What is the role of the Operations Manager?
I’m responsible for the well-being of the certification team, starting from ensuring the fulfillment of customer requests on the operational side to making sure every team member is happy at work. My job is also to help the team get proper training and maintain the level of expertise required to complete projects. This also involves ensuring that Riscure as a lab adheres to the scheme requirements. On top of that, all the organizational questions, especially about staying in contact with the schemes and the customer, are on me. Although I have only been here for 2 years, the learning process at Riscure is quite quick, which helps me better support my team, enabling us to reach successful results.
What appealed to you to join Riscure?
Riscure is a knowledgeable company. I was searching for a smaller company with a good vibe and where knowledge is among the top values, and that is Riscure. I knew a few people who were working here, and I spoke to them. For me, it is also important that the people are the main driver and value of the company because that’s what I’ve been looking for. It’s like a family. For example, this morning, we had breakfast with the team because we love to be together and talk about different things and our diverse backgrounds. Everyone can find their way at Riscure, and everyone is so supportive of each other.
What is Riscure like internally?
Riscure is growing fast. Of course, for some people who have been here for a long time, it feels like the values are changing. But we do still have the family vibe. We do still have this connection to the people. As the company is evolving, we are getting more structured, and it is partly my responsibility as well. So with that, it’s my role to bring structure. We are all very passionate, driven, and a bit chaotic at Riscure. The structure doesn’t always fulfill our immediate needs. But if you want to have more impact on global security, we need to take certain steps. We might be changing a bit, but it is for good. And while we change, the core values remain.
How would you define the device security industry?
As I work in certification, it is easy to answer: your device has to fulfill certain requirements of a specific scheme. It has to be up to a standard given by the industry, for example, Common Criteria, EMVCo, SESIP, or others. So in my work, not having security certification means that your development might not be on the industry level.
Currently, the industry is booming, and many IoT-specific certifications are appearing on the market. A computer chip is now in everything: our phones, cars, and cameras. We need to be sure that all these devices are secure. But developers don’t want to spend too much effort and money on such complex certifications as Common Criteria. In many cases, other schemes can be based on Common Criteria but focus on particular device aspects, making them much more specific, taking less time, but being sufficient for a specific development. For example, if you need to certify a web camera for $20, you don’t want to spend a million on doing that. So a developer focuses the effort on ensuring that specific components are secured. Although the standard is more focused, it is in line with the level of security the end consumer needs.
That is what’s happening now. Newer, IoT-specific certifications are being introduced on the basis of Common Criteria, which puts Riscure in a very good spot. We started with Common Criteria, and now we can easily swim in the sea when new things are introduced. The reason behind this is that we understand the big picture, which makes it easier to reduce the scope to combine the project with other certifications if needed. Furthermore, it is faster and cheaper for us to complete such projects as working with Common Criteria taught us to work smart.
Working with emerging IoT-specific certifications, our team aims to secure the devices by focusing on the use case rather than lowering the security standards. These certifications, therefore, might not be enough for securing a phone chip but sufficient for a refrigerator that does not store much private information.
Does certification have equal importance in all markets?
It should. I believe that certifications are a way to show the consumer that they are in good hands, as the developer has considered the security of their product. So I think that everything should have a certain standard. How strict the certification rules are or how much testing is needed can differ from product to product, but everything needs to have a level of security certification.
What makes Riscure certification services stand out?
A few things come to mind. First of all – we care. Even though I think certification is important, it is more important that the customer is happy. And by the customer, I do not only mean the developer but also the end user. So if we see some flaws, we ensure that those are taken care of, even if it is not part of the certification process. Therefore, if we in the certification team see some problems arise with the product, we recommend that the customer works with our non-certification team or internally to fix these problems.
Riscure is also one of the very few labs that provide services for both high-level Common Criteria certifications as well as emerging IoT-specific ones. One of the reasons why we are able to pull off both the high-level and the new, more specific projects is that we are smart in the way we combine things and help the customer reach all their goals, even if that includes covering multiple market needs. In other words, we are also very flexible. Our expert team makes it easier to approach the project puzzle in a smart way – and that is our advantage.
What does a regular certification project look like?
There’s never a regular project. But there are usually two main types of customer. First, a big customer has already been through the certification process and therefore knows what they want and what they need to receive the certification. They know exactly what they have to provide and what the scheme requirements are. So whatever happens, whatever we encounter during the process, the developer is ready, as they have done it a few times before. These are usually smoother projects for all parties.
There are very few developers like that, though. Most of the customers are new to certification or only do it occasionally. Some of them may also need advice on what to certify exactly. So some projects start with the certification planning and process right away. However, other projects may start with the Riscure non-certification team, which helps the customer prepare for the certification. For example, Common Criteria is very broad and even considers communications and operations within the company; an average developer is unaware of that. So we have to support them. We must ensure that the processes are in place and that the product in question is ready for evaluation. And only then, after a long journey, the certification team comes in, and we start the certification process. In the certification process, my role is to be a facilitator. Riscure is in the middle between the certifier and the developer, and I ensure that the communication between all parties is clear and consistent.
In the Common Criteria, for example, there are three big milestones. For the first part, we have to show that we understand what the device is, how it’s built and how it works. This is important to illustrate that we know what security properties need to be tested and what actually will be certified. This first part is quite big and often involves a lot of reading and learning about the device. The second part is vulnerability analysis, where we see if the device is secure enough. In this part, we may find flaws, and we return to the developer with the completed vulnerability analysis and prepare for the device’s testing against the scheme’s requirements. After we agree with the certifier on the first two steps, we start testing. Honestly, we put our sweat and tears into testing because we want to ensure the device is indeed secured up to a claimed level when it goes to the market. We present our results to the certifier, which is when the project is concluded.
Sometimes the project can go wrong. There are a few ways we approach such situations. It happens that we may drop the project altogether. That is unfortunate, but one cannot easily fix a flaw found in the hardware. Then the customer has to start the project from the beginning and come back to us, sometimes in a few years. This is the worst-case scenario, but I have never encountered it yet. Another scenario that happens more often is that we find a potential issue that can be fixed in a feasible time frame. Then the certification process is paused until the developer can fix the issue, and we help them in this process if needed. This pause can take a few months and is not easy, but it is sometimes necessary for achieving a certain level of security.
I also had one project we managed to do in 1.5 months. We had a very lean team of myself and two more experts. The communication with the customer was very direct. The customer was so interested, eager, and fast at fixing things. Working with them was very enjoyable because they were determined to receive the certification fast. Communication with the scheme was also very efficient, as we had a good relationship and were very supportive and quick. Usually, such a project would take around 3-4 months, so we were honest with the customer from the beginning that their timeline could be challenging—basically a Mission Impossible. In the end, we had such a quick and successful project, as the collaboration was so strong on all sides.
What are the current and future developments in the security certification industry?
The good thing is that technology is evolving, and we have more things that support our lives as end users. At the same time, the challenge is that the more technology evolves, the more vulnerabilities are available for adversaries to exploit. So as a user, you are becoming more vulnerable. Therefore, for companies like Riscure, it is a race to stay ahead of the bad guys. We need to learn quicker and quicker. We need to work faster and not only rely on our knowledge but also streamline and automate as many things as possible without tools.