As a young shooting star, are you taken seriously in the scene?
That is indeed a legitimate question. If you look at my professional colleagues, I’m generally relatively young compared to the rest of the industry, even if you can also attribute a certain amount of experience to my seven years of professional experience. I started out at the age of 16, which was certainly a somewhat more difficult time for my credibility than it is now at the age of 24.
Perhaps we should focus less on age and more on previous project activities and the associated experience. I looked after one of my first customers, a KRITIS company with a six-figure workforce, when I was 17 years old. A customer who, by the way, is still loyal to us as a partner. In the beginning, we had to prove ourselves as one of six suppliers in terms of quality and price. We are now the only partner for the company – we have proven ourselves against the six competitors. At the age of 19, I was an external IT security manager for an ECB-regulated bank, and at 22 I worked for a group in the energy sector.
Ultimately, I still have a long career ahead of me. Whether this is ultimately enough to be taken seriously as a “young shooting star” in the scene is up to each observer. Much more important, however, is the question of whether we are “taken seriously” as a company. With customers from the KRITIS environment, the public sector and SMEs, as well as colleagues with an academic background and over ten years of professional experience, the answer is clearly yes!
What drove you to get involved with IT topics as a child?
Personal passion – quite clearly. I was fascinated by IT processes and programming languages from an early age. The endless possibilities, the constant solving of problems and the associated solution finding. You never get bored and you always find something new to get to grips with. I came into contact with computers at an early age in elementary school, and that’s when the spark was ignited.
With your knowledge, you could certainly earn more money in the “less conventional” sector. How tempting is that?
Knowledge in the field of penetration testing is basically just a tool. I can use it to generate added value for society by finding vulnerabilities in software or using it specifically for data theft. The same applies to operating a car – whether I use it as a means of transportation, for example, or deliberately cause an accident with personal injury. It is more a question of one’s own ethical principles than of temptation.
What are the most common omissions that companies make when it comes to IT security?
It often starts with the company’s strategy. A holistic security strategy with a security culture, clear and recurring messages in the form of guidelines: If password policies are not standardized, the assignment of passwords is correspondingly lax. Lack of use of multi-factor authentication and, in particular, outdated software solutions. The last point in particular is crucial, as vulnerabilities already known to the manufacturer and security researchers are marked with a CVE identifier and listed in freely accessible databases. If patches are not applied in good time, an attacker may well be able to gain access to the system with the help of these “low hanging fruits”. In other words, via vulnerabilities that are known to everyone.
To summarize:
- Security culture (security awareness)
- Outdated software
- Weak passwords and lack of use of multi-factor authentication
What needs to change in education policy in Germany so that the next generation is introduced to IT topics?
In my opinion, awareness of the subject area already exists. However, this is probably a problem of skilled staff. Many teachers are not trained in IT topics and the necessary infrastructure (WiFi, notebooks, tablets…) is also weak. Incentives should be created to provide existing teachers with further training in these topics and to specifically promote computer science as a teaching profession.
You once said that you want to “change the image of hackers and attitudes towards IT security.” What exactly do you mean by that?
Hardly any other topic is as relevant to society as a whole and at the same time as mystified as IT security. The profession of penetration tester in particular has existed for over twenty years, but is hardly known to most people in our society. We want to educate, explain and demystify so that IT security can be understood, implemented and taken for granted by everyone. Only if we understand something and it is commonplace for us can and will we use it on a daily basis.
You are also a founder/entrepreneur. What can politicians do to improve the framework conditions for ambitious, young entrepreneurs with good ideas?
Less bureaucracy, greater use of new technologies, i.e. process optimization at the commercial register and tax office, and tax relief. Because new ideas thrive on agility and rapid implementation.
Hacking, IT security – all very technical, rational topics. Tell us about a very emotional experience you had in connection with your job.
I meet all kinds of people in my job and look forward to a new IT challenge every time. You won’t believe me, but even after seven years in the job, I still jump for joy and sometimes even do a little happy dance every time a project is accepted. So it’s emotional for me almost every day – in a positive sense. But if you want to hear a story that I can’t get out of my head, it’s this one:
A few years ago, we once audited a BaFin-regulated universal bank. Within three days, we were able to remotely control the safe deposit boxes, take over fingerprint sensors, suspend camera surveillance… the IT manager in charge was blindsided. That was very emotional for me. Imagine you’ve been working passionately on something for over 15 years and believe you’re doing everything right and suddenly an external consultant comes along and points out serious shortcomings. This is frustrating and can sometimes also scratch your own ego. This is where you need a lot of finesse and genuinely sincere, encouraging words.
The story may not be particularly beautiful, but even if you don’t realize it at first, it still has a beautiful meaning: the forester can’t see the wood for the trees. That’s why an independent outsider is needed from time to time. However, the saying also means that the forester is still the smartest person in the forest. Even if the IT manager is shaken and blindsided at first, he will still be happy about the improvement in IT security in the long term.
Our assignments are sometimes emotional, but usually end well.
Thank you very much for the interview.

Philipp Kalweit