Episode 2: What Budget? with Alexandra Godoi
Hello, and welcome to the What the Hack is a CISO Anyway podcast. This podcast will help you in your journey to be a better CISO and cybersecurity leader altogether. It's supported by Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, your digital ambassador covering the intersection of tech, security, and policy, and the CEO at RS Strategy. In this week's episode, I'm talking to Alexandra Godoi, information security lead at Oxfam.
Rayna Stamboliyska: Welcome, Alexandra.
Alexandra Godoi: Hello, Rayna. Thank you so much for having me, and hello, everyone.
Rayna Stamboliyska: So, Alexandra's work involves specialist support for vulnerability management, incident management, and cybersecurity awareness. You know, all the fun things, but also building capacity and improving the security posture among staff and partners. So you've got quite the resume, but as every superhero does, you have an origin story. Right? So how did you get the cybersecurity bug?
Alexandra Godoi: It was by accident, almost. I've been working at Oxfam for about 5 years now. Initially, I started on their service desk, and I was there for a year and a half. And one day, I saw a job posting internally. And I went to the hiring manager at the time, who is now my manager, and I didn't know anything about cybersecurity.
Alexandra Godoi: I don't think I ever realized that it is a thing in itself and how big it is. So I just went in and I was like, oh, it's just a job. Let me see. So I went in and I asked him for us to have a conversation because, as I said, I didn't know too much about it. And we had a chat and I asked him, so what exactly is it that you want in the new hire?
Alexandra Godoi: What will they do? And my manager answered pretty much, well, you can make it whatever you want it to be, which wasn't very helpful. It still didn't answer my question of what cybersecurity is and what the role was. But I said, I will just apply and see how it goes. And it went well, or at least well enough, so I got the job.
Alexandra Godoi: So the initial role was senior information security analyst. That's when the biggest part of my role, or the introduction that you gave me, that's where I did the most chunks. So I've set up the basis of vulnerability management and incident management for this organization, and I've also taken on doing the training and awareness for staff. Right now, I've kind of moved on a bit into a more specialized role, and I'm doing governance, risk and compliance for the organization. But, yeah, that's pretty much it.
Alexandra Godoi: It's not a fantastic journey. I kind of stumbled upon it, and I loved it, and I stayed. And I will stay.
Rayna Stamboliyska: Well, I kind of beg to disagree. I find it super nice that you came up with it, like, you know, what's the worst thing that could happen if I ask about it? That someone tells me no?
Alexandra Godoi: Yes. You know?
Rayna Stamboliyska: But, yeah, I find it, you know, on the contrary, I find it very encouraging also for other people following up on our work here, because you shouldn't be afraid to ask. Yes. Absolutely. You know? Let's not diminish our achievements.
Alexandra Godoi: No. I think my origin story shows that you can just apply for the job and see how it goes. If you like it, amazing. If not, nothing bad will happen. It's not the end of the world.
Alexandra Godoi: I just so happened to enjoy it very much, so I stayed. But, yeah, I think anyone could just join in. It's pretty much like any other field as long as you look into it and you have some level of interest. That's pretty much all you need.
Rayna Stamboliyska: Right. So, you know, we're talking about superheroes here, and they have superpowers. So learning from past messes and successes is a superpower. So what lessons have you learned, perhaps the hard way, around delivering security when you are, as you are, in a purpose-driven organization?
Alexandra Godoi: Oh, I think there are a lot of mistakes, but good mistakes. Maybe I shouldn't call them mistakes. Learning opportunities would be better. I do want to say that I pretty much learned everything on the spot as I was doing the job. And that in itself was a very steep learning curve.
Alexandra Godoi: So I think being comfortable with the uncomfortable and realizing from the start that this is just a journey. It's a learning experience altogether. You don't have to get it perfect. Yes. There are high stakes, of course, as with every other company.
Alexandra Godoi: But being dedicated and driven and willing to make mistakes helps a lot. As you said, it's a value-driven company. Our aim is not to protect the company's assets necessarily. It goes a bit beyond that. Of course, it's our staff and colleagues, but they do operate in, let's say, environments with political instability or natural disasters. And their risk appetite or understanding of risk is quite different than someone who does an office job.
