Rasmus Holst is the chief revenue officer of Wire, an open source, end-to-end encrypted collaboration platform. Throughout his career, Rasmus has delivered growth, exits, restructuring, strategic direction and customer retention across start-ups and established multi-million-dollar businesses. He joins Wire from Huddle, where he served as the company’s Chief Operating Officer. Rasmus has served in senior leadership roles at Syniverse, Oracle, Intec, Digiquant, and Nokia.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Ringsted, Denmark — a rural city 50 km outside of Copenhagen — with my younger brother and we had parents who were both school teachers. This was an age before mobiles and I didn’t have my first until I was 26 and started working at Nokia. I remember that I got a 5110 and a 15 Commodore 64 with a tape station, needless to say, my youth was spent outside and I probably tried any sport that I could get my hands on.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I am not sure that cybersecurity was an inspiration per se, but I “grew up” in telecoms working with prepaid network systems and later roaming. It was at this point that I became painfully aware of the amount of monetary fraud that was perpetrated against telcos globally.

So my “inspiration” was really finding out that telco fraud or ransomware always just ended up in the pockets of criminals or bad state actors and knowing that the problem was just growing at enormous rates. I ran a personal sanity check on how much money could have been used for “good” purposes and it eventually became a mission and driving force on what I wanted to do in my career. Now, I am happy that Wire is helping governments secure their communication and if we can be known for helping organizations like a hospital lower taxes or funds by saving them from being victims of a ransomware attack — that would be the ultimate inspiration.

Can you share the most interesting story that happened to you since you began this fascinating career?

I think there are lot of fascinating stories along the way — and they have gone from sleeping on the floor waiting for a 750m USD acquisition to go through, sitting and manually keeping a demo alive for a country launch of internet with billing, being on stage as Darth Vader for a sales kick-off, having an IPO run off a cliff when the market crashed in 2000 or bringing the first commercial product to life in Wire.

I have been so fortunate to have challenges ranging from strategy over market, sales, product, support to development — and I am so grateful for all of those. To broaden the horizon I have had the opportunity to manage a hundred million dollars business starting with no revenue — I think that gives a unique perspective on scale and being humble for every little piece of business.

I actually think soner of the most interesting stories are the ones about perseverance and believing that you can change the status quo and in many ways that is what characterizes my most interesting experience(s) — that it can be done. If it was a small rural Danish billing company believing Cisco would invest — they did, if it was convincing Oracle executives together with Trent Lund and Eric Lagier that we should have a a Service Delivery Platform offering, if it was building a partnership with Mastercard and Jamas Davlouros from scratch or now taking Wire from zero revenue past a B-round financing and 300% YoY growth — those are all fascinating — and in my Danish Hans Christian Andersen terminology “Ugly Duckling” stories of believing you can make a change and seeing it happen — the amount of times it has happened against odds has yielded the most interesting moments of my career.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I have plenty of people to thank throughout my career and I am always learning from people even as I approach turning 50.

Apart from having worked with Morten Brøgger (CEO of Wire), I also wanted to call out my first ever manager Svend Lauszus for believing in a fresh out of school engineer who just ran 6km to the job interview as the car would not start. He literally looked at me and said “I can take this one of two ways, either you are super unprepared or you are really amazing at solving a tough situation,” this is a perspective that I have since adopted personally. Svend also set up a phenomenal team of seasoned veterans and eager “youngsters”, which I am so grateful for since I learned tremendously from everyone and it is a model that I strive to build in my teams today.

I am also very grateful for my family and especially my wife who has been an integral part of my success. This is now the third country we have lived in and there is no way I could be here without having them here to confide and share concerns, dreams and hopes to find my strength.

Are you working on any exciting new projects now? How do you think that will help people?

I am really excited about the work we are doing in transforming collaboration within governments to be more secure, private, and data sovereign. It is clear that instant communication is here to stay, but so is the threat of hacking, cyber-espionage, etc.

I’m also excited about the fact that this work combines so well with Wire’s mission of delivering federation through Messaging Layer Security (MLS). The notion of different nation states having their own data sovereign instance and connecting that with an international organization or other government organizations would be a fantastic outcome. Rather than having these large valuable databases, we can encrypt them into the smallest payload — making it data sovereign and then connecting backends. I am proud to say that many of our government customers share that vision.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I think it is about setting goals all the time, that there is always something new to achieve and to not believe that there is an “end goal”. The goals don’t have to be massive or life changing, in fact it’s great to celebrate little wins more often. After all, running a marathon with no finish line will burn out even the best of runners. Make sure to also come out of your “COVID”-study and connect with your loved ones as much as possible.

