Identity in Cybersecurity Ep. 2 — Follow the Data

Ian Paterson talks to Ajay Sood of Armis Security and Symantec fame about how data is changing the cybersecurity universe—and how the data in the cybersecurity universe is changing.

How is our understanding of cybersecurity changing as technology becomes more central to society? What do these changes mean for organizations that aren’t large enterprises? What’s a V-CISO, and why is this role becoming a thing? How is the role of the corporate IT organization changing?

In this episode, Plurilock CEO Ian Paterson interviews Ajay Sood, senior cybersecurity executive at Armis Security, thought leader, and technologist, for answers to these questions—and more.

Host: Ian L. Paterson
Guest: Ajay Sood
Length: 33 minutes, 12 seconds

Transcript

Ian: Welcome to the Identity in Cybersecurity Podcast. I am your host, Ian L. Paterson, and today I’m speaking with Ajay Sood, a seasoned IT veteran and author, with over 20 years of cybersecurity experience with Symantec, FireEye and McAfee. In this episode we discuss how security is not just an IT problem anymore, the concept of human capital, and the growing pains of managing cybersecurity for a mid-sized company. Let’s get to it.

Ian: So I would love to fill the viewers in on your background. How did you actually get started in cybersecurity?

“This whole notion of having a secure enclave and saying, ‘Okay, we’re going to put the data here and we’re going to secure it.’ That’s over. And so many organizations—they haven’t figured that part out yet.”—Ajay

Ajay: You know, cybersecurity at the time was one of those things that actually found me, when you grow up on the computer counterculture side of things in the early 1990s with the advent of the internet and computing in general. I mean, it was one of those things where I found that was what I wanted to do with my Friday and Saturday nights, right? And so I spent time doing things like BBSs, connecting to other people in other parts of the world and computers and using protocols like finger and Archie and Veronica and AltaVista. As I say all of this stuff, I’m aging myself. But it was actually just so miraculous because it was just so new. And so when you start to play with internet technology, you start to realize very, very rapidly you could get into other schools and you can use their systems and you can misuse their systems. And so we used to do a lot of fun things, like just everything from making a big set of eyes, you know, GIFs and things pop up on screens across the country and just causing disruption, and so you start to learn how to disrupt and have fun with that sort of thing. You can rapidly see how that could spiral into an interest in internetworking and internetworking security, and more importantly, subverting it. So, we all ran havoc in our university school networks. And so I’d like to say the rest is history, but it really isn’t because it was actually not very deliberate.

“So when you start looking at the principles of identity, a lot of folks are like, ‘oh identity: username and password?’ Not really—not anymore. Now we’re talking about authenticating users—yes the users.”—Ajay

Ajay: I had gotten through my degree in engineering and then was offered a telecom position at a large telecom provider based here in Canada, and I was bored on a break one day at school, and I applied to what I thought were the most influential and networking companies on the planet and put as my hobby “hacking”—I think it was hacking TCP/IP, because remember TCP/IP—it was a software package. Back in the day, you had to install it electively. So I get a call from this company within 24 hours. “Tell me about… what do you mean by hacking TCP/IP?” And I told him I was messing around, opening up ports and hacking SMTP and forging email messages and doing all sorts of fun stuff like that. He’s like, “Oh, we need to meet.” And so they met me and they shipped me off to Toronto and I ended up starting my cybersecurity career there, even though I didn’t know I was doing cybersecurity at the time because it really wasn’t a field.

Ian: And so with that wealth of experience, how have just plain vanilla things like access to data changed over the last, I don’t know, 10 years or so, from where you started to where we are now?

“There’s a lot more complex elements to data management than there ever has been.”—Ajay

Ajay: In the last decade, I think the biggest change has been an evolution away from the secure enclave, and I’ll qualify that. So about a decade ago, we used to buy things like firewalls and we used to build secure enclaves on the inside of networks, DMZs and so on, where we kept our database servers or we kept our web servers—wherever we kept the jewels, right? And so this notion of the secure enclave became really, really important. Well, the game that we’re playing right now is not so much “Hey, house the data and then armor it.” Now it’s “follow the data,” right? The data is everywhere! The data’s moving. The data is moving with the users. The data’s in the cloud, it’s in Azure, it’s in AWS, it’s in Google. It can be on a handset, it can be on a watch. And so this whole notion of having a secure enclave and saying, “Okay, we’re going to put the data here and we’re going to secure it.” That’s over. And so many organizations—they haven’t figured that part out yet.

