Sep 29, 2024
Episode Description
In this episode of the Hands-on CISO podcast, Adi interviews Miglen Evlogiev, a cybersecurity expert with over a decade of experience. They discuss Miglen's journey into cybersecurity, his day-to-day responsibilities at Payhawk, and the importance of continuous learning in the field. Miglen emphasizes the need for a positive security culture, the challenges of incident response, and shares real-life security incidents that shaped his career. The conversation also explores the role of AI in cybersecurity, the future of the industry, and advice for aspiring professionals, highlighting the significance of storytelling in bridging the gap between technical and non-technical stakeholders.
Adi: Hi everyone, welcome to the Hands-On CISO podcast. My name is Adi, and today I'll be talking to Miglen Evlogiev. Miglen is a cyber security expert with more than a decade of experience in the sector. Currently he's leading information security at Payhawk, a business expense management platform and the first Bulgarian unicorn. Before that he was working for companies like AWS and Hewlett Packard. He's also heavily involved in the local cyber security community: he is president of the Cyber Security Association and regularly organizes events and speaks at conferences like BSides, the OWASP Sofia chapter and Cyber Security Talks. Outside of work he enjoys extreme sports like paragliding, skydiving and mountaineering. Miglen, how are you today?

Miglen: Perfect, thanks for having me, Adi.

Adi: Of course, so happy that you're here. Before we get into anything else, tell us: how did you even get into cyber security?

Miglen: It's a fairly long story, about two decades long actually. When I was a teenager here in Bulgaria, as in most countries in the world where you couldn't afford a personal computer, we had these internet cafes where you could go play some computer games, maybe chat with now old-school technologies like IRC or ICQ, and socialize on web forums or chat groups. It was really interesting at the time to use some hacks to your advantage to get ahead in Counter-Strike or other games, so we would be on these forums figuring out how to use certain hacks to be better at it, or get more wins in the games. Essentially I found these small pockets of communities where they were talking about cyber security, hacking in this case. It was mostly a bunch of curious teenagers; nowadays we call them script kiddies. They'll find something on the internet that works and they'll use it for their benefit: they will deface websites, take them down, take over accounts, things like that, to impress other people, maybe take down websites, put their name on it and say "hey, greetings to my friends, I've managed to do it", and so on. So I started getting involved in that community until I got a slap on the wrist from the cybercrime unit, because we were even recording tutorials on how to do it, and it would get to a large scale sometimes and it would affect, let's say, small groups of people.

But what really got me inspired about the cyber security world is two movies from the 90s that I watched at the time. One is well known, with Angelina Jolie; it's called Hackers, it's very famous. The other one is Takedown, with Kevin Mitnick. I actually didn't enjoy the Kevin Mitnick role that much; I enjoyed the other character, Tsutomu Shimomura or something like that. Basically he was more of a cyber security expert who helped to catch Kevin Mitnick. He was roller skating, he was this cool guy commuting to work on the beach, and I thought, one day I really want to be that, if that would be possible. But as you can imagine, at the time there were no such job opportunities; I would say globally there were very few jobs, and you needed to be very skilled, not only technically. So my career essentially started with web development, it evolved into sysadmin work, I was also a DevOps at some point, and in 2014 I moved to work for Amazon in Ireland, and this is where I started my first official cyber security job. I was fortunate enough to work in a very interesting field with very advanced technologies and learn from exceptional leaders. After that, after Covid, I decided to come back to my home country, Bulgaria, where I was faced with a thriving community and really interesting job opportunities, in this case in the form of the company I work for today, Payhawk. I was able to build the security team I am in now and I was able to contribute to the community, which is really great. I really enjoy the day-to-day.
Adi: Amazing. And what does your day-to-day look like now? Did it look different in the different companies you were in?

Miglen: Yeah, absolutely, because I had different types of responsibilities or different levels of ownership. Today at Payhawk I'm involved in all sorts of infosec and IT; my team is a cross team, so we do both things at once. But in other companies it was completely different; I would have a very narrow focus where I would do very specific things, let's say DevSecOps or application security. Nowadays, I would say I'm not a morning person, so I start a little bit late. I would check operational things, so tickets, SIEM alerts, if there is something exceptional or something that needs immediate attention. Usually I'll start commuting to work; I have about 30 to 45 minutes right to the office, so I usually consume a lot of content, either YouTube or podcasts like this one, Darknet Diaries, Malicious Life, Risky Business and so on. There are so many amazing stories and podcasts nowadays, so you can really get inspired, and by the time I'm in the office I have this very interesting story or insight that I could potentially share, or I have an idea of what I can work on.

