Security Expert Interview Series: Juergen Stueckle
Today, we are excited to have the opportunity to bring you our interview with Juergen Stueckle. Juergen is an experienced Senior Security Architect with a demonstrated history of working in the financial services industry. He is skilled in information security, M&A due diligence, cyber threat management, IT strategy, data protection, and enterprise architecture. Let’s learn more about his insights on our questions, some of which revolve around security challenges for 5G and data protection.
1. Can you give us an introduction about your professional background, Juergen? Your journey and how you ventured into the cyber security world?
My professional career spans a wide spectrum of IT, starting with DB and server engineering, architecture, team, project, and program management. In this environment, security has always been an essential issue. Later I was responsible for the IAM of a complex DWH environment and various programs in the security environment (e.g., reorganization of the operation model). After that, the opportunity arose to take over the responsibility as a security manager for midrange systems. There I was a pilot for many cybersecurity programs and shaped the whole spectrum of security. After that, I changed to Security Architecture, where I had even more possibilities to design the Sec environment.
For the last 2 years, I have been working for BearingPoint as a Security Advisor, where I am heavily involved in Merger & Acquisition and the execution of Vendor or Tech Due Diligence. We also perform security assessments and support companies and the government in security projects and reorganizations. I can bring all my architecture and security experience to bear and generate added value for the companies in this role.
2. As you are holding the position of Cybersecurity Advisor, we would like to know what motivates you to keep pushing ahead every day in the security field.
Based on my many years of experience, I would like to bring sustainability to our customers’ security. Security is often seen as a preventer, but security must be seen as a service provider and support every employee in the company. Likewise, the cost is a big issue in the security space. It motivates me in every project to achieve the necessary implementations and still have the costs under control.
3. What was the most important cyber security lesson you learned in 2020?
I learned that people think very short-term, which has become apparent during the pandemic. Although the probability of a pandemic was 100%, many governments and companies were not truly prepared. Due to the pandemic, companies are starting to move in the direction of digitization. But there is the risk of major cyber incidents, the probability of which is also 100%. If the same mistakes are made with digitization as with pandemic preparation, this can have a far greater impact on companies than the pandemic. The risk of bankruptcy is much higher. It is already foreseeable that some companies are not properly prepared for cyber incidents. Thus, the lesson learned: Learning from painful experiences is not always enough.
4. Home working is attractive to many employees to attain greater work-life balance; however, it appears to be inherently riskier from an information security standpoint. Is this so? And if so, what can companies do to protect corporate critical information from theft or misuse?
Data protection cannot be solved by technical means. If employees want to circumvent data protection, there are many ways to do so without even being able to identify it technically. The best example is photographing the screen. Of course, this is easier in the home office than in the office. In principle, however, there is no technical way to prevent this.
Organizationally, there are some controls that can be put in place, such as vetting and background checks. Technically, there are various controls to monitor the most critical data holes. These controls should be implemented to make unwanted data transfer as difficult as possible. In the end, however, one of the most important points is that employees feel connected to the company. This must be exemplified by the management.
5. One of the areas you are specialized in is data protection. What are the greatest challenges that a small business has to overcome in relation to the EU GDPR?
Costs and know-how are the greatest challenges, the knowledge of own employees as well as from the consulting side. First, the implementation of GDPR requires external expertise until a certain level is reached, after which an internal and competent employee with a CDO role is needed to review and develop GDPR implementation compliance. As every company needs this CDO role, but there are not enough employees with the know-how, there will surely be bottlenecks or not complete GDPR implementations.
6. Now let’s talk a bit about technologies. What are the top security challenges for 5G?
I would divide this question into two aspects. One concerns industry, the other private use.
For industry, 5G can be of great benefit by handling and thus simplifying the control and operation of, for example, highly distributed devices via 5G. Likewise, entire industrial plants can be controlled using 5G instead of a network. The big risk, however, is the security of all the systems. Today, attackers try to harm companies and usually choose malware to penetrate the enterprise. This is the best way to go, as firewalls around the internal networks usually protect productive systems. With 5G, there is a new attack vector. If it is not fully understood, designed and security is not properly implemented, attackers can take over, paralyze or manipulate entire industrial plants.
In the private sector, as in the automotive industry today, more systems will rely on data transfer via mobile systems in the future. These systems are then not connected via the home network, as is the case today, but send out uncontrolled data to the manufacturers.
The refrigerator-as-a-service model could be such an example. With micro and a 5G connection, the household can then be bugged and everything that is spoken in the kitchen can leak out. People who work in a security-sensitive area, e.g. the military, should never purchase such a system. Here it would be urgently necessary for the legislator to define clear rules on how the handling of data is regulated to protect the population.
7. In 5 years, where do you think we will be with 5G?
In 5 years, the discussion about 6G will already be in full swing and the first systems will already be geared to 6G. The first 6G satellite has already been launched into space. The deployment of 5G will also be decided on cost. If the costs are too high, the spread of 5G will be limited. In principle, 5G will push the penetration of IT into our everyday lives even more strongly.
8. What are some of the trends emerging in IoT and IoT security?
The number of IoT devices will grow tremendously, which leads to increased complexity in security-testing and operating these systems. In other words, there will be more and more individual systems from countless providers to make our lives and work easier. Simultaneously, it is becoming increasingly difficult for companies to keep these IoT systems under control or operate them. For private individuals, it is even more difficult because they must rely completely on the manufacturer. Each manufacturer collects data and is vulnerable to an ever-increasing number of hackers. Thus, the danger of personal details falling into the wrong hands is rising.
9. In your opinion, what is the best way to secure IoT?
The safest way is to cut the power supply. As already mentioned, IoT security must already be implemented in the hardware, software and maintenance processes. I doubt that all manufacturers guarantee this in the long term. Current experience shows this too clearly. The legislator should create clear rules that protect the companies and the citizens.
10. What would you like to say to someone who is thinking about a career change to become a cyber security specialist but worries about it being too late on in life?
In the coming years, security will become an increasingly important area in IT. We are only in the early stages of what still needs to be done. Security is such a broad field, so many different roles and experiences are needed. If someone has not yet dealt with security but is very knowledgeable in one area, this specific know-how can be a perfect complement to security. And either way, security should be a part of everyone’s daily work.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.