Studying a subject that hardly anyone has heard of? Alumnus Timm Korte did just that in the winter semester of 2000: as one of the first nine graduates of the ITS program at RUB, he helped shape the dynamic beginnings of this pioneering degree program. In his alumni story, he talks about the turbulent early years of the program, how he found his first job at ITS.Connect, and what happened next. Today, as Cyber Security Officer at ETAS (Bosch Group), he is responsible for the entire security development lifecycle as well as vulnerability, incident, and risk management.
You are one of the first graduates of the ITS degree program. What did your family and friends say when you told them that you were going to study IT Security?
At the beginning, the first question was always: “What exactly do you do?” IT security was simply not a well-known topic back then. But my parents found the course quite interesting, especially when I explained that it also involved a lot of electrical engineering. I’ve been fascinated by computers since elementary school, so the course was a natural choice for me and suited my interests well.
How did you experience the early days of the ITS study program?
The early stages of the program had a strong focus on electrical engineering. In fact, the first two semesters consisted entirely of traditional electrical engineering foundation courses. It was not until the third and fourth semesters that the first safety-specific content was added—including external lectures, which we followed in Bochum via video and audio transmission from Darmstadt.
Shortly thereafter, the first professors who gave actual ITS lectures moved to Bochum. Some lectures also took place during the semester breaks and were credited to us afterwards. In total, I changed my study regulations about seven times during my studies. Due to the many changes and the faculty’s lack of experience with this new degree program, we students had to organize a lot ourselves.
"In the past, IT Security was heavily driven by self-study and student-led interests. Today, Bochum is one of the largest IT Security locations worldwide." Timm Korte
When you compare the degree program from back then with the one today, what do you think has changed the most?
Today, the topic has reached the general public and regularly appears in the news. Back then, the topic was rather ridiculed and sometimes even labeled as “certified hackers.”
My most recent direct impressions of the program date back to around 2008. From what I understand today, the program has become significantly more comprehensive and much broader in terms of subject matter—both in terms of teaching and research. Today, there are international research projects, strong networks, and a completely different academic foundation.
In the past, IT Security was heavily driven by self-study and student-led interests. Today, Bochum is one of the largest IT Security locations worldwide —with start-ups, industry connections, and a mature ecosystem. The degree program and the entire field have simply grown up.
You graduated, meaning you were a “hacker with a degree.” What happened next?
For me, things actually moved forward even before the official completion. At one of the first ITS.Connect trade fairs, I came across a start-up that was specifically looking for graduate students. I applied there and ultimately wrote my thesis there as well.
The thesis resulted in a product that was successfully launched on the market. On this basis, I built up an entire product range and later even my own business division. I worked there for a total of around eight years, managing and developing this business division, which continued to grow even after it was subsequently taken over.
After that, however, I wanted to return to more technical work. I had recently been heavily involved in organization, management, and business planning, and felt the need to get back to IT security itself. That’s why I moved to another Ruhr University Bochum spin-off, where I worked for several years as a security consultant, primarily in the automotive sector.
What do you do for a living these days?
Today, I work as a Cyber Security Officer. In this role, I am the central point of contact for all cyber security issues at an international company (part of the Bosch Group) with around 2,500 employees, including over 1,500 in development. This covers the entire security development lifecycle, as well as vulnerability and incident management, right through to risk management at the business level.
In addition, I manage the entire internal product security organization. This includes security managers who work directly on development projects, as well as higher-level managers responsible for entire product areas. Together, we continuously discuss how we need to further develop our processes—both with regard to current and future customer requirements and regulatory developments.
Another key part of my work is providing internal consulting for our product teams. This involves assessing how much security and what type of security is appropriate and reasonable for a particular product.
My day-to-day work is correspondingly varied: group-wide coordination, regulatory issues, customer communication in the event of security incidents, audit preparation and implementation, and the placement of cybersecurity issues in the organization’s risk management.
What qualities do you need to be successful in the field of IT security?
The most important characteristic is the willingness to constantly familiarize yourself with new topics. Technologies are constantly changing—from IoT Security to Cloud Backends to AI Security. You have to be ready and willing to independently familiarize yourself with these topics to such an extent that you can classify developments and make informed decisions.
A sense of proportion is just as important, especially in industry. There is no such thing as 100% security. The key is to assess what is necessary, sensible, and economically viable.
Another key point is the ability to think like an attacker. If you want to secure systems, you need to understand how they are attacked, what patterns exist, and what trends are currently relevant. In a sense, this makes you what the WAZ newspaper once described as a “certified hacker.”
Last but not least, communication skills are crucial—especially when it comes to management and business. Highly complex technical content must be conveyed in such a way that even non-experts can understand the risks and make informed decisions. Only when risks are explained in an understandable way can they be consciously accepted or mitigated.