Self on Fr-ISO

Launch day

blog@evers-senne.de (Friso) — Wed, 26 Feb 2025 00:00:00 +0000

tl;dr

Today, I finally launched my “Blog and Website” project. Topics will touch cybersecurity, IT@home, ski mountaineering. Starting with two articles about me, but more content is already prepared.

Why these pages

On this website I plan to publish some articles about things I learned, things I am engaged in and topics of my interest. I am not using any social media very intensively and I want to control my own content, so I decided to do it as in the beginning of the web: create a personal web page. Other channels might be used to post updates with links.

Who is me

See the required Imprint for the most relevant details. My interests and connections will become visible with dedicated articles. In addition, my nearly unique name might be identifiable in other channels.

English or German?

So while my mother tongue is German, writing in English seems mandatory to me to address a wider audience compared to German only. Today’s web browser offer translations on the fly, but writing English text myself is a nice training I do not want to miss. So, if you need a different language, please use the translation feature of your browser.

No comment feature?

For now I do not offer a comment feature or discussions directly. Please do not hesitate to contact my by mail blog@evers-senne.de for any questions, corrections are need of discussion.

My sports and activities

blog@evers-senne.de (Friso) — Sun, 23 Feb 2025 00:00:00 +0000

Cannot live without

Over the years I developed a passion for multiple outdoor sports, and I took care to find matching sports for summer and winter. When living in north of Germany, road biking was sufficient: Summer and winter are nearly equally cold/warm, terrain nearly flat. But when moving to the Black Forrest, a hill region in south of Germany, more opportunities came along and the winters are not so nice for biking. So today it splits as follows.

Summer

Mountain Biking in the Black Forrest and sometimes in the Alps is very much fun. Long up-hills, fast or technical down-hills, not using shaped trails, the terrain is always challenging enough for me.
Road biking is like flying, at least in comparison to mountain biking. But the climbs can also be long and exausting.
Hiking, if all else fails, in the Black Forrest or in the real mountains. This is the activity which is most compatible with other people.
Sometimes: Climbing, Via Ferrata. Doing this to infrequently, the power and technique always fades away over the weeks and month of other sports.
Every now and then: Running, Trail Running. In summer this only fills the last gaps in my calendar.

Winter

Ski Mountaineering, as a tour guide and trainer in DAV, I organize multiple events and trainings per year.
Running is my replacement for cycling, when it is too cold out side. As long as there is no snow in the trails, I prefer trail running. But more or less flat around the lake is at least acceptable.
Some times: Downhill skiiing. Riding down pistes only happens once or twice a year. Going off-piste is preferred.

Tracking, not trecking

Since 2008 I use Garmin devices to record nearly all sportive movements. This gives a nice history of tracks and statistics, from home region and all trips.

Garmin: jfevers
Strava: Jan-Friso Evers-Senne

Visualizing tracks my self is a different story, will published later.

My way into cyber security

blog@evers-senne.de (Friso) — Sun, 23 Feb 2025 00:00:00 +0000

tl;dr

After many years in the field of computer vision, I switched focus to cybersecurity, more or less by accident. Inside the same company.

From computer vision to device security

In 2018 my job role suddenly changed from computer vision and image processing to managing development of data loggers. The scope of the project I joined was to develop a small temperature logger working offline most of the time and sending collected data via BlueTooth on button press. The device was 80 % finished and some one asked me to put “some security into it”. One brilliant engineer from a different team already had already proposed a concept with asymmetric encryption, private / public keys per device, certificates and an internal certificate authority, but he could not sell it to the development team or the management, so my role was more like understand both worlds, translate between tech and management and finally approve the concept. The implementation on the microcontroller was difficult due to restrictions in RAM and storage. But with the right libraries it finally worked out.

First steps to standardize

In parallel to the development project another internal project was launched to define internal security standards for future products. But due to some interesting changes in management, the involved team fall apart. After a review of the very abstract ideas of the former team, I proposed to integrate “security” into our existing development process by some simple steps:

Write some basic security requirements on a level that all developers can easily understand and QA can easily test, e.g. “Use TLS 1.2 for all HTTPS connections”
Integrate these requirements into the project template sucht that every new project hast to implement or at least check applicability.
Add a mandatory “IoT security concept” to the early development phase which describes how to implement the requirements and which is approved by me.
Add the step of a security analysis (risk assessment) to the development process to discuss remaining risks and assess them.
Add the mandatory approval of CDO (and me) to the final product release

More than devices…

From that time on, everybody asked me for my “expertise” or even opinion when it comes to “security”. So for example, when customers sent questionnaires about “Security”, those were directly forward to me, great. These customers were using our cloud software, and they did a vendor assessment, asking many details about the security of the cloud software itself, but also also about our internal security processes. Answering these vendor assessments, I learned a lot about what we have in place, and even more about what be should have. From some colleagues I heard complains that we need some “governance”, they were missing an instance giving clear rules and direction. So we proposed our CDO the idea of an “information security governance team”. In February 2023 this ISGT was founded and in April I was appointed as the ISO for the company. To get up to speed I visited different gatherings and so I learned about NIS2 in July 2023 Ok, now my mission for the next year or more was set: NIS2 compliance.

Trainings and Certs

blog@evers-senne.de (Friso) — Sat, 01 Jun 2024 00:00:00 +0000

ISMS Security Officer

In June 2024 I finished courses and exams at mITSM in Munich and got the title ICO ISMS Security Officer according to ISO/IEC 27001:2022

Check the badge by downloading (keep filename"!) and pasting here: “https://badgecheck.io/"