Security Expert Interview Series: Christoph Koch
In this interview, we spoke with Christoph Koch, Information Security and Risk Management Professional at TEMET AG, an independent Zürich-based security consulting company. Christoph shared with us the common security weaknesses he sees in businesses today regarding their data. Continue reading to discover his insights on data breaches and malware threats. Are you also wondering how security leaders can better help organizations develop a culture of security? If so, make sure you do not miss the insights Christoph shared.
1. Could we have you introduce yourself and tell us a little bit about your background as a security expert?
First of all, I would like to thank you for the chance to be your interview peer.
I started my professional journey back in early 1990 in the IT industry, and since 2002 I have been fully dedicated to Security related to IT, sourcing, and their business-related challenges. My experience includes SW development in the IBM mainframe environment up to Client / Server & Communication practice gained in US IT Outsourcing companies. From 2002 until today I have been working in roles like Security Solution Architect, Security Consultant, Information Security & Data Protection Manager in different industry sectors mainly in Switzerland and in Europe. Since September 2020, I have the pleasure to work for TEMET AG in the role of a Security Consultant.
2. You are holding the position of Senior Security Consultant. Could you please share with us the challenges that surprise or excite you in that role?
It is exciting and simultaneously challenging to engage with different customers and their organizations. As a security consultant and possible advisor, you need the best possible understanding of IT-related security and sourcing questions as well as of the customer-specific business environment. As there is no 100% Security to achieve, I do like to practice a practicable risk-based approach to meet customer expectations.
I believe we have got similar or even the same Security problems as in the past. The requirements of business and IT applications trigger the requirements of the platforms below and not vice versa. As the underlying network and client/server technologies are often from the last century's 80s or even 70s, we will not get rid of Security-related issues soon. In today’s security operation, blue and red teams need to know those baseline technology issues from scratch. Companies with no or very few legacy technologies and the knowledge about how to develop, maintain and operate cloud-native applications are going to take the win in the future. Our role is to support our customers exactly in this challenging journey. Organizations and companies need to migrate applications from formerly logically and physically separated IP networks and VMs to cloud-native web-based applications.
3. How has information security evolved since you started your career?
There are many aspects to mention. Let me just stick to those mentioned above:
The shift from classical perimeter data centers and IP networks to the still ongoing and cloud-enabled any-to-any node communication in a fully connected world. That is one version of a possible future scenario. Concepts such as Security-by-Design, Privacy-by-Default, and Zero Trust will be required and are going to assure those companies with the right strategy and concepts in place for their specific business use-cases.
One target is certainly to migrate former applications from isolated IP networks and VMs to cloud-native web-based and mobile applications. If you may start from scratch – just stick to secure web applications and embed them into your secured corporate network.
4. What are the common security weaknesses you see in businesses today regarding their data?
From a technical side, you need to seek control over what is going on in your network context. A good starting point is to “know your (IP) networks” and their belonging “interconnected systems” as well as the “required applications”, business- and IT-wise. A next point could be recruiting motivated and passionate people to serve in the Security ecosystem in the roles required to assure your business and security objectives.
Each individual human being in the organizational context is:
a) the most effective security vulnerability in the overall company security dispositive;
b) the most effective early warning system to fix all remaining technical, environmental and human security threats.
5. How can security leaders better help organizations develop a culture of security?
To facilitate Security Awareness for all staff members in the company combined with an encompassing security approach supported by the top management would be a very good way. The overall security dispositive should be embedded in all business processes – at least in the critical and in the best case in all business processes – including the underlying IT processes and interconnected systems in the required network context.
I believe security leaders need to have a broad and deep understanding of the technical and the organizational company context. The leader’s understanding of his or her ownership is key and what it means to properly identify, recommend and implement required security measures. Good leaders need to engage a proper current state analysis of the current security context of the company. This may include a phased project approach clearly communicating what is in- and what is out-of-scope regarding risk & security measures.
As soon as your company and business peers understand you assure the achieving of the objectives in scope, you will belong to the winning team.
6. What has been the most important lesson you have learned in 2020 through your work in information security?
It is more a general lesson I learned from my whole professional journey: Don’t get stopped by destructive and nagging people. Follow your and your team’s way to meet objectives. In case you fall over, get up again.
7. What do you predict to be important trends in information security in the next 3 years?
Apart from interconnected applications using e.g. Artificial Intelligence, Machine Learning, or even Human-to-Technology-Interfaces, we as human beings and end-users are supposed to stay in the center. To serve us best I believe we may use an integrated risk & security approach to assure application overall quality in times where we change our ways of working to continuous integration and deployment. Classical business processes may be outdated in the future – our response is our integrated risk & security approach for the sake of our customers.
8. What is your smartest productivity hack?
Don’t forget your humor – hard and challenging times with their unique challenges can only be mastered with smart and open-minded people. Imagine working for a cool team in a cool project with a very cooperative customer. What else do we need?
9. What are your 2 go-to-sources of information or support when you are stuck?
There are actually far more than just two. Read not only books and internet media, listen also from time to time to foreign radio stations broadcasting from all over the world and: Find your passion and go your own way. Be curious and give it a try.
10. If you could give your 23-year-old self just one piece of career advice, what would it be?
Read, listen and understand. Learn, rehearse what you are passionate about and do not give up to follow your own dreams. Get up after you may fall down. Enjoy the success and live your life.
For German speakers: Try to achieve Security Certificates of Advanced Studies (CAS) in Swiss Universities (Fachhochschulen FH) or at ETH Zurich or Lausanne.
For English speakers: Think of going to study abroad, e.g. at London Royal Holloway University and go for the MSc in Information Security or even achieve the Ph.D. in Information Security!
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.