Interview: Prof. Sebastian Schinzel on startups, entrepreneurship and future security issues

I have known Sebastian since the early years of my former company Virtual Forge. He has been teaching and researching applied cryptography and system security for many years and is co-founder of the Institute for Society and Digital (GUD) at Münster University of Applied Sciences. He was also North German Champion, German Vice Champion and Team World Champion in Biketrial. 

The interview with him revolves around:

  • Staying creative with solutions, as no one can say how attacks will evolve
  • Staying authentic as a founder and entrepreneur
  • Strengthening the security industry in Germany and Good Ol' Europe

  1. Sebastian, you have witnessed the transformation of Virtual Forge from a group of idealists to a company. What influenced you the most from this time?
    Back then, we came to Virtual Forge from the Capture The Flag (CTF) team of the TU Darmstadt and therefore approached the first customer projects more like a hacker competition than a consulting service. Those were exciting and educational times. Then, when the CodeScanner CodeProfiler was developed, the transformation from a consulting-heavy pentesting company to a product development company began. This was indeed an upheaval, as product development requires completely different corporate structures. Penetration tests are very creative and usually relatively short projects, while product development requires years of structured development that only bears fruit after a longer period of time. I was shaped by experiencing this and being able to apply it to my current entrepreneurial activities.
  2. You have already founded companies yourself. What goals did you pursue with them?
    The goal is to promote Germany as a business location and the IT security industry in Europe. There are many good people here, good training, many good ideas, but often too little courage to try the step to self-employment. This is probably one of the main reasons why Germany lags behind the USA in terms of innovative IT companies, for example.
  3. What makes a start-up successful for you and why can it go wrong?
    You need a good idea for a solution to a concrete problem in the market, a good team and customers with a concrete need for the solution. And a lot of stamina and a bit of luck. And preferably not a pandemic!
    Can you elaborate on that point a bit?
    For corporations, the pandemic often seems like a good excuse. It can be used as an argument for just about anything: Restructuring, downsizing, etc. For a startup, it's detrimental because funding is difficult, customers are unlikely to jump at new ideas, and it's also hard to bring people on board who are currently more concerned with job security (vs. going into a more risky startup).
  4. What is your opinion on the topic of "we stay as we are" vs. growth?
    One does not exclude the other. You can absolutely stay "as you are" and still grow. I guess it comes down to self-image: what is one? Do I want to improve the world by making computer systems more secure? Or do I insist that I can only improve the world through this one service or product? The latter may prevent me from improving the world because the service or product will not catch on permanently.
  5. And finally, a technical question: which topics are suitable for you, as a "security professor", for a start-up?
    Cybersecurity will continue to be relevant, even if other topics such as AI are currently dominating the funding landscape. Companies are constantly learning and therefore are a "moving target". While penetration testing was very innovative 10-15 years ago with few specialized vendors, today almost every consulting firm has penetration testing in their program as well. Founders should ask themselves: what service, what product will companies be asking for in 2-5 years? If you have a good idea for this and at the same time have some innovative companies with buying interest up your sleeve, then you should consider founding a company.
  6. Derived from this, which ones will it be in the next 5 years?
    Many companies have learned that preventing cyber attacks, e.g. by looking for and closing security holes, secure software development, etc. is not enough. If employees open the wrong attachment, the attackers have a foot inside the company and can spread from there. The current extortion Trojan gangs are highly professional and have high profit margins. Pure prevention through protection is no longer sufficient. Companies need to ask themselves:
    • How do I detect successful attacks in a timely manner?
    • How do I know the extent of the attack?
    • How can I stop the attackers from spreading further?
    • How do I reliably throw the attackers out of my network?
    • And of course: how do I rebuild my IT infrastructure if an attacker had already penetrated deep?

    These are questions for which one needs specialized personnel, possibly also with on-call duty etc. Most companies cannot handle this. Some of this can be outsourced to Managed Service Providers (MSP), but some of this knowledge must also be available internally.

Image source: Münster University of Applied Sciences, Wilfried Gerharz