Big interview with our cybersecurity researcher Veronica Valeros, who leads the Civilsphere project protecting civil society against digital threats.

Can you tell us a bit about your backstory and how you grew up?

I grew up in rural Patagonia in the southwest of Argentina in the early nineties. What does it look like? Imagine a valley surrounded by forests and mountains with snowed peaks, houses and farms spread out across the valley. Our house, which sadly got burned in a wildfire in March, was on one of these mountain slopes. Living in rural Patagonia was tough and my parents worked hard to make ends meet. Part of my primary education was in a rural school that you could only access by crossing a lake and then riding a horse for an hour! Growing up in this environment taught me to be self-sufficient and to take ownership of my own education. How far could we go? This was entirely up to us.

After finishing high school at the age of 16, I obtained a scholarship to study Informatics Engineering. The road to graduation was not easy. Being away from home, living alone with a very hard financial situation were not the only difficulties. The biggest success in this stage, as the only woman enrolled in the program, was enduring the bias, mistreatment, and often discouragement from a heavily male-dominated environment, and making it to the finish line. It was at almost the end of my degree that I discovered the world of cybersecurity, and I was hooked!

"Our Civilsphere project offers free services to activists and journalists to early detect privacy violations that can jeopardize their life and work."

Life took a turn in 2013 when I took a job as a cybersecurity researcher at Cisco in Prague, Czech Republic. Surrounded by a great team and leaders, I was able to flourish and boost my knowledge and career. Since 2018 I took a leadership position at the Czech Technical University in Prague where I can apply my knowledge and experience to make a positive impact in the world. Our Civilsphere project offers free services to human rights defenders, activists, journalists, and NGOs to early detect targeted digital attacks, digital surveillance, and privacy violations that can jeopardize their life and work.

Having grown up in rural Patagonia in the 90s, Veronica made it to the Czech Technical University in Prague, where she leads the Civilsphere project, gives lectures, and supervises students.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

The book by Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, was very significant in my career. The book changed my perspective and understanding of my own field of work and also inspired me tremendously to make my own research better and more thorough.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

During my early university years, my computer got infected with malware multiple times. I knew very little about computer viruses at the time. Later in my career, I learned that one of our professors was actually executing malware on purpose, to study it! I just found that fascinating, and that is actually one of the things I did in my first cybersecurity job!

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Since the beginning, my first job required me to make decisions about the maliciousness of IPs, domains, files, behaviors. Many times, the available threat intelligence information on a given indicator was not enough, but I was still required to make a decision, malicious or benign. I made a mistake once in one of my assessments that would have caused millions of alerts in hundreds of customers. Luckily we had a very extensive set of checks in place that warned us before the damage was done. It was still a wake-up moment that made me realize the impact of the work I was doing.

"We already helped more than 400 individuals at risk, and with the AI VPN, we expect to be able to help thousands."

Are you working on any exciting new projects now? How do you think that will help people?

I’m currently working on a new project, the Civilsphere AI VPN, a tool that combines the traditional VPN with state-of-the-art machine learning detection algorithms to detect threats in the network traffic of users. This tool is an improvement of our Emergency VPN, which since 2018 provides human rights defenders, journalists, activists, and NGOs with a free security assessment of their mobile network traffic. We help civil society analyze their device’s network traffic to early detect malware infections, privacy violations, and signs of digital surveillance. We already helped more than 400 individuals at risk, and with the AI VPN, we expect to be able to help thousands.

Team of the Civilsphere project led by Veronica.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

One of the most exciting things in our field is how diverse it is. There are so many different areas, that there is always something to learn and areas to explore. This is also a big advantage as individuals can move and find the niche that better suits their skills. Secondly, it is quite exciting to work in a field that is ever-changing! New technologies come in with new problems and new challenges. This forces you to keep up, keep moving, keep learning. And lastly, it is exciting to be right now in a moment when the field of cybersecurity is starting to mature. A decade ago, everyone was on their own. Every company had its own experts, with their own knowledge and practices. Now we are slowly getting things together, creating standards, methodologies, career paths!

"One of my biggest concerns is the disparity between cybersecurity products available to businesses and to individuals, especially individuals at risk."

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

I always say to newcomers that there is one thing in our field that is good and bad at the same time: it is always changing. The speed of things that happen, the incidents, the demand to keep up can easily lead to burn-out. It is an exciting field but also requires an extra effort on self-care to know when to push forward and when to slow down.

The second thing that concerns me is the still existing disconnection between development and security. It seems every time there’s a new technology we go back to the ’90s in terms of security and privacy. We are slowly making progress, but it’s frustrating to see how slow this progress is.

Finally, one of my biggest concerns is the disparity between cybersecurity products available to businesses and to individuals. There are so many advanced defense technologies for corporate users, but when it comes to end-users, especially individuals at risk, there aren’t even half as many. The work done by civil society defendants is critical to our world’s social sustainability, and I firmly believe that our tools should be able to protect them as well.

