The worlds of cybersecurity and AI are set to become fused as technology continues to adapt and evolve. Grant Powell MBCS spoke to Katerina Tasiopoulou to learn more.
Katerina Tasiopoulou has already had a remarkable career within a relatively short space of time. Awarded a BCS Young Professional Award in 2018 during her time as an Incident Response Engineer for IBM, Katerina’s determination, knowledge and skill led to her becoming CEO of her own successful cybersecurity business. Here Katerina explains the challenges of cybersecurity in the world of AI, her career journey and her advice for the next generation of cybersecurity professionals.
Can you tell us about your background and career to date?
I actually wanted to be an aerospace engineer, but this all changed when learning some basic computer coding at school. One day in school assembly we were shown some computer code on the screen, and I put my hand up because I knew it was wrong. There was an error in the logical flow of the code and when I pointed it out the teacher was shocked. I became very interested in coding from that point. I went on to study computer science and then cybersecurity at university level before working in various positions for several companies, including IBM.
After this I founded my own company, Exelasis. My current work is focused on advanced penetration testing and ethical hacking, or ‘red teaming’. I initially worked on the incident response and intelligence side, or ‘blue teaming’, because being able to defend against real threat actors taught me a lot of skills that I could use on the red teaming side. It’s a very interesting, exciting and rewarding career.
Did you find it daunting to enter a career in which women are sadly still in the minority?
It has been very challenging at times. At university there were no other women in my class, and at the time it was difficult for me to understand why. In the working world, while things are beginning to get better, it still has not dramatically changed. I have to admit that, as a woman working in cyber, sometimes I have not been appreciated in a room. I don’t feel that I have been listened to or treated seriously at times.
But, it’s important to make the point that I don’t want to be appreciated because I’m a woman, I want to be appreciated because I am educated, skilled, a team player, a collaborator, because I have input and because I’m a cybersecurity professional. Equality doesn’t have to be because of gender, but rather equality should be regardless of gender. There is still a lot of work to do and it’s fantastic that organisations like the BCS are helping to change attitudes.
You won a BCS Young Professional Award in 2018. What did this mean to you?
The Young Professional Award has been absolutely invaluable in helping me with recognition, eminence, confidence and networking. It really isn’t about the award itself, as a physical thing, it’s about how you use it. Even today as a CEO of a company I still mention the award in my presentations to show that I was recognised for my efforts, and to show others the progression that is possible with determination and self-belief. I imagine I’ll still be referring to it 10 years from now. It has also really helped me build my network. I always view the award as being a first step on the road to where I am today, because as I left the stage that night I set myself a goal; to run my own business.
In your role, what are the main challenges as a result of the evolution of cyber threat?
Technology is evolving incredibly quickly, but cybersecurity is not evolving at the same rate. The biggest challenge, from my perspective, is not the fact that there are new threats, although this is of course a major concern, it’s that we haven’t even fully addressed the old threats yet. Some organisations — banks for example — are built on some very old foundations and principles, with various systems and layers added on top over time. Add AI into the mix and suddenly it equates to a whole new layer of complexity. Cybersecurity means defending your assets, but how do you do this as technology evolves and the threat parameters change? As the goal posts move it can be hard, as a business, to know whether you have reached your objectives in terms of cybersecurity compliance.
How do you begin to address such challenges?
The only way is to get the basics right, not just in terms of compliance but also in terms of technical assessment. It's really important to take a step back. As a business, your objective is to protect your assets, but the only way to really be sure that you’ve done that is to try to hack your defences. So penetration testing or ethical hacking is the ultimate test. Starting with a basic penetration test allows you to identify current gaps and close the critical ones.
Only by carrying out these tests continuously can you really see your exposure. In cybersecurity there are many different elements and it changes daily. Secure coding or secure programming is not the same now as it was 10 years ago and even the biggest organisations need to release new patches all the time because new issues are continually arising. There is so much change, but penetration testing is the one solid approach, in my opinion, that consistently evaluates defences from a technical perspective.
What about advancements in AI in relation to hacking— what are the implications here?
