Sep 29, 2024
Episode Description
Holger Sontag, CISO of Privé Technologies, shares his insights on working in the field of security. He discusses his passion for solving puzzles and making things better for those who lack knowledge in security. Holger highlights the differences between working on the vendor side and in internal departments, emphasizing the importance of ongoing tasks and customer interaction. He also discusses the challenges of working in regulated industries and the need to stay updated in a rapidly changing field. Holger emphasizes the importance of building a security culture within organizations and the role of effective communication and awareness training. He shares his experiences with severe security incidents and the importance of staying calm and focused during stressful situations. Holger also discusses the balance between security and business, the challenges of remote work, and the future of cybersecurity.
Hi everyone, and welcome to the Hands-On CISO podcast. My name is Zy, and today we'll be talking to Holger Sontag. Holger has been working around or in security, hands-on, for about 23 years, mostly on an international level, in internal departments as well as on the vendor side. Currently he's the CISO of Privé, an international wealth management provider. Holger, great to have you. How are you doing?

Thank you, great to be here, and I'm doing great. How are you?

Perfect, excited for this conversation. So before we get into anything else, I'd love to hear: how did you end up in security? How did you get into the field?

Well, it's a long story, but I'll be very short. I've always been kind of interested in technology and in security, and I guess this comes from different angles as well. I guess one of the main angles is the concept of solving puzzles, and the idea of just having this thing that you don't understand, and you kind of want to break into it and break it down and understand what it means in detail. And security just offers a lot of that. The thing is, you know, there are roughly three different categories of people who work in security. Those that do it because it changes something, it does something good, it helps people who just don't have the understanding or cannot get there in terms of knowledge. The second group is the people who are in it because of the nitty-gritty details of things and putting things in place. And then there are certain people who are in it because it's a very well-paying job. And I'm sort of the first category, where I feel like it's a way for me just to make things a little bit more easy and a little bit better for people who just don't have the knowledge or the understanding of how to do it by themselves. So I see there's an obligation also on my side a little
bit.

Interesting. So you've been both in companies as CISO, but you were also on the vendor side. What are the differences in the day-to-day?

It's a completely different task. On the vendor side I was more in business development, pre-sales and consulting. And I mean, the consulting bit kind of carries over, where you are becoming sort of an internal consultant if you work inside of a company's internal department, and that's really the cut-over. The difference is then, on the internal side you have a lot more of the daily tasks, you know, audits, monitoring, adjusting alerting rules, all these kinds of things. And if you work on the vendor side it's really a lot more customer interaction. And the difference between a consultant and internal personnel is in the end a little bit the ongoing doing, so not the initial setting things up, and then, you know, the consultant helps to set things up and then he goes away, and the day-to-day, having to live with it. This is kind of the difference, I guess the biggest difference.

Interesting. So what you're doing now, you're in a fintech company. Would you say that affects the type of things you do significantly, or do different companies tend to have similar CISO roles, from your experience?

Yeah, so I cannot speak for all industries; I just don't know all of the industries well enough. What I do know is, especially in the area where we are present, which is Southeast Asia, Bay Area and a little bit in Europe (Europe is simple), there are a lot of regulations and laws that our customers have to abide by, and consequently we also have to understand and work with. That means we have a lot of audits; we are getting audits every few weeks from some customer, and there are a lot of requirements that we have to understand, that we have to fulfill. And I guess this could be one of the major things, you know, banking, working with banks, working with insurance companies: this kind of data is just extremely protective, and that means that we also then have to make sure that we fulfill our part in this. And I'm also guessing that, compared to, I don't know, an industrial environment, our security requirements are probably a lot higher. And this then also means, of course, that we just need to have a bigger investment in it, we have to understand a lot more laws around it, we have to make things click a little bit better. Certifications like ISO 27001 etc. are then really just a normal thing to have in this industry, whereas I guess if you are a CISO of a sawmill, it's probably not that important. I'm guessing; I don't know, maybe it is.

Yeah, I think each industry has different things, but the regulated industries seem to be the most data protective, let's put it that way, like health and financial. Cool. How do
you stay updated in this field that is really changing so fast? Every other day you have this breach, this technology, everything's happening. How do you stay updated?