When I get to the office, usually we have a chat with the team, like a stand-up, because as I said we are both IT and security, so we are a little bit project-based but very operational. We would see what the day would look like, what we have open for the day, what projects are currently ongoing, whether there are any blockers or anything that needs attention, and then full-on focus on the task at hand. Usually I try to follow the well-known methodology, Getting Things Done; I can't remember the order, but it's very famous in the world, it's the way you manage work. Basically you can divide it, delegate it; a very quick task can be finished within two minutes, but then you have these big chunks of work that you should focus on. So I really enjoy focusing on large chunks, to have a proper flow, so I try not to overwhelm my time with meetings but to leave enough time for meaningful, productive work, not to just keep myself busy. So a day might be different depending on what we have upcoming: it could be related to compliance, or it could be related to roadmaps or the team that I'm in, or it could be writing code; some days I have that luxury as well. And usually at the end of the day I may attend events after work hours; as I said, we have a thriving community here in Bulgaria. Or I'll continue working sometimes if there's something interesting; I don't rush to leave the office immediately. And yeah, I'm very happy actually that I have power over my day, which I really enjoy, and I try not to overwhelm it with meetings.

Adi: Amazing. It sounds like your day really revolves around cyber security, a lot beyond what you would...

Miglen: I would say you have to. Yeah, yeah, it's necessary to eat your greens, to do the groundwork that's related to reporting, compliance and so on. But also there are important things, like talking to other teams about how they're embedding security in their roadmaps or their process or their tools, talking to customers sometimes, because we as a business operate in a very specific market, the financial market, that's heavily regulated, so customers need to do very in-depth screening and due diligence before they sign up, because essentially we're managing their funds and data. So we just ensure that they understand how much effort we put into security, and this is a really important part of my job.

Adi: Interesting. Would you say that when you're learning new things, when you're listening to podcasts or reading online, is there a specific way you go about learning about what's happening right now, like any breaches that happen, any new technologies, anything like that, or is it more just understanding cyber security in general?

Miglen: Really, like the title of the podcast, Hands-On CISO, I try to focus on the details, on the definitions of the details, not on the perceptions of others. So when there is a breach or a vulnerability that's interesting, a zero-day of some sort, I try to go to the source and figure out what is really happening, not what somebody's interpretation is or what LinkedIn is buzzing about. That would be my main approach. Throughout the years I've learned to avoid hype-driven consumption of information, or, there is a new term for it, infotainment, where you consume content for entertainment purposes, not to understand the underlying technology or how things have actually worked out and happened. I really like a hands-on, TL;DR kind of approach to consumption, to be practical and applicable, and this is the way I would select the sources: they need to be very reputable, they need to be very spot on. Throughout the years I've collected a list of podcasts, the ones that I mentioned, but also mailing lists or weekly updates that I would consume, like the SANS security podcast, tl;dr sec for example; there are the very famous Risky Business weekly updates that include the sources of the information so that you can really get into the depth and details. For example, there was a recent YubiKey vulnerability on LinkedIn and the community really lost their minds over it, but then it turns out that it's not really as it looks: you need very complex equipment and physical access to the keys to do certain things. I'm not saying it's impossible, but it's so hard and so challenging; you have easier ways to compromise the authentication and get into a company than buying very expensive equipment to bypass the protection of specific hardware that's used by the company. That's why I would prefer to be very selective about the content I consume, and if I don't see benefit in it and it's very high level and very infotainment, as I mentioned, I try to avoid it, because it just creates noise in your head, it doesn't add value.

Adi: Interesting. So, back to your daily role. I would say security a lot of the time is about understanding what you can do and what you shouldn't do. Do you ever get the bad cop name? How do you view that?

Miglen: I try not to create a culture like that, because I believe in good intention in people most of the time. So in this role you should apply some emotional intelligence and approach people with respect and dignity and say, hey, this is why, for example, this situation might be risky for the business and for us as a whole. At the end of the day the consequences are shared among us, so we should have a shared responsibility and a shared understanding about why certain things could cause problems. We also try not to create a kind of fear culture about it; let's say if you forget your laptop unlocked, somebody would go there and put something funny in it or write a funny message in the common Slack channels. We try to avoid that, because I don't think it fosters the right culture and the right respect for cyber security; I think that's old school. I believe that if people understand their responsibility in the overall security of a company, they could do better. Of course you have two options here: one is misunderstanding or negligence, they just didn't know better, so you should go with good intention and explain to them why certain things could lead to an incident or something bad; but it could also be malice, which has another word, it's an insider threat, and it should be treated completely differently.

Adi: How do you balance between, on the one hand, putting controls so that anything done in malice can't happen, or no mistakes can happen, and on the other hand education, making sure people know what they can and can't do?

