Culture, Compliance, and Security in Fintech - Holger Sontag, CISO @ Privé Technologies

Sep 29, 2024

Episode Description

Holger Sontag, CISO of Privé Technologies, shares his insights on working in the field of security. He discusses his passion for solving puzzles and making things better for those who lack knowledge in security. Holger highlights the differences between working on the vendor side and in internal departments, emphasizing the importance of ongoing tasks and customer interaction. He also discusses the challenges of working in regulated industries and the need to stay updated in a rapidly changing field. Holger emphasizes the importance of building a security culture within organizations and the role of effective communication and awareness training. He shares his experiences with severe security incidents and the importance of staying calm and focused during stressful situations. Holger also discusses the balance between security and business, the challenges of remote work, and the future of cybersecurity.

Episode Transcript

hi everyone and welcome to the Hands-On ceso podcast my name is zy and today we'll be talking to hoger sonag hoger

has been working around or in security Hands-On for about 23 years mostly on an

international level in internal departments as well as on the vendor side currently he's the ceso of PR an

international wealth management provider H great to have you how are you doingthank you great to be here and I'm doing great how are you perfect excited for

this conversation so before we get into anything else I'd love to hear how did you end up in security how did you get

into the field it's actually well it's a long story but I'm very short um I've always

been kind of interested in technology and in security and I guess this comes from different angles as well um uh I

guess one one of the the the main angles is uh the the concept of solving puzzlesand the the idea of just having this this this thing that you don't

understand and you kind of want to want to break into it and break it down and understand what what it means in detail

and security just offs a lot of that um the thing is uh youknow there there are roughly three different categories of of people who work insecurity uh those that do it because it changes something it does something goodit helps people who just don't have the understanding or don't want to cancannot cannot get there in in terms of knowledge um uh the second group is the

people who who are in it because uh because of the the you know the nitty-gritty details of things and you

know putting things in place and and the certain people who are in it because it's a very well-paying job and I'm I'm

sort of the first category where we feel like I it's it's a way for me uh just to

to to make things a little bit uh more easy and a little bit better for for people who just don't have the knowledge

or the understanding of how to how to do it by themselves so I see there obligation also my side a little

bit interesting so you've been both in like companies as ciso but also you wereon the vendor side how does that like what are the differences in thedaytoday it's a completely different task on the vendor side I was I was more on BusinessDevelopment pre-sales U and Consulting and I mean that the Consulting bit kindof carries over where you are becoming sort of an internal consultant if youwork inside of company interal Department um uh and that's really the

cut over the difference is then on the internal side you have a lot more of the the the daily tasks you know audits

monitoring uh you know adjusting alerting rules all these kind of thingsand if you work on the vendor side it's really a lot more custom action and uhthe difference between a consultant and an internal uh Personnel is in the end alittle bit the the the ongoing doing so not not the initial setting things up

and then you know the consultant helps to set things up and then he goes away and the dayto day having to live

with it this is kind of the the difference I guess the biggest difference interesting so what you'redoing now you're in a fintech company would you say that affects the type ofthings you do significantly or is or different companies tend to have similarceso roles from your experience company yeah so um I cannotspeak for all Industries I I just don't know uh all of the industries wellenough what I do know is especially in the area where we are present um whichis southeast Asia Bay Area and little bit in Europe Europe is simple but um

there are a lot of regulations and laws that uh our our customers have to abide by and consequently uh we have to also

uh understand and and uh work with that means we have a lot of audits we aregetting audits every few weeks from some customer

and uh there is a lot of requirements that we have to understand that we have to fulfill and I guess this could be one

of the major major things that um you know banking working with banks working

with insurance companies this kind of data is just extremely protective and that means that we also then have to

make sure that we fulfill our part in this and uh also guessing that comparedto a I don't know industrial en M that our security requirements are probably alot higher and uh this then also means of course that um yeah we we we just

need to have a bigger investment in it we have to understand a lot more laws around it we have to uh make things

click a little bit better certifications like ISO 2701 Etc than really just anormal thing to have in this industry whereas I guess if you are um a sees ofa of a a saw mill it's probably not that important I'm guessing I don't knowmaybe it is yeah I think I think like each industry hasdifferent things but the regulated Industries seem to be the most like dataprotective let's put it that way like health and financial cool yeah how do

