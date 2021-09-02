Antivirus software does not detect ransomware: Check out any one of a number of healthcare organizations whose systems were infiltrated by ransomware because someone opened an email attachment, downloaded a suspicious file, or visited an infected website. With ransomware constantly changing and evolving, it’s incredibly difficult for antivirus to detect it in time.

I was born into a military family. My dad was stationed in Germany at my birth, but I grew up along the south coast of the U.K.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

There’s no one story that led me here. It was more like a natural progression from all of the work that came before. I spent the first part of my career with the British army and the British intelligence services, which led to a cybersecurity gig with a management consultancy firm. After that, security became my career: I held senior leadership roles for big global companies like Monster Worldwide, CDK Global, and Fujitsu, all of which laid the groundwork for my position at Cyvatar.

Can you share the most interesting story that happened to you since you began this fascinating career?

During the first part of my military career I was deployed to Iraq, where I was involved in many intelligence-based operations. On one occasion, my unit was out on patrol and a small Iraqi girl handed me a brass doll trinket that her mum explained I was to keep as a “thank you” for helping them. It wasn’t the first time I was overwhelmed by the happiness and generosity of children in a war-torn country, but taken together, I’ve found it’s their resilience under the toughest of circumstances that continues to inspire me to this day.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Ultimately, success is all about people, and there are loads of people who have helped me get to where I am today. That said, my mother has probably been the single greatest influence on my career. Her background in military intelligence with the U.K. government led me down a similar path — the path that ultimately brought me to cybersecurity. To see the communication and people skills that she acquired, inspired me to take the same route — without that background in human intelligence, I wouldn’t be where I am today.

Are you working on any exciting new projects now? How do you think that will help people?

I co-founded Cyvatar with security veteran Corey White last year with the precise goal of helping people in mind. We’ve created the industry’s first cybersecurity-as-a-service (CSaaS) offering to make robust security defense and cyber resilience accessible and affordable for any size organization with any size budget, even if they don’t know anything about cybersecurity. We deliver the human talent, proven process, best practices, and state-of-the-art technology at a fixed monthly cost. We never sell customers tools or services they don’t need, and because we have a membership-based subscription service, customers can cancel anytime. They also benefit from the best technology as it becomes available: We’ll gladly swap out any solution we install if a better offering comes to market — at no additional cost to our customers. I don’t know any other security organization that can say they’re helping people to the same extent that we are, because we’ve rooted the company in prevention and continuous remediation. We want to profit from successful cyber defense — not from failing to keep our customers’ data safe from attack — so we’re always enhancing our platform and upgrading the security tools we deploy. Every day is an exciting new project for us.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I know people say this all the time, but you have to find a balance to prevent burnout. Physical fitness also helps. I’m a huge believer that being fit in your body keeps your mind clear, allowing you to operate at your best. These days, I do lots of road cycling. The freedom it provides along with the space to think and be alone with my thoughts is meditative — and it definitely kept me sane during the COVID crisis. Staying fit makes me a much better co-founder and co-worker.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Prevention. Prevention. Prevention. And continuously remediating vulnerabilities so threat actors can’t find an easy way in. I’m tired of watching companies lose the battle against hacks and breaches; time and again, the security industry has failed customers by not protecting adequately the data and information they need to run their businesses, which is why we built the CSaaS model. Cyvatar CSaaS delivers continuous remediation that provides customers with a clean, “solved’’ security environment — and keeps them there over time. It’s easy to get excited about the ability to provide that level of resilience for a low monthly investment. We’re on a mission to make security as simple as flipping on a light switch — effortless and affordable for everyone.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

There are always critical threats on the horizon, but for sure ransomware is an area that continues to grow at an alarming rate. It’s a multibillion-dollar industry for threat actors, and most companies are unprepared to defend against it.

