Luca Berni is an analyst in the cyber threat intelligence team at Control Risks, where his focus is on researching sophisticated cybercriminal threat actors, and on analysing the geopolitical motives of cyber espionage. Luca is a certified ethical hacker and has a BA (Hons) in International Relations, gained in Italy. Luca holds an MA (Distinction) from King’s College London, where he read intelligence and international security.
Tell us about yourself?
I have been working in the cyber threat intelligence team at Control Risks, a global risk consultancy based in London, for almost two years. Prior to that, I worked for a year in a boutique security consultancy, also based in London. In my time at Control Risks I have been exposed to numerous projects, ranging from threat assessments for major international corporations to targeted investigations for public sector clients. It is a challenging and fast-paced job, but companies increasingly rely on the kind of analysis we produce to secure their most valuable information assets.
What made you choose a career in cyber security?
I think I am a somewhat unusual cyber security professional as I do not come from a technical background. My undergraduate studies focused on international relations, and I approached cyber security only as a postgraduate student.
What I immediately liked about it was the intersection of a technical, practical aspect of the discipline with a more abstract and political one. I could explore the geopolitical implications and the intelligence motives behind a nation-state cyber espionage campaign while learning how to use scripts similar to those exploited in that campaign. You can’t do that with tanks and jets.
What are the greatest positives about working in Cyber Security?
I like that it is a constantly evolving field that requires a great deal of innovation and dynamism. As cyber threat actors are always upgrading their tactics, techniques and procedures, we need to be as proactive in predicting, identifying and mitigating the threat. It is a constant game of cat and mouse that rewards original and innovative thinking.
Also, being a relatively recent industry, there are always new opportunities to grow and projects from which to learn new skills, which keeps the job interesting.
What are the greatest challenges in Cyber Security?
My field, cyber threat intelligence, is as interesting as it is challenging, even frustrating at times. The intelligence work requires a lot of patience, meticulous research and an ability to pick up even the smallest details. In a fast-paced commercial environment, sometimes there is just not enough time to explore every possible lead, or there is not enough data to reach a satisfying conclusion over a particular incident. This can be frustrating for an analyst, but I guess it is pretty much the same in almost every line of work.
What are the highlights of your career?
Participating in multiple CBEST engagements has definitely been very important for my professional development. CBEST is an intelligence-led pen-testing exercise mandated by the Bank of England for major UK financial institutions. It is a project that has real impact on the security of financial transactions in the UK and sees concerted action by multiple stakeholders, both from the public and the private sectors.
I believe more countries will take a similar intelligence-led approach to secure their own critical national infrastructure against cyber threats. Being part of the first such project is something I can be thankful to Control Risks for.
What/Who has been the biggest influence on you?
As I mentioned, I owe my career in cyber security to my postgraduate studies. My supervisor at the Department of War Studies at King’s, Professor Thomas Rid, certainly had a big role in shaping my understanding of cyber security as closely linked to geopolitics and strategy, rather than a merely technical matter. He also introduced me to quite a few cyberpunk novels that I did not know before, which I massively appreciate.
Where do you see cyber security in 10 years?
I think that we will begin to lose the adjective cyber before security. The increasing reliance on software for every aspect of our lives will render – and indeed is already rendering – the securing of that code a matter we would today describe as physical security.
Avoiding a car crash today is mostly a result of the smooth functioning of a machine and the driving skills of its human driver. Self-driving cars will soon render this equation obsolete, instead transferring control over our physical safety to a network of self-learning computers. The security of those computers will become, quite literally, a matter of life and death.
Cyber space could have been a cool concept, good enough for William Gibson’s imaginary sci-fi worlds in the 1980s. In 10 years, ‘cyber’ and ‘real’ space may not have such a clear distinction anymore – think about the way augmented reality blends holographic images and everyday environments.
To paraphrase the cryptographer Bruce Schneier, cyber security will become everything security.
What are your career ambitions? (5-20 years)
I want to continue to grow my understanding of cyber threats and increasingly apply that to help organizations mitigate their own unique risks. More than that, it is hard to say as the industry is an ever-evolving one. I would surely like to travel more and understand first-hand how different countries approach cyber in their own way.
What would you do if you were not a threat analyst?
Be an astronaut, obviously.
Joking aside, I would consider a career in an international organization in relation to cyber security policy. I think that there is a need for serious policy engagement on an international level in order to shape the future of technology and how we, and the countries we live in, interact with it.
What advice would you give young people hoping to enter a career in the field?
Get technical, but don’t get lost in the jargon. An understanding of technical issues is indeed of paramount importance to succeed in this field. But a career in cyber security also requires soft skills and an open, curious mind able to understand multiple facets of a problem.