Oct 21, 24
Episode Description
hi
Watch On YouTube
transcriptAdi (00:01.154)
Hi everyone. Welcome to the Hands on CISO podcast. My name is Dede and today we'll be talking to Constantinos Hyalopoulos, which I practiced saying a few times. I hope it was good enough. He'll tell us in a minute. Constantinos has been in IT and security for the past two decades in the highly regulated pharmaceutical industry. Today we'll talk about his journey becoming CISO, cybersecurity in general, and specifically in the pharmaceutical field. Constantinos, how are you doing today? How was my pronunciation?
Konstantinos Argyropoulos (00:29.872)
Great. Hello Adi, how are you? Thank you for the invite. I'm very happy to be here. The pronunciation was great. Don't worry. You keep it... You keep it... Sorry, let's do that again.
Adi (00:33.036)I'm great.Adi (00:40.578)
Thank you so much. don't think it was.
Adi (00:46.574)
It's okay, we'll just cut this small section in the middle. But I wanted to say thank you for being so nice. I don't think the pronunciation was so great, but that's okay.
Konstantinos Argyropoulos (00:58.79)
It was great, just fine. Thank you.
Adi (01:01.166)
Perfect. So let's get straight into it. You're in group CISO today. How did you end up doing this role? How did you get into security?
Konstantinos Argyropoulos (01:12.787)
Well, I think it's something that just came along the years. So I started as an IT guy in a pharmaceutical company. So through the years, I felt that my heart felt differently when I was doing security things, you know. So I tried to work a lot of that field, even if not...
named security, you know, we were just doing the job. But it wasn't, you know, it wasn't like this right now, which is everything about cybersecurity. We didn't say the word. We're just doing what every IT guy had to do, fix computers, fix networks, systems, and trying to do its best so it works correctly.
patching everything. So, that was the job.
Adi (02:17.238)
And then what were your roles after that? Cause if you started in IT, I'm assuming this was like, was there a step in time where you realized this is more, this is something different or was it really like super gradual?
Konstantinos Argyropoulos (02:35.506)
I think that was just an evolution of what I was doing. eventually, year after year, I was getting more into security stuff. I remember about 15 years ago that I had to do a project about hardening systems with an external company that we had to...
create policies, write procedures and try to harden the operating systems of the company. So that was the first, I could say, project on security.
Adi (03:25.125)
And what does your day -to -day look like now? Like what are the tasks you have to do?
Konstantinos Argyropoulos (03:31.25)
It's a lot different than that project because now the role has to do a lot of things, mostly create culture. We have to create culture in the organization. We have to make aware of the people that there is danger out there. The cyber threat is there. We have to inform.
top management about what's happening and how we can mitigate that. So this role has a lot of hats to wear and it depends on the organization and the industry.
Adi (04:21.474)
How much would you say your time divides between things that are actually implementing security solutions, for say, versus communicating, education, teaching the company, talking to management?
Konstantinos Argyropoulos (04:40.208)
Yeah, it depends, as I said, it depends on the size of the team. It depends on the industry. It depends on the incidents that you have that day. Some days there are some incidents that you have to lean over and resolve them. Other days are better with less stress and then you can do what needs to be done about communicating about
educating people. This is a perpetual process. You never stop, every day.
Adi (05:20.576)
Interesting. And what do you think is one thing that people find hardest to understand about security? Like people who are not from the security field. What is one thing?
Konstantinos Argyropoulos (05:33.605)
Yeah, human beings really understand what's material. You can touch it. Everything you can touch, you can understand there's there. Everything you can see, smell, hear. Threads are not always materialized. It's something that you cannot see. It's something that's there, underneath. So that's a difficult thing. So you have to make them understand that no matter what,
The threat is there. So you have to lower your attack surface. You have to be more constant, more aware and be vigilant. You have to think what you click, think what you do.
Adi (06:22.2)
Do you ever have to be like the bad cop guy, the person who's saying, can't do that.
