We use our own hacker tools to test systems, and then we write reports, which our clients can use to fix their problems and get a secure IT system. At the moment we’ve got 107 employees in Germany and Austria, but we do checks all over the world, and particularly for clients in the US and China. We also do talks on big IT security conferences. This year we are going to give a talk about hacking biometrics at the “positive hack days” event in Moscow, which is taking place on the 15th and 16th of May, 2018.

What are the most important factors an organization must look at when compiling a cyber security strategy?

It’s not easy at all to get cyber security running, as it is the most complex challenge of IT professionals today. You have to handle bad software, bad protocols that are being used, bad coding habits and errors that go years back. There are also big challenges such as digitizing old processes and constantly optimizing your performance. In our view it’s most important to check where the vulnerabilities are, because it makes you able to focus on the important points, and identify the weak spots so you can fix them. We work with IT security officers, who order our simulated cyber-attacks to test their systems. In some cases, it would not be the IT team who calls us but rather, an e-commerce who want to make their payment systems bulletproof, or other professionals within organizations that need this service to improve their defenses.

Cloud-based applications have introduced many new threats to both organizations and individuals. What are your views?

In terms of typical web application problems like cross-site scripting, OS command injections and other hacking techniques, there’s no difference if you’re hosted on-premise or in the cloud. We don’t approach the human problems but we like to do live hacking presentations to show people the real risks. Live hacking is a measure we use to awaken the employees to become more aware of the risks of malpractices, but our service is not to handle the human approach. In my view there’s no use in saying to employees: “don’t click on word attachments”, or likewise; most employees will do it anyway because they need to do their job. Hardening the employees wouldn’t solve the problem. We do pen testing workshops and specialized workshops about web application hacking and IoT hacking. We offer trainings, but that’s only a small part of our business. We do that mainly because we want to share our knowledge with our customers.

I think cyber is becoming more and more important but that’s not new. I have been running the company for 20 years now and I expect market growth to continue at the same rate as it has been in the last 20 years, so no strategic change on that front. IT systems may have become better today than they were previously, but nevertheless, the demand for cyber security solutions continues to grow. As for the long term future, only time will tell.