Written by Süleyman Yilmaz

Day in the Life: Thomas Heyman

Step into the shoes of Thomas Heyman, a dedicated cybersecurity consultant, as we explore a typical day in his professional life. Gain insights into his strategic routines, problem-solving skills, and his unyielding dedication to enhancing digital security. Join us in this insightful journey as we shadow Thomas through his daily tasks, discovering the measured steps he takes to safeguard against modern cyber challenges.

Today I’m visiting one of the sites of a client for an entire day of information security awareness sessions. I’m looking forward to this, as it will give me an opportunity to get feedback from the people that are involved with product development and customer support. Apart from informing the product team of all the recent information- and cybersecurity initiatives that are underway, their insights will be essential to gauge whether our corporate information security roadmap is still correctly focused.

Our security roadmap covers a broad range of topics. The primary goal is to ensure that we meet and exceed customer expectations for cybersecurity. That is not a trivial challenge. In today’s regulatory landscape with constantly evolving laws and regulations, sometimes the customers of my client don’t even know what they should be looking for in order to be compliant. Product development and customer support must be aware of these new requirements in order to efficiently respond to customer questions and requests. It’s part of my job to ensure that they have this awareness.

Read more on:

Given the cross-cutting nature of information- and cybersecurity, many people are involved and this day has been planned for a while now. First up is a general awareness session with some updates on “what’s new” in the world of cybercrime. After all, it’s hard to secure your products and services if you don’t know what you are protecting it from. Next up is a focused session on information security certifications such as ISO 27001, HITRUST, and SOC 2 audit reporting. We discuss potential up- and downsides of each, what a potential roll-out could look like, and I get valuable feedback from the support teams on what customers are most interested in.

Finally, we end with a focused session on threat modeling. Threat modeling is quickly evolving to be a mandatory activity for multiple regulations (just look at the latest FDA and EU MDR regulations for medical devices). Even though this is an initial introduction, the product engineers seem enthusiastic about the potential value that this can bring. The engineers let me know what cybersecurity risks they are struggling with, so I can take that into account for our corporate risk management and upcoming roadmap initiatives.

Read more on:

At the end of the day...

…this event took quite a bit of preparation and resources, but it was worth it. Days like today point out that information security management is about more than “making sure that we tick all the ISO 27001 boxes”. It’s about real teams building real products, and it’s our job to make sure that they can do this securely.