Rafael, who originally joined Riscure as a security analyst in 2013, was one of the creators of Riscure Academy. After working for a while as part of a customer-experience team, teaching customers how to work with Riscure Tools and educating them on various security topics, he and his colleagues created a series of successful security trainings. That small unit grew and is now known as Riscure Academy, where Rafael is a principal trainer. We asked Rafael about his journey at Riscure and his views on security knowledge sharing. This is what he told us.
Why did you choose Riscure?
A colleague of mine from the university worked at Riscure as a security analyst. He shared with me information about this company, including that they worked with both hardware and software, which is quite rare. First, I did a project at Riscure to test the waters. After the project, I got a job offer and happily accepted it. I stayed at Riscure for so long as it is fun. Even though the definition of what I find to be fun has changed, it still is fun, and I find it very important to enjoy the place and people where I work.
How would you define device security?
Device security means that when you look at the security of a device, you don’t think about fixing one issue, you think of it as a whole product. For example, a TV remote has many buttons and different functions. So device security considers: “How does one use such a remote?” “What is valuable?” “What should be protected in this remote and evaluated from a security point of view?” These considerations are made to avoid harm to users or to device makers. Eventually, such considerations also mean giving the recipes and the knowledge on how you can make devices in a secure way.
It always looks easier than it actually is: the TV remote we talked about may contain encryption keys that can compromise the TV protected content, but perhaps this was not taken into account if you don’t think of “the TV” as a whole product. Years of experience are required to learn and understand how security works in various devices. As humans, we evolve in what we can do, and things that we didn’t think about now maybe are possible in the future when attackers improve. In short, device security is a lot of different activities summarized in the action point that needs to be taken to ensure the security of these devices.
How does one learn and advance their device security skills?
We have to learn. We are not born to be experts in anything. As such, when you want to do device security, the first thing is to be aware that you don’t know certain things. These topics are seldom taught in many formal studies and various university tracks. But the first step has to be evaluating what you don’t know, which can be some theoretical topics, in-depth topics, or engineering aspects. Once you enhance your knowledge in these areas, you become aware of what information you are still lacking to continue learning further. Once you have a solid foundation on what you know and what you require to develop skills, only then you start moving from the knowledge absorption stage to the skills development part. So before moving into implementation, one has to first become good and proficient in the knowledge required for making something secure. It’s a process.
How do you train customers on security matters at Riscure?
To describe it in a nutshell, I would first group trainees into two big groups regarding security expertise: beginners and experts. For the former group we focus mainly on knowledge transfer, as it aims to create foundations on what is the security language, what the commonly used terms are, and what you need to know to talk about security. Depending on the learner’s background, companies’ domain, and existing knowledge, training is adjusted to fit each team’s needs. Experts are people who already work in security but want to stay up-to-date with the evolving game. We always come up with new ways to challenge security. Therefore, we need to stay sharp in skills and knowledge. As a result, the training for experts focuses mostly on skills, development, and refreshing of existing knowledge.
For the perfect result, learners need to cover both steps of training. First, you need to build a solid foundation, but then once you know what you’re doing, you need to stay sharp on developments in the device security game. Riscure covers both training areas, and here we can help our students advance their knowledge and skills. On the one hand, we have many years of expertise that we can share with trainees to help them quickly develop a solid security foundation. On the other hand, we are always playing at the cutting edge, as we as a business also need to stay up-to-date on security changes: these learnings help the expert courses.
How do we train our own colleagues at Riscure?
The challenge that Riscure has is the challenge that all security companies face. An important part of Riscure’s business is the security lab. In order to do evaluations for our customers, we need to train our people. How do we learn as a company? We learn by doing evaluation projects, which can help us understand the emerging security challenges. Imagine we come across a new device. How do we go around it? We’re always playing on the cutting edge, and that’s where we learn. Looking at things that will become a security threat in between half a year to two years gives us an insight into the future of what will happen. We learn from our experience by highlighting learning points in all challenges we come across.
At an employee level, though, the learning and training process is a vital part of our onboarding of new employees. Although most people joining Riscure already have quite some knowledge of device security, they may sometimes lack a foundation in the specific areas Riscure operates in. Therefore, they would first take a few training courses, like the fundamentals of embedded system security. This training is very hands-on with hardware, which can be a great starting point for understanding how different areas of device security work. Following, we host some Q&A sessions that answer all the questions that may not have been covered in the course. Discussing such topics with experienced security analysts enhances the knowledge transfer and gives a clearer understanding of Riscure and its work. Security analysts then take some specialization tracks before they start working on customer projects to strengthen the knowledge. However, learning never stops, it just becomes more of a guidance by a principal or senior security analyst, helping new analysts become proficient. In its place, this proficiency drives research that is done at Riscure.
