From Hacking Teen to Security Leader - Miglen Evlogiev, SVP of Information Security @ Payhawk

Sep 29, 2024

Episode Description

In this episode of the Hands on CISO podcast, Adi interviews Miglen Evlogiev, a cybersecurity expert with over a decade of experience. They discuss Miglen's journey into cybersecurity, his day-to-day responsibilities at PayHawk, and the importance of continuous learning in the field. Miglen emphasizes the need for a positive security culture, the challenges of incident response, and shares real-life security incidents that shaped his career. The conversation also explores the role of AI in cybersecurity, the future of the industry, and advice for aspiring professionals, highlighting the significance of storytelling in bridging the gap between technical and non-technical stakeholders.

Episode Transcript

hi everyone welcome to the Hands-On ciso podcast my name is a and today I'll be talking to mlen evv mlen is a cyber

security expert with more than a decade of experience in the the sector currently he's leaving the information

security at POF a business expense management platform and the first Bulgarian unicorn before that he was

working for companies like AWS and hulet Packer he's also heavily involved in the

local cyber security Community is president of the cyber security Association and regularly organizes

events and speaks at conferences like bsides ow ASP sopia chapter and cyber

security talks outside of Works he enjoys extreme sports like paragliding skydiving and mountaineering M Glenn how

are you today perfect thanks for having me ad of course so happy that you're

here before we get into anything else so tell us how did you even get into cyber security

a fairly long story about two decades long actually uh when I was you know a

teenager uh here in Bulgaria I think in most countries in the world where you couldn't afford a personal computer we

have these internet cafes where you could go play some computer games maybe chat with now old school Technologies

like IRC or or icq and socialize on web forums or tet groups it was uh really

really interesting uh at the time to you know use in your

advantage some hacks to uh get advantage in in Contra strike or other games so we

would playing in these forums to figure out how to use certain hacks to be better at it or you know make more uh

wins at the games and essentially I found these small pockets of communities

where they were talking about cyber security hacking in this case so it mostly a a bunch of curious teach

teenagers nowadays we call them script kitties they they'll find something on the Internet that works and they'll use

it in their uh benefit and they will def face websites take them down take over accounts things like that to impress

other people maybe you know take down websites put their name on it and say hey greetings to my friends I've managed

to do it and so on and so on so I started getting involved into that Community until I got a slop in the Rest

by the cyber crime unit because we were even recording like tutorials how to do

it and uh it would get to to large scale sometimes and it would affect uh let's

say small uh groups of people but what really got me inspired into the cyber

security world is uh two movies from the 90s that I watched at the time uh one is

well known with Angelina jul it's called hackers it's very famous i' say the the one is takeown with Kevin mnik uh and

there is this CH I actually didn't didn't enjoy that much the Kevin mnik role I enjoyed the other character uh

suo shimura or something like that and basically he was more of a cyber

security expert that helped to catch Kevin mittnik so he was like roller skating he was like this cool guy that

was like commuting to work on the beach and I like one day I really want to be that if if that would be possible but as

you can imagine at the time there were no such uh job opportunities I would say globally there were very few jobs and

you need to be very skilled not only technically so my career essentially

started with uh web development it evolved with CIS admin work I also was a

devops at some point uh when in 2014 I moved for to work for Amazon in Ireland

and this is where I started my first official cyber security jobs and I was

uh fortunate enough to work in a very uh interesting field with very advanced

Technologies and and learn from exceptional leaders and after that uh I decided after Co I decided to come back

to my home country Bulgaria where uh I was faced with a thriving community and

really interesting job opportunities in this case in the face of the company I work for today bayhawk I was able to

build the security team I am in now I was able to contribute to the community

which is really great I really enjoy dayto day

amazing and what does your day-to-day look like now did it look different in different companies you are in yeah

absolutely because I was having different type of responsibilities or different levels of ownership today uh

at PW I'm involved in all sorts of infos and it my team is a is a is a cross team

so we do both things at once uh but in other companies was completely different I would have like a very narrow Focus

where I would do very specific things let's say def SEC Ops or application security uh and nowadays I would say I'm

not a morning person so start a little bit late I uh would check out

operational things so tickets CM alerts if there is something exceptional or

something that needs immediate attention and usually I'll start commuting to work I have about 30 to 45 minutes right to

the office so usually consume a lot of content that will be either YouTube or podcasts like this one dark net Diaries

malicious life Risky Business and so on and so on there's so many amazing uh

stories and podcasts nowadays so you can really get inspired and by the time I'm in the office I have this very

interesting story or insights that I could potentially share or or I can have an ideas to what I can work

on when I get to the office usually we we have a chat with the team like a

stand up because as I said we are both uh it and security so we are a little

bit Project based but very operational so we would see what the day would look

like what we have open for the day and what projects we are currently ongoing there any blockers or anything that need

