Who looks after security in a company dedicated to providing security for others?
It may be something most people hardly think about; however, it is clearly a legitimate question: when your work is focused on securing protection and privacy for others, these become crucial requirements in every aspect of it.
As Head of Information Security, Alexandre Quint explains what it’s like to battle for privacy on every front in this new instalment of our ‘My Career as’ series.
Alexandre Quint is Head of Information Security at Zama.
Alexandre has more than 20 years of experience in cybersecurity across various critical industries, including smart cards, network appliances, government agencies and software publishing, covering a wide range of operational security aspects. A strong supporter of open source, he has spent the last 10 years working on open source products, which are a great way to both share knowledge and learn from others.
“One mistake not to make with security is thinking you could delegate. Writing best practices is a good first step as it will give you a common reference document, but it is definitely not enough.”
Back in the day, I started studying Electronics and Computer Science at a French engineering school.
At that time, I was not yet well aware of computer security, but I had a past of being fond of mathematical puzzles. My studies were a mix of learning to code in C & assembly but also designing hardware cards.
I started my career at Gemalto (Gemplus at that time), a French smartcard company, as a new hire in the Security team, in charge of developing symmetric cryptographic algorithms for banks and telecom companies in custom assembly languages. After developing algorithms as a defender, we had to play the attacker role to evaluate the security and then document our findings to build a common security culture that we taught to developers. This mix of practice and theory, building defenses then trying to attack our products, learning things, then sharing good practices, was really a great match for me. That’s why I decided to continue my career focusing on security. I had the opportunity to do some reverse engineering (to verify that the cryptographic robustness advertised by software vendors was actually what was implemented in their software), joined the team that was responsible for the network security engine at a French UTM provider, then joined a startup to launch a file analysis security product before ending up in my current job.
Today, as the Head of Information Security at Zama, I’m responsible for the cybersecurity of our organization and our products. For an organization like ours, this means first of all ensuring that our day-to-day work takes place in a secure environment, protecting our corporate secrets, and preventing hackers from accessing our systems and locking us out for ransom.
We also need to make sure our products are secured on all fronts: our users’ data are protected, our systems cannot be compromised or taken down by an attacker, and our users’ financial assets are safe.
After almost 10 years of working in big organizations, I joined an SMB and then 2 different startups at roughly the same stage (where you could still all eat together). The two things I like most about working in a startup are that it is a highly flexible environment focused on outcomes: priorities can be changed, decisions are made quickly and all processes can be challenged. Another important thing for me was that, long before COVID, realities like these already had a good understanding of the benefits of remote working.
Moreover, startups are places where you can easily extend your area of ownership and expertise, as there are fewer employees. Typically, in security you could be the one writing a process to follow, but also the one implementing it or helping the team do it.
These days, I mainly focus on three kinds of activities. I run routine checks of the security in place, making sure automated security alerts are only raised when an incident occurs, and I also brainstorm with developers on the security requirements of their next product, making sure the architecture will be designed with security in mind by doing some threat modeling. A big part of my job is to work on a new security workflow: assessing the open source or commercial tools we could use, thinking about the integration into our systems and describing it in a process draft that can be shared with other teams for discussion. Assessing security tools is really challenging as there are tons of overlapping software products; that is where comparing with open source products can be interesting to really understand the benefit of commercial solutions.
One mistake not to make with security is thinking you could delegate.
Writing best practices is a good first step as it will give you a common reference document, but it is definitely not enough; you should also implement an automatic check to see if these best practices are followed. Having an automatic check rejecting your work because of a security issue is the only way to apply best practices; documents are just there for understanding the purpose of these security checks and how to pass them.
The most interesting part of security for me is that it’s a never-ending cat and mouse game. While a decade ago the trend was to add new security tools to the arsenal, a few years ago the trend evolved to coordinating all these tools to lead to more interesting (and time-saving) results. The recent trend, as in all domains, is to use AI to go even further and try a first layer of analysis by an automatic agent before knowing what the human in charge should do.
In computer science in general, it is very easy to learn on your own online. For security, it is really important, as you need to develop an intuition about where weaknesses could be.
It’s also important to stay curious and to try to understand how things work from the inside. The good news is that there are tons of good resources for theoretical and practical learning, which I would recommend to anyone interested in learning more about security as a potential career option, or just in general as a topic to explore. The various Capture The Flag platforms that offer security challenges are free to try; then there are security blogs (Krebs on Security, Schneier on Security) and Twitter accounts from leading security researchers. Then of course there are security conferences such as Black Hat, DEF CON and Hack In The Box, with a special mention for a French one named SSTIC that creates a new security challenge every year and showcases the best solution during one of the talks.
Obviously, privacy is a driving force for my work. I consider my personal data as sensitive as a password. I share some of it publicly, but I like to know how it will be used and stored, and that I have a way to keep control over it. That is the beauty of Fully Homomorphic Encryption (FHE): thanks to this technology, it will no longer be about trusting a company or a framework they have; privacy will be guaranteed by the maths, it will be by design.
If you’d like to know more about my job and the new frontier of privacy, you can reach me on X (@ch0k0bn) or on LinkedIn.