You need to maintain your private and work life — if you only have objectives in one you will not thrive — find the balance.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

I am super excited about the fact that cybersecurity has now moved up the importance ladder. The World Economic Forum listed cybersecurity in the top 3 issues facing humanity alongside the environment and health crisis and a lot of world leaders have now stepped up to the plate with early plans of getting a new infrastructure in place. I am especially excited about the three different approaches from Biden, Macron, and Merkel that will each have an effect in creating a new cyber-infrastructure. Biden is focusing on zero-trust and immediate action, Macron is investing into programs 5–20 years out on the horizon, and Merkel with a data sovereign approach to combat data hoarding practices from tech giants. These three things are really exciting to see since I absolutely believe that we need new approaches to cybersecurity.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Ransomware attacks — Ransomware have continued to be an ever evolving cybersecurity threat, across a variety of industries. This type of cyber attack can have a detrimental impact on ongoing operations, team productivity and ultimately your company’s bottom line, given its ability to encrypt essential information, for a substantial amount of time. Over the past year ransomware attacks have continued to climb in number and severity, with global ransomware recovery costs doubling from an average of 761,106 dollars in 2020 to 1.85 million dollars in 2021. The latest ransomware attacks on the Colonial Pipeline and most recently on Kasaya, have only continued to demonstrate that this problem is not at a risk of slowing down in the near future. It is critical that IT leaders, Chief Security Officers, and managers safeguard their data against ransomware by pursuing a new security-first infrastructure that is composed of Zero Trust elements such as end-to-end encryption, and decentralized data storage and protection.

Phishing attacks — Phishing attacks are one of the most common cybersecurity threats that can impact an organization. A series of research reports have shown that 91% of successful cyberattacks start with a phishing email, wherein bad actors often coax users into opening malicious links embedded in the body of the message.If you or someone in your organization comes across a phishing attempt, it is always best to report these to IT teams, or a cybersecurity officer, who can then choose to combat this in two ways:

Invest in technology that provides a secure environment. While “open” email systems are cheaper and more common, the risk they pose is not worth it — especially if you are a large enterprise or government organization that deals with mission- critical, confidential data everyday. Instead of using email, businesses should use a secure (end-to-end encrypted and invitation-only) platform to communicate and collaborate, particularly when sensitive items are being shared. Secondly, businesses should implement mandatory cybersecurity training for employees. Even in the best case scenario where a company invests heavily in cybersecurity technology, the whole system can still fall susceptible to human error. This is why it’s crucial to educate employees on how to identify and defend against potential cyber attacks.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I am not doing operational cybersecurity per se, but I think that what we are doing at Wire is changing the information architecture approach from large databases to smaller encrypted payloads. I think this is the only way we move on from massive breaches and ransom payments, we need new infrastructure.

We all admire Elon Musk for trying to make transportation more environmentally friendly, we need to come together to do the same in the cybersecurity community. We need to find a new sustainable infrastructure that starts to cut the massive growth in cyber crime.

Right now, I feel that the team at Wire is trying to do just that and we are working with amazing companies in IETF to bring about MLS. My main takeaway is that we as a community need to really rethink our core architectures. We need the same impetus and urgency to act now, similar to the actions taken with green energy or the vaccine programs of COVID.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I don’t use them for the reasons above..

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

When selecting an over the counter software, it is best to opt for one that is built out with E2EE encryption capabilities, and takes a decentralized approach to data storage.

Security is something that you should always be looking to improve because threats are always evolving; so it is critical to ensure that your softwares is upgraded on a rolling basis. Having a Chief Information Security Officer to monitor for system updates, administer awareness training, develop safety protocols and crisis management, should be an essential role of any company.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Suspicious emails — Always vet suspicious emails with caution. If the message is embedded with incorrect links , it more than likely is a threat. When encountering these issues, it is always best to report them to IT staff, in your organization, before proceeding to open them.

Unusual login attempts — Multiple reports of unusual login attempts, are often a tell-tale sign that an outside perpetrator is attempting to gain access to your organization. It's always a good practice to keep passwords up to date on an ongoing basis to ensure that sensitive data is not at risk of being breached. If there are multiple reports of unusual login attempts, it is best to take precaution, and update the passwords across your organization immediately.

— Multiple reports of unusual login attempts, are often a tell-tale sign that an outside perpetrator is attempting to gain access to your organization. It’s always a good practice to keep passwords up to date on an ongoing basis to ensure that sensitive data is not at risk of being breached. If there are multiple reports of unusual login attempts, it is best to take precaution, and update the passwords across your organization immediately. Ransomware Messages — Encrypted files, locked devices and web browsers, are glaring warning signs of a ransomware attack. These fatal symptoms are often accompanied by a message, requiring you to provide financial compensation in order to retrieve encrypted data. Unfortunately, by the time you receive these messages, your data has likely already been compromised, which is why it is critical to have preventive measures in place, before they can occur.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Disclose the data breach to customers — If you have suffered a data breach, the number one step is to disclose the severity of damage of said breach, to all stakeholders and customers that have been affected. Customer trust is one of the most valuable assets that can be difficult to replace once ruptured. To minimize any further damage or loss of trust, it is best to be upfront about the severity of the attack, detailing to what extent the data was breached, and how you plan to compensate users for jeopardizing their data.

