It’s been claimed from time to time that I actually sabotage lifts in order to ensure some face time with someone. But I put it down to just bad luck. A bit like how Bruce Willis in the Die Hard films always ends up at the wrong place at the wrong time.
Today, sharing my luck of being stuck in a lift is one of the best trainers in all of Europe, Mr Kai Roer.

I am:
Kai Roer
My career:
I established a consulting company in 1994 in order to finance my studies at the University of Oslo. Services were Internet and Multimedia, and pretty soon I decided to drop out of university and only work. Made perfect sense back then.
As I saw Internet as a marketing and communication tool, I soon realized that it meant information management – as in controlling what to put where, who has access, and also who did actually access the information. This, combined with my playing around with modems and colored boxes back in the ’80s, made it easy for me to focus on security.
I worked with some of the largest multinational corporations in Europe, within Oil&Energy, Telecom and defense.
I have messed with boxes, cables, building boxes, soldering, programming and just about any side of ICT. I have a gift of understanding how to best use the technology to achieve my goals. And I still use this gift when analysing and designing systems.
Before I became an infosec professional I wanted to be:
Famous
I played in a band in the early ’90s, and I’ve always been writing things. Don’t believe anymore that I will be part of the next Rolling Stones, but I will continue to write!
Describe Infosec in a few words:
The understanding of valuing and securing information.
The best thing about being an infosec professional is:
Meeting so many great, insightful people. There are so many extremely smart people in this industry that it never seems to amaze me. In addition, you get to know threats, technology and solutions long before anyone else.
The worst thing about being an infosec professional is:
Sometimes you can be a bit too paranoid
The biggest misconception about infosec is:
People think it is about technology. It is not. Infosec is about information – what value does it have (to us), how important is it to keep it private, how should we go about to protect it.
Given, a major information carrier is based on technology (ICT), thus many security tools are based on the same. But – Infosec is about information, not technology.
The next big thing in infosec is:
You, perhaps?
I believe that Security by Compliance will lose its inflated impact, and that infosec will go back to be about securing the company information. I also believe that both the technical infosec people and management will grasp that infosec is about their own company, their own information, and that best practices are not necessarily the best practice for their company.
I see the next big thing in infosec being companies starting to realize that infosec is about protecting their own value proposition, and not about yet another cool box with blinking LEDs to put in the server room for the ICT-guys to drool over.
My favourite saying is:
Infosec is about information, not technology.
Infosec’s greatest weakness is:
The focus on technology. This takes away focus on what is important – to properly value and secure the relevant information of the organization. First you must know what is of value to your organization. Then figure out how important it is. Then start protecting it.
The focus on technology makes too many start in the wrong end, wasting time, money and efforts on technology they do not really need.
I never go into a meeting without:
Myself.
Seriously, I try to be prepared at all times. And I hardly ever go anywhere without my iPhone.
The analogy I use most when describing infosec terms is:
KISS – Keep it simple, stupid.
So many people seem to have a need to complicate things. It is like they are afraid that other people will deem them stupid if they offer something that is simple. I try to do the opposite. My experience tells me that the simpler the solution is, the easier it is to maintain. Thus, my only best practice is to keep things as simple as possible.
The weirdest security question I’ve ever been asked was:
“Do we really need to write documentation?”
It never ceases to amaze me how:
IT security people complain about not getting the money they want for the latest, coolest box to light up their server room, while they never cared to align the investment with the business requirements of the organization.
Equally, I am amazed with managers at all levels who do not realize that their job is about risk assessment, evaluation and making decisions to reach the organization’s goals. And that this process is very similar to what security is all about.
The last time I was truly amazed was:
I took my son to ride the rollercoaster Thundercoaster at Tusenfryd in Norway. He is seven. The coaster is huge. Fast. Noisy. Scary even for me. And I love rollercoasters. When we got out, he was flying. Eyes glowing. Don’t think I ever saw him like this before. He seems to get the same interest for coasters as I have!
I’m fascinated by:
Motivation. As in what motivates people to do the things they do, and act like they do.
The most common assumption people make about me is:
That I am a great sales person. I am not. I hate sales.
To contact me or find out more about me:
Visit my Blog: Roer.com
Connect with me on LinkedIn: http://www.linkedin.com/in/kairoer
Or follow me on Twitter: twitter.com/kairoer


