Secret CSO: Dimitrios Stergiou, Trustly

Name: Dimitrios Stergiou

Organisation: Trustly

Job title: Chief Information Security Officer

Date started current role: August 2018

Location: Stockholm, Sweden

Dimitrios Stergiou is currently Group Chief Information Security Officer for Trustly AB. He is an experienced senior Information security and Risk professional with over 20 years' experience in Risk Management, Privacy, and Information security. Before joining Trustly AB, Stergiou held positions at Modern Times Group, NetEnt, Entraction, Innova S.A and Intracom S.A.

What was your first job? My first job was working as a sysadmin (and all around "technology guy") for an internet cafe in Athens. My particular highlight was teaching people how to use the internet.  

How did you get involved in cybersecurity? I was heavily influenced by movies such as Wargames and Hackers. During that time, I was lucky enough to meet a bunch of people playing with Linux which introduced me to the world of system administration and security. Back then the main goal was to "mess" with your friends' Linux systems, but eventually I realised that I loved building as much as breaking and decided to build my career around security.

What was your education? Do you hold any certifications? What are they? I have a BSc in Computer Science from the University of Portsmouth, UK and an MSc in Information Security from the University of Lulea, Sweden. Currently I am also in the process of graduating from an MBA programme from the University of Blekinge, Sweden.

When it comes to certifications, I hold: CISSP, CISA, CISM, CRISC, CIPP/E, CIPM and ISO 27001 LI.

Explain your career path. Did you take any detours? If so, discuss. No detours for me. I fell in love with security as soon as I encountered it and I am still in love with the field. My first paying job was as a sysadmin for an internet cafe. From there, I transitioned to a sysadmin/netadmin role for a small ISP. Then, I landed at Intracom, one of the biggest technology companies in Greece, where I worked a split sysadmin/security admin role for over six years before transitioning into a security consultant role. For the last 10 years I have been working as an in-house CISO at multiple companies including Modern Times Group, NetEnt, Entraction and finally Trustly.

Was there anyone who has inspired or mentored you in your career? Absolutely: "No man is an island". I have been inspired and helped by a number of people throughout my career. I will not mention any of the "famous" practitioners, but I would like to pay tribute to three people who taught me skills and leadership: Takis Samanis, Notis Iliopoulos and Nikos Varzakakos. Takis introduced me to Linux and the pains of securing it back in the 90s, Notis helped me transition from "technical security" to "information security", and Nikos chose me for my first CISO role when I moved to Sweden.

What do you feel is the most important aspect of your job? Embedding security into all functions of the organisation. I don't believe in large security departments which provide bolt-on security after developments or operations are complete. Instead, I believe every department should assume their respective security responsibilities and own the security of their deliverables. The result of this approach, and the biggest challenge, is to convince all functions (from senior management to the junior developers) that security is their responsibility as well. They should see the CISO as a trusted consultant, not the security police. The way to succeed is to be by their side, help them with facts and dates to make educated decisions and acknowledge that security might not be top-of-mind for everyone.

What metrics or KPIs do you use to measure security effectiveness? We use a combination of technical and administrative KPIs to ensure that our security posture improves, some of which are: adherence to the security policy and standards, time of response for security incidents, time to remediate known vulnerabilities, training and awareness completion rate, to name a few. There are also some "softer" metrics used. For example, the number of due diligence audits the organisation passes without any findings.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Sweden, Stockholm in particular, has exploded as a start-up/technology hub and it is becoming increasingly difficult to find the right competencies among potential candidates. It's even harder when it comes to security because you need people who have an operational background to understand systems and networks, a development background to understand code, and social skills to be able to sell the security requirements within the organisation.

The most difficult roles to fill are usually cloud service or platform roles. Given these services are quite new and ever changing, it's challenging to find knowledgeable people who also fit in well with the team.

Cybersecurity is constantly changing - how do you keep learning? I use three broad categories of sources: Peers, online media and conferences. Looking to my peers helps me understand how other practitioners handle a specific case, what works and what doesn't, in a pragmatic way. Online media is a vast resource on its own, ranging from Twitter, Facebook and LinkedIn to Github and Reddit. On the other hand, conferences provide a mix of knowledge acquisition, as well as providing an opportunity to meet with peers and discuss new original research.

What conferences are on your must-attend list? The must-attends for me are the OWASP conferences, since I have an interest in the AppSec world, and appreciate the OWASP community. Occasionally I attend BlackHat/Defcon but I tend to prefer smaller, local conferences, as they provide the opportunity to compare practices with peers in the same "area" as I operate in.

What is the best current trend in cybersecurity? The worst? With the introduction of GDPR, privacy has become a core issue within all European organisations. This inherently has had the same effect on security. Although GDPR and privacy are not usually a CISO-driven activity, CISOs can use the GDPR framework to establish security controls that were previously considered "unneeded".

In my view, the worst trend is the use of buzzwords by security vendors. Terms like Artificial Intelligence, Machine Learning and APT are thrown around and draw the focus away from what the product can actually do for the organisation.

What's the best career advice you ever received? Users don't purposefully try to do the wrong thing. Users do the wrong thing because they are either not aware, or the wrong thing is easier to do than the right thing. Your job is to provide users with an easy and secure way to do things.

What advice would you give to aspiring security leaders? Whatever role you choose within the security field, remember security is there to serve the organisation and its business needs. You don't "do security" for the sake of security, you do it because the business needs to safeguard its existing business opportunities and, hopefully, acquire more. Sometimes things will not make sense, and management will not take your advice, but your job is not to have the final say - your job is to help management take educated risks.

What has been your greatest career achievement? Security people tend to have the negative reputation of being the "no people". I have always tried to be more of a "yes, but let's…" security person and I think my greatest achievement is that my colleagues refer to my functions positively and with terms like "agile" and "service-minded". To pinpoint a specific example, my greatest achievement is turning the function within an organisation that chases other people into one chased by other people because they want security involved in their projects.

Looking back with 20:20 hindsight, what would you have done differently? I grew up in Greece and moved to Sweden approximately 10 years ago. The opportunities and knowledge that exists in my field in Sweden is something I would have never expected or dreamt of. Looking back, I should have moved out of Greece a lot sooner!

What is your favourite quote? Socrates: "γηράσκω δ' αἰεὶ πολλὰ διδασκόμενος." (As long as I live, I learn).

What are you reading now? I am reading Tribe of Hackers by Marcus J Carey. It's a compilation of thoughts, interviews and essays from 70 security practitioners, and although I haven't finished it yet, it is fascinating.

In my spare time, I like to… Spend as much time as possible with my 11-year-old. Thankfully we both like video games and the same genre of movies, so that makes me a "cool dad".

Most people don't know that I… Have been playing World of Warcraft for the past 14 years, and although I am not enjoying the game that much anymore, I stay for the group of friends that I made throughout the years.

Ask me to do anything but… Use my Social Engineering training for evil - unless I have to use it to convince my young one that broccoli is better than burgers!