Konstantinos Argyropoulos (06:29.785)
No, I think that's in the movies or it depends how you want to proceed with your role. I think of myself more than a shepherd, you know, trying to guide the people in the correct way, teaching them not being the bad guy that will throw them in jail or give them a penalty. No, that doesn't work. That doesn't work. Usually on the people that...
they don't understand or they don't comply or maybe they comply but they don't understand it means that yes I will do what you say but I don't agree with that so these are the most dangerous people because on the first on the second time they will have to skip something they will do that because they haven't understood what's problem
Adi (07:27.566)
So you're saying that it is a lot about education because you need them to understand why things are.
Konstantinos Argyropoulos (07:37.456)
All the responses of the humans, every one of us, it's based on hardwired situations. We are born with that. We don't learn them in the way. We just learn how to mitigate those things and how to overcome them. An example. Social engineering is based on
principles of persuasion so they try to persuade you to do something that the attacker needs and he will use principles of persuasion which is fear
Konstantinos Argyropoulos (08:22.402)
I had some reconnecting so I don't know if the recording is okay.
Adi (08:29.113)
I'll mark the time and I'll check later.
Konstantinos Argyropoulos (08:31.104)
Okay, I'll try to say that again. So it has to do about the principles of persuasion which someone may use fear, someone may use power over someone, agency. So someone will try to use all of these to take you out of your comfort zone
So you don't think, you just act.
Adi (09:03.234)
Have you ever been in a situation in any of the companies that you've worked out where things were like on fire, there was an incident and you had to solve it at that moment?
Konstantinos Argyropoulos (09:17.008)
Most people and most companies will bring the alarm of urgency right away. Doesn't mean that all of those situations are urgent. Urgent is when something has terribly went terribly wrong and company cannot operate.
So when this happens, yes, you have to be calm, you have to assess the situation and give the best information you can in the top management and begin resolving. So stress in these situations and panic doesn't work, doesn't help and just prolongs things, doesn't end things soon. So a company needs to resolve what happens
quickly with the least impact possible.
Adi (10:13.758)
Was that always the way you viewed it or were you more stressed when you started out?
Konstantinos Argyropoulos (10:20.207)
Yeah, that's true. Great question. Yeah, when we begin, yeah, we are little bit newbies, if I may say the word. We are new to the job. We haven't worked enough on these cases. So case by case, you get tougher. So you get calmer. And you know what lies ahead?
when you have seen a lot of cases you know what's the process. many times you just skip the first steps and you go just directly to the resolution because you just know what happens. You put them everyone in place, you stay here, listen to me, I'll fix this, don't worry.
Adi (11:10.784)
Interesting. What would you say to someone who is maybe more in the beginning of their security journey and they noticed that something that I've noticed about security is that CISOs are always very on, like always ready for something to happen, ready for like anything to attack sort of. And like, what advice would you give to someone who is
concerned about that.
Konstantinos Argyropoulos (11:42.03)
That's true.Adi (11:45.585)Good luck.
Konstantinos Argyropoulos (11:46.478)
Yeah, that's true. The thing is that the attacks happen around around the clock, 24 -7. That never stops. because mostly are not computer made. people made it. It's a program, works, it's automated. So it doesn't have time, doesn't have to sleep. So every time, every day it happens.
security guys are always, always, on edge. It's, if I may use, because most IT guys are geeks, if I may use a word from Marvel Avengers when they ask Hulk, the Hulk answered, I'm always angry. So we are always on the edge. We are always vigilant.
Adi (12:49.376)
Interesting. Do you think the people that tend to get to the cybersecurity field and be attracted to it are the same kind of people overall, or is it a lot of different personas?
Konstantinos Argyropoulos (13:05.077)
There is a great variety of people in cybersecurity. We come from different backgrounds. There are guys that come from IT risk, from business risk management. There are guys that come from programming, guys that come from our ladies, sorry about that. People that come from programming, as I said, people that come from different...
levels like different industries or different background like sales. So and this is what the cybersecurity needs, needs diversity because we are what we have lived so far so different lives, different academic background, different business background brings diversity to this field that we need a lot.
Adi (14:04.16)
Interesting. And it's also a field that keeps changing all the time. Like there's a new breach, there's a new technology, things are always happening. And at the same time, it's already a lot of things to do. So how do you manage also learning about new things and what is happening now? And at the same time, actually doing the things that have to be done.