I think this is something that I hear a lot, and I really think you have to separate the fields. There are some things that will not change: you need endpoint protection, you need a firewall, things like this. This was the same 10 years ago, it will be the same 20 years in the future, probably. It's just what is underneath that is changing. And if you work with vendors for firewalls and endpoint protection and you kind of see what the technology brings, then this part is very easy to stay up to date with, because some of it just manages itself. You have a firewall with a firewall vendor, you have a testing system, you push the patches regularly to the test, you see if it works. If it doesn't work, you don't, and if it works, then you update the system. So this is a simple task where you don't really need that much information aside from what the vendor gives you anyway. Where it becomes more complicated is of course vulnerabilities etc., breaches, things like that, that do affect us, and this is really more along the lines of risk management. With vulnerabilities, generally vulnerabilities, breaches, attacks, we work a lot with external threat intelligence providers. Some are directly connected into our SIEM; others we have as additional information for enrichment. And if something bigger happens, I've found the two best sources to quickly get code snippets for running PoCs, for detecting if this affects you in any way, shape or form, are Twitter and GitHub. I mean, of course you always need to check these scripts, you shouldn't just copy-paste them, but aside from that, this is where the security community comes together and really quickly shares information: hey, this affects this, and I tested it on a couple of systems, and you can run the script. And then you go into your testing chamber, sandbox, you test what it does, and then you run it in your environment. You have essentially saved, I don't know, a couple of hours of work right there, and you're much faster than the competition. So this is kind of the way we keep up with things.

Interesting. So have you noticed different kind of
cultures regarding security at different companies you've worked at?

Oh, definitely. Not just worked at, but worked with. So I have actually built the security in two companies that I've worked in, and I worked in a security company where everyone was a security person, or most people. I mean, first of all, if you work in a security company where people understand security, then the way people interact with technology is just completely different, because they just leverage on from a completely different mindset of what the computer can and cannot do. And they understand; there's a lot less communication needed to persuade them of things. And on the other hand, people that like to leave their laptops unlocked, there's a lot more things that will come at them. But I have supported companies that have a very low security culture. For some it was historical, for some it was just something they never thought about. And this is difficult, because if there's no mindset that we need to do this now, but the mindset is "our customers require us to have a policy", then you can essentially forget it. Until the mindset is set, all you can do is write a policy and make sure you stay away from the rest, because it will never reach where it needs to reach, because people are not receptive. They don't want to deal with it; they don't see it as necessary. Whereas in companies where the culture is already geared towards "we need security because it is important", no matter how many people, if you have some managers and some of the staff in the direction, you've already won; the rest will just follow suit. So I think that building an understanding that security is needed is probably the most difficult, and once you have that, everything else is kind of just budget discussions. That's kind of the difference between the companies, I would say: some have this culture, some don't. But I don't think there's a difference between a tech company, a development company and a V Tech company once they have the same understanding about security. Only what they need is then different, but this is anyway different from company to company; they have different processes.

Yeah, more about the culture, less about the kind of company. Interesting. Have you ever had to be the bad cop?

I mean, okay, let's put it like this. I think the user error comes from three different angles. Two of them
are definitely something where security is involved; the third one is something where legal is involved. And the first two are essentially the mistake and the negligence, right? And I would say the mistake is something where there is no bad cop. Maybe you feel a bit like a teacher sometimes, but this is just a person who just doesn't know it any better, and it's an honest mistake, and usually this is more of an extended awareness training than anything else. There is no bad cop; there is just a person who needs to understand something and wants to understand it. Usually, I never had the situation where someone said "I don't care". Usually it's always that they quickly say "sorry, my mistake, let's see how we can make sure". This is kind of the most common occurrence of this kind of interaction. The negligence is very rare. It happens, but it's really rare, and of course when people get caught knowing they shouldn't have done something, then they always feel bad about it, right? This is just human nature; you don't like getting caught. It doesn't mean they feel bad about having done it; it means they feel bad about getting caught. And let's put it like this: I have never experienced someone being negligent twice, not because of how I deal with it, but just because they understand that these things get found out, and then they understand that they feel bad about it. And you don't need to be a bad cop; you just need to say "hey, what happened here, can you explain?" and then you talk about it. Luckily, in companies I worked at, I've never had a case of purposeful misconduct. I was involved in incident response cases where this was the case, but I didn't do the communication there. But this is then really not for security; security just figures it out and then hands it over to legal, right? This is then for the lawyers to handle, because at that point you have a crime and it's a whole different story.

