Students should take risks when getting into jobs & aspire for IT security experience: Dr. Kromer

An opportunity to collaborate on real projects

Professor Hämmerli, thank you very much for inviting me to address the audience on this wonderful occasion to celebrate the new school for IT Security at Luzern University.

I immediately agreed to participate in this function when I was asked to present my thoughts on IT Security education and the relationship between academia and the industry. First, SECUDE’s headquarters is right around the corner making collaboration very convenient. Second, I see a great opportunity to collaborate on real practical projects leveraging the school’s know-how as well as resources, and third, working together, we might be able to find real gems to hire into our R&D team.

SECUDE 2.0 – Deep diving into SAP data security

Permit me to skip introducing myself and get straight into the issues I care about. You could read my profile on SECUDE’s website.

I would like to state at the outset that I sold SECUDE to SAP in 2011. However, SAP allowed me to retain the company name, SECUDE, for further business opportunities. SECUDE has an excellent reputation in the SAP security market and leveraging this I decided to risk restarting SECUDE with a new idea – to protect downloads from SAP. SAP data are well protected inside SAP through Secure Server Connection (SNC), which, by the way, SECUDE developed. So one can say SAP is well protected. But, one must also recognize that as soon as data leaves SAP it is no longer protected and this is a risk enterprises cannot and should not accept due to the threat to sensitive information as well as for obvious compliance reasons.

As a result, SECUDE 2.0 focuses on data protection of SAP downloads. We started development around four years ago and launched the product, HALOCORE, two years ago. In the meantime, we created a powerful security accelerator and enabler which leverages Microsoft RMS & AIP for actual encryption. In a sense SECUDE evolved from a purely encryption company to a business process software company leaving the encryption part to Microsoft. Why did we decide to leverage our technology with Microsoft’s technology? The answer is simple. Microsoft Office 365 is dominating the global market and as RMS is an integral part of the Office suite, it is next to impossible to compete against Microsoft with any other RMS solution, let alone our own. Microsoft AIP will be recognized almost as a global standard, enabling us to reach out to the global market as we connect AIP to SAP and help secure downloads.

Intensify work and collaboration with IT security companies

I should mention at this point that Professor Hämmerli has been on our advisory board since 2003 and has been part of our strategy meetings to determine the technical future strategy of SECUDE 2.0. It is heartening to note how close SECUDE and the university’s IT department work together in a very practical way.

This brings me to the first point I consider crucial for the success of the new IT Security department. I believe that it is extremely important for students to learn how they can solve practical technical security issues on real products destined to become crucial in the security of data flows in today’s cloud and data streams. Without such ‘real’ exposure to challenges there can be no appreciation of what security risks lie ahead in the real world. It is merging academic research goals with real practical solutions which lifts the standard of learning to excellence. My advice for the school: Intensify the work and collaboration with IT security companies.

SECUDE-University Tango

Our collaboration with the University has also brought other tangible results. For example, we have been able to recruit students to work in our team and grow with us to management positions. One of the students has been our R&D chief for the past few years after he finished his education. He now leads our R&D team to create three patented applications revolving around how we intercept SAP data and protect them. You can imagine that such creative engineering is not an easy task and it speaks for the quality of university education as well as the motivation of graduates entering the workspace.

This high-level know-how enabled us to gain market penetration and achieve orders from large multinational software and consumer product enterprises.

One project we are working on with the University is to deploy Artificial Intelligence – a learning engine – for SAP log file data classification. Our aim is to offer a complete and fully automatic classification engine that manages the entire security work in the background and thus eliminates manual work, allowing users to work without any interference from the protection process. This assures a high level of productivity at user level while providing uncompromised data protection silently in the background. This automation is absolutely necessary not only to avoid user productivity loss, but also due to acute manpower shortages in the IT Security field.

Manpower crunch in the IT security field

Recently, I had a discussion with a large global IT Integrator who gave me some alarming feedback, which is very important to understand and to put into context with this new IT Security department. The integrator is short of 20,000 IT Security experts – many of whom are for SAP-related technologies. They estimate that the number of unfilled positions will reach 200,000 (just for the integrator alone) by 2020. Globally, they estimate the entire market will be short of one million IT Security experts by 2020. If you put this shortage against the background of real IT threats hitting the industry every single day, combined with the cloud trend, Internet of Things and AI, autonomous vehicles, botnets, drones, and so on, how will we be able to solve the security dilemma without man and brain power?

I have experienced ‘brain power’ shortages as well over the past 16 years forcing me to set up our own offshore R&D center in India and to hire top notch people from the USA, Germany and Poland. Luckily, we managed to move forward despite shortages. I have great expectations that the university’s new IT Security school will enable us to pick up more top developers in the future.

Take risks. Learn more. Gain deep experience.