No matter what the threats are though, time would be better spent on covering the basics, like vulnerability and patch management, asset management, and related activity.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Earlier in my career, one of our subsidiary businesses suffered an insider attack from a rogue employee — and it was covered widely in Automotive News, so even our competitors knew about the breach. Fortunately, we were able to analyze and identify the cause quickly, allowing us to prevent any of our customers from being affected and preserving the continuity of our business. This experience was my first real-world example of the ways cybersecurity can be a competitive differentiator, and it informed strategic decisions in subsequent positions I held.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Endpoint protection. Endpoints connect to networks, so unprotected endpoints are a security gap. We ensure servers and PCs are safe from malware and other threats. Vulnerability scanners. We continually screen computers, networks, and applications for known weaknesses. Patch management. We’re continually looking for and applying software updates. Asset management. We take inventory of the assets we have, then build security around them.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Now you’re getting to the heart of CSaaS. When it comes to cybersecurity, most organizations are basically going to the supermarket and stocking up on all of the best ingredients without a recipe or general know-how to turn those ingredients into a meal. If they want to eat, it doesn’t make sense to just keep buying more ingredients; at some point, they have to combine the ingredients they’ve purchased in the proper order and prepare them at the right temperature to create the necessary outcomes — and that’s what Cyvatar CSaaS does. Our expert teams use the Cyvatar platform to remediate all vulnerabilities in the customer’s systems and provide ROI in 90 days or fewer with full transparency into every action performed. We also use a proprietary methodology called ICARM — for installation, configuration, assessment, remediation, and maintenance — because we don’t think anyone can “suffice” with over-the-counter software without ensuring the software is installed, used, and maintained properly. Our customers can choose subscription packages that best meet their unique needs and they can cancel their subscription anytime. That means no more shelfware, no multi-year licensing agreements, no expensive MSSP engagements, and no need to find budget to hire in-house staff (CISO or otherwise). You get everything you need — and nothing you don’t — when you need it for a fixed monthly price. No large team required!

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Well, there is certainly no dearth of software that can alert an organization that something is not right, but all too often those solutions also come with lots of noise — false positives, and alerts that come only after an incident has occurred. But reactive technologies and processes don’t actually make organizations — or their data — any safer.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Obviously, it’s better if the breach never has a chance to take hold in the first place. We know you can’t be 100% safe 100% of the time, but you know the saying about an ounce of prevention, right? So start with a strong preventative posture and complement that with automated, continuous vulnerability assessments, and threat remediation. Too often, companies are made aware of a breach but they don’t have the right tools or expertise to combat them effectively — and in the time it takes to get help, the damage gets worse. CSaaS provides the right people, process, and technology to help companies bypass many hacks altogether and defend against the ones that squeak by successfully.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

Look, privacy legislation has done a lot to shine a light on the need to protect and secure consumer data, but unfortunately, lots of organizations out there have approached compliance requirements as a substitute for a strong security posture in the mistaken belief that if they are compliant they are secure. Standards are a good first step, but they won’t take you across the finish line. Focus your operations on regularly covering the security basics, and you’ll find compliance requirements easy to maintain.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Many companies make mistakes unwittingly or as a result of marketing hype — they buy security solutions and think they’re protected from threat actors. If only it were that simple! The only way organizations can achieve true cyber resilience is through the proper integration and configuration of their security tools in addition to the continuous assessment, remediation, and maintenance of those tools. A pen test once or twice a year might enable you to check a compliance box, but it won’t keep your data secure.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Of course. Having so many employees so suddenly working remotely exposed many security gaps in countless numbers of organizations. Insufficient employee security training and poor user hygiene contributed to an explosion in phishing scams during the pandemic; other forms of business email compromise also rose substantially during the last 18 months or so. But perhaps most worrisome has been the proliferation of ransomware attacks, because threat actors can infiltrate systems through unwitting employees, poorly integrated or configured security tools, unpatched BYOD devices, absent or inadequate risk controls, and more. Remote and hybrid workers are here to stay, so our policies and technologies need to keep pace with the evolving threat landscape.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Multifactor authentication: MFA can be hacked using a phishing email. Just ask Google. Or Yahoo. Antivirus software does not detect ransomware: Check out any one of a number of healthcare organizations whose systems were infiltrated by ransomware because someone opened an email attachment, downloaded a suspicious file, or visited an infected website. With ransomware constantly changing and evolving, it’s incredibly difficult for antivirus to detect it in time. Unpatched systems: Without installing patches and updates, you could become the next Equifax. Insufficiently backed up backups: VFEmail knows all too well what happens when all server data is destroyed — along with backup systems. No digital asset inventory: You can’t protect what you don’t know you have — Equifax again is a good cautionary tale.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Be transparent. Whether in your personal or professional life, being open about who you are — all of your flaws and all of your strengths — is the best way to make a difference, to be effective.

