity leader at Jungheinrich and board director at ISACA. With over 25 years’ experience spanning consulting and in-house leadership, Tim has built and led teams responsible for protecting complex, always-on industrial environments.

Watch the full interview and recap of the conversation below.

[ YOUTUBE EMBED ]

A career shaped by constant change

Tim’s route into cybersecurity was not a straight line. Originally trained in physics, he moved into information security early in his career and has remained there ever since.

“Information security has been developing so quickly and so dynamically over the years… it never got boring. New challenges, new technologies coming along, new threats. Every day, you never know what to expect. It’s not just the average nine-to-five job, it’s really a passion.”

Why diverse thinking matters in cybersecurity teams

Dr Tim Sattler - VP Corporate Information Security / CISO

Tim is clear that the strongest cybersecurity teams are rarely built from identical backgrounds.

“Some of the best people that I had on my team, in the past and also nowadays, are the ones who didn’t have a linear career path. I have someone on my team who is in charge of security awareness training and has a background in the tourism industry. A completely different career path than you would expect for someone working in this field.”

For Tim, hiring decisions should focus less on credentials and more on how people think and learn once they are in the role.

“Expertise is also something that you learn on your way while you are working on the job. What I’m always looking for is that people are eager to learn, agile in their thinking, adept to new ideas and new technologies. That’s something you cannot do afterwards, you need to hire for that.”

Cybersecurity as a business responsibility

Tim is clear that cybersecurity can’t sit in isolation from the business it supports.

“Security is not just a cost centre or a tech issue, but it’s really a business enabler. Without cybersecurity nowadays, you cannot do business because everything is digital.”

That shift changes how security teams operate inside organisations: “We as information security see ourselves as kind of trust advisers, who are in the role of advising the business on how to implement digital technology in our products, but also within the company. That’s not just security, that’s also the responsible use of technologies, that’s transparency. So digital trust as a whole.”

Ownership shifts as a result: “It’s not about thinking that there’s a security department and they will take care of security. It’s a shared responsibility among the different business units to make the company secure.”

Operating cybersecurity where downtime is not an option

In always-on manufacturing environments driven by automation and robotics, the tolerance for downtime is minimal. For Tim, “communication skills are more than 50% of the game”, particularly when working closely with engineering teams and understanding their requirements, because “it doesn’t help you if you have a great tech expert who is not able to bring across what is important”.

In these environments, cybersecurity is not only about stopping incidents but about keeping the business running when they happen. As Tim puts it, “it’s not only about prevention and containment… it’s really this idea of resilience, how to keep the company alive, how to keep production running if you have a cyber incident”.

That focus on resilience requires a deep understanding of how the business actually operates. “You need to know how you can support the business in keeping processes running when parts of the IT infrastructure are not working the way they’re supposed to.”

The same thinking applies beyond organisational boundaries. “If a major or critical supplier gets hit by a cyber incident and you don’t get the parts that you need”, production stops. Even when internal systems are secure, “you also need to look at the supplier side… how to secure the supply chain… because if we don’t get the parts we need, we can’t keep production running”.

Thriving under pressure in high-risk environments

As attacks become more targeted and professionalised, Tim points to mindset as a defining factor. “You need to bring a mindset for threat-informed decision making… bringing this attacker’s perspective as well”, rather than relying purely on static controls or assumptions.

Operating in this space also means accepting uncertainty. “You will never have the complete information”, and being able to live with “ambiguity and volatility” becomes part of the job when decisions still need to be made under pressure.

That pressure is not abstract. “Cyber incidents are always very stressful situations”, particularly in environments where the impact is immediate and visible. Being able to cope with that stress, and continue to make sound decisions, is a core part of operating effectively in high-risk roles.

Alongside resilience sits continuous learning. “The threats are evolving constantly”, which means “you need to know what the latest techniques are and how you can adapt”, rather than relying on what worked in the past.

Changing security behaviour through storytelling

Tim believes security culture is not built through policy or process, but through behaviour. “Changing the culture is basically changing the behaviour of many people… one single person at a time.”

That same thinking carries directly into how he approaches hiring. Rather than focusing on certifications or technical credentials, “Ask people for their stories… how did you change the security behaviour of a particular person?” Those stories reveal far more about judgement, communication and impact than a CV ever could.

Being able to describe that change matters, because security work depends on influencing people outside of the security function itself. “You need to be able to communicate with the business”, particularly when explaining why something matters and how behaviour needs to change.

The same approach carries into day-to-day security work. “Start with the why… explain why you’re doing it… give examples of near misses, incidents that you had.” Real situations make the consequences tangible and help people understand their role in keeping the organisation secure, rather than seeing security as something imposed from the outside.

AI, efficiency and digital trust

For Tim, AI does not fundamentally change the nature of cybersecurity threats, but it does change the pace at which they operate. Attackers will use AI “to become more efficient”, improving phishing campaigns, deepfakes and malware, much of which is “already happening today”.

That efficiency cuts both ways. While attackers gain speed and scale, the defensive fundamentals remain familiar. “The controls that we need to defend against these techniques don’t really change”, even as AI is increasingly used to support detection and response and make teams more effective.

Where AI has a more profound impact is in trust. How organisations use technology, and how transparent they are about it, becomes visible to customers. “If your customers don’t trust you and the way you use these technologies, they will move on”, making digital trust a differentiator rather than a purely technical concern.

Rethinking where cyber talent comes from

Despite constant discussion of the cyber skills gap, Tim believes a significant part of the answer is often overlooked. Many organisations underestimate “the importance of having an internal pipeline of candidates, people within the company that you can develop”.

That view ties back to how he thinks about potential and suitability. Rather than focusing solely on narrowly defined CVs, he sees value in broadening the definition of what good looks like. “Bringing in people that may not have the well streamlined CV for cybersecurity, but that may bring in other skills that you need on the team”, opens up a much wider pool of capability.

With the right investment and development, that potential can materially change the landscape. “The cyber skills gap would really, really become much narrower if we would use this potential”.

Building resilient teams with Empiric

Across the conversation, one message is consistent: strong cybersecurity teams are built around judgement, communication and resilience as much as technical capability.

At Empiric, we work with organisations operating in complex, high-risk environments to help them build teams that can perform under real-world pressure, not just on paper.

Learn more about our work and request a callback here.

Be sure to connect with Dr Tim Sattler and Toby Nevett. To watch the full Empiric Insights episode or explore more conversations like this, follow Empiric on LinkedIn and visit our blog.
