Daniela Cruzes, Lead Security Researcher in Visma, recently received two prestigious awards. Both play an important role in showcasing female role models in technology. She won the “DigIT woman of the year”, and was featured on “Norway’s top 50 leading women in tech” list.
Daniela has a long and impressive background in research and plays an essential role in Visma’s security team, providing us with a data-driven approach to implementing a security program.
We interviewed Daniela to learn more about her and her views on cyber security, her field of expertise within technology.
Tell us about your background?
I am a Professor in software engineering software security at the Norwegian University of Science and Technology (NTNU). I am also a Lead Security Researcher at Visma. Previously, I worked as a senior research scientist at SINTEF in Norway for eight years. I have also been a research fellow at the University of Maryland-USA and Fraunhofer Center for Experimental Software Engineering in Maryland-USA. I received my doctorate in experimental software engineering from the University of Campinas – UNICAMP in Brazil in 2007. And my master’s degree was in computer science. My research interests are empirical software engineering, research methods and theory development, synthesis of SE studies, software security, software testing in agile and DevOps software development.
Why did you choose cyber security?
In 2014 there was a need to focus more on security during development. Security breaches were happening all around us. Software systems have developed to the point that we use and depend upon them daily in the same way we depend upon traditional infrastructures and utilities. Still, measures to reduce the resulting vulnerabilities were not developed simultaneously. The fundamental way of solving the security problem is by building secure software, defending against exploitation from the earliest stages of development, with consistent maintenance of the “security-push” throughout the whole development life-cycle. The companies were not all prepared for this.
Today’s software development business requires high-speed software delivery from the development team. Agile software development has a significant impact on how software is developed worldwide, and Norway is leading the research in this area, where almost all software companies use agile methods. One crucial aspect was that agile teams are self-managed, and the approaches to security were not accounting for this when proposing how the teams could prioritise security in a good way.
We proposed a project named Science of Security in Agile (SoS-Agile), financed by the research council of Norway. We had interactions with many companies in Norway, and Visma was one of the main cases in this project. It was the beginning of the security program in Visma, and this case supported the research in an extensive way.
How can we attract more women to choose a tech career?
To be honest, I do not know for sure. But I believe that awards for women in IT are great for attracting more women to the field. Women are inspired by role models. When I see a successful woman in my field, I get inspired. I am inspired by the courage and determination that many women show. So maybe what we need is to be more visible and encourage more women to take roles in IT.
According to you, what are the future trends we’ll see within the field of cyber security?
The security research area is far from establishing a science of security comparable to the traditional sciences and even from other software engineering areas. The area lacks credible empirical evaluation, a split between industry practice and academic research, and many methods and method variants, with little understood and artificially magnified differences.
Empirical studies are a powerful approach to be used in security research. Evidence with data is a powerful tool for the improvement of security. And at Visma, we have been investing heavily to bridge this gap between research and practice. Exactly what we will focus on, we don’t know. But more and more, there is a need to have a whole-team approach to security. Everyone needs to know which parts they have to cover and work collaboratively for better security. That means that security knowledge has to be spread to everyone in the team. Of course, we will still need the specialists in security to do some specific activities and also support the work of the whole development team. Security will become a routine, and we will all be involved somehow with security work!
Learn more about how we work with cyber security at Visma