Cybersecurity is about loving other people

Transcription

[00:41] Andra Zaharia: Today's guest is a bearer of ancient wisdom. We've known each other for almost a decade, and ever since I launched Cyber Empathy, he's been nothing but supportive and excited about it; constantly feeding me ideas and suggestions for guests, and just keeping me on my toes and keeping me coming back to this project. Anastasios Arampatzis is one of the most generous and kind people in this space. He is an excellent information security content writer, and he's using his experience that spans decades to bring nuance and clarity into this piece and to make sure that people have the right information to make thoughtful decisions. He is actually a retired officer that served for over 20 years in the Greek Air Force. He handled a lot of IT and cybersecurity projects there, and you will have a chance to learn about some incredible stories from that time. Besides all of his knowledge about cybersecurity policy and governance, encryptions, security, and so many other topics, he also combines this with the spirit that is steady, but also very adaptable to all of the changes that we face in this industry. One thing that Tasios said during this episode really stuck with me ever since; he said that cybersecurity is about loving other people. That is one of the most beautiful ways to capture what cybersecurity is really about. And I'm just incredibly honored and excited to share this episode with you and to give you the opportunity to meet Tassos, because that's what friends call him, and find out all about his story, his background in the example that he sets in this industry. So I'll see you on the other side.

[02:47] Andra Zaharia: Γεια σας, Tassos! I'm really happy to have you on the Cyber Empathy podcast. 

[02:51] Anastasios Arampatzis: Γειά σου Andra!

[02:53] Andra Zaharia: Oh, yes, that was the right way to say it, right? I forgot that it is gendered. I'm sorry about that. So, for the non-Greek speaking people, which I am a part of but I do understand and speak just a tiny bit of it. “Γεια σας” (Geiá sas) means hello, it's a casual way of saying hello. Tasios has been a longtime listener and such a big supporter of the podcast, and you've been also an inspiration for it. So I'm really glad that we're finally able to bring up your story and share your story with listeners to just give them a glimpse into the work that you do and your contribution to the industry because I believe that's incredibly important and you're such a great example of being an empathetic, energetic supporter of everyone's work constantly, which is, again, something that's so generous and wonderful to watch. So, thank you for being that kind of person in this industry.

[03:52] Anastasios Arampatzis: Thank you for your kind words, Andra. And thank you for having me in your podcast. It's a real pleasure and honor for me to be talking to you. And you know that I love your work. Even since back in the day, 2015 I think was the first time that we remotely met each other. So, it's a relationship that built up for the last eight years now.

[04:20] Andra Zaharia: That's so true. So we actually met at the beginning of my introduction to cybersecurity. So we've become friends along with this journey, which has been so fantastic. I didn't even realize it's been almost a decade, that's fantastic. So there's so much that I want to ask you, but first, I wanted to start by asking you to just share a bit about your background with listeners because I think that you come from such an interesting background and your story is so unique, and that's something that I think will inspire many people to see themselves potentially pursuing a career in cybersecurity. So, how did it all start? And what was the trigger behind you choosing this specialization?

[05:11] Anastasios Arampatzis: First of all, I don't consider myself to be a digital native person. I am one of the last of Mohicans, let’s say, of analog era. I joined the Greek Air Force back in 1990 when I was a cadet in the Air Force Academy. And I remained an officer for the Greek Air Force until 2015 when I decided to retire from the Air Force with a specialization in communication and IT. The moment of truth that made me realize that cybersecurity is something that I could work with was when I held a lecture from the director of the cybercrime unit of the Greek police. He visited the Air Force headquarters and presented a presentation about the cyber threats, that was back in 2013-2014, so 10 years ago. Because at the time I was working with IT networks and building up security infrastructure to protect the classified information in the Greek Air Force, that made me realize that there is a need to communicate this message, not only within the borders of the Greek Air Force but also outside, and I was thinking of my children as well that they need to be aware, as they grow up in the digital era, of the potentials, of course, of the digital technology, but also of the dangers that lie within this technology. And when I left the airforce, the initial goal was to work in the educational part. So, for two years, I became an instructor for IT and security and started slowly to write some articles together with a friend of mine called Justin Sermon. Initially, those articles were for free because our goal was to let people know about ourselves. One thing led to another, my current boss, although he doesn't like to use the word, discovered my articles and offered me a part-time job as a content writer in Bora. That was back in 2018, and the part-time job became a permanent job. And that's a 50-year story in a few seconds.

