Nisrine Jafri is a Senior Security Analyst and Evaluator at Riscure. After switching from academia to industry work 2 years ago, Nisrine has been mainly working on Certification projects at Riscure. We sat down with Nisrine to discuss her experience in the industry, perception of the role of certification, and journey as a woman in tech.
How did you join Riscure?
It was actually a funny story. During my PhD, I used to read a lot of research papers published by Riscure employees. There were some papers that I really like and some of them were even my main references in my PhD thesis. So I looked into what Riscure does and it appealed to me with the projects that aligned with my expertise, and research, and generally seemed like a lot of fun. However, at that point in my life, I decided to stay in academia and started a Post-Doc.
However, I was sometimes losing motivation, and working in academia can be very lonely, as you mostly work on your own. So when a recruiter reached out to me with an opportunity to join Riscure, I decided to go for it and just see if I can even get it. To my surprise, in 2 weeks I received an offer and that is how I was suddenly moving to the Netherlands and switching paths in my career.
What is Riscure like internally?
Right when I joined, I realized that Riscure was exactly what I was looking for. For me to feel good at work and be successful it is vital to get along with the people that I work with. At Riscure, with many people, you can also become more than just colleagues, but friends and I really enjoy it. It is also generally just a lot of fun.
At the same time, compared to academia, where one research can take years, the projects at Riscure are rather short-term. The quick turnover of certification projects keeps me motivated and excited to be working on something new every time.
What is device security?
Security is not an exact science. Device security is actually what the developer claims their device is secured against. This way, the certification doesn’t mean that the device is 100% secure, as that is also simply not possible. However, it means that it conforms to the scheme requirement for the specified certification level. For example, the certification can state that the sensitive data is protected in the device because it went through the full process that showed that we cannot extract this information. You may say that certifications are bound to the security objective and scope that is being tested during the evaluation process. These objectives and scope depend on the certification, its level, and requirements. So as my job, I evaluate devices to make sure that they respond to the requirements.
What certifications are there in the industry?
There are many different certifications, but I usually work on Common Criteria, SESIP, and EMVCo projects. All of these are different schemes. Common Criteria is one of the largest certification schemes and it is also recognized in many countries. SESIP is a sort of version of Common Criteria targeted for IoT devices. Common Criteria can be quite complex, while IoT devices are often rather simple. Therefore, SESIP was introduced as a certification with a simplified process that is also faster and cheaper. EMVCo is mainly created for payment solutions. Each of these schemes has its own requirements for products and evaluation processes. In these projects, I am usually involved in the evaluation and testing parts.
Who should consider certification for their devices?
At this point, certification is recommended for everyone. However, some markets have it as a requirement and in 2024 it will also become a European requirement for IoT devices. This means that to have devices in the market in some countries, devices will need to go through the certification process. It also refers to some specific components. If the device needs to get a certification, its individual components produced by a third party also need to be certified. For companies that are not required to get a certification, it is still recommended to go through the process not only to ensure that the device is secured against requirements but also to increase the success and reputation of the device in the market.
In the upcoming years, more legislation and regulation for certifications in different industries can impact the industry quite majorly. Right now, having a certification is often an advantage and a standing-out point for some companies. However, with it being a requirement, this advantage will be minimized.
One of the often discussed topics in the tech industry is Women in Tech. So what is it like being a woman in the technical industry?
I actually think that this topic is a bit outdated to discuss. Indeed, historically, the tech industry was male-dominated. However, over the years the industry has been becoming more balanced. I, personally, have never struggled to fit in during my studies or work, even though I was often the only or one of the few females around. The women in tech discussion started when the industry was much more unbalanced and it was vital to inspire other women to pursue careers in tech and balance the industry. But lately, more and more attention often has a negative effect on women in the tech industry. It is sometimes portrayed that we are only here because of diversity. However, we are here because we are equally smart and capable of doing this job.
Of course, there are still countries and companies where women face challenges to reach the same successes a man would. In my case, it was maybe a bit of a cultural difference from my home country, which is often very men-focused. Since I was young, I wanted to prove that I do as much as men do and more. This has motivated me over the years and has got me where I am. However, on my path, I have not come across challenges from the industry that could prevent me from achieving my goals.
What is the best thing about being a woman in tech?
I think what makes me the proudest is being an example to other girls. Many girls are told that they can’t achieve much or they are not smart enough, and I’m happy to show them that it is not true. That women are as smart and capable as men and that there is nothing that should hold them back from following their dreams. But you need to work hard. I achieved what I have by working and putting in the effort, and so did my male colleagues. Gender doesn’t define what we achieve, but the amount of effort we put into it does.