How we keep Opera users and products safe: Inside the role of Head of Security
We usually think of security only when something goes wrong – whether it’s a suspicious login we noticed, a strange pop-up we got while browsing, or a headline we read about a data breach.
But behind the scenes at Opera, there’s a constant effort to prevent those moments from happening in the first place. Building products that are secure from the ground up is one of our top priorities, but equally important is how we monitor and respond to any potential threats or incidents. Our security team spends much of its time probing, investigating, and stress-testing features to identify vulnerabilities early and address them before they reach the real world.
Leading this effort is Pawel Kurzelewski – Opera’s Head of Security.
Meet our Head of Security

Pawel works at the intersection of security, testing, and product development to identify risks early and strengthen our defenses at every stage.
We sat down with him to talk more about what his role involves, how security has been evolving in the age of AI, and what it takes to keep millions of users safe while delivering smooth browsing experiences.
Let’s dive into it!
Q: What does the role of Head of Security mean to you?
Someone can say that it’s about managing the security team, reacting to incidents, or helping development teams to build secure products. Of course that’s a big part of it, but in my opinion, it’s more about anticipating incidents. Knowing the current security practices, understanding the business, and having necessary information and good threat intel is a good base to identify problems and take appropriate steps to anticipate them before they happen. So, for me, being Head of Security means to observe, anticipate, and prepare.
Q: What experience and expertise do you bring to your role as Head of Security?
I bring 20+ years of information security experience in senior roles at large, regulated organizations. Mainly within the banking sector, at UBS and the Royal Bank of Scotland – being responsible for risk assessment and data protection. I also worked within the pharmaceutical industry, being responsible for cyber defence at IQVIA (one of the biggest technology and service providers). I’ve been involved in all aspects of Information Security, from risk management and governance, through architecture and engineering, to hands-on incident response. My expertise lies in building and executing security strategies, developing high-performing teams, and solving problems.
Q: What does your typical day working in Security look like?
There is no such thing as a typical day in Security. Being prepared for the unexpected is the new routine. I divide tasks into two categories: strategic improvements and firefighting tasks. It’s critical to dedicate time and effort to both equally and not mix them. Otherwise, firefighting tasks like incident response will always take precedence over strategic improvements like the implementation of a new security tool, which detects and stops incidents before they make any impact. During my day, I try to dedicate my time equally to both categories, which ensures that we are not only firefighting but actually improving Opera’s security posture.
Q: What is the most challenging part of working in security?
I’d say the most challenging part is to keep up with a fast-changing landscape, especially in the AI-powered software development environment. Generative AI already introduced new risks and accelerated software development. But Agentic AI has changed the security perspective completely. Let’s imagine that overnight we have tens of thousands of new employees in the form of AI Agents. These “employees” might have access to data, production systems, code, and infrastructure. At the same time, as new agents, they are naive and may behave irresponsibly.
Meanwhile, new products are being developed at the speed of light. Security must evolve at the pace of business to avoid hindering operations or leaving risks unmanaged. It means leveraging AI Agents to detect anomalies, auto-respond to incidents, and engage in the software development lifecycle through a Security-as-Code approach.
Q: Since you bring up AI Agents, some people are skeptical about how safe they are. How can we use AI Agents safely?
AI Agents are non-deterministic, hence we can’t treat them like systems, but like privileged human users. The only difference is they don’t have human feelings and they act much faster.
When working with AI Agents, developers should follow the least privilege principle. Access should be provided only for the time needed, and to the scope that is strictly required, without the ability for self-escalation. If you introduce AI Agents, always design for compromise by reducing the blast radius, and include human gates for critical decisions like deploying to production, deleting data, or making financial transactions. For AI Agents, similarly to humans, behavioral monitoring and anomaly detection sound like the best control.
Q: In your opinion, what are the next big frontier threats we must prepare for?
Let me mention two. Any moment now, the time from discovering a vulnerability to exploitation will be reduced to almost nothing. This means that the world has to shift from patch management to exposure management, through limiting the exposure, measuring potential impact, detecting anomalies, and deploying automated responses.
The next threat looming on the horizon is quantum computers, which will shatter today’s asymmetric encryption standards (like RSA and ECC), potentially exposing decades of stored data, including bank transactions, crypto wallets, email correspondence, etc. Software developers must ensure it’s easy to replace traditional encryption algorithms with quantum-safe ones and I advise using the hybrid approach today.
Q: What does the regulatory landscape look like in the Security space?
The new EU Cyber Resilience Act (CRA) will be very impactful as it’s expected to completely change the way software products are released to the market. Each piece of software (a product with digital elements) will have to go through mandatory CE marking and conformity declaration (similar to how, for example, toys for children are marked today).
So there you have it! Today we wanted to give you a clearer, more transparent view of how we work to keep both our users and our products safe, every single day. We hope you learned something new and insightful, and if you have any questions you can find a way to contact us here.
As always, stay safe everyone!




