Interview: Prof. Sebastian Schinzel on startups, entrepreneurship and future security issues

I have known Sebastian since the early years of my former company Virtual Forge. He has been teaching and researching applied cryptography and system security for many years and is co-founder of the Institute for Society and Digital (GUD) at Münster University of Applied Sciences. He was also North German Champion, German Vice Champion and Team World Champion in Biketrial. 

The interview with him revolves around:

  • Stay creative with solutions, as no one can say how attacks will evolve
  • Staying authentic as a founder and entrepreneur
  • Strengthening the security industry in Germany and Good Ol' Europe
  1. Sebastian, you have witnessed the transformation of Virtual Forge from a group of idealists to a company. What influenced you the most from this time?
    Back then, we came to Virtual Forge from the Capture The Flag (CTF) team of the TU Darmstadt and therefore approached the first customer projects more like a hacker competition than a consulting service. Those were exciting and educational times. Then, when the CodeScanner CodeProfiler was developed, the transformation from a consulting-heavy pentesting company to a product development company began. This was indeed an upheaval, as product development requires completely different corporate structures. Penetration tests are very creative and usually relatively short projects, while product development requires years of structured development that only bears fruit after a longer period of time. I was shaped by experiencing this and being able to apply it to my current entrepreneurial activities.
  2. You have already founded companies yourself. What goals did you pursue with them?
    The goal is to promote Germany as a business location and the IT security industry in Europe. There are many good people here, good training, many good ideas, but often too little courage to try the step to self-employment. This is probably one of the main reasons why Germany lags behind the USA in terms of innovative IT companies, for example.
  3. What makes a start-up successful for you and why can it go wrong?
    You need a good idea for a solution to a concrete problem in the market, a good team and customers with a concrete need for the solution. And a lot of stamina and a bit of luck. And preferably not a pandemic!
    Can you elaborate on that point a bit?
    For corporations, the pandemic often seems like a good excuse. It can be used as an argument for just about anything: Restructuring, downsizing, etc. For a startup, it's detrimental because funding is difficult, customers are unlikely to jump at new ideas, and it's also hard to bring people on board who are currently more concerned with job security (vs. going into a more risky startup).
  4. What is your opinion on the topic of "we stay as we are" vs. growth?
    One does not exclude the other. You can absolutely stay "as you are" and still grow. I guess it comes down to self-image: what is one? Do I want to improve the world by making computer systems more secure? Or do I insist that I can only improve the world through this one service or product? The latter may prevent me from improving the world because the service or product will not catch on permanently.
  5. And finally, a technical question: which topics are suitable for you, as a "security professor", for a start-up?
    Cybersecurity will continue to be relevant, even if other topics such as AI are currently dominating the funding landscape. Companies are constantly learning and therefore are a "moving target". While penetration testing was very innovative 10-15 years ago with few specialized vendors, today almost every consulting firm has penetration testing in their program as well. Founders should ask themselves: what service, what product will companies be asking for in 2-5 years? If you have a good idea for this and at the same time have some innovative companies with buying interest up your sleeve, then you should consider founding a company.
  6. Derived from this: which topics will it be in the next 5 years?
    Many companies have learned that preventing cyber attacks, e.g. by looking for and closing security holes, secure software development, etc. is not enough. If employees open the wrong attachment, the attackers have a foot inside the company and can spread from there. The current extortion Trojan gangs are highly professional and have high profit margins. Pure prevention through protection is no longer sufficient. Companies need to ask themselves:
  • How do I detect successful attacks in a timely manner?
  • How do I know the extent of the attack?
  • How can I stop the attackers from spreading further?
  • How do I reliably throw the attackers out of my network?
  • And of course: how do I rebuild my IT infrastructure if an attacker had already penetrated deep?

These are questions for which one needs specialized personnel, possibly also with on-call duty etc. Most companies cannot handle this. Some of this can be outsourced to Managed Service Providers (MSP), but some of this knowledge must also be available internally.

Image source: Münster University of Applied Sciences, Wilfried Gerharz

Functional training

Most people don't move enough, which inevitably leads to misalignment and pain. In times of home office, this can even get worse. Even if you do sports, such as cycling or jogging, problems can arise if you lack body stability. Strength training is therefore essential in my view. The aim should be to get the body so stable that you can move without pain in the long term. In addition, having good muscles helps you burn more calories, making it easier to control your weight. I used to train in studios (Kieser or Venice Beach), but then at some point I stumbled across functional training (1).

When training with equipment, muscles are targeted and also trained in isolation. You go to the lat pulldown to train the latissimus. You go to the leg press to train the thigh muscle and the large gluteal muscle. Etc. For many people, this is enough because they value shapely and well-defined muscles. But this will not help to get the body holistically stable.

