Dear Mr. Portelli, please tell our readers more about yourself and your professional background?
I’ve been involved professionally in the IT world, based in my home country of Malta and working with international organisations, for just over 15 years now. I’ve worked in almost all tiers of the IT sector, from support all the way up to management, meaning that I have experience with both the technical and strategic side of the IT world. I’ve been specialising in Information Security for almost 5 years now and am excited to be part of an industry that is both interesting and constantly evolving. When I’m not at my full-time job in Information Security, I work on web design and eCommerce solutions with my business partner as part of our Malta Virtual Mall project, and also love spending time with my family, travelling when possible, hiking and being in nature, as well as working with a couple of mental health focused charities here in the Maltese Islands.
What was your first “win” that made you confident that you were doing the right thing?
Most people in the Information Security world will know that wins are hard to come by, for the simple fact that we are our own worst critics. There is even a term for what I’m talking about – “imposter syndrome”. Nevertheless, I try to find those moments that motivate me to push harder and aim higher in my professional and personal life. With this in mind, I would say that a general “win” for me is coming up with a solution to a security problem that has plagued a company for years and then seeing the solution through to its implementation. My first “win” would be debatable, but from an information security perspective it most probably has to be receiving phishing email notifications from employees who identified that they were being phished. This came after spending time teaching and training everyone in the global organisation about what phishing is, how to spot it and what to do if you are a victim. This was great, as it showed I was slowly but surely changing the culture of the organisation in a positive way when it came to security.
In your opinion, what is the biggest challenge in the cybersecurity industry at the moment?
Most people would probably mention ransomware as a huge challenge in our industry, but I believe that awareness is the number one challenge when it comes to information and cyber security. Most studies and reports on breaches and attacks have consistently shown that the majority of these take place via phishing, business email compromise or some form of social engineering, as opposed to via direct hacking or exploitation of vulnerabilities. Therefore, the majority of breaches and attacks can be stopped by ensuring that employees are more aware of what threats and risks are out there and how they can play a part in keeping the organisation safe. This awareness and education has a double effect of keeping the organisation safe, as well as empowering employees to feel that they are playing a part in the protection of the organisation.
Which are the main trends that shape the industry nowadays?
Some of the main trends these days from an attack and defend perspective seem to revolve around hacking-as-a-service organisations. These allow everyday users with almost no technical knowledge to carry out ransomware, DDoS or other malicious attacks aimed at anyone they choose. This is dangerous, as it opens up the world of malicious hacking and malware to the masses, some of whom may not even fully understand what they are doing or the level of damage they may be causing.
A secondary trend that is more focused on the side of security administration and architecture, is zero-trust. This ensures a level playing field for the set-up of authentication systems where it doesn’t matter where you’re authenticating from or to, you are treated in the same manner. This type of architecture, in my opinion, is a great way to add extra levels of protection to any environment and makes organisations more secure as well as easier to manage.
In your opinion, what are the main steps that organisations should take in order to protect their data?
Know what data you have, where it is and what the classification of your data is. These are definitely the first steps to take when dealing with any form of data. Before you have this information, you will not be able to protect your data. The next step is to ensure that this data is both protected and backed up appropriately. When dealing with backups, the 3-2-1 rule is always a great place to start. Ensure that you have at least 3 different copies of your data (including the production data), on 2 different types of media, with 1 stored off-site.
The above is probably standard, but what I would suggest over and above all this is ensuring that your people are also aware of all of the above (ensuring the principle of least privilege obviously, whereby only people who need to know are made aware of the information). It’s also important to ensure that training on disaster recovery is carried out and a plan is created, tested and implemented. Like security awareness, this helps protect your data while also making your employees wardens of your data.
What advice would you give to your younger self at the start of your career?
This is a hard one. I try to live by a “no regrets” mantra since we are not in a position to change the past but can only learn and move on, so I don’t hold on to too many of the mistakes that I’ve made throughout the years. However, if I were pressed to think of a single piece of advice, it would be to listen more attentively to those in your team and those above you. All teams disagree at some point and all managers will have a disagreement with a team member from time to time, but it is important to understand the other person’s perspective when analysing a problem, as they may see things that you don’t. This is why working in a team is so beneficial – different perspectives assembled together, more often than not, create innovative solutions.