EU CyberNet is an EU-funded cyber capacity building project aimed at establishing a pan-European expert network to help solve cybersecurity challenges around the world. And cybersecurity experts are the core of EU CyberNet and instrumental to the objective of building and promoting the model of an open, free, secure and stable cyberspace. This growing EU Cyber Experts Pool consists of over 400 experts so far, on topics such as cybersecurity, cybercrime, cyber diplomacy, cyber defense, AI, etc. that connects to a wider pan-European Stakeholder Community to assess partner countries’ needs, organise trainings and offer our experts’ cyber expertise to support various initiatives around the world.  

What is less brought to the foreground in the work we do is the human factor and the work of individuals driving the progress forward across the globe. 

In this mini-interviews series, we will meet our Cyber Experts as industry leaders and discover the essential contributions they make in shaping the cyber world and ensuring its seamless operation!  

In the July interview we’ll meet Marcel Gerardino, cybersecurity professional based in Barcelona, Spain, originally from Dominican Republic. He joined the EU CyberNet Expert Pool exactly 3 years ago.

Please introduce yourself and the work that you do. What are the reasons for your interest in the cyber world?

First and foremost, thanks for inviting me to this series. My name is Marcel Gerardino, a cybersecurity professional based in Barcelona, Spain, originally from Dominican Republic, and I am happy to share my journey and experience working in this important and exciting field.

I consider myself essentially a computerphile who very early discovered cybersecurity and became obsessed with it ever since. I started doing cybersecurity for a leading telecom operator in Dominican Republic in the late 90s. That being said, I have seen the evolution of cyber from the early days of Internet adoption to the essential and developed capacity that it is today, where threat landscape and technology have shaped it into a critical component for organisations at every scale, from small businesses to nation states.

In these 20+ years I have had the opportunity to work on many facets of cyber, from management-related activities such as risk and compliance to more technical work such as red teaming, application security testing and DFIR.

I have always been inclined to learn new technologies and had a fascination earlier in my career to figure out how systems work internally and how an attacker could exploit flaws to make them behave in unintended ways. This is what we might call hacking, but for the ethical and constructive purposes we use it every day. That is, to find and fix security issues that might pose cyber risk.

If I had to summarise why I like cybersecurity, I would say technology has great value for advancing societies, but in the wrong hands it has the potential to cause a lot of harm. I feel it is my duty to help protect systems, it is kind of a moral thing for me.

Businesses of all sizes as well as entire nations are still ill prepared to face the current threat landscape and effectively manage cyber risk. In my opinion, the turning point came following the pandemic as well as the current geopolitical tensions.

What do you think are the current challenges in the field of cyber that you see in your daily work?

The most significant challenge I see is the lack of attention cybersecurity had up until very recently, often taking a backseat to profitability. This was the case for decades and it is still true to a great degree today. Many tech vendors neglected security in their products for long and it ended up costing the companies and individuals who use these products a lot both in economic, reputation and privacy damage.

Because of this, businesses of all sizes as well as entire nations are still ill prepared to face the current threat landscape and effectively manage cyber risk. In my opinion, the turning point came following the pandemic as well as the current geopolitical tensions. These two events marked a shift in how organisations operate and in their exposure to online risks. Also, AI is helping threat actors augment their capabilities, the same way it helps coding, cybersecurity and many other areas. Keeping ahead of the threats has always been a challenge, but in this hyper digitised and AI driven world it is even more important to find ways to close the gap and shift the balance in favour of defenders.

On a more specific level, I must emphasise the importance of user awareness and education. While it may seem obvious and repetitive when discussing cybersecurity, it remains paramount due to the continuous targeting of users by threat actors who exploit the multitude of collaboration and interaction avenues.

EUCN: Based on your experience, what practical measures do you recommend enhancing cybersecurity?

Cybersecurity needs to be treated as a formal process and follow well established practices. It needs to be managed like the mission critical process that it is. It starts with situational and cyber risk awareness: knowing your assets, the threats and risks these are exposed to, security requirements and capabilities. Only then you can make informed decisions that are actionable and will minimise risk.

Luckily there are many control frameworks and standards to guide through this process, some more prescriptive than others. Depending on your industry or region, you might be required to follow one or many, for example NIS 2.0, GDPR, PSD2, PCI-DSS and so on. Keep in mind these are great resources but not silver bullets. You need to constantly identify and protect, but just as important and even more so lately, you must be able to detect early and respond to cyber threats when these preventive measures fail.

On a more specific level, I must emphasise the importance of user awareness and education. While it may seem obvious and repetitive when discussing cybersecurity, it remains paramount due to the continuous targeting of users by threat actors who exploit the multitude of collaboration and interaction avenues, such as social networks, coupled with the vast amount of personal information accessible online from past breaches, making this a very effective attack vector.

Equally important is that defenders adopt an “assume breach” posture, where multiple layers of defense keep the network safe even if your outer layers are compromised. An example would be MFA (multi-factor authentication), that would protect the system even if the first set of credentials are compromised.

Can you give us an example from your work that you believe makes a difference in advancing cybersecurity?

The work we do at EU CyberNet as part of the expert pool is a perfect example. Being able to work with CISOs, IT managers, regulators and other stakeholders measure and treat cyber risk in critical infrastructures, as well as delivering awareness and training on a regular basis, bringing knowledge and experience that they can leverage to enhance their capabilities and security posture which contributes to a safer society and cyberspace as a whole.

Also, I am very proud of the work done for the private sector, where we continuously test and fix vulnerabilities in critical systems like 4G/5G networks, core banking and payment systems, among others; and help them adopt best practices in threat detection and response. I feel these measures increase the resilience of critical infrastructures on which entire economies and well-functioning of society relies.

I have also worked alongside regulators and public/private sector entities in advancing the legal and regulatory framework of the Dominican Republic regarding cybercrime and cybersecurity in the Telecommunications sector. These measures have proved to be just as important as technical ones.

How do you think is EU CyberNet playing a role in building this community of experts and advancing cyber capacity building efforts around the world?

I think EU CyberNet is a groundbreaking initiative, particularly in the realm of cyber capacity building. I think it has been successful in fostering collaboration and knowledge exchange among cybersecurity professionals from various regions, which is precisely the approach required to fight global cyber threats and advance the state of cybersecurity around the world. I’m not certain there has been another initiative that has managed to unite cybersecurity professionals from various backgrounds and regions as successfully as EU CyberNet has.

On a personal level, it is also a great opportunity as an expert to gain access to a diverse network of peers and mentors, facilitating continuous learning and professional development.

The positive feedback we’ve received wherever we’ve had the chance to engage really speaks volumes about the significance of our collective efforts.