Alexandra Godoi: Not that I'm naming and shaming or anything. It's a completely different profile with a different set of people and personalities and what have you. And even beyond that, we're doing capacity building with the local partners in a country. And when I'm saying partners, what I mean is, imagine a small organization with 4 or 5 people. They do not necessarily have the capacity to invest in technology.
Alexandra Godoi: They absolutely don't have capacity to invest in cybersecurity. So we're coming in and helping them understand what the risks are and helping them train in certain situations on specifically what it is that they can do to protect themselves. So it's not just the technical controls that we're looking at implementing inside Oxfam. We're also trying to extend this to smaller organizations to make the entire ecosystem, almost, more safe. But, yeah, you do need a unique set of skills to work in an organization, in an international NGO.
Rayna Stamboliyska: Oh, yeah. I completely get what you mean. I mean, I came to cybersecurity because I used to work in international NGOs and realized cybersecurity was just not even an afterthought. Like, nobody even knew about it, which is particularly dangerous when you're dealing with people who are already at risk.
Alexandra Godoi: Mhmm.
Rayna Stamboliyska: Be it from their own position as human rights defenders or journalists, or from the, like, wider situation around them, like geopolitical instability, conflict, and so on. So, yeah, real challenge. But it gets me to an observation that cybersecurity is ultimately a discipline where people are the perimeter. Right? You said so yourself.
Rayna Stamboliyska: So let's, you know, talk about us, the ones who do, the ones who endure, the ones who decide or who execute. And we often hear, you know, cybersecurity leadership voices from the corporate world or people who are in positions with the government. Yet, we rarely hear from leaders like yourself who are with value- or purpose-driven, and even non-profit, organizations. So what is it like? What are the boundaries of your position?
Rayna Stamboliyska: How do you manage budgets? I guess that things haven't changed much in the past 10 years, and donor organizations are not big on funding cybersecurity. So, you know, how do you do that?
Alexandra Godoi: Well, you started with the right point. And then I wanted to say, first of all, what budget? Almost. So we absolutely do not afford the luxury of other companies, private companies that do invest quite heavily in their cybersecurity, which is absolutely great. But we're in a place where we have to really balance out what we are trying to do, what tools we are buying, what skills we are investing in.
Alexandra Godoi: And I think you almost become this jack of all trades, and you wear all the hats possible in any team. So in other organizations, or just by default if we are to take the entire domain of cybersecurity, you have different specialized teams that do very specific things. In this sector, a lot of times, you don't even necessarily have people that have dedicated cybersecurity training. They're just an IT person doing infrastructure management or service desk or whatever other role. And you also wear the hat of cybersecurity in this.
Alexandra Godoi: So I'm very fortunate to, first of all, have this role in the INGO. But also it's pretty much anything. I was trying to think, anytime someone asks me, so what do you do? My answer is, I think it's easier to tell you what I'm not doing and start from there. From my experience, it's really important to invest in the people that you're working with.
Alexandra Godoi: And I'm not necessarily meaning the cybersecurity team, but genuinely the colleagues. The ones that are in HR. The ones that are in the finance teams. The ones that are on the ground doing data collection for beneficiaries and project participants. The ones that are responding in a natural disaster or any other crisis.
Alexandra Godoi: Those are the people that are at the heart of the organization, and those are the ones that are being exposed to most of the risk. So spending time with them and helping them understand what are the risks that they're being exposed to and what measures they can take is what ultimately helps us. You can have all the tools in the world. You can have the best security measures implemented. You're doing annual pen testing and you patch everything on time.
Alexandra Godoi: It doesn't matter when your people are out in the field with really poor Internet connection, and they're still using USBs to transfer data because that's the only way to do their job. We have to imagine that they operate with no Internet, no electricity. They have to travel great, great distances. So what exactly are we trying to protect in that space when nothing that we've been taught usually works in those environments?
Rayna Stamboliyska: Yeah. I'm having images of past projects when listening to you. But it's interesting because, you know, how do you, well, I'm not going to ask you what you're not doing because, you know, unless you really want to tell us what you're not doing, which I think is pretty short in terms of bullet points. But, yeah, let's focus on the humans. So it's indeed a very wide spectrum of, you know, profiles and skill sets.
