How Allianz Cyber Educator Daria Catalui Puts People First to Build a Human Firewall

For Daria Catalui, top cyber educator at Allianz and an advisor at the European Union Agency for Cybersecurity (ENISA), effective cybersecurity starts not with technology, but with empowering people to become part of the human firewall.

From contributing to early cybersecurity education policy programs for ENISA and the European Commission, to heading up cybersecurity awareness at the financial services firm Allianz, she has long championed a people-first approach to security.

Her focus is on equipping individuals with the information and behaviors they need to stay safe online, both in the enterprise and at home.

In this conversation with Infosecurity, Catalui details her passion for cybersecurity education, the concept of the ‘human firewall’, how to deliver appropriate, futureproof cybersecurity training in the age of AI, and how she balances her roles as top cyber educator at Allianz and advisor to ENISA.

Infosecurity Magazine: How have cybersecurity and your role in promoting cybersecurity awareness changed throughout your career?

Daria Catalui: When I started, it was an emerging topic and part of my role at ENISA was building up the human firewall aspect for the EU and all the member states. Another part was making sure they had a cybersecurity strategy and topics like cybersecurity awareness and training were embedded there.

I was involved in building something called the European Cybersecurity Challenge competition, building the skills of tomorrow which we started [in 2014], now it’s really building momentum.

Now I take care of and lead the human firewall aspect of Allianz. I enjoy the topic a lot, which is good, as I’ve spent my entire professional life in it.

IM: Can you explain what the human firewall is and how it can help people and businesses stay cyber-secure?

DC: The human firewall is complementary to the technical firewall. The idea of the human firewall is that you and me, the people who work for an organization, or we as citizens, do what we can to stay secure online.

And of course, it’s to the advantage of our organizations to stay secure with your business data. But it’s also useful for you to stay secure at home. To keep your accounts safe or avoid being a victim of phishing or voice phishing.

Social engineering is one of the most challenging aspects of cybersecurity. And it affects the human firewall, you and me. So, what we can do is to be on top of the situation and know what’s going on.

Nowadays, emails need to be checked to be sure who they’re coming from. Is it a link you want to click on or not? On a phone call, do you want to trust it and tell them all the information they’re asking you or not?

I work for my company to secure the human firewall, but at the same time, I want to work in partnership with the authorities of the countries of where my employees are, because it’s a win-win situation for everyone.

If I teach ‘Bob and Eve’ in my organization about what it means to be secure, then Bob and Eve will also benefit in their daily life. Or if their governments teach them how to be secure, it’s a benefit for me, working at a private company.

That’s why I have this double hat for ENISA and working for my own company on this.

IM: How do these roles complement each other and how do you balance between them?

DC: It’s complex but it’s simple at the same time. It’s a public private partnership that I try to embed in my everyday work. I use the innovation I do for my company, for example, around voice phishing exercises, and try to bring it to public institutions. Then I try to see what public institutions are doing and try to bring it to my company.

For example, there is an awareness-in-a-box toolkit on the ENISA website, and everybody can use it, all businesses. So, I will use it too, because it’s useful.

IM: How do you apply security awareness to ensure that people and organizations can stay as safe as possible against cyber-attacks like phishing?

DC: Social engineering techniques, they always use urgency and hierarchy. They will always say it’s from your boss or someone higher up.

So, the first rule is to have a codeword with your team at work, or your family. So, if I say the code is the name of a book, if something is suspicious on the call, I will ask them to tell me the book we talked about. It’s a verifying question, it’s easy and basic, but it’s something which we can use to protect against deepfakes and voice phishing (vishing).

You should have exercises to remember the code when you are face to face, or in a team meeting, because otherwise they will forget it.

Another rule is to tell users to check the trusted sources. Don’t just click the link, go to the trusted source to verify it.

IM: What is the best way to provide users with cybersecurity training?

DC: It’s not only about phishing, it’s about cyber education overall. And if we take into account that now we have artificial intelligence embedded in business and society, then things become even more complex. We have to think about how to stay on top of all this.

My call to action would be for everyone to understand the technology. It’s not so difficult, you just have to test and play around with it to understand how it works and what you can do to learn the basics of cyber education.

It’s also important to ensure that employees take proper care of business data. That’s essential.

IM: How do organizations ensure that data is secured?

DC: All of those usual things that you would expect: complex passwords, multi-factor authentication, etc. Plus, a key thing is to classify your data, to know where you put most of your security controls.

If it’s very valuable for your business, you classify sensitive business data very differently than a press release, for example. The security controls should always play along with the business needs.

I would call for organizations to be using security by design and privacy by design. Because the business should be secure, yes? But if you only start applying cybersecurity at midpoint of developing a product, that’s not the way to go. It will be very difficult to embed security controls in afterwards.

So why not start from the beginning and you start applying security by design, privacy by design. Then you can have a product that is viable for the cyber world that we’re living in.

I’m of the opinion you can run fast to innovate. But you can also not break things. So, I don’t think it’s “let’s run fast and break things.” It’s “let’s run fast and try to apply security by design.”

IM: What impact is AI having on cyber security and cyber security strategy?

DC: It’s a jungle out there. AI has become a keyword, and everyone talks about it. We should pay attention to the governance and use cases of it. You should not use it everywhere, only where it makes sense.

The ethics of AI are very important. You need to understand what’s happening and you need to understand the controls. You can’t run through the jungle without a map; you will get lost if you don’t have a sense of where you go.

IM: What is the biggest challenge in cybersecurity which CISOs should be thinking about right now?

DC: I think they need to think about integrating the human firewall with the technical firewall. The technical firewall needs automation and AI speed, but it needs the integration of humans-in-the-loop.

At the same time, the business needs to understand that cybersecurity isn’t a silo in the basement: cybersecurity needs a place at the decision table.

IM: What is the key to ensuring cybersecurity isn’t siloed, but an active part of the business?

DC: Our community, CISOs, we need to learn to speak business language to be understood better by the other parts of the business. We need to reach out to the board and make this a frequent interaction and not be afraid of speaking to the business.

Another tip would be to not just communicate after an incident, but also how issues are being mitigated, speak about things before they happen. Then if they happen, don’t be afraid to speak about the learnings and how you recovered.

On the other side, the business should be integrating the CISO role as part of their governance at the highest level possible.

And for countries and authorities, for sure, more of them have cybersecurity strategies, which is a good thing to have, and they should be updated as frequently as they can.

I want to mention cyber education, because it’s always a collaboration with different parties and stakeholders, and seeing what’s going on in cybersecurity initiatives.

IM: What has been the biggest success story in cybersecurity in recent years?

DC: I was working in 2013 on the original European cybersecurity strategy. Back then, you didn’t really have CISOs.

Nowadays, you have a CISO in most organizations. If your friends ask what you do for work, and you say cybersecurity, they will have an idea about what you do. There is a maturity level of the field and it’s a success story.

IM: What is one piece of advice you would give to CISOs?

DC: Enjoy your role, you are more needed than ever. And don’t forget to reach out to other business leaders.