About our interview partner
Nicolas Mayencourt is the founder and CEO of Dreamlab Technologies, a Swiss cybersecurity pioneer. Active in the field for more than 20 years, Dreamlab Technologies has played a key role in shaping today’s security landscape.
Hello Nick Mayencourt, you’ve worked in cybersecurity for about 25 years now. Could you share a few highlights from your career with us – maybe ever something that most people haven’t heard about before?
Actually, I have 35 years of experience – something very few people know – because I was nine when I got into IT. That was in 1985, when nobody cared about the Internet, or at least it was unclear whether the Internet had any practical value.
Even then I was convinced that the world was changing. I was young, enthusiastic, euphoric. I thought that we would build machines to do our work for us and we would all have fewer things to worry about. But it took another 10 years until the Internet was widely available.
And here’s a related anecdote: I was ready for college and wanted to study information security. But that wasn’t possible – in Switzerland or anywhere else.
So almost immediately I founded my own company, Dreamlab Technologies, with the goal of offering IT security to clients around the world. But the world didn’t actually change overnight, no matter how much I expected it to. It still wasn’t possible to officially study IT security – and what’s more, there wasn’t any demand for IT security in the first place. I offered pen tests but couldn’t interest anyone in talking about them with me.
In fact, our industry only really emerged when the dot-com bubble burst. To a certain extent, IT security is an anticyclical business: often, people pay more attention to security issues when the economy is doing badly. In the beginning, I spent a lot of time preaching about security and spreading the word, but I also helped found a nonprofit institute that established the Open Source Security Testing Methodology, the first of its kind. We were also members of the World Wide Web Consortium early on and involved in setting standards there. Real security has to be based on open standards – otherwise nothing is traceable and the whole business just becomes a game of reverse engineering.
When you look back: what mentors or other people you met were especially supportive?
I was very lucky to be born at the right time for a topic that fascinates me so much. I was always one of the first movers in a niche as it was emerging, and for that reason I had very few mentors in this domain – they simply didn’t exist.
But there are many people I highly respect – people who inspired me and who I look up to, including science fiction authors, scientists, and philosophers (such as William Gibson, Marvin Minsky, Aldous Huxley, Marshall McLuhan and Paul Virilio).
You built Dreamlab Technologies and now it’s highly successful, including as a security partner for government authorities in many countries. What are your thoughts on the cybersecurity market: will it consolidate further? Or will more and more niche players pop up?
I think there are two main scenarios. If we don’t make any fundamental changes or answer some hard questions, the market will consolidate further. Of course niche players will continue to emerge for new topics, too, as the technology keeps developing. But in this scenario we will essentially continue to have more of the same (“frantic stagnation”) – more government espionage, more Internet crime, and of course security products with faster response times and better features. The cat-and-mouse game will go on. Losses will increase, more companies will buy insurance against them, compliance rules will be tightened, and new laws will be passed. But the underlying problem will still be there.
Dreamlab Technologies believes in an alternative path and is fighting to make it happen. I like to draw an analogy to cars 100 years ago, which didn’t have any real safety features either. But now laws place clear requirements on the vehicles themselves and their drivers. And if you can’t prove that the driver and the car meet these requirements, neither one is allowed on the road. Rules like speed limits are also in place – cars‘ speeds are checked and drivers that exceed the limits are punished.
But as a society we still accept that software products may have security problems – and that manufacturers don’t accept any responsibility for them. Why do we let this happen?
If you were giving advice to a young informatics student today: what specialized area of cybersecurity would you recommend pursuing?
That’s a difficult question – the whole field is interesting and relevant. I would say to first get a broad overview and then decide.
One megatrend I see today that will come with an employment guarantee is AI-powered defense. It will be huge. So will the interface of IT, OT, and IoT – things are finally taking off there, and for good reason. Looking further ahead, the combination of bioinformatics and quantum security (or post-quantum security) is interesting. Topics related to zero trust and blockchain also look good for the future.
Sometimes I get the impression that fundaments like embedded coding are being neglected (key terms here are “machine language” and “multi-core approach”). We can’t afford to lose this knowledge.
Cybersecurity is an enabler for digitization: viewed the other way around, does this mean that business cases will become less convincing for many digitization projects – to the point that they may no longer be worth the effort?
