
We invited Hackmanac for an interview to learn its story for our women’s day campaign, LeadHER in Security, and we were awestruck by the response.
Hackmanac offers accurate and timely threat intelligence and strives to uncover critical dark web activities. The company is determined to monitor the evolution of real global cyber threats and help fortify defenses against them.
Hackmanac is on a mission to help companies understand their cyber defense plans and optimize their cyber security budgets. It has taken center stage as a torch bearer and has turned into a highly recommended threat intelligence platform.
The CEO of Hackmanac, Sofia Scozzari, touched upon not just cybersecurity but also how women can be encouraged in this industry. She is a lifelong technology enthusiast and has over 18 years of experience in cybersecurity and over 30 years in ICT.
She served in various roles ranging from System Administrator to Cyber Security Manager, as well as CEO of an ICT Security Consulting company.
Scozzari is a Steering Committee Member of Clusit (Italian Association for Information Security) and Women For Security (a Community for Italian women working in Cybersecurity). She is also the Assistant Coordinator of Assintel (Italian ICT Companies Association) and Cyber Think Tank.
Read on to find out what the CEO of Hackmanac, Sofia Scozzari, had to share about women in cybersecurity, threat intelligence, and more.
1. How did your journey into cybersecurity begin? What do you like the most about this industry, and what are some of the challenges you faced?
The beginning of my cybersecurity journey is a direct result of my lifelong passion for IT and technology.
At the age of 16, I started assembling PCs out of passion and curiosity, then chose to study computer engineering in college and began my career as a system administrator and IT consultant.
Over time, in the early 2000s, I became interested in cybersecurity, particularly in managing security projects such as vulnerability assessment and penetration testing.
This passion led me to become a cybersecurity expert and to start a company in Italy specializing in cybersecurity consulting and training.
After moving to Dubai with my family 8 years ago, I founded Hackmanac, a company specializing in cyber-attack analysis and strategic cyber threat intelligence.
What makes cybersecurity fascinating is also its greatest challenge: it is a rapidly evolving field, very dynamic and stimulating, with a constant need to stay up to date.
2. Can you tell us about Hackmanac and how it was formed? What are some of the solutions that it offers?
Hackmanac is based on a simple, but powerful idea: organizations need a clear understanding of the real-world impact of cyber threats in order to make smart security decisions.
Around 2018, after nearly 15 years of working in this space, both as an entrepreneur and as an SME for large consulting firms, I realized that traditional approaches weren't enough - they often lacked the context and actionable insights that decision-makers needed. They were either too technical or too high-level. So, together with my partners, we decided to research and find a solution, which later became our company's mission.
Today, we analyze hundreds of cyberattacks every week, classifying them by victim industry, threat actor tactics and techniques, geography, size, revenue, and many other technical and non-technical variables.
We then assign them an impact score, which allows us to see hidden patterns in the raw data and compare different situations in a meaningful way.
To do this, we created ESIX®, our Estimated Severity Index. It goes beyond the technical jargon and inevitable "noise" created by thousands of successful attacks worldwide each year to provide a clear, concise measure of the potential impact of cyber threats on assets such as finances, operations, market share, and reputation.
Think of ESIX® as a cyber threat GPS for business and government. It helps leaders understand what's really at stake, define highly customized, real-world risk scenarios for their organizations, and optimize their security investments accordingly.
3. In a report, Hackmanac mentioned situational awareness and understanding why cybercriminals target specific organizations. Can you share your observations about these topics?
Year after year, our research shows that cybercriminals are becoming more targeted and damaging in their attacks. They're no longer just casting a wide net and hoping for a bite - they're carefully researching and selecting victims based on factors such as industry, size, location, and perceived vulnerability, whether for economic gain, espionage, or ideological reasons.
This means that situational awareness at the executive level is more important than ever, even more so in light of rising geopolitical tensions and social issues. Organizations need to understand why they are attractive targets and the specific threats they face. At Hackmanac, we help our clients develop this understanding by providing in-depth strategic threat intelligence tailored to their unique circumstances.
I firmly believe that understanding our adversaries' motives, tactics, and the potential impact of their activities is the first step in building effective (and cost-effective) defenses.
4. Threat actors have an unending list of potential victims. They can search everywhere in a target’s infrastructure for a security gap. After a successful attack, security professionals trace back the attack and try to recover from the damage. Can the defensive team be everywhere on their client's digital infrastructure? Is it possible to patch all channels to threat?
While security teams strive to cover as much of their digital infrastructure as possible, the complexity and scale of today's ICT systems make it difficult to achieve omnipresence.
Threat actors are constantly evolving their methods, and the attack surface is so vast that it is technically and financially challenging to systematically defend against every potential vulnerability.
But with well-defined security policies, good monitoring, robust business continuity plans, and a deep understanding of threat actors, their goals, and their real-world impact, organizations can achieve "good enough" security and reduce risk to a manageable level.
5. Do you think CISOs can be held responsible for cybercrimes and damage caused to a company? Please share your perspective about it.
Cybersecurity should not be seen as the responsibility of a single executive, or even the CISO. It is like being on a sports team: everyone has to do their part.
While CISOs play a key role in developing a good cybersecurity posture and implementing appropriate measures, they are not in a position to thwart all risks. Cybersecurity is a cross-cutting issue that requires shared ownership among senior management, IT, and other employees.
This is because, in most cases, it is systemic failures that lead to breaches, so I think a systemic approach to accountability is also warranted. Blaming the CISO alone for a successful cyberattack is like blaming the coach when a sports team loses - everyone should share some responsibility for both success and failure.
6. Being a woman in cybersecurity, what is your prime focus when you start working?
When I begin a project, my primary focus is to take a comprehensive and strategic approach to problem solving. I like to analyze issues from multiple perspectives to find solutions that are effective, innovative, and practical.
In addition, the natural female tendency toward multitasking and empathy helps me manage projects more effectively, ensuring that the needs of all stakeholders are considered and met.
My goal is not just to solve problems, but to raise awareness and develop sustainable solutions that add real value in the long term.
7. Please share a message for female cybersecurity professionals on this International Women's Day 2025. Is there a skill or approach that women need to develop or improve to thrive and make a meaningful impact on the workforce?
Women often feel uncomfortable or inadequate in technical roles, and even more so in cybersecurity. My first piece of advice is to silence those doubts and focus on recognizing and leveraging your skills and professionalism.
Cybersecurity, like any other profession, is something you can learn - just as no doctor can perform surgery without many years of study. Moreover, the field is not limited to technical roles. There is also a strong demand for professionals with strong backgrounds in communications, law, marketing, and many other fields. This means that any previous experience can be an asset, even for those who move into cybersecurity later in their careers.
Women should focus on developing a combination of hard and soft skills. Technical expertise can always be acquired, but soft skills such as critical thinking, adaptability, and problem-solving are what set professionals apart.
Finally, natural strengths such as multitasking and empathy are incredibly valuable in cybersecurity, helping to manage complex projects and successfully navigate the ever-changing threat landscape with both vertical expertise and a broad view of the issues at hand.