Have you ever been part of a company or worked with a company that had a severe security incident?

No, but
I have supported companies that had.

How does that look like?

Day one: a lot of people running around being extremely nervous, not knowing what to say, hoping experts have a silver bullet to figure it out, realizing that if you have never put any sensors into your network, it's too late to do it once it happens, figuring out how to deal with it without the customers noticing it, this kind of stuff. Day two: things have calmed down a little, most people haven't slept the whole night and are high on coffee, and you're sitting in a room and you're trying to then install things that help you clear out the network. And suddenly the budget is just completely open: buy the best thing, buy the best thing, buy the best thing. And from there it kind of depends what the incident includes. I mean, things get handled on a very different level, especially when a lot of money is involved. Typically security is only making the report, and then the rest is handled through a very different level of authority. And when it's about data recovery etc., then it really depends on what the company wants to do here or can even do here. But if a company is well prepared (I've also had one case where that was the case), they had everything in place and we were essentially just coming in, looking at the logs, quickly being able to trace everything, and the whole thing was very well organized. We had a room fully set up for this. There was local security; a very small company, but they had a guy dedicated for security who knew everything, who could help us with everything, and this made the whole situation really easy to deal with. So it depends. If you have a good security posture, incidents are, I mean, they're never a good thing, right, but they're easy to deal with, or let's say more easy to deal with, because you kind of know where to look, what to look for, what happened. It's easy to trace, it's easy to then mitigate, it's easy to follow what happened on the network or on the application or whatever. If you have a bad security posture and you don't have anyone who ever thought about it, then you have a bunch of people running around headlessly and not knowing what to do, and it gets super complicated, because you first have to manage the people and you have to manage the situation, and then you have to figure out what you can do to actually, you know, get ahead of the situation. So that's kind of how it is, essentially.

How do you handle the stress of a situation like that?

Coffee. I would say, if
it was my own company, I think I would be a lot more stressed about it. If I had bad security, let's say I'm a day-one CISO, something happens, nothing is prepared and it's my responsibility, then I would be very stressed out. But if you come in as a consultant, you anyway already have the mindset that, okay, I am here to tell these people how to work with it, and if they don't want it, then I can go again. You're a bit more detached from the situation, and this gives you a little bit of this energy where you can just say "we can work together on this, let me just show you step by step" and calm down people. And this people-management thing then becomes a lot more easy because you are not directly involved; your head is not on the chopping board for this. Whereas if it's your own company, it's a little bit of a different story. So this is not advice for CISOs; this is advice for consultants. But if you're a CISO (I mean, I was not in the situation yet, in the position of a CISO, that this happened), as a CISO I think it is super, super, super important to always, in that moment, think back to what you have in your hand and just calm down about the initial stress that something big might have happened and you don't know what, and go into the details of step by step retracing what happened. And then you go out to your communication once you have understood the situation. And if it takes a bit longer, it takes a bit longer, but it will take a lot longer if you first panic about it. So that's kind of the way I would see it.

Perfect. How do you manage the balance between security and business?

Well, I mean, actually really in accordance with ISO 27001,
right? I mean, there is a clear statement on how security needs to support business, and this statement we take very seriously, and this was built up and is updated regularly whenever things change. I think the better question is: can security always support business? And I think, oh... but I think it can get very close to that. There will always be moments of tradeoff, and I'm really saying moments, because not all security tools are a hindrance. Let's take password management. If you use a password store, like some centralized encrypted password manager, then actually life becomes easier, because people no longer have to type passwords; they just have to click a button and it's all done for them. So this is a security tool that makes business even more fluid. So suddenly we are not just supporting, we are enhancing the capabilities of the business teams. And then a lot of things are just zero-touch, like having an endpoint protection, EDR or something, installed that silently runs in the background, does not disrupt business and disrupts no one. You just have it installed and for the most part no one will ever know about it. I'd say what we use is something that four or five people in the company have gotten in touch with since we have installed it, right? It's just so silent. Then firewalls block a few websites and people don't like that, and this is a little bit more iffy, but then you have to communicate why these websites are blocked, and this is more about communication. So it kind of depends on the tool, on the control, on the process you have in place, which is disruptive, which is enhancing, and you kind of have to align that as well as possible with the requirements of the business. But in the end the company culture has to make the decision what's more important, whether it's more important to follow a bit more security or to make business a little bit more, you know, to share this document with the whole company even though it doesn't need to be. That's kind of the tradeoff in the end.

