In this edition of Cyber Frontlines, meet Claire Nuñez, also known by her hacker handle, Onion Baby, Creative Director at IBM X-Force Cyber Range. She draws from experience in privacy, consumer advocacy, marketing and production to create immersive scenarios. We caught up with Claire to learn more about her work and recommendations for those looking to start a career in security.
I’ve been an IBMer for about six years, and a part of IBM X-Force for 3.5 of those years. I have a unique job, which is – quite literally - to scare C-suite executive teams. I lead all the creative strategy for the X-Force Cyber Range, which provides clients with an immersive cyber crisis experience. Part of my job is to make clients feel the pressure of a cyber crisis without actually living through one first. My team and I craft scenarios for clients based on threat intelligence and case studies, but my job is specifically to use psychology and theatrical elements to make the whole engagement as life-like as possible.
I’ve always had a knack for finding information on people with a very tiny breadcrumb as a starting point. This brought me into the world of privacy, which eventually took me to security. I’ve always been fascinated by the science of decision-making as well. I studied political psychology, and a lot of the same theories apply to day-to-day human decisioning, especially in security.
Even though I am not a part of the social engineering practice in X-Force, I am often social engineering client emotions in our Cyber Range experiences. I am really trying to get our audiences to feel a certain way, so they understand the importance of security.
In 2024, my colleague Marco Simioni and I won an award from IBM Consulting leadership for our work on developing a deepfake offering for our clients.
I think deepfakes and AI-generated content are fascinating. I work with one of my teammates on deepfakes for our clients, and it is so interesting to see how different audio or video inputs work. Sometimes the output content is good, other times, not so good. We have such short attention spans these days that often, a reasonable quality deepfake can trick people who aren’t fully alert or paying attention. It is scary to see, but part of my job is to help people understand the tools they need to recognize these threats.
My answer is corny, but true: my colleagues.
Since I mostly focus on the business impact of cyber crises, I generally just keep up to date on what companies are being attacked via different news outlets.
I am not a huge conference attender! I’ve been working on the backend of conferences since I’ve been a part of the Cyber Range team. I really enjoy developing activations, thinking about attendee journeys and telling the IBM story.
I get this question a lot, even from just friends asking. My recommendation is always the same: change your passwords, please. No one actually does it, so that is why I am constantly recommending it. It is annoying to have a bunch of passwords or a password manager— until someone hacks all of your accounts.
No matter what industry or role you are in, respect and listening are paramount. It is also key to be able to fail and learn quickly. It is important to get back up and keep moving.
A lot of people have a similar response, but I am curious to see how the quantum story evolves. It will be interesting to see when and how encryption is broken in the near future. It may not be 2025, but it is coming.