[08:03] Andra Zaharia: Thank you so much for giving us a glimpse. I find that you already had the mindset of a defender when you came out of the Greek Air Force. And I was wondering what you actually took from that experience that you're still applying today, because being part of any military organization comes with a lot of discipline, obviously, with a lot of background on geopolitics and a lot of understanding, especially for those who are listening, who don't know, Greece plays a huge part in the geopolitical dynamic in Europe, but also globally. And it's been just beside the actual history of Greece, the modern history of Greece is very, very important to European safety to shaping relationships on the continent. So, again, I was wondering what you took from that experience in the Air Force that serves you well today in your current role and for your current contribution.

[09:01] Anastasios Arampatzis: If I can summarize my experience, it will be two things: leadership, one, and how you exercise leadership, of course; and the other one is about having a broader understanding of how things may work or work globally. So, let's start with the latter. Yes, when you are an officer in any armed forces, you eventually tend to read a lot about conflicts, interests, and how the strategy works, and you get to understand a little bit more about the interconnections between relations between countries and between companies, et cetera. So, yes, that is something that I gained from my years in the Air Force that I get to understand, I hope, a little bit better, how the global economy and how relations work between countries. And that is important because cybersecurity is not siloed from global politics and economics; they work together. That's one thing. The second thing about leadership is that I have seen a lot of bad leaders in the Greek Air Force, but I have seen also a few great leaders as well. And when you see a great leader, one that works with empathy, one that works with understanding, and one that walks into your shoes and tries to give you the resources and the knowledge and the mentality on how to work within the Armed Forces environment, then you say that this guy is your mentor. So, I have tried during my presence in the Greek Air Force to become such a person, to become more empathetic, and not to lead by fear but leading by example. I hope I have succeeded in this one. And this kind of empathy also has become, let's say, an integral part of my work as a cybersecurity content writer.

[11:23] Andra Zaharia: And I can see this. This is so true. And one of the things that I really appreciate and admire about your work is how flexible and open your mindset is, because there's this stereotype that people who have, let's say, a background in the army are quite inflexible and tend to be quite stern and just not that prone to listening to other people, they tend to be more forceful in how they present themselves. But you really combine very well discipline with kindness and with flexibility and openness, and that's something that I really appreciate. And I was wondering was there kind of a particular experience where you received empathy from other people, especially in cybersecurity, that also gave you one of those behavior models — the positive ones — that you saw in the Greek Air Force, and you found something similar in the cybersecurity industry? Do you remember a moment like that or people who have inspired your journey so far?