Miglen: I really liked, because I've listened to all the episodes of the podcast, that somebody said that security should feel like a force field in Star Trek. I really like that comparison. It is very difficult to achieve something like that in an informational environment with many people and many systems and technologies, because everything is moving, people are adding new apps everywhere, using various devices and so on, but you should probably strive for that; I think it's the right approach. So it should be invisible up to the point where something unusual happens, something that doesn't look right, and you have the indicators for that, and you should act accordingly. To do that you should basically monitor all possible digital spaces that you can, in a way that they would alert you if something malicious is happening. And if you're not keeping yourself up to date on the news or on the technology, or if you don't know how the technology works... that's why I do believe that even a leader in the space should be hands-on, because if you constantly delegate, some junior or even senior members of the team might not fully understand the big picture or the overall consequences. So it's not bad for you to get your hands dirty from time to time and really ensure that the right controls are in there. But the way that we deal with most things in cyber security, and in other spaces too, everywhere where risk is involved, you should have a lot of checks, whether that would be weekly, quarterly, whatever works for you, any sort of checks, automated if possible, even better, so that you can verify that the controls you have in place are actually meaningful and that they work. You could do that in many ways: internal and external pen tests, red team operations, social engineering attempts. What we tend to do as a team, when we have the luxury of time, because it's challenging to balance that well, is spend a little time on social engineering or approaching alternative ways to access things, and show our colleagues that, for example, even on LinkedIn, let's say if you're a salesperson or an HR person and you actively use LinkedIn, you could be approached by a completely fake, made-up social engineering profile, and they could lure you in a multi-step process where you believe that a sale is happening or you have an amazing lead or an amazing candidate for a role, and at the last step they just send you a link to, I don't know, a malicious PDF or something that contains malware, or a phishing page where you should provide your credentials. If you're not very careful, it's easy to fall into that trap. So I tend to believe that you should be proactive about ensuring all these things and all these controls as much as you can.
Adi: Can you tell us about some of the security incidents that you've seen throughout the years, maybe the more extreme ones?

Miglen: Sure. I've spent a lot of time on call, maybe about four or five thousand hours, maybe more, throughout my career. I've worked on hundreds and hundreds of incidents, alerts, investigations of all sorts; I've even helped friends and relatives and other companies when they asked me, because I really enjoy it. There are a couple of incidents that I can really recall, and they're very interesting. The first one is actually an incident that happened some time ago with a colleague of mine who was sitting a few desks away from me, and they were intentionally using available capacity in our environment to mine crypto, which is a really stupid thing.

Adi: Yes.

Miglen: So I actually accidentally uncovered that; I wasn't really looking for it. I noticed high capacity usage and I was just vigilant; it didn't make any sense. So unfortunately, by the end of the day we had to let that person go. It's just something that should never, ever happen; it was obvious that they were just malicious, or stupid, I don't know.

The other type of incident that I would usually deal with is quite common nowadays because of the darknet services where you can hire stress testers, or services where you can buy a large number of compromised devices to use them for denial of service attacks. So I was dealing with a DDoS, a distributed denial of service attack, a few years ago that was very sophisticated and that kept me up one night. I don't usually stay up nights, but that one kept me really up, because it involved hundreds of thousands of hosts and it was very sophisticated: when I was able to block one side or approach on one layer, they would go back and figure out another approach. So it was a little bit of a cat and mouse game. Essentially we restructured the infrastructure and we were able to fight that without any human involvement, but it took a little effort from our side to fight back the attack at the time, and it was very, very sophisticated. I'd say it was not done by script kiddies, or maybe it was, but it was very well prepared and well executed.

Adi: Could you explain a bit more about that? Like, how did that work, how did that come to be?

Miglen: It's fairly simple. If you go on any darknet forum, you could probably buy a bunch of infected hosts. They're usually shared and used for many malicious and illegal things, but it could be anything from your smart thermostat to, I don't know, the computer that you left forgotten in the garage and haven't updated since 2015 and that's just there to control the Christmas lights. Essentially threat actors find those devices through search engines on the web like Shodan and Censys, they compromise them, they may even fix the vulnerability so no other threat actors can take them over, so now it's their device, not yours anymore. And they would use those devices; they would look like residential IP addresses, like they're coming from a regular location, from your garage or your home IP address. I have seen in my past experience some very experienced people, like engineers, directors of engineering and so on, who had a Raspberry Pi that manages their thermostat that was compromised. So nobody is safe, essentially, if you don't put effort even into your home network, and they could pivot to your device in some cases. But in that specific situation, with that incident, they would use those devices, they would have a command and control server from where they would send commands to those devices, and basically the devices would serve as thousands, hundreds of thousands of proxies for their requests. So they would amplify whatever command they sent; it could be a web command, it could be a lower layer like TCP/IP flooding and so on. They could do whatever they want with these devices, they can make them do whatever they want. And essentially it's not very difficult to scan a product, a device, a company nowadays and figure out where this product's or this company's weak spots are, and by weak spots I mean the pages, let's say, or the functionalities that take a large amount of resources to compute. Let's say if you have a scheduling website, displaying the calendar for the year is probably going to take a lot of resources from the system. If I intentionally focus hundreds of thousands of requests on that area, it doesn't matter how much elasticity you have from the cloud and how much demand you could meet: if you don't have the right firewall rules, rate limits, controls, essentially the product will fall down and you're going to be unavailable. So this is exactly what these threat actors are doing; it's not very sophisticated. You can literally buy this kind of compromised devices for, I don't know, 20 or 30 bucks for a few hours; you just rent them and then do whatever you want with them. And essentially they're asking for funds in crypto, so they would send you a ransom message and ask you for a payment; if you don't pay, you're going to be taken down. If you have the right infrastructure, the right people and the right processes, it won't be a very challenging operation, but if you're a small business and you don't understand technology very well, they could really keep you down for days, months, or even completely bankrupt your business.