you stay updated in this field that is really like changing ing so fast every other day you have this breach this

technology like everything's happening how do you stay updated I think uh this is something

that I hear a lot and I really think like you have to separate the fields there are some things that will not change like you need anoint protection

you need a firewall things like this this will be the same this was the same 10 years ago it will be the same 20

years in the future uh probably um it's just what is underneath that is changing

and um if you work with vendors uh for firewalls and P protection and you kind of see what the technology brings uh

then you will very this part is very easy to stay up to date with because some of it just manages itself you have

a firewall with a firewall vendor you have a testing system you push the patches regular to the test you see if

it works if it doesn't work if it doesn't work you don't and if it works then you assist date so this is this is

a a simple task where you don't really need that much information aside from what the vendor anyway give you where it

becomes more complicated is of course vulnerabilities uh Etc um breaches

things like that does affect us and this is really more along the lines of risk management uh with vulnerabilities um we

work a lot with the generally vulnerabilities breaches attacks we work a lot with external threat uh um

intelligence providers uh some are directly connected into our CM others uhwe have as additional information for enrichment and um if something biggerhappens I've found one of the two best sources to quickly get uh code Snippetsfor running PC's for detecting if this affects you in any way shape or form are

uh Twitter and GitHub I mean of course you always need to check these scripts you shouldn't just copy paste them but

um aside from that um you this is where the security Community comes togetherand really quickly shares information and hey uh uh this affects this and I tested it on

a couple of systems and you can run the script and then you go into your testing chamber sandbox you test what it does

and then you you run it in your environment you you have essentially saved like I don't know a couple of hours of work right there and you're

much faster than comption so this is kind of the the way we kind of keep up withthings interesting so have you noticed different kind of

cultures regarding security different companies you've worked at oh definitely um not just worked at but worked with um

so I have actually built the security in two companies that I've worked in um andI worked in a security company where everyone was a security person and um mostpeople and um I mean first of all if you work in a security company where people

understand security then the the way people interact with technology is just completely different because they they

just leverage on from from a completely different mindset of what the computer can and cannot do and uh they understand

there's lot lot less communication needed to persuade them of things and on the other handum people uh that that like to leave their their laptops unlocked there's a lotmore things that will come at them but um if you work uh in in um so I I Ihave I have supported companies that have a very small very low security

culture and these this for some it was historical for some it was just something I never thought about and this

is difficult because if if there's no mindset that we need to do this now but the mindset is our customers require us

to have a policy then uh you can essentially forget it until the mindset

is set all you can do is write a policy and and make sure you stay away from the rest because it will never reach where

it needs to reach because people are not uh receptive they're not they don't they don't want to deal with it they don't

see it as necessary whereas in companies where the culture is already geared

towards we need security because it is important no matter how many people if you have some managers and some of the

staff in the direction you've already won the rest will just follow pursso I think that um building and understanding thatsecurity is needed is probably the most difficult and once you have thateverything else is kind of just budget discussions that's kind of difference

between the the companies I would say that some have this culture some don't but I don't think there's a difference between a a tech company a development

company and a a uh um V Tech company uh once they have the

same understanding about security only what they need is then different but this is anyway this is from company to company different they have different

processes yeah more about the culture less about the kind of companyinteresting have you ever had to like be the badcop I mean okay let's put like this I think um the user erroruh go that I think the user error comes from three different angles two of them

are definitely something where where security is involved the third one is something where legal is invol um and

the first two are essentially the mistake and the negligence right and I would say the mistake is something that

there is no bad cop here maybe you feel bit like a teacher sometimes but this is just a person who just doesn't know it

any better and they it's an honest mistake and usually this is more of an extended awareness training than

anything else else and I there is no bad cop there is just a a person who needs to understand something and wants to

understand it usually I never had the situation where someone said I don't care um usually it's always that they

quickly I sorry my mistake and let let's let's see what we can make how we can make sure this is kind of the most

common occurrence of this kind of interaction the negligence is very rare um it happens but it it's really rare

and of course when people get caught knowing they shouldn't have done something then they always feel bad

about it right this is just in human nature you don't like getting caught it doesn't mean they feel bad about having done it they mean they feel bad about

getting caught and let's put like this um I I have never experienced someonebeing negligent twice uh not because of how I deal with it but just because uh

they understand that these things get found out and then they understand that they feel bad about it and you don't need to be a bad cop you just need to

say hey what happened here can you explain and then you talk about I've never had luckily in companies I work

there I've never had a case of uh purposefulmisconduct um I I was involved in incident response cases where this was

the case um but I didn't do the communication there but this is then really not for security security just

figures it out and then hands it over to legal right this is then for the lawyers to handle because at that point you have crime and it's a whole different

story have you ever been part of a company or worked with a company that had a severe security incident no but I

