Date: 2025-11-10

In this edition of Cyber Frontlines, meet Marco Simioni, Executive Advisor for IBM X-Force Cyber Range. Marco is a seasoned expert in cybersecurity, specializing in the design and delivery of immersive Cyber Crisis Simulations for executive leadership, as well as technical response teams worldwide. He also provides strategic guidance to clients in assessing and developing comprehensive Cyber Crisis Management Plans and Playbooks. Holding a PhD in Digital Investigations and the distinguished title of Master Inventor, Marco brings a unique blend of academic rigor and innovative expertise to his work.
As an Executive Advisor with the IBM X-Force Cyber Range team, I specialize in designing and delivering immersive Cyber Crisis Simulations that empower clients to enhance their crisis response capabilities and resilience. I have had the privilege of serving as a member of the X-Force team for three years, building on a foundation of seven years of experience between IBM Research and IBM Software, totaling a decade of service with IBM.
I’ve always been curious about how things work, and that curiosity is what got me into security research and hacking. I started coding at a really young age. I wrote my first lines of BASIC code when I was just four or five years old, and moved on to C by the time I was seven. From there, I was hooked. I loved building software and systems, but I also loved trying to figure out how to break them. For me, it’s all about understanding how things work and solving tough challenges. That’s what keeps me motivated and driven to this day.
My security research focus is pretty straightforward—I dive into topics that I think are crucial for C-Suites and Executives to know about. Right now, I’m really interested in exploring the intersection of AI and security, particularly when it comes to DeepFakes. I think it’s an area that’s often overlooked, but has the potential to be a huge threat to organizations. I’m talking about things like AI-generated phishing emails, fake audio or video recordings and other types of synthetic media that can be used to deceive or manipulate people. My goal is to raise awareness about these threats and help organizations understand how to protect themselves against them.
One of the highlights was being named a Master Inventor in 2022 by IBM, which was a huge honor. This award recognized the value I’ve been able to bring to IBM’s portfolio, as well as my ongoing commitment to innovation and leadership. I’ve also had some success in academic circles. Back in 2021, while I was working on my PhD, I won the Best Student Paper award at the Digital Forensic Research Workshop (DFRWS) APAC for my work. It was a great validation of my research and a wonderful way to cap off my studies.
I’m a total tinkerer at heart, and I love hacking code together to see what’s possible. Right now, I’m really fascinated by the latest advancements in AI and machine learning, so I’m spending a lot of time experimenting with speech-to-text recognition, text-to-speech, large language models (LLMs) and generative AI (gen AI). I’m also playing around with video and image generation tools, which is an area that’s rapidly evolving and has some really interesting implications for security. In the past, I used to be really into exploring anonymity networks like TOR and I2P. I found it fascinating to learn how they work, and of course, to try and figure out how to break them (all in the name of improving security, of course!)
I’ve got a lot of respect for several security experts and hackers who consistently share valuable insights and knowledge. Some of my favorites include Bruce Schneier, who always seems to cut through the noise and offer a nuanced perspective on the latest security issues. I’m also a big fan of Jack Rhysider—his work on the Darknet Diaries podcast is always informative and entertaining. And of course, Brian Krebs is another must-follow. His reporting on the cyber crime world is always thorough and thought-provoking. I love to stay up-to-date on the latest developments in the security space thanks to them.
If I had to recommend just one cybersecurity resource that all security professionals should follow, it would be the Risky Biz podcast. I think Patrick Gray and his team do an amazing job of breaking down complex security topics into easy-to-understand insights, and their interviews with industry experts are always informative and engaging. Whether you’re a seasoned pro or just starting out in the field, Risky Biz is a great way to stay up-to-date on the latest security news and trends.
Hands down, my favorite security conference has now become DEF CON. In full disclosure, DEF CON 32 was my first ever time at the con, and there was just something about the energy and vibe of the conference that made it stand out from the rest. I loved the mix of technical talks, hands-on workshops and social events that brought together some of the brightest minds in the security community. A highlight for me was spending time at the Social Engineering village, which is run by our Cyber Range Lead, Stephanie (Snow)—it was a fantastic experience. The sheer scale and diversity of the attendees made it an amazing opportunity to learn from others, share knowledge and get inspired by the latest developments in the field. Whether you’re a seasoned security pro or just starting out, DEF CON has something for everyone, and I left feeling motivated and energized.
“Expect the unexpected” is a mindset that’s essential in today’s fast-moving security landscape. Bad things will happen, but by being proactive and preparing for the unexpected, organizations can minimize the damage and reduce the financial and reputational hit. The key is to have a solid foundation for incident response and crisis management in place, including clear protocols and procedures that employees are trained to follow. My team’s approach is built around the motto “train like you fight”, which means training employees in a realistic and immersive way, so they’re prepared to respond to real-world incidents with confidence and precision. By building this foundation and training people to respond quickly and effectively, businesses can reduce the impact of unexpected events and keep things running smoothly, even when things go wrong. It’s all about being prepared, so when the unexpected happens, you can respond quickly and get back to business as usual.
If you’re looking to start a career in cybersecurity, my advice would be to follow your passion and interests. 10 years ago, I would have recommended starting with development, as understanding how things are built is crucial to understanding how to break them. However, the field of computer engineering has evolved significantly since then, and the rapid advancements in AI and gen AI have created numerous entry points. Whether you’re fascinated by networking, development or AI, there’s a place for you in cybersecurity. The key is to have a security researcher and hacker mindset—be curious, be creative and be willing to learn and experiment. If you enjoy what you do, you’ll not only have fun, but you’ll also bring significant value to the field. So, don’t be afraid to explore different areas and find what resonates with you. With dedication and passion, you can build a rewarding and challenging career in cybersecurity.
As we look ahead to 2025 and beyond, I’m closely watching the potential threat vectors related to Deepfakes and AI. The rapid advancements in artificial intelligence and machine learning are creating new opportunities for attackers to leverage these technologies to launch sophisticated and convincing attacks. Deepfakes, in particular, pose a significant threat, as they can be used to create highly realistic and deceptive audio, video and image content that can be used to manipulate individuals, influence public opinion or even impersonate high-profile individuals. As AI-generated content becomes increasingly indistinguishable from reality, I expect to see a rise in AI-powered social engineering attacks, phishing campaigns and disinformation operations. It’s essential for organizations and individuals to stay vigilant and develop strategies to detect and mitigate these types of threats, as they have the potential to cause significant harm to reputation, finances and national security.