Konstantinos Argyropoulos (14:28.529)
This is in a calandrum. This is something that if you find the solution, tell me. We're doing the best. We're doing our best. The first thing that a security guy, CISO, whatever you call it, needs to do is to get and be informed about what's happening right now and what's happening in the next days, next months. You have to be aware of your surroundings.
Of course, you have to be aware of your industry. Of course, you have to be aware of your organization. And you have to somehow create, make a great management, time management and fit everything in your 24 hours. And you have in the 24 hours, you have some time to sleep. Yes.
Adi (15:20.502)
and hopefully some time to do anything else.
Konstantinos Argyropoulos (15:24.369)
Yeah, we have to do that. We have lives, families, yes, we do that.
Adi (15:31.232)Interesting. So.Adi (15:37.59)
If you look at the way that you view security right now, how much of it has to do with leadership? Like when you talked a lot about building a culture and how does that even work?
Konstantinos Argyropoulos (15:54.785)
dealing with people it's really a difficult part of this role because computers just configure them they will do what you type them it's fine but by communicating with people you have to be aware
Konstantinos Argyropoulos (16:20.509)
You have to be aware of their background, of their work they're doing, their role, maybe how they woke up in the morning. Everything plays a part on this. So it's really difficult, but I think that the whole situation gets easier if you are just beside them, not opposite them. Okay, not behind them, just beside them.
hold their hand, inform them, educate them. So helping them, I think, is the best way and being able to talk.
they understand, not in your way, not how you understand things, but how they understand things. yeah, if you're talking their language, they will understand.
Adi (17:17.848)
Do you see the CISO as someone who has to have a stronger business skill side or more technical?
Konstantinos Argyropoulos (17:27.067)
It's as I said in the previous question, since we come from different backgrounds, everyone can provide something to this role.
Konstantinos Argyropoulos (17:41.524)
It depends. It depends if you have an internal team, external team, you have to do it yourself. The title is hands on CISO, as you said. So many things that are required are made by us. So it's an amalgama. It's a portion of everything that we have to do. We have to be leaders. We have to be IT guys. We have to do programming.
We have to be network guys. We have to do a lot of things. Yes.
Adi (18:14.656)
Interesting. And how do you balance between the business needs and the security needs? Like when...
Adi (18:28.46)
I would assume that you are the person who tells the business, is the risk, this is what we can do and can't do, but how much of it is...
Adi (18:41.398)
I guess it's a question of it depends again, but like how do you view that? The how much risk is okay.
Konstantinos Argyropoulos (18:50.165)
This is a question that I would say, yes, depends. It depends where you come from. If you're coming from a pure security background, you only think about security. don't think, usually don't think operations. You don't think business. You're strict about that. You say, okay, security comes first. So maybe you're biased over this. So your decision or what you suggest is biased over security.
me, I have a diverse background. So I come from IT, I have come from business, I have come from a lot of projects I've made. So personally, I understand operations, I understand business. So I understand what needs to be done for the corporation, for the organization to work. So I always try to be balanced between disruption and operation.
I would try not to disrupt business as long as it operates with security in mind. I would guess it depends. Nothing comes first. Both have to operate. Both security and operations, both business and security have to come a long way and nothing will disrupt the other.
Adi (20:18.112)
Interesting. And you've been mostly in the, or all in the pharmaceutical industry. Do you think that's different significantly that I know that any company that is like of that space is a lot more regulated and there's a, the data is much more critical than if you were in, you know, a regular so -called tech company. Is there.
are the things you have to do in that kind of company significantly different.