This is different with functional training. The idea here is to build up strength using your own body weight or suitable aids in movement sequences that are close to natural or sport-specific movements. The exercises involve several muscle groups and joints. I have considered here so far:

I always alternate between these training approaches or mix them: on the one hand to avoid boredom, on the other to keep providing different muscle stimuli (otherwise the muscles get bored too and the training effect stagnates).

(1) Michael Boyle: Functional Training. ISBN-10: 3742301489, 2017

... about this blog (my mission statement)

My mission statement is based on Simon Sinek's slightly expanded Why-How-What circle. It's likely that I'll continue to refine this over time, but here's the first pitch.

Why? My articles are aimed at entrepreneurs and those who want to become entrepreneurs. I assume the entrepreneur wants to make an idea big and "come out ahead". Such people who have a clear, entrepreneurial goal are my target audience. Entrepreneurial success means making few mistakes or correcting them quickly. The management of the company should be conscious and active. It is about working out what to offer to whom (marketing) and how (sales). It is also about setting a strategy and bringing it to fruition. Finally, it is important to constantly reinvent the company and adapt it to the market. The best example here is dealing with the pandemic, which by no means everyone survives if they don't adapt their company.

How? I follow two basic perspectives: a) improve the company itself and b) improve the entrepreneur. Both need to be in harmony to ensure that an idea ultimately becomes a product in demand and this then leads to success. Both perspectives have different facets that need to be systematically captured and continuously improved. After all, standing still means taking a step backwards, as the competition never sleeps in an attractive market.

I like to start with a 360° view of the company. In doing so, I apply a multi-dimensional model that I developed and refined with my mentor. The dimensions considered include: Customers, Market Approach, Employees, Plan and Actual Numbers, Product Roadmap, etc. Once this is captured, I look with the entrepreneur to see where the bottlenecks are and what operational steps can be derived. A consistent review of the success of the measures rounds this off. I apply the same system to the entrepreneur. The dimensions here include: entrepreneurial fitness and physical fitness. It is also about internalizing the phases of entrepreneurship (growth, sale, exit, life after).

Is he allowed to do that? As a former company founder, CEO and Managing Director, I walked a rocky road for many years, growing my company through various stages into a leading company with 120 employees. I also actively sought growth capital, negotiated and eventually sold the company. I am now happy to pass on the experience I gained along the way.

(1) Is it "the" or "the" blog? Ask the dictionary!

About me ...

My name is Markus Schumacher, born in 1973, and I live in the Bergstraße district (Hesse). In this blog, I exchange ideas on topics that have literally "occupied" me for many years: Technology, Entrepreneurship and "Toys". This post outlines how I got into it.

Computers have fascinated me since I was a child. The conscious starting shot of my nerd career was in 1985, when my parents gave me a Commodore C64. Besides playing games, I quickly became fascinated with designing with a computer and still do today. By the way, I still have the C64 (see picture).

This hobby led me to study electrical engineering at the TU Darmstadt. When I couldn't find a reasonable job during the semester break in 1996, I decided to participate in a programming internship to learn the then new language Java. After Assembler and C in my studies, this was a completely new experience and set the course for the future. Equipped with this knowledge, I quickly got a job at an advertising agency in Frankfurt to design the first applets for websites of financial companies.

This is my original copy of the Java 1.0 Desktop Reference.

Thus infected, I decided to stay at the university and do my doctorate. I started this in 1998 at the IT Transfer Office (ITO), an organization of the Department of Computer Science at TU Darmstadt that kept itself alive exclusively through externally funded projects, initially sponsored by the Digital Equipment Corporation. This awakened the entrepreneurial streak in me. The creative freedom, but also the entrepreneurial risk (no project, no job, no PhD) of this time had a great impact on me. It also made me aware early on that technology alone is not enough to sell products or services on the market.

Without teaching duties, however, I lacked contact with the students. Therefore, building on my childhood experiences with computers, I created the Hacker Contest. The goal was to investigate current technologies (new at the time: WLAN, Bluetooth, etc.). In teams, the participants took the roles of attacker and defender. This initiative was continued for many years, even after I left the university.

In May 2003 I successfully completed my doctorate "with distinction". The topic was Security Patterns, a topic I have been dealing with for many years. Patterns originally come from architecture. The idea is that no architect can simply learn how to build beautiful houses. You need experience to do that, and that is what is captured in a pattern. The idea was transferred to software (so-called Design Patterns) and I then adapted and described it for security.

One of my pioneering topics: Security Patterns was a new topic that had a lot of momentum in the design pattern community.

