The State and Future Trends of Cybersecurity. An Interview With Tanya Janca

Lukas Grigas
Cybersecurity Content Writer

Tanya Janca, also known as SheHacksPurple, is the definition of a jack of all trades. She’s the founder and CEO of the We Hack Purple Academy, community, and podcast, which focus on spreading awareness and teaching secure software development. With an impressive background in cybersecurity and having worked for tech giants such as Microsoft, Adobe, and Nokia, Tanya has devoted her professional life to educating IT professionals about secure software development and cybersecurity in general.

Today, we have the awesome opportunity to sit down with Janca and go deep into the rabbit hole that is cybersecurity. Without further ado, let’s jump in.

What got you into the field? How did you become a cybersecurity expert?

I was a software developer for many years, and I also played music professionally. I was a folk singer and played as part of several different rock bands. One day my office hired an ethical hacker, who was also in a band, and we became friends. Over the next year and a half, he tried to convince me to become a penetration tester. I apprenticed under him for a short while but very quickly realized that there was a lot more to securing applications than just running a scanner and calling it a day. The more I learned, the more I wanted to learn, and the rest is history.

What would you say to people who are interested in knowing more about cybersecurity? Where do you start?

The first thing to realize with cybersecurity is that there are several subfields within our field, and all of them are quite different. I wrote an article to help people understand some of the different types of jobs, so they would know where to start.

Figure out which areas interest you, then join online or local communities on that topic, follow people’s blogs or social media who share info on those topics, then try to find a professional mentor in that area.

For help finding a professional mentor, every Monday I host an informal mentor matching program on Twitter. Use the hashtag #CyberMentoringMonday to ask for a mentor, or just follow the hashtag and reply to people who offer. Meet them online, talk to them, ask for advice. You may be surprised just how many wonderful individuals are out there just waiting to help someone new in our field.

Many people seem to be unaware even if they face cyber threats. How would you shift this mindset, and what’s the path to true awareness? Does the carrot or stick method work?

While it is true that the average citizen has very little idea of the cyber threats they face, I personally feel that they shouldn’t have to be aware. Our systems should protect them properly. When we start a car we know we have to put a seatbelt on, follow the traffic regulations, and we are good. With computers, the industry seems to expect the average person to have an extensive amount of knowledge and technical ability (which is not possible). This leads to gaps in knowledge and the average citizen not being overly “safe” on the internet and while using digital devices.

What is the answer? I feel it’s two-fold. 1) Our industry needs to do better. Car owners aren’t expected to adjust their own brakes or install various car parts themselves. We need to make computers similar; we need to handle almost everything for our users, especially security. 2) Governments need to create educational programs aimed at the average citizen. They also need to create regulations and standards for our industry.

When it comes to passwords, our research shows that people use super simple insecure ones – why do you think it is so hard to change these behaviors?

Again, I’m going to blame our industry. The average person has over 100 passwords they are supposed to remember, on top of all the things in their life that are important to them (their child’s birthday, for instance). Remembering 100+ long, random passwords is not normal human behavior. They also don’t understand the importance of password hygiene.

The best solution, with the way the industry currently works, is for users to get a password manager. It remembers everything for you.

Hopefully, in the future, we will move towards being passwordless. But for now, password managers are an excellent compensating measure.

I would say the most popular stereotype is the angry young man in his parent’s basement, in the dark, wearing a black hoodie, taking out his angst on individuals and corporations using free/open-source hacking tools. It’s not a nice picture.

I would also say we have a problem with glorifying red teamers (people who do offensive security, testing boundaries and defenses). All of the jobs are important. We cannot create an excellent defense without looking at the problem from all angles. Movies and other media make it seem as though malicious actors and “hackers” (good or bad) effortlessly intrude systems, and people who are new to our industry falsely believe that work is simple. It also means we have fewer candidates for the rest of the jobs that also need to be filled.

How can companies implement a security-first culture?

Creating any culture requires leadership from the top. A security-first culture would require leadership that understands the problems that our industry faces – as well as good training.

Training for everyone, not just leadership. Quite often when companies or individuals make poor security choices, it's because of the lack of information, not because they don't care about consequences or don't find security to be a priority.

Most people do their best at work every single day, and this includes keeping their organization safe. I realize that I founded a security training company, so it may seem as though I am biased in my answer.

