In this Sofia Scozzari interview with TCE, the Hackmanac CEO offers a grounded look at how today’s cyber threat landscape is evolving, and where organisations are still falling short. Drawing from her experience tracking real-world cyberattacks globally, Scozzari moves the conversation beyond tools and technology to focus on impact, decision-making, and preparedness.
She describes a threat environment where attackers are constantly adapting, collaborating, and scaling their operations, while many organisations continue to treat cybersecurity as a technical function rather than a business risk. The result is a widening gap between how threats operate and how they are managed.
In this Sofia Scozzari interview, she also reflects on recurring patterns, from known vulnerabilities being repeatedly exploited to the continued underestimation of human behaviour in security incidents. Her insights point to a clear need for stronger alignment between cybersecurity strategy and business priorities.
Here’s what she shared:
Sofia Scozzari Interview: Why Cybersecurity Must Move Beyond Technology
TCE: If you had to explain today’s cyber threat landscape using a real-world analogy (outside of technology), what would it be—and why?
Sofia Scozzari: I often describe the current cyber threat landscape as being like walking inside a beehive. If we haven’t been stung yet, we will be in the future. Threat actors constantly evolve, adapting to technological innovations, geopolitical shifts, and trending topics.
They collaborate, specialize, and operate with “as-a-service” models that make offensive capabilities scalable and accessible. In contrast, defenders often act in isolation and hesitate to openly share incidents, which unintentionally preserves the attacker’s advantage.
The result is a structural asymmetry between offense and defence, with offense taking advantage of collaboration. Even with the perfect defence strategy, we should assume exposure and breach are inevitable. The real strategic question is not “if,” but rather how prepared we are when it happens.

Just as biological systems develop resilience through collective immunity, cybersecurity requires structured information sharing and awareness to rebalance the attack–defence equation.
TCE: You’ve spent years analyzing cyberattacks globally through Hackmanac. What is one common assumption about cyber threats that you believe is completely misunderstood?
Sofia Scozzari: In my opinion, the most misunderstood assumption is that cybersecurity is exclusively a technical issue, a subset of IT, often resulting in a fraction of a company’s IT budget. Today, cyberattacks can disrupt far more than technological systems, affecting core business assets, operations, reputation, and even endangering human lives, as in healthcare, connected medical devices, or electric vehicles. Cyber risk extends beyond technology and has evolved into a strategic business risk. Therefore, it should be governed accordingly.
TCE: Looking back at your career journey, was there a single moment or decision that quietly changed your direction in cybersecurity? What did it teach you?
Sofia Scozzari: Looking back, the turning point in my career was my decision to leave traditional consulting and corporate roles to build my own company. This choice gave me the flexibility to determine how to intervene and effect change in the consideration and management of cybersecurity.
After studying the problem more deeply, I realized that most cybersecurity decisions are mistakenly based on the volume of attacks (and not always the ones that really matter) rather than their impact. For this reason, we focus specifically on successful cyberattacks (an indication of where defences failed) and impacts (operational, financial, reputational consequences), providing executives and managers with precise, actionable strategic insight to guide cyber risk management.


TCE: In threat intelligence, patterns often repeat. Have you noticed any “cyber déjà vu” moments where organizations keep making the same mistakes despite better tools?
Sofia Scozzari: One recurring pattern in cybersecurity is the continued exploitation of known vulnerabilities. While it may be easy to interpret this as simple organizational negligence, the reality is that many companies operate highly complex environments built on legacy systems or mission-critical software certified only for specific versions. Updating these systems can introduce operational risk, making patch management far more challenging than it appears from the outside.
The root cause, however, goes deeper: security by design is still not consistently embedded in the development process of systems, software, and applications. Instead, security is often treated as an additional layer applied after deployment rather than integrated from the outset.
Moreover, unlike manufacturers of physical products, software vendors rarely face direct legal consequences when vulnerabilities in their products are exploited. The burden of mitigation largely falls on the end user, resulting in frequent preventable breaches.
TCE: Cybersecurity is often seen as highly technical, yet much of it is about human behavior. What human factor do you think organizations still underestimate the most?
Sofia Scozzari: Cybersecurity is often framed as a technological issue, which naturally drives attention toward software, infrastructure, and technical controls, underestimating the human factor. Consequently, a significant portion of compromises still originate from human interaction: credential misuse, poor security hygiene, insider risk, or simple misjudgement under pressure. Attackers understand this very well, which is why phishing and social engineering remain effective entry points.
