Interview with Robert Kallwies, Director Information Security, Wire
Secure communication simply makes sense. Networking and digitalization have given us a lot of opportunities and we can exchange information almost without limits, but at the same time the privacy we have is shrinking. Each and every one of us can counteract this by using secure means of communication.
In addition, there are of course special use cases, such as emergency management. I have already dealt with this extensively in my career and my experience shows me that it is particularly important in critical moments to be able to rely on a communication solution - and to be sure that no confidential information is leaked to unauthorized third parties.
Legislators have recently come to the same conclusion. Companies that are covered by the new version of the Network and Information Security Directive (NIS-2) must include secure communication and, in particular, crisis communication in their security concept; otherwise, they could face fines.
I have been involved in IT for over 30 years. It all started with a fascination for IT and computer technology. When I assembled and installed my first computer myself, my fingers started to tingle. Over the years, I acquired a lot of knowledge and eventually studied computer science. The first big topics I dealt with were network security, especially in terms of availability, and then the topic of Y2K. Y2K was the turn of the year from 1999 to 2000, when many companies thought that their entire IT would no longer work - a "doomsday scenario", so to speak... If you want to know more about it, you can find a lot of information on the Internet. I think this was the first major emergency scenario that would have affected many companies.
My approach to security is strongly driven by organizational and governance-oriented questions. In other words, questions about which protective measures are appropriate for a company, how to manage business risks that arise from the use of IT, emergency response planning or processes for secure software development. That's why I'm very familiar with regulations such as ISO 27001, the NIST framework and similar requirements.
I've seen a lot in the 20 years I've worked in the security sector since graduating. I spent 15 years as an external consultant and then worked for Deutsche Bahn for several years. I also restructured the IT emergency management there. I am also one of the co-authors of the BSI Standard 100-4 on Emergency Management.
For me, it is important to establish a common view of the topic. In my experience, the technical departments in a company often have a negative attitude towards compliance. And the business-oriented employees in the company often say that IT has no idea how the money is actually earned. My approach has always been to establish a common understanding of IT security within the organization. Nevertheless, some security issues are of course non-negotiable, such as the encryption of notebooks, security patch management or regular penetration tests of Wire Messenger components.
The best way to achieve targeted IT security is for everyone involved to understand IT security as a process that sets clear framework conditions and at the same time does not overburden the organization. In addition, all employees should be involved in the relevant topics or changes in good time. Our clear priority is, of course, to secure our messenger and confidential project data. Our customers rightly expect this.
Clearly the introduction of Messaging Layer Security (MLS). We are currently working flat out to enable our customers to use MLS in Wire. This makes secure communication even easier, enables larger groups and improves performance. And in the coming years, MLS could make a decisive contribution to cross-messenger encrypted communication finally becoming a reality. Read more about MLS in this blog post.