[12:25] Anastasios Arampatzis: Allow me to go back in the Greek Air Force first. Back in 1995, my then boss, the chief of the IT department that I was working with, I say again, 1995, we had only one computer at the Air Force. He said to me, “Okay, it's time to go and participate in an IT course.” So, in 1995, that guy, called Nicholas, opened to me a whole new world with his decision to send me and participate in this IT course. I am always referring to this guy because he is the guy that, let's say, made me who I am today with that one decision. Now, I'm skipping 35 years in the Air Force and going into cybersecurity. There are many people that I admire for what they do and how they do it. Allow me to say two names, one is Jessica Barker. Jessica is a glamorous cybersecurity person that is so open-minded and so friendly that whenever I speak to her, either literally or virtually or through posts on social media, it's like she tries to give me a glimpse into her intelligence. That's one person. The other two persons are my bosses, David Turner and Joe Pettit, who both are so flexible and so open-minded, they always try to give you the space to work, to innovate. And at the same time, be punctual in what you are doing. They say to me whenever I am a little bit stressed about how to produce great content for our clients, “Relax, Tasios, we are not doing a brain surgery.” So, yes, in a world that is quickly evolving, that every day new technologies come up and new threats come up, you have the people that support you and make you have the perspective that is relaxed and calm so that you can work through the technicalities and all these issues that come up every day, not only in work but also in how we live. For example, when the pandemic broke up three years ago almost, and we had to work remotely, the whole company. For me, as a parent, it was a difficult period to transition because all my kids and my wife had to work also remotely. They gave me the time to work only with my family and set up computers and routers, be sure that everyone in my home was safe and secure, and easy to go on with their remote lessons, and then I was able to work again. So that was a great example of how empathy works. When somebody understands your position, understands where you are, and what are your problems, and give you, not the solution, but the time and space and resources to find out how things work for you.

[16:10] Andra Zaharia: That's just beautiful. You articulated that so wonderfully. You gave such a perfect definition to this, to what this term is; it's having that kindness, and just like you said, creating that space for people to feel grounded, to find their roots to connect to what's important to them so they can work on the base of that. Speaking of roots, because I feel like these people that you mentioned, and then I'm also lucky to have in my life, are kind of anchors that keep us grounded when the storm hits. And another thing that it led me to think about is how I've often found these kinds of rooting elements in the Greek culture, sharing similar roots to yours, obviously. I have a tie in with my great-grandfather, who was Greek actually. I've always been such an admirer of Greek culture, and I try to study it whenever I can because it has so much to offer. And because it's stood the test of time because I find myself, as time goes on, paying more attention to the things that don't change, versus to the things that continue to change, because there are some characteristics in human behavior that change very, very slowly, if ever. And then there are similar bits of culture that tend to exhibit the same behavior. So, I was wondering, is there something in the influence that Greek culture has on your work? I'm very curious about that because I believe that our cultural background really shaped the kind of work that we do and how we contribute to this industry. 

[17:56] Anastasios Arampatzis: Yes, I think our listeners understand that the Greek culture is embedded into our DNA. And not only in the Greek DNA but also in the global civilization DNA. So, when, for example, you speak of names like Socrates, Plato, or Thucydides, those are the foundations of our civilization. So one can understand that, when Socrates says, “However I grow up, I always continue to learn.” This is something that if you want to be a useful person, you have always to keep up with the advances, you have always to keep up with what's going on in your society. And since our society is so interlinked with technology and has become so digital in the last five years, let's say, and everything is about digital technology; if I want to become a good parent, first of all, and then a good professional, I have to keep up with those developments; otherwise, the gap between myself and my kids — the eldest one is only 16 years old — would be enormous and I couldn't understand what they are going through because they have their own problems using technology. So, I cannot say that it is these things that Plato said that have influenced the most or the other thing that Thucydides said that influenced the most. I think that inheritance is built within our mentality. Let me give you an example, going back to geopolitics. Thucydides has said that there are certain factors that make every conflict; fear, interest, and power. How can you neglect those three factors when you think about everything? So this is fundamental knowledge that everybody has to understand if we are to understand today's world.

[20:19] Andra Zaharia: That's a perfect way to put it in. And that ancient wisdom continues to give us clarity and to remind us of the things that are truly important in life because they've become such important principles for a reason because they, again, stood the test of time, they've proven themselves valuable and worthy of pursuing them over and over again throughout the course of human history, no matter how it's changed. And I think that they are also important reminders because even though the cybersecurity industry is so complex and it's so tied into our society right now, it's only been around for 30 years. So, yes, the speed is enormous at which things are evolving. But also, we must remember that it's only a glimpse into human history and that we have a lot to learn and bring into it from other disciplines, such as philosophy, such as sociology, obviously, psychology, and all of the other disciplines that bring value into it. So, it's definitely worth looking on the outside as well. And one interesting thing about your journey is how you combine technical knowledge with all of these, let's say, humanities, all of the disciplines that are more in the area of soft skills — which is a term that I do not like, but still, here we go until we find a better term for it. One of the things that I find interesting about your work is that you break down a lot of really complex topics in terms of policy changes, in terms of a lot of really complex stuff in a way that makes them so easy to understand. So I was wondering what your content philosophy is, and what your principles are in the work that you do for customers and also for your personal projects. What sits at the foundation of that work?

