You don’t just need to look at ‘how to make’ something but also at ‘how to break’ it.
09 May 2017
Author: Security Talent

Stein is a perfect example of someone who does not have a typical security study but found his way into the security domain through experience and a curiosity for the business. Read his interview to find out how he got to be the Chief Technology Architect at a successful security startup.
Stein Welberg
Chief Technology Architect

Bachelor in Business Information Technology, Twente University

Master in Business Information Technology, Twente University

Chief Technology Architect, what does that mean?

It means being the lead architect of our platform and product. My job is to define the features for our product from a technical and functional perspective. I’m leading the teams that are working on the technical implementation of new features based on our strategy plan and different technologies that are used for the features and products. In the end my primary task is to make sure that our various products and features stay structured in a proper way instead of it becoming something like a spaghetti.


What kind of projects are you involved with?

The projects are very diverse. In my role as CTA I’m also the team lead for our mobile development team. We offer a server part and a mobile software development kit. It eventually means I lead the team’s activities and I’m involved in the designing and building of projects and features. The features are being developed based on the questions that come from customers. It’s my job to make sure that we can go from a client question to a new feature that is useable and still fits with the product as a whole instead of it becoming a bunch of random features. When designing and building features we need to take many aspects into account: the product and the product strategy, the client’s question, and also to safeguard the technical implementation of new features. In practice I write and review code and implement features into the existing product. We start with the design of the potential new feature, then we look at how it fits into the existing product. If it fits and the design is finished we’ll build it. An example of a feature we are currently working on is transaction signing.


Another important aspect is to consider the security, which is very important for our product because in the end it’s a security product. We have security embedded in our working routine. We are certified by iComply, a secure software foundation. They prescribe the desired way of working to build secure products. When you look at the feature you don’t just look at how to build it, but also how to exploit it. This means we test how to ‘break’ the feature and what steps we have to take to mitigate the potential security risks. While building on our product we map the architecture and write down every step of the way when we build it initially. By doing this we still know further down the line why we made certain decisions and why we built something the way we did in order for us to be able to adjust it. This way we can see if we have implemented a way to mitigate a certain threat. It’s a sort of document to track our steps and see if we implemented the right mitigations.




Why did you pursue this career?

Funny question, I never actually set out a career path to become the CTA at a startup. It kind of came along and I just jumped on it. It just so happened that I was looking for a new challenge at the time the opportunity at Onegini came along.


I studied business and IT which has some technical elements in it but is not really a technical study. Security was not even a part of the study programme. But slowly I grew into it. When I started working my first job was in Identity & Access management. I was interested in technology and wanted to know the business. I wanted to be able to really understand the questions coming from customers and be able to talk to them on all levels. My personal interests and preferences resulted in me starting as a consultant. While being a consultant I got more and more into technology and development of features and products. Being in the job I am now is actually not because of a predetermined choice to do this but just kind of happened. But then again it kind of is my choice because I followed my interests and it got me here.


I started my career in Identity & Access management, that is already security related. But my engagement was from a higher level because as a consultant you don’t really design things. I discovered that security is sort of like a mindset. That you don’t just need to look at ‘how to make’ something but also at ‘how to break’ it. Breaking things is in my nature I guess. When I was young I took apart my sister’s ‘My First Sony’ but couldn’t put it back together. I want to know how things work at a detailed level. Not just that it works, but also how it works is interesting to fully understand something. That’s also an important aspect when designing and building a product if you are in the security business. It can break in places you didn’t think of in the first place and that can have serious consequences for your product.


But I think to summarise, why I got into security is because I was naturally intrigued by how things work. In security, you have to be interested in how things can be broken to keep it working. That’s how it is in line with my personal interests.




Can you name a milestone in your career?

When I started working for Onegini! Previously, like I said, I worked as a consultant. I was already doing different projects for various customers, already security related; that’s where I gained experience. But at Onegini I became responsible for building it. When I started at Onegini there was nothing and we really had to start from scratch designing and building our product in a secure way. For me that was a huge milestone. I really feel privileged to be a part of this, being involved in something from the start is not your everyday opportunity and I’ve learned a lot from it.


How will your industry or job in particular change over the next few years? How do you keep up?

It changes a lot. You see people becoming more aware that security is important. However, there is still a lot of ignorance, especially among customers. They underestimate the possibility that hackers can ruin their lives. You see that organisations are becoming more aware of security risks. Hacks are happening every day, not just for information of businesses themselves but also to get customer data. Companies are becoming more aware of the risk and they will need solutions that actually help them. As I mentioned earlier this is not just technical but also human related as human factors are also a big part of security.


If you look at our product and what it does, right now our customers are mostly banks and insurance companies, because they are already focussed on security and aware of how important it is to be and stay secure. If you look at the rest of the market there are not a lot of mobile security solutions. I expect that over the coming years there will be more interest from different industries to keep their customer data safe and mobile solutions will play an important role in that. So, I think our product will become more interesting and in demand over the next years. Because right now I have the idea that a lot of mobile developers are not at all aware of security issues.


I keep up by reading articles, Twitter, visiting conferences, talking with people. For example, the RSA conference in San Francisco or reading about different attacks. By reading on security in general I try to keep my knowledge up to date. It's also important to not just rely on open sources, but also to participate in courses on security at conferences for example or other training.




How did finding a job after your study go?

I was doing my master’s thesis at Capgemini, and initially I wanted to work for Capgemini after I graduated. Unfortunately, I failed the admission test and because the economy was in a recession in 2009 they couldn’t hire me. Looking back, I am very happy that this happened because Capgemini is a very big company and I very much like smaller companies which are more flexible and offer you more responsibility.


So, after I couldn’t get hired at Capgemini I went abroad for a few months for holiday and once I got back I started looking for a job and came across a job offer for consultancy in Identity & Access management. I applied for the job and got hired :).


Do you have any tips for up-and-coming talent?

The security industry really offers a lot of opportunities but it should be something you like. My tip would be not to be focussed on your career but to look at opportunities and be open in what you want for yourself and be willing to take the challenge and do what you like. I believe that will take you the farthest, otherwise you will run into barriers.
