Search for content, post, videos

No Security without Identity – No Identity without Security

June 2021: we’re looking back at a pretty bizarre year like we have never experienced before. At least we think so.

This pandemic has all the properties of a black swan event, just like the 9/11 attacks. A black swan event comes as a surprise but has major consequences. The COVID-19 pandemic has not only changed our personal life as we knew it, but our social life as well, including the way we travel, the way we interact with people in person, and so on.

It also has thoroughly shaken the foundations of cybersecurity, data protection and – in a broader sense – information security too! We have (finally) started to think differently about the ways governments, big tech companies, commercial companies, internet companies are handling our personal data.

It looks like the high impact of the pandemic on our personal life has forced us to think differently about the use of our personal data, and certainly how our data is (or was) floating around freely in the digital world.

After the generation of the internet (the “cloud” generation) we now see a new generation rising: the privacy-focused generation.

But there is no privacy nor data protection without cybersecurity. That has not changed, since the early ‘90s, when I discovered internet over a beeping 14.4k modem (remember the sound of dial-up internet?).

Looking back, looking forward

Having finished college in 1992, I continued higher education to become an industrial engineer (now master) in bio-engineering, driven by my family background and my interests at that time. But in the middle of the study program, the reorganization of the high school/university education system was rolled out. It changed to a bachelor/master level system and caused a redefinition of my study plan, leaning more towards chemistry, which was not my cup of tea.

So between the second and the third year of my studies, I shifted gears, did some extra study in electro-technical engineering during summer vacation and I started the third year into industrial engineering and electronics/computer science, which was rather an extension of my growing interests or hobbies. Frankly, it still is, after all these years.

When I finished school, many of my fellow students, if not all, had a work contract before the end of school, right in the middle of the big internet hype. That internet bubble burst in the early 2000s.

I had my first work experience in application development. Searching for new challenges, I moved into system engineering and systems management, more specifically the Microsoft infrastructure.

Due to the strong customer demand for certified engineers, I got the hang of security, where I specialized in security hardening and identity and access management. This was a niche market at that time (and still is) with a lot of new challenges and market developments crossing my professional path.

In 2005, I started using that security background to dive deep into the Microsoft Identity space.

The passion for community

The interesting part of identity and access management (IAM) platforms is that IAM cannot stand alone and integrates all core services of every company. So you’re not only required to master the identity principles and data flows, but you also need to dive into various systems containing the company business data, from Active Directory databases to HR and CRM systems, various mail systems, and operating systems.

Working with new, quickly-evolving, and challenging products always has been fun and I got in touch with a vibrant Microsoft technology community, online and offline, which ignited my passion for building community by sharing knowledge.

Working with these experts and minds thinking alike, enabled me to build a broad network of professional experts and specialists. Even now, it’s a blessing to turn to someone who knows better and that can guide me in solving my challenges.

In 2007, way too late, I started posting blogs with lessons learned that could help others to avoid the mistakes I had made. Now I use my blog as a personal external memory, to quickly retrieve interesting items I once looked up or found out.

It’s not so awesome (duh!) that search engines throw up your own articles when you’re troubleshooting a setup at a customer exposing your own mistakes you once made.

In 2008, for the first time, I got awarded the Microsoft MVP (Most Valuable Professional) title, which is a warm appreciation for “technology experts who passionately share their knowledge with the community.” They are always on the “bleeding edge” and have an unstoppable urge to get their hands on new, exciting technologies. Microsoft MVPs have a “very deep knowledge of Microsoft products and services, while also being able to bring together diverse platforms, products, and solutions, to solve real-world problems.”

Working with or working for Microsoft has been on my bucket list for a long time. And that opportunity came my way in 2012, when I joined the Premier Field Engineers, a team of technical experts in various enterprise products at Microsoft, supporting customers solving issues that no one else could solve.

Being at the core of the products and working with the international product teams closely was extremely awarding, even though the job could get hectic and very demanding.

I had a great time with the Microsoft team, but after 4 years I had to reconsider my choices for various (personal) reasons. I needed to re-check my career roadmap and take the next step. Because I had received a lot of demand from Microsoft partner companies to offer my expertise locally and during my time at Microsoft, I had been delivering a lot of workshops, I wanted to explore the teaching and training opportunities.

No identity without security – no security without identity

So I started freelancing in 2016. I focused on areas such as Microsoft Identity, identity and access management, security, cybersecurity, information security and data protection, privacy, GDPR, and the like. And now, looking back, I realize that the basic principles and foundations of security have not changed. In my early days, and still now, I have been working on enterprise infrastructures, data centers, and large server networks.