Ajay: And so when you start looking at the principles of identity, a lot of folks are like, “oh identity: username and password?” Not really—not anymore. Now we’re talking about authenticating users—yes the users. We’re talking about authenticating devices. We’re talking about authenticating their access. We’re talking about their levels of access to what data and what time and what frequency. And so that data can be anywhere and live anywhere at any time. And then at the end of all of it the data, it has to die. And then GDPR happened, right? And then we started talking about a right to forget, voluntary and involuntary data destruction. And so you can see how data is no longer adopted—“this whole ‘I’ve got a database of usernames and passwords, and I’m leaving it in this secure enclave behind a firewall.’”

“We’re going away from this just being an IT problem to being more of a regulatory problem and being more of a human issue.”—Ajay

Ajay: Now I’ve got data that is created. Data that is stored, data that is moved, data that is evolved, dated. It has to be kind of repudiated and authenticated in a lot of certain ways. And then that data has to be destroyed, right? And we have to do that all securely, and we have to document that and we have to step up with an ISO standard. There’s a lot more complex elements to data management than there ever has been. And by the way, as more and more legislation continues to get passed, specifically in Canada, because let’s have a little bit of a Canadian spin on that, we have PIPA last year, penalties still TBD and terms still TBD, but as that gets more sophisticated as well, we’re going to have to get a little bit more serious about how we manage our data.

Ian: So it seems like the shift has been from a technology conversation to a regulatory or a policy conversation. Given how the trend has evolved, where do you see us going in the next 10 years?

Ajay: Definitely more towards the individual. When we started looking at technology as being a solution, we’re rapidly going to see how quickly that technology will fail us. At the end of the day, IT became notoriously synonymous with IT security, right? When we start talking about cybersecurity, we always think of it as an IT problem, but when you start looking at breaches and issues that we’ve had over the most recent years, the people who are in the crossroads now are like the CEOs, the CIO, CLL, CPO, legal officers, and so on—executives.

“We’re talking about stealing a country’s worth of data, a country’s worth of population information! This isn’t just someone stealing your credit card and buying a subscription to magazines anymore… the stakes are much larger.”—Ajay

Ajay: Security has visibility now at the highest levels, first step. The second thing here is now you’re starting to look at a lot of regulatory pressure behind data management, data protection. And so, your question is about where is this going, right? Look, we’re going away from this just being an IT problem to being more of a regulatory problem and being more of a human issue. And I say this because I was one of those people, right? I used to believe that when we started talking about capitalization on cyber crime, we talked a little bit about intellectual property: financial capital, intellectual capital, natural capital, financial capital. And we also have this third category called “human capital”. I mean, this emerged and “wow, this is a new thing.” But now if you look at the biggest breaches that you’re talking about, Facebook and there’s been millions of accounts getting stolen. You’re talking about insurance companies again and these breaches are in millions of records—tens of millions of records! We’re talking about stealing a country’s worth of data, a country’s worth of population information! This isn’t just someone stealing your credit card and buying a subscription to magazines anymore, which as annoying as that is… the stakes are much larger.

Ajay: So to your point, when you start looking at being a custodian of data, you’re no longer a custodian only of intellectual capital and financial capital, and I’ll even add political capital to that list. Right? Because you’ve got political capitalization of cyber crime, right? Hey, I live in a country. You live in a country. I don’t like your country. We’re going to do bad stuff, right? That’s also material. And so as we kind of get away from, “Hey, I have credit card numbers and you want them” now to, “I want to know everything about your population base, and I want to capitalize on that to destabilize your government.” Right, well, in Canada, we’re in election year so the stakes are much higher. And so now we’re entering an arena of a legal conversation. We’re entering in human—this is an anthropological conversation now more than a technological conversation. And so from my perspective, that’s a huge change.

