IoT Security, Academia, and Career Wisdom: A Chat with Dr. Irene Anthi

Dr. Irene Anthi is a senior lecturer at the School of Computer Science & Informatics at Cardiff University. With a PhD in cybersecurity, Irene Irene combines her passion for teaching with cutting-edge research on the security of Industrial Control Systems and Internet of Things devices. She leverages Capture The Flag platforms to provide her students with a hands-on, interactive approach to learning essential cybersecurity concepts. I had the pleasure of interviewing Irene to explore her insights on lecturing, her experiences as a PhD student, and the unique challenges of IoT security.

Can you share the moment or experience that sparked your interest in computer security? What motivated you to transition from industry to teaching?

My journey into cybersecurity began about 14 years ago during my undergraduate studies in Computer Science at Cardiff University. It all started when I came upon the digital forensics module —it felt like being a detective, piecing together clues in a virtual world. The challenge of uncovering hidden information was so exciting, almost like solving a complex puzzle, and that’s what first drew me in. This initial spark led me to explore Capture The Flag (CTF) events. At the time, I had no idea what they were or how to get involved, but I was determined to figure it out. The more I dug into these challenges, the more hooked I became. CTFs were not just games; they were a hands-on way to learn and apply cybersecurity concepts in real-time, which is why I’m so passionate about organising them for my students. It’s incredibly rewarding to see students, even those from non-technical backgrounds, catch the cybersecurity bug and switch their career paths after participating in our events.

In my final year, I was committed to dive deeper, so I chose to focus my dissertation on a cybersecurity research project. My professor suggested a project on smartphone security, investigating where sensitive data goes, which opened the door to network security and cryptography for me. This project was pivotal—not only did it lead to published research, but it also confirmed that my passion wasn’t just limited to cybersecurity. I loved the process of discovery and the intellectual challenge that comes with research. This naturally led me to explore related fields like IoT, OT, and the role of machine learning in protecting these systems.

As for teaching, it feels like it’s always been a part of me. I come from a family of educators—my grandmother was a teacher, and many of my uncles were too. One of them introduced me to computers when I was about seven, sparking a lifelong fascination. Academia is where my passions for teaching and research intersect. I’m naturally curious and driven by a desire to innovate and improve, and academia provides the freedom to explore and experiment in ways that align with who I am. That’s why transitioning from industry to teaching felt like a natural progression for me. It allows me to share my knowledge and enthusiasm with the next generation while continuing to push the boundaries of what’s possible in cybersecurity.

In your experience, what are the key differences between securing IoT/ICS environments and traditional IT systems? Are there any unique challenges or vulnerabilities that stand out?

Securing IoT and ICS environments presents unique challenges compared to traditional IT systems, largely due to their complexity and criticality. With IoT, the challenge is threefold: the number of devices, which continues to grow exponentially every year, their incredible diversity, and their limited computational power. We’re dealing with countless devices from different vendors, each using different protocols and serving different functions. This diversity makes it ztye board. Additionally, many IoT devices have limited computational resources, which makes it challenging to incorporate robust security mechanisms. In addition, these devices are often deeply embedded within our networks and have access to sensitive data, which raises the stakes even higher. The potential consequences of a breach in these environments can be severe.

On the other hand, Operational Technology (OT) systems, such as Industrial Control Systems (ICS), were never originally designed to be connected to the Internet. However, with the push towards digitalisation, they’ve been brought online, introducing new vulnerabilities. These systems often rely on legacy equipment and software that hasn’t been updated in years, sometimes because of the risk of causing malfunctions. This outdated technology can be a breeding ground for vulnerabilities, and given the critical nature of these systems, the implications of an exploit can be devastating, even life-threatening. The stakes are incredibly high, and defending these systems requires a deep understanding of both their operational intricacies and the potential cybersecurity risks they face.

Reflecting on your journey as a PhD student, what were some of the most significant challenges you faced, and how did they shape your approach to research and teaching?

Pursuing a PhD was one of the most challenging yet rewarding experiences of my life. It truly felt like a rollercoaster of emotions, where I had to navigate through rejections, criticism, and even my own self-doubt. The journey was like climbing a mountain, with each turn presenting a new obstacle to overcome. My journey may have been more challenging than expected, but by the end of it, I had accomplished far more than what is typically expected of a PhD student.

