Importance of Compliance and Security Technology: Talking with Liliane Scarpari


In an era where the digital landscape is constantly under siege from cyber threats, professionals specializing in Compliance and Security Technology play a pivotal role in safeguarding organizations from potential risks. 

A distinguished expert in this field is Liliane Scarpari. With over 15 years of experience, Ms. Scarpari has cultivated a remarkable career marked by her extensive knowledge and impressive certifications. 

Her journey through various high-profile roles showcases her commitment to enhancing cybersecurity and promoting best practices. 

Hi Ms. Scarpari, how are you today?

I am delighted to meet you and to have this opportunity to talk about my career. Thank you for giving me this chance. Over the years, I have learned that having a woman share her path can inspire others in this field. When I started, there weren’t many female role models in tech. However, strong women in my family inspired me to never give up on my dreams, and here I am today. 

Q1: Conducting industrial control audits is challenging. Please share with us some challenges that you have faced.

Ms. Scarpari: I’d like to share a short story with you. I was working for a global company and my ultimate aspiration was to become part of the cyber security operations team. Despite my skills, I was informed that my geographical location made it impossible for me to join the team. I was disappointed and considered quitting my job to find an opportunity elsewhere. That’s when I received an invitation to join the Audit Team. Initially, I thought that this was not what I wanted, as I had always envisioned a cyber security professional working in a Security Operations Center (SOC) kind of job. However, during a meeting with a mentor, he opened my eyes to the great opportunities that comprised assessing the risks of a vast number of systems and networks that I had never worked with before. And that’s when I fell in love with the cyber security of industrial controls and audit.

Testing the security of industrial controls in a refinery, chemical plant or a vessel involves deep analysis of exposures and potential vulnerabilities that, if exploited, could lead to major disasters and even fatalities. In the field, you will learn that in terms of the CIA Triad, availability comes before confidentiality as it is more important to keep safety and critical systems working to then achieve secrecy. Another challenge is ensuring that legacy systems, which are still a reality in many of these locations, have sufficient controls to keep them secure since they were not designed with cyber in mind. Finally, when we think of critical services and infrastructure of a country, it is paramount that cybersecurity becomes mandatory and effective controls are designed and maintained to protect against never-ending threats.

Q2: Could you share an example of a particularly complex technical issue you’ve had to translate into business terms for high-level management?

Ms. Scarpari: Audit was a great fast-paced school that has shown me that you must be able to assess the business risks of security vulnerabilities and threats. What is the downtime cost of a critical system? What are the impacts of the loss of sensitive data? Security terms can be complex and difficult to understand for non-technical stakeholders, which can lead to misunderstanding, miscommunication, and misrepresented risk assessments.

Translating technical terms can provide insights for the decision-making process and support investments in security and the adoption of controls. Sometimes it can be like buying a new product; you don’t necessarily need to understand every single aspect of its manufacturing process. On the other hand, you have a team of specialists to ensure that the product is financially viable, safe, and fulfills your expectations.

Q3: As an RSA Archer instructor, what key takeaways do you aim to impart to business and IT users regarding risk assessment and controls management?

Ms. Scarpari: Risk assessment is a multifaceted discipline that can be applied to assess complex and critical systems, as well as daily operations routines. The main takeaway is to have a comprehensive understanding of your assets. While it may sound simple, it is not an easy task. Underestimating the value of an asset could lead to insufficient controls, resulting in incidents that could compromise confidentiality, integrity, availability, reputation, and more. Conversely, overprotecting an asset could result in financial loss. In summary, it is essential to spend enough time and resources to effectively evaluate the asset and then make informed decisions around the controls you need to implement to protect it against threats.

Q4: Considering the dynamic nature of cyber threats, how do you approach the task of enhancing security in cloud-based applications and databases?

Ms. Scarpari: Cloud-based applications and databases have several advantages over traditional on-premises software. Cloud computing benefits include the ability to scale up and down quickly and easily, cost-effective storage, high availability, and uptime, just to name a few. Nevertheless, moving workloads and assets to the cloud can pose risks. Poor access management is number one on the list of cloud computing security risks. Access management is nothing new; we have been dealing with it for decades, and the risks associated with it are significant.

Whether you decide to store your data on-premises or on the cloud, the absence of effective management could still be disastrous.