I have supported companies that had um how does that looklike uh they won a lot of people running around being extremely nervous notknowing what to say uh um hoping experts have a silver bullet to figure it out

realizing that uh if you have never put any sensors into your n work it's too late to do it once it happens um

figuring out how to deal with it without the the customers noticing it this kind of stuff day two um things have calmed

down a little most people haven't slept the whole night and are high on coffee and you're sitting in a room uh and

you're trying to then install things that help you clear out the network and suddenly the budget is just completely

open and buy the best thing buy the best thing buy the best thing um and from there kind of depends what the inent

includes I mean uh things get handled on a verydifferent level um especially when a lot of money is involved uh typicallysecurity is only uh making the report and then the rest is handled through avery different level of of authority um and when it's about datarecovery Etc then it really depends on what what the company is is uh wants todo do here or can even do here um but if a company is well prepared I've also had

one case where that was the case they had everything in place and we were essentially just coming in looking at

the the logs uh quickly being able to trace everything and the whole thing was was uh very well organized um we had a

room fully set up for this there was a local security very small company but they had a a guide dedicated for

security who knew everything who could help us with everything and this made the wholesituation really easy to deal with so it it depends if you have a goodsecurity posture incidents arean they're never a good thing right

but they're easy to deal with and uh or let's say more easily to deal with because you kind of know where to look

what to look for what happened it's easy to trace it's easy to to then uh mitigate it's easy to follow what

network or on the on the application or whatever if you have a bad security posture and you don't have anyone who's

who ever thought about it then you have a bunch of people running around headlessly and not knowing what to do and it's gets super complicated because

you first have to manage the people and you have to manage situation and then you have to figure out what you can do to actually you know get get ahead of

the situation so that's kind of how it is essentially how do you handle the stressof a situation like that um coffeeuh I would I would say um it is if so if

it was my own company I think I would be a lot more stressed about it if if I had a bad security let's say I'm day one

ceso something happens nothing is prepared and it's it's my responsibility then I would be very stressed out but if

you come in as a consultant you anyway already have the mindset that okay uh I I am here to tell these people how to

work with it and if they don't want it then I can go again you kind of you're bit more detached from the

situation and um and this gives you a little bit of this this this energy where you can just say um uh we can we

can work together on this and and uh let me just show you step by step and calm down people and this people management

thing then becomes a lot more easy because you are not directly involved it's not like your head is not on the

chopping board for this um uh whereas if it's if it's your own company it'sdifferent a little bit of a different story so I'm this is not an advice for cesos this is advice forConsultants um but if you a c so um I I mean I was not in the situation yet uhas in the position of a seesaw that I had that something that this happened umbut as a seesaw I think it is super super super important to always thenthat moment like think back to what you have what what you have in your hand andjust just calm down about uh uh the initial stress that something big might

have happened and you don't know what and go into the details of step by step retracing what happened and then you go

out to your communication once you have understood the situation and if it takes a bit longer it takes a bit longer but

it will take a lot longer if you first panic about it so that's kind of the way I I I would seeit perfect how do you manage the balance between security andbusiness well I mean um actually really in accordance with with with ISO 271

right I mean there is a clear statement on how security needs to support business and this uh this statement we

take very seriously and um this was built up uh U and is is updated

regularly whenever things change can security I think the better question is can security always support

business and I think oh uh but I think it can get very close to that there will

always be a there will always be moments of tradeoff and really saying moments because not all security tools are a

hindrance let's take uh password management if you use a password storelike a some some some centralized encrypted password

manager um then actually life becomes easier because people don't longer have to type passwords they just have to

click a button and it's all done for them so this is a security tool that makes business even more fluid so

suddenly we are not just supporting we are we are we are enhancing the capabilities of the business teams and

then a lot of things are just zero touch like having an endpoint protection EDR or something installed that silently