Rayna Stamboliyska: All the organization is basically your team. So how do you ensure that team builds those skills? How do you ensure that they are comfortable with the friction that this adds to their already quite friction-full day, you know, and line of work?
Alexandra Godoi: I'm not gonna say that this method is perfect. It's the method that I found to work for myself. You just have to make friends with everyone. What I mean by this is, you can write the policies. You can put the technical controls in on their laptops, on the network, and whatnot.
Alexandra Godoi: But I find it to be more efficient if you just sit down with them at some point and have a conversation, an honest conversation with them, and you really listen to them and their worries. And based on their perception of risk and danger, that's when you can come in and say, okay. So here are the things that we can do. You can also make friends with other key people in the organization. So our INGO has a global security team, the physical security team.
Alexandra Godoi: And we've recognized that in this lovely modern day, physical security and digital security are intertwined. And I've had meetings with them, and we've made some plans that if something happens that transcends the boundary of physical security, they would just get in touch with me, and I can have a meeting with these people and talk to them about the things that they can do. It really goes beyond just the technical skills. You have to just sit down and talk to people and help them understand that if they're doing what you're recommending, ultimately, they're not just gonna help the company. They're gonna actually help themselves and their families and their friends and whoever is close and dear to them.
Alexandra Godoi: Of course, all the other measures are important. I'm not saying no to that. But just sitting down with people and talking with them has been more effective. And the reason why I'm saying this is, again, let's say I'm doing training and awareness, and that's a big part of my role. I wrote the internal course that they have to take once a year.
Alexandra Godoi: I'm doing regular communications on phishing or what have you. You have to think about the fact that, again, we're talking about people that are on the ground having to deal with crises. They don't have time to sit an hour through a course. They won't assimilate that information to the level that we need them to. So making it very personal in their own setting has been more efficient at times.
Alexandra Godoi: So I think, from my experience, talking with people has been the greatest thing that we could do in terms of security.
Rayna Stamboliyska: Yeah. Nothing beats human interaction, especially when, you know, the threat models are personal and risk competence is personal.
Alexandra Godoi: Yeah. And if I may, it's a leitmotif now that humans are the weakest link in security. Right? I absolutely hate that concept. I do not agree with it at all.
Alexandra Godoi: I think it's a pretty lax attitude, and it kind of points to victim blaming a bit. Again, especially in our context, sure, we could find arguments for why they are the weakest link. But if you have that chat with the people that are on the ground, you'll realize that they don't have a choice but being, quote unquote, the weakest link. Putting pressure on them or putting the expectation onto them to make sure that they identify the phishing and that they're always updating their software and their OS updates and whatnot.
Alexandra Godoi: That's a very unfair power dynamic to have, and it's an unfair expectation. And we can go on a very long tangent on how the digital products are not necessarily designed to take, as you said, certain risks into account, and they're not taking certain threat actors into consideration. So if, from the get-go, the tool is not designed to account for different situations, putting the blame on, again, quote unquote, the user and making it so like this abstract concept of some dude sitting in a cushy office somewhere, and he is so bored that he clicked on a phishing link, that's just not realistic at all. Based on that, I think if we realize that the user is not that abstract concept, they're just actual real people, and you work with that in mind, you have a higher chance of getting through to them and designing better security controls based on their profile and what they're going through at that time.
Rayna Stamboliyska: Yeah. No. Very true. I mean, we could, you know, have a dedicated podcast about, you know, what the user is. But I have a lot of other questions.
Alexandra Godoi: Of course.
Rayna Stamboliyska: So we were talking and you were very adamant about helping people understand and so on. But I know that you yourself are not leaving yourself without training. So you are nearly finished with your master's. I think it's coming in October of this year.
Alexandra Godoi: Yeah.
Rayna Stamboliyska: So what has that helped you with, you know, and would you recommend the experience to others, you know, especially people who, well, are, you know, jacks of all trades and have a nonexistent list of things that they're not doing?
