Security Expert Interview Series: Cyrill Gössi

In this interview, Cyrill Gössi talked about his story of getting into cyber security, the things that motivate him to keep pushing ahead every day in the security field, and the most exciting innovations and impactful technologies within the information security space. Now, enjoy reading the full interview below and discover Cyrill’s insights on other interesting questions as well.


1. Can you tell us your story? How did you get to where you are today?

With a mix of inherent interests, decisiveness, and luck. Up until my last year in high school, I was a very non-technical person, with my mind set on studying mathematics or philosophy. However, just before graduating high school, a good classmate teased me by saying that I will never understand how compilers work.

That same day I by chance came across the advertisement for an IT apprenticeship targeting high-school graduates, covering the curriculum in 2 years instead of the normal 4. That day, I went home, wrote my application, sent it, and a week later was offered the apprenticeship. There, I really got into programming, developing communication protocols to program medical devices at manufacturing time. I was offered multiple jobs but decided to follow up with studying computer science at ETH Zurich, where I quickly found myself drawn to theoretical computer science and information security.

When I left ETH, I had taken all the classes you can take in the area of cryptography and applications thereof. For cryptography, I was amazed how the mathematics of simple integers manages to create powerful applications such as encryption. This aside, I also took all the classes and semester projects available in the area of compilers. It’s not like I wanted to prove my high-school classmate wrong, but compilers turned out to be exceptionally interesting subjects in and by themselves.

During the last year at ETH, I was hired by Bloomberg LP for a position in London to work as a quantitative developer across all financial asset classes. Thus, I didn’t immediately follow up with working in information security, but only got back into it when returning to Switzerland, taking on a position as an information security research assistant at the Lucerne University of Applied Sciences (HSLU).

There, I was fortunate to be involved in the development of the then-new CAS Cybersecurity Defence & Response, where I was responsible for the hands-on cybersecurity labs. With this responsibility, I learned a lot of practical cybersecurity skills in a very short time, and again by chance, due to a colleague being close to retirement, was offered to take over the lecturing of cryptography in advanced study degrees at HSLU.

With this background, I was then fortunate enough to be hired as a cybersecurity expert by Roche Diagnostics.

2. What motivates you to keep pushing ahead every day in the security field?

The feeling of contributing to the fundamental need of safety & security. For sure, we have information security where one aim is to prevent your personal data from being leaked or modified during e-banking. But with information technology enabling the Internet and other cyber-physical systems, the working or malfunctioning of these systems now directly affects the physical safety and security of people as well.

3. What do you believe are the most exciting innovations and impactful technologies within the information security space?

Not surprisingly, that would be cryptography. With encryption, cryptography provides a tool that allows for the confidential exchange of data between peers that have never met before. With hashing, cryptography provides a tool that can be used to assign unique, short identifiers to data, which can then be used to construct systems implementing the ever more powerful security goals of integrity, authenticity and non-repudiation. The last security goal, for example, allows for the construction of systems, where participants can be legally bound to data, down to a single bit.

For the future, two of the potentially more impactful ideas current research is working on would be quantum computers and homomorphic encryption. In quantum computers, quantum physical properties are exploited to exponentially speed up calculations. This enables applications currently not feasible with classic computers, but will likely also break some parts of classic cryptography currently fundamental to constructing security in information technology systems. Homomorphic encryption is exciting as it’s a type of encryption as secure as classic encryption, but which allows for calculations to take place on encrypted data itself. This may solve the classic dilemma in information security where data privacy and financial cost efficiency are usually conflicting goals when looking at how to apply complex analytics to data.

4. As we can see from your profile, you are working as an Information Security Lecturer at the Lucerne University of Applied Sciences and Arts and giving lectures on cryptography and applications thereof. What are your 2 most important pieces of advice to our readers to improve their understanding of the subject of cryptography?

Powerful as cryptography is, it’s an utterly complex subject the deeper you dive into it. Fortunately, most of us will always be on the application side of cryptography. On that side, I found it to be immensely useful to think in terms of security goals of systems, such as confidentiality, integrity, authenticity and non-repudiation. Once there is a good understanding of the security goals required, the appropriate cryptographic tools can mostly be found quite easily.

Second, as most of us will never be actual cryptographers, we should never invent our own cryptography but should follow standards and recommendations such as the ones from NIST. There is the saying, that nobody was ever fired due to using the Advanced Encryption Standard (AES) cipher for encryption, with AES being a NIST recommendation since the year 2001.

5. What is one thing every young information security enthusiast should have on their resume that they may not realize, and why?

Everyone starts somewhere. In the beginning, it may be useful to accept a job where you can explore various different domains within the vast spectrum of information security. A basic understanding of the fundamentals will, later on, allow you to see or understand the full picture of required security solutions. However, at one point, it may be advisable to specialize in a certain subject. This is almost a necessity given the breadth and depth of information security and allows you to evolve into a subject matter expert. Ultimately, this is also how challenges in real-world systems of reasonable complexity and scale are solved – by a consortium of collaborating subject matter experts.

6. According to you, how are careers in the cyber domain changing and what will employment be like in the near future?

Not long ago, the background of people working in information security was hugely diverse, with many people moving into the domain due to fortunate opportunities arising from the increased use of information technology. This is still the case as can be seen with the vast number of participants in advanced information security study degrees at, for example, the Lucerne University of Applied Sciences.

However, many universities, including ETH Zurich and HSLU, have launched full-fledged bachelor and master study degrees specializing in information security and cyber security. This is not surprising, as information security and cyber security is now a fast-evolving, major field of academic study, which itself is owed to the widespread availability and use of information technology. With this, it may be expected that people in information security and cyber security will be more and more specialized with respect to educational backgrounds.

Last, even without specialized educational backgrounds, information security and cyber security is probably always going to be a domain open to the curious and persistent, as these are qualities I observed in most of the successful people working in the domain.

7. Could you please tell us what the most important cyber security lesson you learned in 2021 was?

First lesson: Many businesses still seem to drive ideas for products and services purely from a business perspective. It took a long time to realize that besides developing products and services with only the business idea in mind, security aspects also need to be taken into consideration. Fortunately, the awareness to shift information security and cyber security left into earlier stages of the product development seems to be rising, indicating a first step-up in terms of product development maturity.

However, above the maturity level of information security and cyber security first likely lies another maturity level, the level where business ideas are perceived as transformers of data and if the data is personal data, the protection of this data is likely an obligation we have from a human rights perspective. The story may actually not even end there, as above the maturity level of a data protection first approach could lie another maturity level, the level where business ideas are driven by an ethics first approach.

Second lesson: Information security and cyber security is a very complex subject, and projects of reasonable complexity and scale are often developed by teams in the order of hundreds of engineers. To collaborate on this scale, and especially when faced with a complex subject like information security and cyber security, the language used to communicate about the subject is absolutely essential.

Information security and cyber security is a vast and global academic field of study, and as such has often very clear definitions of concepts and ideas. It’s important to realize that information security and cyber security is not a matter of personal taste anymore but requires at its core scientific rigour when dealing with it and precision in the language used to talk about it.

8. What would you like to say to someone who is thinking about a career change into information security but worries about it being too late in life?

The fact that you’re thinking about it means you’re curious, and with that you probably already have half the ingredients required to be successful. If you’re also persistent when solving problems, then just go for it! Maybe consider the answer to question 5, and keep in mind that information security and cyber security evolves every single day. This requires embracing change as an opportunity, which may also be a useful trait in other aspects of life.
