Nikola Medic, Director of Sales Certification at Riscure, has been helping customers find the best way to meet their product deployment objectives for more than 5 years. In this interview, Nikola shares his experience with Riscure and explains the significance of Common Criteria certification.
How did you join Riscure?
It is a bit of an unusual story. Some of my friends, who work at Riscure, concluded over a beer that I could be a perfect match for an open position Riscure had at the time. I was referred for the job, and the next day there was already a meeting invitation in my inbox. The interview process was more of an open discussion on what Riscure does, what the industry is all about, and the impact that we make, rather than responding to typical career questions. Interestingly enough, I was the one asking most of the questions in the first interview. After the meeting, Pascal, my manager, gave me a book to read to see if I found the material interesting. I found it fascinating and, of course, had even more questions after reading it. After a couple more meetings and a full day of assessments, I was offered the job. Five years later, quick reading skills and a willingness to ask the right questions are still proving to be very useful in day-to-day operations at Riscure.
What is Riscure like?
My first impression of Riscure was influenced by my previous professional experiences. I was used to a very formal business setting. For a serious company moving the existing boundaries and setting new standards, I found Riscure very relaxed and kind. To me, Riscure’s culture at first seemed a bit like a hippie village. The culture is changing now, which is to be expected with its growth. I think it’s moving from creative to active, trying to add structures that will support the knowledge and skill sets we have. Every development and change will naturally carry some negative aspects, but the ‘hippie village’ mentality, creativity, raw power, and knowledge that got me to enjoy my journey at Riscure are still present.
Which teams were you part of at Riscure?
I started my Riscure adventure as an Account Manager for one of our top customers at the time in the Media and Entertainment business team. I was interested in investigating what kind of relationship we wanted to build with media operators and how to boost cooperation internally with other departments. This part of my journey was interesting as I was learning all the intricacies of how communication works in the security industry.
In early 2018 I was introduced to Common Criteria evaluations, and part of my time was dedicated to further developing Riscure’s presence in that market. I quickly realized that operating in formal programs brings additional layers of complexity we hadn’t faced before. Moreover, the Common Criteria certification space had large players with a decade’s experience advantage over Riscure. Most of the time it felt like entering the MMA ring with a well-seasoned fighter who holds a grudge against you. My Common Criteria ride was bumpy from the start, with some serious hiccups from time to time, but there is a saying a wise man in my previous job shared: “The worst thing that can happen to you is to succeed the first time you try something.” I think that this perspective did help along the way to reaching the current status Riscure has in the Common Criteria field, which is reflected in the fact that in June 2022, more than 50% of ongoing campaigns in the Netherlands were being executed by Riscure.
Tell us more about Common Criteria
Common Criteria is one of the leading IT security evaluation and certification programs in the market. The standard was developed a while ago by leading experts with the focus on creating a language and a framework that allows for good quality security evaluations. The standard focuses on security principles and supports the evaluators in covering more ground when evaluating concrete security functionality in the product. Common Criteria is still relevant as it was designed to support the changes in technology and target functionalities, which is something that some of the modern programs are missing.
An interesting fact is that almost all of the new standards that are seeing traction in the market have been built on the base of Common Criteria, usually by removing assurance classes that do not bring value equal to the investment that is made to meet them. For many market participants and newly added team members, it is important to distinguish Common Criteria from security requirements. Common Criteria can be best described as a language, while concrete security requirements for a specific product come in the form of Protection Profile documents. In order for users and the wider market to use a specific set of security requirements or Protection Profile document, it usually needs to be developed and agreed on by industry-wide consortiums and the most relevant stakeholders, which incentivizes wider collaboration in this field.
What is it like to work in the device security industry?
