Hi, Alina! Can you please share a little bit about your background and what your career has looked like until now?
I have a bachelor’s degree in computer science and a master’s degree in component-based programming. During my university studies, I joined an European student programme where I did on-site training at an foreign company, developing ERP software components.
After graduating, I worked with software development for different companies before joining Visma. I have been working with Microsoft technologies most of my career; in the beginning I developed software in the .Net framework, and later on I deployed services to Microsoft Azure cloud.
In 2009 I started working as a software developer at Visma’s Timișoara office. At the time, there weren’t nearly as many people working at Visma as there are now. During those early years, I transitioned from software development to software architecture, and recently I moved on to software security.
What does your current role as a Lead Security Architect entail?
I assess the security posture of Visma products by getting to know each development team and understanding how they’ve built their software, and what security measures they have taken or should have taken. Sometimes we need to exemplify how to implement a specific security measure.
I’m part of a team that does a lot of threat analysis for these applications, and we try to uncover scenarios where the expected regular application flows could be disrupted and exploited in any way. My job is to help other teams secure their applications, data, cloud workloads, and delivery pipelines and avoid potential cybersecurity risks. For me, there’s usually a combination of reviewing security and doing software development-related activities each day.
Working with all these different teams, we’ve tried to establish a common guidance that applies to the majority of them. A security framework, if you will. We’re always on the lookout for new trends and what type of exploits are on the rise. We adjust our guidance based on what we find to ensure that none of our products are easily exploitable.
Do you work with all Visma companies, or are there specific companies that you mainly work with?
We work with all Visma companies, from any market, that create products. Right now there are over 700 applications that we know of, but many new companies join Visma each year and these usually come with plenty of new products.
So, our security framework constantly needs adaptation to accommodate such a large number of products and the specifics of their technologies. We want to make sure that our designed processes empower the development teams to make the best security decision for their applications, and allow them to have ownership over the security decisions that impact their products.
When you’re having these conversations, are the companies typically open to having your team come in and do these deep dives?
Yes. Recently acquired companies are typically very eager and open-minded because Visma’s processes and ways of working are new to them. In initial meetings, there’s never any judgement, but rather questioning and challenging current ways of working. Our aim is to understand their thought process and get ahead of any potential scenarios that could be unsafe.
So, usually, these teams will say things like “no one has explained this to us in the way that you have”. We come from the outside looking in, and we want to know: “How is this done? Have you thought of doing this the other way around?” Things like that. They obviously know their own products better than we do, but these reviews usually help us gain an even deeper understanding of potential risks. It’s a learning opportunity for both parties.
It’s a really nice feeling when someone tells you that you’ve contributed to opening their eyes to new perspectives on addressing cybersecurity risks.
It’s always valuable to have an outside perspective. Especially in software development where things are ever-changing. Everyone can take things for granted every now and then. It’s easy to fall into a routine of doing tasks in the same manner simply because it’s the way you’ve always done it. So, when someone outside of the team enters and questions things, it encourages you to think beyond conventional boundaries.
How would you describe your journey with Visma since you joined us over a decade ago?
I’ve met a lot of bright people that I admire and that have helped so much. Visma is a company where one can evolve and actively pursue new opportunities. Working for such a large organisation you get to experiment with so many different things.
I’ve gotten to do research, training reviewers and acquire different certifications. So, overall, I think I’ve done all the things that any software developer would dream of – from coding, to doing architectures, to conducting my own research, to teaching others, and now working at the Group level of Visma.
What do you think is crucial for staying happy at a workplace for a longer period of time?
Having mentors you can learn from is crucial, and we’re fortunate to have so many talented colleagues at Visma. I’ve been lucky to work with extraordinary people who have generously shared their knowledge with me. Personally, I believe that continuous learning motivates you to stay, combined with a good work-life balance. If you cannot effectively manage your time and energy between professional responsibilities and personal activities, I think you’re not going to be happy with your workplace. I feel lucky in that regard – I still enjoy coming to work every day.
