We’re lucky enough to share an office with our sister company, Syndis, and get access to their experience and expertise in the security industry. Their team lead/security engineer, Bergsteinn, used to be a police officer here in Iceland and we were interested to pick his brain about the similarities between “physical” security and cybersecurity. Bergsteinn worked in law enforcement for ten years and then completed a BS in computer science alongside continuing to work in the police. As someone with his background, he wanted to pursue a career in security and when a job became available with the security consulting firm, Syndis, he jumped at the opportunity to tackle security from new angles.
Bergsteinn says that of course many aspects of his job at the police and his new career as a security engineer are different. When working for the police there are strict rules and obligations to follow, as one would expect. Working as a security engineer, however, he has more flexibility to be creative in how to do the job, for instance by developing tools and solutions to make things better and more efficient. The pentests and security assessments that take place in the world of cybersecurity are also not very relatable to police work.
That said, a lot of what he learned in the police has helped him with his career in cybersecurity. He says that you get certain insights into people in general and how they act under pressure. This has helped him deal with some of the incidents he’s encountered since working at Syndis as he can go beyond the technical aspect of his job and also provide some psychological first aid to employees of companies experiencing a data breach and help to calm and neutralize the situation.
But despite the differences in the daily aspects of the job, the overall mindset and need to think critically are much the same. He reiterates that it’s important to take an evidence-based approach to incidents and that preventative education is a key part of reducing the likelihood of a breach in the future.
Bergsteinn says that how he approaches his work as a security engineer is very similar to his approach in the police. It’s important to take an evidence-based approach to the situations he encounters at Syndis, as well as to think critically. These are skills that all security engineers should have, but for Bergsteinn this mindset was already developed.
He says that his security work around data breaches and incident response is not very different from forensic work in the police. At the end of the day, they are trying to uncover and tell the story of the crime, while keeping the integrity of the evidence. It’s essentially fact-based detective work. You need to investigate and find the root cause of the issue and address that before anything else.
It’s also important to bring a healthy dose of cynicism at times. If you get an application to test that seems really good and is said to be 100% secure by its manufacturer, you still take it with a grain of salt. It’s your job to find what is wrong and where the vulnerabilities are, even if it seems perfect. The real worth is seeing the application for what it is rather than how it’s presented by those who wrote it.
At Syndis they often have customers who have experienced a breach. One of their jobs is to give them recommendations on how to mitigate similar incidents happening again down the road. Bergsteinn says that it’s not that different to when he went to kindergartens to teach kids about road safety.
If you take traffic accidents, for example, one of the jobs of the police is to inform the public about what can happen and what to do to prevent them as best as possible. It’s similar with security engineers: they know what kinds of things can happen through experience. When things happen people sometimes call in consultants like Syndis, so they’re always learning more and more about potential threats. That means they can also educate people, along with the help of Adversary, so that they can be better prepared to prevent incidents in the future.
Bergsteinn emphasizes that you can’t truly be secure by just having a third party do a pentest every 10 years and ticking a box. Of course, doing that is one of many actions you can take, but companies become secure by making it relevant and making people know it matters. It’s important for everyone to understand that it’s a group effort and each and every employee is involved.
Let’s take the example of fatal car crashes here in Iceland. They’ve gone down a lot simply through preventive ads and preventive work. That’s key.
“What Adversary is doing is preventive work. We’re basically teaching people how to wear a seatbelt. If everyone’s wearing a seatbelt, there’s a much better chance of getting home safe.”