silently runs in the background does not disrupt business and disrupts no one it just have it installed and for the most

part no one will ever know about it I'd say what we use is somethingthat four or five people in the company have have had gotten in touch with while

since we have installed it right it's just so silent then firewalls block a few websites and people don't like that

and this is a little bit more iffy but then you have to communicate why these websites are and this is more about communication so it kind of depends on

the tool on the control on the process you have in place which which is disruptive which is enhancing and you

kind of to align that as good as possible well as possible with the uh with the requirements of the business

but in the end uh the the company culture has to make the decision what's more important whether it's more

important to follow a bit more security or to make business a little bit more

you know to to share this document with the whole company even though it doesn't to be that's kind of the trade off in

the end interesting do you remember any action or decision that you made in thepast that ended up being maybe not the best decision tomake in terms of security and then like how do you cope when the mistake is likeon your hand oh that's actually a tough question um so I I don't think I have made a verydire mistake yet you you always know when it's toolate right um I would have to think about this I mean

I I think there there are less optimal situations and more optimal situations and it also a little bit depends on what

you have at your disposal and I think the first company I workedwith we had a a bit of a hiccup with the anti virustool of choice this was just because the budget was too low and I had to take what wasgiven and I do regret that decision because today or even back then I knewthis was not the tool that could get the job done to my satisfaction

um how how was it I mean we we ran with it for for a little bit and then we changed it it was like it was not a huge

deal it was we had a free of charge tool back then a company was testing acentralized version of their of their their their tool we used it uh it didn'thave any huge impact um but a lot of the developers in the

company got a little bit angry because the tool was very invasive and so on um so it was more of a communic

internal communication issue at the end um yeah that I mean

otherwise you didn't I typically you don't just make a decision and run with it right you kind of evaluate what this

decision is and how it works so there's not really like if you do your homework right and you talk to the right people

and there's not really a situation where you make a massively di mistake that takes everything down this is just not

going to happen because there's so many steps in between and so many people you talk to and so many evaluations you do

Ian we don't just install software usually there's a big sandbox we we test the software it's it's safe to install

and so on a huge process that's kind of the reality ofit that's good I guess umperfect so what is what would you say are the biggest challenges in cybersecurity right now in general I mean I mean the biggestchallenge is always the user but um I I don't want to go that route

because I I think everyone has talked about that already it's kind of everyone knows it uh that's what I I think the

there's there's currently um I'd say two challenges that I've feel is maybe not Imay understood wrong most of the time or not talked about enough one in Europe is

for sure the upcoming two new regulations nis2 and Dora which are massively misunderstood because a lot of

people just don't want to read 100 pages of of legal text and I understand that neither do I but Idid um and uh there's a lot of misconceptions of what these laws do andhow they affect someone and so on and um uh I think the communication here

that customers understand that if companies are ready and how to how to distinguish between a company that's ready is not ready uh is is is is a very

big deal right now uh there's a lot of um very rough decisions being made based onassumptions that are just simply not true and the second thing is I mean a

lot of people talk about AI I have not yet seen AI hack a server or anything but what I have seen is that fishing

attacks get a lot more um pervasive pers persuasive right um so we we areseeing AI based uh uh voice messages and what coming through WhatsApp and stuff

like this that sound partially already quite good I mean you can still make a clear distinction and um there's a big

question of how to validate users in the future like if someone is on on a business trip and the timing is just

just right and he contacts you over WhatsApp from a new number from that specific country this is all stuff you

can find out uh and sends a voice message that sounds good enough then there's really very little you the

person can do to validate uh or to to to to get over this this this the belief um

if he's not schooled in so I think awareness training has to adapt uh tools have to adapt um we are going to publish

a white paper on this some short time where we have a couple of ideas abouthow to deal with this um but it's uh it's I think these are the the twotopics that are currently spinning around me most I wouldsay how do you feel about AI in general the tool I mean I I think AI is

one of the most misunderstood tools of our time uh I have heard people's imagination runs wild with this I have

heard the wildest Things of what AI is supposedly capable of I think it was like a a short video that circled where

AI supposedly contacted someone on Fiverr to to uh to solve a capture for

it and so on like this is all not what what I can do right it's a large language model it's essentially a very

complex database query um I use it a lot uh for for different as a tool fordifferent things not to write my texts but um to uh I mean for for development

for example our developers use it for getting code Snippets that they would otherwise need to get from um from stack

