By Tal Folkman, security researcher at Checkmarx
Tal Folkman, a senior malware searcher and cybersecurity expert at Checkmarx, has nearly eight years of experience and excels in detecting and analysing malicious code in open-source software supply chains. She previously led the IDF’s Cybersecurity Red Team for five years, gaining expertise in offensive and defensive cyber operations. Her diverse background in computer science and unwavering dedication to combating software supply chain attackers make her an invaluable asset in ensuring the safety and security of the digital landscape.
I have worked as a Security Researcher for nearly eight years, the last two within Checkmarx’ Supply Chain Security research group. Before joining Checkmarx, I had the honour of leading a red team within an elite unit of the Israel Defence Forces.
My military service provided me with invaluable insights into the offensive and defensive dynamics of cyberattacks. Adding to my professional standing, I hold a B.Sc. in Computer Science.
One of my core objectives is to inspire a broader spectrum of people to venture into the cybersecurity field, with a special emphasis on encouraging women to pursue their ambitions. I’m a firm believer in the potential of many women to excel in roles traditionally deemed ‘male-oriented’. Furthermore, I am a staunch advocate for merit-based recruitment, believing that professional capabilities, not gender, should determine career prospects.
What is a security researcher? What are your main responsibilities and tasks?
Security researchers embody the role of seasoned computer specialists, applying their comprehensive technical knowledge to uncover vulnerabilities and scrutinise potential threats to enhance an organisation’s cybersecurity defences. My affiliation is with a software supply chain security research team, our principal objective being the identification of malicious threat actors and the harmful open-source code packages and techniques that seek to compromise the cybersecurity of unsuspecting individuals.
Can you describe a typical day in your role?
The dynamism of my role means that no two days are exactly alike. My daily operations encompass a spectrum of tasks, but the focal point remains the detection of system vulnerabilities and active threat hunting—a strategic approach to seeking out potential cyber threat actors. I employ an array of sophisticated tools to facilitate this process, ensuring that we remain one step ahead of any potential threats.
Adversaries are continually innovating ways to inflict damage, so it’s imperative for security researchers like myself to be proactive. My overarching mission is to stay at the forefront of these developments, discovering robust methods to safeguard the company against any imminent cyber threats.
What are some of the most rewarding and challenging aspects of your daily role?
Undeniably, the most rewarding aspect of my role lies in the successful prevention of an attack. I feel so good knowing that I have helped save companies and people from malware attacks.
Cybersecurity is notoriously technical and fast-paced. This complexity often translates into extended working hours, which can be challenging. We, as security researchers, serve as the crucial protective barrier between users and threat actors—a role that can be both demanding and challenging. Our working hours are not rigidly defined, and with various countries operating in disparate time zones, it can be a struggle to keep up at times.
How did you become interested in the field of cybersecurity and what inspired you to pursue a career as a security researcher?
My fascination with computers took root when I was a little girl. I have never really followed societal gender norms and believed in doing what I want to do.
When I was 16, we had a summer camp organised by the Israeli army that focussed on technology and cybersecurity. That is where my professional interests were ignited. The invaluable insights I gained into potential career avenues during this camp proved instrumental in shaping my future career trajectory. Within a year, I was fortunate to secure a role that I had aspired to, providing me with a robust start in the field. The knowledge and experience I garnered during that time were immeasurably enriching.
What advice would you give to women who are interested in pursuing a career in cyber security?
One of the crucial requirements for pursuing a career in cybersecurity is an innate interest in the field, paired with an eagerness to continually research, develop, and refine your skills. There’s an array of conferences you can attend to deepen your understanding of the discipline, and numerous free courses offer excellent introductions.
Moreover, I firmly believe that genuine passion for your work is pivotal to excelling in your role. While financial remuneration can serve as a motivator, it ultimately boils down to enjoying what you do. If you don’t derive satisfaction from your job, it becomes increasingly difficult to make sacrifices and efficiently navigate the challenges that come your way. The occasional long hours can seem daunting if you don’t enjoy your work. Therefore, while having relevant skills is essential, it’s your love for the field that will fuel your persistence. Open-mindedness and problem-solving abilities are important qualities that will naturally follow if you genuinely enjoy your role.
What specific skills are essential for a security researcher?
Creative thinking is paramount in this role, as is the ability to learn quickly, demonstrate independence, and collaborate effectively within a team. Communication skills are also vital, as they enable you to engage with other researchers and to understand their approach to a task. Perseverance in the face of adversity and maintaining motivation are key—believing in the potential of a positive outcome even when circumstances seem unfavourable. Above all, motivation and excellent research skills are the bedrock upon which a successful security researcher’s career is built.
If you’re motivated, you can overcome any hurdle, maintaining positivity whilst finding ways to turn possibilities into reality.
Which projects or achievements are you particularly proud of in your career?
Over the years, I’ve had the privilege of contributing to numerous noteworthy projects. Within Checkmarx, certain initiatives particularly stand out, such as our endeavours to uncover malicious packages and the full extent of their origins and implications.
Roughly a year ago, I came across an intriguing find which required several months of research. I unearthed the operations of a sizeable Brazilian group known as LofyGang. This group had uploaded countless packages, stealing login credentials from thousands of users. Bringing their operations to a halt was indeed a significant achievement.
The group’s activities weren’t restricted to merely uploading malicious software; they also enticed individuals on their Discord channel to download infected software. The downloaded applications and programs are designed to pilfer data from users’ computers.
What are the most critical challenges faced in recruiting the next generation of professionals into the industry?
The dynamic nature of cybersecurity necessitates continuous learning. It’s critical to provide training to bridge the gap between basic knowledge and the expertise required to handle specific issues.
The skills gap, in my opinion, represents the most significant obstacle. Individuals must dedicate time to stay abreast of the latest updates and developments, delving into the details to enhance their competencies. This can be daunting, but it is absolutely crucial.
Furthermore, the tech industry has undergone a paradigm shift regarding diversity. Women are increasingly becoming a common sight in what was once a male-dominated field. The past perception of women venturing into a “man’s world” has been significantly diluted, which is quite refreshing. Many women excel at roles traditionally considered ‘male-oriented’, and I firmly believe recruitment should be based on merit rather than gender. Some industry gatherings, such as AppSec Village events that occur within larger conferences like Black Hat, RSA, and DEFCON, omit all gender-identifying information from session submissions, ensuring everyone is provided with an equal opportunity. I find such initiatives highly commendable.