12.11.2026
09:00 - 09:45 Uhr

Vortrag
Processes & Workflows

Stage 2

Dr. Thomas Liedtke
Freelancer

Making Cybersecurity Auditable: Structuring Requirements, Work Products, and Evidence with GSN

With increasing regulatory pressure from initiatives such as the **Cyber Resilience Act (CRA)**, organizations must not only implement cybersecurity controls but also demonstrate, in a structured and auditable way, that risks have been adequately addressed across the product lifecycle. In practice, many teams struggle to connect high-level requirements with concrete engineering activities and verifiable evidence.
This talk presents a practical approach based on **Goal Structuring Notation (GSN)** to systematically build and maintain a cybersecurity argument for complex products.
After a brief introduction to GSN, the session focuses on its application in a **real development project**. The example shows how cybersecurity arguments can be structured **vertically**—from high-level goals down to concrete evidence—and **horizontally** across different security domains such as secure architecture, vulnerability management, and secure development practices.
A key aspect of the approach is the **direct linkage between GSN elements and actual project artifacts**. Typical work products such as risk assessments, security concepts, test reports, and vulnerability management outputs are mapped to the **argument structure**, creating clear traceability between requirements, activities, and evidence.
Beyond documentation, GSN is used as a **practical project management tool**. The argument structure helps identify missing activities, derive required work products, and track progress. In the presented project, GSN elements were linked to ticketing systems, enabling teams to **actively manage cybersecurity tasks** instead of treating compliance as a purely documentation-driven exercise.
The session concludes with **lessons learned** and observed benefits, including improved transparency, better communication between stakeholders, and increased confidence in demonstrating regulatory compliance.
Attendees will gain a **concrete understanding** of how to transform abstract cybersecurity requirements into a manageable, traceable, and auditable engineering workflow.

Dr. Thomas Liedtke, Freelancer

Dr. Liedtke is a cybersecurity and functional safety expert with more than 25 years of experience in the automotive and software industry.
Automotive SPICE®, and the implementation of security management systems, with a strong emphasis on risk management and process improvement.
He has held senior positions at companies such as Magility Cyber Security, Vector Consulting Services, Kugler Maag Cie, ICS AG, and Alcatel-Lucent, and currently works as an independent consultant and author.
Dr. Liedtke is actively involved in shaping industry standards and best practices. He serves on the advisory board of intacs, leads the Cybersecurity SPICE working group, and contributes to VDA, ISO and ZVEI cybersecurity initiatives.
He is a certified Automotive Cybersecurity Manager, Automotive SPICE Provisional Assessor, ISO/IEC 27001 ISMS Auditor, and Professional Scrum Master. He holds a PhD in Computer Science/Mathematics from the University of Stuttgart.