Overflow so it's just a Google search essentially it's made a bit easier um I

use it for some detection mechanisms but of course you always have to validate the output because AI can also be very

very wrong and be very proud of it being wrong and um I use it uh with with somesome varability testing and Pen testing tools that we have uh inside the companyum but it's always just a an initial way to to to get a few more things done thenwith with non- AI based tools it's not really a tool that you can fully like I

made my pen test because AI set so right you kind of you do as initial poking around and then you you look at what

thei did and then you do the rest right um so it's kind of like that there's a lot of tools right now that are

especially in cyber security very interesting a lot are really more toys and something you can use but it's an

interesting insight into what people think could it could be used for so I'm always open testingby interesting what do you think is one thing that people who are outsidesecurity don't really understand about what it is that security people do or atall about I think it depends on the person Ithink what what most people don't understand about security if I have to to take one topic is thescope um I think for a lot of people the scope is kind of uh yeah security isinstalling an anti antivirus tool on my on my system

and then seeing what it does or it's you know I think in your in your questionnaire was a question about

fishing um I I also knew a guy who thought that security was just right incorrect code um I think these are just very I think some some misconception are

just like come from a place where people just do not want to understand what it is and this is then always quite

difficult to deal with but I think most people just don't understand the total scope of what security can include I

mean for example um uh um a good friend of mine very

technical uh has a very good understanding of the rough scope of security but even he is surprised

sometimes what all can be attached to this if you really blow it upso a complete Security System uh that you would install essentially tackles soso many topics um partially administrative process based or justpure toolage uh controls can be done in many different ways it tackles legaltopics uh it tackles stability topics resilience topics as just so many things

that people don't know is is also part of security I think this is the biggest Mis Inception this is scope

interesting how do you manage your attention between on the one hand actually taking care of the security

side then also having a team and managing them and also creating a

culture that is security aware to some degree like you have to have some communication I would assume with the

people in the company and then also communicate at all times with management

like what is happening and like understanding what they need what you need what is your focus going a daily

basis put it that way um okay so managing the tools managingthe team is the easy part this is management um but the thing is I have I

have not yet worked in big security teams so it's like 20 40 people and I will never because it's just not how I

work I am very Hands-On I also like to be Hands-On and if I work in a team even

though I I lead the team I I will be part of the team and we all have tasks in this team and everyone can replace

there's always enough people in the team to replace someone who's on holiday who's sick or whatever so there's never

a gap then there are certain strengths for example if have a guy who can pentest really well and he's going to do the internal pent test but um aside from

that if he doesn't do that then he's also supporting the monitoring auditing

um and the bigger the team grows the more the management will become management and uh it will be more around

figuring out where to put people and what to do with them and less actually being handson with the tools and um

that's kind of that aspectum what the rest of the question the question was how is yourfocus divided between um communication with leadership andside and team so um I have always worked extremely

autonomously and that means the communication with leadership is essentially a monthly meeting most of

the time unless something is really burning and we need a direct communication um and I I also this is

the way I have always worked in every company um I am very self-managed I never really uh enjoy to to to have

people walk around in my business um so and and it has always been uh it'salways output driven Etc um so the communication I I am I AMC

so I I am in charge of it is essentially only most of the time it's with Finance about uh budget additional budget needs

or budget cuts or whatever things like that whenever things happen right uh but um with my direct uh line manager who

the C CEO um it is really catching up on the current topics uh

regularly and if something happens we have an we have an extra call and if you see a un we go for a beer but that's

that's the whole communication when it comes to company culture all I can sayis use awareness training to make it interesting I have seen awarenesstraining where uh a company is invited

they listen to a couple of PowerPoint slides and afterwards uh they they get a they get a multiple choice test yes this

scales really well but everyone will be annoyed by it no

one will understand the purpose no one will understand the meaning no one will really grasp what it's about and you

will yes you will have done the checkbox for your ISO certification or so to certification but you will not have

actual a culture of security you will have people who have check boxes um but you can use the V training

to make security fun and interesting and now I sound like a real Boomer I make it fun now for you

but um I think that um that if you gointo discussions if you make the the test part of the training make it an

