For the time being I’ll keep doing all sorts of different things I find interesting.
09 October 2017
Author: Security Talent

For the time being I’ll keep doing all sorts of different things I find interesting.

When you complete the infamous Kerckhoffs master, a well renowned name in the security scene it's obvious that you will need a good challenge when you start your career. Erwin found this challenge at TNO where he started as a researcher and security consultant. Read how he got there and what kind of challenges he encounters in his work.
Erwin Middelesch
Researcher and Security consultant

University of Twente BSc Computer Science


University of Twente MSc Information Security Technology (Kerkckhoffs Master)


The Kerckhoffs Institute Master was a specialisation and partnership of 3 TU's


Researcher and Security Consultant, what does that mean?


As a security consultant at TNO I answer the complex questions on the subject of security for clients. Questions like “how can we make sure that our network is still as up to date 5 years from now as it is today?” Or the military knocks on our door asking how they can make a certain weapon system cyber secure. We start with getting our documentation in order before we begin our research. The core business of TNO is applying knowledge, bridging the gap between hard-core research and business. We do not engage in fundamental research but rather put the research done by others into practice. Taking elements of the more fundamental research and translating that into innovative concepts that can be put into practice. Often this kind of research consists of theoretical models that have not been tested in real life but only in simulations. We put those models to the test. I have a lot of variation in the kind of work I do. One day can be filled with brainstorm sessions while other days I’m visiting clients or really do research on a certain topic to get to the bottom of it.


What kind of projects are you involved with?


I mostly work for the banking sector, Ministry of Defence and telecom operators. I cannot discuss the work I do for the defence part in too much detail. That can be difficult at times because it is such an interesting client with a lot of exciting things to work on. You get to go to special places I would otherwise never be able to visit. That really makes my job interesting.


For the telecom operators I’m mostly busy with the development of patents and building demo’s. The demo’s are important to show that the patents we come up with actually work. This research is mostly done with my colleagues from TNO’s Networks department. They have built their own LTE network which we use to build our concepts on. It’s really unique in the sense that there is a special combination of people with different backgrounds that you can collaborate with at TNO. It allows you to quickly discover and learn new subjects. When I started at TNO I knew nothing about mobile technology and now I’m involved in developing new standards.


With regards to the projects we do for banks it’s a combination of research that is open and projects that have to stay behind closed doors. How their networks are designed and what kind of measures they have implemented to detect certain types of fraud has to be kept a secret. If criminals find out, those measures are not effective anymore.


Publishing research on detecting malware on networks is helping everyone and it’s not really secretive. One of the things we look at is what connections systems within the company network make. With the current security products, the focus is mostly on the connection to the internet. We think that this market is pretty saturated, with firewalls and intrusion detection products for example. There are so many different products on sale, but not yet products that focus on traffic within the network. So that’s why we do research on that subject. For example, checking if systems on the network suddenly start communicating with other systems within the network or that they go to fileservers that they normally would not go to.


I work with a lot of enthusiastic people that are experts in their field and are really high qualified. You can learn so much in such an environment, I don’t think there are much companies like this besides TNO.




Why did you pursue this career?


Cybersecurity caught my attention. The challenges that come with it, learning to hack a system and the variety of tasks. It’s a large domain but still feels compact. There are so many aspects to information security that make it challenging and diverse but you can still really dive into a subject. For example, malware detection is completely different from cryptography, the security of hardware or access to systems. It’s all security but at the same time every subject is an expertise in and of itself.


I try to do everything I like. If something interesting crosses my path I have the freedom to get started on that particular project. Some people like to really dive deep into one topic. They are internationally considered as the top experts on their subject. Perhaps I come across a subject I like that much one day, but for the time being I’ll keep doing all sorts of different things I find interesting.




Can you name a milestone in your career?


I think when I was on board of a Royal navy ship. Last year I spent some time aboard a naval ship to get an idea of the context of the assignment. Being with the people that work on them and really getting to learn the environment where the projects I work on find their way to was cool. Not just sitting behind a desk and coming up with ideas, but actually being there and getting an idea of the activities and helping the people there. It’s not a place you would normally come. A unique opportunity and experience.


How will your industry or job in particular change over the next few years? How do you keep up?


More and more tasks will be automated with machine learning and artificial intelligence, and new techniques will be applied to cyber security. The amount of available data will only increase up to a point where we cannot process it manually. Alerts from security systems will increase accordingly and we’re trying to figure out if we can find ways to cope with these developments. Trying to find out if there are smarter ways to contain the flow of information or deal with it in a more effective and efficient way.


I keep up by reading a lot. There is so much information available on the internet. You really have to put in time, reading news articles and blog in order to keep up. I started experimenting with computers as a little kid and eventually started with a study in computer science and consequently found a job in IT.


Also sometimes I follow courses on a specific subject. Last year I did a course on network security. If you work on a certain project and there is a specific relevant training, TNO always encourages and supports you to do that training. For example some of my colleagues are currently busy with OSCP, a pentesting course.




How did finding a job after your study go?


During my study I met someone who is now a colleague of mine at TNO. He gave lectures for one of the courses in my study. We got in touch and via him I got to do my graduation assignment at TNO. After that assignment I was offered a job and that’s how I ended up at TNO.


I think for a lot of my fellow students it went kind of similar. Most of them already found a job before they graduated. Also, looking at posts on LinkedIn I don’t have to worry about being unemployed in the near future. It’s not that everybody gets a job that easy though. You do actually have to be capable, otherwise you’ll be surpassed. There are high expectations, you’re really expected to bring something to the table. You’re expected to be able to contribute on many levels and various topics. Knowing just a little bit about crypto does not make you a security expert in that respect.


Do you have any tips for up-and-coming talent?

Try to do hobby projects. There is so much to be found on the internet. Courses and online tools to teach yourself skills that are useful for your career. You really get a head start on your competition if you gained some experience outside of your education’s curriculum. I think that I learned just as much useful skills online as I did in my entire study.

For the time being I’ll keep doing all sorts of different things I find interesting.