#34 Daniel Cuthbert: top hacker, leading cybersecurity at SensePost (acq by Orange) & Banco Santander, using tech against child abuse
Global Head of Cyber Security Research at Banco Santander, US & UK govs cyber sec advisory, Board at Sentinel Foundation, ex COO at SensePost (renamed Orange Cyberdefense after Orange acquisition)
We are Pol Fañanás and Gerard García, two friends passionate about tech, startups, and VC, getting views from exceptional people doing cool things and sharing it for free with those who lack access. Thanks for reading!
Daniel Cuthbert is a renowned hacker and cybersecurity expert, currently working as Global Head of Cyber Security Research at Banco Santander, a global financial powerhouse with >150 years of history, >160m customers worldwide, €1.15t in customer funds, €9.6bn profit in 2022, and a €57.7bn market cap.
He is also an advisor on intelligence and cyber security matters to governments such as the US and UK, a Board member at Sentinel Foundation (a non-profit organization that brings together tech and combat-experienced professionals to fight child sexual exploitation), and co-author of the OWASP ASVS, the Open Worldwide Application Security Project Application Security Verification Standard (OWASP is a widely recognized non-profit foundation that plays a pivotal role in promoting application security via community-led open source projects, and ASVS is one of its highly valuable security frameworks).
Previously, Daniel held multiple cybersecurity roles, most notably as COO at SensePost (a reputed company in the cybersecurity industry, focused on offensive security testing and research). SensePost eventually became Orange Cyberdefense after an acquisition by Orange (a multinational telecommunications company with 287m customers, 136k employees, €43.5bn in revenue in 2022, and a €27.7bn market cap).
Summary
1️⃣ Starting as self-taught hacker
2️⃣ Becoming COO of Orange Cyberdefense and cybersec lead at Banco Santander
3️⃣ Sentinel Foundation and using tech to fight against child abuse
4️⃣ Lessons from a hacker life
5️⃣ Biggest threats in cybersecurity right now
6️⃣ Hottest opportunities in the space
7️⃣ Insider view of the future
8️⃣ Surprising facts about cyber attacks
9️⃣ Are we on an escalating global cyber cold war?
1️⃣ How did you start in cybersecurity and why?
I started not in security but in hacking.
Maybe a normal cliché for the space but I just had great curiosity around this new thing called the internet and started to pursue it on my own as a hacker.
It was not so much about going to school to learn about this stuff (we could say the real security industry didn’t even exist back then), but more about self-learning - the best way to grow in this world still today if you ask me. And in the mid-90s and early 2000s there were a lot of opportunities to do so. A big chunk of hacking happened in that period since lots of things were being built horribly wrong on the internet which left room for really exciting hacker creativity.
Following a deep rooted curiosity, having huge excitement for new tech, always looking at new stuff, learning on my own, reverse engineering it … that was my beginning!
2️⃣ How was your path from hacker to leading security roles in relevant players like SensePost / Orange Cyberdefense and Banco Santander?
One of my first dedicated security roles was at the Financial Times helping build ft.com. I had a title of systems engineer but my main task was trying to break what they were building. A penetration tester type of role. So I grew up into that angle.
Afterwards, I helped set up KPMG’s Penetration Testing capabilities. The main idea was analyzing systems and applications for vulnerabilities and security gaps, and then attacking to test them while providing measures to reduce risks.
Eventually I joined SensePost (now Orange Cyberdefense after an acquisition by the Orange Group) which became a renowned cybersecurity company focused on offensive security testing and research. This mainly involved simulating real-world attacks to identify weaknesses in systems and providing recommendations for risk mitigation. There I started as Assessment Manager responsible for evaluating risks associated with client architecture and software whilst providing support to the client, and ended up as COO helping lead global operations in a strategic role while still involved at a technical level. At SensePost I had the chance to build really exciting things with some of the baddest hackers in the world. Having this chance to work with the best people and really become a force in the industry was exceptional.
After almost 7 years at SensePost and working with a lot of finance world players along the way, I wanted a change, and I came across what to me seemed a unique opportunity in a unique place - Banco Santander. Even though I understand it is a challenge in the hacker world to convince people that Santander is not a normal bank, I have truly experienced a singular place to develop best-in-class cyber security research capability. The bank’s leadership mentality was aligned with my vision and ultimately I became responsible for leading the research direction for cyber security.
3️⃣ What is Sentinel Foundation and why does it matter?
Sentinel Foundation is a very interesting and important non-profit endeavour leveraging tech and combat experience to track down and stop child sex exploitation.
Glenn Devitt, the Co-Founder and CEO, was one of my students in a course I gave to U.S. intelligence units on tracking. We met, became friends, and I remember sharing our thoughts regarding how every day there are increasingly more undesirable uses of tech to mask the awful ugliness of abusing children. Sentinel was born from saying “look, we have the capabilities to do something about it, so let’s go, let’s help”.
Child sex trafficking is a huge problem. It is not like I have a big concern about what adults prefer to practice with each other, but if you abuse a child you have crossed the line. We know how to track and we find those people.
4️⃣ What positive and negative lessons would you highlight from your journey as a hacker in cybersecurity?
The positive lesson would be, without a doubt, learning about the great importance of how to attract and work with the best people. Lots of times, you see the huge need for great technical talent, however at the same time the weak efforts to make them feel properly welcomed and free to create. If you force people (especially in a highly technical realm like cybersecurity) into an old-fashioned culture, and you are expecting them to come and do the job without respecting idiosyncrasy - I don’t think you are going to leave room for the best work to happen. Giving people the creative space to be cool and giving them the proper tools is something I learned that showed me very positive fruits.
About the negative, well, there are quite a lot of hard lessons I can’t talk about because of the nature of confidentiality in the industry. But I’d say probably the biggest one could be helping develop tools that end up being used by undesirable people with bad intentions.
5️⃣ Biggest threats in cybersecurity right now?
What I see most is that lots of companies struggle with the basics. Simple things like understanding what they have are the origin of some of the most significant threats.
Related to that, I’d add that we have a growing number of software vendors that build products which are not fully secure. This ends up as a catalyst of the pre-existing vulnerabilities of the company, thus bringing to the table more potential hacks.
Attack surface has dramatically increased in the last years. We went from small isolated networks to remote, hybrid, on-prem, mobile devices, etc. - having all this secure is an ongoing threat.
6️⃣ Hottest opportunities in the space?
There are lots of things I can’t talk about (again because of confidentiality issues), but a couple of opportunities come to my mind: quantum cryptography and AI.
I know quantum cryptography quite well and I’ve been personally working on it for some time. If we put aside the threat that it will imply to traditional cryptography, I believe it is a really exciting opportunity because it can give everybody a much needed kick in the butt to finally fully understand where you are using cryptography. OK, men and women who wear sandals with socks say that this works, but do you understand what is truly happening under the hood? Quantum is making people finally discuss how you use cryptography in a world where a lot of people use it (or at least need it), but struggle to understand what they have and how they use it.
And about artificial intelligence, this year’s hot topic, I’d highlight three things. First, I don’t think it is going to take everyone’s job. Second, Copilot is phenomenal at doing documentation for code and unit tests, it just makes it easier. And third, if you can train GPT models on lots of documentation that people might find boring or complex, that could be very interesting.
7️⃣ What are your views regarding the future of the industry?
I am amazed about the power we have unlocked during the last years regarding how to make huge impacts with relatively low resources, maybe especially regarding media manipulation.
At the present time, individuals, entities, and governments can access data more easily and almost have an industrial approach to hacking in a way. Media hacks or misinformation at mass scale was an expensive endeavour not so long ago and now it is so much easier. This will bring (and in fact is already bringing) a lot of interesting new things happening in the intersection of cybersecurity and geopolitical stuff.
A few examples of this:
ISIS built a far-reaching manipulation of social media to spread Islamic State propaganda and exhort online followers to carry out attacks. As a result, key players in the war against terrorism like the U.S. ended up thinking that ISIS was way bigger and more influential than it really was.
A Chinese spy used LinkedIn to hunt UK secrets on an industrial scale for at least five years, targeting thousands of British officials.
Struggle to find clarity regarding the truth about what is happening in the Russia-Ukraine war in key contexts such as the fatal plane crash of Wagner’s Yevgeny Prigozhin.
8️⃣ What fact about cyber attacks surprised you the most?
Probably, the most surprising fact for me is how effective ransomware ends up being. The impact that it has had on the industry is so profound. It still surprises me today how a small group of people can make such an obscene amount of money through crime and escape any consequence - so lucrative and unknown.
The effort that criminal bands need to do for any given crime tends to be huge, however with ransomware it is easy to do crime at scale with relatively low effort. Also, everything kind of happens in the shadows. No one is seeing the big picture because when this happens, victims such as well-known companies end up paying in silence to avoid admitting they have been hacked.
9️⃣ Are we on an escalating global cyber cold war with targets such as the definition of truth?
Interesting and tricky question. I know some argue in this direction and I do not really want to comment too much on this, but I don’t think so.
To me, it looks like the history of mankind is always full of this type of conflict situations and lately some governments are starting to be more interested in using technology to shape narratives on a massive scale. But I’m not really into the cyber cold war scheme.
I believe it is more about needing a superior collaborative approach between tech communities and government policies to ensure proper security while at the same time being able to attract the best talent so we are as ready as possible to face any challenge that can come across.
Big thanks Daniel for sharing your views with us!
Big thanks to you, reader, for your time and interest!
If you enjoyed it, subscribe and we’ll be back with you. 🙏🏼