On the other hand, cybersecurity awareness among collaborators, including employees, consultants, and suppliers, is often overlooked as a key component of an effective cybersecurity defence strategy.
TCE: As a founder and leader, how do you personally stay ahead of constant change without getting overwhelmed by the speed of the cybersecurity industry?
Sofia Scozzari: I genuinely love cybersecurity because it evolves constantly: in this field, boredom is impossible. Continuous change forces you to think out of the box and to focus on the bigger picture rather than isolated details. In my role especially, understanding how technology, geopolitics, business dynamics, and human behaviour intersect is far more important than concentrating on a single technical dimension.
I also don’t believe that stepping away, even temporarily, means falling behind permanently. Throughout my career, I’ve taken pauses — sometimes by choice, sometimes not — and each time I returned with broader perspective and stronger judgment.
Soft skills such as adaptability, critical thinking, and strategic vision are just as important as technical expertise in the cybersecurity field. Equally important is maintaining a healthy balance between professional and personal life. For this reason, at Hackmanac we have chosen to work fully remotely, enabling flexibility and trust within the team.
TCE: On International Women’s Day, many conversations focus on representation. From your experience, what truly helps women stay and grow in cybersecurity—not just enter the field?
Sofia Scozzari: I strongly believe that cybersecurity, as a profession, has no gender. The perception that it is a male-dominated field is largely rooted in cultural conditioning. Many young women grow up internalizing the idea that they are less suited for technical subjects and are not always encouraged to pursue STEM paths. In reality, there are no inherent barriers. I personally know several extraordinary women in cybersecurity who bring passion, creativity, expertise, and talent to the field. Three factors truly help women grow in cybersecurity: early encouragement, inclusive environments (not only related to gender), and a strong focus on competence.
First, early encouragement is important for students to choose their academic and future career paths. They should consider cybersecurity because it is a fast-growing industry with huge global demand, a meaningful impact, and strong long-term career prospects. Second, we must highlight the diversity of roles within cybersecurity. The field is not limited to highly technical positions. Legal, compliance, risk management, communications, strategy, and business roles are also essential. This makes the industry accessible to professionals from varied backgrounds who may wish to pursue a change in their careers.
Finally, my advice for women already in the field is simple: focus on competence and results. Although challenges and biases may exist, sustained professionalism, expertise, and consistency build credibility over time. Cybersecurity needs diversity, not just for representation, but because complex global challenges require diverse perspectives.
TCE: The theme of our initiative is “Give to Gain.” What is one piece of knowledge or opportunity you received in your career that you now consciously pass forward?
Sofia Scozzari: One of the most valuable gifts I received in my career was trust. I was just a curious young girl looking into computers and learning how to assemble them. I was supported and encouraged to pursue that curiosity. Much of what I learned came more from hands-on experience than from formal education.
I was fortunate to study in inclusive environments focused on preparing capable IT professionals, and equally fortunate to move across diverse roles — from system administrator to IT consultant, project manager, presales, and cybersecurity manager. Each transition expanded my perspective and forced me out of my comfort zone.
What I consciously pass forward is that same encouragement: do not fear stepping beyond what feels familiar. Growth rarely happens inside comfort. I encourage professionals — especially younger ones — to focus less on self-doubt and more on how they can create value in any context, leveraging both technical expertise and soft skills, expertise and passion.
TCE: If you could redesign how organizations approach cybersecurity from scratch—without legacy systems or old processes—what would you do differently first?
Sofia Scozzari: If I could redesign how organizations approach cybersecurity from scratch, I would start by rethinking their decision-making structures. Currently, cybersecurity is often evaluated based on compliance checklists, budget constraints, or emergencies. Rarely is it fully integrated into strategic planning, performance metrics, or executive accountability.
I would embed cyber risk directly into core business KPIs, forcing a reevaluation of budget allocation. This would enable security to influence product design, supply chain selection, partnerships, and investment decisions.
Finally, I would ensure that security intelligence is continuously translated into board-level language. Leaders who don’t usually receive technical alerts should at least receive strategic insights related to business exposure and impact to fully understand and manage their company’s specific threat scenario.