However, I started my company because I believe this is a huge hole in our industry. I believe that the cost of training puts it out of reach for many organizations, and I believe our lack of sharing of information that is pertinent to securing our systems and organizations is part of why cybercriminals are so incredibly successful. In 2020, 1% of the GDP of the entire world went to cybercrime. That's both astounding and horrible.

If we want to survive and thrive, with cybercriminals all over the world currently raking in the profits, education needs to be either cheaper or free. We must start sharing information if we want to do better.

What do you see as the biggest threats and dangers these days?

The biggest threat to most organizations is generally crime. Theft of intellectual property, theft of information, or theft of customer information. Most organizations are robbed rather than “hurt” like a nation state might be. The threat within the company is generally lack of inventory (unknown systems which are insecure), the inability to use all the tools that they own properly, and systems and processes that do not allow for fast patching and other fast actions that are required during an emergency.

The biggest threat and danger for an individual, though, is that our industry is not properly protecting them from cyber threats. That we, the industry, are failing. The average user has to take on their own cybersecurity measures, such as using a password manager or VPN, which is utterly ridiculous. Imagine someone in a car deciding that they would wear a helmet, a chest plate, and other protective gear because they knew their car couldn't be trusted to keep them safe. This is what we're seeing currently in the industry. Although I am glad there are companies that create these tools that help to protect the average individual, I wish that we could have them built right in from the start. I wish that our industry produced phones, operating systems, and even smart light bulbs that protected the average person adequately. But that is not the case right now.

As this is the year of “The Great Resignation,” technology workers are leaving unpleasant working conditions left and right, searching for something better. I personally have seen a turnover of approximately half of the people I know, looking for (and finding) new work. As a result, salaries have skyrocketed, making it difficult to find and afford qualified staff. On top of this, the industry continues to recruit almost exclusively at the senior level, even when this is not necessary for the role at hand, further intensifying this problem. Lastly, with understaffing being an issue throughout our industry, plus the pandemic and all its negative consequences, this has led to widespread burnout, leaving our industry with even fewer defenders than in recent years.

I think understaffing, burnout, and lack of training are a huge threat.

Companies need to take this issue seriously by training and taking care of their staff. I believe (as a manager) in touching base with every single employee regularly (at least every month), to ensure all their needs are met, they are not overwhelmed, and they are content. Asking them what they want to achieve in their careers, then helping them get there. Finding out what would make their jobs more satisfying, and then providing it. Train them so they can do their jobs more efficiently and effectively. Give them regular feedback on their job performance, especially on things they do well, to help them become their best self. If they are overwhelmed, drop some projects; it’s worth letting a few things go so that your employee stays. Treat them as though you are lucky to have them, and they will be more likely to stay. Invest in your team now, and you will profit in the long term.

Other trends I predict are more cybercriminals being creative in new ways. I believe that the Log4j thing is not going away anytime soon, and I fear that cybercriminals will have such a wide recipe of attacks that work very often that we just won't be able to stop them.

I really hope that cybercriminals do not come up with something better than ransomware. Because we're already doing an awful job at defending ourselves against ransomware. If they up their game and continue to be innovative, I fear the worst.

What do you think of the passwordless future?

A passwordless future sounds beautiful. If we could figure out a way where it actually works, it would be glorious. If we could create authentication and authorized systems that worked perfectly every time, that were not breached constantly, we could gain back the confidence of the everyday user. I have personally refrained from giving my fingerprint and a lot of other biological data to technology companies because they have messed up so many times in the past. I believe that in order for a passwordless future to work, we are going to need to regain the confidence of many people. But I believe we can do it.

I think that, if we end up going passwordless, it’s probably going to be one or two or three organizations that are innovating and creating a product or some sort of protocol that then can be accessed by many companies.

My prediction of what will happen – one or a few companies will come up with a good solution that works and until then, it’s gonna take time.

What does the future of data privacy look like in terms of personal, business, and nationwide security? Who do you think needs to lead the way – organizations, governments, businesses, industry, or society?

I feel that governments need to lead the way in regard to data privacy. In Canada, we actually have a pretty darn good privacy policy that our government created, but unfortunately they rarely actually enforce it. We need not only excellent policies, but we need verification and enforcement. Private industry will never actually lead, because it is in their best interests not to respect our privacy.

