Security Expert Interview Series: Nuno Teodoro
In this interview, Nuno Teodoro, a Cyber Security Officer at Huawei, talks about his professional background and areas of interest. Nuno is an executive-level cybersecurity professional with experience in engaging with regulating bodies and managing international certifications and cyber programs. He previously held the position of Global Chief Information Security Officer (CISO) and served as an Information Security Expert and Information Security Officer in multinational organizations like Vodafone and Allianz. To learn more about his thoughts on malware trends and what organizations should do to adapt their security to be ready for tomorrow’s malware attacks, continue reading.
1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, Nuno?
Thank you, I’m excited to be part of it. I was lucky enough to figure out, while in my computing engineering master’s, that I wanted to work in the information security field. So this means I have pretty much less than 2 years of professional experience in a non-information security-related area. That said, I started as most people did back in my time, as a penetration tester, white-hacking mostly web applications. And I say as most people did back in my time because around 10 years ago, finding an opportunity in the information security field (especially in Portugal) was really hard due to the low demand. Eventually, I got the opportunity to work in some big consulting companies providing information security services in Portugal, which allowed me to work in pretty much every vertical sector and across a wide range of activities ranging from penetration testing web, mobile, networks, and equipment, to more strategic and processual activities such as ISO 27001, policies, procedures, strategies and guidelines for critical cybersecurity activities and programs.
Most of my background was built around the telecom and financial sectors, where I have built my career as a chief information security officer, working in companies such as Vodafone, Allianz, and Truphone where I got the opportunity to build high-performance teams and tackle a wide range of cybersecurity areas ranging from building CSIRTs to GSMA and ISMS/BCM certification processes, along with the implementation of CIS Top 20 and NIST CSF controls. Basically put, as every CISO, the goal is to try to be one step ahead and do the best with the available resources to make your Organization impenetrable (laughing while I write this).
Eventually, I moved to the role of Cyber Security Officer in Huawei where I tackle all the internal cybersecurity requirements of the Organization and into country-specific cybersecurity laws and regulations, understand government, regulators, and customers’ requirements on cybersecurity, while developing local specific cybersecurity solutions and incorporate cybersecurity into corporate business/product planning.
Although the cybersecurity field is limitless nowadays, my main areas of interest and focus are on threat intelligence, cyber warfare, cyber terrorism, and cybercrime. There is something in the way that an IP connection can completely disrupt a society that I find extremely interesting and worth studying and dedicating further.
2. As we noticed, you are a Cyber Security Officer at Huawei. Could you please share with us what are the challenges that excite you in that position?
Needless to say, this is a highly challenging position. I’ve always been moved by professional challenges and I found a really good one here. Not only is Huawei one of the biggest technology companies in the world, ranging from consumer to enterprise products, which by itself brings a lot of cybersecurity challenges and requirements to tackle, it is also surrounded by geopolitical challenges. This brings another set of difficulties we as a company need to overcome and eradicate, demonstrating that cyber espionage and cybercrime cannot be associated with Huawei merely due to its country of origin.
On one hand, there is a highly technological cybersecurity challenge as we operate in virtually every sector with technologies ranging from 5G, IoT devices, solar panels, smartphones and intelligence computing in our clouds, just to name a few, and on the other, there is an everyday growing number of cybersecurity requirements for suppliers such as Huawei from national cybersecurity authorities, customers, regulators and governments, that Huawei needs to get aware of, analyze, implement and comply with.
Personally, this represented an increased focus from my side to cyber geopolitical, regulatory and legislation cyber requirements rather than a purely technical information security role which has always been my environment. Huawei allows me to get the best of both worlds, especially as in the cybersecurity officers team we count on extraordinary support from our public affairs and communication teams, which work very closely with our West European Union teams in Brussels.
Additionally, it is remarkable to work in a company where we can see the direct effort in working and collaborating with organizations such as the GSMA, 3GPP and ENISA, along with the focus on movements that benefit the society such as the digital with purpose and several initiatives that bring digitalization and sustainability hand in hand.