attention and then uh full on focus on on the task at end usually I try to

follow the well-known uh methodology getting things done uh can't remember

the order but it's very famous in the world so it's the way you manage work um

and basically you can divide it delegate it very quick task can be finished within two minutes but then you have

like these big chunks of work that you should focus on so I really enjoy uh to

focus at like large Chun to have like a proper flow so I Tred not to overwhelm

my time with meetings but I try to leave enough time for Meaningful work for

productive work not to for not to keep my myself just busy so on a day today might be different depending on like

what we have upcoming it could be related to compliance uh or it could be related to road maps or uh the team that I'm in or

it could be writing code some days I have that luxury as well and usually at the end of the day I

may attend events after work hours as I said we have a driving Community here in Bulgaria or I'll continue working

sometimes if there's something interesting I don't rush to leave the office immediately and yeah I'm very happy

actually that I have the power over my day which I really enjoy and I try to not over overwhelm it with

meetings amazing it sounds like your day is really like really revolves around

cyber security a lot beyond what you would I would say you have to yeah yeah

uh it's necessary to do the to eat your greens to do the ground workor that uh

it's related to reporting compliance and so on but also there are like important

things to you know talk to other teams about like how they're embedding Security in their road maps or their

process or their tools talk to customers sometimes because we as a business uh we

operate in a very specific Market Financial Market that's heavily regulated so customers need to do a very

uh indepth uh screening and due diligence before they sign up because

essentially we're managing their funds and data so we just ensure that uh they

understand how much we put effort in security and this is really important part of my

job interesting would you say that when you're learning new things when you're

like listening to podcasts or reading online is that is there a specific way

you go about learning about what's happening right now like any breaches that happen any new technologies any

anything like that or is it more just understanding cyber security in general really like the title of the podcast is

handson CIS so so I try to focus on on the on the details on the definitions of

the details not of uh the perceptions of orders so when there is like a bridge or

a vulnerability that's interesting a zero day or some sort I try to go to the source and figure out what really is

happening not what somebody's inter interpretation is or like what LinkedIn is buzzing about so that would be my

main approach I really throughout the years I've learned to avoid like hyp driven consumption of uh information or

uh there is a new term that was called uh infotainment so that you consume

content but for entertainment purposes not to understand the uh underlying

technology or how things have actually worked out and happened and I really

like uh Hands-On tldr kind of approach to the consumption like to be practical

and applicable and this is the way I would select the sources they need to be

very reputable uh they need to be very spot on uh and throughout the years I've

kind of collected a list of podcasts the ones that I mentioned but also mailing

lists or like weekly updates that I would cons like the Suns uh security podcast tldr SEC for example um there is

a very famous risky Bas uh weekly updates that includes the sources of the

information so that you can really get into the depth and details and really for example there was a recent Ubbi key

vulnerability in LinkedIn and the community really lost their minds over it but then it turns out that it's not

really as it looks like and you need a very complex equipment and physical access to the keys to do certain things

I'm not saying it's impossible but it's like so hard and so challenging you have easier ways to compromise the

authentication and get into a company then then than than buying a a very expensive equipment to bypass the

protection of uh specific Hardware that's used by the company so that's why I would prefer to be very selective at

the content I consume and if I don't see benefit in it and it's very high level

and very infotainment as I mentioned I try to avoid it because it just creates noise in in your head it doesn't ask

value interesting so back to the like the your

daily role I would say security a lot of the time is about understanding what you

can what you can do and what you shouldn't shouldn't do you ever get the bad cop name do you how do you view

that I try not to create a culture like that uh because I believe in good

intention in people most of the time so you should in this role apply some

emotional intelligence intelligence and approach people with respect and dignity and say hey uh this is why for example

this situation might be uh risky for the business and and us as a whole at the

end of the day the consequences are shared among us so we should have a shareed responsibility and and share

understanding about why certain things could cause problems and we also try to not in

create kind of a fra culture about it let's say if you forget your laptop unlocked somebody would go there and uh

put something funny in it or write a funny message in the common slack channels we try to avoid that uh because

I don't think it Fosters the right culture and the right respect to cyber security I think that's old school I

believe that if people have uh they understand their responsibility in the

overall security of a company they they could do better of course you have two options here one is misunderstanding

negligence they they just didn't know better so you should go with good intention and explain them why certain

things could lead to an incident or or something bad but also it could be

malice which has another work it's an Insider threat and it should be treated completely

differently how do you balance between on the one hand putting controls so no

anything that is done in Malice can't happen or or no mistakes can happen and

on the other hand education so like making sure people know what they can

and can't do I really liked because I've listened all the episodes of the podcast somebody

said that security should feel like a force field in Star Trek I really like

that comp person it is very difficult to achieve something like that in an

informational environment with many people and many systems and Technologies because everything is moving people are

adding new apps everywhere using various devices and so on but you should

probably strive for that I think it's the right approach so it should be invisible up to a point where something

