Security is not just about technology - it's about people, responsibility and a willingness to think deeply
"Security is not a state, it's a skill you have to train."
Radka Grace for fi.muni.cz
One school assignment turned into a life journey. In a few years, Tomas Hajek has worked his way up from a Cyber Competition finalist to a member of a government security team. His story shows that cybersecurity is not just about technology, but about the courage to try new things.
Tomas, can you introduce yourself and tell us about your career path? What keeps you charged up when you're not sitting in front of a monitor?
I'm currently studying for a Master's degree in Cyber Security Management. I got into cybersecurity during my high school studies when I became a finalist through a Cyber Contest that started as a school assignment. Since then, I have been devoting myself to it full time. Thanks to the competition, I got into the Faculty of Computer Science at MU, majoring in Cybersecurity.
Although I study IT, I prefer to spend my free time actively, in nature and away from computers. I enjoy hiking, cycling or bouldering. It's a necessary contrast to the digital world for me.
In cybersecurity, you're most interested in penetration testing. What is it about "testing what a system can withstand" that fascinates you?
I've always enjoyed trying to crack systems the most. It was satisfying when I was able to get somewhere or solve a problem. Of course, these were always test problems, not real systems. I've also tried it at home, for example to secure my own Wi-Fi. It's the playfulness and the need to outsmart the system that keeps me at it.
How would you define ethical hacking? Is it the same as penetration testing?
You could say that penetration testing is a key part of ethical hacking. The point is to find vulnerabilities in systems and their settings before the real attacker discovers them. We use the same techniques and tools as the "bad guys" to do this, but our goal is to fix vulnerabilities, not exploit them.
An example of this is when I developed my own malware for study purposes to understand in detail how it works and how to effectively defend against it.
You are currently heavily involved in the INJECT project. What is your role there and how does it connect with your studies?
INJECT is a project that focuses on cybersecurity education through simulations in the digital web-based INJECT Exercise Platform (IXP). While it is largely a non-technical discipline, my role is to design and create exercises that have technical elements. This is a great opportunity for me to influence the project from the very beginning.
Plus, it was a natural fit with my academic career - I covered the topic of these exercises in my undergraduate thesis, Development of Tabletop Cybersecurity Exercises, which focused on the design and use of digital tabletop exercises in cybersecurity. I am now building my master's thesis on this topic.
Who are these exercises for, and where is INJECT used?
One of the main partners and sponsors is the National Office for Cyber and Information Security (NCIS). The main focus of the exercise is incident handling, i.e. handling cyber incidents, which trains future security teams.
INJECT's partners include the Treasury Shared Services Centre, there are discussions with the Ministry of Defence, and the project is also being delivered abroad, for example to our partner university TalTech in Estonia; there is also interest in Portugal and Canada.
How does such an exercise work in practice? What should we picture?
Participants receive information, which we call "injects". These represent the task or instructions they have to perform in the platform. This could be simulating an attack on ship navigation systems or dealing with a personal data leak.
Based on the action performed, participants receive feedback on whether they did it right. In this way, they sail through the story and the scenario. Occasionally, deliverables such as writing recommendations for management or users are also required.
Most often, a personal data leak is simulated and the participants have to coordinate a solution. It is a kind of "simulator" for crises.
In this context, there is talk of so-called tabletop exercises. Why should they be of interest to the average person who is not an IT expert?
Because every system - technical and human - will sooner or later encounter a crisis. Tabletop exercises are designed to prepare people to deal with a crisis, whether it is cyber or a natural disaster.
Most crises have the same recurring factors and patterns. The benefit is that the person goes through a similar situation "for real" and then has a higher probability that in a real crisis moment they will know what to do.
Security is not a state, it is a skill that you have to practice.
Do other students in the faculty get to see these simulations?
Yes. For example, in the PV210 course, students have the opportunity to earn a colloquium credit just for completing the three INJECT exercises. We try different approaches - sometimes we give students more freedom, sometimes we put them under time pressure.
The goal is for them to experience different types of crisis situations and learn how to respond. The exercise is always followed by discussion and reflection.
In addition to INJECT, you also work at NUCIB. What exactly are you responsible for there?
I work in the government CERT (government security team). Specifically, I am in the penetration testing department and I investigate vulnerabilities in systems. A vulnerability is an unplanned flaw in software that can be exploited to take control of a system.
The National Cyber and Information Security Bureau (NCIS) has about 500 employees and handles technical security, but they also handle law, regulation, and have an exercise department that we work with on INJECT.
You also trained students at your former high school as part of the Cyber Security Seminars project with Google. How did the generation that basically grew up with a mobile phone in their hands react to that?
I did a training for my former high school. I wanted to show the students more than just theory. I prepared a simplified version of an exercise from INJECT where they dealt with a phishing attack in which login credentials were leaked and the attacker got into the system.
It was interesting to see their reactions. They hadn't encountered anything like this before, but they were actively engaged and thinking. The aim was also to motivate them to study.
How do you see attacks evolving in the context of artificial intelligence (AI)? Is it the biggest threat today?
AI plays a big role on both sides. It has made attacks much more sophisticated - for example, phishing emails are no longer full of grammatical errors and AI can faithfully mimic a voice on a phone (deepfake).
As part of a project, I tried to create malware using AI. While ChatGPT has strong ethical safeguards, models like DeepSeek are much more "open" and I was able to create a working virus using them in a closed virtual environment.
On the other hand, AI helps us defenders to analyze suspicious behavior on the network in a flash, for example.
But despite all the cutting-edge technology, they say the weakest link is always between the chair and the keyboard. Do you agree?
Absolutely. Humans are and always will be the weakest link. Attackers know that. Even the most secure system will fail if a user clicks on a fraudulent link in a hurry.
Two factors play a role: inattention and learned mechanisms. People want to get their work done quickly, so they automatically confirm dialog boxes without reading them.
That's why at INJECT we also simulate fraudulent AI calls to cultivate a healthy vigilance in people, called security awareness.
Do you have any specific recommendations for ordinary users, for example about passwords?
It's an unsolvable problem, mainly because of limited human memory. My advice is to use passphrases. Instead of nonsensical combinations of characters, choose a simple but long sentence that you remember well.
Length is more important in security than complexity. And where you can, turn on two-factor authentication.
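An added illustration of the "length over complexity" point, not part of the interview: the script below estimates how many bits of entropy different password shapes carry and how long an exhaustive search would take at an assumed, constructed guess rate. The alphabet sizes, the 7776-word list size and the guess rate are assumptions chosen for the comparison.

```python
import math

# Constructed assumption: an offline cracking rig trying 10 billion guesses/s.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose `length` symbols are each drawn uniformly
    at random from an alphabet of `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of the given entropy at `rate`."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


# Constructed comparison cases. Alphabet sizes: 94 printable ASCII symbols
# for a "complex" password, 27 for lowercase letters plus space, and a
# 7776-entry word list for a sentence built from randomly chosen words.
# A sentence you actually remember is not uniformly random, so the word-list
# case is the honest estimate for a phrase made of common words.
CASES = {
    "8 chars, full printable ASCII": (94, 8),
    "25 chars, lowercase + space": (27, 25),
    "6 random words from 7776-word list": (7776, 6),
}


def compare(cases: dict[str, tuple[int, int]]) -> dict[str, tuple[float, float]]:
    """Return {label: (entropy_bits, years_to_exhaust)} for each case."""
    return {label: (entropy_bits(a, n), years_to_exhaust(entropy_bits(a, n)))
            for label, (a, n) in cases.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare(CASES).items():
        print(f"{label:36s} {bits:6.1f} bits  ~{years:.2e} years")
```

Under these assumptions the 8-character "complex" password falls in days, while the six-word phrase, despite using only common words, is out of reach by several orders of magnitude.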
You mentioned you like to leave your comfort zone. What has studying and working in this field given you in your life outside of IT?
I think the most important thing for me is to not be afraid to try new things and to do things that are challenging, like speaking in front of people. Every time I do it, I feel better about myself and I know I can do better next time.
Moreover, studying at FI MU taught me a healthy humility: when things go wrong, the world doesn't collapse. The important thing is to learn from it and try to do better next time.
What are your plans after your studies?
For now, I want to stay at NUCIB and deepen my knowledge in penetration testing. In the future, I am tempted by the idea of owning my own company in the industry, or working in the security team of a large corporation.
I am not worried about employment - with new legislation and growing threats, the need for people in cybersecurity will only increase.
What message would you give to students considering cyber security?
Cybersecurity is great in that it requires a broad outlook. It's not just about programming. You also need to have an overview of sociology, psychology and law. And most importantly, don't be afraid to give it a try.
It's a field where you learn every day - even when you go to sleep, the world of cybersecurity never stops.
Thank you for the interview and we wish you the best of luck in conquering more digital and rock peaks!