[22:14] Anastasios Arampatzis: The foundation of my work is that the content that I create is digestible by the one that is going to read it. So, there are so many regulations, standards, technical standards, and norms, etc., that if you just let somebody read through GDPR without having any knowledge about how laws are being articulated, they are going to be lost. It is important to make all those technical jargons translated into plain English. Otherwise, if we use difficult-to-understand language, then what we are achieving is that we let our audience in the dark. So the content somehow has to provide a glimpse into the knowledge that is out there in a way that is easy to be understood, not by you and me — that we have some kind of background — but it is easy to be understood by our parents or by our kids. Breaking up the complexities of technology is a problem that we see a lot, not only in how we write content but also how we develop technology and how we communicate the features and benefits of technology. Let's take, for example, multifactor authentication, MFA. Everybody agrees that MFA is the best way to protect our identities and our data against attacks. But if we see the statistics of how many people are using MFA, it's very worrying: 2.6% of active Twitter users have enabled MFA; 8% of CEOs are using MFA on their apps. And if we take it on the corporate level, between employees, it's around 50% of employees that are using MFA mostly, but it's employees, administrators, or executives, and those that are forced to be working remotely, not the ones. 

[25:01] Anastasios Arampatzis: So, this is an indication that something is going wrong. Is it the technology that is difficult to be deployed and be used? Could be. Is it how you communicate the use of this technology? Also. Is it that the content that we are writing is mostly used about business-to-business cases and not business-to-citizens cases, not employees, not customers? What have we done to enable our fellow citizens, people like my next-door neighbor, what have we done to communicate to them that whatever you are doing, doesn't matter if you are a farmer or a CEO, you have to have MFA on your mobile phone, you have to have MFA on your Facebook, Twitter, Instagram, or whatever other application you're using. That's a problem. And this is how, at least I am trying and many other content writers, of course, are trying to communicate as simply as possible that you have to have certain security controls installed on your desktop, tablet, and mobile phone. And don't forget, the mobile phone is just a computer that makes calls.

[26:29] Andra Zaharia: That's so true. Thank you for highlighting that. And thank you for offering that example that I think many people can resonate with because they must have come across using multi-factor authentication one way or another. And that's why I deeply, deeply disliked how Twitter handled communicating that two-factor authentication through SMS will be just for paying customers, just for the ones who pay for Twitter Blue or whatever. And I thought that was such a lousy way to do things and such a blow to people's perception of how this mechanism works and how it is important, because people may only hear that bit and remember that “oh, that's a paid thing. I don't want to pay for that.” And they might take that idea and apply it to something else. And that's not true, and that doesn't help anyone, and I thought it was such a bad thing. And this is one of the things that obviously distorts perception just as the last past hack did. I think that it really affected people's trust in password managers in general, which is totally unfair. And also, this highlights the problem that we have in the industry, which is acknowledging failure, acknowledging our shortcomings. Because cybersecurity is the source of, obviously, security of safety, I think that we have a big issue with acknowledging, first, technology is not perfect, obviously, that we have a long way to go, that we're not doing certain things as well as we could. And that's a big, big problem. Have you seen things start to change around acknowledging failure or shortcomings?

