Biljana Cerin: The ABCs of Cybersecurity
Last week we had the opportunity to talk with Biljana Cerin about the very broad topic of cybersecurity!
As always, if you missed it, you can listen through the whole conversation on our YouTube channel:
But first, a few introductory words about Biljana! Biljana is currently the CEO of Ostendo Consulting, a company that specializes in providing consulting services on risk management and compliance with complex regulatory requirements in the field of information security risk management, personal data protection, and information systems security. Moreover, Biljana has over 20 years of professional experience on projects for companies such as Fortune biotechnology company Amgen, Stanford University Hospital and Clinics, MGM Resorts International, Merck, and other leading financial, energy, IT, and telecom companies in Croatia and the rest of the world. Biljana is also a member of the Board of Directors of the largest international association of information systems security experts (ISC)2. It is safe to say that we have a lot to learn, so let’s dive into the conversation!
IT: The very concept of cybersecurity is extremely wide. Can you start by telling us about cybersecurity as a whole and what is it all about?
At the very beginning, Biljana explained to us that the concept of security in this field can itself mean different things to different people (cybersecurity, IT security, information security, etc.). The thing we are talking about today is protecting information.
„Whether it's information in our IT systems or the one we write on different papers, the fact is that information is the most crucial ingredient of all business processes and everything we do“.
Although modern terminology insists on the term cybersecurity professionals, Biljana prefers using the term information security professionals, mainly to avoid many common misconceptions that are in her opinion imposed by Hollywood movies: „When you mention a cybersecurity professional, the first thing that comes to mind is a hacker in a black hoodie sitting in a basement!“.
IT: There are a lot of misconceptions indeed! One of them is also about cybersecurity being only a technical thing, but it’s not, right?
It’s not all about technology at all, says Biljana. She drew us a picture of how she felt working in this field: „It’s like I’m trying to translate what technology people are talking about to business people, and what business people want to see from the technology people. There is a third party to this which is legal and compliance, so I’m trying to make sure all those three different types of people understand each other!“.
In this context, we can say that both people and technology play important roles when it comes to cybersecurity, but mostly it’s about awareness. „No matter how good the technology you use is, if you use multiple protective controls and overcomplicate, you make the whole thing very difficult – and complexity is always an enemy of good security!“, says Biljana. „If you don’t have exact awareness of how important cybersecurity is at the top management level, that is willing to spread this awareness to every single employee within your company, you are never gonna achieve cybersecurity“.
Biljana also pointed out one major issue that the field of cybersecurity is facing, and that is the lack of diversity. She gave examples of job descriptions for openings such as junior Security Analyst, which are already asking for cybersecurity certifications. Biljana sees the problem in perceiving cybersecurity as some requirement that has to be fulfilled, whereas in reality what’s important is understanding what exactly can happen. „To do the proper risk assessment and risk management within your company, you need to have people who understand whatever security controls they are taking care of, and what the possible impacts of something happening to the business processes are. The important thing is to have the knowledge and experience to properly evaluate and assess information security risks“.
IT: We could say that the most secure practices come from combining people, processes, and technology. Without those three you cannot have a secure system. But sometimes big companies and huge systems make these ‘rookie’ mistakes and they approach the whole problem very naively. How do you explain that paradox?
„Big companies should have a very mature security posture. If they don’t, that only means that management itself is not aware of how important security is and that they do not invest enough“. In other words, Biljana sees the core problem as the lack of communication between management and the people who know about the security problems. „Management is mostly looking for financial figures – they want to know how much it is going to cost. If the people who understand where the problem is don’t have a good way of presenting it to those decision-making people, that is the actual problem. There is a huge gap between people who do have information and make decisions, and those who see the actual problems but do not have the right type of information to present the problem to the management“.
In her vast experience, it all comes down to the maturity of the company. „When you have a company that is looking forward to developing new products and solutions and putting them into the market, they want to make sure information security is an integral part of all those solutions and products. These companies are aware and they are not waiting for some kind of compliance or legal requirement to make sure security or privacy is integrated into their business. They are doing it themselves to protect their businesses“.
IT: Let’s talk about your very beginnings! You were a software developer at the beginning of your career and then you kind of went from being more of a tech-oriented person to being on a bridge between the business and technology world. How did you figure that out and start talking to people? Did you have some projects where you had to communicate with a lot of people?
Biljana told us that while working on a project for a public health institution, she became familiar with standards in security that were not the same as technical standards, but rather business process management standards. She noticed people talking about security from aspects other than just the technical side.
Years later, when Croatia introduced its information security law for the first time, she thought: „There’s no one in Croatia that knows something about all this, let’s find out who the people who are already doing this are!“, so she started looking for people worldwide who were familiar with information security laws at the national level and had experience in implementing these requirements in their companies. She found out that the people who were top experts in the field were very different in their areas of expertise: some of them leaning more towards governance, risk, and compliance, and some more towards the technical aspects of security. While working with her company at that time, Biljana invited them to Croatia. The first conference, in 2005, gathered 30 top-notch experts to share their knowledge. These people were mostly from the UK and USA, and from that moment they became her network of people!
After that, a few more conferences happened, which led to many projects, which then led to new job opportunities and collaborations.
„That’s when I figured out what it is all about: you have those two sides, the management track, and the technical track. You have to adjust the message you want to give to the audience who is listening, and my affiliation was more with the people on the business side because I was able to understand the technical side of the story, but also efficiently present it to the business people“.
