Kai Roer - Stuck in the lift with the Cynic

As I saw the Internet as a marketing and communication tool, I soon realized that it meant information management - as in controlling what to put where, who has access, and also who did actually access the information. This, combined with my playing around with modems and colored boxes back in the ’80s, made it easy for me to focus on security.
I worked with some of the largest multinational corporations in Europe, within Oil & Energy, Telecom and defense.

I have messed with boxes, cables, building boxes, soldering, programming and just about any side of ICT. I have a gift for understanding how to best use the technology to achieve my goals. And I still use this gift when analysing and designing systems.

Before I became an infosec professional I wanted to be:

Famous :) I played in a band in the early ’90s, and I’ve always been writing things. I don’t believe anymore that I will take part in the next Rolling Stones, but I will continue to write!

Describe Infosec in a few words:

The understanding of valuing and securing information.

The best thing about being an infosec professional is:

Meeting so many great, insightful people. There are so many extremely smart people in this industry that it never seems to amaze me. In addition, you get to know threats, technology and solutions long before anyone else.

The worst thing about being an infosec professional is:

Sometimes you can be a bit too paranoid ;)

The biggest misconception about infosec is:

People think it is about technology. It is not. Infosec is about information - what value does it have (to us), how important is it to keep it private, how should we go about to protect it.

Given, a major information carrier is based on technology (ICT), thus many security tools are based on the same. But - Infosec is about information, not technology.

The next big thing in infosec is:

You, perhaps?

I believe that Security by Compliance will lose its inflated impact, and that infosec will go back to being about securing the company information. I also believe that both the technical infosec people and management will grasp that infosec is about their own company, their own information, and that best practices are not necessarily the best practice for their company.

I see the next big thing in infosec being companies starting to realize that infosec is about protecting their own value proposition, and not about yet another cool box with blinking LEDs to put in the server room for the ICT-guys to drool over.

My favourite saying is:

Infosec is about information, not technology.

Infosec’s greatest weakness is:

The focus on technology. This takes away focus from what is important - to properly value and secure the relevant information of the organization. First you must know what is of value to your organization. Then figure out how important it is. Then start protecting it.

The focus on technology makes too many start in the wrong end, wasting time, money and efforts on technology they do not really need.

I never go into a meeting without:


Seriously, I try to be prepared at all times. And I hardly ever go anywhere without my iPhone.

The analogy I use most when describing infosec terms is:

KISS - Keep it simple, stupid.

So many people seem to have a need to complicate things. It is like they are afraid that other people will deem them stupid if they offer something that is simple. I try to do the opposite. My experience tells me that the simpler the solution is, the easier it is to maintain. Thus, my only best practice is to keep things as simple as possible.

The weirdest security question I’ve ever been asked was:

“Do we really need to write documentation?”

It never ceases to amaze me how:

IT security people complain about not getting the money they want for the latest, coolest box to light up their server room, while they never cared to align the investment with the business requirements of the organization.
Equally, I am amazed by managers at all levels who do not realize that their job is about risk assessment, evaluation and making decisions to reach the organization’s goals. And that this process is very similar to what security is all about.

The last time I was truly amazed was:

I took my son to ride the rollercoaster Thundercoaster at Tusenfryd in Norway. He is seven. The coaster is huge. Fast. Noisy. Scary even for me. And I love rollercoasters. When we got out, he was flying. Eyes glowing. I don’t think I ever saw him like this before. He seems to have the same interest in coasters as I have!

I’m fascinated by:

Motivation. As in what motivates people to do the things they do, and act like they do.

The most common assumption people make about me is:

That I am a great sales person. I am not. I hate sales.