As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing David Nuti.
David Nuti is a Senior Vice President, North America Channel at Nord Security. David is a reputable technology and business development professional who is working on scaling the Nord Security business offerings — NordPass, NordLocker, and NordVPN Teams — to the North American market.
David Nuti has over 20 years of experience in sales leadership and business development, as well as an extensive background in disruptive technologies, hardware, wireless, IT, and cybersecurity.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and raised just outside of Chicago. When I was a teen, my family moved to Northern California, where I went to high school, university, and began my career. Other than a decade in Dallas, Texas, my professional life has primarily happened in California. I’ve also been fortunate to travel pretty extensively around the world in Europe, APAC, as well as the Americas. The opportunity to experience so many diverse cultures has provided me with a broad perspective that I really appreciate.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I have always worked in technology. I have over 20 years of experience in sales leadership and business development within disruptive technologies, hardware, silicon, wireless, and IT industries. My shift to cybersecurity came very naturally. Around 2015, while leading the charge on the emerging cloud SD-WAN space, I began to notice that our clients’ security teams were showing up in evaluation meetings. What I was experiencing head-on was the earliest stages of today’s SASE conversation, the merging of security and networking automation into managed platforms. When you dramatically change routing and access configurations, and introduce hybrid networking, you equally impact the security responsibilities and threat plane. Security teams became more and more active in those calls, and wanted answers. For the most part, security teams have project veto power. With there being no compromise to an effective security policy aligned with network intelligence, I quickly realized that security operations are the tail that wags the dog and I needed to align to that. So, it was a combination of the industry pulling me into cybersecurity and my desire to aggressively push my way in. And I’ve loved every moment of it.
Can you share the most interesting story that happened to you since you began this fascinating career?
That’s a great question. There’s quite a few interesting stories, but one of them was meeting a CISO who in one of our conversations said: “The best thing I’ve ever done is getting out of the cybersecurity business.” When asked what he meant by that, he said that the CISO role today is far more than security tech acquisition and implementation. He explained further that, when he goes to meetings with company leadership, he doesn’t get asked what sort of hardware he is purchasing, where tech is evolving, or if he’s implementing AI. The only questions that they asked were whether the company’s customers and intellectual property were secure, and if they had something scalable to continue the growth. The questions didn’t come around the technology side. That’s when he noticed a firm strategic shift toward working with solution providers that manage the complexity out of cybersecurity without compromising the quality of the cybersecurity that they get. That was an eye-opening conversation that shaped the way I talk about cybersecurity to our partners or end customers. It’s critical to have a true vested and authentic interest in the client’s desired outcome.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Hm, that’s a good question. There are many people whom I met along the way during my sales career… If I had to pick one, it would be Ajit Gupta. He was the CEO of Aryaka Networks at the time. He was a dynamic and charismatic leader who placed great trust in me, allowing me to lead a team and transform our business development engine with channels and partners. This was a new concept for Aryaka, which later proved to be very successful, and this experience had a huge impact on my career path. If it wasn’t for that trust, I may have never discovered my abilities and resulting passion for working alongside partners to accelerate growth. It really was transformational to my career.
Are you working on any exciting new projects now? How do you think that will help people?
The biggest project I’m working on right now is setting up Nord Security in North America, driving win-win selling partnerships aligned to the Nord Security business solutions — NordPass, NordLocker, and NordVPN Teams. It’s a unique opportunity to build something like this in a new market, so I’m incredibly excited to be able to make a big impact for the company and make that explosion in the North American market.
Cybersecurity is presumed to be very complex, and it generally lives up to that expectation. An enterprise needs, with zero compromise to quality, an easy-to-use solution for cloud-native security and software-defined perimeter. Nord Security delivers on that. In addition, I’m currently hiring an all-star team that will have immediate impact on driving success in North America.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
IT and cybersecurity are such exciting and fast-paced spaces that you must be a ravenous consumer of knowledge. There is new information that you can learn every day. Stay humble and realize that you can never know everything. That, in my opinion, keeps things fresh and interesting, which prevents that “burn out” feeling. For me personally, speaking with different partners, meeting new people and clients is something that keeps the internal fires burning. I’ve never been bored in this industry, and I think that really prevents “burning out”.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- The first one would be that security is not an option. This is something that is so crucial that we work with customers to determine not whether they need security solutions in place, but rather what kind of solutions would work best for them.
- Second is the way it’s being delivered. It used to be such a complex process: purchasing the hardware, then managing, updating, and eventually replacing it. Rinse and repeat. But now, cybersecurity can be delivered as a fully managed service, consumed on demand and scaled up in real time according to the customer requirements. This is extremely important and has truly revolutionized the cybersecurity industry.
- Finally, I would say, the distribution model. As someone who has been in the technology industry for a really long time, I appreciate the innovation that has led to driving the complexity out of the model. Subscription- and service-based models have made world-class cybersecurity available to a much broader audience. It is exciting to be on the front line of all of this, together with Nord Security.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Bring Your Own Device (BYOD) is emerging as a significant threat. While this threat existed pre-pandemic, the COVID-19 situation has really brought this to light. According to research by NordPass, 62% of people admit they use their personal devices for work, and even more switch between them, using corporate computers one day and personal devices another. Now, the thing with personal devices is that they are not properly secured. In a recent third-party study, 82% of companies polled allowed BYOD, with over half also willing to admit that they have no means of identifying vulnerabilities on personal devices. In addition, there is concern with the inability to control endpoint security with BYOD. While there is obvious efficiency and collaboration value for employee BYOD allowance, such as smartphones, tablets, and home PCs, there is a big threat vector there. Employers must be aware of this, because I 100% guarantee you that collaborative, malicious threat actors are all over the world.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
One particular story immediately comes to mind. We were working with a new customer, and, together with their security team, we were implementing a security sensor and monitoring technology. In the middle of deployment, we discovered a breach that had been in progress for months, right under the noses of the security team. Bad actors had full access to our client’s system, literally reading the security team email. We estimated they were only a few days, perhaps hours away from launching a ransomware attack that would have locked the client out of their systems, crippling the company. This is a near worst-case scenario. We immediately called up an emergency Sunday meeting and, ultimately, together with the client’s IT team, were able to dismantle what had been taking place. It is not an overstatement to believe that we saved the entire company! 60% of SMBs that experience a breach do not recover. Ransomware can be lethal to a business, not only by the financial impact, but also to reputation and public/customer trust. Having had this opportunity to see this play out in real time was an incredible experience, and, needless to say, we gained one very loyal new customer!
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
For me, the most important thing is multi-factor authentication (MFA). The most common cause of a breach is, sadly, the user. Lazy, reused passwords are a huge problem. NordPass releases annual reports on the most common passwords of the year, and guess what — the top password “123456” doesn’t change year after year…
Phishing and malware are other constant threats alongside lazy passwords. People underestimate the sophistication of phishing attacks. With so much employee information on social media networking platforms, it’s increasingly easy to create a custom phishing email that would truly speak to the victim. So, I put a lot of emphasis on MFA when I talk to partners and clients. I think that’s one of the few simple things the user can do. IT leaders need solutions that also solve the problem that exists between the keyboard and the chair!
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Apart from a few Fortune 500 companies, no one has a large enough team. In IT security, there are over 3 million open and unfilled jobs in the US alone: they’re in such high demand that there’s simply not enough talent. Managed Security Service Providers (MSSPs) have had a transformative impact on the consumption of cybersecurity. It is no longer exclusive to the “Fortune Few”. Virtually any sized company now has access to security services scaled precisely to their requirement, without compromise to quality. Nord Security, for example, is able to deliver on that with an entirely cloud-native platform.
The main takeaway here is that very few companies can do it alone. There’s simply not enough manpower to cover it. Therefore, I always advise customers that they NEED to work with a technology partner that acts as a powerful force multiplier for their internal team to execute a sound security policy.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
My advice to any customer is pretty simple: you need to act as if you were in a constant state of breach. Bad actors constantly evolve their methods, and businesses need to do the same in order to keep up. I see that the moment a security team relaxes is the moment where things go wrong. Constant, automated monitoring is very important in order to see the true positive signs. I would advise people to look for behavioral oddities. One of them could be impossible logins. Let’s say, if I see that someone has logged in at 2 a.m. from California and then two hours later from Taiwan, I can already suspect that something dodgy is happening. Another thing could be odd email repetition, sent at odd times, or someone downloading a large quantity of information or large files. These kinds of network and behavioral oddities could be the first signs that something is wrong, so proper visibility into those is a must. In addition, I would advise providing easy-to-use, unobtrusive tools to employees in order to encourage and enforce good basic cyber hygiene. Business password managers, such as NordPass, have a Password Health feature, where the organization admin can see how many of the team’s passwords are weak, reused, or old. This way, the admin could enforce good password hygiene and catch those lazy passwords early on.
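The two behavioral signals named in the answer above, impossible logins and unusually large downloads, are simple enough to check automatically. The following is an added example written for this page, not code from the interview or from Nord Security: it runs a speed-based impossible-travel check and a bulk-download threshold over a handful of constructed log lines. The log format, the location-to-coordinate table, and both thresholds are assumptions; a real deployment would resolve source IPs through a GeoIP database and tune the thresholds to its own traffic.

```python
"""Behavioral-oddity detection over constructed login and download events.

Added example for illustration; event format, GEO table and thresholds are assumed.
"""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed lookup: rough coordinates for the locations in the sample log.
GEO = {
    "California": (37.77, -122.42),
    "Taiwan": (25.03, 121.56),
    "Texas": (32.78, -96.80),
}

MAX_PLAUSIBLE_KMH = 1000.0          # assumed: faster than any commercial flight
BULK_DOWNLOAD_BYTES = 2 * 1024 ** 3  # assumed: 2 GiB per user in the window


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_event(line):
    """Constructed pipe-delimited format: ts|user|type|location|bytes."""
    ts, user, kind, location, nbytes = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "type": kind,
            "location": location, "bytes": int(nbytes)}


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied travel speed exceeds max_kmh."""
    alerts = []
    last_login = {}  # user -> most recent login event seen so far
    logins = sorted((e for e in events if e["type"] == "login"), key=lambda e: e["ts"])
    for ev in logins:
        prev = last_login.get(ev["user"])
        if prev and prev["location"] != ev["location"]:
            km = haversine_km(GEO[prev["location"]], GEO[ev["location"]])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((ev["user"], prev["location"], ev["location"], round(speed)))
        last_login[ev["user"]] = ev
    return alerts


def detect_bulk_downloads(events, threshold=BULK_DOWNLOAD_BYTES):
    """Return users whose summed download volume meets or exceeds the threshold."""
    totals = {}
    for ev in events:
        if ev["type"] == "download":
            totals[ev["user"]] = totals.get(ev["user"], 0) + ev["bytes"]
    return sorted(u for u, b in totals.items() if b >= threshold)


# Constructed sample log: alice mirrors the "2 a.m. California, then Taiwan" case.
SAMPLE_LOG = [
    "2023-03-01T02:00:00+00:00|alice|login|California|0",
    "2023-03-01T04:00:00+00:00|alice|login|Taiwan|0",
    "2023-03-01T09:00:00+00:00|bob|login|Texas|0",
    "2023-03-01T23:00:00+00:00|bob|login|California|0",
    "2023-03-02T01:00:00+00:00|carol|download|California|1500000000",
    "2023-03-02T01:30:00+00:00|carol|download|California|900000000",
]


def run(lines=SAMPLE_LOG):
    events = [parse_event(line) for line in lines]
    return {"impossible_travel": detect_impossible_travel(events),
            "bulk_download": detect_bulk_downloads(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Bob's Texas-to-California hop over 14 hours stays well under the speed limit and is not reported, while Alice's two-hour jump to Taiwan is; Carol's two downloads are summed before the threshold is applied, so splitting a large transfer into smaller sessions does not evade the check.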
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
This is always a really difficult conversation to have with clients. Of course, the most important thing is to stop the breach in progress, but it’s also very important to look backward and see the root cause of the breach. Most of the time, these breaches have been in progress for an extensive amount of time, going unnoticed. It’s always important to understand where it actually originated and what mistakes were made. This is how you prevent re-occurrence and establish an effective proactive security policy, rather than reactive. If all you have are courses of action for after the incident has already occurred, you are rolling the dice on the future of your company.
I think these compliance requirements have shined a lot of light on data security, which is great. However, in order to comply, businesses require not only technology but also proper education. That’s where I think the biggest change is — suddenly, everyone has become interested in cybersecurity and keen on educating themselves on the matter. These compliance requirements can get confusing very quickly, and, needless to say, the penalties are very stiff, so education here is vital. And, as a cybersecurity company, Nord Security ensures we are providing solutions that enable our customers to execute within their required compliance framework.
What are the most common data security and cybersecurity mistakes you have seen companies make?
I would have to mention lazy passwords again — they are a huge threat to company security. NordPass research shows that even the largest companies in the world use very simple passwords to safeguard their corporate accounts. Instead of coming up with a complex passphrase, a lot of people simply use commonplace names, even their company name. It is a disaster waiting to happen.
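The "weak, reused, or old" categories that the interview attributes to a password-health report, plus the specific complaint above about passwords built from the company name, can be expressed as a small audit. This is an added example, not NordPass code and not the interview's own material: the vault entries are constructed, and the minimum length, maximum age and common-password list are assumed policy values.

```python
"""Password-hygiene audit over constructed vault entries.

Added example; the weak/reused/old rules and thresholds below are assumptions.
"""
from collections import Counter
from datetime import date

# Constructed excerpt of a common-password list; "123456" is the one the interview cites.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}
MIN_LENGTH = 12      # assumed policy
MAX_AGE_DAYS = 365   # assumed policy


def is_weak(password, company_name):
    """Weak if on the common list, too short, or built around the company name."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or len(password) < MIN_LENGTH:
        return True
    return company_name.lower() in lowered


def audit(entries, company_name, today):
    """entries: dicts with 'user', 'site', 'password', 'changed' (a date).

    Returns (per-entry findings, aggregate counts an admin would see).
    """
    occurrences = Counter(e["password"] for e in entries)
    findings = []
    for e in entries:
        flags = []
        if is_weak(e["password"], company_name):
            flags.append("weak")
        if occurrences[e["password"]] > 1:
            flags.append("reused")
        if (today - e["changed"]).days > MAX_AGE_DAYS:
            flags.append("old")
        findings.append((e["user"], e["site"], tuple(flags)))
    summary = Counter(flag for _, _, flags in findings for flag in flags)
    summary["healthy"] = sum(1 for _, _, flags in findings if not flags)
    return findings, summary


# Constructed sample vault for a fictional company "Acme".
SAMPLE_ENTRIES = [
    {"user": "alice", "site": "mail", "password": "123456",
     "changed": date(2023, 5, 1)},
    {"user": "alice", "site": "crm", "password": "Acme2023!!!!",
     "changed": date(2021, 6, 1)},
    {"user": "bob", "site": "mail", "password": "correct-horse-battery",
     "changed": date(2023, 3, 1)},
    {"user": "bob", "site": "vpn", "password": "Tr0ub4dor&3-xkcd",
     "changed": date(2022, 1, 15)},
    {"user": "carol", "site": "mail", "password": "correct-horse-battery",
     "changed": date(2023, 4, 10)},
    {"user": "carol", "site": "hr", "password": "viable-planet-lantern-88",
     "changed": date(2023, 5, 20)},
]


def run(today=date(2023, 6, 1)):
    return audit(SAMPLE_ENTRIES, "Acme", today)


if __name__ == "__main__":
    findings, summary = run()
    for user, site, flags in findings:
        print(f"{user:6} {site:5} {', '.join(flags) or 'ok'}")
    print(dict(summary))
```

Reuse is detected across users as well as within one user's entries, which is the case that matters when one compromised account lets an attacker try the same credential elsewhere; the company-name rule is a substring match, so trailing digits and punctuation do not rescue an "Acme2023" style password.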
Another mistake that I see people doing is close-mindedness. Many businesses still haven’t realized that they need to work with partners in order to ensure all-round security. Lack of humility and not working with others is something that I really advise against — businesses need to realize that there are partners out there that can really deliver capable solutions. Cyber insurance and hope is not a strategy.
Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely. It comes back to the Bring Your Own Device policy. Before COVID-19 hit, a company with 10,000 employees had, let’s say, 100 security endpoints. Now, they have 10,000. And while securing 80 endpoints seems doable, 10,000 becomes a real challenge. We also must remember that bad actors don’t take breaks during hard times. It’s quite the opposite — realizing that businesses are exposed and struggling, hackers pounce on the opportunity. And to hope that you won’t be targeted is silly.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Cybersecurity is a journey, not a destination. There is something new every day. We have to continually keep up with new threats, rules, and compliance. It’s a constant evolution that requires us to never stop educating, tuning, and refining ourselves and our tactical strategy.
- Act as if you’re in a constant state of breach. Monitor everything tirelessly and make sure your policies are always up to date. Bad actors tend to hit hard as soon as companies relax. The vigilance that comes from operating under a constant state of threat is a way to be effective.
- Leverage force multipliers. No company can do this alone. There are simply not enough resources in any company for this. Work with strong partners that can elevate your cybersecurity and be the enormous bench of talent and expertise that you do not need to try and build yourself.
- Best of breed is dead. The platform is rising. Security has become so complex: monitoring, MFA, integrations. There are so many components that companies need to think about, and there are many different solutions on the market. The average company has north of 40 security technologies in their environment, making self-management and unification all but impossible.
- Which brings me to my last point: the best of platforms is rising. I advise companies to look for a platform solution that brings those disparate solutions together in an on-demand consumable model that scales at your pace.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Not a movement per se, but I’m a huge believer in finding passion in what you do. Whenever I’m hiring, I’m always looking for desire, discipline, and passion. I can train on product, solutions, industry, and sales techniques, but I can’t train passion and discipline. And those things cannot be faked. One of the great compliments someone gave me was that they thought I was the founder and CEO of the company, because I was talking about it so passionately that they thought it was mine. I’m just very excited about what I do, and that’s why I’m successful at it. So that would be my advice — find something that you’re passionate about!
How can our readers further follow your work online?
You can follow me on LinkedIn: https://www.linkedin.com/in/davidnuti/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!