Over the years, I’ve seen many different companies experiencing the same pitfalls. Most of these problems are already known to Riscure and therefore we try to highlight them to help companies, and especially our customers, avoid mistakes done by others. Knowing these mistakes makes the process a lot shorter. Instead of getting up to speed in three or five years, you get up to speed in one year. It is a huge advantage when you’re playing in a competitive market, and that is where we make an impact. We then enable the market to keep up with the challenges that attackers pose. We indeed drive the security forward, as our logo says. For me personally, I also see it from the perspective of a user. When I buy a phone or pay with a bank card, I trust the security of the devices more, as I have personally trained so many teams working with such devices.
What is your most memorable training with Riscure?
One of the most interesting training courses was the first one I ever delivered at Riscure. That course was about side channel analysis, which teaches how attackers exploit unintended leakage of sensitive information from real devices after they have been manufactured. Our customer openly shared with us they did not know much about security. But they were eager to learn and wanted to grow in this domain. It was quite a challenging course, because we had to close quite a gap in knowledge. But, by the end of the course, even with all the struggles, I saw that they gotten a strong foundation for the growth they wanted and needed. After the course, I didn’t hear from this customer for a long time.
At Riscure, I am always looking for new security targets to use in our training courses. So, I found a random device on the Internet. It turned out to be one of the best devices I have ever tested, security-wise. It was extremely well secured. After some digging, we found that the device was made by those people I trained a few years prior. As a trainer, it gives me a happy feeling to think that I have contributed a bit to the world. These people started from zero and built one of the best devices I’ve seen to date. I am honored to know that I helped them in their growth and progress.
What makes Riscure training stand out?
We talk and teach from experience. Our training courses are based on real expertise and previous trainings that we have done. This builds some trust with customers because they see that we don’t bluff or sell smoke. We don’t want to hurt them or scare them, but we want to show them how to get to a solution. I think that’s the difference because we enable people to find solutions instead of just pointing out what is wrong. Once you understand something and why it happens, you come up with your own solution, which gives companies a competitive edge. Basically, we enable people to find the solutions from a structural point, not just patching things, because this is a never-ending game.
I always test the success of a training on whether trainees can answer what they have learned. If they cannot address the core questions, then this was a useless training. Based on the feedback we get at Riscure Academy from our trainees, this never happens with Riscure Academy customers. Our trainees gather knowledge that they can then apply in their development, which is clear from assessments and their feedback.
How has Riscure and its culture changed over the years?
Riscure changed quite a lot because it grew quite extensively. When I joined, only around 30 people were working here. Now, Riscure has over 150 employees worldwide. Riscure used to be a small family of just two mini teams. But it has also grown in teams and departments. However, the family feel is still there, just maybe on a team level now.
What are some of the major changes in the device security industry in recent years?
If I look at the grand scheme of things, I see two patterns. On one hand, I see security pitfalls as a result of a human error. For example, the security mistake can often be replicated again and again in each new device. We used to have smart cards that were very broken. Nowadays, your banking card is extremely safe and secure. We had set-top boxes or content players like your TV box, and their security was mediocre. Now it’s really secure. Now we have IoT internet-connected things, they are very broken, but they are going to get better. This is the first part of the process, which involves people starting something new. Apparently, we often forget what we have already learned about security. The nice thing is that we are shortening the cycle loop. Although some mistakes are repeated, we are not starting from zero. People are slowly starting to remember past mistakes and to avoid them in new developments. That’s one of the things that is changing.
The other thing is that governments or regulators are becoming more aware of the impact of security. Back in the day, almost no one was paying attention to cyber security attacks, and it has now become a serious concern as everything is connected. Security and especially lack of it suddenly impacts a lot of people. Regulators now act more on protecting users and introduce stricter security requirements. This process will still take time, but it is great to see that it is changing. There is a movement for a push for security. However, some companies are holding back as security can be expensive, and businesses prefer not to slow down their development process. But the benefits outweigh the struggles. So this is also an interesting situation that device security is currently in.
What kind of evolution do you expect in the industry and for Riscure in the future?
I think the cat and mouse game will remain. Attackers will be attacking, and defenders will try to keep up with defender games. It is an unfair game. Attackers need just one way in, but defenders need to protect all of the entrances. There is always a catching-up process that will stay. The difference expected in the future is in the hands of governments or regulatory bodies that are now more aware of security issues. Furthermore, as mentioned, the companies are not starting from scratch anymore, which gives them the chance to make their products more secure and development processes faster.
Things will be secured once security becomes a competitive advantage, once consumers choose Device A instead of Device B based on the device’s security features. When this is the mindset of society, then security will become quite mature.
With both industry and Riscure changes coming up, are you likely to change roles again?
I suppose, yes. Everyone now is desperately searching for people who know cybersecurity. The need is just growing, and the pool of people capable of helping is not covering the demand. Right now, my role is about enabling these structural learning paths. Once we have this in motion, the game may change its habits and rules once again. Enabling others to be able to “stay in the game and up-to-date” is quite a different challenge that may occupy my attention and interest in the future.