Featured CyberDefendHER: João @ Lead Threat Investigator within our PSIRT

Who are you and what is your work focus?

My name is João Collier de Mendonça (João is Portuguese for John/Johannes), and I work at Siemens Healthineers AG as a Lead Threat Investigator within our PSIRT (Product Security Incident Response Team).

In my current position, I investigate cybersecurity incidents affecting healthcare institutions and medical devices. My work combines cyber incident analysis, digital forensics, and threat investigation to support sustainable recovery, meet regulatory obligations, and, most importantly, help prevent similar incidents from happening again.

How did you get into cybersecurity? / What excites you most about working in Cybersecurity?

I got into cybersecurity from the network and IT infrastructure side of things. During my bachelor’s studies, I had a side job managing the IT infrastructure of small companies, including network and firewall administration.

At that time (early 2000s), most SMEs in the northeast of Brazil had just started digitizing their processes, and IT security often meant keeping antivirus up to date and reducing the attack surface. Together with a friend, we used a hardened Slackware Linux system with some custom firewall rules to get the (1337) job done :).

From the very beginning, I found the cat-and-mouse nature of cybersecurity really exciting. Curiosity also played a role, as I was always interested in understanding how systems worked and how they could be used in ways they were not originally intended to be used.

In most of my positions, I’ve had to deal with urgent issues, typically incident response cases or investigation requests that require immediate attention. That kind of work requires the ability to handle uncertainty well. While planning and exercises are essential for any response function, the ability to adapt and to work with the resources you have at hand is an invaluable asset. Even after years in this field, I still feel thrilled when starting a new case, investigating a new threat, or facing a new challenge.

What inspired you to join CyberDefendHERs?

When people with different backgrounds and perspectives work toward shared goals, the resulting solutions are usually stronger and more resilient.

CyberDefendHERs addresses a real structural weakness in the field by broadening participation and perspectives. More inclusive discussions lead to better decisions by reducing bias and groupthink. Count me in!

What do you think is the biggest power of diversity?

Having different perspectives across expertise, experience, and knowledge leads to better problem-solving. In practice, that results in more robust decisions and more resilient solutions.

Why do initiatives like CyberDefendHERs matter?

Improving access to the cybersecurity field for underrepresented groups and people with non-STEM backgrounds directly increases cognitive diversity. Cognitive diversity improves innovation and the resilience of the solutions we propose to address the challenges in this field.

Why do you think it’s important to share expertise in Cybersecurity?

The complex and constantly evolving threat landscape, paired with a chronic lack of resources and expertise, makes sharing knowledge essential. When we share what worked, what did not, and what we learned from investigations and incident response, we improve faster.

How do you think we can best improve Cyber Defense capabilities?

Root-cause investigation and acting on the insights gained are essential to improving cyber defense and resilience. Other industry sectors such as marine, transportation, and energy have a long track record of investigating incidents with the explicit goal of preventing reoccurrence. In cybersecurity, there is still a long way to go. Systematically learning from incidents, sharing what we learn, and acting on those lessons are essential to improving cyber defense and resilience.

What impact would you like to make through your work?

There is a significant gap between the current cybersecurity incident investigation practices and how more mature sectors approach the challenge.

Continuous improvement is required by most cybersecurity standards and regulations; root-cause analysis is already integrated in some form into them. However, in cybersecurity we still do not foster a culture of investigating and acting upon learnings after an incident. Most public examples come from SRE (systems reliability engineering) practitioners and network and infrastructure providers. Closing that gap would materially improve cyber resilience.

We do not need more regulation or more detailed standards. What we need is a stronger focus on root-cause investigation, sharing actionable improvement recommendations, and most importantly, acting on those recommendations. The latter is possibly the hardest part, as the decision to implement them is often made by someone else.

Through my work, I would like to deliver insights that enable continuous improvement of the security architecture, incident detection capabilities, and care and maintenance processes, leading to a more resilient healthcare system.