Q5: How do you perceive the evolving industrial cybersecurity, and what measures do you recommend to mitigate emerging threats?

Ms. Scarpari: Proper risk assessment is fundamental. It starts with a complete inventory of systems and devices, understanding the threats that could impact them, and mitigating them with effective and well-measured controls. If you don’t know what you have, then you don’t know what to protect, and this scenario can occur in large manufacturing operations. Secondly, protect the process network. Corporate networks are often the target of malware and phishing campaigns, so it’s important to protect your production network from such threats.

Finally, trust no one and verify everyone and everything that could harm your production network. It is not uncommon to have third-parties involved in the maintenance of industrial control systems, so it’s important to verify that they follow the same security standards and controls to protect against malicious threats.

Q6: What is the importance of a diverse and inclusive workplace for you?

Ms. Scarpari: According to research by Zippia, the global cybersecurity workforce is predicted to have 30% of women by 2025 and 35% by 2031. However, the percentage of underrepresented groups is more concerning. Diversity can foster innovation, creativity, and opportunities, while inclusion ensures that everyone has a seat at the table and the same chances to contribute and grow.

In Latin America, there are several organizations that promote women’s participation in cybersecurity. One such organization is WOMCY Latam, a non-profit organization made up of women with a focus on the development of cybersecurity. They work to minimize the knowledge gap and increase the opportunities for women in the cybersecurity industry.

I had a great career impulse because of the sorority of fellow women professionals that gave me the honor to be part of the group of the Top Women in Cybersecurity in Latin America.

Q7: How do you prioritize security measures when dealing with legacy systems, which often present unique challenges?

Ms. Scarpari: That’s a great question. Legacy systems were designed without security in mind, and that can be concerning nowadays. Security measures should ensure that the boundaries and access to such systems are properly managed. Trust no one, always verify that authorizations are up to date, and access permissions are restricted.

Modern monitoring systems can assist in this task by orchestrating incidents and issuing alerts when an anomaly is identified. These systems can help organizations identify potential threats in real-time and take corrective action before any damage is done.

Doing nothing is not an option. The fact that a system is not security-designed doesn’t mean you can simply ignore the threats. Organizations must take proactive steps to secure their legacy systems, including regular audits, patch management, and employee training.

Q8: Could you share your perspective on the role of documentation in cybersecurity audits, and how it contributes to effective risk management?

Ms. Scarpari: Properly documenting security gaps is important because it helps ensure that the organization can work on a response plan against identified threats. By documenting the threat analysis process and the business impact, organizations can develop strategies to mitigate them and reduce the likelihood of a successful attack against that system or network.

Stakeholders must be aware of potential risks and non-compliance and work towards a common goal of remediating them. This can be achieved by creating a culture of security awareness, where employees are trained to identify potential risks and report them to the appropriate personnel. Additionally, organizations should conduct regular audits to identify gaps in their security posture and take corrective action as necessary.

Q9: How do you envision the future of cybersecurity, and what emerging trends do you believe will shape the industry?

Ms. Scarpari: According to a report by the World Economic Forum, the future of cybersecurity is a topic of great interest and concern. The industrialization of cybercrime is a growing concern, and today we face a mature industry operating with a well-defined goal: profit. The growth of complex attacks and malware has raised the bar and exposed that the cybersecurity discipline must progress, have a holistic approach, and invest in technology against never-ending threats. Artificial intelligence will play an increasingly important role in improving the way we identify and handle cyber incidents.

Finally, investing in education and the future generation of cybersecurity professionals is crucial. We need to promote diversity and cooperation to learn from each other and use this knowledge to build effective cybersecurity strategies.

Q10: Finally, what do you think are the most important qualities for someone to excel in this role?

Ms. Scarpari: Persistence is key. Cybersecurity is not a static discipline; it is dynamic and fast-paced. To keep up with the speed at which new threats are emerging, you must commit to continuous learning. To all women and misrepresented groups reading this, do not give up on your dream of being part of this world. I have faced many obstacles in my career, and I know how hurtful it can be to hear that you cannot be part of something. However, I used that as an impulse to climb higher.

For me, holding a master’s degree from an accredited university has helped me build the foundation I needed to have discussions with C-level executives and translate cybersecurity into business language. For you, it could be something different. There are many paths to success, and it’s important to find what works best for you. Keep up the good work!

Author: Anas Hasan

Date: October 20, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
