DefCamp #11: Daria-Romana Pop on “The human element goes beyond cybersecurity.”

We jumped straight in on this interview with Daria-Romana Pop, Lab Validation Assistant and Administration Affairs Volunteer with the US Cyber Security Forum Initiative.

In a single line, Daria-Romana captures one of the hottest topics in information security. What’s more, this entire interview is packed with wisdom nuggets that can trigger your next a-ha! moment or lead you down a rabbit hole of professional and personal growth.

“The human element goes beyond cybersecurity.”

Before we dive in, you should know Daria-Romana offers expertise and insights straight from one of the most interesting organizations in the cybersecurity field: the Cyber Security Forum Initiative. This US non-profit works to “provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners.”

[Quick walk down memory lane: we’ve had guests from CSFI before at DefCamp, with Founder/President/Director Paul de Souza speaking at the conference back in 2014!] 

This means our guest today is plugged into pivotal cybersecurity decisions and actions in and around both public and private organizations and the many influencing factors that govern their m.o.

So let’s get back to that remark about the human factor. In cybersecurity, we often turn to it, but today we want to lead the conversation away from stereotypes (“the weakest link”) and move it towards realities that make a difference. 

Here’s the role that humans play nowadays in infosec, whether they’re defenders (in the making), attackers, or victims. 

“I think it is important to highlight that technological development is based on people creating different experiences to improve results. Among the three layers – people, process, and technology – the most visible impact is made by people, who further apply their vision and skills on technology and processes. We have seen an increase in the number of social engineering attacks, which could be eliminated through a more vigilant and better-prepared workforce. 

Moreover, prevention is also dependent on how we picture the adversary to understand its motivation and predict its next move. It is not the technology attacking us. It is the human mind using technology to orchestrate attacks against us. At the same time, cyberattacks are not targeting only the infrastructure; they target and manipulate the people controlling it. 

The industry needs to make future cyber professionals aware of the capabilities they possess and that they are the ones controlling the technology, not the other way around. The technological advancement, the cyber tools at our disposal, and the human mind are complementary and should not exclude each other.”

When you try to separate the tech layer from the human layer, it becomes clear that what the human mind devised also requires the ingenuity and unique human insight to counteract or solve.

For example, here’s one of the biggest security challenges that Daria-Romana is actively tackling and which is difficult because it’s rooted in the intricacies of human behavior and societal dynamics.

“One of the challenges that the cyber domain is facing is cyber attribution.

There are no simple technical processes that can help identify malicious actors and the tools and techniques they use to conduct cyber operations. The cost of entry for offensive operations continues to go down as cybercriminals share and steal tools, making it difficult to track their origin.

That is why cyber threat intelligence is imperative to construct accurate feeds and share them within the cyber community. Rigorous analysis of such feeds can provide a high level of confidence and further contribute to cyber defenses. Intelligence and forensics should go hand in hand and address both the indicators of compromise situated at all levels in the pyramid of pain and socio-political indicators to understand the context and reveal specific attack patterns.”

That is why spending time on creative work in cybersecurity is so important!

To devise adequate countermeasures and proactively set up security controls that anticipate future attack patterns takes a lot more energy and resources than you may realize.

At the same time, it’s the kind of work that stimulates your every ability and ounce of knowledge, expanding your positive impact on the industry and society at large.

The good part is that tech advancements are making it possible to automate more manual labour than ever, so cybersecurity specialists can carve out more time for that creative work that makes all the difference.

“While it is nearly impossible to eliminate persistent cyber threats, creating and implementing defensive strategies to detect and mitigate them is the main objective of cybersecurity professionals.

Artificial intelligence, although not fully implemented at this point, is playing a significant role in cybersecurity, with its capability to analyze large amounts of data, examine code, block attacks, monitor network activity, and limit the risks posed by human error, and the response time. Leveraging AI will also help organizations make improvements in cybersecurity at a larger scale and alternate them depending on the context.

As I previously mentioned, the human factor should still prevail, but the AI comes as an extra sense to help us make more accurate decisions and improve cyber resilience.”

Daria-Romana has a background of high-level studies in diplomacy and international relations but it was cybersecurity that she found the most interesting space where she can apply her expertise.

Naturally, throughout her evolution, she gathered valuable lessons about which skills to develop and what kind of mindset will help you advance in this field – and enjoy your path as you grow.

You’ll want to take notes.

“Cybersecurity is a very complex field and consists of several sub-fields, each requiring specific skills and knowledge.

One crucial aspect to keep in mind for people who want to excel in cybersecurity is having a solid foundation of cybersecurity principles to operate in real-world scenarios. Choosing a specific area of interest and mastering it would be an excellent option to grow and be confident in this field. This can be achieved by researching, finding a good mentor, and knowing your skills and what you can bring to the table.

Also, cybersecurity is built on strategic, operational, and tactical realms. This requires combining the knowledge gained through degrees and certifications with hands-on experience to master all these approaches.

Ultimately, patience is vital whether you are learning or practicing cybersecurity. Nobody will see results overnight; therefore, dedication, motivation, and commitment are key factors to become successful in this field.”

Patience – a valuable ability to cultivate, although this year’s been especially trying in this area of our lives.

However challenging the context, it’s also important to see the progress we’ve made, as an industry and especially in terms of cybersecurity awareness.

“2020 has undoubtedly brought more awareness to companies and the cybersecurity arena in general. Business owners and managers need to understand that every existent vulnerability will cause immense losses for them and huge advantages for the attackers from now on.”

Forget about end-of-the-year prediction articles. These insights from Daria-Romana come from her keeping one finger on the pulse of one of the focal points in cybersecurity at a global level.

“Cybersecurity will be among the top priorities for businesses in every sector, which means that they will likely invest more in cybersecurity infrastructure, equipment, and training to gain an advantage over the adversary and ensure protection.”

So what can you do to contribute?

Learn. Practice. Repeat.

But don’t just do it in your corner of the internet. Your voice matters – to the companies you work in/for, to the people in your close circle who don’t know what you know, to the institutions who regulate the internet, technology, and the fast-moving dynamic that binds it all together.

You have a role to play in raising cybersecurity awareness. Own it! We’re here to support you to speak up, to teach others, to inspire them to act.

“It is fundamental to understand that any business, regardless of its size, can be a target for cybercriminals; therefore, even the minimum cyber hygiene can improve cybersecurity and prevent and protect the organizations from malicious attacks.

Investing in the right technology and ensuring cybersecurity compliance should be the first changes to be made to improve the cybersecurity landscape.”

We hope this interview with Daria-Romana kindled your fire, that it sparked a flame to pursue an idea, a learning path, a project.

Whatever you’re inspired to do, act now!
Take that first step.

We know from personal experience that it makes all the difference!

3 key takeaways to build on:

  1. Humans control technology, not the other way around. This is true for defenders, attackers, and victims of cybercrime.
  2. One of the ways to advance in this field and gain confidence is to choose a specific area of interest and master it. To achieve this, find a good mentor, know your skills, and cultivate them and your know-how.
  3. Be patient when assessing your growth and results. While combining the knowledge you gain through degrees and certifications with hands-on experience is a great combo to catalyze your development, it still takes time to gather meaningful experience.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..