Educate employees on the repercussions of a successful cyberattack/breach . Educating employees on the weak points that led to the data breach, will be instrumental to preventing them in the future. Make sure to provide practical examples of how different roles in your business might come across risky scenarios in their daily operations, discuss what the repercussions are in layman's terms, and use real-world examples of how cyberattacks have crippled companies to illustrate this risk.

. Educating employees on the weak points that led to the data breach, will be instrumental to preventing them in the future. Make sure to provide practical examples of how different roles in your business might come across risky scenarios in their daily operations, discuss what the repercussions are in layman’s terms, and use real-world examples of how cyberattacks have crippled companies to illustrate this risk. Prioritize privacy over convenience going forward — In this era of digitization, it is important to remember that convenience often comes at a significant cost. While there are a variety of technological platforms to choose from that offer quick and efficient collaboration tools, it is more effective to select one composed of strong security foundations, such as E2EE capabilities and decentralized data storage. For example, a decentralized solution that uses double-ratchet E2EE allows for every individual call, message, and file to be separately encrypted on every device, with the keys generated from the device rather than from a central server. This protects the information to the smallest possible unit, and creates a system that grows more complex for hackers, with every message.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

Wire was an advisor on GDPR when it launched, so our business actively supports a high level of data protection. I think a lot of businesses really had to review their policies and setups when it launched and still to this day many of our colleagues in the collaboration space are still not there according to the Berlin Data Protection Officer.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Lack of security training for workers — Cybercriminals are always searching for new ways to prey on human fallibility, which is why it is critical to train employees to diligently scrutinize everything that comes into their digital space, and require them to authenticate everything to the best of their ability. A few tactical examples of this, could be teaching them to be suspicious of domains, names, messages or subject lines that are slightly off or that they do not immediately recognize.

Consider employee training as a checklist, rather a culture — Employee training and awareness are essential to safeguarding your company from malicious cyberattacks. However, training sessions have traditionally consisted of isolated events, such as workshops, seminars, and quizzes, instead of being considered as an ongoing priority. In the long term, training initiatives such as these, will not be enough to defend against the ever-evolving cybersecurity landscape where cybercriminals are constantly figuring out new and more sophisticated ways to launch attacks. Instead, companies must strive to build a culture of security into their workforce that remains at the forefront of all operations. Employees need to be given frequent chances to brush up on their security skills, educated about the latest threats and tactics from bad actors, and provided with the broader perspective of how security aligns to the success of the entire business.

Employee training and awareness are essential to safeguarding your company from malicious cyberattacks. However, training sessions have traditionally consisted of isolated events, such as workshops, seminars, and quizzes, instead of being considered as an ongoing priority. In the long term, training initiatives such as these, will not be enough to defend against the ever-evolving cybersecurity landscape where cybercriminals are constantly figuring out new and more sophisticated ways to launch attacks. Instead, companies must strive to build a culture of security into their workforce that remains at the forefront of all operations. Employees need to be given frequent chances to brush up on their security skills, educated about the latest threats and tactics from bad actors, and provided with the broader perspective of how security aligns to the success of the entire business. Centralized data storage — Organizations open themselves up to a myriad of privacy and security concerns, while storing data in one centralized location. While it may be convenient to leverage cloud-based servers for access to information across various locations, these types of networks significantly increase the risk of exposing large amounts of private data to third party entities. For example, if an attacker is able to surpass those perimeter defenses and gain entry to those servers, all the data in that central hub is compromised. Rather than relying on centralized data storage, such as cloud-based solutions, organizations should take a decentralized data storage approach that protects data assets at the edge rather than in a central fortress. This architecture ensures that organizations have control instead of being subjected to any risks that may come from how a vendor decides to store their data.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

The number of cybersecurity threats have significantly increased since the onset of the COVID-19 pandemic. In fact, during the first four months of the pandemic alone, it was reported that cyberattacks spiked by an estimated 400%.

In many ways the pandemic has simply acted as an aggravator to many pre-existing factors, and security vulnerabilities of an organization. Not only did cybercriminals become more sophisticated and persistent with attacks, businesses were caught unprepared for the sudden massive shift to remote working, causing cybersecurity to get lost in the shuffle of priorities.