“This is an anthropological conversation now more than a technological conversation. And so from my perspective, that’s a huge change.”—Ajay

Ian: So what does that mean for us? So there’s a mid-market regulated enterprise, could be financial services, could be healthcare, could be something else. I mean, I think the reality is that most compliance standards have a lot of the same controls. So whether you’re talking about NIST or ISO or similar, PCI DSS, there’s still a lot of those commonalities between them all. But I think what you’re talking about is a much larger conversation than simply, “hey, we need to deploy a new firewall and a new IAM solution, and we should probably update our AV.” And so how does that translate into what the CSO has to do to secure the organization?

Ajay: Yeah, I’ve had a long history of working for various security vendors. As a vendor of a security product, I’ve always found that we’ve been at the source of that problem that you just described. “Hey, you know what? Buy this toothpaste and your teeth will be shiny, white, and bright forever!” Right? When you think a little bit about what you’re saying, now we’ve got to get beyond technology. We talk about that 1000 person company. I was with a client this morning and I said the 1000 seat company is an interesting one because if you’re a 60,000 seat chartered bank in Canada and you’re regulated and you have auditors and OSFI and you have all of these standards, and you mentioned PCI DSS, and you mentioned a whole collection of other ones.

Ajay: You have standards, you have to audit to these standards, and, I would say cut and dry, but you’ve got some very prescriptive things that you have to do. When you’re a CISO in a 1000 person shop, you’re kind of on the cusp of unmanageability, and I’ll qualify that statement. If you’re small and you’re a 100 or 200 seats, you’ve pretty much got IT locked up. You’ve got a hundred agents to deploy on a hundred machines, and you kind of know where those machines are at all different times. When you’ve got 60,000 machines, you understand that you need rigor, process—you’ve got staff to back it up, you’ve got budget to back it up and all this good stuff. And that piece, and this is Canada, by the way, that 500 to 2000 person enterprise, that’s basically Canada. That’s our bread and butter in terms of size of enterprise. You’ve probably got 40 companies in this country that are over 10,000 people in size, realistically, right? And then I’m talking about the ones that are not like in construction, heavy equipment, or mining, right? I’m talking about technology-heavy companies.

“When you’re a CISO in a 1000 person shop, you’re kind of on the cusp of unmanageability… you’ve got the burden of complexity, but don’t generally have the resources behind you.”—Ajay

Ajay: And so you think of that thousand person shop, you say, okay, at this point you’ve got the burden of complexity, but you don’t generally have the resources behind you. And those people in the thousand person area are receiving that message from the vendor, right? So I set the stage with them and say, you know what? You buy the security in a box, you’re going to be great. Right? And so many people will do that. And I call it the “UTM approach to security”, where you’re going to buy this all-in-one wonder, you know, firewall box—and I take nothing away from these vendors; they are good products, good people behind them, and all this good stuff.

Ajay: But, in those boxes, you will not find procedure. You will not find proper, proper configuration, best practices. You will not find visibility into the severity of the attack landscape or the intelligence necessary to counteract today’s cyber criminals. The biggest message I leave with CISOs and executives that I talk to, particularly on the smaller enterprise, is that you need to understand that you are a target. You need to understand that your data is important, your data is valuable. And if the answer is like, well, no, you know, all we do is manufacture tiny screws, why would they care about us? And the answer to that is, well, don’t you have customers, right? Don’t those customers have customers? Don’t you have people that care about you?

“The biggest message I leave with CISOs and executives that I talk to, particularly on the smaller enterprise, is that you need to understand that you are a target. You need to understand that your data is important, your data is valuable.”—Ajay

Ajay: Right now I’m serving as a Regional Vice President of a company called Armis, right? So we help our clients secure their operational technology and IoT type technology. And I often hear this question about, “Why do I have to secure these devices?” And the answer is, well, very simple. In the IT world, a bad day is when you lose your data or somebody erases your database. In the OT world, operational technology world, a bad day is when somebody dies, right? When you take out an elevator, you know, an escalator. When you take out a power plant, when you take out water treatment facilities, the stakes are getting much higher. And so getting your head around your data, what it is and what its power is, is probably the biggest advice I could give to a security executive.