open discussion yes some people will just say something and then not listen to the rest but most people will

participate they they want to know they want to understand and once the discussion is rolling more IDE will come up and I have had extreme good success

it doesn't scale well but if you have the opportunity to not work in a 300,000 people company um but something lot

smaller then do this because this will build the culture a lot faster than you might think you do one run of awareness

training and people are talking about it and then if if the leadership team isfollowing a couple of of shining examples uh of you know you in a meeting

and then the CEO is just installing updates because they pop up now and this is more important this will sit this

will work and if this is if this is done on on a small scale everyone will followbecause they understand ah this is the way this works here it's not it's not

the the guy in sales who doesn't care about security and just wants to wants to do that stuff right it's

always the person who is under enough time pressure to just not understandanymore what's correct um because no one shows him that this is corcorrect this is always the problem with with the that's I say put some memes intoyour Wess trainings don't make them so dry make it fun make itfun perfect how do you deal with the stress of it's kind of like the question frombefore but as CIS so you're sort of you're always on like you're always okaylike I'm ready for something to to happen and then respond do you think

that affects you in any way, or is it something that you kind of got used to and now is not really a thing? Pure paranoia mode all day, every day?

No. I mean, I'm going to be very honest, I think most people who work in the field for long enough will kind of tell you the same thing, that you get used to the possibility of an email or an alert popping in in many, many different ways, so much so that it just becomes an everyday task. You know, like an accountant looks at Excel sheets all day, I look at alerts all day, and you get a routine in it and how to deal with it. There are processes that make it a lot easier. You can just say, okay, first initial steps, and you're not anymore like, oh my God, I need to look at my phone right now, because even though I am currently on a Saturday on a walk in the middle of the forest, I need to see if something is happening. You will know, the phone will vibrate, and then you will know. So you kind of just ease yourself up about it, and what happens happens. And also, I mean, let's put it like this: most, not just most, by far the most alerts that come in are anyway false positives, or need readjustments, or are made directly for false positives, but nothing dire, nothing problematic, and are anyway mitigated. So the tool is just telling you, I kicked out some software I didn't like, right? And that's what you get then as an alert, or the firewall says, I blocked the connection. So most of the stuff is anyway already done by the tools fully automatically. So whenever an alert email or an alert... we have three systems where alerts go in, and all three systems work independently of each other, so we always ensure that at least one of them gets the alert through. And whenever you get those three notifications, they come through three different channels, then you're already kind of in the mindset of, it's probably already taken care of, it's probably already done, and only when you look at it then and see, oh okay, this is not yet done, then things get serious. But since most of the time the phone vibrates, the laptop makes the notification, whatever, then you're kind of like, oh, it's one of these. You build a knowledge base on what that is.

Interesting. What would you say is one thing that CISOs probably don't pay enough attention to and should?

I don't know, I don't know what else people pay attention to, but what I see when working with other companies, with other security teams, is, especially in certain situations, as I said, I really see that a lot of emphasis is placed on documentation and not so much on

controls. So everyone has policies and written-down processes, everything looks nice, and yes, we have that too, of course, because it's a requirement for ISO, but whether or not the controls that you put there are actually doing what you expect them to do, I think, yeah. So if you do internal audits, I'm sure a lot of CISOs do that, but if you don't... if you do internal audits, have a control check be part of the audit, because I have seen companies where it's just, we have the policy, we have the process, we bought an AV, now everything's fine. It's not. You have to test the AV, you have to test whether or not it does what you think it does, because enough times it just doesn't. So we have a weekly checkup of all tools and a daily checkup, a rough checkup of everything in the morning, if it works. And I've come across enough moments where something was just not aligned as it should have been, and nothing crazy yet, but this alone tells me that these checkups are just essential. I'm not sure if everyone pays attention, but maybe they do, maybe they don't. It's just my little piece of advice in case there is someone: do it.

Perfect.

Okay, right. So what do you think changed about cybersecurity within the last few years? Like, what is different today?

