Sille Arikas: “What it is often missed is that it’s your own paycheck that is on the line in case of falling victim to a cyber-attack that hinders provision of the services””

Mini-interviews with EU CyberNet experts. Sille Arikas has been part of the Expert Pool for 3 years and has contributed to the work of EU CyberNet.

EU CyberNet is a EU-funded cyber capacity building project aimed at establishing a pan-European expert network to help solve cybersecurity challenges around the world. And cybersecurity experts are the core of EU CyberNet and instrumental to the objective of building and promoting the model of an open, free, secure and stable cyberspace. This growing EU Cyber Experts Pool consists of over 400 experts so far, on topics such as cybersecurity, cybercrime, cyber diplomacy, cyber defense, AI, etc. that connects to a wider pan-European Stakeholder Community to assess partner countries’ needs, organise trainings and offer our experts’ cyber expertise to support various initiatives around the world.  

What is less brought to the foreground in the work we do is the human factor and the work of individuals driving the progress forward across the globe. 

In this mini-interviews series, we will meet our Cyber Experts as industry leaders and discover the essential contributions they make in shaping the cyber world and ensuring its seamless operation!  

In the June interview we’ll meet Sille Arikas, Cyber Exercises Manager of Clarified Security in Estonia. She joined the EU CyberNet Expert Pool exactly 3 years ago.

Please introduce yourself and the work that you do. What are the reasons for your interest in the cyber world?

My name is Sille and I am a Cyber Exercises Manager at a small Estonian company called Clarified Security. What makes Clarified Security special is that we teach practical security through the perspective of attacks instead of defence. 

My interest in computers began like a classic infosec heritage story (at least in Estonia) – through games and cheat codes. My first IT related job was a classical helpdesk job “Have you tried turning it on and off again” which progressed to an e-commerce fraud analyst position. I believe that if you want to do anything well, you also have to go an extra mile and learn new skills until you can do your job independently and do not have to ask assistance unless something out of the ordinary happens. These two positions taught me more than all the previous years of education – how to think critically, how to filter out the relevant from massive amounts of noise, effective time management (navigating between work, university and private life) and how to troubleshoot. 

After preventing fraud at a global level, I thought it would be a wise idea to contribute to the safety of Estonian cyberspace. The time I worked at CERT-EE was, modestly said, awesome! There was something new to learn every day and an out of the box solution to be found more often than I wished for. And you never run out of things to do! If you ever want to get the best experience in incident response and/or defensive side of cybersecurity – there’s no better place to send your CV to than a national CERT.    

It is said that all good things come to an end someday, but one day I made the decision that I will be more useful working as Cyber Exercises Manager at Clarified Security, an Estonian company focusing on teaching defense through offensive aspects. Although our company is small, in addition to our own exercises, we are a red teaming service provider for the world’s largest live-fire cyber exercise Locked Shields, organised by NATO CCDCOE. Additionally, to my daily job, I am also a visiting lecturer at Tallinn University of Technology, where I am teaching the future experts the foundations of cybersecurity, as well as cybersecurity management.  

Although computer literacy has advanced over the past decades, the main causes behind the incidents remain the same – credentials obtained from a phishing campaign, use of outdated software and weak or default passwords.

What do you think are the current challenges in the field of cyber that you see in your daily work?

In my opinion the biggest challenges have remained nearly the same since the Morris Worm and the first international incident in 1988. The first challenge is focusing on prevention rather than mitigation. Although computer literacy has advanced over the past decades, the main causes behind the incidents remain the same – credentials obtained from a phishing campaign, use of outdated software and weak or default passwords. Over recent years it’s unfortunately common to add a new fancy tool or take a single training that is perceived as a silver bullet instead of focusing on fixing the basics. Despite good marketing punchlines and features, no tool or training alone can fix everything. This brings us to the second challenge – a shortage of qualified and dedicated personnel. Good employees are hard to find in every industry, but working in information security quite often requires very specific skillsets and the people with specific skillsets are of high market value. There is something that is perceived as a joke – LinkedIn is like the vice versa Tinder where HR sends job offers to infosec people and gets ignored. Another big challenge is that for companies and organisations who are neither cybersecurity service providers or a responsible authority, cybersecurity is perceived as a support function and something that is taking attention away from the main service, instead of being considered as an added value. Regardless of which part of the world we’re discussing, it is often the case that only the bare minimum is done to meet compliance standards and avoid penalties.

EUCN: Based on your experience, what practical measures do you recommend enhancing cybersecurity?

