Alexander Falatovich Of Identity Digital On Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry

An Interview With Fotis Georgiadis

Don’t be afraid to fail. A career in cybersecurity is about constantly encountering new and challenging problems, which almost inevitably results in some failures. If you are not willing to make and learn from mistakes, a career in cybersecurity may be a struggle. We learn so much from failure. At the start of my career, I had never written corporate policies nor used the NIST CyberSecurity Framework. Still, I took on the challenge, making some mistakes along the way, and ultimately succeeded.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”, we had the pleasure of interviewing Alexander Falatovich.

Alexander Falatovich (Fal-uh-toh-vich) of Identity Digital brings over a decade of experience from the domain name space, having led large legacy generic top-level domain (TLD) anti-abuse programs as well as facilitated the successful launch of dozens of descriptive TLD anti-abuse programs. He is a member of multiple industry groups and collaboratives, such as the Anti-Phishing Working Group and InfraGard. He has earned his Certified Ethical Hacker, Certified Incident Handler, and Certified Cyber Security Architect certifications to accompany his bachelor’s degree in intelligence analysis from Mercyhurst University with a minor in Asian studies and a graduate certificate in Homeland Security & Defense from Pennsylvania State University.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I’m from a small town in Northeast Pennsylvania, about as far from anything associated with cyberspace or information technology as you can get. My parents were teachers. They gave me many opportunities to try activities I enjoyed, like basketball, while ensuring I put forth the effort in school. I did well in math and science but really enjoyed the social sciences. I eventually went to college at Mercyhurst University, at the time Mercyhurst College, to study Intelligence Studies because I wanted to work in the US Intelligence Community. While I spent four years enjoying all the natural wonders of Erie, Pennsylvania (Spoiler: snow and cold), I added an Asia Studies minor that allowed me to mix the logical-centric elements of intelligence analysis with the more spiritual components of many Asian cultures. The job market wasn’t great when I graduated, so I did some temp work before eventually getting my first job, not in government as planned, but in cybersecurity near Philadelphia. Since then, I bounced to Baltimore for a little while before ending up where I am now.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

A book called ‘How to Cook Your Life: From the Zen Kitchen to Enlightenment’ offered many valuable ideas, even more so in an industry like cybersecurity, where many days are long and stressful. It’s a manual about cooking in a monastery and the spiritual training involved, but it can apply to so much of life. The concept of moving meditations resonates with me. Many of us do this without realizing it. People tend to think of meditation as sitting in silence, but it is about being conscious of your being and being present. I find it calming, whether while washing dishes or something more work-related, such as diving through a spreadsheet full of domain registration details. Be present in those small moments, and the world opens up.

Is there a particular story or incident that inspired you to pursue a career in cybersecurity? We’d love to hear it.

So funny enough, I never intended to pursue cybersecurity growing up or even in undergrad. I got into it out of necessity. But there was something that struck me that made me stay. About two years into my career, talking to friends and former classmates (some of whom filled positions I had wanted), I realized how much of a difference working in cybersecurity makes, and the impact the anti-cybercrime work I was doing had made and could still make. I grew up with some technology, but the way society was moving, even back in 2013, if I wanted to help the public, staying in cybersecurity was right for me.

It has been said that our mistakes can be our greatest teachers. Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

There was one instance when I was responding to a report by a member of the public concerning material on a domain in one of our top-level domains (TLDs). They believed the domain was involved in supporting terrorism. As an enthusiastic cybersecurity greenling, I gathered information and submitted it to the FBI portal since that seemed the right thing to do. I had forgotten about it until two FBI special agents showed up two days later with my CEO, wanting to speak with me about a report filed. I had made the unglamorous mistake of not informing key leadership. Understandably, the leadership team was very surprised and not in an “oh, that’s so thoughtful” way. After the agents left, I got a friendly but stern lecture stating I wasn’t wrong to report the case but to notify our legal team next time. Lesson learned. Communicate with your legal team when you are engaged in any activities with serious legal implications. This protects you so you don’t put yourself or the company in an undesirable position.

Are you working on any exciting new projects now? How do you think that will help people?

Without getting into the details, exciting projects are in the works to take advantage of some technical registry and DNS data we have access to; data that nobody else has in such volume and as comprehensive in scope. It involves the ability to more rapidly and accurately identify domain names registered for cybercrimes, such as phishing, and learning where legitimate domains may be compromised to be used in similar abusive behavior. This will help people by reducing the uptime of malicious content. Studies repeatedly show that most of the damage in cyber attacks happens within the first few hours of a domain being deployed. Faster, accurate detection can lead to faster mitigation and, by extension, fewer victims of cybercrime.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

It’s an exciting time for the cybersecurity industry and the implications beyond. What excites me most is how accessible it is despite some negative elements in some communities. It is also increasingly diverse as one of the few areas where someone with no experience in technology can become a practitioner using free, open-source materials. This allows people from all kinds of backgrounds with different perspectives to join. I see the community adding needed voices via initiatives on social media like #sharethemicincyber and organizations of women in cybersecurity. Those voices profoundly impact creating a more fair and unbiased technological future.

The second thing that excites me is the growth potential in cybersecurity. You don’t need to look far to see the constant demand for more cybersecurity professionals, including in companies and spaces that you wouldn’t have just a few years ago. A report in CyberSeek underscores this, stating that nine of the ten top months for cybersecurity demand for the last decade came in the previous year. There’s a tremendous opportunity to find your niche and make an impact.

And finally, the third thing I’d single out is how amazing it is to be part of an industry when there is so much potential revolutionary technology starting to hit the mainstream that needs securing and protecting. Whether looking at one of the many text-to-image AI generators or visiting a website using a descriptive domain with a top-level domain I don’t commonly see, we’re constantly presented with new cybersecurity challenges. To me, that’s a gratifying part of cybersecurity work.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

You can’t have light without dark, and there are certainly concerns about the industry. Many are related to topics I just highlighted as positives. One area of concern involves gatekeeping in the community. Hiring can be overly focused on who is “qualified” or actually “doing cyber.” This can take many forms. For instance, considering anyone without a particular certification as not serious or a fit for cybersecurity if they don’t come from a network engineering background. Sometimes companies block aspiring new professionals by requiring certifications or experience far beyond what the job posting would require. We can call out these types of behaviors. However, it’s a culture change, and that takes time. I believe this will diminish as we continue to grow as an industry and some old guards retire or phase out.

My second concern is that so much new technology needs to be secured. Still, standards and regulations are lagging. While there is progress in many frameworks and industry bodies maintaining those, legal gaps strain the community and the public. For example, Internet of Things products can be challenging to secure. When you have lawmakers who are not comfortable with technology, it is a recipe for disaster. We need the community to support technology-aware politicians and engage in the process. Many elected officials didn’t grow up with the cyber resources that are so present these days. They can’t legislate properly without industry engagement to secure those technologies.

Lastly, I worry about the number of questionable, overpromising buzzwords companies use that sound great to an executive but fail to provide the protection they claim against constantly shifting cyber threat actors. Many new startups and security consulting firms are popping up doing great work. Others take advantage of the growth and demand for cybersecurity skills, prioritizing profit over security. I’m not saying anyone needs to work for free. Still, when data breaches and compromises at one entity have such strong ripple effects on other organizations, they weaken the wider community. Beyond possibly advocating for standards and regulation, we can address this by being open and honest with our colleagues in the community. If you experience objective underperformance or questionable behavior by a vendor or provider, share that with your peers. Collective understanding and demanding better from providers allows us to strengthen the industry and produce better products and services.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Even though many threats are on the horizon, a couple stand out to me. First, hyper-realistic misinformation and disinformation campaigns target organizations, investors, and customers. With advances in machine learning and AI-generated content, particularly videos involving synthetic media, hostile actors can spread damaging stories about an organization that can lead to financial pressure. This could take the form of consumer boycotts or even violence from lone wolves of fringe ideologies. If an organization doesn’t have the means to identify and respond to this risk scenario, it will struggle to react if the threat becomes real.

Another current and growing threat involves attacks on multi-factor authentication. The “Oktapus” phishing attacks are an example. This large-scale campaign targeted Twilio, Okta, and other companies with text messages containing links to phishing sites that mimicked their organization’s Okta authentication page, which harvested Okta credentials and two-factor authentication (2FA) codes. Many companies and vendors are using less secure second factors like SMS OTP or have likely not educated their users about hackers targeting their traditional credentials, such as username and password, and their second-factor authentication. Even though these security measures are better than nothing, companies must move away from these weaker second factors and adopt social engineering-resistant solutions such as hardware tokens and WebAuthn. Many companies, even major organizations that likely know better, still use these less secure mechanisms. Most companies are just lucky because there are still plenty of non-MFA-enabled accounts. Because of that, attackers haven’t had to switch to targeting MFA-enabled accounts for many attacks.
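The difference between a relayable OTP code and a phishing-resistant WebAuthn assertion comes down to origin binding, which the paragraph above asserts but does not show. The following is an added illustration, not code from the interview, Okta, or Identity Digital: a toy authenticator and relying party where the HMAC stands in for WebAuthn's asymmetric signature, and `login.example.com` / `login-example.com` are constructed hostnames. The browser rule that a credential can only be used on a page whose host matches its rpId, and the relying party's check that the signed clientData names the expected origin, are both modelled; the TOTP routine follows RFC 6238 so the contrast with an origin-less code is concrete.

```python
"""Toy comparison of TOTP (no origin) versus a WebAuthn-style assertion (origin-bound).
Added example with constructed hostnames; HMAC replaces the real asymmetric signature."""
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ID = "login.example.com"                      # constructed relying-party id
REAL_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login-example.com"   # constructed lookalike origin


class Authenticator:
    """Holds one credential secret per rpId, as a roaming/platform authenticator would."""

    def __init__(self):
        self.credentials = {}

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.credentials[rp_id] = secret
        return secret  # toy: the RP stores this as the credential's verification key

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str):
        # Browser rule: a credential is only usable when the page host matches its rpId,
        # so a lookalike host cannot obtain an assertion for the real rpId at all.
        host = origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{origin} may not use the credential for {rp_id}")
        # clientDataJSON carries the challenge AND the origin; both are under the signature.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}, sort_keys=True)
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
        return client_data, hmac.new(self.credentials[rp_id], signed, "sha256").digest()


class RelyingParty:
    """Verifies assertions: right type, right origin, unused challenge, valid signature."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.verify_key = None
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, client_data: str, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False  # produced on another site: rejected before any crypto runs
        challenge = bytes.fromhex(data.get("challenge", ""))
        if challenge not in self.pending:
            return False  # unknown or already consumed: blocks replay
        self.pending.discard(challenge)
        signed = hashlib.sha256(self.rp_id.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
        expected = hmac.new(self.verify_key, signed, "sha256").digest()
        return hmac.compare_digest(expected, sig)


def totp(secret: bytes, t=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Note the inputs: secret and time only, never an origin."""
    counter = struct.pack(">Q", (int(time.time()) if t is None else t) // step)
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def otp_login(secret: bytes, code_entered: str, t=None) -> bool:
    # A six-digit code says nothing about where it was typed, so the RP cannot tell a
    # code relayed from a lookalike page apart from one typed on the genuine page.
    return hmac.compare_digest(code_entered, totp(secret, t))


def demo() -> dict:
    """Run the three scenarios and return the outcomes (asserted on in the test)."""
    auth, rp = Authenticator(), RelyingParty(RP_ID, REAL_ORIGIN)
    rp.verify_key = auth.register(RP_ID)
    # 1. Genuine login on the real origin succeeds; replaying the same assertion fails.
    challenge = rp.new_challenge()
    client_data, sig = auth.get_assertion(RP_ID, challenge, REAL_ORIGIN)
    genuine = rp.verify_assertion(client_data, sig)
    replay = rp.verify_assertion(client_data, sig)
    # 2. The lookalike origin cannot even obtain an assertion for the real rpId.
    try:
        auth.get_assertion(RP_ID, rp.new_challenge(), LOOKALIKE_ORIGIN)
        lookalike_blocked = False
    except PermissionError:
        lookalike_blocked = True
    # 3. A TOTP code captured at time t verifies wherever it is relayed within its window.
    otp_secret = secrets.token_bytes(20)
    captured = totp(otp_secret, t=1_700_000_000)
    otp_relayed = otp_login(otp_secret, captured, t=1_700_000_000)
    return {"genuine": genuine, "replay": replay,
            "lookalike_blocked": lookalike_blocked, "otp_relayed": otp_relayed}


if __name__ == "__main__":
    print(demo())
```

The rpId check in `get_assertion` and the origin check in `verify_assertion` are the two layers a real deployment relies on; the TOTP path has neither, which is why the text recommends moving to hardware tokens and WebAuthn rather than adding more prompts around OTP.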

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I haven’t explicitly been part of responding to a cybersecurity breach, but I can speak to having potentially prevented some. My primary role involves mitigating domains used by cybercriminals and cyber attackers to victimize individuals and organizations. As part of that role, I am frequently in contact with the private sector, law enforcement, and national security colleagues. In some instances, I’ve received direct, timely intelligence regarding domain names registered specifically to target employees of organizations of interest to particular nation-states. I evaluate and neutralize the domains so they can’t be used in spear phishing attacks. My main takeaway from this story, which is true for so much of cybersecurity, is that networking with peers and colleagues across the space is essential. We only have visibility into a slice of what is happening online. Identity Digital has a robust domain abuse mitigation program. Yet, our partners often bring items we don’t see to our attention. This is because of their specialized focus on a particular threat actor. Collaboration is key to a more robust defense; no organization is an island.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

This is so true; IBM released a finding that in 2022 it is taking almost nine months to identify and contain a breach, so there’s an excellent chance someone other than the company may notice first. For the layperson, a breach identification can be challenging because they need to determine whether it is isolated (i.e., the user’s account was compromised) or organization-wide. However, it is doable if you’re attentive to details. One way is to use available services that check for compromised assets in data dumps. Many identity protection services offer some form of monitoring. But other free options, such as ‘Have I Been Pwned,’ can give individuals some insight into whether their credentials were posted following a breach. An average user may also discover a violation if they notice strange account activity. This can include more serious actions like unauthorized purchases or more subtle things like outgoing messages you didn’t send. Alternatively, if the individual is getting spammed with account notifications, particularly if they have MFA enabled, there is likely something amiss. It might be just that their account was compromised, but if they use a long, strong, unique passphrase, that may be unlikely, short of a data breach.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Companies aware of a breach should initiate their incident-response playbooks, which should include plans for involving legal and public relations personnel. The organization should try to understand what they are dealing with and avoid making incomplete assessments or downplaying the incidents. This could muddy the waters as customers and observers follow the event. If appropriate, working with law enforcement can bring additional support and resources and should be considered for critical infrastructure. One key element that helps protect customers is being clear about what is happening and what steps have been taken to secure their data. When you leave your customers in the dark or provide unclear updates about what has been done, you leave them more susceptible to scams and attackers looking to exploit your already painful situation. An example of this was the Equifax breach: the site it eventually set up to let users check whether they were impacted spawned multiple phishing campaigns and scams because the messaging wasn’t unified.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

One of the most common mistakes is for companies to have a false sense of security with only one security tool or feature deployed. There’s a lot of “fire and forget” regarding cybersecurity efforts, and the reality couldn’t be further from the truth. The DMARC record a company implemented doesn’t stop criminals from spoofing its domain to customers if its policy is set to “none.” And that fancy threat-intelligence platform purchased isn’t automatically “Mission Accomplished” once deployed; it requires ongoing maintenance and tweaking. Threat actors are constantly updating their approaches, poking and prodding our defenses. This means companies need to actively maintain their defenses. One way to avoid this mistake is to ask a few questions about anything you’re doing for cybersecurity:

  1. What are we seeking to protect against with this?
  2. Is that happening with how we are currently using it?
  3. What is it *not* providing us with?

By asking these questions, a company can at least understand its current cybersecurity maturity to determine whether that’s acceptable to its risk appetite or if it may need to invest in additional measures.
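The DMARC example above is the easiest of the “fire and forget” gaps to check mechanically: the record exists, but a `p=none` policy only asks receivers to report, and a weakened subdomain policy, a partial `pct`, or a missing `rua` reporting address each leave part of the gap open. The following checker is an added example, not Identity Digital's tooling, written against the tag=value syntax of RFC 7489; the three sample records are constructed and the `example.com` addresses are placeholders.

```python
"""Assess a DMARC TXT record for the gaps that leave a domain spoofable despite 'having DMARC'.
Added example with constructed sample records; not from the interview or Identity Digital."""

# Policy strength: "none" only monitors, "quarantine" and "reject" actually enforce.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records (placeholder domain).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=reject; sp=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a lower-cased tag dict; reject non-DMARC input."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means the record enforces fully."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        findings.append(f"unknown policy p={tags['p']!r}")
    elif POLICY_RANK[policy] == 0:
        findings.append("p=none: receivers only report; spoofed mail is still delivered")
    # Subdomain policy defaults to the domain policy when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()
    if (sub_policy in POLICY_RANK and POLICY_RANK[sub_policy] == 0
            and policy in POLICY_RANK and POLICY_RANK[policy] > 0):
        findings.append("sp=none: subdomains stay spoofable despite the domain policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports, so drift goes unnoticed")
    return findings


if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)]:
        print(name, "->", assess_dmarc(rec) or ["enforcing"])
```

In practice the record is fetched from the `_dmarc.<domain>` TXT entry and fed to `assess_dmarc`; wiring that into a scheduled job is what turns “we deployed DMARC” into the ongoing maintenance the answer calls for.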

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

The biggest myth is having to be super technical to get into cybersecurity. If you want to eventually get a technical cybersecurity role, there are plenty of resources to skill up for it. But many non-technical roles are also offered. Training is available in cybersecurity policy, standards and auditing, security awareness, and more. Understanding the technical elements to some degree is a boon, but you don’t necessarily need to understand how to exploit vulnerabilities or reverse malware to get into cybersecurity. If you look at all the options on CISA’s NICCS career pathway tool, you see how diverse the options are.

Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”?

First, there’s no one way to have a successful career in the cybersecurity industry because everyone’s journey is different. With that in mind, these five things helped drive my success as well as others in the community:

  1. Don’t be afraid to fail. A career in cybersecurity is about constantly encountering new and challenging problems, which almost inevitably results in some failures. If you are not willing to make and learn from mistakes, a career in cybersecurity may be a struggle. We learn so much from failure. At the start of my career, I had never written corporate policies nor used the NIST CyberSecurity Framework. Still, I took on the challenge, making some mistakes along the way, and ultimately succeeded.
  2. Next, make time to give back to the community. Even if you feel you don’t have anything to contribute, someone can always benefit. Many people who have risen in the community are willing to take that chance and share what they know to help others. This contribution can come in many ways. For example, mentoring those new to the space, giving a talk, participating in a panel discussion, or reviewing résumés. These roles present an opportunity to grow and strengthen your knowledge. I’ve been fortunate enough to talk about my career and experience in cybersecurity with colleagues and youth groups. The benefits always outweigh the work put in.
  3. Find your passion in the industry and master it. There are so many paths in cybersecurity it is impossible to master everything. Every job has a less enjoyable aspect. Still, strive to find a cybersecurity area that satisfies you. Once you find that, learn everything you can about it and maintain moderate levels of understanding on related topics. Going to one extreme or the other, deep specialization or shallow jack-of-all-trades, can place obstacles in your growth trajectory. For many years, I wore all hats, but as the team grew, I could find what I really enjoyed, cybercrime investigations, and focus on investigating and disrupting those operations.
  4. Find your tribe and your mentors. Cybersecurity is a team sport in every operation. Whether you are part of a team with dozens of teammates or a single staffer in a small startup, your success depends on working with others. Having peers that support and guide you can be invaluable, particularly if they have more experience. I am so thankful to the friends I’ve made by participating in industry groups like the Anti-Phishing Working Group and public-private partnerships like the NCFTA; it’s produced some amazing opportunities that led to unexpected discussions and collaboration.
  5. Build a reputation of transparency, reliability, and integrity. The cybersecurity industry is one giant community with some subgroups, but there’s so much intermixing you can’t pretend to be someone you are not and expect nobody to find out. Be transparent in your intentions in interactions. Demonstrate being reliable and recognize when you won’t be able to deliver. Operate with integrity even when nobody seems to be watching. Someone almost always is. A former professor told our class the worst thing someone could do to risk a peer’s chances of getting into the intelligence community was to portray them as untrustworthy. I know of vendors passed over and collaborations that never materialized because one party had ethical, integrity-related concerns about a member of the other party. People talk up those who represent the best of our industry and share warnings about those who tarnish it.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

And I can only pick one? That’s an exclusive brunch when there are so many people doing fantastic work I’d love to meet. But if the rules say I can only pick one, I will go with Jen Easterly, the current Director of CISA. She’s been amazing since she stepped into the role, continuing a lot of the great work Chris Krebs had begun and strengthening our critical infrastructure. Looking at her background and how she handles incredibly important and challenging tasks, I believe it would be an insightful conversation. Plus, she seems very genuine, which makes talking over a meal more enjoyable. It’d be particularly appealing because, being in the domain name space, we play such a critical role in the operation of the internet; I find myself feeling an affinity with CISA and many of the more “traditional” critical infrastructure sectors that people think about.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

Alexander Falatovich Of Identity Digital On Five Things You Need To Create A Highly Successful… was originally published in Authority Magazine on Medium, where people are continuing the conversation by highlighting and responding to this story.