Konstantinos Argyropoulos (20:51.209)
This question has an answer depending on the country. The regulations are different from country to country. So yes, pharmaceutical is a really deep regulated industry, but mostly regulated regarding patient safety. So everything has to do about from the start to the beginning, from the raw materials.
to the end product has to do with patient safety. Pharmaceutical has to create a product that will not harm. That's the point. The point of drug of medicine is to make good, not bad. yes, regulation is over there on the patient safety. Regarding cybersecurity, in contrast to what you were saying,
most pharmaceuticals, not the global ones like the big names but more the countryside didn't have this on their mind at first yeah because technology and cyber security wasn't part of the production process so there was no impact
No, not the impact of top, sorry, let's rephrase that. Cut it over. There is less impact than other industries that has more merge between production and technology. Okay, so they have come to understand that cybersecurity is important because in 2024, as we have seen,
Cybersecurity and technology are very intrusive in the operation and the business. So almost nothing happens right now without technology. yes, right now pharmaceuticals have come a long way to adopt cybersecurity in process.
Adi (23:04.814)
Interesting. How would you say cybersecurity changed over the years? Like two, five, 10 years ago versus the way it's viewed now?
Konstantinos Argyropoulos (23:16.743)
Cybersecurity is among the fields that has significant growth and significant changes happening. It changed a lot in past few 10 years and usually the changes come after disruptive events. Let's not forget the COVID. Let's not forget main events like military situations.
war that's right now happening in our earth. So all these are a catalyst for the evolution of security. Back in the early days or 20 years ago, as I said, there are few people that were working in the field. This number has substantially increased, but
I could say that this increase has happened mainly in the past two years post -COVID.
Adi (24:27.47)
would you say about AI?
Konstantinos Argyropoulos (24:33.224)
AI, yes. AI is both enabler and disruptor. It can be used by both sides, both attacker side, both defender side. AI is a catalyst. It's the one that said before, it's something that will change a lot things, how they happen. We are...
now starting to see what's happening. We're not even in the middle of things. There is adoption, not great one. I will definitely see more adoption in the following years, months and years, both on both sides. As I have read that right now AI is doing by itself attacks, selling products in the blood market.
So, yeah, it's here. The only fear I have is when people start to believe that they cannot work, live without AI. That's my fear. When we start depending on AI.
Adi (25:49.718)
Why is that your fear?
Konstantinos Argyropoulos (25:52.078)
because then we will be subdued to AI. We are not free people. It will not be a tool. We will be the instrument of AI.
Adi (26:05.194)
And just saying, can you say that about computers today?
Konstantinos Argyropoulos (26:11.014)
Yeah, we are victims of technology. You can see it around us. And you can see it depending on the age of the person. If it's around 15, 20, 30 years old. In contrast with guys that are the fifth or sixth decade of their lives. It's not necessarily bad thing.
when you have it under control and you balance it.
Adi (26:45.65)
It's interesting how AI is, on the one hand, creating new sorts of attacks and is problematic. And then on the other hand, it's interesting to see what the positives will also be once it's sort of controlled, I guess. Do you think, what do you think?
Konstantinos Argyropoulos (27:06.023)
You have a great background noise. Do you want to repeat that?
Adi (27:12.79)
Is this? There's a, this is really weird. think they're building something. It's very sad.
Konstantinos Argyropoulos (27:14.534)
Hummer.
Konstantinos Argyropoulos (27:23.642)
Do you want to stay a few minutes to see if it stops?
Adi (27:28.271)
Yeah, let's just wait a second.
Adi (27:38.446)
It stops and then it comes back. Let's see if...
Adi (27:49.592)
Give me two minutes, okay? I'm gonna see if this is something that's continue.
Konstantinos Argyropoulos (27:53.551)
No worries. No worries.
Adi (28:13.314)
Okay, looks like it's over.
Konstantinos Argyropoulos (28:19.567)
Can you give me one minute to wash my hands?
Adi (28:22.956)Yes.
Konstantinos Argyropoulos (29:21.029)
Okay, I'm back.Adi (29:25.154)Perfect.
Konstantinos Argyropoulos (29:26.558)
Sorry about that, I broke a red pen and I messed up here
Adi (29:29.984)
That's okay. This is all good. Lucky technology lets us cut things out. Okay, so what were we saying?
Konstantinos Argyropoulos (29:38.649)
to
Okay, the last one, let's do the last question again.
Adi (29:47.742)
Do you remember exactly what it was?
Konstantinos Argyropoulos (29:49.285)
No. Okay. Let's do the go. Let's go to the next one and maybe we got it.
