How did you join Riscure?
I was working in a research institute called TNO, where I was doing chip security testing in a group of 10 people. One of those people was Marc Witteman, who eventually left the company to start Riscure. After a few years working at TNO, I realized that I was not performing at the technical level I wanted. At the same time, I was interested in the customer side of work. So I made a shift into project management and then sales. When I was looking for another job, I reached out to Marc, who had already started Riscure a few years prior. One thing led to another, and I joined Riscure to start the sales team. I was the only salesperson for a while, but then we continued growing and are still growing to this day with a sales team of over 20 people.
What is Riscure like and how has it changed over the years?
When I joined Riscure, we had about 15 people. While the company where I worked before was much bigger than Riscure, our team was similar in size and vibe. And as most small groups of technical people are, we all liked hacking, talking about it, and doing all kinds of projects that no one ever did before. So it wasn’t a big shift for me in the internal culture when I joined Riscure. Since then, Riscure grew much bigger. There is a big difference between working with a group of 15 people and 200 people based on three different continents.
As Riscure was growing, many changes were coming up, including the need to become more professional. More structures have been introduced, which is not always easy for everyone. We all understood that those procedures and structures were needed in a larger company, but it took some time to get used to them. Still, Riscure has a very strong and unique culture. I am still often amazed and enjoy seeing how strong the team spirit can be, and how people are standing up for one another.
How would you define the device security industry?
Device security may entail two parts. On the technical side, it often refers to attacks and countermeasures on the hardware and software within the device. If a product contains enough countermeasures to stop the attackers, then you have achieved an adequate security level. This is where device security is often confused with absolute security.
In my opinion, the required level of security depends on the device itself, its assets, and its application. The absolute, 100% security is not attainable and not affordable. Instead, our goal is to support our customers in bringing their security to the level required for their business, their application, and their users, while we continue our innovations to help them stay ahead of the constantly evolving security threat landscape.
What is the role of certification in security?
Certifications provide assurance against a specific requirements threat level, therefore validating the security of specific components. In the certification process, products are certified against certain assumptions and certain requirements depending on the industry and product. So, Riscure supports its customers to provide evidence that they meet the requirements of the certification program. People are often surprised that certified products can be broken, but certification never implies that the device is unbreakable.
How has the security industry evolved over the years?
Back in 1993, when I joined the security industry, I was doing hardware security testing of the first-generation payment chip cards. At that time, there were little to no security requirements. There were no international working groups, but only a few labs around the world testing the security of those chips and applications. Since then, the industry has matured a lot. If the devices that are produced now were tested 30 years ago, I’m sure we would not have been able to break them. The security level of secure microcontrollers has increased significantly.
While some markets, like payment, have improved the security of their solutions, other markets did not even exist 10 years ago: for example, connected smart meters. So, when new markets appear, they make similar mistakes as the existing ones did when they started. Following the pattern, those smart meters are now much more secure than 10 years ago. The same happens in every market. They all go through the same learning curve. After so much learning in the industry, newer industries catch up faster.
Another current trend is the rise of certification, especially in IoT. There are all kinds of certification programs popping up. There are new schemes, like SESIP and PSA Certified, and obviously older ones, like Common Criteria. At the same time, the availability of evaluation resources is not growing as fast. If you look at the number of labs around the world, it is not rising as fast as the demand for certification. They are growing slowly because people need to be trained and get experience.
This rapid rise in certification demand comes from the fact that the world is becoming much more connected. People are becoming more concerned with their privacy and the security of their assets, which makes companies and governments concerned as well. Certifications play a vital role, as they enforce the required security level of products within the industry. Otherwise, devices can be tested in different ways that show incomparable results. So I think certification, in general, creates a sort of structure, so that all products in a particular category are measured and compared in a similar way.
How do you see the future of the security industry?
In detail, security developments are unique for each industry. In payment, for example, the mobile phone or tablet is becoming the next point-of-sale terminal. The next step could be using biometrics or even your car to make a payment. These developments don’t yet have specific standards or certifications that they need to follow, but in the future, these may become important and have their separate certifications.
However, a general trend is a growing need for security in all markets that utilize connected devices, such as IoT, medical and automotive. We are addressing this by scaling our security knowledge. We are developing test tools and combining them with our services, such as pre-silicon SCA and FI testing. As classroom training does not scale, our focus is on online and hybrid learning programs. The demand for innovative learning will further increase and Riscure Academy will find ways to keep innovating.
As a lab we need to stay relevant in the market, to drive security forward. There are customers that are committed to security, and in our partnerships, we test beyond certifications to help them achieve the highest level of security. However, certifying products is also vital, as it increases the security of the overall market, and we want to contribute to that. So with the changes I expect in the future, Riscure will not really have to change its ways, but we will continue to stay on the front line of innovation, so we will keep up with the latest security techniques in our services, tools, and training.