Quite often, I actually have to speak to the vendors for my company about their privacy policies. My customers have the right to be forgotten, even if their tools do not implement that by default. I, as a business owner, should not have to argue the merits of the right to be forgotten when GDPR exists. The entire thing is quite frustrating, to be honest. So I do not believe that private organizations will ever lead the way on this when it is a direct conflict of interest in regard to how many of them earn money.

I fear what the future holds for data privacy. I fear for younger generations, who put all sorts of images and information about themselves onto the Internet without thinking first. I am grateful that I am of an age where the Internet did not exist when I was young.

I do hope that with a lack of data privacy, that some taboos will no longer be taboo. For many years, there have been double standards for women, people of color, and other groups. With a complete lack of data privacy, perhaps in the future we will realize that all of us are equal? That we all do stupid things, sometimes? And that perhaps we should all be held to the same standards? Unfortunately, this is not what I predict, only what I hope.

Did you face any challenges as a woman in the previously male-driven cybersecurity field? Maybe even new opportunities? If yes, tell us about that.

Yes, I face challenges as a woman who works in a currently male-dominated field. I've been paid less for the same work and promoted later (or not at all). I've been sexually harassed on many occasions and sometimes still am. It's getting better, but it's still not acceptable.

In one of your interviews, you said, “Because I’m a woman, I’ve been asked many silly questions in interviews.” What were they?

So the question that you just asked me… “did you face any challenges as a woman...” That's the type of question that I get asked in interviews. Men don’t get asked things like that. I also get asked if I have children, if I'm pregnant or planning on having children, what my “family” is like. I get asked, “Can you really have it all?” Which is a stupid question, in general.

I want to talk about cybersecurity. I want to talk about making better systems. I want to talk about protecting everyday citizens from risks that they shouldn't even have to know about. I don't generally want to talk about how outdated views (sexism, racism, homophobia, etc.) continue to hold many talented individuals back. It's not that it's not important, it's that it's so frustrating, it's hard to talk about. It pisses me off.

What about being a role model for others? I can imagine lots of girls look up to you and think, “I want to do STEM as well.”

I definitely support that and I’ve spoken at tons of schools, tons of programs for girls at computer science or girls at cyber camps. I started an international non-profit in 2018 called WoSec – Women of Security and so I’ve worked on that as well. I’ve also mentored tons of women and spoken at many women-only events. It is really important to me to support other women.

Why is community so important in cybersecurity?

Community is where I learned almost all of my cybersecurity skills. Community and networking are how I got almost all of my jobs in this field. Community is where I met many friends who I am still close friends with to this day. Without the information security communities it would be significantly more difficult for newcomers to join our field.

Do you see a connection between mental health, peace of mind and cybersecurity? If yes, what are your thoughts on this?

I'm not a mental health expert, but I definitely sleep better when I know my systems are secure. With the Log4j situation that happened recently, when I knew that I could see every single code repo in my client organizations because we had performed an excellent inventory exercise in advance, I could sleep better. I could worry less. Knowing you are secure, rather than hoping, is definitely keeping peace of mind for an InfoSec pro.

What about regular users – would they feel better knowing their digital life is secure, and what about you personally?

I think that the average person would feel better. If the average person would have a bit of education, if they could learn how to use a password manager and they could learn to turn on MFA and they could learn what personal information not to share with strangers – I feel the average person would have a bit less stress.

If they had a bit more education on phishing and how to spot when something is not right – I do think it would reduce overall stress. Especially when something bad happens, they would know what to do.

Seriously, I would not be able to do my job without a password manager. I just wouldn’t – it makes my life infinitely better.

I am always trying to tell people – turn on 2FA and get a password manager, and let it generate all your passwords for you. Never make a password again – you don’t have time for that crap – save your brains for good stuff.

What can we all do to make the tech industry a better place?

Kindness. Whenever possible, start with kindness. Understanding, second chances, asking more questions rather than assuming. A tiny bit of kindness can go a very, very long way.

Why do you think a career in cybersecurity is a wise choice? How would you convince young talent to consider it?

Cybersecurity, as an industry, has very good job security. If you have any level of experience and a decent reference, you will never be out of work unless you want to be. It also pays very well, even higher than software development.

That said, I enjoy this field because I believe the work is noble. I believe protecting others is a form of doing good. Not “doing a job well,” but like how Superman “does good.” It is important to me personally that I perform good as part of my life.

I also feel that cybersecurity is fascinating. It is constantly changing and quite demanding. I enjoy a challenge; I like it when things are hard. I enjoy solving tough problems.