It depends on the length of the period you’re looking at. It’s like building a house: sometimes problems are covered up and you don’t discover them until later. A digitization business case that doesn’t consider security is covering up a problem – a fundamental aspect is missing. And a project like that shouldn’t be approved.
One example today is the use of ancient Linux systems with serious weak points in smart meter solutions.
What technical developments in IoT security do you think are especially interesting?
I am very happy to see that there’s a secure development life cycle for critical applications and that IoT security is getting more attention. But when it comes to security in many consumer devices and smart home/smart city or similar applications, there’s a lot of catching up to do. Sometimes the only thing developers and buyers seem to care about is the price.
In your experience, what security measures offer high protection against ransomware attacks but still haven’t been put in place by many SMEs?
The most cost-efficient measure – and yet the one used least – is building a sound understanding of the problem and good judgement. In other words, targeted training for employees, suppliers, and service providers.
Technical segmentation of business processes is also important (for example: so that if an HR employee’s device is infected, the consequences only affect the HR department). Virtualization or sandboxing can be used to make this happen. Another thing that anyone can afford is an effective backup strategy, including recovery with an offline backup.
And here comes a shameless plug: at SMEs in particular, IT security know-how and budgets are often limited. That’s why we wrote a book especially for them. It’s a low-cost way to make effective actions accessible to smaller companies. In other words, it helps them to help themselves.
In your publications, you often talk about “becoming invisible” in cyberspace. Can you tell us more about that?
You can’t attack something that you don’t see. Many companies are too visible. We help them to reduce their visibility to the minimum level required for them to operate. We also invented technology (Cyel) for this purpose. Thanks to rigorous IAM, even members of the company can only see limited network resources (and only for a limited period).
Cyel is an overlay network – a development that builds on the idea behind Tor. Cyel makes us the first company in the world to offer “moving target security,” with homomorphic encryption from end to end and hop to hop. The overlay network builds dynamic connections and assigns random IP addresses for each of them. In that environment, ransomware can’t simply spread. In most cases, an additional device is used to create the overlay system, so no changes to the existing customer-side network architecture are necessary. This approach works for OT networks too – or at least for everything that runs on the IP stack.
And what is Anonymiser?
Anonymiser consists of a global network of servers, similar to those from a Tor provider. While guaranteeing that we don’t store any log data, we hide network traffic and prevent identification of end-user devices and applications. Entry and exit points can be anywhere in the world. Applications can be opened virtually in the browser – and when the session is closed all data are absolutely gone. It’s a perfect setup for testing malware, for example. We provide extremely high bandwidth as well.
In your opinion, what’s especially important for SME managers in terms of cybersecurity?
There’s no company today that doesn’t depend on IT. Awareness of this fact is the first step.
Then they need to ask themselves the question: what are the critical pathways to keep the business running?
Hidden dependencies among IT systems often exist. You have to take an honest look.
We need to banish two myths from our thinking. First, there’s no such thing as a network perimeter these days. Smartphones and connectivity have eroded such boundaries. So many concepts like “defense in depth” no longer make sense. We need “security in depth” – every single asset needs Internet-grade security. The second myth is, “Nobody will attack me; I’m not important.” That may be true, but it’s your Internet address they’re after. The real goal is resources. And attackers always look for the path of least resistance.
Cybersecurity is the foundation for digitization. It’s not a cost factor, it’s a survival factor. And cybersecurity brings a competitive advantage. If a competitor‘s system isn’t available, customers can buy from them or their employees can’t do their jobs.
One last question: What are you planning to do in the future? What are the most important projects coming up?
Of course we want to continue to improve our tested (in some cases literally battle-tested) solutions, especially in detection, protection, and response. This year we established branch offices in Spain, Colombia, and Australia that we will expand, too.
Nicolas Mayencourt, thanks for talking with us – we wish you lots of continued success!
In our day-to-day business, as your independent partner we analyze customer requirements towards cybersecurity and identify suitable providers of products and services. Therefore, we have collected a significant number of interesting provider and solution profiles. Of course, this does not include any recommendations for products or providers. Also be sure that we do not receive any advertisement payments for the interviews. If you are interested in an interview with us, please send a short message to cybercompare@bosch.com.
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.