My next point is on the risk-taking ability of students entering the workspace. I find that students tend to take jobs keeping a keen eye on job security. That leads them to the usual basket of large enterprises in Switzerland and elsewhere. I believe there is no such thing as lifelong job security. Even the most established companies eliminate jobs as they need to adjust to the competitive environment or face the threat of elimination. Kodak, NOKIA, and even the Lehman Brothers are examples to note. So I encourage students to take risks and join smaller companies as these typically offer much wider and deeper experience and offer a more challenging and interesting work environment than the narrow window of learning that large enterprises typically offer.

Imagine the chances that students take when joining a startup in Silicon Valley and San Francisco Bay area. Consider this job market and the overall number of graduates in context with the situation in India and China. Did you know that India cranks out 1.5 million IT graduates every year! Of these, about 20,000 specialize in IT Security. China produces around 2 million IT experts. I have no data on how many of them specialize in IT security. To this add the graduate output from regions such as Russia and Eastern European countries, in particular Bulgaria, Romania and Ukraine and Poland, and countries such as Uruguay, Argentina and the Philippines (to name a few), to the US IT job market.

Taking cognizance of the shift in job locations

It’s an open secret that SAP has moved all its security R&D to Bulgaria. Recently, Coca Cola too moved its security department from the USA to this country. Accenture has consolidated security delivery and management in the Philippines. This gives you an idea of what is happening in the market due to resource shortages and how this impacts Swiss graduates and the demands put to the Swiss educational system.

Such a global scenario drives home the fact that Switzerland can never compete in mass education, but must focus on ‘quality’ offering students the highest level of knowledge and enforce it with a strenuous learning and training program. Only the best will succeed. This is a real challenge for this new IT Security school.

Why is IT security a hot topic now?

Today, we observe an irrevocable trend to the cloud, the speed with which digitalization has taken over our lives, the increasing use of drones, the role of Artificial Intelligence and many more such phenomena that are perceived to pose challenges in maintaining IT Security control. Many companies drift along and react, but do not consciously shape their IT Security strategies. Together with the shortage of experts what evolves is a potent brew of problems in which defenders are fighting a losing battle against attackers. What is becoming obvious is a glaring lack of qualified resources and, in many cases, the lack of political will to fight such a battle.

In addition to the above, there is the war among countries for IT dominance. If one were to observe the amount of resources thrown at IT in countries such as China, India, USA and Russia it becomes clear that this is going to be the future battlefield. If you protect your data, you will win, but if you lose control, the war would be lost. This war is also fought by large multinational corporations among themselves and with the government on multiple fronts – technologically, financially and legally. We are aware of the legal tangle between Microsoft, the US government and companies in the European Union a while ago. This issue has been amicably resolved and, in fact, has provided a wonderful result in the form of Microsoft’s Rights Management System and its cloud version, Azure Information Protection, which are today well received by organizations worldwide. There are many security concerns that I can list – one more being the security issues in embedded electronic chips and circuits by leading chip manufacturers. As manufacturers themselves do not intentionally make such mistakes, you could guess who may be behind such issues.

The cost of data loss

The damage from data theft has touched a colossal $650 billion last year. It is expected to touch a trillion dollars by 2020. McAfee expert Steve Grobman states that cybercrime has become more efficient and profitable than ever before. This is reflected in a previous study from 2014, in which the global damage had been estimated at $445 billion. The study focused on the theft of classified business data, online fraud and financial crime, insurance costs and potential damage to a company’s reputation.

Interestingly, the White House also stated recently that cyber crime in the US in 2016 caused $57-109 billion in damage. This has certainly increased dramatically in 2017 and again in 2018. By 2020, damage will be estimated at over a trillion dollars. A scary scenario indeed. Nothing really is safe. And just imagine when the Internet of Things takes off and grows exponentially – the individual is exposed. It would be like sitting in a glass bowl – zero privacy. This is another scary aspect.

Thus, from my perspective, there are plenty of IT Security jobs that guarantee a great future for our students.

In conclusion: What should IT security learn?

We are shaping business and business processes rather than just accommodating processes as was perceived just a little while ago. CIOs will move into CEO positions and it is going to be a whole new world out there in the coming years. I think the CIO will become the Chief Innovation Officer. It seems inevitable. However, to grow into this role IT Security folks must accept higher risks and greater responsibility.

Remember this. If Artificial Intelligence is the rocket for the next revolution, it is the data that will fuel the rocket and direct all our R&D initiatives. This is also what is driving SECUDE’s HALOCORE solution – to make SAP application data safe.

I thank you very much for this opportunity to share some general thoughts that affect us here in Switzerland. I wish you all the best and luck in your endeavors to make the university’s new IT Security School a great asset to our educational system and to our economic success.

[1] BusinessWire, ‘New Global Cybersecurity Report Reveals Cybercrime Takes Almost $600 Billion Toll on Global Economy’, 21 February 2018

[2] McAfee & CSIS, ‘Economic Impact of Cybercrime – No Slowing Down’, February 2018

[3] McAfee & CSIS, ‘McAfee and CSIS: Stopping Cybercrime Can Positively Impact World Economies’, June 2014

[4] Pierluigi Paganini, ‘Cyberattacks cost the United States between $57 billion and $109 billion in 2016’, Security Affairs, 20 February 2018