Secret CSO: Jan Andrascik, Trezor

What do you feel is the most important aspect of your job? “Finding balance between security and usability.”


Name: Jan Andrascik

Organisation: Trezor

Job title: Chief Information Security Officer

Date started current role: November 2021

Location: Prague, Czech Republic

Jan Andrascik is Chief Information Security Officer at Trezor Company. Prior to joining Trezor, he worked in various cyber security roles in banks and consulting companies.

What was your first job? I started my first job at the age of 19, when I started at university and joined GE Money as a Recovery Administrator for overdue debts.

How did you get involved in cybersecurity? By accident. I used to work a regular IT job on the service desk. And when I finished my Bachelor's degree, I wanted to challenge myself, so I applied for an IT auditing job at Deloitte. However, based on my IT experience I was redirected to cybersecurity consulting and have been doing that ever since.

What was your education? Do you hold any certifications? What are they? I was interested in IT since I was a kid, so after elementary school I attended an IT-focused high school and then continued my studies at the Prague University of Economics and Business, where I finished my Master's degree in Information Management.

I also hold various certifications: CISSP, CISA, CISM, CRISC and CDPSE.

Explain your career path. Did you take any detours? If so, discuss. I started working as a recovery administrator at GE, where I improved internal processes by writing macros. After that I moved toward a full IT job. After I left GE, I moved to a local service firm providing service desk support to a Swiss energy trading company, Alpiq, which I then moved to. After leaving Alpiq, I moved to Deloitte, where I performed security consulting and audits focusing more on the technical aspects of cybersecurity. I stayed at Deloitte for over 7 years, working across the globe on various projects, mostly for financial services companies. After leaving Deloitte I moved to yet another consulting firm, Accenture, focusing on more process-related security. After Accenture I moved to Raiffeisenbank, taking care of the ISMS of the bank. Then I shortly moved to Ceska sporitelna, a Czech bank belonging to Erste, and after that, in 2021, I started at Trezor.

Was there anyone who has inspired or mentored you in your career? I've met many security experts throughout my career, but I can say I only looked up to two of them: my manager at Deloitte and my manager at Accenture.

What do you feel is the most important aspect of your job? Finding balance between security and usability.

What metrics or KPIs do you use to measure security effectiveness? The primary metrics now are the vulnerabilities found in our products. We perform penetration tests of all the services we have, but still have a bug bounty program for everyone to participate in. And we are happy to see that the number of vulnerabilities is low.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? As the whole Czech Republic is experiencing a shortage of IT personnel overall, so is Trezor. And in our industry, we especially need skilled secure developers who know about software vulnerabilities and secure coding principles, and that happens to be challenging in current market conditions.

Cybersecurity is constantly changing – how do you keep learning? The change is the challenge. I always try to attend interesting conferences or talks, I read through new legislation, and I try to implement new security features in my private cloud.

What conferences are on your must-attend list? Here in the Czech Republic it is IS2, and Qubit from time to time.

What is the best current trend in cybersecurity? The worst? I would say security regulation, at least on the EU market. It is making, or soon will make, even small companies think about the security aspects of their work and secure their data.

The worst is the growing amount of spear phishing targeting individuals within companies, making them provide access to attackers.

What's the best career advice you ever received? Never give up, never surrender.

What advice would you give to aspiring security leaders? Get to know the risks your organisation is facing and address them in a timely manner.

What has been your greatest career achievement? Designing a security feature for a mobile banking application.

Looking back with 20:20 hindsight, what would you have done differently? I would have tried even harder to get into more technical detail with regards to cybersecurity.

What is your favourite quote? "Stay hungry, stay foolish" – Steve Jobs

What are you reading now? Rich Dad, Poor Dad by Robert Kiyosaki.

In my spare time, I like to… Travel (far), watch movies and do fitness (I am also a fitness instructor).

Most people don't know that I… Used to sing in a choir.

Ask me to do anything but… Negotiate.