“What makes something ‘more secure’ in people’s minds is often based on the wrong conclusions”


Today we’re taking a look at cybersecurity from a different angle.

We’re going to peek behind the curtains and find out how one of the most respected infosec journalists in the industry developed his skills and know-how. What’s more, we’ll learn about the challenges of reporting on cybersecurity topics in a fair and balanced manner that creates constructive outcomes.

Our guide to all of this and more is Lucian Constantin, one of the leading journalists in the industry. He is a current or former contributor to publications such as Forbes, Motherboard, PCWorld, Computerworld, CSO, and others.

The reason his work is so prominently featured on such high-ranking websites is that Lucian shows a deeper understanding of cybersecurity issues than others. Thousands of people from all over the world read Lucian’s articles each week, relying on him to stay informed based on his well-researched, insightful reporting. Lucian never disappoints, if we do say so ourselves.

What triggered the spark

So what makes a journalist want to go into cybersecurity at a time when no one cared to even read about it?

As it turns out, it’s that time in our lives when we tend to go through some of our most memorable experiences.

I grew up in the late 1990s and early 2000s when IRC and online forums were very popular.

I got involved in various tech support forums and, to some extent, the management of a large IRC network.

Malware infections, IRC flood bots, exploits and other types of threats were something we had to help people with on a daily basis.

Many infosec specialists are self-made, having picked up the “bug” as they were exploring the internet in its early days, often actively contributing to spreading it. Lucian is one of these people, as he tells it himself.

I am mostly self-taught when it comes to computers and technology.

Even though I studied computer science in high school, the curriculum at the time was quite basic. I learned much more on my own by reading online documentation, papers, and tutorials.

Being part of online tech communities together with like-minded individuals who could answer whatever questions I had, helped a lot too.

Another important part for me was that I could actually apply what I learned because during college I worked as systems and network administrator for some local businesses, including two internet cafes.

The 3-part process

Learning, sharing, applying – these three key steps in the process of becoming a cybersecurity specialist that Lucian highlights are truly important. They’re the framework upon which the infosec community was built and the one we need to strengthen today so we can progress both as an industry and as individuals.

Since we’re on the topic of community, we wanted to dig deeper and asked Lucian how it actually helped him.

I would say the community as a whole played a big role in keeping me engaged and wanting to learn more.

Of course, back then, the infosec community was made up of a much smaller, tight-knit group of people. Information was much harder to come by than it is now, which forced people to form relationships and friendships with one another on a closer level.

The way Lucian describes the early days of infosec echoes our own experience, one we fondly remember. It stands true to this day that, when trying to find your way in an industry, it’s incredibly helpful to have someone to navigate all these challenges with.

So is the willingness to get involved and make learning a core life habit.

Long before I started covering infosec as a journalist, my involvement was in international tech support communities, which did have an infosec component. Those communities had Romanian members but were not Romanian-only communities.

A growing responsibility

Over the last decade, tech journalism started to fragment more and more, with cybersecurity following the growth in exposure that the entire infosec industry experienced.

We wanted to explore Lucian’s perspective of how the journalist’s role evolved throughout the last 10 years.

I wouldn’t say the role has changed much — a journalist’s role was to inform the public and still is — but the visibility has certainly changed.

When I started covering infosec in 2008 it was a niche specialization for a journalist. My stories did not get as much traffic or attention as those of my colleagues who were covering other technology topics like mobile phones, Windows, etc.

Since then, infosec has taken a much more prominent role in the minds of people and organizations in general. Today, there’s no serious online news publication that doesn’t have someone assigned to cover security and privacy almost exclusively.

As infosec has taken a larger role and focus in organizations, the whole industry has grown and so has the amount of research put out by companies, academia, and independent researchers. More content means journalists have to be much more selective about what they choose to cover, given the limited time and resources they have.

This last bit is always helpful to keep in mind, both as an infosec researcher or specialist and as a company representative.

Don’t let this alter your perception

If you’re in a different stage of your career, say a beginner, a core skill to cultivate is the ability to soak up and filter information. Knowing how to read the news plays a big role in that process.

So we asked Lucian which cliches could lead to drawing incorrect conclusions, so we all know to avoid them.

There’s so many to list and talk about, but I’ll pick one. 

I think one of the biggest issues is people taking sides when it comes to software security: Linux is more secure than Windows; macOS doesn’t have malware; iOS is better than Android, etc. What people need to understand is that all software has bugs because they’re written by humans — for now — and some of those bugs have security implications, so they are what we call vulnerabilities.

This topic is quite complex. What makes something “more secure” in people’s minds is often based on the wrong conclusions. 

Let’s take the hypothetical case of two unnamed pieces of software from different vendors that serve the same purpose. Vendor A has a mature secure software development cycle, a vulnerability disclosure program, maybe a bug bounty program, publishes regular advisories, performs internal and external code audits, etc. The other vendor, Vendor B, does not do any of these things and only fixes and discloses vulnerabilities when they’re reported to them.

If you’re a buyer, you might easily be misguided in your purchasing decision, because you see stories about vulnerabilities in vendor A’s software appear much more often than in Vendor B’s and you might draw the conclusion that Vendor B’s software is “more secure,” whereas the other way is actually true.

The real differentiator should not be the number of publicly disclosed or patched vulnerabilities, or how often a piece of software is in the news, but how a vendor deals with flaws when they appear — fixing the root cause and not just one particular bug, their response time, defense-in-depth measures, how it interacts with the bug reporter and the infosec community in general and so on.

This is a difficult problem to solve because making a truly informed decision about a product’s security requires a good understanding of many aspects, often subtle ones, that beginners or outsiders simply don’t see or know about. 

A lot of infosec news is focused on the negative aspects: vulnerabilities, attacks, breaches. And sure, those are important to report on and attract the most traffic, so it’s understandable why that’s the case. But as journalists, if we want to truly serve the public, we should strive to also highlight the good decisions and behavior that some vendors adopt and be honest about a vulnerability’s impact. Don’t hype it to get more clicks, and always include mitigation advice.

Just telling someone there’s an issue without actually giving them remediation options — if they exist — doesn’t help anyone.
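The Vendor A / Vendor B argument above is easy to see in numbers. The following Python script is an added illustration, not part of the interview or of any real vendor's data: it builds a small constructed set of advisories (every date, flag and vendor name is made up) and ranks the two vendors two ways, once by the naive "fewest public advisories" view and once by how they actually handle flaws (response time, root-cause fixes, self-discovery through audits and bounties). The `Advisory` fields and the scoring key are assumptions chosen for the example.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Advisory:
    """One published vulnerability advisory (constructed for this example)."""
    vendor: str
    reported_day: int      # day the flaw reached the vendor (relative day number)
    fixed_day: int         # day the fix shipped
    root_cause_fix: bool   # fix removed the underlying bug class, not just this instance
    self_discovered: bool  # found via the vendor's own audits or bug bounty, not an outside report


# Constructed sample data, not real advisories. Vendor A publishes an advisory for
# every fix, including bugs its own audits and bounty programme surfaced; Vendor B
# only discloses the two bugs outsiders reported to it, and fixed them slowly.
ADVISORIES = [
    Advisory("Vendor A", 0, 3, True, True),
    Advisory("Vendor A", 10, 15, True, False),
    Advisory("Vendor A", 20, 27, True, True),
    Advisory("Vendor A", 30, 40, False, False),
    Advisory("Vendor A", 40, 54, True, True),
    Advisory("Vendor A", 50, 71, True, True),
    Advisory("Vendor A", 60, 64, True, False),
    Advisory("Vendor A", 70, 76, True, True),
    Advisory("Vendor B", 5, 95, False, False),
    Advisory("Vendor B", 100, 220, False, False),
]


def posture(advisories, vendor):
    """Summarise how a vendor handles flaws, not merely how many it has disclosed."""
    ours = [a for a in advisories if a.vendor == vendor]
    if not ours:
        raise ValueError(f"no advisories for {vendor}")
    return {
        "public_advisories": len(ours),
        "median_days_to_fix": median(a.fixed_day - a.reported_day for a in ours),
        "root_cause_fix_rate": sum(a.root_cause_fix for a in ours) / len(ours),
        "self_discovered_rate": sum(a.self_discovered for a in ours) / len(ours),
    }


def vendors(advisories):
    return sorted({a.vendor for a in advisories})


def headline_ranking(advisories):
    """The naive view: fewest public advisories first, as if that meant 'most secure'."""
    return sorted(vendors(advisories),
                  key=lambda v: posture(advisories, v)["public_advisories"])


def posture_ranking(advisories):
    """Rank by median days to fix (lower is better), then by root-cause fix rate
    and self-discovery rate (higher is better)."""
    def key(v):
        p = posture(advisories, v)
        return (p["median_days_to_fix"], -p["root_cause_fix_rate"], -p["self_discovered_rate"])
    return sorted(vendors(advisories), key=key)


if __name__ == "__main__":
    for v in vendors(ADVISORIES):
        print(v, posture(ADVISORIES, v))
    print("by advisory count:   ", headline_ranking(ADVISORIES))
    print("by handling posture: ", posture_ranking(ADVISORIES))
```

On this data the advisory count puts Vendor B first, while response time and fix quality put Vendor A first: the more transparent vendor looks worse in headlines precisely because it finds and publishes more. When doing a real vendor assessment, the fields that matter are the ones in `posture`, and they have to come from the vendor's own advisories and disclosure policy rather than from news volume.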

These writing tips are not just for journalists. We could all use them and ask ourselves who we’re writing for and what we could do to help the readers help themselves.

Ask yourself these questions

You may say that the news is full of stories about breaches and that doesn’t really help anyone. So we sought to understand things from Lucian’s perspective.

How do you write about the 123932503th breach? How do you choose what to highlight?

Lucian gives a straightforward explanation that also includes questions worth using as guiding posts in more than just reporting.

You don’t write about the 123932503th breach.

I’m kidding, but just to some extent.

It’s a good question that touches on a bigger issue: security news is often repetitive. Deciding if and what to cover is a process that can differ from journalist to journalist, the publication they work for, the audience they have and so on.

In general, reporters have to always ask themselves:

How is this different?

What can people learn from it?

Is there a lesson here that hasn’t been highlighted by other breaches?

Is there something valuable I can add aside from just telling people it happened?

Is there something else that seems more important that I can cover instead?

Put those limited resources to good use.

This goes beyond reporting on cybersecurity issues and stories. Having at least basic cybersecurity knowledge, no matter the topic they cover, has become important for journalists worldwide.

Lucian explains why:

I would say journalists should have more than basic cybersecurity knowledge because they are a target for many threat actors, especially nation-state ones, and have an ethical obligation to protect their sources, a privilege that is also protected by law in many countries.

The job of a journalist requires building relationships that are based on trust and that’s a difficult process. Unintentionally outing a source who gave you a tip or confidential information in the public interest, but asked to remain anonymous, can compromise all that hard-earned trust and negatively impact your career.

Not only should journalists learn to protect themselves and their devices, but they should also teach their sources how to do the same and use secure communication channels.

Proceeding with caution

Speaking of sources, we couldn’t help but ask how open companies really are to talking to infosec journalists. Organizations often make the news painted in a fairly negative light – usually post-breach – so the relationship with cybersecurity journalists and the community itself is sometimes strained.

Infosec companies have the interest to talk to infosec journalists because they want the good PR: they want to promote their research, products or experts.

If we’re talking about companies who have been victims of a breach, the reverse is true: many want to talk to infosec journalists because they want to avoid bad PR and do damage control.

Not commenting when you’ve suffered a breach is worse than being open about it and assuring your customers you’re doing your best to resolve the situation.

The hardest companies to talk to are those that don’t have anything to gain from talking to a journalist. For example, it’s hard to do case studies about technology deployments or get CSO/CISOs to talk on the record about how their organizations are handling various aspects of security and compliance.

Some might be concerned about exposing their internal practices and giving attackers information about their defenses. Others might know they’re not doing enough and don’t want that message out there. Others don’t want to criticize their infosec vendors and complain about their products or interoperability issues openly because they don’t want to ruin those relationships. And then there are typically non-disclosure agreements that govern contracts, whether those are business to business or business to employee.

If we were to summarize Lucian’s depiction in one word, we’d say “complicated” is an appropriate choice.

How following the right people makes a difference

Lucian’s ability to navigate this complexity and his knack for bringing clarity to topics that span industries and disciplines are just two of the reasons you should read his articles and others like them.

We recommend that those who aspire to an infosec career go beyond their usual sources of tech know-how to cultivate a well-rounded perspective.

If I understand the question correctly, these are complementary sources of information that serve different goals.

You are not going to learn how to perform a penetration test or compliance audit, or to use certain tools, from a news story. However, news articles can help you discover new tools and sources of information that you weren’t aware of, or new techniques or attacks that someone presented at a conference with links to the paper, slides or the recorded presentation itself.

They can also help you identify trends in the attack landscape or learn about attack vectors you hadn’t considered, and not just theoretical but observed in the wild.

They can help you learn about the mistakes that other companies have made so you can avoid them in your own organization.

More generally, they can guide your career path and determine what’s “hot” at one point or another in the industry. And being informed about what’s going on in your field of work helps you take better decisions.

Speaking of information sources, Lucian emphasized the wealth of information available now compared to when he started to take an interest in the field.

There are top-rated universities that have published their courses online. There are paid services that offer courses and training. There are community websites where people answer questions. There are many conferences that make their recordings available for free. There are podcasts, specialized publications, online archives for research papers and so on.

There’s just too much to list or recommend, even if I wanted to. There’s no shortage of information really or people willing to share it.

For now, Lucian has his interest set on issues specific to large organizations:

Some of the topics I follow are influenced by the audience of the publications I write for.

Right now, my focus is on enterprise security, but I also wrote for consumer publications in the past.

I’m interested in cloud security, DevSecOps, enterprise IoT, ICS and of course exploits and vulnerabilities in products used by enterprises, as well as real-world attacks against companies and organizations.

This may be one of the reasons why Lucian has been attending DefCamp for years. Or maybe it’s just because he likes us a lot. 🙂 I guess we’ll have to ask him this year to find out.

The value of getting involved

Until then, here are Lucian’s thoughts on DefCamp and what we’re all trying to do as members of the infosec community:

I think DefCamp, which I’ve seen grow from the early days, has been instrumental in bringing the Romanian infosec community together by linking the smaller and independent groups of friends that already existed. 

I’ve met many knowledgeable Romanians who work in this field at DefCamp whom I probably wouldn’t have had the chance to meet otherwise. Some have become sources for my stories, but many others have shared their thoughts and knowledge on various topics when I needed guidance, which has helped me write better-informed articles.

We can’t ignore the fact that other countries have had big infosec conferences long before Romania did, so from that perspective, the Romanian community is “younger.” But infosec is one of those topics that exceeds borders and DefCamp itself is an international conference with speakers and attendees from many countries, so it’s hard to draw the line between the Romanian and international communities.

That said, it’s great to have local events that are accessible to Romanians because not everyone has the resources and opportunity to travel to other countries to attend bigger conferences that have been running for 20 years or more.

In a way, we’re striving to create those opportunities to meet the people we wish we could’ve met 10 years ago when DefCamp started or even earlier than that, when Andrei, DefCamp founder, started tinkering with ethical hacking.

We’re thrilled when we see people making friends at the conference and forging relationships they carry way beyond the event. It’s what matters most to us because that’s where change and improvement – both personal and professional – begin.

Lucian’s interview will stay with us for a long time not just because we know and respect him but because his words of wisdom are evergreen in a world that’s moving incredibly fast.

If you want to join us and experience what getting involved in the community has to offer, meet us at DefCamp and let’s start there! Together.

This year, we’re taking DefCamp to the next level with the help of our main, long-time partner, Orange. With support from IXIA – a Keysight Business, Secureworks, UiPath, Bit Sentinel, Thales, and other selected tech companies that value the power of community, we’re building valuable, hands-on learning experiences for 2000+ attendees from all over the world!

Join us to educate, secure, and change the world!
