Do you have what it takes to become a Chief Scientist in the infosec industry?

Igor Baikalov, Chief Scientist at security analytics firm Securonix, is a trained scientist: he spent over 16 year working on various aspects of Structural Biology, developing new methods for determining the structure of basic building blocks of life: proteins, DNA, and their interactions.

“A lot of this work had to do with processing and interpreting massive amounts of data and writing tons of code to do that – something I realized I was pretty good at and enjoyed immensely,” he shared with Help Net Security.

Next he jumped into the fray of the dot-com craze and he became a software developer. After the bust, he joined the ranks of enterprise software developers. Then, as the explosion of globally accessible web applications made security paramount, his next career move was straightforward: he moved from writing applications to infosec, to work on application security.

For the next ten years, he covered pretty much every security domain, and ultimately headed the infosec Research & Development group at Bank of America – a role that gave him a unique perspective on the digital complexity of large enterprise, and on how much data enterprises have and how little information they can glean from it.

He also realized that, even at the cutting edge of cybersecurity, the available tools were inadequate to change this situation.

“All my experience from academic research to programming to cybersecurity made me firmly believe that computers can and should augment our abilities as humans to comprehend, navigate and positively affect digital universe. I wanted to teach machines how to extract intelligent information from raw data, learn from it, and present results in an efficient and human-friendly way. Cybersecurity was in desperate need of such capabilities, and that’s why I joined Securonix,” he noted.

What a Chief Scientist should be and have

Baikalov was fortunate to accumulate the “essential ingredients” for the Chief Scientist role during his earlier career: he has a good understanding and deep appreciation of the scientific method from academia, a broad knowledge of information security challenges and innovative solutions from his R&D work at the bank, and a hands-on experience in transforming ideas from the back of the napkin into a product.

“While it is not a must-have requirement for the role, I consider application development experience a big plus, as it allows me to focus company’s efforts on actionable insights instead of chasing unrealistic expectations. I see a significant synergy between information security and application development: to protect systems, one has to know how they are built, and to build secure systems, one has to know how they can be broken,” he pointed out.

The fact that he has a good track record when it comes to creating and protecting intellectual property – out of the 12 patents he applied for, 9 have been granted so far – was also a definite plus for him.

Above all, the role of Chief Scientist role demands curiosity

Baikalov advises those aspiring to fulfil the role one day to stay inquisitive (both on and off the clock) and to try to understand the reason behind every phenomenon.

“Keeping an open mind and engaging in critical thinking is very important. For a scientist, there’s nothing more dangerous than entrenched and unacknowledged bias, so be honest with yourself,” he counsels.

Another necessary skill is the ability to maintain strategic direction in the face of tactical challenges and market pressures.

“Innovation is expensive and time-consuming, and cannot be performed on demand. You have to have a portfolio of actionable ideas well in advance, each supporting your strategic goal and ready to be productized whenever the opportunity arises. That, in turn, requires significant multitasking capacity: the ability to juggle a multitude of projects in various stages of completion, from ideation to experimentation to prototyping to handoff,” he explains.

A Chief Scientist also has to be able to manage risk. Baikalov doesn’t subscribe to the notion that a successful innovation program has to have over 90% failure rate, but he says that it has to be managed to constantly produce results while maintaining a competitive edge.

Throughout his professional life, Baikalov also tried to follow the advice of a scientist friend who said that, to stay sharp, one should change his or her field every five years or so.

“Finding interesting joints between loosely related fields can greatly amplify your creative power. As an example, I found it extremely satisfying when in my recent work on phishing detection I could successfully apply a bioinformatics algorithm that I first used some thirty years ago,” he added.

Hopes for the future and advice for infosec professionals

While there’s talk about AI-driven attacks, self-healing networks, and data exfiltration through quantum entanglement, Baikalov says he’d most like to see three fundamental advances in securing users, resources and data:

• Real soon: Expanding support and rollout of password-less authentication based on the WebAuthn specification by W3C and FIDO Alliance.
• Hopefully soon: Broad adoption of network micro-segmentation with embedded analytics to support a zero-trust model.
• Eventually: Transforming “dumb” data into “smart” data by wrapping a chunk of it into protective container that carries additional metadata (ownership info, encryption key, etc.).

But, in the meantime, security professionals should not underestimate the most important and timeless lessons in information security: defense in depth and cyber hygiene.

“No one security control is perfect and layered defense is not only effective, but also cost-efficient way to stop even the most determined attackers. Cyber hygiene is simply return to basics: last year, 90% of the organizations were attacked with at least three years old vulnerabilities,” he says.

“So, before you start worrying about nation-state hacking your air-gapped computers using drone-mounted ultrasonic transmitters, take care of the basics: know your assets, patch your systems, clean up access privileges, prioritize risk and you’ll sleep a lot better at night.”