Ian: So, we’ve talked a little bit about securing access to data and also securing access to systems. And I think in some cases they will revolve around the same thing, which is Who, right? Who is accessing that data? Who is accessing those systems? Do you see that there are tools and techniques that are doing a better job than others in terms of validating that it’s the right “who”, that it is in fact, the right person accessing the right systems or the right data?

“In the IT world, a bad day is when you lose your data or somebody erases your database. In the OT world, operational technology world, a bad day is when somebody dies.”—Ajay

Ajay: So what we’re really talking about, Ian, is context; who is only one part of the equation. And so what we’ve graduated from is this era where we had a who accessing a what, right? Actually, we didn’t even have a who accessing “what”—we just had a who, right? We had a who accessing a system and there you go. And so we graduated from that to who accessing what, and then who accessing at what time.

Ajay: And so now where we are in this era is, “Hey, we need to establish a context of access, period, end of story.” And how does that work? Well, I’ll use myself. An example is you’ve got this guy, Ajay, he accesses this type of information generally from this time to this time. Great. So if Ajay just started accessing this data in a different context—wrong time of day, wrong geolocation, or something different in general—the context doesn’t match. And so the interesting part here is we’re no longer trying to build a book of “here’s Ajay, here’s his username, his password.” Now it’s, here’s an entity, right? We’re going to call it an Ajay. But here’s the context of data access in general. So this is the data. This is how it’s generally accessed. There’s a class of person that usually accesses it, and these are the ways that they generally access it, and we’re going to build a baseline, use this kind of analytics element to it—a data science element to it.

Ajay: And so, getting away from usernames and passwords, and that’s why when we talk about modern IAM, IAM today, people are like, “Well, yeah, I have a (I’m just picking one out of the air here) CyberArk. I have a password keeper, so I’ve got IAM nailed!” My answer to that is no, you have a really good password. Right? But you don’t necessarily have IAM put together, because IAM as a general notion, you’re going to have to have an element of authentication. So there’s your CyberArk, there’s your product, right? Coming right back to your point, you’ve got this product (and I didn’t want it to be about product). So you’ve got this product that does a great job being a product, but you don’t have a way to check and see what the checks and balances of utilization of those credentials are. So what data was accessed? Should that data be accessed? Is that data even classified? And so this comes right back to the beginning of this podcast, right? We were talking about “follow the data.” Organizations today—first thing as a CISO and as a CIO, chief information officer, is you need to understand what data you have, right?

“What data are you collecting? What data do you have? You are the custodian of this data. And if you don’t think you’re the custodian of this data, you probably need to read up on it one more time because it doesn’t matter if you’re storing it in a cloud or if you’re storing it in a cloud provider.”—Ajay

Ajay: What data are you collecting? What data do you have? You are the custodian of this data. And if you don’t think you’re the custodian of this data, you probably need to read up on it one more time because it doesn’t matter if you’re storing it in a cloud or if you’re storing it in a cloud provider. You know, a CRM service: ServiceNow, Salesforce, pick one, doesn’t matter. You’re responsible as the collector of that data, as a custodian of that data. Therefore, if your cloud service provider gets popped and your client’s data is all over the place, you can’t just say, “Well, it was them”. Right? If you read the T’s and C’s of any of the cloud service providers, they will tell you that they’re responsible for the security of the cloud, or they’re going to do whatever they can to secure the infrastructure. But if your data in the cloud gets popped, breached due to, you know—Amazon S3 bins left wide open—we see this, we’re seeing it over and over and over again. Is that a failure of authentication? Is that a failure in IAM? No, not so much. That’s a failure in properly building a structure that will support IAM.