unusual and it doesn't look right happens and you have the indicators for

that you should act according and to do that you should basically

monitor all possible digital spaces that you could uh in a way that they would

alert you if something malicious is happening and if you're not keeping yourself up to date on the news or

update on the technology or if you don't know how the technology works and that's

why I do believe that even a leader in the space should be Hands-On because if

you can constantly delegate uh some junior or even senior members of

the team might not fully understand uh the big picture or the overall

consequences so it's not bad for you to get your hands dirty from time to time and really ensure that the right

controls are in there but the way that we deal with most of things in cyber

security in other spaces not only there everywhere where there is involved risk

you should have a lot of like checks uh whether that would be like weekly quarterly whatever works for you

any sorts of checks if automated even better so that you can verify that the

controls that you have in place are actually meaningful and and they work and you could do that through many ways

uh internal external pen tests red team operations sofal engineering attempts

what we tend to do as a team when we have the luxury of time because it's

it's challenging to balance that well what we try to do is spend a little time on sofal engineering or approaching

alternative ways to access things and uh show our colleagues that uh for example

even in LinkedIn let's say if you're salesperson or an HR person and you actively use LinkedIn you could be

approached by a completely fake madeup Social Engineering profile and they

could lure you in a multi-step process where you could believe that a sale is

happening or you have a an amazing lead or amazing candidate for a role and at the last step they just like send you a

link to I don't know a malicious PDF or something that contains a malware or or

a fishing page where you should provide your credentials and if you're not very careful it's easy to fall into that

truck so I tend to believe that you should be proactive about ensuring all

these all these things and all these controls as much as you can

can you tell us about some of the security incidents that you've seen

throughout the years maybe the more extreme ones sure um I've spent a lot of time on

call maybe about four or 5,000 hours maybe more throughout my career I've

worked on hundreds and hundreds of incidents alerts investigations of All

Sorts even helped friends and relatives and other companies when they asked me

for because really enjoy it there are couple of incidents that I really can recall and they're very interesting so

the first one is actually an incident happened some time ago with a colleague of mine that was sitting few desks away

from me and they were intentionally using a available capacity in our

environment to mine crypto which is really stupid thing yes so I actually

accidentally uncovered that I wasn't really looking for it I've noticed high capacity usage and I was just Vigilant

it it didn't it didn't make any sense so unfortunately by the end of the day we had to let that person go um it's just

something that shouldn't ever ever happened it was obvious that they they were just uh malicious or stupid I don't

know um the other type of incident that I would usually deal with it's quite

common nowadays because of the darket Services where you can hire stress testers or services for where you can

buy a large number of compromised devices to use them for denial of service attacks so I was dealing with a

a DDOS that distributed denial of service attack a few years ago that was very sophisticated that kept me up one

night I don't usually stay up nights but that one kept me really up because it

involved hundreds of thousands of hosts and it was very sophisticated like when I was able to block one uh side or

approach on one layer they would go back and figure out another approach so it

was like a a little bit of a cat and mouse game essentially we restructured the infrastructure and we were able to

pH that without any human involvement but it took a little effort from our side to uh fight back the attack at the

time and it was very very sophisticated I'd say it was not it was not done by

Script kitties or maybe it was but it was very well prepared and well executed

and could you could you explain a bit more about that cuz like how did that

work how did that come to be it's fairly simple so if you go on any darket Forum

uh you could probably buy a bunch of uh infected hosts they're usually shared

and used for many malicious and illegal things but it could be from your smart

thermostat to your I don't know computer that you love for Goten in the garage

and haven't updated since uh 2015 and it's just there to control the Christmas

lights and essentially thread actors find those devices through search engines on the web like show them and

census they compromise them they may even fix the vulnerability so no other

thread actors can take them over so now it's their device not yours anymore and

they would use those devices they would you they would look like residential IP addresses that would look like coming in

from regular location from your garage or your home IP address and I have seen

in my past experience some very experienced people uh like Engineers

directors of engineering and so on that have had like a raspberry piie that manages their thermostat that was

compromised so nobody is safe essentially if you don't put effort even in your home network and they could

pivot to your device even in some cases but but in in in that specific situation

with that incident uh they would use those devices they would have a command and control server from where they would

send commands to those devices and basically they would serve as thousands

and hundreds of thousands of proxies of their request so they would amplify whatever command they sent it would be a

web command it would be a lower layer like tcpip fluting and so so on so they

could do whatever they want with these devices they can make them do uh whatever they want and essentially it's

not very difficult to scan a product a

device a company nowadays and figure out like where are this product or this

company weak spots and by weak spots means where are the pages let's say or

uh the functionalities that take large amount of resources to calculate let's say if you have like a scheduling

website and probably to playay the calendar for the year that's going to take a lot of resources from the system

if I intentionally uh focus on that area hundreds of thousands of uh requests

doesn't matter how much elasticity you have from the cloud and how much uh demand you could meet if you don't have