Adi: That's crazy, wow. And you had another story that you wanted to tell?

Miglen: Another one, yeah, I want to share another one. Usually in the social engineering world there are various types of attacks that you could execute, obviously through email communication, we call it phishing; through different types of communication we call it differently, SMS, smishing, and so on. And once we saw a very sophisticated... it wasn't really an attack, actually, I'd say, because it didn't involve any special skills. What they did is, somebody, a threat actor, cloned a legitimate business that we and many, many other companies were operating with; it was like a consultancy company. They completely cloned the website; they went so far that they opened a legal entity, a company with the same name, in another country, and they opened a bank account and so on. Basically they started researching the web for who the customers of that company are, so they sent them a ton of invoices, fake invoices. We call them business email compromise, or change IBAN, and so on. Basically they sent an invoice that looks like the real thing; if you look at it, it comes from the real company, it looks like the real domain, it's a little bit different but it looks like it: not those swapped letters and things, it actually looks like the real thing. The only difference is the bank is a bit different, the jurisdiction is a bit different, but the company name is the same. So I would expect that a lot of people, and probably they did, fell for this trap; I think it's a multi-billion dollar illegal business, specifically business email compromise. What happened is, luckily, the software that we use ourselves and that we produce, when you change an IBAN for a recipient, tells you "hey, this doesn't look right". So we tracked that, we identified it, we reported it to the authorities, and soon that was taken down, and they took legal action to find the threat actors. But usually they operate with financial mules: they would find some people in various countries, they would not even explain to them, they would pay them a certain amount of money and they would open the business or bank accounts in their names, and then they will use those bank accounts to funnel funds to crypto or other means where they could potentially stay hidden. Well, in the financial world that's a little bit challenging, but they still find ways to do
it.

Adi: Wow, interesting. It sounds like there's a lot happening where stress is very high, like you're very on the go, you have to deal with this right now. How do you do that? What's your mentality when it comes to "everything's on fire, what do I do now"?

Miglen: "Everything is on fire" in the security world happens every other day, probably, so if you don't have a strong mentality, or if you're not mindful, you're probably going to burn out quite quickly. And I say that with humility, because I know that a lot of my colleagues are suffering from burnout and there is a lot of stress in the sector. You need to be, I wouldn't say ignorant, but very receptive to these kinds of situations, and maybe be a little bit of a stoic when things like that happen and don't react too quickly, let's say. So the way that I react when things are on fire, and I love when things are on fire, which sometimes is unfortunate, but it's interesting, it's exciting: I try to prepare for it. If you haven't done the sometimes mundane and boring work of preparation, and this is a standard part of all these fancy frameworks that we follow, the one from the National Institute of Standards and Technology, 800-61, or other well-known security incident response frameworks, you may be in trouble. But if you've spent some time to play it through... I like to say, imagine if you call the fire brigade and they come on the scene and your apartment building is burning, and they have never spent their time taking down fires before, they just started, and they don't even know how all this machinery works or how to take the people out; they're going to be very stressed. This is the same with cyber security teams: if you don't know how the technology works, if you don't know what steps to take, and sometimes even to make executive and business decisions that may temporarily impact the business. Let's say in a DoS event you would like to take down certain parts of the system so that you can, like in Star Trek, keep the vital systems on; you would like to do something like that in cyber security. And the way I tend to do it is by good preparation and doing the boring work, as we call it, or eating our greens: doing a lot of incident response exercises to see how we would react to an event, so that when an actual event happens we are comfortable, we know what it is, it's not something surprising, we have read about it, we're expecting it in a way, so hey, now we should follow what we have written. Of course, in the real world that never really happens; I mean, following through a procedure that you have written step by step: usually from one event to another they may differ completely. So I think building a good team and putting in the effort to prepare as much as you can, and then whatever happens, happens; you need to react to it. That's why, once again, I'm going to reiterate that I really like the title of the podcast and I really believe in it. I believe that you should be hands-on. I try to be on the front line with my team to ensure that they're ready and safe and I can take over at any moment, and I think that's very helpful. And of course there are things outside of your control, but you should do whatever you can to predict and prevent it.

Adi: Interesting. So one of the things you said is having a strong team, how important that is. How do you build a strong cyber security team?

