Below is an interview with Aldo Rodenhäuser, partner and co-founder of Arxio AG – a consulting firm that specializes entirely in cyber and information security. Aldo has been involved in information security for one and a half decades, especially in the areas of identity and access management, security architecture, and design as well as enterprise security based on ISMS and NIST CSF. When he is not busy with information security, Aldo travels to foreign countries to understand the information there, i.e. to get to know the local culture, people, and food.

1. How did you first get involved with information security, Aldo? Could you share a project or inspiration with us that prompted your involvement?

I would say the first real information security project was a mandate a bit more than 15 years ago at a large financial institution where we designed a client authentication solution, whose components were geographically distributed. It was a very exciting project as it included cryptographic protocol design, security architecture, defining the usage of hardware security modules, etc. and we had basically to document every bit and byte to get approval from the ministry of the country where we wanted the clients to authenticate from.

Of course, information security was implicitly also a topic before that when I developed software for the government and the financial sector. But that project was the decision point to focus on information security.

2. As a Security Enthusiast, please tell us what motivates you to keep pushing ahead every day in the information security field.

Good question – I think there are many different factors.

Information security is a field that still evolves day by day. Accordingly, it is extremely varied, every day looks different again and there are always unprecedented challenges to master. It’s a bit like traveling: You can travel for as long as you want and think today I have seen everything. But then, tomorrow, you are confronted again with a completely new situation. So, it’s anything but a monotonous job.

But probably the most important point for me is the interdisciplinary thinking and acting that is absolutely necessary. It is not enough to “only” have a sound knowledge of information security, but you also have to be able to understand all stakeholders – be it the business manager, operations, the project manager, the developer or even marketing. Only then an adequate solution will be found, and the project succeeds. As a result, you often become the centerpiece of a project, which makes the work incredibly exciting.

And last but not least, it is certainly also somewhat dissociative thinking. Because to design or even assess a solution, you have to put yourself in the creative mindset of the attackers.

So, maybe, in short, I would summarize the reasons for the motivation as follows: Its diversified, challenging, creative, it helps for a better world and it is satisfying once a product or a company is on the next security level and all stakeholders are happy.

3. In your opinion, what are the best steps that small and medium-sized businesses can take to raise security awareness?

Primarily, the topic must be supported and lived by the top management. Accordingly, a budget for cybersecurity should be allocated, a strategy defined and a roadmap developed about how to move forward. This way it is possible that security starts to get addressed continuously.

The responsible might start thinking about which assets need to be protected, what capabilities are required to do this and how can these capabilities be implemented – taking into account already existing measures, the roadmap can be derived.

Of course, the less the company is dependent on IT, and the smaller the company is, the more pragmatic the approach can be.

From our assessments, we see that many small and mid-sized businesses do not yet cover core topics such as appointing a responsible person to information security, periodic awareness training for employees, proper backup strategy, incident response planning, or making security clarifications mandatory for any product lifecycle.

4. Why is it essential to invest in an excellent cybersecurity culture?

As just mentioned, cybersecurity is not a one-time affair. Your own company is constantly changing and so are the attackers. Meaning that attack vectors change over time and therefore the cybersecurity roadmap implementation must be monitored and adjusted continuously and every employee has to contribute to it. Such continuity is only achieved when a cybersecurity culture has been established.

5. What significant changes do you see occurring within the information security market over the next 3 to 5 years?

On the one hand, attackers will continue to professionalize, and on the other hand, the home office or work-from-anywhere culture will be maintained to a certain degree. Cloud infrastructures will be used even more intensively than today, especially also for sensitive data. This has an impact on how we need to protect our data assets. Concepts such as zero-trust and AI-based security analytics will be further developed to achieve the required security level.

Digitalization is by far not finished today – many more applications will be reachable through the internet in the next years. This will especially also be the case regarding the Internet of Things (IoT) devices which today are in many cases not adequately secured – this might be a feast for the adversaries as it will have a real impact on our everyday life.

The general public will, hopefully, become more aware of the topic of information security. I assume customers will ask for certifications or at least assessment results accordingly. As a consequence, security will be measured better and security labels might evolve.

So, the market for information security has just started to take off.

6. What do future information security careers look like? Any strategies you would like reveal to future-proof a career in this industry?

In my opinion, there is no such thing as “the” career path. Many very good security experts used to do something completely different in earlier life and slipped into the subject consciously or unconsciously. What they all have in common, however, is that they did further education on the foundations of information security and possibly cryptography.

7. Last question: What advice would you like to tell our young readers who are pursuing their dreams in the security market?

It is as with all professions: The most important thing is to enjoy the subject and the second most important thing, as I said before, is understanding the foundation – in my view, this requires education at a technical college or university in the field of cyber security or related areas. This coupled with social competence will inevitably lead to the valued expert.

Besides the foundation, the studies also give an overview of the broad topic of information security. It will be worthwhile to initially focus oneself on a certain topic – on the one hand horizontally in the sense of the area (e.g. IAM, Software Security, IRP, ISMS, etc.) and on the other hand vertically in the sense one wants to rather work on strategies, designing solutions, implementing solutions or assess solutions (e.g. conduct assessment or penetration testing). After that, you can spread out as you like.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.