the right firewall rules rate limits controls essentially the product will

fall down and you're going to be uh unavailable so this is why what exactly these uh thread actors are doing it's

not very sophisticated you can literally buy this kind of compromised devices for I don't know 20 30 bucks for few hours

you just rent them and then do whatever you want with them and essentially they're asking for funds in crypto so

they would send you a ransom message and ask you for a payment if you don't pay you're going to be taken down if you

have the right infrastructure right people and the right processes it won't be a very challenging operation but if

you're a small business and you don't understand technology very well they could really keep you down for days

months or even completely bankrupt your business that's

crazy wow and you had another story that you wanted to say another uh but uh I

want to share another one yeah it's um usually in the social engineering

World there are various types of attacks that you could execute obviously through

email communication we call it fishing two different types of communication we call it differently SMS missing and so

on and so on and uh once we saw a very sophisticated it wasn't really an attack

actually uh I'd say uh because it didn't involv any special skills what they did

is somebody TR doctor they cloned a legitimate business that we and many

many other companies were operating with it was like a consultant company and they completely clone the website they

went so far that they open a legal entity a company with the same name in another country uh and they open a bank

account and so on and so on and basically they started researching the web who are the customers of that

company so they send them a ton of invoices fake invoices we call them business email compromise or uh chain

iban and so on and basically they sent an invoice that looks like the real thing if you look at it it comes from

the real company it looks like the real domain it's a little bit different but it looks like it's not you know those

like swap letters and and things it actually looks like the real thing and

uh the only difference is the bank is bit different the jurisdiction is a bit different but the company name is the

same so I would expect that a lot of people and probably they did fall for this trap I think it's a multi-billion

dollar uh illegal business specifically business email compromise and what happened is we

luckily the software that we use ourself and we produce when you change an ibon for a recipient it tells you hey this

doesn't look right so we track that we identify it we reported to the

authorities and soon that was taken down and they took legal action to find the

threat actors but usually they operate with uh Financial mules so they would find some people in various countries

they would not even explain to them like they would pay them certain amount of money and they would open the business or bank accounts on their names and then

they will use that those bank accounts to uh funnel funds to crypto or other means where they could potentially stay

hidden well in the financial world that's a little bit challenging but they still find ways to do

it wow interesting sounds like there's a

lot of things happening that where it's like stress is very high like you're very on the go have to deal with this

right now how do you do that like what's your mentality when it comes to everything's

on fire what do I do now that like everything on on fire in

the security World happens every other day probably so if you don't have like a strong mentality or if you're not

mindful probably going to burn out quite quickly and I don't I say that with

humility because uh I know that a lot of my colleagues are suffering from burnout

and there is a lot of stress in the sector and you need to be probably a very I wouldn't say ignorant but like

very uh receptive to these kind of situations and maybe be a little bit of

stoic when things like that happen and don't react too quickly at say so the

way that I would react when things are on fire and I love when things on fire

which sometimes is unfortunate but it's interesting it's exciting I try to prepare for it if you

haven't done the sometimes mundane and boring work of preparation and this is

standard part of all these fancy Frameworks that we follow the the one

from the National Institute of standardization 862 or other well-known security inent

response Frameworks um you may be in trouble but if youve spent some time to

play through I like to say imagine like if you have if you call like a the fire

brigade and they come on a scene and your apartment is building is burning and they have never ever being uh spend

their time you know taking down fires before and they just like started and

they don't even know how all these like Machinery works or how to take the people out they're going to be very

stressed this is the same with cyber security teams like if you don't know how the technology works if you don't

know what steps to take and sometimes even uh to make executive and business

decisions that may temporarily impact the business let's say in a Dos event you would like to take down certain

parts of the system so that you can keep like in Star Trek you can keep the vital

systems on uh you would like to do something like that in cyber security and the way I tend to do it is by good

preparation and doing the boring work as we call it or eating our greens so doing

a lot of insert response exercises to see how we would react on an event and when an actual event happens we are

comfortable we know what's that it's not something surprising we have read about it we're expecting it in a way so hey

now we should follow what we have written of course in the real world that never really happens I mean following

through a procedure that you have written step by step you usually from an

event to an event they may defer completely so I think building a good

team and putting the effort to prepare as much as you can and then whatever

happens happens like you need to react on it that's why really once again I'm going to reiterating that I really like

the title of the podcast and I really believe in it I believe that you should be hands on I try to be on the front

line uh with with my team to ensure that they're uh ready and safe and I can take

over at any moment and that's I think that that that's very helpful and of course there

are things outside of your control but you should do whatever you can to predict and prevent

it interesting so one of the things you said is the like having a strong team

how important that is how do you build a strong team cyber security that's a that's a difficult one

because in cyber secur you need to have a a complex Suite of skills not only

technical uh you need to have a lot of soft or leadership skills because it's

uh not only a technical job most of the people probably would agree with me you

need we're protecting not only technology we're protecting process and people so you need to understand that a

little bit uh the way I believe you build uh strong cyber security team is

first you put a lot of effort in hiring uh you ensure that Prof is Flawless then

once you hire those people you put a lot of effort in onboarding but it's not job done at that time you should

continuously strive to evolve the team for example now in my team uh we have

some new starters that are a bit more experience in certain areas so I've dedicated them a little bit time for

