Ambizione Italia for Cybersecurity: interview with Microsoft expert Gaia Guadagnoli
Why is it important to involve both a company's internal and external resources in protecting its cybersecurity? Because attacks will become increasingly sophisticated and will be tied to delicate geopolitical issues, but also because the human factor plays a crucial role among the elements of vulnerability. Cybersecurity represents an excellent professional opportunity for those beginning their careers, regardless of their field of study. Onelia Onorati interviewed Gaia Guadagnoli, Privacy, Data Protection & Security Technology Specialist at Microsoft Italy, who has participated in two initiatives:
- A course organised as part of the Ambizione Italia for Cybersecurity programme (6, 9, 13 and 16 March)
- A career orientation Jobtalk in collaboration with the Cyber Strategy Initiative
According to the latest Microsoft Digital Defense Report, in 2022, there were 710 million phishing emails per week and 921 password breach attempts per second, up 74% from last year. Cyberattacks are on the rise, putting businesses and individuals at risk like never before. In your opinion, what are the reasons for this surge?
In recent years, the increase in cyberattacks is due to many factors, ranging from purely technological issues to human factors and opportunities. The rise of interconnected devices and the pervasive growth of the IoT has created a larger attack surface for malicious actors. Furthermore, the emergence of sophisticated and automated attack tools has made it easier to launch more or less complex attacks, exploiting economies of scale which therefore make it much more economically efficient to launch large-scale attacks. Finally, the lack of adequate security measures has also contributed to the increase in cyberattacks in many organizations. The human factor is therefore central both from a business and personal point of view.
In fact, the use of good security practices manages to block most standard attacks. Consider, trivially, the use of two-factor authentication and the systematic updating of the operating systems and applications in use. It is therefore essential to pay attention to what surrounds us and what we are subjected to, developing our critical thinking. You don't need to be an IT expert to create a level of protection that allows you to feel more relaxed.
What are the most vulnerable points of a company, the ones that a cybersecurity professional must pay attention to?
There is no single answer to this question because every business context is different, both in terms of infrastructure and data. For example, there are sectors with a greater use of OT devices than others, and companies that allow the use of personal devices for personal operations (bring your own device). These peculiarities differentiate the possible attack surface, which therefore may be more or less large. However, there is one element that all organizations have in common: the human factor. As I said before, the human factor is almost always the weak link in the security sector. It is essential to pay attention to this point in a particularly structured way because inattention (or, even worse, the malicious activities of any insiders) can lead to very serious consequences. And it concerns not only the implementation of technical measures, but also organizational measures and user awareness of IT risks.
On a technical level, it is also important to find a balance between protection and usability. It is in fact important that the users are not too limited in their operations, otherwise they might look for potentially dangerous "workarounds." Therefore, it is necessary to opt for measures that are as simple as possible (both on the back end and front end). Finally, it is possible to summarize what in my opinion is the most important point: "culture". In fact, technical measures, investments, security policies and procedures are nothing more than the derivative of a cultural drive dictated by management's attitude towards security. A crucial area is the economic factor. Unfortunately, we often see huge ex-post investments, only after the perpetration of a cyberattack. If these investments had arrived on time, however, great economic losses could have been avoided. Any worker operating in the security branch (from the more technical to the less technical) must keep in mind the economic factor and the so-called "ROSI" (Return on Security Investment) which, in fact, governs every type of decision in the organizational sphere.
What is the ideal path for someone who would like to work in this area? Are there basic requirements that you need to get started? Are there opportunities for individuals starting from scratch?
I have a three-year degree (BA equivalent) and a master's degree in International Development Cooperation, Political Sciences. Can you imagine something more distant from “cybersecurity”? Difficult. Then, I gradually discovered my true passion and decided to cultivate the one I had always known I had - in this case computer science - and to find an area that excited me. I'd be lying if I said I chose this field deliberately, because it actually happened almost by chance, but what I want to emphasize is that the only really important thing is to be interested in a certain subject.
Now let me give you an example that might make someone smile. One day, I was at home. My phone rang and it was a recruiter who, after seeing my LinkedIn profile (I still had several tech-related things to my credit, but absolutely nothing in the cyber field), had decided to contact me for an interview in the cybersecurity field. To me, "cybersecurity" meant long, complex passwords, and that's about it. So, I called a friend of mine who worked in the field and asked her to tell me about five super important things in this area, without which I would not have even remotely thought of passing the interview. It was inconceivable to gain a holistic view of the whole subject in a few days, so I concentrated on the five areas that my friend pointed out to me and really studied them thoroughly. I passed that interview and my life changed. I wasn't an engineer. I wasn't born a pentester. I was just someone who had been presented with an opportunity and was willing to learn.
The truth is that computer security is an almost boundless area, and there really is room for everyone, as there are both more and less technical specialties. In my career, I have gradually approached more and more technical subjects, but this was a personal preference motivated by an interest that matured day by day. This is not a law that applies to everyone. I know people who are absolutely non-technical and in front of whom one can do nothing but bow down and learn, so yes, there really is room for anyone interested in the subject. Each one of us has peculiarities in our baggage that make us unique and that can bring added value to any cyber specialization.
It is natural that some sectors have very strict requirements, especially on the purely tech side, but I repeat, you need not be "trained from birth," especially if you are at the beginning of your career. We are fortunate to live in a world where we have every opportunity and possibility to research and learn whatever interests us, so it's all about commitment and willingness to learn.
How do you think cyberattacks will develop in the coming years?
Cyberattacks are constantly evolving and do not depend only on factors of opportunity, but also on geopolitical factors. However, also based on the indications of the Microsoft Digital Defense Report 2022, it is possible to make some interesting forecasts. Ultimately, given the backdrop of recent years, cyberattacks are expected to become more sophisticated, targeted and organized. To begin with, it is believed that attackers will increasingly use artificial intelligence (AI) and machine learning (ML) techniques to automate their operations, which will include attacks on different sectors of corporate infrastructure, taking advantage of the growing attack surface available. By automating attacks, it will be possible for malicious actors to launch more sophisticated attacks with greater speed and accuracy. Additionally, attackers will be able to use AI and ML to create more targeted and personalized campaigns. They will continue to use phishing and social engineering tactics to gain access to corporate networks. By leveraging social media and other communication channels, attackers can target specific individuals and businesses. Finally, attackers are thought likely to form more organized and professional groups, possibly even sponsored by nation states. These groups will be able to launch more coordinated and sophisticated attacks, making it even more difficult for organizations to defend themselves. As the digital threat landscape continues to evolve, it is important for organizations to stay up to date on the latest security trends. By proactively monitoring threats and implementing appropriate preventive and corrective measures, organizations can stay one step ahead of attackers and better protect themselves from increasingly sophisticated cyberattacks.