Ajay: The person who would access that data probably had credentials, they probably have access rights. Does it mean the access rights are correct? And so getting back to your point, we need to get away from a productized and a simplified version of IAM and start building context around data access. And I think that’s going to be the next phase. So analytics engines, you’re seeing those pop out, you’re seeing SIMs and SIEMs getting smarter, you’re seeing all sorts of other analytics-type companies who are bringing much smarter ways to authenticating users. I like UEBA as a term, right? User and Entity Behavior Analysis. That’s a really great area to attach to IAM impact infrastructure.

Ian: So I think that you hit upon one area there which is challenging, particularly for that mid-sized financial or regulated institution, which is, okay, you’ve got some tools and you have enough complexity there where you don’t know everybody’s name anymore, and you probably don’t physically go see these desktops on a regular basis, and who knows where the mobile devices are at. But the reality is that even if you had the budget to go hire another five people, the five people aren’t necessarily going to be there. Right? We live in a world where, I think the stat I saw recently was a million cybersecurity jobs left unfilled this year alone. What do you think about security organizations within larger institutions having to staff up and maybe that staff not being there?

“We need to get away from a productized and a simplified version of IAM and start building context around data access.”—Ajay

Ajay: It’s a difficult, very, very difficult situation right now because of the skills gap that we have. And more so the formidability of the adversary, right? So let’s say you’re a small company, but you’re brokering in very, very critical information, right? So let’s say you happen to be a provider to a bank or a small payment processor, whatever the case may be, you’ve got sensitive data, access to sensitive data, HR systems, whatever the case may be. Your data is important. You have to understand your attack surface. You have to understand the type of data that you have, the formidability of the adversary.

Ajay: And so generally speaking, most folks in that 1000ish area are probably going to be less successful staffing themselves and more successful augmenting their staff with a service provider, or a second tier or a red phone type provider who can help them be the next best thing when it comes to security. The role that I’m seeing right now and proliferating the most is the V-CISO role, the virtual CISO, where you’ve got access now to seasoned CISO professionals who are no longer CISOs of a single entity but rather are acting as a CISO for many entities or acting as advisors to CISOs because they’ve got this level of experience.

Ajay: This is actually becoming a broadening field. As a matter of fact, my network is starting to fill more and more with these V-CISOs and we talk to them frequently to ask them, “Are you guys looking for gigs or like that?” They’re turning them away actually because of the fact that we don’t have enough skills. Again, they’re suffering the same problem we are. But in that 1000 seat, you know, area where you’re going to have to go out there and attract, train, retain, right? And then keep interested, right? These highly volatile, I’ll call them volatile, security resources, is probably not going to be a workable solution for the short term.

“Because if you don’t know where and what your data is, it doesn’t matter what controls you have in place. They’re not going to stop that data from being accessed or moved around by the wrong people.”—Ajay

Ajay: I see what’s going to happen is where you’re going to start enlisting the help of external agencies like IR professional shops and security consulting outfits and so on. And these V-CISOs are a virtual extension to your team and they will participate in your board meetings. They’ll participate in your strategy sessions and help you build a security framework and then maybe partner with a managed security service provider, right? To deploy that. And sometimes they can be one and the same. Or if you really wanted to do a proper separation of duties, you go to a V-CISO on one hand who is not affiliated with your MSSP. And so then you have the series of checks and balances organizationally in place so that you can make sure that the right things are happening at the right time.

Ian: So if you were thrust into a mid-sized institution and whatever the reason was, maybe there was a breach or maybe they just hadn’t hired a CISO yet and hadn’t prioritized it. And for some reason, there’s a compelling event that says, “yeah, we’ve got to hire this role right now and we need an Ajay in there today”, what does that 30-60 day plan look like for you to come into a new organization? Maybe there hasn’t been as much infrastructure put in place yet. How do you prioritize and how do you go about securing that organization?

Ajay: Yeah, it comes back to my original thought about follow the data. So that first 30 days, it’s unfortunately going to sound a lot like an interrogation, but it’s basically going to be talking to the stakeholders of the business— make sure they understand what they’re in the business of doing. Right? So if you’ve got client information, where is it stored? Right? I talked to a government official a little while ago, of a certain country—I’m not going to get into any specific details. I just said:

Ajay: “Hey, listen, you’re the custodian of citizen information.”

