
Janakan Nadarajah in conversation with Koert Wilmink, Global IT Infrastructure and Security Manager, Fugro
by Secon
JN: Tell us a bit about yourself and how you came into information technology and security?
KW: I started my career in 1986, so it’s a long time ago. I started as a Unix engineer, I still remember it, AT&T System V Release 4. I was also introduced to TCP/IP. There was a lot of serial networking in those days. There was hardly any TCP/IP, so I was introduced to TCP/IP and networking. That’s how I started and grew in IT.
I did infrastructure security for many years, but for the last 25 years, it’s been more senior leadership roles, especially global roles. And I’m now five months with Fugro, it’s a very exciting company and security there is very important.
How I started with security in those days was with a book written by Clifford Stoll. I don’t know if you remember that from 1989. It was called The Cuckoo’s Egg. It was the first book I think there was about espionage and hacking and was about a German that hacked into American universities and military systems and sold that information to Russia, to the KGB. But in those days, hacking and security was already important.
I moved from Unix into networking because there was nobody there who knew anything about TCP/IP, so I was introducing security as well. I was in Silicon Valley with Netscape, and also with Internet Security Scanner, ISS in those days, and I think I was the first certified person in the Netherlands for the Check Point 1 Firewall, so that’s how I was introduced into security and a lot of the challenges are still the same.
I had the chance also to move into the SAP space and do SAP implementation in Europe. I like infrastructure security. It’s just fantastic, right?
JN: You’re part of a large enterprise organisation with a global footprint. How do you make sure that security remains consistent across a global enterprise and how do you address the regional variations and requirements across different parts of the global estate?
KW: In my 25 years of experience in global roles, there are many areas, right? You have local laws and regulations you have to adhere to, so in some cases data needs to stay local. You have data retention policies and in some countries it’s seven years or some places it’s about 10 years. In most cases about security compliance, I’ve got legal involved, especially when I’m doing large contracts, it’s important. That’s a legal issue and these vendors understand that they have to adhere to local law, and I’ll make sure that’s covered in the contracts as well.
That’s what I’m doing mainly and it’s the experience of other vendors as well to help us out. That’s the main part and for the rest it’s setting policies, global policies as much as possible.
My previous company did growth by acquisition, so we had many small companies. I consolidated all infrastructure globally to be centrally managed. So, it’s all about setting the right policies and standards and only deviating by exception if it’s required because of local laws or local regulations.
In most cases it’s a regional approach. Actually, if you’re regional, you’re using maybe private cloud, you’re using public cloud, but you always need some local presence, especially in some countries.
JN: Secon Cyber has been in cyber security for over 22 years; however, as this industry grows, we probably have 10 new organisations joining the industry every day. As a consumer, how do you decide who is the right partner or make sure something is fit for your organisation?
KW: It’s talking to a lot of vendors, right? It’s about technology as well, but there’s also cultural fit which is very important. And as an example, you at Secon Cyber, there’s already a long relationship so there’s also trust and you share what you know, your knowledge, your experience, which creates a partnership, which is important I think.
When I’m looking at what’s out there, I’m talking to a lot of vendors. I’ve got good architecture, and my team has got a lot of knowledge so they can challenge those vendors as well and understand if what they’re telling us makes sense.
But I’m looking at partnerships, I think that’s important, and not looking at vendors, because then we understand how we can help each other.
JN: Now looking to the future and one of the challenges that we see, and I’m sure you’ve also come across this, is a scarcity of talent in this industry. Based on your experience, how do you prepare the next generation of cyber security professionals for where we’re heading?
KW: I was referring to that book The Cuckoo’s Egg, maybe please read that book! But there’s also more books available nowadays. There are many journalists that wrote books about military agencies and what’s happening with Russia, North Korea, China; there’s a war going on on the Internet. They try to get into companies, large companies, to get intellectual property or to know what’s going on.
I tell them to read what’s really going on, and then you’ll get excited, and you’ll understand the importance, and then you can tell a story to your stakeholders as well. That’s what I’m doing. I’m telling them, you know what’s going on out there, it’s just a matter of time, right? So we have to protect ourselves.
JN: On the same theme of what you’ve just covered, as a cyber security professional, do you see cyber security professionals as security or technology focused?
KW: It’s a good question. I think it’s more security related, right? So they need to understand hacking patterns and how hackers are approaching companies. They need to understand that part and then the technology part, deep technology part, if you need to do something on a switch or whatever, that’s technology. Security is totally different. You need to have that oversight and understand what’s going on and understand those hackers and what they’re doing.
JN: Focusing on the future and looking ahead into 2022, what’s your guidance for security leaders? What should they focus on in 2022 to make sure they’re solving those challenges? What would your recommendations be?
KW: There are many aspects of course for security, but I think it’s more and more important to train and educate our users or people. The number of phishing attacks is increasing rapidly. Keep educating your people, training, doing tests. Ransomware attacks will increase as well so we have to increase our security posture, and use multifactor authentication everywhere.
One of the biggest challenges is operational technology. I think in the future, there are risks there and we should really be separating OT from IT. In many industries you still have industry devices or IoT devices running on very old hardware or old operating systems, so you need to do something about it, separated from the rest of your environment.
Look at your investment, build out your SCADA, ICS, and IoT security expertise. Get the right expertise in. I just published six vacancies on LinkedIn so I’m adding resources, I’m adding knowledge, expertise - OT, cloud, we need to invest there.
Also to start consulting with government bodies, a UFD industrial control system, and a cyber emergency response team; be proud to implement standards. Around that, it’s getting more and more important for the future.
Maybe some of the systems aren’t so important if they get compromised, but it’s still the name of your company that’s out there on the news. That’s the highest impact, so that’s not what you want.