Biljana said that the problem of communication with both sides still exists, but it feels like it’s getting better! „This is a struggle and we need people that have enough social skills to understand and connect both worlds“.
IT: You moved a bit more to the organizational part of cybersecurity and you started dealing with things that are called risk assessment, governance, and compliance. Can you tell us a bit more about what those mean?
„The thing I like to do most is setting up the processes that define how these things that you mentioned are going to be implemented within the company“, explained Biljana. „When the company doesn’t have an actual risk assessment and management process, it cannot really say they are taking good care of security“.
In this context, Biljana pointed out that when it comes to risk assessment and management, many companies think this must be something complicated. What happens is that they turn to different templates they can find online and try to download and implement them. A problem that often happens is that none of them works, because they are not adjusted to the company's specific environment. Biljana pointed out the importance of establishing a methodology that works, which will involve people working with different processes in different teams and different departments. The goal is to see where a potential danger lies for one of the three components of information security: confidentiality of information, integrity, or availability.
Another issue is security controls, which are in most cases „designed and well documented but not implemented. The biggest problem is no one is measuring the efficiency and effectiveness of these controls“, says Biljana.
Biljana said that the important thing is to do risk assessment continuously, so anyone can report a risk or any kind of problem they see not just once a year in some “mandatory” risk assessment. „Doing it once a year doesn’t mean anything, risks happen every day“.
„The last thing you want from information security is to be an obstacle – it should be a business enabler. If you do it right your business should thrive because of information security. Sometimes people perceive it as something that is stopping them from doing business but this is not true, this is only true if you are not doing it right!“.
IT: So risk assessment could be an email that someone can send to you and say „Hey, I consider this a risk“, or it could be practically an essay of some sort, where someone sends you to different departments where they can talk to you, and you compile it all together and have a risk assessment. Is that somewhat true?
Biljana explained that risk assessment, by all means, should not be an obstacle, but there should be a well-defined channel in communicating these issues. In other words, if someone sees a problem, there should be a place where they could report the problem; there should be a methodology to assess that problem; there should be a team working on fixing those issues or gathering more information.
„I think the best approach is security by design for whatever project that you are working on. The important thing is to develop it before you start with the project, and you should do the risk assessment related to that specific project“. Good governance is crucial, especially in large organizations, because when the structured approach is lacking, people send the same message over and over and it’s not getting anywhere.
IT: With risk assessment, you get the picture, the current state of the company. What happens next?
After risk assessment comes risk management. „For risk management to be efficient, you need to have good governance, communication, and well-defined budgeting“, says Biljana. Basically, what happens in this step is making sure that the amount of money, time, and people that we are going to invest in mitigating some risk is justifiable and fast enough. Risk assessment usually gives you results in different levels for various categories of risks, and you have to decide which risks should be treated first and how.
IT: It seems like really hard work when you have to dive deep into a company and figure out how to make peace or at least some truces to have some work done. Did you have any unexpected situations?
„Now that you mention it, quite recently something happened to me that I did not expect was ever gonna happen – I had a project where I had to audit the auditors“, Biljana told us!
Using this quite anecdotal story, Biljana explained why she dislikes the so-called checkbox approach and why it is, in her opinion, flawed. „When you use a checklist you limit yourself so much. Instead, you need to take a proactive approach and you have to handle the people, the issues, and you have to get to know the process itself to understand what the company does and what is important for this company, etc.“. When in an inconvenient position, that is when the social skills come into play.
IT: Could it be that this stems from bureaucracy, or to be exact, an approach that this is something we HAVE to do? Or maybe the reason is fear – like GDPR, in which case people are motivated to implement their policies (sometimes just very badly) into their companies because of fear of fines?
„You will always have those companies that are motivated by fear and not willing to do anything else until they have to, and that’s when I say security driven by compliance is the wrong type of security“, explained Biljana. Also, she pointed out that sometimes it is helpful because if there are no laws or constraints, most of those companies wouldn’t even do the basics. „Now we have something that is pushing them to do at least basics although this is all wrong because if they are driven by fear they do not understand the common sense of all those regulations“. For example, GDPR is a great regulation, said Biljana, because it’s driven by common sense, privacy, security by design, risk management.
IT: What do you recommend to all of the people that are interested in some sort of cybersecurity and are perhaps software developers, DevOps engineers, project managers, or are working in a bank? How should they approach cybersecurity? Is there even a way for someone who has just finished e.g. law school to be in cybersecurity?
Regarding this question, Biljana offered some very valuable advice!
Firstly, she pointed out that the best way to approach the field is to understand if you have a passion for it!
Secondly, the best and easiest way to enter the field in her opinion is through mentorship. Biljana recommends that you find yourself a mentor through many available mentoring programs.
„If you are coming from a technical background or you already have some knowledge, I would recommend going for those cybersecurity certifications as soon as possible!“. Biljana is a member of the Board of Directors of (ISC)2, an association which offers a number of certificates, but you have to prove experience. Before you gain the experience you can study for (and pass) the exam – this will likely push you to work on projects!
„If you are coming from a legal background I think now it’s a perfect time to enter. You will become familiar with a legal part that deals with cybersecurity, privacy, or information security laws. There are many initiatives around cybersecurity as a strategy on a European level“.
In short: education, mentorship, certifications, projects – as soon as you grab any one of those components it’s good, said Biljana, and most important of all is really to network with the right people, whom you can connect with through LinkedIn or various groups online!
If you have any follow-up or constructive questions, you can look up Biljana on LinkedIn. We are certain that she inspired many of you to dig deeper into cybersecurity!