Ajay: “Yes.”

“Users will always trade convenience for security. All day long, every day.”—Ajay

Ajay: “Where’s it stored?”

Ajay: He goes, “You know what, as the information officer of this organization, I can’t even tell you.”

Ajay: That’s right! But, that’s what we are staring down today!

Ajay: So if you go into an organization today, and let’s say there’s a breach, or let’s say there’s a leak, or maybe just a regulatory finding, right? Or a lot of what’s happening, gosh, there was a chapter in the 2020 edition of Canadian Cybersecurity was on vendor management, right? Vendor management. Now people are asking for things like “right to audit.”

Ajay: If you’re going to be a vendor of mine, I want the right to audit you, the right to see, or you need to put forward ISO certifications where I want to see their SOC 2 paperwork and things like that. This is real, right? If you can’t present that stuff, you’re going to get whacked by your own clients, which is not what you want to do. It’s hard enough to get clients in general! You don’t want to be at odds with them. And so to your point, entering into something, let’s figure out what the data is. Right? Great! Now that we’ve identified the data, now we have to see what the processes are around that data creation, storage, movement, destruction, and lay down that framework.

“You don’t want your general climate to be such that security is viewed as an obstruction—to getting things done, to getting business done.”—Ajay

Ajay: Because if you don’t know where and what your data is, it doesn’t matter what controls you have in place. They’re not going to stop that data from being accessed or moved around by the wrong people. Great example I can give you is CASB, right? These CASB-type products have been “all the rage” over the last couple of years; people are buying these CASB products to secure the data because it’s stored in the cloud. But once people have credentials into your cloud system and they have access to all the data, it doesn’t really matter, because you’ve got CASB saying, “Yep, there’s your data… and there it goes…” I mean. Great! As opposed to, you know what, no, we’re going to tag the data. We need to identify the data, and now the CASB is going to be leveraging those tags to make sure the right people are accessing that data. “Oh, wait a minute, they’re trying to send it?” “No, they can’t do that.” Well, that data can’t move in this way—it has to be encrypted.

Ajay: So you can see, let me give you an example of a CASB—great product, but a CASB poorly deployed is like a firewall poorly deployed. Like an antivirus poorly deployed—it doesn’t matter. And so. This is the data. This is the type of data that it is, these are the types of people who should have access to this data for this period of time. We’re going to tag the data, identify it, and using whatever technology that we have, watermarking, regardless, right? It’s almost regardless, because you can literally pick what the technologies are going to be in whatever sectors that you choose to deploy them.

Ajay: And so that 30 days, identify the data, identify it; then 60, follow it. Okay? How does that data move around? Right. How does that data get created? How does it get collected? Is it being collected securely? Are we using forms? Are the forms HTTPS encrypted? Yes, I know it sounds pedantic to say that. Are certificates expired? What do we do to manage our certificates? So you can see we’re starting with the basics of what’s my data and where’s that data? And then 90, we’d probably put together a real program around managing that data and yeah, somewhere in there we start looking at buying product to make sure that happens properly.

“Look, it’s going to be detrimental to the business if this occurs. So what we need to do is we need to find a way that would be very, very convenient for our users to deploy the security measure, but that make it more sustainable for our business.”—Ajay

Ian: So in those conversations that you’re having with stakeholders, how do you juggle the tradeoff between having a really secure organization and actually enabling the business to function? Because I think the trap that folks can fall into is if you turn everything up to 11 you’re going to be super safe and super secure and no work is going to get done, period. On the other hand, of course, is the opposite where, yeah, data is freely accessible. It’s cause it’s beatable by everyone in the world, like back to your S3 bucket example. Right. Great. Super accessible, not super secure! How do you juggle, or how do you balance, those conversations?

