How did you get into security?
In May 2000, I got a call from my university friend asking me to join him in the T-Mobile CZ security team based in Prague. Coincidentally, I had an opportunity to join Accenture as a consultant, which I turned down. Just like Helen (Gwyneth Paltrow) in ‘Sliding Doors’, I consider this a defining moment in my life. I have never regretted choosing security: cyber security is an ever-changing industry, far from boring plus a good business to be in.
Do you still enjoy that it keeps changing?
Cyber security is like an iceberg; changing gradually, and the change is accelerating just now, mainly due to improved technology and ubiquity of everything online in our everyday lives.
What was the reason for establishing your own business?
When I decided to go on my own I was in a senior role with over 13 years of experience in cyber security. My boss was using external consultants and when I observed how consultants work, I thought I could do that.
Can something be 100% secure nowadays?
Short answer is no. :) Now let’s get to a more elaborate one. If we want something to be usable at the same time, then the answer is unfortunately no. Security of a system, any system, is as weak as its weakest link. This may be technology, process or people. When assessing security of a business case, we look at this triangle: usability, cost, security. Naturally, it has to be usable in order to be useful. Security typically comes second if not third, unless of course you are NASA with an unlimited budget. Businesses don’t have the time or the budget, hence there is always a compromise. And that’s where my company can help tremendously. We advise on suitable controls for companies, suggest investments into specific types of protection or technology, or changes in processes and procedures. We never say no; we advise on how to say yes.
Do companies invest enough into securing their assets?
Some invest too much and some too little, only a small portion invests just right. Regardless of the investment, it is selection of controls companies choose to deploy. For example, five years ago a typical organisation was spending half of its security budget on network firewalls. The remaining 40% went into identity management and only 10% into data security, i.e. who owns what, how data flows through the systems and how it’s protected. On the other hand, I see new start-ups ensuring investment is flowing into data protection technologies. In addition to technology investment, companies frequently neglect their other assets: people. Most of the attacks succeed because of human error.
What was the most challenging project you’ve worked on?
The one I am working on now. Vulnerability management for a large Dutch company. It’s challenging as the company is really large and it has been part of a merger, which brings a changing environment. It’s not about technology but more about influencing the right people and engineering the right processes.
Why are you involved in the Cloud Security Alliance?
On a personal level I want to give back to the community. This non-profit organisation’s mission is to promote knowledge about cloud security, its challenges and benefits, and best practice. The UK is a huge market for the cloud, possibly one of the biggest in Europe. And yet, the knowledge about cloud security could improve, which is what the Alliance is doing.
Why should companies choose you to work with?
The biggest reason is probably our experience from the projects we have successfully delivered. Our motto is 'Securing your business'. That drives our methods; we simply recognise that security is not the primary function of the business. The controls we design must support the client’s business, not hinder it. We offer a bespoke approach to each client. Big consultancies typically use a template approach. We go fresh to each client, identify what they need and offer a solution tailored to them.
What are you most proud of?
I am proud I’ve made it to the UK. It wasn’t easy, coming from the Czech Republic. First I moved here with T-Mobile when the Czech Republic was not part of the EU yet, so it was tougher. It’s a great feeling that my name is well known within certain circles. And in terms of projects we deliver, every one of them is a good achievement on a different scale.
Where do you see yourself in 10 years?
I’d like to build a boutique security consultancy with a focus on topics that interest senior management: assessing security strategies or how security can help in digital strategies. So not only focusing on technology implementations as I believe technology will be mostly outsourced. My company is focusing on addressing holistic security strategy.
Do you plan any expansion?
Expansion is a matter of resources – for example, in the US there are about 1 million security vacancies, and Europe is not far behind. Security is not part of universities’ curriculum - IT is, but I would argue that security is not only about technology. I see security as a combination of legal, business, technology, business continuity, it’s probably on the same level as MBA – it cuts across all business areas. I’d introduce an MBA in security. There are lots of people out there claiming they know security but they don’t pass the threshold of my interview.
How would you define yourself in three words?
Adventurous, optimistic and loving.
Are there any latest developments in your company?
I am currently working on a strategy related to a potential cooperation with Czech company CZ.NIC. They’ve developed a security router for small businesses and homes. My plan, if all goes well, is to enhance it and offer it as a product or service to UK businesses or internet service providers (ISPs).
Companies are getting compromised through other people’s PCs; hackers are clever; they don’t go directly and hack your business, they compromise lots of PCs of unsuspecting individuals in their homes, and attack from there. This is called the last mile security problem. If we secure it, we will make the Internet a much more secure place. This router can do this - unlike the existing one you get from your ISP. I believe this could be a good benefit for people and smaller businesses. It could also help create productive relationships with ISPs.
Find out more about Jirasek Security Consulting
By Tereza Urbankova, member of the CBCC Executive Committee