3. Please, describe a way that you help your company understand the value of information security.
I am lucky enough to work in a company such as Huawei, where the CEO commits with a public statement that Huawei guarantees that its commitment to cybersecurity will never be outweighed by the consideration of commercial interests.
That said, as a Cyber Security Officer, my role is to act as a middleware between customers, organizations, regulators and legislators and the internal World of Huawei, cascading all of those requirements and obligations to our operational teams, products and R&D.
A Cyber Security Officer has his life made a bit easier to explain to the Organization the value of information security if we by default already have a top-down endorsement, which is the case, and the entire ecosystem is surrounded by the understanding that we are in the spotlight when it comes to security and privacy issues. Luckily, everyone is highly aware of their own responsibility of information security and privacy objectives as Huawei makes it very transparent that every business area has a risk owner for security and privacy.
My roles become fully supported by the intrinsic understanding of everyone, ranging from HR to Procurement, from Legal to Product, that our core differentiation is a high-quality product with security and privacy by design.
4. What key malware trends have dominated 2020 and what should we expect in 2021 and years to come?
Indeed, malware has dominated 2020 and will continue to do so in years to come, especially regarding ransomware. We saw a big increase in malware throughout the World, taking advantage of COVID-19, where organizations had not prepared for a decentralized operation, with the proper controls in place. Moreover, many organizations still lacked effective endpoint protection and secure remote connections that would allow them to prevent and isolate malware dissemination, also further aggravated by the lack of capacity to restore data and backups.
From Jupyter (a Russian info-stealing malware) to Emotet, from the Cognizant Ransomware Attack to Ryuk ransomware that hit six hospitals in the U.S., the stories are becoming scarier as the trends move from damaging organizations to affecting human lives.
I believe that in 2021 and beyond we will see an increase of targeted malware for IoT devices, smart cities, and smart cars. As the world becomes more and more connected, malware trends will adapt to proliferate through those new ecosystems, thus moving from the organizational level impact to society or nationwide level, where disruption will magnify exponentially.
5. How can organisations adapt their security to be ready for tomorrow’s malware attacks? Please walk us through your top recommendations.
I cannot stress enough the benefits of everyone starting to move to a Zero Trust approach, with a proper strategy for detecting and containing such attacks. The traditional anti-malware software is not enough anymore, and the traditional network architectures are obsolete when containing these malicious agents. The two main pillars that will support organizations to be ready for tomorrow’s malware attacks rely on reducing the attack surface combined with the identification and prevention of unknown threats.
The benefits of full visibility over our networks and endpoints are often disregarded, but in today’s ecosystem, that is mandatory. We cannot block what we do not see and we cannot develop proper IOCs without fully understanding behavior and operation models of malware running in the networks. I suspect moving forward we will need to rely much more strongly on behavior analytic tools and AI models to predict potential attack patterns in our organization’s ecosystem.
6. What are your main go-to-sources of information when you are stuck? Feel free to share the sources/websites with us.
I wouldn’t say there are go-to sources when I am stuck but rather for some specific topics there is the need to further dig on the Web. And as any other person would do, sometimes the best information is found on the most unknown and unexpected sources. I do have some peers I like to rely on and give a call to pick their brains.
7. What is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in information security?
Get a mentor or follow someone you believe is a role model in this area and learn. Learn as much as you can, practice, investigate, be curious, and do not be afraid to take your time. The basics of the cybersecurity area are strong pillars of what you will be able to do with your career in the future, so consolidate knowledge around the core topics, frameworks, and events you see throughout the cyber ecosystem.
I will strongly advise, instead of rushing to security certifications as people often do, to have something to show, actually put your hands on and understand how to execute what you would only be reading through these certification manuals.
8. Our last question: where do you go for inspiration or resources that you use in your own personal development?
I am a big fan of reading and I like to consume as many InfoSec and cyber books as possible. Usually, a random search on Amazon for keywords such as cyber warfare security and forensics takes me to nice books. Also, I am a big fan of reading some well-known blogs such as Krebs on Security, TaoSecurity, Schneier on Security, and some podcasts such as CISO Tradecraft and Obscura.