Adi (29:56.386)
Okay, cool. What do you think are the biggest challenges right now in the cybersecurity world?
Konstantinos Argyropoulos (30:09.838)
Great question. Cybersecurity field changes a lot, so we really can see very far in the future. But the most challenging, I think, right now is oneself. It's us. It's a field that constantly evolves, so we have to keep up everything. And the challenge is ourselves, how we will become better.
how we will become what we need to be grow into and evolve ourselves also. It's someone, as someone said, it's like cybersecurity and cyber threats is like trying to hit something and we're constantly moving, both of us. It's really hard. So I think this is the most challenging thing.
Adi (31:12.023)
And so it sounds like you're saying it's mostly the more human part or when you say that you mean on all the different fronts.
Konstantinos Argyropoulos (31:25.083)
It's the human part, yes, because technology is there. There are a lot of people, a lot of great minds out there creating great things and technology is there. So technology by itself doesn't do anything, people do. People configure it, people analyze it, people have to communicate. So yes, the most strong part...
the most strong chain and the most weak chain is persons.
Adi (32:00.268)
Interesting. Do you think most CSOs are aware of how much of the risk is actually in the people themselves rather than technical solutions?
Konstantinos Argyropoulos (32:18.632)
It depends on the incidents the person had. It depends on what he has lived so far. Not everyone understands that. Some people depend more on technology. So it's one of those questions that I would answer depends.
I strongly believe, as I said, people don't have to do anything because it's a tool. You have to work, use the tool as best as you can.
Adi (33:03.552)
Interesting. Do you remember ever making a security or leadership decision that ended up being maybe not the perfect decision? And then like, what did you do in order to fix that?
Konstantinos Argyropoulos (33:21.781)
Mistakes, we do them every day, okay? It's not something that we will miss in the future. We do mistakes, we learn from mistakes. We're people, we learn what we do. Someone would say that we are mistakes and make people, but you can turn it around. One...
mistake I remember that has nothing to do with technology but has to do with people is that I misjudged a person, a hiring of mine. So I thought that this person would be an added value to the company and the team, but instead misled the team and let down firstly himself because he didn't.
Konstantinos Argyropoulos (34:19.961)
grow as it should and didn't evolve and then let that in down.
Adi (34:27.682)
Hmm. And do you think if you're talking to someone who is in that position, who's trying to get into security and like, are the qualities or the knowledge that they should have or the way they should act?
Konstantinos Argyropoulos (34:43.518)
It depends on the role. It depends on the role. If you have in your team people that have to do penetration, you have to do a lot of hacking, then they have to be aggressive. They have to have the minds over how I will get in. If you are using people on the defense side, you have to also know how they...
position things but you also have to know how you defend. You have to have the defensive part built in you, growing into you. So I guess that a good security guy needs to own things. It's not something that you just go 9 to 5, you have to own.
this process. You have to feel it like it's your family. It's over... over placed. Can we cut this off? It's something that you feel it like your family. shit. Sorry. Let's cut off the family thing.
You have to own this, own this thing and you have to feel it like you need to give yourself into the process.
Adi (36:17.656)
So you're saying it's a lot of like being really into it, not just seeing it as a, just something you do like as a job.
Konstantinos Argyropoulos (36:27.861)
No, personally, I don't think that's just a job. It's something more. If you think it over, it's security. It's something that people need to have so they can feel safe. So in your hands, in your mind, you have the wellbeing of people. It depends on the industry. If we're talking about healthcare, literally, you have people.
lives in your hand in case of a cyber attack and also on the business side you have the well -being of the company so if you don't do correctly your work then there will be a disrupt on the company on the revenue and this is catastrophic.
Adi (37:20.662)
Interesting. Is that something that is like on your mind often where you're thinking it's not only the company that I have to keep secure, but it's all these different people's data and how it could affect if anything happened? Like, do you think that's front of mind usually for security people?
Konstantinos Argyropoulos (37:44.536)
Everyone thinks differently. my first, what comes first in mind is people and beside that, the business. So I have to keep everyone safe, everyone secure and people have to follow policies, have to follow procedures, have to be vigilant and have to...
always communicate something that they may have seen here. So our best and worst line of defense is people. So worst is when they doesn't talk, doesn't communicate. And the best is when they communicate and they inform you right away of something strange, something weird that they may occur.