AI is going to be the new battlefield. At the moment it’s people versus people. In cyber, adaption and evolution always comes from one side or the other. Attackers are using AI so now we have to start using AI to continue to defend our assets. And we’ll need to adapt and widen the parameters of attack and defence whenever the next advancement comes along, which will probably be quantum. AI is a relatively new tool and we’re still learning. In my line of work it is bound to prove very useful for threat detection, incident response, and the correlation and analysis of data.
Breaches are based on knowledge and they are all related to data, and AI can help us understand data and look for patterns in hacker activity much more readily. On the flip side, AI use in cyber warfare poses many questions. I don’t know how we’re starting off and it’s difficult to understand who has the advantage here.
Could AI be a helpful tool for penetration testing and red teaming tasks?
AI is not just a button you press and it carries out an activity, you’re actually constantly feeding it information. If AI starts to be used for penetration testing, collecting threat data and learning advanced hacking techniques then it’s going to be a very dangerous weapon if it falls into the wrong hands. I think a moral code around what we teach AI, and the ethics around its use, is absolutely critical, because once we start teaching it we can’t take that back.
If we train AI to become the most powerful hacking weapon in the world, then what happens? We need moral and ethical codes, but who is going to enforce compliance? Many businesses are still struggling to comply with GDPR correctly, and the intricacies of AI and how to govern its use creates a whole different problem that certainly requires some serious thought in the very near future.
What are your thoughts on the idea of AI replacing human roles within cybersecurity?
I personally see AI as a tool to enhance, not replace. I read an article recently which mentioned that AI could replace some of the more entry level roles in IT and security, like a SOC Analyst, for example. This is actually one of the crucial developmental roles that I always recommend for those looking to get into a career in security. If this role doesn’t exist in the future, then what does that mean for those wishing to enter the industry? You have to start with the basics because no one can automatically become an expert overnight.
Be part of something bigger, join BCS, The Chartered Institute for IT.
So I feel that those entry level jobs can be enhanced and made more exciting by AI; that there is a positive outcome here rather than a negative one. Also, the human element is still very integral because, at the end of the day, it’s not going to be AI that decides to attack an organisation, behind that is still going to be a human, so you still have to understand the human element. AI doesn’t have feelings or know that it wants to steal credit card data. It’s all about people, so the human element needs to always be there.
Is the world of cybersecurity now becoming overwhelming, or is it still exciting?
It is very exciting. If we consider how reliant we are on technology internationally then cybersecurity is going to become absolutely huge and infinitely more significant as technology becomes even more integral to every aspect of our lives. Our money and our identities are now digital; if someone wants to wipe out your digital identity, you no longer exist. As businesses apply more focus to protecting their key assets, my team and I are becoming involved in some incredible cybersecurity hacking projects.
For example, we might be instructed to ‘try and steal a million dollars’, ‘try and re-route this ship’, or ‘try and change medicine doses’. The objectives are becoming increasingly more interesting and this is driven by more organisations realising the damage that a breach can cause and the implications for them if their data and systems are not secure.
As a role model for young people entering the industry, what advice can you give?
In terms of your career, you have to build it for yourself — no-one else will do it for you. As a tactic I was always told to write down your soft skills and tech skills and then plan how to gain the skills required for the role you eventually want. That plan is your career. Career should be all strategy — I have never left anything to chance. You might not love the first role you have but it’s a valuable stepping stone along your career pathway.
Next, it’s important to work on your own eminence and build your personal brand. Excel in your work, let people know of you before they meet you. Offer a lot to your organisation and invest in your own personal development. Finally I would say that networking is extremely important. Get out to events, meet key people within your field and build strong relationships with colleagues and customers. You spend every day in your career so it’s certainly not something that you want to leave to chance.
Finally, you are a judge at this year’s IT Industry Awards. What are your thoughts and expectations?
It really is a huge honour to be invited to judge. I wanted to give something back, to help others and particularly to help women that are where I was a couple of years ago. I think talent in the industry is growing so much and I’m very excited to see what this year’s applicants will be doing.
I think we’ve evolved so much as a technologically adept society and early professionals are achieving a lot — their skillset is phenomenal — so I’m expecting to see applicants that have incredible skills and knowledge. It’s going to be very difficult to judge. It’s great to be involved with such an important event, and if I’m able to pass on any knowledge that will help people, or share my story with them, then that would be fantastic too.