People we meet outside of Riscure usually assume there needs to be a security checklist. I do not agree that such an approach covers all the important aspects, at least not yet. Security, for me, is not black and white, even though it is very often presented as such. Most of the time, our partners, and Riscure with them, are fighting against moving targets, trying to reach higher levels of quality than our rivals. Next to that, the landscape is constantly shifting, with many boundaries being challenged. For example, we used to evaluate Trusted Execution Environments (TEEs) in mobile phones, and now the same technology is finding its way into Automotive. These kinds of shifts allow us to extrapolate our expertise to new use cases and help more vendors provide better security to final users. What I particularly enjoy is that the majority of work at Riscure is done in cooperation with seasoned market players, helping them further elevate the security of their products. However, we also know that “hard-coded passwords” is still a prominent topic at industry events, showcasing that the majority of developers still have a long way to go. Going forward, I believe that the mostly black and white world of security will really benefit from the additional colors Riscure is bringing to the picture.
What is the role of certification in the security industry?
I think the need for certification is the most natural need we as human beings have and understand. When we have internal talent development or training at Riscure, one of the first questions participants ask is: “Will I get a certificate for this that I can post on my LinkedIn?” Most of the companies we work with are relentlessly investing in making their devices more secure. So naturally, they want to have that official piece of recognition that they can show to the market, saying, “We’re doing a good job and our products are fulfilling these requirements.” That is what certificates are used for.
A side effect of well-established certification programs is that, over time, they influence the levels of security provided to the market. That is where Riscure’s key value comes into play. When a company evaluates their product with a partner with good customer orientation and security mindset, the company can continue improving the functionality and security of the product before and after they receive certification, usually benefiting subsequent product versions. Riscure’s focus is on developing long-term partnerships, where joint efforts bring developments not only on the security front but also on many others.
How are Riscure’s services different from those of other labs?
Certifying the product with Riscure provides a high level of security assurance and easy replication of certification activities with other approval entities and in different contexts. For example, a Common Criteria certificate received in the Netherlands can be easily translated, with less time and effort required, into a Common Criteria certificate in Singapore or a GSMA eSA, EMVCo or SESIP certificate, depending on the customer’s needs. Riscure experts are very thorough and knowledgeable in their work, and when it comes to security, critical items and security fundamentals are always properly covered. That automatically translates into lower residual risk for our partners once the evaluation results are provided. We are also very hungry for knowledge, so we use every interaction and cooperation with our partners to further expand and share our knowledge about security and where it is going.
How do you go about building a good, strong relationship?
Well, I do believe it’s simple. The main thing is to actively try to understand what the other party is aiming to do and what prevents them from reaching their goal. And then you figure out what can get them there and how we can help. In the long term, it is very important to keep your promises, always promote open and clear communication, and over time people realize you are keeping their best interests at heart, even if helping our partners find the most optimal solution means not working with the Certification team at Riscure. For example, we sometimes realize that our partners or their subcontractors are very new to the security landscape, and an in-depth security evaluation would just tip them over the edge and discourage them from further progress. In these situations, they can benefit more from lower-level evaluations or automated code checks like Riscure True Code. Then when the code or the product is more mature, the customer is ready for an in-depth service project, and we help them prepare for the next steps.
What are the recent and future important industry developments?
The industry is developing very fast, and additionally, I believe Covid introduced one of the shortest learning curves in history, where everyone had to learn how to use technology in less than three months. This resulted, among many other things, in the proliferation of contactless payment solutions and in moving the work environment and communication to solutions supporting long-distance connections. Next to that, if we look into everyday things: a car is starting to look more like a computer than it resembles a classical car, and a wallet looks more like a mobile phone than it resembles a classical wallet. Because of the additional complexity of new technology, the effect on security, in the short term, is positive. However, the attackers are developing at the same speed as vendors and we do. We already see quite some developments where it is possible to buy cheaper tools to perform attacks. We see quite a number of websites and internet repositories where you can find information about the attacks, which makes that knowledge easier to acquire for somebody with a malevolent mindset. We see that certification programs are following the advancements in technology, but we also need to make sure the efforts are aligned, as we want to prevent the situation where we are going fast in opposite directions.