Sadly enough, we know now that in the fast adoption of the internet and certainly the massive growth of cloud services, security has not always been the primary focus of building new systems. And now we all pay back that faulty baseline.

Look at the ever-growing business of cybercrime!

Almost a decade or two later, the tide starts to turn. Security by design or security by default are (almost) accepted as standard. But due to the legacy we need to replace, there is still a long way to go.

Information security, cybersecurity, and data protection are good sectors to work in – for me, it’s more of a hobby than it is a job. Working as a freelancer, I was able to balance the consulting work with teaching courses in those fields.

By the way, if you think that teaching is a one-way communication job, you got it wrong. Having a very diverse audience is not always easy, but it is very rewarding. You can learn a lot from your students and participants and using the practical experience to spice up the theory with real-life examples brings these courses to another level.

The PECB partnership

That is about the time, in 2017, when I got in touch with PECB, first teaching their training courses, and later providing feedback to improve those courses. Over time I got involved in more activities, like reviewing courses, moderating events like the PECB conference in Brussels, presenting a series of PECB webinars on ISO/IEC 27001 (on information security management systems), ISO 27701 (on privacy information management systems), as well as NIST, CMMC, and so on. Check out the PECB webinar archive for more.

Data protection and/or cybersecurity and/or information security?

Early 2018, an MVP colleague informed me about an interesting opportunity as a policy advisor at the national Center for Cybersecurity Belgium (CCB), which is the central authority for cybersecurity in Belgium.

It was a great place to learn about the latest trends in cybercrime; to help and guide the government, as well as small and large companies to protect themselves against all these threats.

Over the years, it has become clear that businesses struggle to secure themselves. And if you can’t secure yourself, you can’t secure someone else. Some of the most common responses when you question the lack of basic security in an organization is “I’m not a security specialist, I need to run a business” or “My business is too small to get hit by cybercriminals.”

Reality has proven them wrong, too often to count!

That’s where I hope to provide added value with my experience and it motivates me to keep growing and to keep learning.

The desire to bring added value is a great motivator to keep sharing experiences in order to avoid the mistakes I and other people made. At first, sight it seems difficult and painful to get beyond the shame of admitting mistakes, but it must be clear that we all have a shared responsibility to protect each other. And that’s exactly the point where cybercrime and the pandemic meet, as mentioned in the introduction to this article.

The methods and principles to fight crime and COVID are exactly the same: start to protect yourself, keep yourself safe and secure, and help protect others.

Taking back privacy

Actually, before the 2020 black swan event, another black swan event has been impacting my professional life significantly, namely the various publications of an NSA system engineer, exposing espionage practices. You certainly must remember the quote from Edward Snowden about the ‘nothing to hide’ argument:

“Arguing that you don’t care about the right to privacy because you have ‘nothing to hide’ is no different than saying you don’t care about free speech because you have nothing to say.”

(You can read more about this interesting discussion over here.)

The right to privacy is now more significant than ever! Similarly, the battle for your personal data has become more aggressive than ever before. Look at the current “fight” and evolution in camera tracking, phone geotracking, browser tracking, and the usage cookies to find out what you’re doing.

It’s not done and over yet.

While for years the discussions has been dominated by a bunch of privacy nerds, ordinary people have finally started to realize how far data collection has gone, and due to the pandemic, how far it impacts their life.

You never walk alone

I’m very grateful where I stand now in terms of my career, even though I don’t know where the future will take me.

I could have never landed in the position and situation I’m in right now, in the middle of my professional and personal journey, without the help and the support of so many people. Of course, this is the result of hard work over the years, but I have come to realize more and more that the help and support of my peers greatly amplifies what I can do. Sometimes with hard criticism, sometimes with hands-on help, sometimes silently in the background.

First of all, a big thank you and a big hug for my wife, who has supported me throughout all these years, in good times, in bad times. A big thanks to my kids, keep up the good work, girls! Do better than me!

Thank you to my colleagues at Cyberminute, and my other professional colleagues! There are so many more people to thank, but I would rather tell you in person next time we meet! You’re doing a great job.

And last but not least, thank you to PECB and the entire PECB team for supporting me. You have been a great enabler.

Pay it forward

Allow me to close this article with a request to you.

You never can pay back the help, the trust, and the effort of your mentors, coaches, and guides in life. But you can pay it forward; use your knowledge and experience to become a mentor for the next generation.

Share your knowledge! You double the value of information by giving it away.

Get in touch!

And if you need some help with that, don’t hesitate to get in touch, because 1+1= 3. You can easily find me on Linkedin.

Be safe, be secure!


Leave a Reply

Your email address will not be published. Required fields are marked *