Security Expert Interview Series: Tom Hofmann

The next professional with whom we had the opportunity of speaking is Tom Hofmann. Tom has recently been assigned to the position of Chief Information Security Officer, and he has over 20 years of security expertise, from projects all around the globe, with scientific knowledge and principles, to support people and organisations towards an innovative cyber-security. In this interview, Tom discussed human-centered security and how this concept is different from the traditional model of security. Besides that, we believe his story into the cyber security world will inspire you to step into this field. Hence, continue reading and uncover his insights.

Security Expert Interview Series #19: Tom Hofmann

1. Can you give us an introduction about yourself, Tom? How you ventured into the cyber security world?

My (ad)venture in cyber security comes from my always having been curious as to how things work. After my apprenticeship as an IT specialist, in the early 2000s, I joined the admin team of small software development company. We were only a handful of people, with no strict role descriptions. I took on the responsibility of the whole infrastructure, from physical cabling in the data center, to the LANs, WANs, Firewalls, VPN, PKIs, etc. From there I branched into cyber security.

As the company grew I had the chance to build up infrastructure worldwide, with projects in Japan, China, France and even close to the polar circle in Finland. This is how it started, and I just kept being curious and eager to learn. But the humble beginnings of taking Helpdesk calls, directly interacting with people, listening to them, their problems and needs – this was an incredibly valuable experience, which still influences my attitude on security today. 

2. What motivates you to keep pushing ahead every day in the security field?

It is my interest in how to design cyber-security. How can we address todays ill-defined, wicked problems in cyber-security? What will the future be like? What should we do to shape our reality and be prepared? I don’t mean just what is technically feasible but also, much more importantly, what is humanly desirable. I mean the empathy for the great people I work with or interact with in my private life. I mean the things I can learn from them, an engineer operating a hydro plant, an electrician wiring a smart home, our HR staff or my friends and families. It all drives me to create a more secure digital world.

3. Could you please tell us what was the most important cyber security lesson you learned in 2020?

It was that security organisations can be much more agile and flexible than they admitted. The COVID-19 lockdown was a truly disruptive change. While remote working had been promised for decades, it took a global pandemic to force people to reshape the way they communicate, collaborate, and work together. Security, and also managers, seem to always have thought that people cannot be trusted.

Today we see the opposite is true. People supported each other; old processes were replaced with agile ad-hoc solutions. It became clear that we don’t need a Tayloristic surveillance dystopia to enforce control. People can adapt and so can security. Which in the end allows the security department to evolve from a “blocker” to an “enabler”, truly collaborating with the people in their organizations towards a common goal.

“We must foster experimentation. We need people who try something new, who are curious and willing to do something.”

4. We know that you gave a talk at TEDxZuriberg in 2018 where you shared your views on how human-centered innovation can be leveraged to attain a joint optimization of complex technical systems. How long have you been interested in human-centered security?

In 2014 or so, during my time at the University of St. Gallen, I first stumbled across system theory, or more precisely socio-technical system design. Its theory states that teams, organizations, and even societies involved in design must address social and technical aspects in tandem. In cyber-security, and more generally when dealing with digitalization, the attitude is that technology can solve everything and that humans will adapt. Yet the opposite is true. This one-sided viewpoint is bound to result in unwanted and harmful effects.

A good example is shadow-IT. Security and IT departments may lock down all devices and block websites and apps, but in the real world, people will find workarounds. And it is precisely those workarounds, mostly unknown to the security departments, that end up posing the greatest risks, as with, for example, the unofficial use of WhatsApp or Dropbox.

This pattern, by the way, is neither new nor unique to digitalization. Similar observations were first made in 1949, as new technology was introduced into coal mining. The management expected productivity to rise. It actually declined, while absenteeism rose, and workers increasingly left the mines. In certain plants, management insisted that the workers were to blame, for yearning for the old days and not complying with directives on how the apply new technology.

The truth was that the new technology, as designed by office-bound managers, was unfitted for the actual job at hand down in the mine pits. So how can we address this dilemma? This is where human-centered design can help. Human-centered design is an approach to complex, wicked problems that, among others, focus on human-values, and embraces experimentation and radical collaboration.

Coming back to our shadow-IT example, our design approach would not be to deploy more controls, blocks, and bans. It would mean to invite the people concerned, to listen to why and how they use their tools and which problems they face with current IT and security controls. This empathic attitude helps to define the problem, and allows us to generate new solutions, and then to prototype and test them together with the people concerned.

This human-centered design – as a process, a mindset, and a toolbox – helps security departments in connecting with the other teams and also in shifting how they are perceived: no longer as blockers, but rather as enablers.

5. In today’s state of cyber security, how do you define the concept of human-centered security and how would you say this is essentially different from the traditional model of security that we consider?

There is a quote which, for me, perfectly describes conventional cyber-security: “The definition of insanity is doing the same thing over and over again and expecting a different result.”.

Despite all the resources we spend on technical cyber-security, we still observe shadow-IT, passwords on Post-Its, or credentials listed in Excel files for team collaboration. People simply cannot remember all the complex passwords security departments force upon them, and field teams under massive pressure to deliver will organize themselves by resorting to WhatsApp.

Mostly, IT will react with yet more technology, more endpoint protection, more device management, more policies – only to observe that people shift to private hardware and completely vanish from IT control. Yet if we start to acknowledge social aspects and leverage our people’s creativity and expert domain knowledge, we can jointly achieve better cyber-security for all of us.

To summarize in the words of Bruce Schneier “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”.

6. What are the necessary skills to enable the transition to human-centric security?

The core skill is empathy. We need to understand the people for whom we design – their needs, their worries, their ideas. We must foster experimentation. We need people who try something new, who are curious and willing to do something. Not more meetings and more slide decks. To achieve this, we have to give people the space to collaborate, to experiment and also to fail.

7. What made you want to start giving lectures first at the University of Applied Sciences and Arts Northwestern Switzerland FHNW around the topics of human-centered security and cyber security leadership?

I wanted to talk about cyber-security from a different standpoint, and to give the students a new perspective on the topic – not just in academic terms, but through real world examples, life experiments and interaction. We are quite good at teaching how to solve complicated problems – say, how to develop algorithms and how to combine technologies.

But all of this does not exist in a vacuum. The solutions have an impact on people.

People are also designers, with designs driven by experience and biases, and this is where I want to make an impact and create awareness and curiosity.

8. What trends do you expect to see in cyber security in 2021?

In view of the current situation, I expect an ongoing high level of attacks on remote workers – not a substantial increase in the quality of the attacks, but in the quantity. This includes phishing, scanning for misconfigured endpoints, accidentally leaked documents etc.

9. Last question: if you had to recommend one book to read for a beginner getting into cyber security what would it be and why?

It would definitely be Mike Cooley’s “Architect or Bee? The human price of technology”. Cooley offers a very critical examination of how we use technology and how it impacts us as people and as a society. We are directly exposed to the technology we develop and the systems we design. It is our responsibility to reflect on the consequences of our decisions and actions.

Machine learning can be used to detect cancer or to create a dystopian face recognition system to suppress minorities such as the Uyghur. We can decide to build drones to deliver organ transplants or to create a 24/7 surveillance system above our cities where everyone becomes a suspect. It is up to us to decide which way we want to go. Reading Cooley’s work can help us decide whether we are ready to pay the human price of our technical decisions.

Click here to learn more about Swiss Cyber Forum’s approach towards improving the digital safety and security of society and economy through events, education, and global conferences. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.