[28:14] Anastasios Arampatzis: I think we have seen, in the last few years, a big shift towards more human-centric cybersecurity. And I think this is the base from the past that we are missing. We are talking a lot about technology, solutions, more solutions, extra more solutions, and processes, processes, processes. But we forget to discuss people, about humans, about people like you and me, my grandma, and my kids because, ultimately, technology is from people, about people, and the impact is on people. So if we fail to communicate all those things, the possibilities, the features, the dangers, the solutions, effectively to the people, then I think that we will have a major issue in the next years. And there are many, many professionals out there. I mentioned Jessica Barker before, there is also Lance Spitzner, it's you, of course, that are talking a lot about empowering people with cybersecurity, that we have to stop blaming people for mistakes that they are doing. Stop blaming people because something went wrong. “Always something will go wrong.” Another thing of Greek philosophy — there is always something that may go wrong. Okay, we'll have to go ahead. We blame people, but we forget to reward people that every day, they do things well. There are a huge number of cyber attacks happening every day that are being prevented because people either detected a physical campaign or have configured correctly the security solutions in place to stop those attacks. And we never learned the names of these people, but we always learn the name of the one person that will do tbe mistake. I think that's wrong.

[30:38] Andra Zaharia: It definitely is. And something that I saw in the past few days was an example from Coinbase. They put out an article explaining that they had an attack, but how someone on the team detected it and what they did to make sure that the damage was limited and that things went okay. And it was basically an example of “this happened to us, but look at all the things that actually worked to make sure that this didn't evolve in a bigger incident.” And I thought that was such a great example, actually, Jake Williams, someone who I deeply admired, shared this example, and I actually saved it. I thought to myself when I save this and put it in the app where I keep all of the things that I want to make sure that I keep as examples, I hope this is the start of a lot more articles like this, I hope this is the start of more stories like this because, obviously, the media finds it appealing when banks are broken into or when movie heist scenarios happen in real life because they're so interesting to report on. But what we need is a lot more positive examples, not more negative examples because we have a lot of those. And those, we've seen, do not work because they make people feel scared, intimidated, and ultimately disengage with just cybersecurity, in general. They don't want to hear about it. So, making that a source of good, like you mentioned, I think is such a powerful example because, ultimately, that's the core mission; to bring good into the world; good in the form of safety; good in the form of education, in the form of awareness. And that's a big goal that the industry has, but there are also plenty of incredibly intelligent and kind people making this happen — yourself included. This is why I think it's such a privilege to work in this space, and this is why I feel so strongly about it, and I know that you do, too.

[32:43] Anastasios Arampatzis: To quote a person - I don’t recall now his name. He said that in cybersecurity instead of promoting fear, we should promote hope. That's it. And we need more heroes, we need more everyday heroes in our lives, and this is how we're going to make our world safer and better for us, for our kids, because it is our kids that are going to live in a totally digital world. 

[33:15] Andra Zaharia: So true. And I know that you do a lot of work on this and I was wondering if you could share a bit about the volunteer work that you do, and how you create these hero-based stories for children to relate to. And again, that's something that's very evocative of the Greek culture and mythology, which dominates this mythological space so, so much and it's given us so many powerful stories that we still turn back to today. 

[33:42] Anastasios Arampatzis: You said about mythology and then I remembered Hercules when he was forced to select a path to follow and he selected the parts of virtue, which was the most difficult one but the one that was leading to a high goal. For kids, my volunteering work is with a privacy group here in Greece called Homo Digitalis. It's the one and only privacy group here in Greece protecting the digital rights of citizens. Homo Digitalis is also cooperating with other privacy groups across Europe like EDRi, the European Digital Rights Organization, and privacy groups in Serbia, Romania, France, and all the countries. Part of our job is to provide awareness, not training, but seminars to pupils in schools. So we visit schools and we try to provide students some information in a digestible format about cyber-bullying, which is a huge problem for kids, about protecting the digital footprints that we create on the internet, about the basic protections that GDPR offers. And it is amazing to see how many things those kids know about technology. And it is awesome to listen to their questions and to see how they think about the world that they grow up in and that we live in. And the message that we're trying to communicate to these kids is that they have to sit down with their parents and discuss, that's the only way that you can bridge the gap, the digital gap between parents and kids. Parents are not digital natives; they are still digital immigrants. Their kids, being natives, know a whole lot more about technology, applications, and features, et cetera. They have to bring this knowledge to the Sunday lunch table and ask for guidance from their parents on how to address the risks that there are in the cyber domain because parents have the experience of addressing risks every day in society. And if you merge those two holds, then you have families that are safer. And since family is the core of our society, they eventually have local communities and bigger societies that will become more safe against cyber risks.

