
Interview with Oliver Kunz

BSides Lisbon · 2017 · 10:18 · 34 views · Published 2017-11
Category: Career
Style: Panel
About this talk
Oliver Kunz discusses security as an enabler in enterprise environments, reflecting on the tension between business needs and security principles. He shares experiences working in-house versus as a consultant, emphasizing risk management, trust-building, and the importance of keeping calm under pressure when balancing security with operational demands.
Transcript [en]

Oliver, are you enjoying the conference?

I really like it. It's my second time here; last year I spoke myself, I presented my master thesis. It was great. This year it's even greater, because I don't have the pressure of being a speaker myself. I really enjoy it. I just came from a workshop; it was great. I'll come again next year, for sure.

We look very much forward to seeing you next year as well.

Thank you.

For any sincerity now: so you, you feel like being taught yesterday. Can you tell us a little bit about that?

Yes, yes. Well, the highlight was that many people walked away. I hope it was just because there was food.

No, it was the last one of the day, right?

No, it was the first one. No. So basically, in the past months, and actually years, I started to think about many different things. That's why we coined it, very briefly, a philosophical security talk. It's about the phrase "security as an enabler". I started to think about that phrase because I had encounters with friends in their workspaces, but also in my workspace, with people, mostly project managers, who come and say, "Hey, security is an enabler, come on, help me," and so on. And I am all for this. In some projects I really helped; I think as security we need to be open. But I started to think about security as an enabler: does that fit when you're inside a company, or should it only fit when you have a product and you want to sell a product, so as a USP? And I came to, well, sort of a conclusion. I'm not finished; I'm still thinking and reading up on Ross Anderson from Cambridge University, if I'm not mistaken, who wrote some papers on the economics of security. So I'm reading up there, and I wanted to write an essay or give a talk on that. The essence is figuring out: the phrase "security as an enabler", is it wrong, is it good, when is it good, when is it wrong? And my feeling is that sometimes people try to throw the phrase around. Or, interestingly, not many people knew the phrase, but maybe you know the feeling: the feeling when people come and talk to you, like it's a quarter to five, you actually want to go home, you're tired, and they come and say, "Hey, I need this firewall request now, you need to help me, if you're not here a thousand people can't work tomorrow." So you get kind of pressured into some stuff. And I once had a person coming into my office at literally 5:00 p.m., and I wanted to jump on the train, and they said, "I need this, five hundred people, hi xx, can't work otherwise." And I started to look at it and said, "Yeah, well, that's great; with my conscience, that is not going to happen." He wasn't very happy about that at the end. But yeah, that's the important thing, I think: as a security professional, you have to keep your cool in that situation, because everyone wants to work for the business. We all work for the bottom line; without a business that goes well, I don't get paid. So it goes to that half, half the conscience that you have to work for the bottom line, but you also have to work for the security. There is a trade-off, we all know the trade-off, and it boils down to risk management at the end.

Makes sense. Well, which reminds me of the Builder, let's go, the war room. Yeah, so, not sure if you want... together, and we were to interview people for a security team, and we had a guy, had a PhD actually, and he came in, and one question we asked him was: okay, so you're in a scenario where the CEO comes to you and says, "We were hacked." What do you do? And the guy just said, you know, his reply was, "Well, tough luck, and I'll build the war room." Check, you know, that was his answer. And you know, there needs to be more to that. There needs to be: what does the CEO mean by "hacked"? The Perry's phone, is it something like... There was a whole bunch of process that needs to happen before you build a war room. And it's the exact same type of problem, right? You can just... you need to keep calm, and you need to put security on top of probably all the priorities that you have at that particular moment.

And not, well, and not... I really think it's about realizing daily where I am, how I act. If somebody comes to me, what is their goal, what do they want from me? And I mean, I always worked in small companies, and I work in a larger company, and I had to get used to the politics, sort of. At the beginning I thought maybe they come to me because they think they can play with me, I'm not so known to the politics. But later on I realized, now they come to me because I have quite creative ideas to help them. Because I do feel, yes, the enabler in me; I want to enable the business to do things, and there are many ways how you can do something in a secure way. It just sometimes takes a little bit more time and patience.

Exactly.

And one great thing is, I worked with a project manager on a nice project, and I went to him and told him, "Look, something is not right here, we need to rethink this." And he actually went back to the sponsor and told them we need more time, and we ended up having, I think, five times the man-days of a similar project. Which was interesting, because we had to defend that, but we could defend it because I kept track. I kept track of what I was doing, I kept track of why I was doing things. I wrote risk assessments, things that people really liked, because it helped them understand where I come from. I come from risk management, at the end. For me, I think JP said it very well this morning: it is about risk management. Security is about risk management; keep that in mind. I see a lot of pen test reports, and I love the work these guys are doing, but sometimes pen testers miss the risk management part of their work. It's when you have the urge to scream, "Yes, I found something really cool." You did, but is it really that critical for the company? And when you come back to security as an enabler, I do think that all the consulting work, so pen testing or security consulting and advisories, they really are security as an enabler, because it's what I sell; they sell security. Many companies, if you work in-house in security, you work more for the trust, the trust that clients place in you. You don't really sell security anymore; you sell trust, to companies, to clients, especially if you work in the financial industries, right? So that boils down to: you trust that company with your money, and if a company is constantly hacked and is not doing a good job, it probably sees it in the client numbers.

I think there's a problem there, which is, it's going against this nature, right? So you're saying that, you know, as a pen tester I have this thing of, like, "I found something," yeah, you know, and you don't think about risk management. But the reality is that's their nature, like, I get paid if I find more vulnerabilities; that means I'll get called again. So it goes like risk management will not be a beneficial solution.

Absolutely, they would have to fight against themselves. I have a great story. When I was a pen tester I had a customer who did really a good job, and I had three days of testing time, so it was a short assessment, and I was working three days like mad. I couldn't find anything on the first day. It's like, okay, yeah, you have to get used to whatever is in front of you. On the second day you normally start finding some stuff, right? And then on the third day you find even more. And when I arrived at the third day, I was really down, I was depressed, I was like, "That can't be, can't be, I really don't have anything." So, some low-risk stuff, yes, cookies, which you always find, but not really something that I can show off.

More often, yes. And there I think it is important to have a decent manager that leads you, and my manager told me, "Look, we are doing work with them for many years now. It's you that's doing the assessment, so we wanted to have a fresh pair of eyes on it. I know that this shows our previous work was... yes." And I had this situation as a pen tester: so you found something juicy and you were jumping up and down and you wanted to scream it from the top of your lungs because you found something. And I did that as well, I really did that as well. And I think you can defend it by saying, "Well, I don't see the inside of the company, so I can't really tell what the exact risk is." When I was a pen tester I always told the guys, "Look, this is the report, this is what I see as a risk, but please assess the risks yourself."

Exactly. I just don't know if the companies really have the time for that, or if they just take the report and adapt to what you have written in there.

I can think of many companies not having the time anymore, because let's face it, time is money. Nobody has time. That is a big issue.