Interesting. Do you remember any action or decision that you made in the past that ended up being maybe not the best decision to make in terms of security? And then how do you cope when the mistake is on your hand?

Oh, that's actually a tough question. So I don't think I have made a very dire mistake yet. You always know when it's too late, right? I would have to think about this. I mean,
I think there are less optimal situations and more optimal situations, and it also depends a little bit on what you have at your disposal. And I think in the first company I worked with, we had a bit of a hiccup with the antivirus tool of choice. This was just because the budget was too low and I had to take what was given, and I do regret that decision, because today, or even back then, I knew this was not the tool that could get the job done to my satisfaction. How was it? I mean, we ran with it for a little bit and then we changed it. It was not a huge deal. We had a free-of-charge tool; back then a company was testing a centralized version of their tool. We used it; it didn't have any huge impact, but a lot of the developers in the company got a little bit angry because the tool was very invasive and so on. So it was more of an internal communication issue at the end. Otherwise, typically you don't just make a decision and run with it, right? You kind of evaluate what this decision is and how it works. So if you do your homework right and you talk to the right people, there's not really a situation where you make a massively dire mistake that takes everything down. This is just not going to happen, because there are so many steps in between and so many people you talk to and so many evaluations you do. I mean, we don't just install software; usually there's a big sandbox, we test the software, it's safe to install, and so on, a huge process. That's kind of the reality of it.

That's good, I guess. Perfect. So what would you say are the biggest challenges in cybersecurity right now, in general?

I mean, the biggest challenge is always the user, but I don't want to go that route
because I think everyone has talked about that already; everyone knows it. I think there are currently, I'd say, two challenges that I feel are maybe understood wrong most of the time or not talked about enough. One, in Europe, is for sure the upcoming two new regulations, NIS2 and DORA, which are massively misunderstood because a lot of people just don't want to read 100 pages of legal text. And I understand that, neither do I, but I did. And there's a lot of misconceptions of what these laws do and how they affect someone and so on. And I think the communication here, that customers understand if companies are ready and how to distinguish between a company that's ready and one that is not ready, is a very big deal right now. There's a lot of very rough decisions being made based on assumptions that are just simply not true. And the second thing is, I mean, a lot of people talk about AI. I have not yet seen AI hack a server or anything, but what I have seen is that phishing attacks get a lot more persuasive, right? So we are seeing AI-based voice messages and whatnot coming through WhatsApp and stuff like this that sound partially already quite good. I mean, you can still make a clear distinction. And there's a big question of how to validate users in the future. Like, if someone is on a business trip and the timing is just right and he contacts you over WhatsApp from a new number from that specific country (this is all stuff you can find out) and sends a voice message that sounds good enough, then there's really very little the person can do to validate or to get over this belief if he's not schooled in it. So I think awareness training has to adapt, tools have to adapt. We are going to publish a white paper on this in some short time, where we have a couple of ideas about how to deal with this. But I think these are the two topics that are currently spinning around me most, I would say.

How do you feel about AI in general, the tool?

I mean, I think AI is
one of the most misunderstood tools of our time. People's imagination runs wild with this. I have heard the wildest things of what AI is supposedly capable of. I think it was a short video that circled where AI supposedly contacted someone on Fiverr to solve a CAPTCHA for it and so on. This is all not what AI can do, right? It's a large language model; it's essentially a very complex database query. I use it a lot as a tool for different things, not to write my texts, but, I mean, for development for example, our developers use it for getting code snippets that they would otherwise need to get from Stack Overflow. So it's just a Google search, essentially, made a bit easier. I use it for some detection mechanisms, but of course you always have to validate the output, because AI can also be very, very wrong and be very proud of being wrong. And I use it with some vulnerability testing and pen testing tools that we have inside the company, but it's always just an initial way to get a few more things done than with non-AI-based tools. It's not really a tool that you can fully... like, "I made my pen test because AI said so", right? You do it as initial poking around, and then you look at what the AI did, and then you do the rest, right? So it's kind of like that. There's a lot of tools right now that are, especially in cybersecurity, very interesting. A lot are really more toys than something you can use, but it's an interesting insight into what people think it could be used for. So I'm always open to testing.

Interesting. What do you think is one thing that people who are outside security don't really understand about what it is that security people do, or what it's all about?

I think it depends on the person. I think what most people don't understand about security, if I have to take one topic, is the scope. I think for a lot of people the scope is kind of: yeah, security is installing an antivirus tool on my system
and then seeing what it does. Or, you know, I think in your questionnaire was a question about phishing. I also knew a guy who thought that security was just writing correct code. I think some misconceptions just come from a place where people just do not want to understand what it is, and this is then always quite difficult to deal with. But I think most people just don't understand the total scope of what security can include. I mean, for example, a good friend of mine, very technical, has a very good understanding of the rough scope of security, but even he is surprised sometimes what all can be attached to this if you really blow it up. So a complete security system that you would install essentially tackles so, so many topics, partially administrative, process-based or just pure tooling. Controls can be done in many different ways. It tackles legal topics, it tackles stability topics, resilience topics; there are just so many things that people don't know are also part of security. I think this is the biggest misconception: the scope.

Interesting. How do you manage your attention between, on the one hand, actually taking care of the security side, then also having a team and managing them, and also creating a culture that is security aware? To some degree you have to have some communication, I would assume, with the people in the company, and then also communicate at all times with management what is happening, and understanding what they need, what you need. What is your focus going to on a daily basis, let's put it that way?

Okay, so managing the tools, managing the team is the easy part; this is management. But the thing is, I
have not yet worked in big security teams, so like 20, 40 people, and I will never, because it's just not how I work. I am very hands-on, I also like to be hands-on, and if I work in a team, even though I lead the team, I will be part of the team, and we all have tasks in this team, and everyone can be replaced. There's always enough people in the team to replace someone who's on holiday, who's sick or whatever, so there's never a gap. Then there are certain strengths; for example, if I have a guy who can pentest really well, he's going to do the internal pen test, but aside from that, if he doesn't do that, then he's also supporting the monitoring, auditing. And the bigger the team grows, the more the management will become management, and it will be more around figuring out where to put people and what to do with them and less actually being hands-on with the tools. That's kind of that aspect. What was the rest of the question?

The question was how your focus is divided between communication with leadership, and the security side, and the team.

So I have always worked extremely autonomously, and that means the communication with leadership is essentially a monthly meeting most of the time, unless something is really burning and we need a direct communication. And this is the way I have always worked in every company. I am very self-managed; I never really enjoy having people walk around in my business. And it has always been output-driven etc. So the communication (I am CISO, so I am in charge of it) is essentially most of the time with finance, about budget, additional budget needs or budget cuts or whatever, things like that, whenever things happen, right? But with my direct line manager, who is the CEO, it is really catching up on the current topics regularly, and if something happens we have an extra call, and if we see each other we go for a beer. But that's the whole communication. When it comes to company culture, all I can say is: use awareness training to make it interesting. I have seen awareness training where a company is invited,
they listen to a couple of PowerPoint slides, and afterwards they get a multiple-choice test. Yes, this scales really well, but everyone will be annoyed by it. No one will understand the purpose, no one will understand the meaning, no one will really grasp what it's about. And yes, you will have done the checkbox for your ISO certification or SOC 2 certification, but you will not actually have a culture of security; you will have people who have checkboxes. But you can use the awareness training to make security fun and interesting. And now I sound like a real boomer: "I make it fun now for you." But I think that if you go into discussions, if you make the test part of the training, make it an open discussion, yes, some people will just say something and then not listen to the rest, but most people will participate. They want to know, they want to understand, and once the discussion is rolling, more ideas will come up. And I have had extremely good success. It doesn't scale well, but if you have the opportunity to not work in a 300,000-people company but something a lot smaller, then do this, because this will build the culture a lot faster than you might think. You do one run of awareness training and people are talking about it. And then if the leadership team is following with a couple of shining examples, you know, you're in a meeting and then the CEO is just installing updates because they pop up now and this is more important, this will sit, this will work. And if this is done on a small scale, everyone will follow, because they understand: ah, this is the way this works here. It's not the guy in sales who doesn't care about security and just wants to do that stuff, right? It's always the person who is under enough time pressure to just not understand anymore what's correct, because no one shows him that this is correct. This is always the problem. That's why I say: put some memes into your awareness trainings, don't make them so dry, make it fun. Make it fun.

Perfect. How do you deal with the stress of... it's kind of like the question from before, but as CISO you're sort of always on, like you're always "okay, I'm ready for something to happen and then respond". Do you think
that affects you in any way or is it something that you kind of gotten used to and now is not really a thing pure
paranoia mode all day every day no um I mean I'm gonna be very honest I I thinkmost people who work in in in the field for long enough um will will kind oftell you the same thing that um you you get used to the possibility of an emailor an alert popping in in in many many different ways uh so much so that um
that it just becomes an everyday task you know like like an accountant looks at Excel sheets all day I look at alerts
all day and um you get a routine in it and how to deal with it there are processes that make it a lot easier you
can just say Okay first initial steps and you're not anymore like oh my God I
need to look at my phone right now because even though I am now currently on a Saturday on the walk in the middle
of the forest uh I I need to see if something is happening you will know the phone will vibrate uh and and then then
you will know so you kind of just ease yourself up about it and what happens happens and you also I mean let's put it
like this uh most not just most like by far the most alerts that come in are anyway false positives um uh or need readjustments or are like make directly for false positives but nothing nothing dire nothing
problematic uh and are anyway mitigated so the tool is just telling you I I kicked out some software I didn't like
right and that's that's what you get then as an alert Al the firewall says I blocked the connection so most of the
stuff is anyway already done by the tools fully automatically so you kind of whenever an alert email or an alert we
have three systems where alerts go in and all three systems uh work independently of each other so we always
ensure that at least one of them gets the alert through and uh whenever you get then
those those three notifications they come through three different channels uh then you're already kind of in the
mindset of it's probably already taken care of it's probably already done and only when you look at it then and see oh
okay this is not yet done then uh then then things get serious but since most of the time phone vibrates laptop makes
the notification whatever then you're kind of like oh it's one of these you build a knowledge base on what that is
what interesting what would you say is one thing that CISOs probably don't pay enough attention to and should
I I don't know I don't know what el pay attention to but what I see when working with with other companies with other security teams is um especially um certain situations he said I I really see that a lot of um emphasis is placed on documentation and not so much on
controls so everyone has policies and written down processes everything looks nice and yes we have that too of course
because it's a requirement for ISO but whether or not the controls that you put there are actually doing what you expect them to do I think um yeah so if if if if you do internal audits I'm sure lot of C do that but if you don't if you do internal audits have a control check be part of the audit because I I I
have seen companies where it's just we have the policy we have the process we we bought an AV now everything's fine
it's not you have to test the AV you have to test whether or not it does what what you think it does because enough
times it just doesn't so this we have a we have a weekly checkup of all tools and daily checkup a rough checkup of everything in the morning if it works um and I've come
across enough moments where something was just not aligned as it should have been and uh nothing crazy yet but this
alone tells me that these checkups are just essential I'm not sure if everyone pays attention but maybe maybe they do
they don't it's just your little piece of advice in case there in case there is someone do it
perfect okay right so what do you think changed about cyber security within the last few years like what is different today
um I mean under the hood a lot on the surface level not so much uh I think that the perimeter has shifted a little bit I think especially the biggest change I see
where really think like this is really something where where we need new concepts or we have brought in new
concept also on surface level is during COVID this whole work from home thing um where the perimeter is now suddenly no longer a controlled uh company firewall network but the the perimeter essentially laptop of the person um and the home network and you have to tell people not to go to Starbucks and stuff like that and I think that that yeah this I mean this
was always kind of there a little bit but the extent of it has just changed like before you could say there is a work from home policy and you can do
this if you have XYZ um now kind of everyone is expecting to work a couple of days from home um
and that and you can't tell a whole company of people to have to buy a router that can segregate their home
network from private to company and so on so these things become a challenge now and I think this was the biggest
change that the perimeter shift shifted more to on device so you need a lot better device protection also for me
also for Linux every device needs to be protected properly the the attack vectors are different but a MacBook is not more
secure than a Windows device if treat it correctly uh big misconception on many ends you're not invulnerable to good attacks um but uh so you need you need
to take so it's it's I think it's important for companies to really really in invest in good endpoint protection
and we also saw what that makes sense to to evaluate first we saw it with CrowdStrike right this you should evaluate what you buy pushing an update without testing it is not a good idea but there are of course alternatives that are a lot better that do this a lot more streamlined um but then EDR I think is necessary nowadays on endpoints there's no way around it um it depends on on what the end does what the needs to
do
perfect and what do you think is going to change within the next few years
I think that the concept of work
from home is going to remote work is going to become a lot more a lot bigger still I mean we've not reached the
pinnacle of that yet a lot of companies are still trying to get people back into the offices um and some are successful
some are not um I think uh um uh this also means that company culture is going to be a big topic in many companies I think that companies have to reinvent
themselves a little bit in terms of employer branding when it comes to um what how how they get people to be in
the office to build a culture in the office again um we are currently actually doing this quite successfully I
would say that we are getting the people to come back with with like there's a breakfast on Monday there's a nice get
together in the evening on Fridays and in between you know we have kind of little little things enticements um uh I it's also a little about communication that sense but it will always be important that that um uh mobile devices mobile workspaces are really taken into consideration that topics like uh VPN like not talking about like NordVPN I'm talking about like company VPN um that um uh proper endpoint protection maybe even um mobile small ad hoc network concepts are put into place so if you
have the money and you can afford it as a company it's a very good idea to to give people who work from home or work
remotely uh access points with 5G modules in them things like that that
they can just build secure networks at home um there's many ways to handle this right but I think that it's going to go
in that direction that security becomes mobile and no longer this big
infrastructure with your two huge firewalls that protect a thousand people but more of a how do I protect a single
person a single device in a single network
amazing so we're down to the last question thank you so much this has been really interesting um I lost my chain of thought but I'm really happy you joined us today and I feel like we like I learned personally so much so I would want to hear from you what would you say is one piece of maybe unusual advice you would give to someone
who is wanting to get into security or maybe is in security but wants to advance and like go up the ladder to be
CISO what would you say
um do not chase certificates okay this sounds weird but um uh it's important to understand best
practices I'm not saying certificates are bad I'm not saying you should never have certificates I'm saying that a lot of people just try to to grapple for
certificates uh wherever they can and not really for you know it's you have to
put the hands into the machine to understand how it works and not just into the book and projects uh secure
your own uh home network understand how things work understand what they really do understand what an IDS IPS system
really is and not just understand that you need it understand how it works what
it controls what it filters all of these things are so much more important if you know if you have already the knowledge
of what works and what doesn't work and you then go into certification to then get the administrative level in the the
knowledge of how to to work with it you're on a completely different level when you come out of them whereas if you
first just shovel in all the knowledge of this is needed and ISO requires this and this certificate requires that then
then you go into the doing you will realize that a lot of these things just work very different in real life and um sometimes you just need a
completely different tool to to solve a problem and uh this flexibility only can only come from a place of trying and
testing roughly said if you are in your home network running a Windows 11 device with uh standard uh pre-installed antimalware software behind a Fritz!Box
then you should probably reconsider working in security maybe whereas if you have a completely rigged upet where you
have a little L device being a sh wall firewall or I fire firewall that you
can configure and install by yourself you've just figured out a couple of vulnerabilities in your gentle
Linux Trel then you're probably the perfect person for security kind of in a very extreme way you can put it like
right have private projects be fascinated by it work on security and not just in security
perfect thank you so much for your time
yeah sure