One of the first big challenges was securing funding. Before I could get the support I needed, as I started my studies being self-funded, I took on a lot of teaching to support myself. Looking back, this turned out to be a blessing in disguise. It gave me the chance to discover my own teaching style, and I became passionate about creating a classroom environment that students actually enjoy. I wanted to be the kind of teacher who students don’t find boring, someone they’re excited to learn from. This led me to experiment with gamified teaching techniques, something I still love to use.

Another pivotal moment was getting a research position at Airbus; which became my main source of funding for my PhD. This opened up so many opportunities—industry experience, networking, attending events, and even travelling around the world to present my work. I’ve always been nervous about public speaking (and to be honest, I still am), but I had to push through that fear. I realised how crucial it is to be able to communicate your work to people from all kinds of backgrounds. It’s a skill that can open doors, and I’ve seen many brilliant researchers struggle because they couldn’t clearly explain their ideas. This exposure to some of the best people in the field significantly shaped my research ideas and methods. 

Balancing my responsibilities at Airbus with my PhD work was another big challenge. I had to learn how to manage my time effectively and, more importantly, believe in myself. Battling imposter syndrome was tough—I constantly questioned whether I was "good enough" for the role. Keep in mind, I had just graduated from my BSc degree. As I completed my studies with a First Class Honours, I decided to skip doing an MSc and went straight for a PhD. 

Then there was the challenge of handling rejections and criticism for my work, which seemed relentless at times. As someone working in applied cybersecurity, my work was often scrutinised intensely. It was hard not to take it personally, but over time, I learned to see feedback as an opportunity to improve. This was a tough lesson, but an essential one. Academia is demanding, and you have to constantly push the boundaries of knowledge while competing on a global stage. It can be overwhelming, but I learned the importance of resilience—never giving up, always improving, and trying again.

In the end, I managed to publish all my work in top journals, and one of my papers even won two awards—one for its impact and another as the best paper in the Journal of Information Security and Applications.

These experiences have shaped not just my career but also how I approach life. They taught me the value of persistence, how to take criticism in stride, and the importance of believing in myself, even when it’s hard.

Looking back, what advice do you wish someone had given you at the beginning of your career in cybersecurity?

Looking back, I wish someone had told me early on in my cybersecurity career to embrace the learning curve and not be afraid to get my hands dirty; something which I was also scared to do to begin with. Cybersecurity is a constantly evolving field, and the best way to learn is by diving in—experimenting, trying new things, and even breaking things along the way. It’s through those mistakes that you really start to understand how things work. I’ve seen many students shy away from technical challenges because they’re afraid of messing up or because they don’t understand it straight away, but I’d say that’s exactly how you grow.

Another piece of advice I wish I’d heard sooner is to be brave. Don’t hesitate to ask for help, seek out resources, or request funding to attend conferences. You’d be surprised how often people are willing to support you if you just ask. Whether it’s advice from a mentor or an opportunity to present your work, being proactive can open up doors you didn’t even know were there.

For aspiring researchers, lecturers, and professors, I’d emphasize the importance of balancing persistence with adaptability. Research can be tough, with plenty of rejections and setbacks, but sticking with it is crucial. At the same time, be open to changing your approach based on feedback or new information—it’s all part of the learning process!

When it comes to teaching, be the teacher you always wanted to have! Make things interesting, challenge your students in a supportive way, and don’t just rely on constant lectures—nobody enjoys that. Use a variety of methods to communicate the material, and whenever possible, incorporate hands-on labs. Engaging students through practical exercises helps them connect with the subject matter and builds their confidence in tackling technical challenges.

Lastly, never underestimate the power of communication. Being able to clearly explain complex ideas to different audiences is a skill that will serve you well throughout your career. Whether you’re presenting research or teaching a class, effective communication can make all the difference in how your work is received and how you connect with others.

For those just starting out in cybersecurity, particularly in IoT security, what foundational skills or knowledge do you consider essential?

First and foremost, a solid understanding of networking is crucial. IoT devices rely heavily on network communication, so knowing how networks operate, including protocols, IP addressing, and how data flows through a network, is fundamental. This knowledge will help you understand how IoT devices communicate and where potential vulnerabilities might lie.

Next, a strong grasp of basic cybersecurity principles is key. This includes understanding common threats like malware, phishing, and DDoS attacks, as well as knowledge of encryption, authentication, and access control mechanisms. These concepts are foundational across all areas of cybersecurity, and they’re particularly important when dealing with the diverse and often resource-constrained devices found in IoT environments.