Ajay: Yeah, security is interesting cause there’s a couple of trends, a couple of themes, that I’ll revisit here. So the first thing is people will always, people, users will always trade convenience for security. All day long, every day. You know, logging into your bank. Do you need a password? Yes. Okay. Do you want to pick a complex password? I don’t know. It has to be something I can remember. Oh, you know, I’ll just cache it in my browser—game over. Then somebody gets access to the computer to access your bank and yada yada. You get the idea. So that’s the human intervention part. And then on the flip side of that, you’ve got this constant trade-off between usability and security in general. And so what you don’t want is your general climate to be such that security is viewed as an obstruction, right, to getting things done, to getting business done. And so the right way to do this is to align security with the business goals of your organization. I’ll qualify that as well.

Ajay: So for example, if I’m sitting in a room with an operating committee of a large corporation, doesn’t matter what they are—let’s say they’re in tech and you talk to them about, “Hey, we need to deploy multi-factor authentication.” Really simple, right? So when people log into their stuff, we’re getting rid of usernames and passwords and we’re going to do, yeah, biometrics, or we’ll use a little fob or token. It doesn’t matter—multi-factor. Okay. “Oh, you know what, I, that’s going to be complicated.” A lot of people are going to be like “cost and people, and then support and help desk and things like that.” So say, okay, great. So let’s talk a little bit about what it means to NOT have multi-factor. Right? What are we in the business of? We’re in the business of technology. Okay. So we have intellectual property, correct? “You don’t want that intellectual property to be breached.” And example after example after example, right? “We’ve got a carrier here where their source code was on the internet. Same thing for a major Canadian bank—source code that’ll get out in places like Pastebin, right? Pastebin, and you know, all of these general file slash code-sharing systems.” And so you have a business discussion about it, saying, “Look, it’s going to be detrimental to the business if this occurs. So what we need to do is we need to find a way that would be very, very convenient for our users to deploy the security measure, but that make it more sustainable for our business.”

“You’ve got to have that business conversation around it because otherwise it does become an annoyance.”—Ajay

Ajay: I always encourage the executives to answer the question of “What does Cyber Armageddon look like in your world?” And Cyber Armageddon can mean a lot of different things to a lot of different people. So for example, if you’re in the business of intellectual property—code—whatever the case could be. Your code’s stolen, your code leaks. The next thing you know, there’s a generic version of your software coming out of some part of the world that doesn’t necessarily have a lot of appreciation for copyright, and your business is under the table, right? That’s an example. And so, to just say, “Hey, we’re going to do MFA,” and people start to moan and groan about, you know, having to carry a little key fob, which, by the way, that’s like 2000 and late, if that’s what you’re going to do with MFA. But I’m giving you that example. Rather than saying, “Listen, we’re deploying this stuff and it’s gonna make our business better, and it’s gonna make our products better and it’s gonna make our product cheaper, or we’re going to have a competitive advantage,” or whatever the case may be.

Ajay: You’ve got to have that business conversation around it because otherwise it does become an annoyance. And you do walk that line between security and convenience where people will cast away security all the time. And that starts at the exec, by the way. The executives aren’t generally very tech savvy sometimes, especially in certain sectors of business. Not everybody is the head of a software programming company and has those deep technical chops; sometimes you’re going to deal with somebody who’s in food preparation, has been a baker his entire career and just knows how to bake quality bread and use quality ingredients. It’s not a bad thing to articulate to them, “Hey, look, you know what? If over the Christmas period our assembly line gets shut down by a piece of malware… we’re not making bread anymore, and if we’re not making bread anymore, we’re disappointing our customers. If we’re disappointing our customers, they’re going to go buy stuff from somebody else.” You know, you’re putting that into a business context as opposed to, “Hey man, here’s a quote for some antivirus. It’s going to cost $50,000. Can I have some money now?”

Ajay: “No, go away. I’m going to forget you called.”

Ajay: You know what I’m saying? It’s a different answer.

