Security Expert Interview Series: Laura Voicu
See one of our recent interviews below with Laura Voicu, who is a Principal Information Security Assurance Professional at Elastic. Laura has a PhD in data management and has previously held roles revolving around data, security and the intersection of the two: enterprise data architecture and governance, data operations, AI and robotics process automation, security architecture and cyber risk quantification. She is passionate about (big) data and machine learning and currently focuses her work on exploring the use of data science and machine learning to improve information security assurance.
1. Firstly, thank you for taking part in this campaign, Laura. Can you tell us about your professional background and areas of interest?
Thank you very much for this opportunity, it is a pleasure to be a part of this campaign. My journey to an information security career is not exactly typical, I would say, and I hope that sharing my experience will help others, particularly women, to find their path in this field.
I’ve always been fascinated by numbers and working with data. I have a PhD in data management and have worked throughout most of my career in roles revolving around data: enterprise data architecture and governance, data operations, AI and robotics process automation before officially jumping into cold water and moving into an exclusive information security role.
In my first information security role, I was responsible for introducing cyber risk quantification practices based on FAIR (Factor Analysis of Information Risk). It was challenging and rewarding at the same time and not necessarily because of its technical aspects, but because it meant working inter-disciplinary across different units and learning to be comfortable asking uncomfortable questions.
The rest is history, so to say. I joined the security assurance team at Elastic and, staying true to my roots, my day to day work revolves around topics at the intersection of security and data.
Currently, my favourite topic is exploring the different ways we can use data science and machine learning to automate and improve information security assurance.
2. We noticed that you are currently serving as Principal Information Security Assurance Professional. According to you, what are the top skills, both technical and soft skills, that are greatly needed in that role?
I strongly believe that in any information security role we need more than technical skills. There’s a lot of good advice out there on the technical skills needed in the information security world. But soft skills can easily be more valuable than technical skills. As security professionals, we need to communicate with people. Information security is a shared responsibility across a company. Our job is to work collaboratively and at all levels to foster a culture of security. We need to make sure security policies are not only in place but followed.
Critical thinking is something that everyone wants, but it’s difficult to define clearly. In my mind, critical thinking means starting with the result you want to achieve and mapping out a logical path to that result. In the case of information security, the result is protecting business assets and processes. Anything we do should support that end goal. If not, it can be eliminated.
Last, but not least, as security professionals, we are here to help the business be successful and enable the business to succeed – that’s the bottom line and having this mindset is extremely important.
3. One of your interest areas is AI and robotics process automation. What are your thoughts on the security problems that AI and automation systems can suffer?
Automation and AI are the future of security and are already changing the field (for better or worse). But the AI algorithms that we rely upon to help us also have a problem: by virtue of the way they learn, they can be attacked and controlled by an adversary. AI attacks are different from the typical information security problems that companies have had so far.
These AI attacks are not bugs in code that can be fixed – they are inherent in the heart of the AI algorithms. Let me explain a bit what I mean by that: An AI attack is the purposeful manipulation of an AI algorithm with the end goal of causing it to malfunction. These attacks can take different forms that strike at different weaknesses in the underlying algorithms:
• Input Attacks: manipulating what is fed into the AI system in order to alter the output of the system to serve the attacker’s goal. At its core every AI system can be reduced to a simple machine – it takes an input, performs some calculations, and returns an output – manipulating the input allows attackers to affect the output of the system.
• Poisoning Attacks: corrupting the training process during which the AI system is created so that the resulting system malfunctions in a way desired by the attacker. One direct way to execute a poisoning attack is by corrupting the data used during the training process.
Exploiting these AI vulnerabilities doesn’t require a “hacking” of the targeted system in the traditional sense. This is a new set of problems, and cannot be solved with the existing information security and policy toolkits. Addressing this problem will require new approaches and solutions.
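To make the poisoning attack described above concrete from a defender's side, here is an added Python example (written for this page; it is not code from the interview, from Elastic or from any published attack). It trains a toy nearest-centroid session classifier, shows how mislabelled records injected into the training feed flip its verdict on a malicious test session, and shows the simplest pipeline control against it: a release gate that evaluates every newly trained model on a small, hand-checked hold-out set the training pipeline can never touch. All feature values, labels and the 0.9 accuracy threshold are constructed for illustration.

```python
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]
Sample = Tuple[Point, str]

# Constructed training data for a toy session classifier.
# Features: (failed logins in the session, megabytes transferred out).
CLEAN_TRAIN: List[Sample] = [
    ((1, 5), "benign"), ((2, 4), "benign"), ((0, 6), "benign"), ((1, 3), "benign"),
    ((10, 50), "malicious"), ((12, 40), "malicious"),
    ((9, 60), "malicious"), ((11, 55), "malicious"),
]

# Constructed hold-out set: labels checked by hand, stored outside the
# training pipeline, used only as a release gate for new models.
TRUSTED_HOLDOUT: List[Sample] = [
    ((1, 4), "benign"), ((2, 6), "benign"),
    ((9, 45), "malicious"), ((11, 52), "malicious"),
]

# Poisoning: records shaped like the malicious test session but carrying the
# label "benign" (constructed; think of a mislabelled review queue feeding
# the training set). Forty copies outnumber the four clean benign records.
POISON: List[Sample] = [((9, 45), "benign")] * 40


def train(samples: List[Sample]) -> Dict[str, Point]:
    """Nearest-centroid classifier: the whole model is one mean point per class."""
    sums: Dict[str, List[float]] = {}
    for (x, y), label in samples:
        acc = sums.setdefault(label, [0.0, 0.0, 0])
        acc[0] += x
        acc[1] += y
        acc[2] += 1
    return {label: (sx / n, sy / n) for label, (sx, sy, n) in sums.items()}


def predict(model: Dict[str, Point], point: Point) -> str:
    """Return the label whose centroid is closest in Euclidean distance."""
    return min(model, key=lambda label: math.dist(model[label], point))


def accuracy(model: Dict[str, Point], samples: List[Sample]) -> float:
    correct = sum(predict(model, p) == label for p, label in samples)
    return correct / len(samples)


def deployment_gate(train_data: List[Sample], trusted: List[Sample],
                    min_accuracy: float = 0.9):
    """Train, then refuse to release a model that fails the trusted hold-out.

    A sudden accuracy drop on data the pipeline cannot modify is the cheapest
    poisoning detector available; it does not locate the poison, it only
    stops the damaged model from shipping. Returns (model, allowed, accuracy).
    """
    model = train(train_data)
    acc = accuracy(model, trusted)
    return model, acc >= min_accuracy, acc


if __name__ == "__main__":
    clean_model = train(CLEAN_TRAIN)
    print("clean model on (9, 45):", predict(clean_model, (9, 45)))
    poisoned_model, allowed, acc = deployment_gate(CLEAN_TRAIN + POISON, TRUSTED_HOLDOUT)
    print("poisoned model on (9, 45):", predict(poisoned_model, (9, 45)))
    print(f"hold-out accuracy {acc:.2f}, release allowed: {allowed}")
```

The clean model labels the (9, 45) session malicious; after the poison is mixed in, the benign centroid moves to roughly (8.3, 41.3) and the same session is labelled benign, while the gate sees hold-out accuracy fall to 0.75 and blocks the release. Note the caveat: per-class outlier trimming would not have helped here, because the poisoned records outnumber the genuine benign ones, so the outliers from the model's point of view are the clean records. That is why provenance controls on the training feed matter as much as checks on the trained model.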
4. What has been the most important lesson you have learned in 2021 so far through your work in information security?
I guess the most important lesson is to employ a risk-based approach to security. Regulatory compliance alone can’t protect our data. Each industry has its own specific and hidden risks, so focusing on compliance and meeting all the standard regulations isn’t enough to protect the most sensitive data. We need to pay attention to the actual risks that we face and how they affect the bottom line.
Any company that can produce daily assessments of the risk posed by different security threats and combine that with a daily check of the health of its controls, will be able to act more quickly to reallocate resources and tailor its information security investments in individual lines of business to help reduce the risk – in line with set risk tolerances.
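As an added illustration of the daily, risk-based view described above (example code written for this page, not an Elastic tool and not a FAIR reference implementation), here is a small Monte Carlo simulation in the style of FAIR: threat event frequency, vulnerability and loss magnitude are sampled from triangular estimates, loss event frequency is threat event frequency times vulnerability, and annual loss is summed over the simulated loss events. The scenario name, the input ranges, the 250,000 risk tolerance, the 10% exceedance rule and the linear mapping from control health to vulnerability are all constructed assumptions for the example; the last one in particular is not part of FAIR and would be calibrated per control in practice.

```python
import math
import random
import statistics
from dataclasses import dataclass
from typing import List, Tuple

Triangular = Tuple[float, float, float]  # (low, most likely, high)


@dataclass(frozen=True)
class Scenario:
    """FAIR-style inputs for one threat scenario (all values constructed)."""
    name: str
    threat_event_frequency: Triangular  # threat events per year
    base_vulnerability: Triangular      # P(threat event becomes a loss event) with healthy controls
    loss_magnitude: Triangular          # loss per loss event, USD


def _draw(rng: random.Random, t: Triangular) -> float:
    low, mode, high = t
    return rng.triangular(low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for a Poisson count; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def effective_vulnerability(base: float, control_health: float) -> float:
    """Assumed link between a control-health score and vulnerability.

    At health 1.0 the base estimate applies; as health falls towards 0.0 the
    probability that a threat event succeeds rises linearly towards 1.0.
    """
    control_health = min(1.0, max(0.0, control_health))
    return base + (1.0 - base) * (1.0 - control_health)


def simulate_annual_losses(scenario: Scenario, control_health: float,
                           years: int = 5000, seed: int = 7) -> List[float]:
    """Simulate `years` independent years; each returns the total loss that year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = _draw(rng, scenario.threat_event_frequency)
        vuln = effective_vulnerability(_draw(rng, scenario.base_vulnerability), control_health)
        annual = 0.0
        for _ in range(_poisson(rng, tef)):       # threat events this year
            if rng.random() < vuln:               # this one became a loss event
                annual += _draw(rng, scenario.loss_magnitude)
        losses.append(annual)
    return losses


def summarize(losses: List[float], tolerance: float) -> dict:
    """Annualized loss expectancy, 90th percentile and P(annual loss > tolerance)."""
    ordered = sorted(losses)
    p90 = ordered[int(0.9 * (len(ordered) - 1))]
    return {
        "ale": statistics.fmean(losses),
        "p90": p90,
        "p_exceed_tolerance": sum(loss > tolerance for loss in losses) / len(losses),
    }


# Constructed scenario and appetite, not figures from the interview.
CREDENTIAL_STUFFING = Scenario(
    name="credential stuffing against the customer portal",
    threat_event_frequency=(2, 6, 12),
    base_vulnerability=(0.10, 0.30, 0.50),
    loss_magnitude=(20_000, 80_000, 400_000),
)
RISK_TOLERANCE = 250_000.0   # annual loss the business is assumed willing to accept
MAX_EXCEED_PROB = 0.10       # assumed policy: at most a 10% chance of blowing the tolerance


def daily_risk_report(scenario: Scenario, control_health: float,
                      tolerance: float = RISK_TOLERANCE) -> dict:
    """One line of the 'daily assessment': today's control health in, risk out."""
    report = summarize(simulate_annual_losses(scenario, control_health), tolerance)
    report["within_tolerance"] = report["p_exceed_tolerance"] <= MAX_EXCEED_PROB
    return report


if __name__ == "__main__":
    for health in (1.0, 0.5):
        r = daily_risk_report(CREDENTIAL_STUFFING, health)
        print(f"control health {health:.1f}: ALE {r['ale']:,.0f}  P90 {r['p90']:,.0f}  "
              f"P(>tolerance) {r['p_exceed_tolerance']:.2f}  within tolerance: {r['within_tolerance']}")
```

Run the report once per scenario with the day's control-health score (for example, the fraction of endpoints reporting a healthy MFA enforcement state, an assumption about how the score would be sourced) and the output is a ranked list of where the expected loss moved, which is what lets investment follow risk rather than the compliance checklist.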
5. How do you stay up to date with industry news and updates regarding information security and technology? Feel free to share the sources and websites with us.
Being up to date on information security issues, even if it seems simple, has its challenging part. There is a sea of information out there and the important thing is to be able to identify what is really relevant. There is always something interesting being developed that I’d like to be aware of, as well as topics that I’d like to continue to learn about.
A good quality network of LinkedIn contacts and colleagues is a frequent source for sharing relevant information. Our teams at Elastic, for example, rely a lot on chat, and much of the news and many developments in the security world are shared and discussed in one or the other chat room. I can also recommend the NewsBites series from SANS.
6. Security is a constant battle, with demand for skilled talent continuing to increase and outpace supply. Where does the situation stand today?
The talent problem is not new. Information security is obviously a job sector of the future. That’s the good news. It’s also the bad news. The main reason it’s a job of the future is because the security risks of an increasingly connected world keep expanding and evolving. Hackers and bad actors will continue to go after our data and intellectual property. Without the right people and right tools, this problem will continue to grow.
Sometimes I wonder, though, whether it is a skills gap or a people gap. When we talk about the skills gap, are we talking about needing people who already have the skills or having people who need to learn the skills? I believe security is everybody’s responsibility, and while there is definitely a set of very specialized skills that are needed, many controls can be managed by people already in the company.
If we enable our employees to take on this responsibility they will become more engaged and motivated while building a culture of information security. And we shouldn’t forget security awareness training. A company full of security-minded people is more effective than a small team struggling to shoulder the burden of securing an entire company.
7. Our last question: what would you say to a group of young women who have not considered a career in the world of information security due to lack of knowledge or lack of programming experience?
I would say: Be resilient, find your own path, and don’t ever be intimidated by the men-to-women ratio in the tech industry. Put a strong accent on transferable skills such as a passion for security, a curiosity to tinker with how things work, and outside-of-the-box thinking. Information security is a vast field.
We need to do better at promoting this fact. Should you choose to, you can work in Infosec even if you have a different background like psychology, analytics, communications, etc. (This is not an exhaustive list. I should know!)
My advice is to stay confident about the skills you bring to the table and be just as assertive about your thoughts. Security is a really fun line of work with a lot of varied opportunities.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.