Equipped with this know-how, I decided to go "out" after my doctorate. I had been offered a junior professorship, but that was still quite new at the time and not very attractive to me. I therefore used my ITO contacts and quickly found a job at SAP as a product manager for security. At that time, SAP was another project partner of the ITO and had taken over the Lab in Karlsruhe with which we had cooperated. During this time the "old" SAP Basis evolved into NetWeaver (Release 640+), and I was able to learn a lot about the different SAP technologies, most recently during the conversion of SAP Business ByDesign from an idea into a generally available product.

The topic of security was and is a matter of the heart for me, and has been for many years. However, I have not understood it in the sense of a function for protection, like logging in with a name and password. Rather, it has always been more exciting for me to understand what gaps a system has, how they can be exploited, and what you have to do to be "bulletproof". Since I also noticed that SAP customers do a lot of their own development, the next step was bound to happen. When programming, and when systems are complex, gaps are almost bound to occur. So it was clear that I would leave SAP in 2006 and, together with a business partner I met at SAP, found Virtual Forge GmbH. Incidentally, I recruited many of the first employees, who then carried out SAP-focused penetration tests, from the cohorts of participants in the Hacker Contest.

I brought with me some ideas about what can be done in the SAP environment that is not offered by the SAP standard. This resulted in another pioneering topic: scanning SAP ABAP code for security vulnerabilities. The resulting solution CodeProfiler for ABAP (version 1.0 presented at the SAP TechEd in Berlin in 2009) is still a market-leading solution today. During this time our book "Secure ABAP Programming" was published. It has not lost much of its topicality, because although there are some new programming constructs in the SAP environment, "old-school" ABAP is far from being at an end.

SAP ABAP, but secure! One critical security hole per 2,000 lines of code: still the benchmark today.

Virtual Forge was the practical introduction to business management for me. Exclusively self-financed, we managed to reinvent the company over the years to stay ahead in the market and survive. As CEO and Managing Director, I spent many years looking after sales (how do I sell the value of technology), marketing (which customers do I target and how do they find me) and administration. All the while, tough decisions had to be made and my own compass readjusted: this included the company strategy and its implementation. With about 120 employees, we decided in 2018 to go in search of growth capital so we could be strategic (vs. reactive). This eventually ended with the sale of the company (mid-2019) to market competitor Onapsis, where I was an employee for the first time in many years, as General Manager Europe.

Since the beginning of 2021, I am self-employed again, with the idea of sharing the experiences I have gained on the path to entrepreneurship outlined here. As written at the beginning, it is about all facets of entrepreneurship and technical topics. Alongside the job, I will always describe "toys". By that I mean things that you can afford to do as an adult and that are one thing above all: fun.

You can find me on LinkedIn and XING, among others.

KNX-based Smarthome with Hager Easy

In my current building project, I had some requirements (more on this in other articles), including that I wanted to make the house "smart". As it was largely a new build, my choice fell on wired KNX technology. This was completely foreign to both my architect and electrician, so for now I was looking for an expert substitute to run the wires. In addition to the KNX lines, the network cabling was also an issue, but that's another story.

I looked around for solutions at Light + Building and the Hager Easy approach seemed to me to be the right one. Why? I was told that an upgrade to "native" KNX was possible and that there was also an IoT integration. With that info, the bus was then set up in the house and the actuators, sensors and switches ordered. With the Easy solution (configuration server TJA665), the elements are then identified quite comfortably and virtually wired together. This went quite quickly and was then displayed on a Hager display using the Domovea Server (TJA450). With the IoT Controller (TJA560), HUE components could also be integrated.

So far, so good. But then came the big disillusionment for me. Unfortunately, it is not quite as flexible as I had thought, as non-Easy elements cannot be integrated without further ado (e.g. air-conditioning units, heating and domestic ventilation). Hager also announced a new Domovea series, just after I had finished. And with that, any further development of the visualisation server and the IoT controller was discontinued.

So I quickly decided to bring forward the move to "native" KNX (after just 6 months) and to look for a generic Smarthome platform. The KNX migration went relatively well after obtaining the ETS software licence; I also took an extra online course for this, which I will describe separately. I investigated ioBroker, OpenHAB and Home Assistant as platforms and decided on Home Assistant for various reasons.

My conclusion: the decision for KNX was right for me, I would do it again. The decision for Hager Easy was only partly right, because it was a) too limited for me and b) I did not like the upgrade or change policy (there was probably none). I recommend to plan and implement immediately via ETS, because you can draw from the complete range of KNX providers and expand the system well.

P.S.: In the meantime, my electrician no longer relies on Easy, after he saw that ETS programming is not that wild after all, if you deal with the matter conscientiously. Of course, it requires more planning in advance, but that's exactly what pays off in the long run.

