As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Evgenia Broshevan, the Head of HackenProof Bug Bounty Platform, Co-Founder of Hacken.io.
Evgenia is a co-founder of a global security ecosystem Hacken and a Product Manager for European bug bounty platform HackenProof. In her role, she unites the efforts of bug hunters, internal security team, as well as sales and product teams to provide security excellence for responsible business. She is also in charge of one of the largest cybersecurity conferences in Eastern Europe — HackIT. Evgenia has taken part in numerous security scientific conferences and summer schools in Europe. Last but not least, she holds a master’s degree in cybersecurity and is a Certified Ethical Hacker.
Thank you so much for doing this with us! Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
Honestly speaking, I do not strongly believe that a particular book, film, or podcast can have a fundamental impact on individuals. In my opinion, the environment in which we live and work and our closest friends and colleagues are the only factors behind who we are today. An individual can experience personal and professional development only when interacting with other people sharing similar beliefs and life considerations. Books and films are just for finding some answers or insights.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Yes, here I can share a very interesting story. When I was a child, I used to watch films about spies, or better to say, computer geniuses who could individually change global business development as well as have an impact on the decisions made by public officials, somebody, you know, “cyber kingmakers”. Common people do not see them or even know about their existence, but such “cyber kingmakers” may be referred to as a global power. And I also want to be a power in this changing world, that is why I have decided to work in the field of cybersecurity.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
Well, in my profession, even the most qualified specialists commit both minor and fundamental mistakes when working on almost every project. If we don’t make a mistake and identify the way to correct or prevent its occurrence in the future, then a cybercriminal will do this job for us. Based on my professional experience, when you make a mistake and admit it, only then do you really grow as a leading cybersecurity specialist. You should not be afraid of making a mistake; you should be afraid of failing to admit it.
Are you working on any exciting new projects now? How do you think this will help people?
Yes, I am currently working on amazing projects within the Hacken ecosystem. One of these projects is HackenProof. We help companies detect security flaws and prevent data breaches by conducting security audits and organizing bug bounty programs during which ethical hackers can get rewards in exchange for bugs reported. The leading industry players, and even government agencies, apply for services provided by HackenProof. And I can also mention such projects as disBalancer and HAPI that have been recently launched within the Hacken Foundation. All these projects are aimed at making the world a safer place by utilizing innovative security solutions and combining the expertise of leading specialists.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give examples?
I fully agree with you! The first and perhaps most exciting thing is the constantly changing nature of the industry. New challenges arise every day and, thus, we always need to work on developing new solutions. The work in this industry is full of new discoveries and exciting opportunities. The second thing is professional relationships. You work with highly qualified people who apply a non-standard approach and creativity to solving complex issues. You can always get new skills and insights when working with these people. And the third important thing is the understanding that you perform the job that makes the life of thousands or even millions of people safer and more convenient. The most exciting component of my work on these projects is the possibility to interact with leading experts and white hat hackers from all over the world.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
The increasing scale of damage that may be caused by a single cyberattack. For example, a powerful cyberattack against governmental websites may block access of millions of people to key public services. The second and very important concern is the role of the state in the world of cybercrimes. There are governments that are backing organized hacker groups or providing them resources that are later used to commit massive cyberattacks. And the third serious concern is reputational damage to the profession of a cybersecurity expert. People wrongly suggest that all hackers are criminals and do not even try to recognize the role played by white hackers in making the world a safer place. The global cybersecurity community should strive to establish strong communication with the public by organizing industry events, forums, and meetings on a regular basis so that business people, officials, and students would realize the scope of cybersecurity threats existing in the world and treat cybersecurity specialists, not as potential criminals, but rather as their safeguards.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
Honestly speaking, companies should have started preparing for upcoming threats many years ago but, fortunately or unfortunately, the pandemic has forced them to prioritize cybersecurity right now. One of the main threats is the intensification of cybercrimes with the use of social engineering techniques. People suffer from a lack of communication, and cybercriminals actively manipulate user trust for malicious purposes. Also, online business has become a new reality, but hackers actively try to benefit from this trend by carrying out DDoS attacks aimed at crashing the victim’s websites or other resources in order to demand a ransom to cease the attack. And, of course, cloud service vulnerabilities may constitute the risk faced by companies when trying to ensure ultimate data protection.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I can share many stories, but a particular one will surely boost the interest of every individual. Our main clients are crypto exchanges. When I was working on testing the security of the crypto exchange X, sorry I cannot disclose its name, the white hat hackers detected a vulnerability that could be exploited by malicious actors to withdraw digital assets worth even a few million USD, and the exchange could not even see such transactions. Our work allowed the exchange to prevent colossal financial and reputational losses. When speaking about the main takeaways, even the companies that consider themselves as resistant to cyberattacks should not neglect the importance of regular security reviews performed by third parties and bug bounty programs. And of course, companies should always be prepared to face a cyberattack since hackers work 24/7.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The 2 most frequently used tools are penetration testing and bug bounty programs. The former tool (which may take the form of web application, mobile application, and network penetration testing services) provides for detecting vulnerabilities in clients’ resources by professional testers before malicious actors can exploit such weaknesses to compromise a product’s security. The latter tool has the form of public or invitation-only (private) programs during which external researchers (white hackers) work on identifying bugs or vulnerabilities in a client’s resources in exchange for rewards.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Although each cyberattack may have its distinctive features, in most cases, a layperson can detect that something has gone wrong by noticing the following signs:
- your resources start working slowly;
- you face uncommon issues when trying to access webpages, servers, etc.;
- you see a large number of suspicious emails or notifications;
- you detect unknown software.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First of all, a company needs to admit that it has been hacked. There are no companies in the world that can be 100% sure of their resistance to cyber threats. Then it needs to notify both its employees and clients (partners) of the hack and the corresponding details. And only then should it start working on fixing issues using internal resources or inviting external cybersecurity specialists to address the outcomes of the attack. The elimination of the reasons behind the experienced attack, and identification of vulnerabilities that can be potentially exploited by malicious actors during future attacks, is the key way to mitigate security risks in the future.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
I have seen very different mistakes made by companies, thus, it is difficult to outline the most common ones. But I have traced some patterns that make companies vulnerable to cyberattacks:
- cutting down expenditures on cybersecurity;
- negligence of security testing tools;
- absence of special training on cybersecurity for employees;
- underestimation of hacker skills and creativity.
To correct such errors, companies should regularly audit their data security using verified professional software or applying for security testing services provided by specialized vendors. Also, companies need to prioritize security both when working from the office and remotely. There is no sense in constructing so-called security walls against hackers in offices while allowing employees to access corporate databases using public Wi-Fi and weak personally secured devices. And, of course, companies need to hire qualified cybersecurity staff and refrain from moving into new business directions unless there is a strong cybersecurity basement.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
Currently, the situation is changing in a positive direction. I see a growing number of women working in leading STEM projects. However, there is still a lot of room for improvement. Employers in STEM still demonstrate some forms of prejudice in their attitude to women. I think that women should have broader access to training opportunities and it is important to popularize STEM among teenagers as well as destroy common myths related to STEM. Women need to be sure that they can achieve professional success in the field of STEM. And, of course, we need to speak with industry leaders about the positive changes women can bring to the industry.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
The main myth is that to work in this field you need to be a genius and know everything about digital technologies, code, etc. However, today there are many opportunities for you to get the required skills and knowledge to work in this field. For example, many educational institutions offer high-quality programs for future developers and security engineers. You can also attend specialized courses, apply for internships in leading IT companies, and attend professional events. But, honestly, many specialists working in this field do not have any relevant background and they are so-called ‘self-taught’ cybersecurity experts.
Also, there is a popular myth that once you get basic cybersecurity knowledge and skills you can consider yourself a cybersecurity expert for the next few years or even decades. However, I have to disappoint you. To be a cybersecurity expert you need to constantly look for new information on the changes taking place in the industry, analyze technological trends, investigate recent cyberattacks and, of course, try to identify new security opportunities such as the ones existing in the world of crypto.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- Don’t be afraid of applying a non-standard approach to solving complex issues. To prevent cyberattacks you need to think like hackers, and these guys are experts in applying creativity. When working on testing client security, we always try to think a step ahead of hackers.
- Do not underestimate your leadership power. Often women who are leaders very effectively perform their professional functions but are afraid of leading changes and, as a result, very promising ideas just remain on paper. In my work, I always share all ideas I have with my colleagues, and most of them have already brought visible results.
- Always follow up. Your colleagues, friends and, of course, subordinates want to get feedback on their work. Feedback allows them to realize how to achieve higher targets. Follow-up should be your main instrument to increase an employee’s motivation. At Hacken, I always provide transparent feedback on the work performed by our specialists, even when they are not my direct subordinates, and that is why my colleagues treat me like a true friend and advisor rather than just as a manager.
- Always try to find your female mentors. There are many women in the industry who have already achieved amazing results and have fundamental knowledge which they are ready to share with other women to strengthen our role in STEM. For example, during professional events in which I participate, I try to establish communication with women representing other companies. It is a win-win situation since only together can women make a difference in the industry.
- Consider failures as an opportunity to overcome barriers and reach new heights. I have experienced a number of situations during my professional career when only by committing a number of mistakes could we develop really breakthrough solutions. Don’t give up, women are much stronger than men can even imagine.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US, with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them.
Yes, Katie Moussouris. Her background and professional activities deserve the attention of even the most prominent experts. She does a really great job! In my opinion, she feels the industry and can share many interesting insights. I would like to have a private breakfast with her.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!