Sharing know-how is very important to Veronica. She often presents at conferences and other events to give back to the community. Here you can see her with her husband Sebastián doing an online workshop for BlackHat Asia.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

The software supply chain has become a messily intertwined ecosystem, and it will become even more complex in the future. We are already seeing the impacts that supply chain attacks can have. Organizations should start not only preparing for these but actively taking part in securing them.

The increase in the number of AI-based services brings new challenges and possible threats. It is vital that organizations start thinking early about how to secure these algorithms, what possible impact they could have if hacked, and how attackers can possibly manipulate them to their advantage.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

This is a tough one! The tool I use the most is Wireshark, a network packet analyzer available for Linux, Mac, and Windows. It is a great tool not only to analyze network traffic but also to learn everything at the network level. In a similar category, I frequently use the Stratosphere Linux IPS (Slips), a free software machine learning-based intrusion prevention system. Slips is fantastic when it comes to analyzing the behavior of network connections instead of the packets themselves.

I feel obliged to mention my favorite threat intelligence tools, which I use almost daily: VirusTotal, RiskIQ, and APKLab. VirusTotal is an online service that aggregates multiple antivirus engines to scan URLs and files for malicious behavior. The RiskIQ threat intelligence portal offers aggregated intelligence on domain names, which is vital when it comes to making an assessment of the maliciousness of a site. Finally, APKLab is an online service developed by Avast Software dedicated to providing security researchers with thorough intelligence on Android applications.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Following my current focus on mobile users, there are a few things to watch for in order to suspect the mobile phone is infected with malware or spyware. These signs will vary depending on the type of malware used. Generally, users should keep an eye on their data and SMS usage. If they are spent too fast, then it’s good to make a security check. Other signs include overheating, sudden slowdown of applications, and repetitive inexplicable behavior (pop-ups, windows open, excessive advertising).

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

In my opinion, the biggest mistake is waiting to grow to have good visibility in the organization in terms of cybersecurity. There is the misconception that having visibility involves expensive next-gen products. However, there are nowadays many frameworks and options to quickly and cheaply monitor a small organization. Having visibility should be the top priority of small organizations.

"I am delighted to see the progress made in the last 15 years. Things and situations that were ignored back then would be unacceptable today. We have, however, still a long way to go when it comes to equality."

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I am delighted to see the progress made in the last 15 years. Things and situations that were ignored back then would be unacceptable today. We have, however, still a long way to go when it comes to equality. One of the biggest problems that need to be addressed is the pay gap, which may surprise many, but is still quite considerable in many countries around the world. Hand in hand with this is the inequality when it comes to maternity and paternity leave. Without paternity leave, we cannot expect to have equality in the workplace, as this affects the promotions, opportunities, and career growth options of many women.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

There are many misconceptions about the profile of cybersecurity professionals. This is a profession that benefits incredibly from diversity: diversity of personalities, of culture, of thinking. Do you want to be great in cybersecurity? Bring your authentic self.

"Embracing who I was allowed me to really focus on being great at what I do," says Veronica.

Thank you for all of this. Here is the main question of our discussion. What are your 5 leadership lessons you learned from your experience as a woman in tech and why?

1. Find Your Authentic Self
The field of cybersecurity can be, and it usually is, very demanding. It is not possible to excel in such a demanding field when trying to be something else that you are not. In my career, I learned the hard way that being a woman gives me skills that no one else in my group had, and my culture gives me different insights and perspectives. Embracing who I was allowed me to really focus on being great at what I do.

2. Be Comfortable Making Decisions
Making decisions, owning those decisions, and being comfortable with the idea that those decisions may be wrong is not easy, and is risky, but it’s a great skill to develop. From all the other skills that you may acquire, this is the most likely to open more doors. There were many times in my career that the decisions I made were wrong: wrong hiring, wrong assessment, wrong timing. However, these decisions were also valued by leadership when I was assigned more and more responsibility because it’s going through these bad decisions that shows what you are made of.

3. Surround Yourself With People That Think Differently
It is very easy to surround ourselves with people just like us. However, when doing cyber threat intelligence work, it is vital to have just the opposite. The teams that I led were always culturally diverse, which made us all check on each other, find biases, and at the end of the day, make better and more balanced assessments.

4. Take Risks
Our field is growing and maturing as we speak and there is still so much to discover. Letting yourself take risks is part of this discovery. Don’t be afraid of breaking things, of voicing different opinions, of using tools in a way they were not used before. Take the risk to invent, to fail, to innovate.

5. Have Your Personal 911 List
Our lives as cybersecurity professionals will be hectic. There will be times of excitement, discovery, heroism. There also will be times where things appear to be too much. I learned not so long ago about the importance of having your personal 911 list. This list features a shortlist of people to talk to when you are in crisis. Not only emotionally but also technically. Those who will be there in case you need to discuss something important. These people will get you through tough times, and help you make your career a great one.

Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why?

One of the great inspirations in my career has been Carla Harris, Vice Chairman of Wealth Management and Senior Client Advisor at Morgan Stanley. Her books and pearls have been key for growing my career and bringing my best self to work.

This interview was done by Jason Remillard from Authority Magazine as part of the series called Wisdom From The Women Leading The Cybersecurity Industry. The original interview is published on Medium. Find out more about Veronica Valeros on her personal page.