Security Expert Interview Series: Marcel Rauthenberg
We recently had the opportunity to interview Marcel Rauthenberg who is a Security Program Manager at Google based in Zürich. Previously, he held the positions like IT-Security Consultant and Senior Cyber Security Consultant. Continue reading the full interview below to learn more about the trends Marcel foresees happening in the information security landscape during the rest of 2021.
1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, Marcel?
Thanks for having me! I have been working in Cyber Security for more than a decade. I started out as a network security engineer hacking away on CLIs and later moved on to consulting and management as my fascination for the strategic aspects and a broader view over the Cyber Security landscape grew. I have always worked in security because it gives me the opportunity to do what is in my nature: Work with diligence and apply an analytical mindset.
2. You are holding the position of Security Program Manager at Google in Zürich. Is there a typical workday for you and more specifically, what are some of your primary concerns on a daily basis?
A typical workday for me includes lots of context switching and making sure I don’t lose the overview of everything that is going on. As a program manager, I am responsible for a variety of security initiatives that hold a number of projects and workstreams across different areas of the business. It is my job to organize these activities, to drive them, and to take care of the alignment between all kinds of stakeholders, from engineers to C-Suite. My primary concern is always on landing impact: what is an actual help to the organization versus what is security just for the sake of it?
3. Please, describe a way that you help your company understand the value of information security.
Helping a client to understand the value of information security is only my second step. I strive to first and foremost take off my security hat and gain an understanding of the company or business function and the field it operates in. Discovering the core assets for the business is essential for me to then get an understanding of security maturity levels and to map out key risks. Only then do I start thinking about the value that security can bring in.
Coming from this angle enables me to consult decision-makers as an advisor, rather than to push security from a heightened position. I believe a diplomatic, reasoned approach is key for security to succeed in finding the fine middle line between enabling the business and keeping it safe at the same time.
4. What trends do you foresee happening in the information security landscape during the rest of 2021?
The health pandemic has impacted Cyber Security and it has accelerated many trends that I expect to continue growing strong. Companies are busier than ever migrating their workloads to cloud providers, which shifts many security concerns away from the underlying infrastructure to higher layers like automation, orchestration, APIs, containers. Securing off-corp assets, in general, is an emphasized challenge these days. The trusted zone perimeter is more diluted than ever and zero-trust is no longer a buzzword that is optional. Companies will need to make sure that security controls can access any place corporate assets may end up at.
5. What are your main go-to-sources of information when you are stuck?
Frankly, I rely a lot on my colleagues. At Google, we have various systems in place to ensure an unobstructed exchange of information. Documents are in the cloud and easily made accessible to anyone in the company. Chat rooms across teams help to find an expert in most topics you may be looking for.
If I perform general research, I try to find light articles or whitepapers that are publicly available on the internet, or I look for more interactive instructions on Youtube. Sometimes having access to the resources of a professional organization such as ISACA can help and I also frequently look up frameworks that seek to standardize security, e.g. NIST or ISO. For more extended learning, there are great platforms out there, such as Coursera, Udemy, or CBT Nuggets.
6. Obviously, you are a busy person but how do you manage your work-life balance?
Work-life balance has a different meaning for everyone – to me, it is the freedom to do my work with as much flexibility around it as I need. I believe that the focus of work should be on the results, rather than on the way they are achieved. I aim to deliver the best possible results through integrating work into my life (not the other way around).
I like to work from different places, at different times, when I am at my best ability. I like to work long one day and short the other day. I like to work unsupervised with lots of trust in my ability to deliver. The freedom to work like this is the most important thing for my work-life balance.
7. How do you stay up to date with industry news and updates regarding information security?
My internal peers help me a lot with that. Our teams rely much on chat these days and most news and developments in the security world are shared and discussed in one or the other chat room, thanks to the large security organization we have. Besides that, I have curated an informative personal newsfeed on LinkedIn by following only those individuals that post relevant information frequently and blocking out those that are not of value. I can also recommend the NewsBites series from SANS that comes directly to your inbox and has handy expert commentary next to the articles. In general, I try not to overindulge in news at any time.
News can be a handy tool to identify trends but I do believe there is an inherent risk of developing a fear motivated mindset. After all, most news is about negative stuff. Especially in security, I believe we are prone to be biased in our decisions through all the bad stuff that is reported on a daily basis. So, I like to keep a healthy distance and maintain a balanced paradigm
8. Our last question: where do you go for inspiration or resources that you use in your own personal development?
This is a great question. I am a big believer in personal development as a requirement for a happy life but also for a successful career. There are obviously many areas one can develop in but my approach is always the same: Identify personal role models that have achieved what I want to achieve and that have a compatible worldview to mine. I then aim to find the things they put out there, such as books, articles, seminars, podcasts, coaching, newsletters, etc.
Once I find such a starting point, it usually quickly becomes a journey of discovery of further material to absorb. For example, one of my personal role models frequently shares book tips and I got used to reading many of them simply because our interests often overlap. One thing that really helped me get the most out of such books is the highlighting function in Kindle: after completing a book I go to the highlights summary, study them, draw my conclusions and move a few key items over to my to-do list, so I see them every day until they are mentally anchored.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.