Programming skills are also essential. You don’t need to be an expert programmer, but being comfortable with scripting languages like Python or Bash will allow you to automate tasks, analyse data, and even write simple exploits or security tools. Additionally, some familiarity with embedded systems and the basics of how software interacts with hardware can be very beneficial, given the nature of IoT devices.

Another key area is understanding the specific challenges and limitations of IoT devices. As mentioned above, unlike traditional IT systems, IoT devices often have limited computational power, memory, and energy resources. This makes it difficult to implement traditional security measures, so you need to be creative and resourceful in finding ways to secure these devices.

Finally, I’d recommend getting hands-on experience as much as possible. Try setting up your own IoT lab with various devices, experiment with securing them, and participate in Capture The Flag (CTF) competitions or online challenges related to IoT. This practical experience will solidify your understanding and prepare you for real-world scenarios.

Outside of cybersecurity, what hobbies or interests do you pursue to unwind and maintain a balanced life?

Outside of cybersecurity, I have a lot of hobbies and interests that help me keep a balanced (and somewhat interesting) life - I have to say, I am never bored! There is a popular saying that says; have three hobbies—one for the mind, one for the soul, and one for the body—and that advice has stuck with me.

For the body, I’ve always had a natural talent and passion for sports. Growing up, I was involved in everything from track and field—100m sprints and long jump—to team sports like football (yes, I was also part of a boys team when I was young), handball, volleyball, and basketball. But my real love has always been racket sports like tennis, badminton, and ping pong. Without much formal training, I was able to win a few medals and trophies along the way. My love for sports even led me to pursue a BSc in Sports Science at the National & Kapodestrian University of Athens (with a specialisation as a tennis coach) before I decided to study Computer Science. Given my background in sports and my dedication to taking care of my body, I also took up cooking. My friends and family insist I’m a great cook, so I’ll let their opinions speak for me—but I do really enjoy preparing tasty and healthy Mediterranean dishes.

For the soul, music plays a big role in my life. My grandmother introduced me to music at a very young age, specifically the guitar, and I've been playing it ever since—classical, acoustic, and electric. Over time, I developed a deep love for composing and writing new songs in pop, indie, and soul styles, which led me to learn how to record music at home. Since I didn’t have anyone else to play with, I also taught myself to play bass, basic drums, and keyboard, so now I can pretty much record complete songs on my own!

For the mind, I love to travel and explore new places. I’ve been lucky enough to visit many parts of Europe, Asia, and America, and each trip brings new inspiration for both my work and personal life. Travelling also lets me indulge in another hobby—photography. I enjoy capturing the essence of the places I visit, and if you’re curious, I’m happy to share my Instagram!

Lastly, I’m a bit of a bookworm. I always carry a book with me, no matter where I go—otherwise, I feel a bit lost! I tend to read about psychology, spirituality, and entrepreneurship, as they help me stay grounded and keep learning new things.

I noticed from your LinkedIn that you have a background in coaching tennis. Do you still find time to play or coach, and how do you think sports coaching has influenced your teaching style in cybersecurity?

To be honest, I haven't played tennis properly in a few years, mainly because I haven't found many people to play with and I think I got my fill when I was younger. These days, I’m really into badminton and have been training consistently with the goal of starting to compete soon. Staying active through badminton, yoga, and strength training at the gym helps me stay both physically fit and mentally balanced—I try to train almost every day. Occasionally, I also do some personal training for others, which I find incredibly rewarding. 

My background in sports coaching has definitely influenced my teaching style in cybersecurity. The active and interactive approach that's essential in coaching translates perfectly into the classroom. Just like coaching athletes, I believe in engaging students through practical, hands-on experiences that not only teach them the theory but also how to apply it in real-world scenarios.

Moreover, coaching has taught me the importance of tailoring my approach to meet the individual needs and skill levels of each student. In sports, you have to recognise that each athlete has their own strengths, weaknesses, and learning styles—the same goes for students in cybersecurity. I make an effort to understand where each student is coming from and adjust my teaching methods accordingly, whether that means breaking down complex concepts into more digestible parts or providing extra challenges to keep them engaged.

Another aspect I've carried over from sports coaching is the emphasis on building confidence and resilience. In both athletics and cybersecurity, facing and overcoming challenges is part of the journey. I encourage my students to view obstacles as opportunities for growth and to persist even when things get tough. Celebrating small victories along the way is also important—it keeps motivation high and reinforces the progress being made.

Thanks Irene!

Thank you Irene for sharing your story and thank you for reading!

Want to share your own cybersecurity story and insights with us? Learn how here 👉 https://www.hackerasks.com/share/