Classic Studio Experience: Kieser Training

Once you realize that training is important and want to get down to business, you have to make a decision about how to do it. Train alone? With dumbbells or bands or??? Or go to the gym? At the time, I decided to go to a gym - and signed a contract with Kieser Training.

The reasons for this lay in the Kieser concept, which in my opinion is reduced to the pure purpose: namely the training. There's no radio blaring, no bar, no sauna, etc. there. I like it that way because I am very focused in that respect and don't want any distractions. Furthermore, I go to the workout to ... work out. Nothing more, nothing less.

Another advantage I see in the approach and the idea behind it: to train the essential muscle groups effectively. The goal is a healthy body, without back pain, etc. For this purpose, an individual plan is created, with which the muscles and their counterparts are systematically trained. Since most of the time the opposing muscles are underdeveloped, this stabilizes the body after a short period of time. Speaking of time: a workout can be completed in about 30 minutes. That is enough to load all muscle groups, and since they are loaded to exhaustion, one is also completely served in a positive sense. It is also intended to check again and again via measurements how symmetrical the muscle build-up is and where there may still be deficits. Finally, it is possible to train with your studio card in any Kieser studio; I have tested this several times and it works flawlessly. The training plans from the "home studio" can then even be transferred to the guest studio.

My conclusion: I see many advantages in the Kieser approach as described above. The disadvantage is perhaps that the plans become monotonous after a certain time, but then you have to talk to the staff and change the machines if necessary. Kieser is also not a cheap form of training, but those who like an efficient concept without frills, like me, will gladly pay for it. For this reason, I can answer the question of whether I would do it again with a resounding yes.

Later I went to Venice Beach, I'll write about that later. But then I discovered functional training for myself - which I still do today with success and a lot of fun.

From 130 to 79

A good friend of mine, after the birth of her children and various life circumstances, had 130 kilos on the scale at a height of 1.71 m. She used to do a lot of sports, but then for many years nothing at all. When we met, she was down to about 100 kilos through a lot of hard work in the gym. And there it stagnated. One of the reasons is surely that cycling in the gym is one of the most boring things you can imagine. Another reason is that you should take a closer look at your diet and exercise.

When it came to diet, I clearly saw that there was a quest for (supposedly) good food. For example, muesli for breakfast. But then also two plates full. It wasn't easy to convince her that she didn't "need" it. We then installed an app for her to log and analyze her meals, and that was a real aha moment. Of course, one has to be careful not to be enslaved by such apps. Food is and always will be a pleasure, after all! But to see where you have enough and where something is still missing, they are good for that.

When it comes to sports, we started very small. With jogging. At first it was "I can't" or "I've never done that before". But then we just started. We ran slowly, at first only 1 km with breaks. That hurt her in many ways: there were blisters on her feet and the first sore muscles! But: she did it and got hooked. Over time we reached 10 km (!). And that at a very acceptable average of 6:30 min/km. We are now in "give me more" mode.

We have supplemented the endurance training with bodyweight exercises. And we had, and still have to this day, the issue of maintaining the desired weight (today no less than 79 kg). Because maintaining a target weight is much more difficult than losing weight itself. Topics for the next articles ...

Going off the Rails on a Crazy Train

All right now, as Ozzy always says. Let's get going ... as the life clock goes past 40, sport becomes more and more important from my point of view. And sport has to be different than it used to be.

Why important? I've always been athletic since I was a kid, sometimes more, sometimes less (college, new job, etc.) and I've always felt good about it. Because that's what it's all about: a healthy mind needs a healthy body. Of course, there are those who have never exercised, or haven't exercised for a long time, but have recognized the need, I've written some thoughts on that here. And then there are those who have never exercised and don't plan to - I'm not writing about them.

Why different? I don't know exactly when it started, but sometime around my mid-30s I realized that it wasn't as easy to maintain your figure with your previous workload. I put on a lot of weight during that time and I didn't like it - visually or in terms of feeling good. And then I set out to find options, which I will address in further posts. It's primarily about combining strength, endurance and nutrition in the right way, but also varying it. I think the latter is very important, as I find some variety essential for both the mind and the body.  

Even Ozzy (you don't have to like him, but he's one of my musical idols) does sport from time to time and has amazingly managed to continue to stumble through the world on two legs in relation to his lifestyle! All aboard?

Hello world!

Welcome to asathor.com. This is the first post of a blog about the following topics in the life of an adult 40+: getting and staying fit & healthy. Becoming and staying successful at work. Becoming and staying an entrepreneur. And finally: sharing about things you don't need but enjoy.

Asathor, by the way, is the name of my company and is due to the fact that a) I like DC Comics (Thor), b) I've been interested in the Norse sagas for a long time and c) in my experience, the Norse are particularly nice people. Skål!