In recent years, the digitalisation of German companies has progressed enormously. This makes it possible to work faster and more efficiently, but also opens up new ways for attackers to penetrate companies via IT. In order to identify weak points in the IT and ward off hacker attacks in advance, so-called security analysts regularly simulate attacks with the help of penetration tests. André Zingsheim, Security Analyst at TÜV TRUST IT, reveals in an interview how he became a “professional hacker” and why social skills also play a role in his daily work.
Mr Zingsheim, you have been working as a security analyst at TÜV TRUST IT in Cologne since 2012. How did you first get into this profession?
I had my first contact with the topic of hacking during a practical phase of my studies and was quickly fascinated by the entire subject. After completing my Master’s degree in technical computer science, I immediately focused in this direction and began my career as a professional hacker at TÜV TRUST IT. Here, the focus is of course on penetration tests, but I also carry out audits as part of certifications and support our customers with employee training and the big topic of awareness. This is also an important part of my work, because not only IT, but also humans are a potential security risk.
So, a security analyst is also in demand in the area of social skills?
Exactly. Of course, technical knowledge is absolutely necessary as a basis for this profession. But social skills should not be underestimated. Since the human factor is often just as big a security risk as technology, it is important to be able to put yourself in other people’s shoes. For example, a penetration test also includes social engineering measures, in which we try to obtain information from the company with the help of phishing e-mails or other manipulation of employees. It is very important to have an idea of how users react to such phishing emails.
Mr André Zingsheim Security Analyst TÜV TRUST IT
You also mentioned relevant expertise. In your opinion, what kind of expertise should a potential security analyst have?
Theoretical know-how is, as I said, the basis of our work. This includes good knowledge of all common operating systems as well as scripting and meta languages, and also network and programming knowledge. Some experience in the areas of reverse engineering and forensics can also be very helpful.
Comprehensive knowledge is therefore required here. Does your daily work offer as much variety as the broad range of necessary skills suggests?
Absolutely! Since we work for many different clients from all kinds of industries, there is never a dull moment in our working day. Every company is different and requires an individual approach to the respective situation. So, there is no such thing as working according to a pattern in my job. I like that very much. And, even if you don’t guess it right away, a lot of creativity is required in the practical work, despite the necessary theoretical basics. In order to identify all possible weak points, we often have to think out of the box and adopt new perspectives. That is always an exciting challenge in everyday life.
Thank you very much for the interview, Mr Zingsheim.