[36:59] Andra Zaharia: And change starts always with a few people that care deeply about something and manage to spread a message in these communities. That's how change happens always around all of the topics. And that's why I think that we should focus on the less glamorous things, the less publicized things, but on things that actually work, which is talking to people one-on-one if need me or in small groups where we have their attention. They're involved when they have some level of trust with the person that’s talking because they think that that's where it starts. And just like you mentioned, from the beginning of our conversation, about mentors and leaders who change people's lives, that's the thing that happens in these communities as well and in these conversations. Getting children to listen to these bits of wisdom that we've accumulated over time is no easy task because if it's not part of their universe, they don't have the mind space for it. But it's such an interesting challenge and it all comes back to building these relationships. Because I strongly believe, still, that relationships are what make the world work. Technology happens and gets implemented and gets improved because the relationships are there because someone cares enough to do something about it because someone else trusts another person to do their job and that they're progressing and aiming towards better things. And to me, this is kind of built into this period of cybersecurity. It's built into the hacker ethos — another Greek word. It reminds me, I know I'm diverting a bit from the conversation, but in My Big Fat Greek Wedding, there's this line, “Give me a word, any word, and I'll show you that it comes from Greek.” And that always happens to me. And I was trying to pick up Greek on Duolingo and studying it. It always came back to me, that is like, “Did you know that that word is actually Greek at its origin?” And yes, that's always so much fun. Again, culture, diversity, and digging back into our past can reveal, obviously, a lot of lessons for the future as well. I went a bit on a tangent there, but I had to.

[39:29] Anastasios Arampatzis: About building relationships, allow me to say two things. First of all, one of the co-founders of Homo Digitalis says, “Even if we manage to persuade one person to protect more effectively their data, that's a huge benefit.” And the second is about relationships, “If we don't care about people if we don't love people, then we will never build those security protections.” We will build them for ourselves, and that's it, finished. But cybersecurity is about loving other people. This is what I love about cybersecurity, that all those people that are talking, building, and communicating messages and solutions about cybersecurity and about protecting our identities and our data, it's a huge demonstration of love.

[40:34] Andra Zaharia: That's absolutely fantastic. I just want to sit with this for a while and feel this entirely. It is beautiful. I bet that people who listen to this and who are listening to this now, this will be such a surprising thing, such a spark that I hope kindles their curiosity to find out more. And speaking about finding out more, I wanted to ask where people can connect with you and explore your work and follow your words of wisdom because you have a lot of those coming, contributing to the industry like that, over and over, on a daily basis. So, where can they find you? And how can you connect?

[41:17] Anastasios Arampatzis: They can find me on LinkedIn, which is my most professional profile. And also, they can find me on Twitter, where they can also discover my music preferences.

[41:28] Andra Zaharia: Yes, which are exquisite, absolutely exquisite if I do say so me. It's been wonderful to really understand more about the work that you do, and then help people see all of these stories, all of these people that make things happen, and to see how it all connects into this network of beautiful relationships that give us hope for the future, and that keeps us going even in the face of real complex, really challenging issues that we face today. Thank you so much for sharing so honestly and for being here. This has been just one of my favorite experiences ever.

[42:09] Anastasios Arampatzis: I thank you for inviting me, Andra. And allow me to finish in Greek: Ευχαριστώ πάρα πολύ (Efcharistó pára polý)!

[42:16] Andra Zaharia: “Thank you so much as well.” Just as a quick translation for everyone.