I mean, under the hood a lot, on the surface level not so much. I think that the perimeter has shifted a little bit. I think the biggest change I see, where I really think, like, this is really something where we need new concepts, or we have brought in new concepts also on the surface level, is during COVID this whole work-from-home thing, where the perimeter is now suddenly no longer a controlled company firewall network, but the perimeter is essentially the laptop of the person and the home network, and you have to tell people not to go to Starbucks and stuff like that. And I think that, yeah, this was always kind of there a little bit, but the extent of it has just changed. Like, before you could say there is a work-from-home policy and you can do this if you have XYZ. Now kind of everyone is expecting to work a couple of days from home, and you can't tell a whole company of people that they have to buy a router that can segregate their home network from private to company and so on. So these things become a challenge now, and I think this was the biggest change, that the perimeter shifted more to on-device, so you need a lot better device protection, also for Mac, also for Linux. Every device needs to be protected properly. The attack vectors are different, but a MacBook is not more secure than a Windows device if you treat it correctly, a big misconception on many ends. You're not invulnerable to good attacks. So I think it's important for companies to really invest in good endpoint protection, and we also saw that it makes sense to evaluate first. We saw it with CrowdStrike, right? You should evaluate what you buy. Pushing an update without testing it is not a good idea, but there are of course alternatives that are a lot better, that do this a lot more streamlined. But then EDR, I think, is necessary nowadays on endpoints, there's no way around it. It depends on what the endpoint does, what it needs to

do.

Perfect. And what do you think is going to change within the next few years?

I think that the concept of work from home, remote work, is going to become a lot bigger still. I mean, we've not reached the pinnacle of that yet. A lot of companies are still trying to get people back into the offices, and some are successful, some are not. I think this also means that company culture is going to be a big topic in many companies. I think that companies have to reinvent themselves a little bit in terms of employer branding when it comes to how they get people to be in the office, to build a culture in the office again. We are currently actually doing this quite successfully, I would say, that we are getting the people to come back, with, like, there's a breakfast on Monday, there's a nice get-together in the evening on Fridays, and in between, you know, we have kind of little things, enticements. It's also a little bit about communication in that sense. But it will always be important that mobile devices, mobile workspaces are really taken into consideration, that topics like VPN, like, not talking about NordVPN, I'm talking about company VPN, that proper endpoint protection, maybe even small ad hoc mobile network concepts are put into place. So if you have the money and you can afford it as a company, it's a very good idea to give people who work from home or work remotely access points with 5G modules in them, things like that, so that they can just build secure networks at home. There's many ways to handle this, right? But I think that it's going to go in that direction, that security becomes mobile and no longer this big infrastructure with your two huge firewalls that protect a thousand people, but more of a, how do I protect a single person, a single device in a single network.

Amazing. So we're down to the last question. Thank you so much, this has been really interesting. I lost my train of thought, but I'm really happy you joined us today and I feel like I learned personally so much. So I would want to hear from you, what would you say is one piece of maybe unusual advice you would give to someone

who is wanting to get into security, or maybe is in security but wants to advance and, like, go up the ladder to be CISO? What would you say?

Do not chase certificates. Okay, this sounds weird, but it's important to understand best practices. I'm not saying certificates are bad, I'm not saying you should never have certificates. I'm saying that a lot of people just try to grapple for certificates wherever they can and not really for, you know... you have to put your hands into the machine to understand how it works, and not just into the book. And projects: secure your own home network, understand how things work, understand what they really do, understand what an IDS/IPS system really is and not just understand that you need it, understand how it works, what it controls, what it filters. All of these things are so much more important. If you already have the knowledge of what works and what doesn't work, and you then go into certification to then get the administrative level in the knowledge of how to work with it, you're on a completely different level when you come out of them. Whereas if you first just shovel in all the knowledge of this is needed, and ISO requires this, and this certificate requires that, and then you go into the doing, you will realize that a lot of these things just work very differently in real life, and sometimes you just need a completely different tool to solve a problem, and this flexibility can only come from a place of trying and testing. Roughly said, if you are in your home network running a Windows 11 device with the standard pre-installed anti-malware software behind a FRITZ!Box, then you should probably reconsider working in security, maybe. Whereas if you have a completely rigged-up network where you have a little Linux device being a Shorewall firewall or an IPFire firewall that you can configure and install by yourself, and you've just figured out a couple of vulnerabilities in your Gentoo Linux kernel, then you're probably the perfect person for security. That's putting it in a very extreme way, right? Have private projects, be fascinated by it, work on security and not just in security.

Perfect. Thank you so much for your time.

Yeah, sure.

Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel
