tl;dr

After many years in the field of computer vision, I switched focus to cybersecurity, more or less by accident, inside the same company.

From computer vision to device security

In 2018 my job role suddenly changed from computer vision and image processing to managing the development of data loggers. The scope of the project I joined was to develop a small temperature logger that works offline most of the time and sends the collected data via Bluetooth on button press. The device was 80 % finished when someone asked me to put “some security into it”. One brilliant engineer from a different team had already proposed a concept with asymmetric encryption, a private/public key pair per device, certificates and an internal certificate authority, but he could not sell it to the development team or the management. So my role was more like understanding both worlds, translating between tech and management and finally approving the concept. The implementation on the microcontroller was difficult due to restrictions in RAM and storage, but with the right libraries it finally worked out.

First steps to standardize

In parallel to the development project another internal project was launched to define internal security standards for future products. But due to some interesting changes in management, the involved team fell apart. After a review of the very abstract ideas of the former team, I proposed to integrate “security” into our existing development process in some simple steps:

  1. Write some basic security requirements on a level that all developers can easily understand and QA can easily test, e.g. “Use TLS 1.2 for all HTTPS connections”
  2. Integrate these requirements into the project template such that every new project has to implement them or at least check their applicability.
  3. Add a mandatory “IoT security concept” to the early development phase which describes how to implement the requirements and which is approved by me.
  4. Add the step of a security analysis (risk assessment) to the development process to discuss remaining risks and assess them.
  5. Add the mandatory approval of the CDO (and me) to the final product release.

More than devices…

From that time on, everybody asked me for my “expertise” or even opinion when it came to “security”. So for example, when customers sent questionnaires about “security”, those were directly forwarded to me, great. These customers were using our cloud software, and they did a vendor assessment, asking many details about the security of the cloud software itself, but also about our internal security processes. Answering these vendor assessments, I learned a lot about what we have in place, and even more about what we should have. From some colleagues I heard complaints that we need some “governance”; they were missing an instance giving clear rules and direction. So we proposed to our CDO the idea of an “information security governance team”. In February 2023 this ISGT was founded and in April I was appointed as the ISO for the company. To get up to speed I visited different gatherings, and so I learned about NIS2 in July 2023. OK, now my mission for the next year or more was set: NIS2 compliance.