Security is a very dynamic field with new challenges constantly unveiling themselves. What parts of working with security do you find most intriguing?
I find it intriguing that there isn’t any golden rule that one should follow and that can guarantee that your system is secure. It’s a combination of security practices together with a constant focus on resilience. The digital landscape is always changing, and so are the threats related to it. Threat actors are always a few steps ahead, and with the rise of AI they have even more weapons at their disposal.
So, even if you think you have good security protections in place, threat actors are constantly working to find new ways of breaking it. Think of it as a house that has doors with locks, windows with curtains, a roof with a chimney. Each of these is an attack surface and potential entryway that needs to be protected. And even if you do secure them, the mailman can always come and leave you a phishing envelope with a damaging surprise. These risks are evolving so rapidly that keeping up with them is a full-time effort all on its own.
There’s a balance between usability and security, and product owners sometimes lean towards usability – at the expense of security. This is why we need to support and inform the teams so that they can maintain a good balance between the two.
And what about working with security do you find most rewarding?
My focus doesn’t really lie on reacting to a specific event – let’s say, someone accessing unauthorised data – but rather to anticipate it and prevent it from happening. It’s about predicting potential risks, which is a key component of the security review I’m doing.
So, when it comes to what I find most rewarding, it’s mostly the discussions I have with the teams and witnessing them having that lightbulb moment when they go, “oh, I haven’t thought of this before”. That’s when I know that my work – explaining and exemplifying – has really hit home. We’re talking about potential problems that may or may not happen if we didn’t anticipate them and fix things. It’s more on the preventive side of security.
It’s different from the security operations team that responds when an attack is already in progress. We try to be one step ahead of that. Our job is to make sure that those attacks never even get a chance to happen. Being proactive is a really big part of what I do, and when that proactivity positively impacts others is when I feel the most rewarded.
What are some current topics of concern in your work?
A big topic of concern in security right now is how AI impacts our field of work. Now, we can tell an AI tool to write code for us. But how secure is that code? Do we have the correct measures in place to verify it? The whole software development life cycle is affected by the increased use of AI tools, and by the new data and machine learning (ML) model engineering practices.
The threat landscape has definitely expanded. It doesn’t start with the developer writing code that’s pushed into production and monitored by operations. Before this stage, there’s a data engineer that prepares data, trains an ML model, or uses an existing one. This is the model the developer will use to build an application. So, as security professionals, we need to adapt our measures to protect the AI pipeline as well.
Have you taken part in any hackathons or the bug bounty program at Visma?
Yes. When the Visma Security Program (VSP) was taking shape, I was a part of one of the development teams. They had organised a security event in our office and prepared a vulnerable application for us to test. We were supposed to break into that application and find as many vulnerabilities as we could. Every time you found a new clue you were rewarded with a chocolate coin. It was a really fun way to compete.
By getting all new Visma companies aboard the VSP, we make sure that each and every one of them gets the attention they deserve and the tools they need. That means securing all of their products.
We also had internal cyber security war game simulations that were a lot of fun. You’re either part of the red or the blue team, trying to either attack or defend a given application. You see how attackers are progressing and infiltrating into the application, and then you retaliate. This was a great way of putting yourself in the shoes of an attacker to see how they’d exploit the given application.
What advice do you have for others looking to get into the field of security?
Depending on what you’re interested in, there are so many different paths you can take – whether it’s application security testing, monitoring and triaging security events, doing red/blue team activities, or working with the security design and architecture. There’s an abundance of possibilities out there. You should explore as many as you can to find out what suits you the best.
Learn as much as you can and take courses on, for example, security testing of an application. You can opt for free courses, free training platforms, and join online security testing events. You can even experiment with using AI tools for doing detection and classification of security findings. Like I’ve said, the security field is ever-evolving, so you’ll never stop learning new things.
It’s very valuable to have an analytical mindset. Question everything and seek verification. If someone says “go left”, you should always question why the path is going left and not right, up, or down. Never take things for granted, be attentive to details, seek solutions to any potential problem, and most importantly, be a trustworthy and honest person.