By Julian Arango | August 16, 2019
We continue our conversation with Ricardo. We threw him a question that was the source of interesting debates at Fluid Attacks some time ago.
Should a company invest in security awareness training?
"You have two options: hiring people with the skills you need or supporting people to acquire those skills. People skilled enough in cybersecurity are scarce today. My stand here is that companies should invest in this; people should have a baseline knowledge of digital risks and cybersecurity. Educators should seek to create learning experiences. In my case, I feel like playing when I set myself to learn something new, and I think that has been crucial for advancing in my career. Instead of lectures (or only that), I think it’s better to create simulations where employees face what could be a real threat, like a phishing scam over email, telephone, or SMS. One of the strategies I think is the most effective is to make training interactive. For example, by putting people to solve challenges, making the training process look like a game."
In cybersecurity strategy, what should organizations start and what should they stop doing?
"Companies should migrate to the cloud if they haven’t done so yet. You still get to know some companies that remain reluctant to make that decision, arguing cybersecurity and information risks. But the reality is that public cloud providers have better practices compared to the typical organization. I would expect that debate to end soon.
Second, people should start learning to code. Everything is shifting towards coding. We have software-defined networks, infrastructure as code (IaC) and many other instances where using code makes everything so much more powerful and flexible. You can see how this is gaining traction in
in which a single person performs a combination of software development and infrastructure operations. I recommend starting with the Python programming language."
I’m pleased Ricardo pointed to the suggestion because cybersecurity will continue to be increasingly relevant in the global economy and coding is crucial. Everyone should learn to code. For instance, we have seen invitations to learn to program in medicine. Likewise, the recognized statistician Nate Silver said journalists should learn to code.
Now, concerning cybersecurity operations, what should companies start and stop doing?
"Often, people in cybersecurity are seen as the bad guys, as those who will disturb your peace by requesting fixes and pointing out errors. We have frictions because security is seen as a separate entity trying to show what is not OK. Cybersecurity professionals should be those guiding businesses in how to do stuff in a secure way instead of being perceived as those saying ‘it can’t be done that way’.
DevOps teams solve some issues siloed IT teams usually have. DevOps teams go further by including security capabilities? One way to achieve that is to have security people working together with
DevOps teams usually have some professionals more skilled in coding; others more experienced in infrastructure administration. Security could be another ingredient to provide solutions within
Old-fashioned developers usually think they finish their job when an application is functionally running. However, from a business perspective, that’s not true if other aspects are still missing, like quality and security. Organizations should start reconfiguring their
to create business resources covering everything in synergy: functionality, quality, and security."
What are cybersecurity providers doing well? What is not so great?
"I can only say Fluid Attacks is doing great stuff, by reinventing themselves. They started talking about IaC around four years ago, mentioning the importance of organizations shifting towards it. The benefits are so clear that it’s unthinkable for me to take a different path. Here in Australia IaC is non-negotiable; it brings speed to service delivery, to development, to infrastructure deployment. Fluid Attacks is helping companies to automate the detection of weaknesses, working together with development and DevOps teams to infuse security the way I mentioned before. If a cybersecurity firm is not into
they will soon lose the interesting customers."
Why do you think companies that know their weaknesses do not fix them, or do so too late?
"I’m pessimistic. Companies fix their weaknesses because they have to comply with some regulations. Most people don’t care that their software is unsafe. Those responsible for coding blame other people or wash their hands, knowing future issues will be fixed by a different developer down the line.
When accountability disappears, businesses sooner or later are forced to face setbacks. New costs might appear by detecting issues late, and hence other troubles might demand valuable business resources. Another reason for that inaction is that we tend to be very optimistic, for example, saying ‘that happens in other companies, not here’."
A CISO told us something very similar. Want to read about it? Click here
What do you think are relevant misconceptions in cybersecurity?
"A big misconception is that companies should protect themselves primarily from individuals targeting their business: “the attacker”, “the hacker”, “the terrorist”, etc. A really significant threat is malware, which works automatically, not necessarily targeted at specific firms or people. It is more an entity trying to enter any small digital breach. You don’t need declared enemies to protect your information and digital assets. It is worrying that there is no concrete solution to malware and ransomware yet. The hope for some people is potential
like those tested at CERN by our friend Andrés.
Another misconception is the notion people have about our field. Cybersecurity is not about detecting weaknesses. It is the opposite: to build robust systems, less likely to have flaws."
Security is a behavioral problem; you and I know that. What do you think is the most critical challenge in cybersecurity from a behavioral perspective, and why?
"I would say lack of curiosity or ‘critical thinking’. I find this a good countermeasure for simple mistakes we make that can have a huge impact, like getting caught by a phishing attack. There are other behaviors you and I have discussed, like not fixing weaknesses, deploying unhardened servers or programming without security practices.
It’s hard for me to identify a broad reason why people behave as they do. But allow me to suggest this: a good way to move groups of people towards better digital behavior is by making security more salient, by redefining security metrics. That’s like changing the incentives. Some security elements are not that visible, and security teams don’t enjoy a good reputation. So, making security more salient, and signaling some rewards for working towards well-thought-out security standards, might be a trick to drive desirable behaviors."
We hope you liked this interview with Ricardo. We would be pleased to hear from you on these topics. Drop us a mail to [email protected] and engage with us!
To Ricardo, our gratitude!
Corporate member of The OWASP Foundation