
Marcel Gerardino: “Technology has great value for advancing societies but in the wrong hands it has the potential to cause a lot of harm.”

Mini-interviews with EU CyberNet experts. Marcel Gerardino has been part of the Expert Pool for 3 years and has contributed to the work of EU CyberNet.

EU CyberNet is an EU-funded cyber capacity building project aimed at establishing a pan-European expert network to help solve cybersecurity challenges around the world. Cybersecurity experts are the core of EU CyberNet and instrumental to the objective of building and promoting the model of an open, free, secure and stable cyberspace. This growing EU Cyber Experts Pool consists of over 400 experts so far, on topics such as cybersecurity, cybercrime, cyber diplomacy, cyber defense, AI, etc. The pool connects to a wider pan-European Stakeholder Community to assess partner countries’ needs, organise trainings and offer our experts’ cyber expertise to support various initiatives around the world.

What is less brought to the foreground in the work we do is the human factor and the work of individuals driving the progress forward across the globe. 

In this mini-interviews series, we will meet our Cyber Experts as industry leaders and discover the essential contributions they make in shaping the cyber world and ensuring its seamless operation!  

In the July interview we’ll meet Marcel Gerardino, a cybersecurity professional based in Barcelona, Spain, originally from the Dominican Republic. He joined the EU CyberNet Expert Pool exactly 3 years ago.

Please introduce yourself and the work that you do. What are the reasons for your interest in the cyber world?

First and foremost, thanks for inviting me to this series. My name is Marcel Gerardino, a cybersecurity professional based in Barcelona, Spain, originally from the Dominican Republic, and I am happy to share my journey and experience working in this important and exciting field.

I consider myself essentially a computerphile who very early discovered cybersecurity and became obsessed with it ever since. I started doing cybersecurity for a leading telecom operator in the Dominican Republic in the late 90s. That being said, I have seen the evolution of cyber from the early days of Internet adoption to the essential and developed capacity that it is today, where the threat landscape and technology have shaped it into a critical component for organisations at every scale, from small businesses to nation states.

In these 20+ years I have had the opportunity to work on many facets of cyber, from management-related activities such as risk and compliance to more technical work such as red teaming, application security testing and DFIR.

I have always been inclined to learn new technologies and had a fascination earlier in my career to figure out how systems work internally and how an attacker could exploit flaws to make them behave in unintended ways. This is what we might call hacking, but for the ethical and constructive purposes we use it every day. That is, to find and fix security issues that might pose cyber risk.

If I had to summarise why I like cybersecurity, I would say technology has great value for advancing societies, but in the wrong hands it has the potential to cause a lot of harm. I feel it is my duty to help protect systems, it is kind of a moral thing for me.


What do you think are the current challenges in the field of cyber that you see in your daily work?

The most significant challenge I see is the lack of attention cybersecurity had up until very recently, often taking a backseat to profitability. This was the case for decades and it is still true to a great degree today. Many tech vendors neglected security in their products for a long time and it ended up costing the companies and individuals who use these products a lot in economic, reputation and privacy damage.

Because of this, businesses of all sizes as well as entire nations are still ill prepared to face the current threat landscape and effectively manage cyber risk. In my opinion, the turning point came following the pandemic as well as the current geopolitical tensions. These two events marked a shift in how organisations operate and in their exposure to online risks. Also, AI is helping threat actors augment their capabilities, the same way it helps coding, cybersecurity and many other areas. Keeping ahead of the threats has always been a challenge, but in this hyper digitised and AI driven world it is even more important to find ways to close the gap and shift the balance in favour of defenders.


EUCN: Based on your experience, what practical measures do you recommend for enhancing cybersecurity?

Cybersecurity needs to be treated as a formal process and follow well established practices. It needs to be managed like the mission critical process that it is. It starts with situational and cyber risk awareness: knowing your assets, the threats and risks these are exposed to, security requirements and capabilities. Only then can you make informed decisions that are actionable and will minimise risk.

Luckily there are many control frameworks and standards to guide through this process, some more prescriptive than others. Depending on your industry or region, you might be required to follow one or many, for example NIS 2.0, GDPR, PSD2, PCI-DSS and so on. Keep in mind these are great resources but not silver bullets. You need to constantly identify and protect, but just as important and even more so lately, you must be able to detect early and respond to cyber threats when these preventive measures fail.

On a more specific level, I must emphasise the importance of user awareness and education. While it may seem obvious and repetitive when discussing cybersecurity, it remains paramount due to the continuous targeting of users by threat actors who exploit the multitude of collaboration and interaction avenues, such as social networks, coupled with the vast amount of personal information accessible online from past breaches, making this a very effective attack vector.

Equally important is that defenders adopt an “assume breach” posture, where multiple layers of defense keep the network safe even if your outer layers are compromised. An example would be MFA (multi-factor authentication), which would protect the system even if the first set of credentials is compromised.

Can you give us an example from your work that you believe makes a difference in advancing cybersecurity?

The work we do at EU CyberNet as part of the expert pool is a perfect example. Being able to work with CISOs, IT managers, regulators and other stakeholders to measure and treat cyber risk in critical infrastructures, as well as delivering awareness and training on a regular basis, brings knowledge and experience that they can leverage to enhance their capabilities and security posture, which contributes to a safer society and cyberspace as a whole.

Also, I am very proud of the work done for the private sector, where we continuously test and fix vulnerabilities in critical systems like 4G/5G networks, core banking and payment systems, among others; and help them adopt best practices in threat detection and response. I feel these measures increase the resilience of critical infrastructures on which entire economies and the well-functioning of society rely.

I have also worked alongside regulators and public/private sector entities in advancing the legal and regulatory framework of the Dominican Republic regarding cybercrime and cybersecurity in the Telecommunications sector. These measures have proved to be just as important as technical ones.

How do you think EU CyberNet is playing a role in building this community of experts and advancing cyber capacity building efforts around the world?

I think EU CyberNet is a groundbreaking initiative, particularly in the realm of cyber capacity building. I think it has been successful in fostering collaboration and knowledge exchange among cybersecurity professionals from various regions, which is precisely the approach required to fight global cyber threats and advance the state of cybersecurity around the world. I’m not certain there has been another initiative that has managed to unite cybersecurity professionals from various backgrounds and regions as successfully as EU CyberNet has.

On a personal level, it is also a great opportunity as an expert to gain access to a diverse network of peers and mentors, facilitating continuous learning and professional development.

The positive feedback we’ve received wherever we’ve had the chance to engage really speaks volumes about the significance of our collective efforts.


