DefCamp #11: Gratiela Magdalinoiu on building a more flexible mindset and skillset

If you stumble on the topic of cybersecurity education at every “corner” of the infosec community, know that it’s still not repeated often enough. While we, the “insiders”, know why the industry needs fresh blood and people from diverse backgrounds, the message has yet to reach mainstream conversations.

You’ll probably notice that the topic of (self-)education comes up in each of our DefCamp 11 interviews. It’s no wonder this happens when we, as a community, are still not making enough progress in communicating the opportunities and career paths that exist outside the industry’s confines.

So it bears repeating that we need you in an industry that so many others depend on to run as smoothly as possible while navigating the rocky waters ahead.

Gratiela Magdalinoiu, President at ISACA Romania, Romanian Chapter, is our guest today, sharing her wisdom – and key numbers – that reveal the reality of cybersecurity, with both its sunnier and more shadowy spots.

We challenged Gratiela to choose a topic she believes we should talk a lot more frequently about in the infosec space. Here’s what she told us:

“It is a challenge to choose only one topic for members of the infosec community (and not only) to talk about. There is indeed room for very hot pieces of regulation (both national & European), emerging security solutions, or automated risk modelling. However, I would go for the education topic first.

All the reports and statistics from the past years are showing concerns about filling the open security jobs or finding appropriate personnel with appropriate education and experience. Unfortunately, there are no significant improvements for the current year: according to the latest ISACA report, State of Cybersecurity 2020, 62% of the respondents (coming from 17 industries around the globe) said their cybersecurity teams are understaffed.

At the same time, there is an interesting visible correlation pinpointed this year between understaffed security teams and a higher potential risk of experiencing more cyberattacks. And this strengthens the finding that only 51% of the respondents are highly confident in their security team’s ability to detect and respond to these cyberthreats during the pandemic.”

Building awareness is starting to pay off

But we still have a long way to go.

Gratiela highlights internal training as a core investment that must continue into 2021. While work-from-home (WFH) was all anyone could talk about last year, the challenge is far from over. We haven’t all magically levelled up to this new setup in perfect condition, especially cybersecurity-wise.

“A topic on anyone’s table in the infosec community (and again not only) is the work-from-home challenge.

According to ISACA’s COVID-19 Study released in April 2020, 92% of respondents say threat actors will increase cyberattacks on individuals, and 87% of them believe that the rapid shift to work from home increased the risk of data privacy and protection issues.

A huge amount of resources has already been shared (80% of responding organizations in the above study are actively doing this), and this is and should remain a continuous supporting and learning process, together with strong involvement of the security teams. In addition, a lot of investment has started to be noticed in implementing awareness programs for employees and management teams, resulting in them becoming more aware of their roles and responsibilities in cybersecurity strategies.

This is a huge effort and results will be proportional to the resilience level, challenged to be balanced in a very dynamic context full of uncertainty.”

The calendar date may have changed, but our determination to make individuals, teams, and organizations resilient in the face of changing cyberattack tactics must remain as strong as ever.

This tech combo might be cause for optimism

We all need more of it, don’t we?

The massive digitization effort that started in 2020 will certainly continue this year. Gratiela highlights the areas that could bring a significant improvement in organizational defenses simply by externalizing them to specialists who truly own their offering and infrastructure:

“I would go for a bundle – AI, ML and cloud – betting on their potential, even though their adoption pace is rather slower than falling under the “best advancements” tag.

Cloud is by far the most visible in terms of adoption level, as more organizations are embracing software-as-a-service (SaaS) applications for critical business activities and continue to look to platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) solutions to strengthen or replace hosted resources, which might potentially lead to a shift or even a decrease in the number of attacks that directly target end-user computing environments. And even though this trend has been pretty steady for some years, the current change in business dynamics may bring a huge shift in externalization.

Apparently, AI and ML security solutions might potentially reduce attacks and increase their visibility. If the assumptions which led to those conclusions, based on the data of the ISACA report “State of Cybersecurity 2020: Threat Landscape and Security Practices”, are correct, then even though organizations are reporting adoption lags in an increasing landscape of vendors providing solutions with AI & ML capabilities, there could be some promising signs in this area in the near future.”

Focus on becoming more flexible

One of our favorite questions to ask guests in the DefCamp 11 interview series is to list three things they learned through hands-on practice that can help less experienced security specialists.

The answers are always insightful, unexpected, and inspiring.

Here’s what Gratiela offers for your mind toolbox:

“Real life and books are two different things.

Anything (i.e. incident) can happen to anyone (i.e. individual or organization).

The new perfectionist is agile, creative, ready, a fast learner, authentic and (even) empathetic.”

This special focus on flexibility is worth emphasizing, as it’s bound to be one of the most valuable abilities for the future. The capacity to stay nimble, to keep learning, to give yourself the option of changing your mind, and to not punish yourself too harshly for being wrong (as it’s truly inevitable) are all abilities that will keep you progressing through your infosec career, no matter how many twists and turns it may take.

And it’s this flexibility that will allow you to “gracefully embrace it”, as Gratiela prompts us to do.

“2020 was about change. In our work and life. Totally unexpected and unpredictable.

It was like an abrupt set-up scene for the ‘acceleration of digital transformation’ topic that used to be on everybody’s lips in the last couple of years. Only that this time it was for real, and there was a visible switch between just planning it and really managing it.

What we can predict for the future is only the fact that we must recognize there will be no going back to the pre-COVID-19 life. And this might come with challenges, concerns, efforts and discomfort.

The option of not only remaining alive as businesses, teams, leaders, but also being successful, is to work on a new mindset. And even more, to gracefully embrace it. To be sure that words like agility, flexibility, reengineering, creating innovation are strongly embedded in our culture.

As for the last part of the question, I hope management teams are already looking more pragmatically at their strategies and business continuity plans, ensuring appropriate support and investments in protecting data, assets and people.”

On that high note, we hope you’ll carve out a corner of this industry that fits you, and we’re ready to support you on your path. Keep close to the DefCamp community and you’ll find more friends than you might expect!

3 key takeaways to build on:

  1. building cybersecurity awareness is starting to pay off, but its compound effect is still to come, so we must persevere, whether on our own, as teams, or as organizations
  2. cultivating flexibility is essential for building an infosec career and advancing it no matter how the world changes
  3. bringing your whole self to work is a good thing and can work to your advantage, especially when you need to connect with industry outsiders who need your guidance to make better, safer choices.
