The following is the original English text of the blog post written by Gerald Krummeck, atsec's colleague in Germany:
Retired. Finally.
Over four years later than originally planned—and exactly on my anniversary of 23 years with atsec—I came one last time to our Munich office and turned in my laptop, my phone, and the office keys.
No more projects. No emails to answer. No status calls to attend. No reports to write. Just time for family and friends now.
Except for this last blog entry that Sal asked me to write about the experience of dedicating my professional career to the seemingly boring and dry subject of IT security, and to atsec in particular. And, conversely, how it wound up being anything but boring, and instead was exciting, rewarding, and at times just wild. It is a strange privilege to write your own eulogy. But sitting down to reflect on those 23 years, I found something unexpected: I don’t see this being about myself very much at all.
Nothing I Did Alone
Everything that comes to mind when I look back—every successful evaluation, every standard we helped shape, every customer relationship built on trust—was the result of a team. Not my team, not my achievements. Our work.
My insights came from discussions with atsec colleagues across Munich, Austin, Stockholm, Rome, and Beijing. The quality came from intense exchanges with customers who pushed us to think harder and to take on tasks that nobody else dared and that were even deemed impossible, like our first evaluation of Linux. Our expertise grew because we were a group of people who genuinely loved what we were doing and who didn’t hesitate to tell each other when something wasn’t good enough yet.
That culture—a culture of honest, respectful, technically rigorous collaboration—is the thing I will miss most.
What IT Security Actually Is
When people outside the industry hear “IT security,” they often imagine either impenetrable fortress walls or catastrophic breaches. The reality is more interesting and, I think, more human than that.
What we do at atsec is examine trustworthiness. We look at complex products and systems—operating systems, cryptographic modules, network equipment—and we ask: does this actually do what it claims to do? Is the security documented, implemented, and testable? Can it be verified independently?
Those questions matter. They matter to governments, to companies, to the ordinary person whose data flows through the systems we evaluate. The fact that atsec has been part of shaping the standards that frame those questions, from Common Criteria to FIPS 140-3 to the new EU Common Criteria scheme, is something I carry with genuine pride. Not personal pride. Team pride.
The Thing We Actually Produce: Trust
I just said that what we do is examine trust. Let me stay with that thought for a moment, because I think it matters more now than it ever did during my career.
Our work is not only about technical expertise. It is about the trust that our customers—and their customers—place in the results of our evaluations and assessments. When a company ships a product carrying a certification we helped earn, they are not just selling a technical specification, they are passing along and adding to a piece of trust that runs from people designing, implementing, testing and maintaining the product, through the evaluators in our labs, through the certifiers guarding the scheme and awarding the certificates, to the end user who may never know any of us exist. This constitutes a chain where every link must hold to ensure its contribution to the overall trust in the product under scrutiny remains valid.
This is not abstract. We are living through a period in which global actors—state-level and otherwise—are deliberately working to erode trust in institutions. In standards bodies. In certification schemes. In the very idea that independent verification means something. The goal is to create a world where no one can rely on anything they haven’t personally verified, and where complex decisions become impossible to make with any confidence.
That erosion is dangerous, because trust is not a luxury; trust is the mechanism that allows human beings to function in an environment they cannot fully comprehend. None of us can evaluate every product we use, every system we depend on, every institution whose decisions affect our lives. We delegate that judgment to structures we trust—and we trust those structures because they have earned it, through independence, through integrity, through consistent and verifiable behavior over time.
atsec has spent 26 years earning that trust. Not by being the loudest voice in the room, but by being the one whose work holds up when someone looks closely. Our independence from vendors is not a marketing claim—it is the structural guarantee that our judgment belongs to no one but the standards and the evidence. That is what makes us a meaningful part of the chain. I leave knowing that chain still needs people who take it seriously. I am glad the ones who remain with atsec do.
A Company Like No Other
I won’t pretend that every day was easy or that every project went smoothly. But I will say this: I never once doubted that I was working with people of integrity.
atsec’s philosophy is to act with integrity, focus solely on security assessment and evaluation, and remain completely independent—not affiliated with any hardware or software vendor, never selling anything other than expertise. That’s not just a mission statement: in 23 years, I watched my colleagues live it, day after day.
That independence is rare. It creates a kind of freedom in the work—you give the honest answer, not the convenient one. And it creates a kind of trust with customers that is hard to build and easy to lose. We never lost it.
What I find harder to describe, but equally important, is the culture that grew from that commitment. Nobody planned it. There was no offsite workshop where we decided what kind of company we wanted to be. It simply emerged, because everyone was trying to do the right thing, and doing the right thing turned out to have consequences for how people acted and treated each other.
