We continue our conversation with Ricardo. We threw him a question that was the source of interesting debates at Fluid Attacks some time ago.
Should a company invest in security awareness training?
"You have two options: hiring people with the skills you need or supporting people to acquire those skills. People skilled enough in cybersecurity are scarce today. My stand here is that companies should invest in this; people should have a baseline knowledge of digital risks and cybersecurity. Educators should seek to create learning experiences. In my case, I feel like playing when I set myself to learn something new, and I think that has been crucial for advancing in my career. Instead of lectures (or only that), I think it’s better to create simulations where employees face what could be a real threat, like a phishing scam over email, telephone, or SMS. One of the strategies I think is the most effective is to make training interactive. For example, by having people solve challenges, making the training process look like a game."
Fluid Attacks keeps learning through challenges, as Ricardo mentioned, starting at the hiring process. Take a look at our products, like asserts and Criteria.
In cybersecurity strategy, what should organizations start and what should they stop doing?
"Companies should migrate to the cloud if they haven’t done so yet. You still get to know some companies that remain reluctant to make that decision, arguing cybersecurity and information risks. But the reality is that public cloud providers have better practices compared to the typical organization. I would expect that debate to end soon.
Second, people should start learning to code. Everything is shifting towards coding. We have software-defined networks, infrastructure as code (IaC) and many other instances where using code makes everything so much more powerful and flexible. You can see how this is gaining traction in DevOps roles in which a single person performs a combination of software development and infrastructure operations. I recommend starting with the Python programming language."
I'm pleased Ricardo made that suggestion, because cybersecurity will continue to be increasingly relevant in the global economy and coding is crucial. Everyone should learn to code. For instance, we have seen invitations to learn to program in medicine. Likewise, the recognized statistician Nate Silver said journalists should learn to code.
Now, concerning cybersecurity operations, what should companies start and stop doing?
"Often, people in cybersecurity are seen as the bad guys, as those who will disturb your peace by pointing out errors and requesting fixes. We have frictions because security is seen as a separate entity trying to show what is not OK. Cybersecurity professionals should be those guiding businesses in how to do stuff in a secure way instead of being perceived as those saying ‘it can’t be done that way’.
DevOps teams solve some issues IT siloed teams usually have. What if DevOps teams go further by including security capabilities (DevSecOps)? One way to achieve that is to have security people working together with DevOps engineers. DevOps teams usually have some professionals more skilled in coding; others more experienced in infrastructure administration. Security could be another ingredient to provide solutions within DevOps teams. Old-fashioned developers usually think they finish their job when an application is functionally running. However, from a business perspective, that’s not true if other aspects are still missing, like quality and security. Organizations should start reconfiguring their IT teams to create business resources covering everything in synergy: functionality, quality, and security."
What are cybersecurity providers doing well? What is not so great?
"I can only say Fluid Attacks is doing great stuff, by reinventing themselves. They started talking about IaC around four years ago, mentioning the importance of organizations shifting towards it. Benefits are so clear that it’s unthinkable for me to take a different path. Here in Australia IaC is non-negotiable; it brings speed to service delivery, to development, to infrastructure deployment. Fluid Attacks is helping companies to automate the detection of weaknesses, working together with development, IT, and DevOps teams to infuse security the way I mentioned before. If a cybersecurity firm is not into IaC, they will soon lose the interesting customers."
Indeed, Fluid Attacks has a DevOps approach. Want to know more? Visit our Continuous Hacking service page.
Why do you think companies that know their weaknesses do not fix them, or do so too late?
"I'm pessimistic. Companies fix their weaknesses because they have to comply with some regulations. Most people don’t care that their software is unsafe. Those responsible for coding blame other people or wash their hands, knowing future issues will be fixed by a different developer down the line.
When accountability disappears, businesses sooner or later are forced to face setbacks. New costs might appear from detecting issues late, and hence other troubles might demand valuable business resources. Another reason for that inaction is that we tend to be very optimistic, for example, saying 'that happens in other companies, not here'."
A CISO told us something very similar. Want to read about it? Click here.
What do you think are relevant misconceptions in cybersecurity?
"A big misconception is that companies should protect themselves primarily from individuals targeting their business: “the attacker”, “the hacker”, “the terrorist”, etc. A really significant threat is malware, which works automatically, not necessarily targeted at specific firms or people. It is more an entity trying to enter any small digital breach. You don’t need declared enemies to protect your information and digital assets. It is worrying that there is no concrete solution to malware and ransomware yet. The hope for some people is potential ML-based solutions like those tested at CERN by our friend Andrés.
Another misconception is the notion people have about our field. Cybersecurity is not about detecting weaknesses. It is the opposite: to build robust systems, less likely to have flaws."
Security is a behavioral problem; you and I know that. What do you think is the most critical challenge in cybersecurity from a behavioral perspective, and why?
"I would say lack of curiosity or 'critical thinking'. I find this a good countermeasure for simple mistakes we make that can have a huge impact, like getting caught by a phishing attack. There are other behaviors you and I have discussed, like not fixing weaknesses, deploying unhardened servers, or programming without security practices.
It is hard for me to identify a broad reason why people behave as they do. But allow me to suggest this: a good way to move groups of people towards better digital behavior is by making security more salient, by redefining security metrics. That’s like changing the incentives. Some security elements are not that visible, and security teams don’t enjoy a good reputation. So, making security more salient, and signaling some rewards for working towards well-thought security standards, might be a trick to drive desirable behaviors."
We hope you liked this interview with Ricardo. We would be pleased to hear from you on these topics. Drop us an email at [email protected] and engage with us!
To Ricardo, our gratitude!