While working in a remote setting, employees fall under a greater risk of cyber threats, without perimeter-based security defenders such as company firewalls, secure internet access, and VPNs, for example. The ongoing challenge many remote-operating companies have faced is their ability to ensure their employees can collaborate and work together with ease, without compromising the integrity of data and digital assets.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1) Adopt a Zero Trust approach — Zero Trust is a dynamic and hyper-vigilant security model that employs continuous monitoring and improvement to systems as a proactive defense against cyberthreats. The zero trust approach operates exactly as it’s name entails, assuming that organizations should not automatically trust anything inside or outside its perimeters. Platforms that run on the zero trust framework assume that all data, devices, apps and users both inside or outside of the corporate network are inherently insecure and, therefore, must be authenticated/verified before being granted access. Adopting a Zero Trust approach, entails leveraging stringent protocols and technologies such as multi-factor authentication, end-to-end encryption, identity access management, orchestration, and other comprehensive system permissions and safeguards. Rather than lowering cybersecurity safeguards within an internal network, Zero Trust ensures that anything inside or outside a corporate network (including data, devices, systems and users) is treated with stringent security measures regardless.

2) Provide company policies around tools — Research has continued to reveal that the majority of successful cyberattacks begin with a phishing email, often arising from “open” email systems, such as Gmail, where messages are able to be sent and received from anyone. This type of open email system provides an environment where those who are not trained on how to identify the warning signs of a scam (or people who are trained but are moving too quickly to pay proper attention) become easy targets for bad actors. As email is a ubiquitous practice in daily business operations, it is essential to establish concrete guidelines around which communication tools are appropriate for sensitive conversations. Conversations that include references to company IP, customer data, or other types of sensitive information should be reserved for trusted security channels, and must be kept off platforms that are susceptible to known security and privacy flaws.

3) Invest in cybersecurity training — Enforcing cybersecurity training is a necessary procedure to help spearhead cybersecurity awareness across one’s organization. It is never best to assume that cybersecurity practices are common knowledge to your employees. According to a survey from software company LoopUp, 70% of business professionals said it was normal to discuss company confidential information on calls, despite the fact that many popular solutions don’t offer end-to-end encryption by default. In a fast paced world where immediacy and ease is highly valued, building a true culture of security means taking the time to thoroughly educate employees on the how and why of cybersecurity. Cybersecurity training should include, but not be limited to, educating employees on the weak points of cybersecurity, alerting them to the critical business and legal risks of a breach, providing teams with the right tools for sharing and discussing confidential information, and training everyone in proper protocol to defend against attacks (and recover in the event of a breach).

4) Update your tech stack — Chief security officers and IT leaders must not overlook the significance of reevaluating their tech stack on an ongoing basis. Ensuring that security technology is up to date on correct security protocols and protections is especially important, in our current era of hybrid work, where remote workers (and therefore your company’s digital assets) are more vulnerable to cybercriminals, while operating outside of traditional perimeter-based security protections. Consider shifting all critical communications — where sensitive data and information is shared — to a secure environment that offers end-to-end encryption and is invitation-only.

5) Prepare your teams for the worst — Even organizations that do their due diligence to educate employees and utilize secure platforms and systems can still fall victim to cyber attacks. Therefore, it’s important to understand how the business will react in the event of an incident, and develop a plan for action. When developing these procedures, some key questions to ask yourself can be: how will business continuity be guaranteed if corporate networks or systems are compromised? What are the roles and responsibilities of key stakeholders in a crisis event? How will secure internal communications function? At the end of the day, effective management and response to a crisis is just as critical as proactive measures and can be a key factor in minimizing damage.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

As I talked about earlier, I am concerned about the same three top things as outlined by the World Economic Forum: the climate, the health crisis, cybersecurity, and all the other topics on the list (poverty, inclusion and education).

If I were to start a movement, it would be called: “The things we share”

The tone of public debates, media, and social media has largely turned into a shouting match where we forget to listen to each other and stick only to critique our own set of opinions. It harms personal relations and the immediate reaction of social media allows for too much polarization.

So for the billions of people posting every day on social media, making at least one post that starts with “I share your view on…” or “I like the way you see…” would be the objective of my movement. I hope it would make the world understand that sharing can connect us together, rather than separate us. So, instead of “calling out” without even trying to understand, use the power of positivity and infuse it into the things we share to change the world.

To close the story, I have been so thankful that my career has allowed me to travel, learn, and connect with people from different nationalities, cultures, religions, etc. Looking back at my experience roaming in different countries and my upbringing in Ringsted, I realize that we aren’t that different from one another. I did not grow up with the veil of perfection, anger, and pressure from social media. As a father of two teens, I understand that the influence of this interconnected digital world can be harmful, but it can also be a force for good.