The most visible one: when a colleague reviews your work at atsec, they hold nothing back. No diplomatic softening, no deference to seniority. If the document isn’t good enough, it isn’t good enough—regardless of whether it was written by a newcomer or by the most senior person in the room. That can feel, from the outside, a little rustic. The feedback is direct. Sometimes blunt. I, myself, have been the victim of it, scratching my ego. But I learned to be truly grateful for it. Because the intensity of the review is itself a form of respect. It says:
“I take your work seriously enough to engage with it fully. I am sharing what I know with you, not protecting you from it.”
The colleague who tears your document apart is also the colleague who will defend it in front of a customer once it is right. That combination—honest internal criticism, shared external commitment—is not something you can install as a policy. It is also almost impossible to formally audit. It has to grow. At atsec, it grew.
What Comes Next—For You, and for Me
I’ll be honest: I envy my colleagues a little.
Not because I want to stay—I don’t, the time is right, and the grandchildren are waiting. But because the field is becoming genuinely exciting again in ways that only come along once or twice in a career. And I won’t be there for it.
AI tools are about to change what is possible in our kind of work in a fundamental way. Today, when we examine evidence—checking consistency, completeness, traceability across hundreds of documents and test results—we work with samples. We pick representative portions and reason from them. We do it carefully and professionally, but we do it knowing there is more we didn’t look at. That constraint is not laziness; it is the simple reality of human bandwidth.
That constraint is lifting. The tools now emerging will allow evaluators to comb through the entirety of the evidence, not only a representative slice of it. To flag inconsistencies across thousands of pages that no human team could have held in working memory simultaneously. To ask questions of a document corpus the way we currently ask questions of a single document. The quality ceiling for evaluation work is about to rise significantly—and the people at atsec who get to explore those tools in the context of real, complex evaluations are in for something remarkable.
But—and this is the part I want to stress because it is so important—the tools are tools. Nothing more.
The trust chain I described earlier does not run through software. It runs through people who have earned credibility over time, through institutions whose independence has been tested and held, through experts whose judgment can be questioned, challenged, and defended in a conversation. AI can help an expert be more thorough. It cannot be the expert. Not because the technology isn’t impressive—it is—but because trust, as a social and institutional mechanism, requires human accountability. Someone must be answerable. Someone must have skin in the game.
For the foreseeable future, that someone is us. The human experts whose names appear on the evaluation reports, whose professional reputations are bound to the conclusions they sign off on. Remove them from the chain and you don’t have a faster process—you have a broken one.
That is why I leave without worry. The work will change. The tools will improve. But the need for people who have earned the right to be trusted—that need is not going away. If anything, in a world where AI-generated content is everywhere and institutional trust is under pressure, it is growing.
There is one more consequence of this shift that I think deserves to be named—because it points toward something bigger than better tooling.
If AI tools allow evaluation labs to comb through evidence more thoroughly, they also allow manufacturers to do exactly the same thing. A vendor who uses these tools systematically throughout development can continuously verify the consistency and completeness of their own security documentation—before the evaluator ever sees it. The boundary between development and evaluation begins to blur.
This means the role of the evaluation lab will shift. We will spend less time re-running checks that the manufacturer has already run, and more time asking a different set of questions: How sensibly were the tools applied? How complete and consistent is their usage across the development process? How robust are the internal processes that govern that usage? And critically: how well is all of this documented, so that the decisions made on the basis of AI output can themselves be examined and trusted?
In other words: the evaluator becomes, in part, an auditor of a process rather than solely a tester of an artifact. The expertise required does not diminish—it changes shape. And the independence and integrity that underpin the trust chain remain just as essential as before, perhaps more so, because the processes being audited will be less visible and harder to challenge than a test result on a page.
In one of my last projects, I had the pleasure of working with colleagues from BSI on their scheme for Germany’s national approval of IT products handling classified information. They saw this upcoming shift already some years ago and came up with a framework that implements those new requirements quite successfully. Therefore, I think it deserves wider international recognition and adoption. Just sayin’ …
As for me: I will enjoy travelling, hiking, and biking with my beloved wife. I will spend time with my grandchildren on silly things that will drive their parents mad, and meet old friends. I will cook, I will read the books that piled up over the years while enjoying a glass of good wine. And I will occasionally, I hope, visit my dear atsec colleagues in their office when I’m strolling through Munich.
Everything will be good. Really good. For all of us. Thank you so much for the incredible time I had with all of you!
-Gerald