Miglen: That's a difficult one, because in cyber security you need to have a complex suite of skills, not only technical; you need to have a lot of soft or leadership skills, because it's not only a technical job. Most people would probably agree with me: we're protecting not only technology, we're protecting process and people, so you need to understand that a little bit. The way I believe you build a strong cyber security team is, first, you put a lot of effort into hiring; you ensure that the process is flawless. Then once you hire those people you put a lot of effort into onboarding, but it's not job done at that time; you should continuously strive to evolve the team. For example, now in my team we have some new starters who are a bit more experienced in certain areas, so I've dedicated them a little bit of time for learning and development, but not only for themselves, also for them to share their knowledge with the team, so that we can spread it around and it doesn't just sit with them. You just try to share with the team as much as possible. I really believe in that, and I try to engage my team in the local community, because I really love the local community, I'm a really vital part of it, so I try to push them to present, to talk, to participate, to go to events, to go to cyber security conferences, to do Capture the Flag, whatever they want to do, some form of training. Or if they would like to experiment with something, I'm always up for it, or if they need some training platform, because nowadays there are really amazing training platforms like Hack The Box, TryHackMe, PentesterLab and so on, and they have amazing courses that are really hands-on: you can really touch things and test them and compromise virtual machines in a safe environment, or investigate events in various systems. So I'm really supportive of this kind of hands-on, experiential training, because it really gives back. But also, historically I think security teams have been a little bit divided, siloed if you wish, so I try to push my team and myself to always be out there and engage with other teams, communicate with them, so we're not isolated and standing on the side and doing the bad cop things, but we are involved with all the other teams and all the other parts of the business, and we talk to them regularly and we engage with them. All this not only helps my team to be more understanding of what the business needs, how these teams are operating, what risk they could introduce if they introduce an application or some such, but also helps them to have humility and understand, for example, what the struggles of the sales, marketing and engineering teams are and how we could probably help them with something. There are so many things that we can collaborate on, because as I said we are a mixed IT and security team, so we have a lot of cross-functional and cross-team collaborations, so that really helps. But I think really being close with the team and helping them to learn as much as they can, so sharing as much as possible; at the end of the day we're here to do work, it's business, but helping them to learn and develop continuously, because the cyber security world is constantly evolving, and if you don't learn you start to be left behind a little bit. So we try to stay on top as a team; we do lunch and learns at the office as well; as a team we like to participate in capture the flags, those are really fun events that we do sometimes, we just order pizza, stay at the office and play till we are called out to go back
home that's really cool sounds like there's a lot of um just like a togetherness of like the
mission yeah I I truly believe in that I as I said it's business uh it's some
people in the corporate world they say oh we are a family I don't believe in that we we're a team we're more like a
sports team we have a common goals and missions of course we're individuals so
we should be uh we we have different needs and also I think and that's one of
the things I've learned from uh one of the previous leaders I worked for that you should strive to
build a diverse team as much as possible in all meanings if you wish uh not only
in terms of origion of people but also in their mindset because different
people could bring different value to the team you don't want to just bring copies of you or specific team member
and then obviously if you lay them down as a as a matrix you they're going to have exactly the same gaps or exactly
the same things that are missing in their knowledge or understanding and if you have a team that comes with a
various backgrounds let's say they've worked in different all jobs throughout their career but they then switch to
cyber security or some of them were like me the whole life was evolving around cyber security all of them can bring
something very valuable to the team to make it more uh Advanced if you
wish.

Interesting. Do you remember any leadership or security decision that you made in the past that turned out to be maybe not the best, and then how did you deal with that?

I mean, everybody makes mistakes. In cyber security, in these interesting frameworks that I mentioned, we have the idea of a postmortem where we review what went wrong, and we do it in a blameless culture: we try to find ways to prevent it from happening in the future, improve the education process, technology, whatever we can. And I have also been the reason for some incidents and events; that's normal. I could share at least two things. One: during security events where we had to act really, really quick and implement firewall rules or protections, it might have been that the rules I implemented were too strict, so they might cause an additional impact at the time, so we had to go back, revisit them, figure out what the problem was. That's inevitable sometimes when you try to balance between being very, very quick to save the overall business availability, but you could also cause a little bit of harm; it's inevitable in some situations. And on the leadership side, because I don't have decades of experience as a manager, even with the many, many interviews I've done and hirings and working with various teams, I also make leadership mistakes as well, in terms of hiring mistakes. That also happens, and when it does happen you just have to admit it and figure out what you could do in the future to prevent it: whether you should adapt your hiring process or the way you look at things, are you too soft in the hiring process, are you overlooking culture? Because a person could be very exceptional in their technical capabilities but they may be lacking some important leadership skills, so that in the long run they may not contribute or fit in the team as you may wish; they may be a lone wolf, or a person that doesn't like to be included and help others. So I've done this kind of mistakes too, but we just admitted it, improved the overall process, took note and moved on. It's inevitable.