Alexandra Godoi: The master's, it set the basis of the knowledge that you need to have. For example, I did 3 months of cryptography. I thought that would be the worst course I'm doing. I thought that I wouldn't understand anything. It turned out to be one of the best courses that I've had, both in terms of the grades, because I surprised myself with how well I understood.
Alexandra Godoi: Obviously, it didn't go absolutely in-depth, but it offered me enough knowledge to feel confident in the decisions that I'm making and to identify quickly if there are any issues with the project or when we're evaluating vendors that would come in and connect to our systems. Doing that vendor assessment has been very useful, and for me, the master's offered me that basic knowledge that I need to make decisions. But I think the other advantage of the academic setting is that it's also constant debate, and you're asked to think about things from different perspectives. So even if you learn about the rules, you also learn how to apply these rules in different settings. And they're also taking a more humanist approach to it, and they do take into consideration a holistic approach to security.
Alexandra Godoi: So, again, it's not just the technical controls. It's about the people around them and the situations. So to me, that's been a great asset to have. I do not have any other certificates. In the interest of time, I thought that doing a full-time job and a master's is more than I can handle.
Alexandra Godoi: But the reason why I'm calling this out is because I don't have the experience to compare it and tell people, yes, you should do a master's as opposed to doing the certificate. It has its advantages. And for me, it absolutely prepared me to be a better professional and helped me make decisions more and more quickly. And it very much helped with my imposter syndrome because that was a thing at some point.
Rayna Stamboliyska: Yeah. That's a topic for, you know, a 4-hour discussion.
Alexandra Godoi: Of course.
Rayna Stamboliyska: This brings me to, sort of, the last part of our conversation. So far, we've talked about the past, about our roots, where we come from. We've talked about the present, what keeps us up late at night. And now I would like us to talk about the future. You know, this is why we get up in the morning, to see what comes next.
Rayna Stamboliyska: So, you know, so far, planning for things that you know might go wrong, this is about getting ahead of things. Hopefully, having some budget at some point, or at least having the trust of people who will do and will build with you. But how do you do, you know, planning for things that you don't know about? You know, this is about strategy. This is about anticipation.
Rayna Stamboliyska: This is about structure and experience that you can use to pivot. So what, according to you, is the risk that you think needs more attention, you know, for cybersecurity leaders? Or if we want to frame it in a slightly different way, is there, like, a black swan event that you could imagine would affect cybersecurity leaders and that they should consider? So the black swan event is explained as something that happens that is not anticipated at all, but that has a huge, like, significant negative impact on the system.
Alexandra Godoi: I mean, haven't we just gone through a black swan event that no one anticipated? The CrowdStrike incident that happened a few weeks ago. Luckily, we've not been affected by it. Otherwise, it would have been catastrophic. Not because we would necessarily have lost access, but it would have taken us months and months to have all, let's say, all the laptops back on the systems. Again, you have to imagine that we have offices all over the world with very poor Internet connection or no Internet connection at all.
Alexandra Godoi: So trying to send those assets back to fix them and then send them back to our staff. As I said, absolutely catastrophic. I was so relieved and happy. I felt really bad for our colleagues and other people that have gone through it. But even in cases like that, the reality is they will happen in the future. It's a matter of when, not if.
Alexandra Godoi: I'm gonna go a bit into disaster recovery and business continuity. Personally, I think that's the only thing that can help. Having plans with people, having plans with your leaders, and telling them about the necessity of doing that preparation in advance. Making sure that, not necessarily that you have all your ducks in order, but at least have a plan on paper. So when the crisis hits, you can go and reference that half-pager if that's necessary.
Alexandra Godoi: If that's all you have, that's a very good start. But at least it will give you a starting point, and it will help you be a bit more organized, and it will help you plan your next steps. Again, from experience, for us, crisis is pretty much the status quo. And I can give you an example. Like, a normal day would be: I'm starting in the morning, checking my emails and my messages, and I have planned to do a, b, and c. And all of a sudden, I'm being asked to join a meeting because, I don't know, let's say, again, the most recent example is there's a political situation in Bangladesh, and let's figure out how we can help people there, or Myanmar or South Sudan or any other country that we operate in.