Learning and Development but not only for theirs only but also for them to

share to the team their knowledge so that we can spread it around it's not just sits with

them and you just try to share with the team as much as possible I really

believe that uh and I try to engage my team in the local community because I

really love the local community I'm really vital part of it so I try to push them to present to talk to participate

to go on events to go on cyber security conferences to do Capture the Flag

whatever they want to do something some form of training or

if they would like to exper experiment with something I'm really always uppr or

if they need some that training platform because nowadays there are really amazing training platforms like hack the

Box try hack me pest slabs and so on and so on and they have amazing courses that

are really Hands-On like you can really touch things and test them and compromise virtual machines in a safe

environment or investigate events in various systems so I'm really supportive

of this kind of Hands-On experienced training because it really gives back uh

but also historically I think security teams have been a little bit divided siloed if

you wish so I try to push my team and myself to always be out there and engage

with other teams communicate with them so we're not isolated and standing on the side and doing the bad cop things

but we are involved into all other teams and all other businesses and we talk to them regularly and we engage with them

this all this not only helps for my team and to be more understanding of what the

business needs how these teams operating what risk they could introduce if they

introduce an application or some sort but also helps them to have humility and understand for example what are the

struggles of sales, marketing and engineering teams and how we could probably help them with something. And there's so many things that we can collaborate on, because as I said we are a mixed IT and security team, so we have a lot of cross-functional and cross-team collaborations, so that really, really helps. But I think really being close with the team and helping them to learn as much as they can, so sharing as much as possible. At the end of the day we're here to do work, it's business, but helping them to learn and develop continuously, because the cyber security world is constantly evolving and if you don't learn you start to be left behind a little bit. So we try to stay on top as a team. We do lunch and learns at the office as well. As a team we like to participate in capture the flags; those are really fun events that we do. Sometimes we just order pizza, stay at the office and play till we are called out to go back home.

That's really cool. Sounds like there's a lot of just like a togetherness of the mission.

Yeah, I truly believe in that. As I said, it's business. Some people in the corporate world, they say "oh, we are a family". I don't believe in that. We're a team, we're more like a sports team. We have common goals and missions. Of course we're individuals, so we have different needs. And also I think, and that's one of the things I've learned from one of the previous leaders I worked for, that you should strive to build a diverse team as much as possible, in all meanings if you wish, not only in terms of origin of people but also in their mindset, because different people could bring different value to the team. You don't want to just bring copies of you or of a specific team member, and then obviously if you lay them down as a matrix they're going to have exactly the same gaps or exactly the same things that are missing in their knowledge or understanding. And if you have a team that comes with various backgrounds, let's say they've worked in different jobs throughout their career but then switched to cyber security, or some of them were like me, the whole life was evolving around cyber security, all of them can bring something very valuable to the team to make it more advanced, if you wish.

Interesting. Do you remember any leadership or security decision that you

made in the past that turned out to be maybe not the best, and then how did you deal with that?

I mean, everybody makes mistakes. In cyber security, in these interesting frameworks that I mentioned, we have the idea of a postmortem where we review what went wrong, and we do it in a blameless culture. We try to find ways to prevent it from happening in the future: improve education, process, technology, whatever we can. And me being also the reason for some incidents and events, that's normal. I could share at least two things. One, during security events where we had to act really, really quick and implement firewall rules or protections, it might have been that the rules that I implemented were too strict, so they might cause an additional impact at the time, so we had to go back, revisit them, figure out what the problem was. So that's inevitable sometimes when you try to balance between being very, very quick to save the overall business availability, but you could also cause a little bit of harm. It's inevitable in some situations. And on the leadership side, because I don't have decades of experience as a manager, even with the many, many interviews I've done and hirings and working with various teams, I also make leadership mistakes as well, in terms of like hiring mistakes. That also happens, and when it does happen you just have to admit it and figure out what you could do in the future to prevent it: whether you should adapt your hiring process or the way you look at things, are you too soft in the hiring process, are you overlooking culture? Because a person could be very exceptional in their technical capabilities but they may be lacking some important leadership skills, so that in the long run they may not contribute or fit in the team as you may wish. They may be a lone wolf or a person that doesn't like to be included and help others. So I've done this kind of mistakes too, but we just admitted it, improved the overall process, took note and moved on. It's inevitable.