Interesting, and you were
talking about the business side earlier. What would you say, how do you balance between enabling the business as much as you can and still remaining secure, sort of balancing them out? Because I would assume, you know, sometimes it is one or the other.

Yes, absolutely. It's not one or the other; there should always be a way. Cyber security shouldn't always be a place where you say no to things. There could be a "no, but", or there could be an alternative approach to do things and still reduce the risk. I try to approach it this way: there is a famous triangle that has security, functionality and usability in each angle, and the idea is that you should balance somewhere in the middle; obviously the most secure system is the offline one. So I try to do that with data and metrics, and when I need to go to the leadership team and discuss implementations that may cause some form of friction or need resources, I try to bring data and justify why, and provide alternative solutions, because not every proposition may be accepted. That's normal, as in life. At the end of the day we are here to do business, and the main purpose of the business is to be profitable, but we also have a lot of regulations, a lot of laws, a lot of responsibility and the trust of customers that we should ensure, so we should balance between all these things. In most of the cases there is a way, and in some situations, if there isn't a way, let's say if you tell an engineering team that they shouldn't be using a certain technology because of this or that and they are not receptive to your recommendations, there are ways; essentially, sooner or later they'll find out. I don't want to be that "hey, I told you so" kind of person, but sometimes it happens; it's inevitable, people don't take notes immediately. As I said, I don't try to be the "bad cop", quote unquote. I try to just provide: hey, this is how this company suffered from an incident or a breach that was caused by a misconfiguration or something minor, that looked minor at the time, so we could do that; this is the risk that we are taking. If you're comfortable with that (I'm not, but if you are), it's your call, it's your decision. So if you're comfortable with putting the company and the business at risk, cool, it's up to you.

Interesting. What would you say is currently the biggest challenge you're facing in the cyber world?

Well, there are
plenty, I'd say. I would say one of the things, specifically in our space where we operate as a business, is compliance and regulations, because they evolve rapidly and constantly require something of you. And although it's very, very important, and they bring most businesses up to a very high bar of security, they have a lot of paperwork and a lot of administrative effort that you should do as a team or a company, which could be exhausting at times. We try to find ways to automate the evidence collection and controls implementation, but that's usually quite time consuming, the overall process, and I understand that this is a process that we are suffering because of the space that we are in: financial, regulated markets, etc. I know that some other businesses are living in a very great world, or other businesses that are more B2C and are more exposed to more sophisticated actors have a different set of problems, so probably different things are frustrating and challenging for them. So at the end of the day it's not the end of the world; it's just something that we have to deal with. The other thing I would say is the very, very high cost of security products and services nowadays, just because they have the security label, or if they introduce an AI label on top of that, that would be crazy, crazy, crazy amounts. We try to be very resourceful when it comes to that. It's challenging nowadays because there are so many paywalls: when you reach certain thresholds of users or usage they try to push you to enterprise-grade licensing and costs, which is very exhausting for any business, I would expect, because at the end of the day the technology is not very complicated but just has this "security premium" label on top of it, and they try to squeeze as much as they can out of you. One thing that really frustrates me is that if all these security companies and vendors really believe that security is a right for everyone, they shouldn't put that many paywalls on simple services. For example, if you want to use SSO and rely on your own controls, that shouldn't be expensive; maybe not free, but not expensive, not super expensive. Or when you'd like to use some form of provisioning or more complex integrations with your security systems, that shouldn't break the bank. It should be easy to protect your own assets. And the frustrating part here is that most businesses nowadays are probably using a ton of applications, SaaS-based products and services, and they don't talk to each other that much, and there are no centralized, easy ways to manage them, especially those that don't support proper SSO or provisioning or alerting, and you need to manually go into those systems. We need to invent and make automations that are clunky and hacky; they do work, but it's a bit frustrating that for every system that we use there's no API or an easy way for you to connect and communicate with it; you need to do browser automation or other hacky things to figure out your ways. That's not very pleasant, but it is what it is; it's not the end of the world.

Cool. What do you think is one
thing that CISOs don't pay a lot of attention to but definitely should?

Hmm, I would say a couple of things. Insider threats, definitely. Sometimes they're underestimated because people do believe that everyone comes with good intentions, and I'm not meaning that we should be super vigilant towards our own colleagues and employees all of the time. I just mean that nowadays, with all these sophisticated threat actors and governments that are putting in billions and millions, and they have hundreds if not thousands of very sophisticated, trained security professionals that do social engineering attacks, and they apply even to those companies and go through interviews and then access their systems, we should be very, very vigilant to insider threats: the way we provision access, the way we monitor the intra-company activity, because threats are not only external. I think nowadays security leaders put a lot of thought into the human factor, it's evident, but they could do more about the communication and internal engagement with other teams. I think there's still a little bit of a stigma between security folks and other engineering teams, and they could cooperate and engage more, because at the end of the day it's for their common good. And last but not least, to think about creative ways to embed security into even mundane processing of operations. You would be surprised how many things in the day-to-day life of teams could potentially take a business down: from marketing teams managing the integration of third-party applications in the official website, to sales teams that have access to sensitive information and primarily communicate through alternative communication channels, not the ones that you manage as a CISO or a leader, and here I mean social media like LinkedIn or other platforms, because there we have very little control, and they could be doing that from their personal device, their personal phone, and so on. So we should really focus a lot more on the threats coming in from access and activity that's pivoted through people and employees within the company than before, because it's the easiest shortcut, rather than just going through the technology. Technology is advancing real quick, and we have such amazing, well integrated firewalls, protections, detections, monitoring systems, etc., but at the end of the day there is always the human factor there, the weakest link in the human-machine collaboration, and it's still going to be exploited for the years to come, so we should really, really be there.