Adi (38:38.252)
Have you seen different cultures and different places, different companies you are in, in terms of how they relate to security?
Konstantinos Argyropoulos (38:46.045)
Yeah, I do. I do. It has to do with the industry. If it is a production industry, if it is a highly regulated industry, if it is just a retail shop, retail company, it has to do with that. Yeah, if it has to do with shipping.
diverse kind of people that some of them they care a lot about security, some they don't even know that it exists, they think that everything that just work, don't need to do anything. So yeah, I do see a lot of different people.
Adi (39:33.984)
Interesting. How do you think the field is going to change within the next few years?
Konstantinos Argyropoulos (39:43.433)
I can see very far. My feeling is that since we have a lot more integration into technology, this increases the attack surface of homes, of business, of people. So my guess is that this gives more opportunity for bad guys.
do their worst. So I think that this field of cybersecurity will increase. There will be a high demand of people. And I don't know if this demand will be fulfilled. But I think that this is what comes in next few years.
Adi (40:39.808)
I just think my next question has like two parts to it. On the one hand, I'd like to know what is the, like what excites you about cybersecurity? What made you go this route where it's like pretty stressful job. really, like, it's not just a job. It's really like being the, if I can say the protector of the company and all the data.
So what was something that got you like, yes, I want to be doing this. And then on the other hand, is there anything that like keeps you up at night where you're like, I don't know in terms of your everyday.
Konstantinos Argyropoulos (41:29.823)
So what makes me tick? Yeah, I feel it more like a service. I don't feel it like a job. I feel that I must do that. I feel really strong, feeling strongly.
rerun. What makes me think? Yeah, I feel that this is something I have to do. I was maybe I was raised like this. Maybe my my living, my situations I came into made me this. So I do feel that I need to protect people need to protect companies. Yes, I feel they're protector. So I'm
try my best not to fail them. And also at nights I think I'm really sleeping very nice because I know I have peace of mind because I did my things, I did what I have to do. We're not robots, we have to rest and be ready for the next day.
Adi (42:48.79)
Interesting. Was that, do you think that has to do a lot with the culture of the company? Like different people can have different levels of stress just because of who they're reporting to or the way the company is?
Konstantinos Argyropoulos (43:07.442)
Yeah, that's true. It depends on the situations that someone came, have seen it in their lives. So it depends on the role. If you have to do with money transfer, maybe, in the finance, and you just punch some millions, some zeros more.
Yes, and transfer them, yeah, it's stressful. But it also depends on how calm you are in the stress situations. So it's one of those depend things.
Adi (43:54.068)
It feels like in cyber security, most of the things are kind of like that, right?
Interesting. All right, so we're down to the last question. And before that, thank you very much for your time and just like sharing your knowledge around it. It feels like you're very connected to the role. Like this is something that is really important to you and it's fun to hear. My last question would be, what would be one thing you'd want to say to people who are already in security but are looking to, you know,
go up the ladder and become the security leaders of their companies.
Konstantinos Argyropoulos (44:37.277)
Great question is whatever I say to what people I meet and discuss with, it's just growing to what you like to be, what you think you are and what you see yourself in 5 -10 years. If you're seeing yourself being a leader, being a security guy, be the one that holds
people hands and educate them, make them aware, then go ahead, do that. Work your best. It's a hard job. If you can say the work job. You have to be vigilant. You have to learn a lot. You can stay still for a moment. When your incident happens, just stay calm, step back, take a breath.
and start all over again.
Adi (45:40.344)
Perfect. Okay, well, thank you so much. I was going to say your name again, but then I realized that that will be difficult. So I'll just say the first name. thank you, Constantinos. I appreciate you.
Konstantinos Argyropoulos (45:59.526)
That was great. That was great. Don't worries. You said it perfectly. Yes. Thank you for having me, having me, Adi. It was great. It was a lot of fun. I really enjoyed it. Thank you very much.
Adi (46:15.064)
Thank you. Okay.