Have We Lost the Spark? Sasha Biskup Unravels the Evolution of Cyber Security Through His Growth Journey
Sasha Biskup’s story in cyber security embodies the industry’s dynamic nature. From a kid playing around with Commodore computers to a seasoned professional at major tech companies such as LinkedIn and Microsoft, his professional journey shows how curiosity and a love for innovation can fuel a successful career.
Chaleit’s CEO, Dan Haagman, sat down with Sasha Biskup for a fascinating conversation that explored ethics, technical challenges, the importance of engineering, and the loss and rediscovery of the spark in the cyber craft.
Watch the video and read the main takeaways below.
The making of a tech enthusiast and cyber security pro
I’ve always been fascinated with computers from a young age, starting with the Commodore. I got into the geek side of things, learning about copy protection, hardware hacking, and eventually moving into computer engineering.
After following my passion for music in my teens, I studied computer engineering and landed my first job in information security. That set me on my path. I’ve been lucky throughout my career to work with great people on interesting projects, including an interesting role working for Craig Wright (of the recent COPA Bitcoin case).
The move to Silicon Valley came during a tech boom, which provided ample opportunities.
The Bay Area during that time was extraordinary. Its openness to innovation, dream-big mentality, and supportive community made it special. It taught me the importance of pushing boundaries and the value of community and mentorship in fostering growth. This period shaped my approach to cyber security and taught me the need for innovation and a proactive stance in addressing security challenges.
It’s been an uphill journey since then.
Ego and ethics in cyber security
The root cause of ethical issues in cyber security is multifaceted. It is a mix of ego, overconfidence, and the nature of the subject matter itself.
Cyber security used to be a dark art, and some of the fables and myths perpetuated into what some call hacklore (i.e., cybersecurity folklore).
Reflecting on my career, I see how the competitive nature of security professionals can sometimes overshadow engineering work. This competitive ethos is not always conducive to ethical behaviour, so we must reflect and avoid such pitfalls.
As the digital world grows, so does the potential for misuse of technology, and ethics become a cornerstone of cyber security practice.
Vendor relationships
I’m constantly reminded of the concept of market for lemons, which refers to situations in which buyers are less informed than sellers and might not know how to evaluate the quality of a product. That’s a typical scenario, and it happens when selecting technology vendors. Clients sometimes need help figuring out what to look for under the hood.
The problem is that some companies overpromise. For example, there are discrepancies between the data, the products, and what the marketing pages say. They may need to be updated, but some of the features they talk about aren’t as effective as they say.
But how much of the problem is a faulty solution, and how much sits with faulty implementation?
Engineering-led approach
In the early days, it was just about getting a system in, and it was isolated. Now, it’s interconnected with how the business operates.
Every technology solution requires contextualisation for the business, which means getting engineering involved somewhere along the way. With engineering comes power yet tempered with complexity.
I quickly learned that engineers were the most important group in the organisation because revenue is tied to their velocity. My experience, including that at LinkedIn, taught me that the symbiosis between security and engineering is non-negotiable. At Microsoft, I learned that a 1% increase in developer productivity is essential.
Always put developers first. Do not compromise their workflow, and don’t let ego create unnecessary interactions. The more you delay engineers, the more friction you create.
An engineering-led approach to cyber security is crucial. We need rigorous technical solutions to combat increasingly sophisticated threats, and engineering expertise can be leveraged to design robust security architectures.
A leg-up for security
Not all risks are equal and warrant the same level of attention. Some companies promise to automate contextualisation, but for now, a lot of human decision-making is still involved.
If good frameworks, guides, and education programs are in place, engineers can make those assertions. That’s where threat modelling comes into play, transferring the security team’s burden to the engineers. This gives security a leg-up because they don’t have to review everything but have a threat model already done.
In this way, security becomes an enabler, not a stump on the road, asking developers to re-engineer everything.
Craft and retention in cyber security
In security projects, people don’t stay around long enough. Sometimes, consultants come in for the first parts of the project and then walk away. That is also often the case with security professionals who leave for another position mid-project or even after it’s done—taking the knowledge with them.
On the one hand, approaches to sustainability have to be independent of particular people. On the other hand, if you want to retain expertise, give people opportunities to do well.
Cyber security and engineering are crafts, just like music. People have a passion for their craft, which energises them. But we must also recognise that it’s a hard, life-long journey.
Has the spark gone out of the cyber craft? Are we getting numb to cyber news? Have we just accepted that we’re going to get breached?
Let’s raise the standards and recover some of the energy of the earlier days. Sometimes, it’s just as simple as calling out a bad idea and challenging people to come up with a much better solution. That’s what happens in brave companies.
At Chaleit, we work with bold companies to develop proactive solutions and become a seamless part of their team, enabling processes rather than interrupting them. We are curious and education-focused, so follow us for more insightful conversations with top cyber experts.