Cesar Cerrudo is the CTO of IOActive, a security research company that approaches security from the attacker’s mindset.
The US firm’s team of security consultants work with some of the world’s largest organisations to find flaws in their cyber defences. As CTO, Cerrudo leads a team of ethical hackers that have hijacked technology throughout the stack, including jeeps and robots, and often presents his research at leading cybersecurity conferences such as Black Hat and RSA.
In this Q&A, the 17th in our weekly series, Cerrudo explains why machine learning can help fill the cybersecurity talent shortage, how the pandemic highlights the fragility of our digital infrastructure, and how he initially learned to hack without a PC.
Rob Scammell: Tell us a bit about yourself – how did you end up in your current role?
Cesar Cerrudo: My company, Argeniss Consulting, was acquired by IOActive in 2011, but I had worked with them for several years as a contractor before that. We had a great relationship, so I was asked to bring my staff onboard and we’ve been at IOActive for 9 years. As CTO, I focus on security research, finding problems in technology so they can be secured. Besides my role at IOActive, I have my own software company and am a founder of Securing Smart Cities, a not-for-profit global initiative working to solve the cybersecurity problems of connected cities.
What’s the most important thing happening in your field at the moment?
Securing new technologies as they develop. As new technologies come out every day, they become integrated into our lives and we become more dependent on them. But this makes us vulnerable if that technology is found to be insecure. Unprotected technology impacts people’s daily lives; look at the number of companies and individuals across the globe victimised by ransomware attacks, losing valuable data and sometimes money. We need to educate the public on cybersecurity and about the simple steps they can take to protect themselves.
Which emerging technology do you think holds the most promise once it matures?
Machine learning holds a lot of promise in my field, because one of the greatest challenges we face is a shortage of skilled people. This is in large part because it takes time to develop the skills needed to do a good job as a cybersecurity professional. Machine learning could help solve this problem by automating a lot of the work that is currently done manually, giving security specialists the time to focus on other more interesting areas of the job.
How do you separate hype from disruptors?
It’s difficult to do this without specific knowledge of the tech, especially with the constant stream of news and articles and product releases. If you lack this expertise, you should go to someone with technical know-how who doesn’t have an interest in your product choices. For instance, at IOActive, we have the expertise to provide customers with vendor-neutral guidance on the best ways to improve their cybersecurity.
What’s the best bit of advice you’ve been given?
Focus on doing research into technology that impacts a great number of people’s lives. If you’re researching a technology which has only 100 users, you’re only protecting that number of people. If you do the same for technology that is used by millions of people, you could end up helping millions of people.
Where did your interest in tech come from?
I have always liked technology. My background is in software engineering, but I was always interested in learning to hack. When I got to college, I learnt the Assembly language without a PC, just from reading books and looking at virus code printed in papers. Later, when I did have some internet access (an hour or so a week), it became easier to try the things I read about and start to build my own tools.
What does a typical day look like for you?
Attempting to make some headway on my never-ending list of things to read, talking to people and coordinating different projects.
What do you do to relax?
I like to go to the gym, meditate, and spend time with my family.
Who is your tech hero?
I wouldn’t say I see any one person as my hero. I think there are important people that have helped humanity and technology with the work they have done, but we need to appreciate multiple aspects of people’s lives, not just their careers. Some individuals are wildly successful in their professional tech careers, but they may have problems in other aspects of their life. I’d say I respect people who have equilibrium in their lives with respect to work, family and health. It is easy to get just one thing right, but it is more difficult, and I’d say more admirable, to have that balance.
What’s the biggest technological challenge facing humanity?
I think the biggest technological challenge we face is from unprotected technology, and I’m not just saying that because I work in cybersecurity! As the adoption of technology continues, there will come a point when we are 100% dependent on technology. If at that point we don’t know how to properly use and protect it, we will suffer huge consequences.
If we look at the current situation, where 1.5 billion people are being asked to stay at home, it really shows just how important technology has become to us – without it, we would be completely cut off from one another. Imagine if a hacker were to attack our critical communications networks now – it would be completely crippling and dangerous.