As a cyber security person on any level, and especially when you're really
leading the team, you're always on; you're always, like, you know, ready for something to happen, ready to respond. How do you deal with the stress of that? Like, how do you disconnect sometimes? Do you ever disconnect? How does that work?

Oh, because I live and breathe in the space I don't think I disconnect that much, but when I do, as I mentioned, I really love extreme sports, I really love flying. As I joke with friends, when you're risking your life on the weekend there's not many things on the weekday that can really move you, because you already had a lot of adrenaline and dopamine and you've done very interesting things; nothing really can matter and can scare you on the work day. But of course, again, if you're not very well prepared to face unexpected or unusual events, or if you don't have trust in the team, or if you don't put the necessary effort into the things that you can control (this is a very stoic kind of mindset), at the end of the day you're probably going to be quite stressed about it because you forgot to do something or you didn't prioritize right. So I try to do the boring and well-known risk-based approach to prioritization, and we try to do the first things first, and then eventually some things may happen; it's inevitable. That's why we have the large segment of security incident response in this sector. It's inevitable because it's a moving target: everything is alive even when we're sleeping, or during the weekend when we're not busy at work, threat actors are there and they're trying. So essentially you just have to accept that some things will happen, and I hope you have a good security detection and monitoring system that will tell you about it, and put a great effort into preparation.

Cool. So we're kind of out of time; do you have time for a few more questions? Absolutely. Perfect, okay, so
what do you think the field is going to look like in a few years, and also how do you feel about AI?

I love AI. I use it on a day-to-day basis for many things, from writing code to summarizing, documenting. As I shared with you, I prepare even for the podcast with AI: I just scraped all the previous episodes' transcripts, fed them into GPT and said "hey, tell me about the things that were not said and covered, or what are the new trends, or what are the new things." It's amazing. AI could do so much, and could also do harm in the wrong hands, but it's not that scary at the end of the day. It doesn't change the paradigm; I mean, it's not making threat actors more dangerous, I'd say. It's not bringing new people to the space, whether on the good or the bad side; it's just making certain things easier. But it's not the end of the world (maybe I'm saying this thing a few more times than I should), but it could be used for a lot of good. I would expect that in the next few years AI will be heavily integrated into a lot of security products, not only from a marketing perspective but also from the productive and efficient side. Obviously you could do a lot more with incident response; with AI you could make better decisions, essentially take considerations and take actions, maybe, and automated responses. It could be integrated in so many other fields. One of the tedious areas where AI is very heavily used is filling out security questionnaires; it does an amazing job, because you could feed it a very well prepared set of questions and answers and information and reuse it to fill out future questionnaires. It's very efficient for that, so it saves security teams a lot of time and a lot of effort. It can write basic code, and if you're knowledgeable it can actually write very good code; I wouldn't say advanced, but good enough, especially to automate mundane tasks. So I would expect in the next few years that to become relevant and to be in very high use in our space. Then I would expect, of course, threat actors to use it as much as possible and figure out new ways to abuse it, but I really hope that businesses and companies, especially SaaS-based ones, will introduce more security features and options for you to authenticate and protect customers, like passkeys and more ways to authenticate, which would be great. And at the end of the day it doesn't matter how technology will change in our space and how much regulations will increase; that's inevitable. Actually I think that's a good thing at the end of the day. Especially here in Europe we see that regulations are really driving change and making companies do a lot in the cyber space, invest a lot, and I would be happy to see that across the globe, like in all countries and all regions, that they align with the EU kind of level of frameworks and regulations like NIS2 and DORA and so on. They seem to be very, very useful to bring awareness in those businesses, because historically smaller businesses that were in very sensitive markets, let's say service providers and so on, didn't put much effort into cyber security, but now with all these regulations they are obliged to do it, and they do it, so it helps them to do more and to deliver more secure products. But at the end of the day I would still expect the human side to continue being exploited, and because of the space that we're operating in, not only as businesses but the way we develop products, we introduce a lot of dependencies, libraries, vendors and so on, and we rely on so many things; that would also continue to be a problem, and that's a challenging area for a lot of businesses, I mean supply chain attacks, risk management and due diligence for vendors. So I would really hope to see some form of standardization in that area that will really help us to evaluate real quick and be able to react real quick when things like that happen, because it's not just, like, people, technology and process now, but also vendors, that we put a lot of the things that we do as businesses in their hands. And yeah, last but not least, actors will still be driving, obviously, complex geopolitical situations, but not only. So as we've seen for the last decade, decade and a half, threat actors from certain regions have evolved so much, they're so undetectable, they're so sophisticated; that's going to continue, probably growing. But I would expect that even lower tiers of threat actors, not only APTs... like even in the last few years we're joking in the sector that yes, we're thinking about all these nation-backed organizations that are behind major hacks, but at the end of the day we are just fighting a group of teenagers like the Lapsus$ group that were able to take down a number of large corporations like Microsoft, Samsung, Okta and so on. So all of that, all these technologies, AI, and generally speaking the human factor can still be very easily exploited with all these controls in place, so that will continue happening; that's never going to change. The good side of it is there's going to be more work; the bad side of it, we have such a large arena of things to think about. It's a moving target, and the sad thing is that we need to protect so many things, obviously, like so many digital spaces, people, technology and so on, and the other side just needs to find one weak spot, one vulnerability. That's a bit exhausting, but yeah, it's also very engaging and interesting. It sometimes feels impossible, but we have to keep doing our best. The good thing is technology really catches up. I remember when we were very young and we were doing hacking and script kiddie kind of activities, you could do a SQL injection on almost every other website; nowadays that's not the case. We have so many sophisticated technologies and firewalls and so on, so it's very difficult to compromise things through technology, but it's still fairly easy to do it through the human side.
Perfect. On a more, sorry, on a more personal question: what do you find so interesting, like what gets you up in the morning excited to go to work, and on the other hand what keeps you up at night as a cyber security professional?

