Interview With Niels Hofmans - Founder of ironPeak

Published on: September 24, 2024
By Shauli Zacks

Niels Hofmans is the founder of ironPeak, a Belgium-based cybersecurity firm. With over 9 years of experience in the field, including 7 years as a freelancer, Niels established ironPeak to address the growing demand for high-quality cybersecurity services in the Belgian market. His passion for learning and taking on diverse challenges has shaped the company’s mission to offer exceptional services across the cybersecurity spectrum.

In this SafetyDetectives interview, Niels outlined the company’s core focus on delivering no-nonsense quality through services such as mobile penetration testing, red teaming, and managed detection & response. He also highlighted the importance of embedding cybersecurity practices into the very fabric of an organization, stressing that security is an ongoing process rather than a one-time investment.

Can you introduce yourself and talk about what led you to founding ironPeak?

Hello there! My name is Niels Hofmans and I’m a cybersecurity expert living in Belgium. I’ve been in the cybersecurity field for over 9 years now, of which I’ve worked as a freelancer for over 7 years.

One of my main occupations is leading my firm ironPeak. The reason why I founded ironPeak originally was that I saw a huge demand in cybersecurity work, but little to no qualitative workers being present on the Belgian market.

Next to that, I realized for myself that I wanted to have an enormous mix of work; I wanted to try 1000 things and learn about all other things. This just wasn’t possible, challenging and diverse enough as a regular full-time employee.

Since then, I’ve had several like-minded people join me in the quest to offer qualitative cybersecurity services to customers in need. It’s a nice counter to the overflow of purely profit-based consultants on the market.

We are different and rather take it slow, which makes a huge difference in the services to our customers. Only if they’re happy, we are.

Can you describe ironPeak’s core mission and the main services it offers?

Our goal is providing no-nonsense quality across the cybersecurity spectrum. This means from governance (NIS2, ISO 27001, maturity assessments) to very deep technical work.

Examples are:

  • Mobile penetration testing
  • Red teaming
  • Security development work
  • Attack surface assessments
  • CISO-as-a-Service
  • Managed Detection & Response
  • and more

You’d think this is way too much to offer, but it actually is what I thrive upon. I get bored easily.

What are the emerging threats you see in the cybersecurity landscape, and how is ironPeak preparing for them?

One that we can’t ignore is the optimization of exploitation of already-known attacks, such as phishing. Everyone knows phishing is still a threat and passwords are horrendous, but it’s still compromising companies via BEC in 2024.

We see a much larger scale of attacks on that front targeting SMEs and Enterprises, but it’s also much easier for attackers to execute this at scale via Gen. AI and token stealing proxies.

On the other hand, the complexity of current Tactics, Techniques and Procedures (TTPs) is obviously increasing because threat actors are actually getting better at what they do. Next to that, 0day exploit markets are thriving because they’re an effective way to establish a foothold on e.g. edge devices. And not only on the technical front: we also see mass misinformation campaigns via e.g. “Doppelganger” news websites to influence public opinion. Those all make you realize that we’re on a very different threat front compared to 10 years ago. We could talk for hours about this.

What are some common security vulnerabilities you encounter when conducting system security assessments?

Interestingly enough, the most prevalent cybersecurity issues are still misconfigurations. When you aren’t a cybersecurity expert, it’s still difficult to figure out what a ‘secure’ configuration of your cloud tool is, due to the shared responsibility model.

And that’s on the industry. Think about it, Microsoft is only enforcing MFA for administrative Azure access in 2024. MFA should have been enforced years ago, and passwords abolished by now.

How can we expect companies without security teams to know what’s best if we can’t even sufficiently guide them to the right principles? We shouldn’t even be talking about MFA anymore, but passkeys. But yet here we still are.

With cloud infrastructure becoming critical for many companies, what steps should businesses take to secure their cloud environments?

Understand that you can’t lift & shift to the cloud. While it -can- be better and easier on the cloud, it also means you need to fully understand & adopt the cloud-native practices, e.g. cloud architecture and governance.

Dare to consume the already existing vendor tools that tell you what might be risky. A very important control which should be at your center is IAM. How are you going to manage cloud identities?

Try to only use specific roles per workload, disable default service credentials and cut short on long-lived access keys. The rest should be interactive logons which should flow through your usual SSO security controls and where you form identity risk calculations.

Once that’s done, define blueprints. What should a best-practice workload look like? Okay, and how are you going to keep live workloads according to this blueprint? Enforce on deployment level? Or maybe send alerts if you see deviations? (e.g. public S3 buckets)

If you have that set up, it’s already a great start. Now start widening the scope and looking at maturity frameworks such as CIS for your cloud provider.
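The identity and blueprint checks described in this answer, as an added example that is not part of the interview and not ironPeak’s own tooling: a Python script that evaluates a constructed cloud inventory against a small blueprint (a dedicated role per workload, no active access keys older than a fixed age, no publicly readable buckets) and emits the deviations as findings. The inventory shape, the 90-day key-age limit, the fixed evaluation date and the key ids are all assumptions made for the example.

```python
"""Blueprint-deviation check over a constructed cloud inventory (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory, loosely shaped like a CSPM export. Not real account data;
# key ids and account number are placeholders.
INVENTORY_JSON = """
{
  "buckets": [
    {"name": "app-assets", "block_public_access": true,
     "policy": {"Statement": [{"Effect": "Allow",
       "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"}, "Action": "s3:GetObject"}]}},
    {"name": "marketing-dump", "block_public_access": false,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}}
  ],
  "access_keys": [
    {"user": "ci-deployer", "key_id": "AKIAEXAMPLE00000001", "created": "2024-09-01T00:00:00Z", "status": "Active"},
    {"user": "old-admin",   "key_id": "AKIAEXAMPLE00000002", "created": "2022-03-15T00:00:00Z", "status": "Active"},
    {"user": "old-admin",   "key_id": "AKIAEXAMPLE00000003", "created": "2021-01-01T00:00:00Z", "status": "Inactive"}
  ],
  "workloads": [
    {"name": "api",    "role": "api-runtime-role"},
    {"name": "worker", "role": null}
  ]
}
"""

MAX_KEY_AGE_DAYS = 90  # blueprint choice assumed for this example
NOW = datetime(2024, 9, 24, tzinfo=timezone.utc)  # fixed so results are reproducible


def load_inventory(raw: str = INVENTORY_JSON) -> dict:
    return json.loads(raw)


def _principal_is_anyone(principal) -> bool:
    """True for the wildcard principal forms that grant access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def is_public_bucket(bucket: dict) -> bool:
    """A bucket is public if no public-access block is set and its policy allows '*'."""
    if bucket.get("block_public_access"):
        return False  # the block overrides any policy grant
    for stmt in bucket.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")):
            return True
    return False


def stale_keys(keys, now=NOW, max_age_days=MAX_KEY_AGE_DAYS) -> list:
    """Active access keys older than the blueprint limit; inactive keys are ignored."""
    limit = timedelta(days=max_age_days)
    out = []
    for k in keys:
        if k["status"] != "Active":
            continue
        created = datetime.fromisoformat(k["created"].replace("Z", "+00:00"))
        if now - created > limit:
            out.append(k)
    return out


def evaluate(inventory: dict, now=NOW) -> list:
    """Run every blueprint rule and return one finding dict per deviation."""
    findings = []
    for b in inventory["buckets"]:
        if is_public_bucket(b):
            findings.append({"rule": "public-bucket", "resource": b["name"]})
    for k in stale_keys(inventory["access_keys"], now):
        findings.append({"rule": "long-lived-key", "resource": f'{k["user"]}/{k["key_id"]}'})
    for w in inventory["workloads"]:
        if not w.get("role"):  # workload running without a dedicated role
            findings.append({"rule": "dedicated-role", "resource": w["name"]})
    return findings


if __name__ == "__main__":
    for f in evaluate(load_inventory()):
        print(f"[{f['rule']}] {f['resource']}")
```

Run as-is it reports three deviations from the constructed inventory: the `marketing-dump` bucket readable by anyone, the two-year-old active key on `old-admin`, and the `worker` workload with no dedicated role. In a real environment the inventory would come from the provider’s inventory or describe APIs and the findings would feed the alerting the answer mentions; the rule logic itself stays the same.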

What are the biggest misconceptions clients often have about cybersecurity, and how does ironPeak address them?

Security is not a one-off thing you just do every year. It is a quality process which should be embedded in your company blood, under resiliency as a whole.

It’d be much easier to just throw money at it once a year and forget about it, but sadly that’s not how it works. You really have to appoint a responsible person and ask yourself “how secure are we?”.

If you don’t know, you know you need to work on your risk assessment. Once that’s done, look at your risk appetite. How much security do your crown jewels need and are you willing to accept?

Once that’s all done, you have a security roadmap to follow and to report to management along with budget and risk. Hooray, your first ISMS!

It’s not easy, but taking that first step of appointing a responsible person is already -so- important because that person will evidently ask the right and scary questions; how secure do I want to be?

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools. When he's not researching and writing, Shauli enjoys spending time with his wife and five kids, playing basketball, and watching funny movies.