I recommend starting from the very basics – start from your personal habits to improve the overall organisational resilience because it is you directly who’s salary is depending from the security of the organisation. Use a passphrase instead of a “Spring2024!” type of password and do not complain about having to insert a code when logging into a corporate environment. Another accident waiting to happen is the lack of attention being paid when inserting your credentials or payment details. This, unfortunately, is also not being made any easier by mobile operating systems or e-mail clients where you must put in extra effort to see who the actual sender of the message is or what is the actual website where you are located. What it is often missed is that it’s your own paycheck that is on the line in case of falling victim to a cyber-attack that hinders provision of the services. There are a lot of punchlines in the category of cybersecurity being a shared responsibility, so I will not add another one to the list, but it is important to realise that the actions of individuals have an impact on a wider scale.  

Nothing is useless, it can always be used as a bad example!

Can you give us an example from your work that you believe makes a difference in advancing cybersecurity?

I can give 2. Once upon a time I really hated getting a notification that there will be another cyber exercise since I was already busy with solving real world incidents. But this is a casual Tuesday when you work in an incident response team. A few years later I had a random idea of putting all my lessons learnt from the exercises down to one presentation and shared that at a conference. I did not foresee the number of questions and follow-up questions that presentation got, with people actually speedwriting to get everything I said down. Some more fine-tuning and this random idea has been developed into a cyber exercise design workshop that ends with a tabletop.   

Another example is from a crisis communication workshop. Also, my own lessons learnt put to a workshop. Reading the feedback from one of these workshops has been one of my favourite feedbacks to read where over 10 participants said exactly the same thing in their comments section: “I’m so happy I participated, I got so many new phrases to use!”. As my mom always says: “Nothing is useless, it can always be used as a bad example!“.

How do you think is EU CyberNet playing a role in building this community of experts and advancing cyber capacity building efforts around the world?

By having been included as an expert since Cyber4Dev started and seeing the kickoff and progress of EU CyberNet, it has been my pleasure to see an actual development. When I started as an expert, the level of delivered training courses and workshops was on a rather basic level. Over the years the maturity of the audience has advanced greatly and the basic level training courses are no longer sufficient. Just like with any organisation, when your people get to a more advanced level, you must mature and advance your own skillset as well. From the trainer’s perspective, it is a great challenge to prepare workshops and training courses to mature teams because you get to develop with them. Another great success of EUCN is that not only has it created a network of cyber experts who share their knowledge with the trainees, but also advanced the local communities. It is great to hear feedback from the locals that they are very happy to know that they are not alone with their problems and know now whom to ping in case of a problem.  

Keep reading similar articles
Panel: Cyber Resilience Builds on Situational Awareness, Trainings and Exercising

On 18 June the EU CyberNet’s Training and Services Lead Lauri Aasmann took part of the EuRepoC Conference 2024 “Promises & Pitfalls for the EU’s Cyber Foreign and Security Policy” which focused on the attribution capacities of EU and private actors; emerging hybrid threats; the EU’s role in capacity building; and the intricate relation between critical infrastructure protection and conflict resolution in Europe.

Panel: Awareness-raising is a Complex, Non-linear Process Requiring Sustained and Multi-faceted Efforts, and International Cooperation

Liina Areng, Director of EU CyberNet and LAC4, participated in a panel at the Seminar on Security in the Digital Economy, hosted by Brazil under its G20 presidency in São Luís. The panel focused on raising public awareness about digital security.

Panel: Cyber Security Implications for Port Infrastructure and Maritime Systems

EU CyberNet hosted a panel discussion at NATO CCD COE conference CyCon2024 “Over the Horizon” focusing on critical sector service provider’s resilience building.

EU CyberNet Participated in International Discussions on Cyber Capacity Building at UNHQ

This month, Silja-Madli Ossip, the Community Lead of EU CyberNet participated in multiple discussions at the United Nations Headquarters (UNHQ) – Global Roundtable on ICT Security Capacity-Building, OEWG Inter-sessional meeting on cyber threats posed by emerging technologies and a Side-Event on the future of responsible state behaviour in an evolving cyber capacity ecosystem.  

Annual Cyber Project Community Meeting Concluded in Brussels

On 15th May, EU CyberNet hosted the annual Cyber Project Community (CPC) meeting in cooperation with the European Commission’s Service for Foreign Policy Instruments and the European External Action Service (EEAS) to provide for a fora to the EU funded external cyber capacity building projects’ implementers to share information, facilitate cooperation and learn from each other’s best practices.   

Jorge Mora-Flores: “I propose the 5 C’s for cybersecurity success – Creativity, Communication, Confidence, Collaboration and Commitment. “

Mini-interviews with EU CyberNet experts. Jorge Mora-Flores has been part of the expert pool for over two years and has contributed to the work of EU CyberNet