Not much keeps me up at night; maybe when we play CTFs, and in the rare event when there is an incident. That's very, very rare, but I have an on-call page for that. But what keeps me excited is that it's really interesting investigating events and looking at interesting stories, for example the ones told in Darknet Diaries. They're really, really interesting and engaging; I really love listening to or reading about things like that. It's so much fun when these are real-life things that have happened. So I really like the fact that we are operating in a sector, in an environment where things, technology and threats are evolving day to day. There are new things almost every day, so that's super cool; it's never boring, every day feels amazing. So I love that, I'm really excited about that, and that's going to continue for the days to go, because technology is going to keep evolving and cyber security is going to be along for a very long time.

Amazing. So, final question, before
I ask, thank you so much for your time. I'm so happy that you joined the show and I think your take is so, so interesting. My last question would be: what would be your unusual piece of advice to someone who's either wanting to advance in cyber security or wanting to even get into the field, is thinking about it?

There's so many great ways to start in cyber security; I don't think there's like one direction. As I said, at the end of the day we're fighting teenagers that have read something on the Internet and are trying it against our business. There are plenty of amazing resources that people could use; as I mentioned, these amazing platforms where you could learn hacking and cyber security. There are also really good personal training roadmaps, like roadmap.sh, that show you cyber security paths and things that you could learn. But one unusual piece of advice that I could give people is to learn the ability to tell stories, storytelling essentially, because it helps you to bridge the gap between technical and non-technical people and concepts. As I mentioned, in cyber security we protect people, process and technology, and to be able to focus on the most important piece, people, because the majority of cyber incidents are coming through that vector, we need to be able to tell stories: those stories that are actually happening in other companies, or things that happened to us, or things that could happen. If you're able to tell that in an interesting and engaging way to others, if you're able to present, if you're able to clearly articulate, to explain your point; for example, if you go to the board and you need a decision, you need help on something, you need to be able to give a very good explanation of why we ended up here and what our options are, and so on and so on. And if you're not a good speaker, presenter, you're not good at storytelling, you may not be very efficient at that, and I do believe that's a very vital part of what we do in cyber security. So I highly encourage anyone that's in this sector: obviously there are fundamentals like technical skills and general security skills that you need to learn, but storytelling is really important. One of the questions that I ask at the interviews that I do for the team that I work with is, for example: tell me how and why would somebody compromise us, and how would you do it? You could obviously have read and listened to a lot of things, and you could know the technology and ways, but if you don't have a way to articulate and really explain the concepts, the reason, the motivation behind all of that, you're missing the big picture, you're missing the "why" of what we're doing all of this; you're just following something that you read, or maybe a hype that you think cyber security is. But there's a lot of storytelling involved here.

Perfect. So I know you do a lot of talks and you do podcasts; is there anywhere our listeners can find more of your content?

My website is very easy to find, miglen.com, and usually there are linked resources, social media and so on. So, easy to find: miglen.com.

Perfect, thank you so much for joining us.

Thank you, likewise, appreciate it.