Interesting. And you were

talking about the business side earlier. What would you say, how do you balance between enabling the business as much as you can and still remaining secure, sort of balancing them out? Because I would assume sometimes it is one or the other.

Yes, absolutely. It's not one or the other; there should always be a way. Like, cyber security shouldn't always be a place where you say no to things. There could be a "no, but", or there could be an alternative approach to do things and still reduce the risk. I try to approach it... there is a famous triangle that has security, functionality and usability in each angle, and the idea is that you should balance somewhere in the middle. Obviously the most secure system is the offline one. So I try to do that with data, metrics, and when I need to go to the leadership team and discuss implementations that may cause some form of friction or they need resources, I try to bring data and justify why, and provide alternative solutions, because not every proposition may be accepted. That's normal, as in life. At the end of the day we are here to do business and the main purpose of the business is to be profitable, but also we have a lot of regulations, a lot of laws, a lot of responsibility and trust of customers that we should ensure. So we should balance between all these things, and in most of the cases there is a way. And in some situations, if there isn't a way, let's say if you tell an engineering team that they shouldn't be using certain technology because of this and that, and they are not receptive to your recommendations, there are ways. Essentially, sooner or later they'll find out. I don't want to be that "hey, I told you so" kind of a person, but sometimes it happens. It's inevitable; like, people don't take notes immediately. As I said, I don't try to be the "bad cop", quote unquote. I try to just provide: hey, this is how this company suffered from an incident or a breach that was caused because of a misconfiguration or something minor, that looked minor at the time, so we could do that; this is the risk that we are taking. If you're comfortable with that, I'm not, but if you are, it's your call, it's your decision. So if you're comfortable with putting the company and the business at risk, cool, it's up to you.

Interesting. What would you say is currently the biggest challenge you're facing in the cyber world?

Well, there are

plenty, I'd say. I would say one of the things, specifically in our space where we operate as a business, is compliance and regulations, because they evolve rapidly and constantly, they require something of you, and although it's very, very important and they bring most businesses up to a very high bar of security, they have a lot of paperwork and a lot of administrative effort that you should do as a team or a company, and that could be exhausting at times. We try to find ways to automate the evidence collection and controls implementation, but that's usually quite time consuming, like the overall process. And I understand that this is a process that we are suffering because of the space that we are in: financial regulated markets, etc. I know that some other businesses are living in a very great world, or other businesses that are more B2C and they're more exposed to more sophisticated actors, they have a different set of problems, so probably different things are frustrating and challenging for them. So at the end of the day it's not the end of the world; it's just something that we have to deal with. The other thing I would say is the very, very high cost of security products and services nowadays, just because they have the security label, or if they introduce an AI label on top of that, that would be crazy, crazy, crazy amounts. And we try to be very resourceful when it comes to that. It's challenging nowadays because there are so many paywalls; when you reach certain thresholds of users or usage, they try to push you to enterprise-grade licensing and costs, which is very exhausting for any business, I would expect, because at the end of the day the technology is not very complicated but just has this "security premium" label on top of it and they try to squeeze as much as they can out of you. One thing that really frustrates me is that if all these security companies and vendors really believe that security is a right for everyone, they shouldn't put that many paywalls on simple services. For example, if you want to use SSO and rely on your controls, that shouldn't be expensive; sometimes not free, but not expensive, not super expensive. Or when you'd like to use some form of provisioning or more complex integrations with your security systems, that shouldn't break the bank. It should be easy to protect your own assets. And the frustrating part here is that most businesses nowadays are probably using a ton of applications, SaaS-based products, services, and they don't talk to each other that much, and there are no centralized, easy ways to manage them, especially those that don't support proper SSO or provisioning or alerting, and you need to manually go into those systems. We need to invent and make automations that are clunky and hacky. They do work, but it's a bit frustrating that for every system that we use there's no API or an easy way for you to connect and communicate with it; you need to do browser automation or other hacky things to figure out your ways, and that's not very pleasant. But it is what it is; it's not the end of the world.

Cool. What do you think is one

thing that CISOs don't pay a lot of attention to but definitely should?

I would say a couple of things. Insider threats, definitely. Sometimes they're underestimated because people do believe that everyone comes with good intentions, and I'm not meaning that we should be super vigilant to our own colleagues and employees all of the time. I just mean that nowadays, with all these sophisticated threat actors and governments that are putting in billions and millions, and they have hundreds if not thousands of very sophisticated, trained security professionals that do social engineering attacks, and they apply even to those companies and they go through interviews and then they access their systems, we should be very, very vigilant to insider threats: the way we provision access, the way we monitor the intra-company activity, because threats are not only external. I think nowadays security leaders put a lot of thought into the human factor, it's evident, but they could do more about the communication and internal engagement with other teams. I think there's still a little bit of a stigma between security folks and other engineering teams, and they could cooperate and engage more, because at the end of the day it's for their common good. And last but not least, to think about creative ways to embed security into even mundane processing of operations. You would be surprised how many things in the day-to-day life of teams could potentially take a business down: from marketing teams managing the integration of third-party applications in the official website, to sales teams that have access to sensitive information and they primarily communicate through alternative communication channels, not the ones that you manage as a CISO or a leader. And here I mean social media like LinkedIn or other platforms, because there we have very little control and they could be doing that from their personal device, their personal phone and so on. So we should really focus a lot more on the threats coming in from access and activity that's pivoted through people and employees within the company than before, because it's the easiest shortcut, rather than just going through the technology. Technology is advancing real quick and we have so amazing, well integrated firewalls, protections, detections, monitoring systems, etc., but at the end of the day there is always the human factor there, the weakest link in the human-machine collaboration, and it's still going to be exploited for the years to come. So we should really, really be there.