“These guys made frozen food, for God’s sake! It’s malware, and security is not just an IT problem anymore.”—Ajay

Ajay: And, you know, I’ve gotten the call, I got the call on December 26th from a food manufacturing company that was shut down by malware, and the whole Christmas break, from the 26th to whatever, they were shut down. They lost millions of dollars and they just couldn’t ship product, and their clients were disappointed, their distributors were disappointed. They had to find alternate products. These guys made frozen food, for God’s sake! It’s malware, and security is not just an IT problem anymore. Trust me on this one, you’re seeing municipalities getting popped by ransom incidents because of their poor security controls. Ransomware! People are paying the ransom! And you got to understand this for business continuity: “Hey, I got to pay the ransom because I have to continue, you know, making tiny screws. That’s what my company does if I don’t pay the ransom.” But then you think about what you’re financing here and you’re like, hmm… now we’re making this problem worse. (Whisper: “You’re making it worse, stop doing it!”) But yet, by the same token, you have to continue making these tiny screws. If you don’t have the conversation before this happens, you’re going to find that you’re going to have a very difficult conversation, and you’re not going to be able to actually have an intelligent conversation while you’re panicking.

Ajay: It’s like those game shows when they ask people questions while they’re on the roller coaster, and they’re very simple questions, like, you know, spell “cat.” And the guys are like, “Ahhhhh, C-A-P!!” You know, it’s terrible. I mean, they’re making these terrible mistakes. This is literally what we’re doing in cybersecurity right now!

Ajay: We’re asking people to make really impactful technology and possibly policy decisions in times of crisis. And I’d like to keep that one, actually, “The Cybersecurity Rollercoaster.” Okay? Don’t take that one away, Ian.

Ian: Well, maybe for your third book.

Ajay: No, I think that one might be on ice for now, but then again, you never know.

“We’re asking people to make really impactful technology and possibly policy decisions in times of crisis.”—Ajay

Ian: So it’s actually a perfect segue to my final question, and I’ll give you a little bit of air cover for this question. So the question is, what is the highest stress cybersecurity incident you’ve been involved with, or (and this is the air cover) maybe heard from somebody else, and what were the lessons learned that you took from it?

Ajay: I will try to be diplomatic. The highest severity one was because there was loss of life. And at the end of everything we do is a person. There’s people that were materially affected by a lot, right? We live in an era of isolation and social media and mental illness and a whole bunch of things where people are just not being very empathetic. I was involved in a situation where people’s personal information or personal situations, I guess you could say a situation of a very personal nature—I will leave it at that—was divulged, and as a result of that, unfortunately, the sad reality of trial by social media and shaming resulted in a very negative outcome for some people. And actually, I think about it very, very often. I, not unlike anybody else, am far from perfect, you know, not empathetic, not a model-anything all the time, and I don’t claim to be an—I never would—but you think of stuff like that, and it’s very sobering. You think of data and computer-related crime, if you want to call it that. There’s personal things people don’t want out there, and then they get out there, and then people get very, very affected and their families get affected.

Ajay: And so. I talked about it earlier on, right? You had financial capital, intellectual capital, and political capital. You know, Ajay just had it all figured out, right? In Cybersecurity 2018, that was my introduction. I talked about that. You know, these are the three types of cyber-stalking or cybercrime capitalization. And then bam, the advent of, you know, the fourth category, personal capital, right? And then Facebook happened, and then Cambridge Analytica happened, and then Humana happened. And then Ashley Madison happened and all this stuff, and this is human capital. This is not the Caramilk secret, right? This is people’s lives! And so I try to remind myself that on the edge of everything I do is a human being, and you gotta remember that. So, in terms of being involved with stuff, the worst stuff I’ve ever been involved with is when human safety and human well-being was affected. And that’s impactful. Very, very impactful.

“And so I try to remind myself that on the edge of everything I do is a human being, and you gotta remember that.”—Ajay

Ian: Well, I really appreciate your time. Where can folks go to learn more about the book that you have coming out?

Ajay: Well, the book has come out already. It came out in October; you can go to CLX forum.org. If you want a soft copy of that, of course you can always hit me up on Twitter @akssecure, and my LinkedIn is: https://www.linkedin.com/in/akssecure/. But it’s always a pleasure, Ian.

Ian: Awesome. Thanks.

Ajay: Take care, man. ■