Alexandra Godoi: They do have some level of instability. So in that case, handling the crisis, it's almost like my middle name at this point. It's what we're doing every day. That's again been the thing that has helped the most. Having just an idea of what you can do in that situation.
Alexandra Godoi: And of course, it's hard to think of them in advance, especially since you're always firefighting. There's always something happening. But even if you have, at least once a week with your colleagues, half an hour, just pick a subject, discuss it, throw in all the ideas, and just write them down. And from that point on, as I said, you don't need to do even much more than that, but just having an idea of what's your first point of action. I think that's what helped us respond to a lot of these crises and respond in an effective and timely manner.
Alexandra Godoi: Because otherwise, you're just running around like headless chickens trying to figure out, oh my god, who do I need to get in touch with? What do I need to do now? So, yeah, that's the only thing that I can say. Just have an idea. Write a half-pager on it and save it somewhere and call it, I don't know, worst case scenario 1 and worst case scenario 2, and you'll know what to pick up.
Rayna Stamboliyska: Yep. So in one word, what is the biggest hope, the biggest opportunity, if you wish, for the cybersecurity leader role over the next, say, 7 to 10 years?
Alexandra Godoi: Hope. We're living in really interesting times where things are changing very, very fast. And we also have the advent of AI that seems to be like this topic that, I don't think it will go away anytime soon. But stepping back for a second and looking beyond the latest fashion, if I can call it like that, and trying to think about what new things will come, because they won't stop. If it's not AI, it will be something else.
Alexandra Godoi: So I think there's a big opportunity for any professional to develop their forward thinking. And the reason why I'm saying this is I've mentioned AI, and it's the hot topic right now. But it's important for them to learn, but also take time to think a bit outside the box, if I can put it like that, in such a way that it doesn't really matter what you're presented with on any given day. But you have enough knowledge to at least guess some things and, again, prepare for them. I'm not sure how well that answers your question.
Alexandra Godoi: I've gone a bit too philosophical. But cyber, at times, it can get philosophical. As I said, I don't think it's just about the technical controls that we can implement. It's an industry and an area that, if nothing else, is defined by change. So being comfortable with change, being comfortable with being uncomfortable, being comfortable with making decisions is the opportunity here, both on a professional level and on a personal level.
Rayna Stamboliyska: Yeah. Thank you for this. I mean, there are no good or bad answers. Right? But, yeah, future-proofing whatever we do, especially when our mission, and it goes beyond the job, is protecting people.
Alexandra Godoi: Yes.
Rayna Stamboliyska: You know, it's, yeah. Forward thinking is a must. Taking the long view is a must as well. Name the easiest thing about being a cybersecurity leader in a purpose-driven nonprofit organization. The easiest.
Alexandra Godoi: Implementing technical controls.
Rayna Stamboliyska: Okay. What's the one thing you wish you had known when you started your career in cybersecurity?
Alexandra Godoi: I really wish somebody would have told me how fast it's changing and how much I need to be on top of pretty much everything. I am lucky that I've discovered this to be my passion as well. So it's really easy for me to take this even into my personal life. So I would start my morning with having my coffee and reading the cyber news, not the normal news. I don't know what's happening in the world, but I know what's happening in cyber.
Alexandra Godoi: However, I really wish somebody would have told me that this will kind of take over my life. I enjoy it very much. Don't get me wrong. But I think I'm becoming a bit more annoying to my friends, who always hear me talk about cyber.
Rayna Stamboliyska: Oh, I can relate. Last question is, you have one cybersecurity wish that can come true. What would that be?
Alexandra Godoi: I really wish that people would realize how important it is on a deeper level. And not just for personal reasons, or if nothing else, at least for personal reasons, but the INGO sector really needs support from everyone, from the big tech companies, from the government. We're struggling with the entire spectrum of threat actors at any given moment. Having a good structure or good legislative structure to be able to protect ourselves, that would be a good start.
Rayna Stamboliyska: Thank you. That was Alexandra Godoi sharing her experience and insights. I'd like to thank her for her time and for highlighting that protecting humans and organizations is also about being comfortable with the uncomfortable and developing forward thinking. That's all for this episode of What the Hack is a CISO, supported by Sysdig. I'm Rayna Stamboliyska, and I'll see you next time.