As a cyber security person on any level, and especially when you're really leading the team, you're always on. You're always, like, you know, ready for something to happen, ready to respond. How do you deal with the stress of that? Like, how do you disconnect sometimes? Do you ever disconnect? How

does that work?

Oh, because I live and breathe in the space, I don't think I disconnect that much, but when I do, as I mentioned, I really love extreme sports. I really love flying. As I joke with friends, when you're risking your life on the weekend there's not many things on the weekday that can really move you, because you already had a lot of adrenaline and dopamine and you've done very interesting things; nothing really can matter and can scare you on the work day. But of course, again, if you're not very well prepared to face unexpected or unusual events, or if you don't have trust in the team, or if you don't put the necessary effort into the things that you can control, this is a very stoic kind of a mindset, at the end of the day you're probably going to be quite stressed about it because you forgot to do something or you didn't prioritize right. So I try to do the boring and well-known risk-based approach to prioritization, and we try to do the first things first, and then eventually some things may happen. It's inevitable; that's why we have the large segment of security incident response in this sector. It's inevitable because it's a moving target. Everything is alive, even when we're sleeping or during the weekend when we're not busy at work; threat actors are there and they're trying. So essentially you just have to accept that some things will happen, and I hope you have a good security detection and monitoring system that will tell you about it, and put a great effort into preparation.

Cool. So we're kind of out of time. Do you have time for a few more questions?

Absolutely.

Perfect. Okay, so

what do you think the field is going to look like in a few years, and also how do you feel about AI?

I love AI. I use it on a day-to-day basis for many things, from writing code to summarizing, documenting. As I shared with you, I prepare even for the podcast with AI: I just scraped all the previous episodes' transcripts, fed them into GPT, said "hey, tell me about the things that were not said and covered, or what are the new trends or what are the new things". It's amazing. AI could do so much, and also could do harm in the wrong hands, but it's not that scary. At the end of the day it doesn't change the paradigm. I mean, it's not making threat actors more dangerous, I'd say; it's not bringing new people to the space, whether on the good or the bad side. It's just making certain things easier, but it's not the end of the world. Maybe I'm saying this thing a few more times than I should, but it could be used for a lot of good. I would expect that in the next few years AI will be heavily integrated in a lot of security products, not only from a marketing perspective but also from the productive and efficient side. Obviously you could do a lot more with incident response in AI: you could make better decisions, essentially take considerations and take actions, maybe, and automated responses. It could be integrated in so many other fields. One of the tedious areas where AI is very heavily used is filling out security questionnaires. It does an amazing job, because you could feed it a very well prepared set of questions and answers and information and reuse it to fill out future questionnaires. It's very efficient for that, so it saves security teams a lot of time and a lot of effort. It can write basic code, and if you're knowledgeable it can actually write very good code; like, I wouldn't say advanced, but good enough, especially to automate mundane tasks. So I would expect in the next few years that to become relevant and to be in very high use in our space. Then I would expect, of course, threat actors to use it as much as possible and figure out new ways to abuse it. But I really hope that businesses and companies, especially SaaS-based ones, will introduce more security features and options for you to authenticate and protect customers, like passkeys and more ways to authenticate, which would be great. And at the end of the day it doesn't matter how technology will change in our space and how much regulations will increase, and that's inevitable. Actually, I think that's a good thing at the end of the day. Especially here in Europe we see that regulations are really driving change and making companies do a lot in the cyber space, invest a lot, and I would be happy to see that across the globe, like in all countries and all regions they align with the EU kind of level of frameworks and regulations like NIS2 and DORA and so on. They seem to be very, very useful to bring awareness in those businesses, because historically smaller businesses that were in very sensitive markets, let's say service providers and so on, didn't put much effort into cyber security, but now with all these regulations they are obliged to do it, and they do it. So it helps them to do more and to deliver more secure products. But at the end of the day I would still expect the human side to continue being exploited, and because of the space that we're operating in, not only as businesses but the way we develop products, we introduce a lot of dependencies, libraries, vendors and so on, and we rely on so many things, that would also continue to be a problem, and that's a challenging area for a lot of businesses. I mean supply chain attacks, risk management and due diligence for vendors. So I would really hope to see some form of standardization in that area that will really help us to evaluate real quick and be able to react real quick when things like that happen, because it's not just now people, technology and process, but also vendors that we put a lot of the things that we do as businesses in their hands. And, yeah, last but not least, actors will still be driving, obviously, complex geopolitical situations, but not only. So as we've seen for the last decade, decade and a half, threat actors from certain regions have evolved so much, they're so undetectable, they're so sophisticated; that's going to continue, probably growing. But I would expect that even like lower tiers of threat actors, not only APTs; like even in the last few years we're joking in the sector that yes, we're thinking about all these nation-backed organizations that are behind major hacks, but at the end of the day we are just fighting a group of teenagers, like the Lapsus$ group that were able to take down a number of large corporations like Microsoft, Samsung, Okta and so on. So all of that, all these technologies, AI, and generally speaking the human factor can still be very easily exploited with all these controls in place, so that will continue happening; that's never going to change. The good side of it is there's going to be more work; the bad side of it, we have such a large arena of things to think about. It's a moving target, and the sad thing is that we need to protect so many things, obviously, like so many digital spaces, people, technology and so on, and the other side just needs to find one weak spot, one vulnerability. That's a bit exhausting, but yeah, it's also very engaging and interesting. It sometimes feels impossible, but we have to keep doing our best. The good thing is technology really catches up. I remember when we were very young and we were doing hacking and script kiddie kind of activities, you could do a SQL injection almost on every other website; nowadays it's not the case. Like, we have so many sophisticated technologies and firewalls and so on, so it's very difficult to compromise things through technology, but it's still fairly easy to do it through the human side.

Perfect. On a more, sorry, on a more personal question: what do you find so interesting, like what gets you up in the morning excited to go to work, and on the other hand what keeps you up at night as a cyber security professional?

Not much keeps me up at night. Maybe when we play CTFs, and in the rare event when there is an incident, that's like very, very rare, but I have an on-call page for that. But what keeps me excited is it's really interesting investigating events and looking at interesting stories, for example the ones told in Darknet Diaries. They're really, really interesting and engaging. I really love listening or reading about things like that. It's so much fun when these are like real-life things that have happened. So I really like the fact that we are operating in a sector, in an environment, where things, technology and threats are evolving day to day. There are new things almost every day, so that's super cool. It's never boring; every day feels amazing. So I love that, I'm really excited about that, and that's going to continue for the days to go, because technology is going to keep evolving and cyber security is going to be along for a very long time.

Amazing. So, final question, before

I ask, thank you so much for your time. I'm so happy that you joined the show and I think your take is so, so interesting. My last question would be: what would be your unusual piece of advice to someone who's either wanting to advance in cyber security or wanting to even get into the field, is thinking about it?

There's so many great ways to start in cyber security. I don't think there's like one direction. As I said the other day, we're like fighting teenagers that have read something on the Internet and are trying it against our business. There are plenty of amazing resources that people could use. As I mentioned, these amazing platforms where you could learn hacking and cyber security. There are also really good personal training roadmaps, like roadmap.sh, which shows you cyber security paths and things that you could learn. But one unusual piece of advice that I could give people is to learn the ability to tell stories, storytelling essentially, because it helps you to bridge the gap between technical and non-technical people and concepts. As I mentioned, in cyber security we protect people, process and technology, and to be able to focus on the most important piece, people, because the majority of cyber incidents are coming through that vector, we need to be able to tell stories: those stories that are actually happening in other companies, or things that happened to us, or things that could happen. If you're able to tell that in an interesting and engaging way to others, if you're able to present, if you're able to clearly articulate, to explain your point, for example if you go to the board and you need a decision, you need help on something, you need to be able to give a very good explanation why we ended up here and what our options are and so on and so on. And if you're not a good speaker, presenter, you're not good at storytelling, you may not be very efficient at that, and I do believe that's a very vital part of what we do in cyber security. So I highly encourage anyone that's in this sector; obviously there are fundamentals like technical skills and general security skills that you need to learn, but storytelling is really important. One of the questions that I ask at the interviews that I do for the team that I work with is, for example: tell me how and why would somebody compromise us, and how would you do it? And you could obviously have read and listened to a lot of things and you could know the technology and ways, but if you don't have a way to articulate and really explain the concepts, the reason, the motivation behind all of that, you're missing the big picture, you're missing the why, what are we doing all of this for. You're just following something that you read, or maybe like a hype that you think cyber security is, but there's a lot of storytelling involved here.

Perfect. So I know you do a lot of talks and you do podcasts. Is there anywhere our listeners can find more of your content?

My website is very easy to find, megan.com, and usually there are linked resources, social media and so on, so easy to find.

mig.com, perfect. Thank you so much for joining us.

Thank you, likewise. Appreciate it.

Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel
