Date: 2021-09-24

“Never trust, always verify” is a key tenet of the Zero Trust framework. A highly effective application of this framework approaches access by verifying all aspects of a user beyond their identity alone. For example, establishing trust of a user and making sure the user is coming in from a device that has AV installed and up-to-date patches with a device posture check. In simple terms, the Zero Trust journey starts by only allowing what you trust, stopping what you don’t know, and progressively allowing transactions as you gain trust. It’s a process of “building the muscle” for long-term cybersecurity effectiveness.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity,” I had the pleasure of interviewing Corinne Breuil.

Corinne Breuil is a marketing manager at ColorTokens, a leading innovator in SaaS-based Zero Trust cybersecurity solutions. As a female Zillenial in the cybersecurity industry, Breuil sees an opportunity for young women to realize the value of their perspectives and experiences as digital natives to show how adding more women to the cybersecurity industry provides business value beyond catering to inclusivity efforts.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised in the San Francisco Bay Area, and I also spent my summers living on the East Coast in Connecticut, where I made many friends through my swim team, diving, tennis, and in the neighborhood. At one point, my mom used to joke that I had more friends in Connecticut than I did at home in California. I think this gave me a bicoastal perspective that I am grateful to have. But, as cheesy as it sounds, I will always be a “California girl” and an SF Giants fan!

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I started my career at a fast-growing startup that defined what the customer success industry is today. The startup became customer success’s first unicorn, and I felt all the excitement of being at a well-positioned startup in a rapidly growing industry. The most exciting part was that at a software startup like that, you get to wear so many hats you otherwise might not have and have access to many growth opportunities, which is perfect for someone early in their career. When I chose to work for ColorTokens, it was a startup, and I felt the same excitement and potential. Cybersecurity is one of the fastest-growing industries, and Zero Trust security has an enormous market opportunity. Even President Biden became a proponent when he recently mandated that all government agencies implement Zero Trust security. For me, that kind of potential validated the risk of making the jump to the cybersecurity industry, and I never looked back!

Can you share the most interesting story that happened to you since you began this fascinating career?

It always fascinates me when we deploy our visualization solution on a customer’s network, and they discover assets and vulnerabilities they had no idea existed. Their minds are blown every time, and it does not get old.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I owe a lot to my mom! I am so grateful to have an intelligent, confident, and graceful role model like her to look up to for guidance. As a young girl, I remember coming to work with her and thinking she was so cool (I still do). My dad has set a great example, but having a female mentor like my mom has been paramount. I think there is an art to knowing when to be tenaciously bold and when to stay humble that she has mastered and instilled in me. I feel very lucky.

Are you working on any exciting new projects now? How do you think that will help people?

I recently entered the SXSW ’22 Conference panel picker to speak on the need for female Millennials and Gen Zers on the front lines of cyberspace. If selected, I would be thrilled to speak about the enormous opportunity that exists for young females in cybersecurity, a field where men outnumber women by 3 to 1. We can realize the value of our female perspective, along with our experience as true digital natives, having grown up with technology unlike those before us. Combined with the fact that studies are showing that each new generation is more diverse and better-educated, we’re exactly what the front lines of cybersecurity need. We are fighting a battle in cyberspace, and as a country, we’re losing.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I know many of us are still working from home, and sometimes “working from home” feels more like “living at work.” I feel the most balanced when I can get outside or get moving. I take meetings from my patio, and I even go for a walk around my neighborhood with my earbuds in if I’m on a more casual call that doesn’t require me to be at my computer. When I return to my desk, I feel like a new person, which is when I do my best work.

OK super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

There is a literal war going on in cyberspace that, as of now, we are losing. This war, of course, is not a “good thing,” but it means that brilliant people are getting called to the front lines, and it is absolutely inspiring to be a part of this experience. Cybersecurity is at the forefront of U.S. government policy discussions for the first time in nearly 20 years. The president’s recent cybersecurity executive order is just a start. This industry’s rapid growth and innovation are simply unparalleled, and for a good reason. As the recent Colonial Pipeline and JBS hacks have shown, cyberattacks are threatening society at large.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

In the coming years, we will see more attackers use AI and machine learning (ML) to get whatever foothold they can, particularly around critical infrastructure. This is already changing the threat landscape. Their AI and ML sophistication will be very tough to combat, even for companies with large resources. The best way to prepare is for companies to shift to the “assume breach” mindset of the Zero Trust framework to protect the attack surface. AI and ML will make it easier for attackers to develop a way to sneak in. So, we must assume the bad guys will get in (as they have proven time and time again) and devote resources to limiting the blast radius of a breach with a Zero Trust framework. Companies that don’t implement a Zero Trust framework could allow any attacker that has breached the surface to move laterally throughout the network and go undetected for months. These threats take advantage of trusted processes or access, so antivirus or antimalware that only detect the “known-bad” signatures or behaviors are useless in this case.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I am personally not on the front lines, but I work with many people who are. One story that sticks out is from our board member Tony Scott, the former federal CIO under the Obama administration. In 2015, the U.S. government suffered a cyberattack and loss of more than 21 million records of government employees’ and job applicants’ personal information. Tony Scott oversaw the investigation of the breach and the development of the response plan. He carefully studied what fundamental structural changes could make a major long-term difference in cybersecurity effectiveness, and Zero Trust security stood out above anything else.

A Zero Trust framework builds security on the idea that no user or system should be allowed access to a resource until a level of trust has been established, and even then, that access should be controlled on a strict “need-to-know” basis. This is especially effective in a world where the default design principle is “connect to everything,” creating massively interconnected networks of attack vectors for hackers to take advantage of.

Tony was actually so impressed by the value of Zero Trust security that after leaving the government, he joined the board of directors of ColorTokens, one of the vendors with award-winning Zero Trust technology.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I like to avoid being tracked by brands and advertisers for personal cyber hygiene and privacy, so I use a browser extension for an extra layer of protection. There are a lot of extensions on the market, but the one I use is called Ghostery. I probably put greater value on anonymity because I work in the cybersecurity industry, but anyone can benefit from knowing they are protecting their data from being collected. If a targeted ad has ever saved your day (unlikely), then this tool may not be for you.

I also use a password vault that uses AES 256-bit encryption, which the military uses because of its amazing strength. I don’t use this because I believe any U.S. adversaries are going to target my passwords specifically. I use it because if I save my passwords in my browser, they become a very easy target for cybercriminals. My bank and medical passwords are gateways to my Social Security number, routing numbers, etc., which can make cybercriminals good money on the dark web. I feel safer using a password vault, and it makes my life easy by storing credentials in one place.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

This really depends on the amount of cyber risk that a company has and how much of its IT infrastructure the company owns and controls. Some tools can help quantify this risk for you and determine your level of exposure, like Xquantify. The result of that survey and analysis can tell you if you need to invest in a part-time CISO, a security team, a managed services provider, or if you can suffice with an off-the-shelf tool.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be “amiss”?

Security pros wish it was this simple. Many security teams are struggling with an overwhelming 95% false-positive rate. But companies that implement a Zero Trust framework and mindset of “never trust, always verify” can significantly reduce this as they build the Zero Trust muscle — meaning that their “whitelist” of safe behaviors grows and, conversely, the “blacklist” of bad behaviors shrinks.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The first step would be to mitigate risk immediately. For example, take systems off the network to contain the damage. You don’t want to power systems down as you might lose forensic data, so you can preserve the evidence for analysis by taking them offline. From there, it’s a good practice to disclose the breach to the FBI and authorities. Upon analysis of forensic data, you can determine what data was taken or tampered with. If you discover a breach of personal information, you’ll also need to disclose the breach to your customers. The forensic data can also tell you where the attack came from and which user or machine was breached, so you can learn what protective controls to put in place to ensure the breach doesn’t happen again.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

These privacy measures are more about the data privacy of the consumer. So, as a cybersecurity company that does not deal directly with consumers, they don’t necessarily impact us. However, many of our customers do have to meet these new compliance standards and are more sensitive to where specifically their data lies and how they track their data. As a cybersecurity platform company, we can help them with various audit and configuration reports that they need and provide the required security level. You can look at compliance as a bar that is continuously rising. Meeting these standards is an ongoing effort.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The most common mistake is the general misconfiguration of IT systems and security products. And, when system settings are misconfigured, it creates a security risk. For example, if a firewall does not have the right configuration settings, it could be letting traffic in that it shouldn’t. Misconfiguration can also result in “overprivilege.” It’s very common to see misconfigured access control lists, which define who can access something, giving users more privileges than they need and posing a security risk.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

There is some anecdotal evidence to indicate that the number of attacks has risen because of the scale of remote workforces. But I wouldn’t say there is necessarily a correlation. In general, 2020 and 2021 have seen more breaches, and hackers are becoming more sophisticated. But if you look at the major breaches that have happened this past year, none of them took advantage of the fact that employees were remote. That being said, many companies’ IT environments weren’t built for today’s volume of remote workforces. So, for companies with remote workforces, the attack surface and risk are greater. It is important for those companies to move away from traditional perimeter security as the perimeter lines are now blurred. That has a lot to do with the uptake in adoption of the more proactive Zero Trust security.

There have also been many scams and phishing via calls, texts, and emails related to vaccine availability. Hackers take advantage of events where people are likely to click on something, and the vaccine shortage was something hackers took an opportunity to piggyback on.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Understand the data that you hold

This may seem trivial, but often, companies aren’t fully aware of what data they have and are unaware of the regulations and life cycles required for that data. Companies should start by conducting an exhaustive inventory of all the data they’re holding. From there, determine how long the data can be held and when it must be destroyed. Companies may be required to hold some types of data for a certain number of years. In that case, make sure you have enough backup to hold data for that specific period. If certain data your company holds is not affected by regulations, it’s also a good practice to determine how long you want to hold that information for and even to communicate that plan to your customers. For example, what happens to their data if they cease to be a customer?

2. Implement principles of ‘least privilege’

One of the most common cybersecurity mistakes is called “overprivilege.” Overprivilege occurs when users have more access privileges than they need, and it’s a major attack vector. Companies have to tackle this by understanding the complete context of their users, applications, and data. By knowing what applications and data you have, you can create a matrix of who needs access and what kind of access they need to do their jobs (administrative or standard). From there, specific privileges for each role can be determined and enforced for “least-privilege” — e.g., a legal employee may need access to HR policy documents but not to the accounting system.

3. Have a disaster recovery plan

Things will happen, so it’s important to tighten up your disaster recovery plan for natural disasters that may affect the IT infrastructure and cyber disasters. This typically includes identifying secondary sites, warm standbys, cold standbys, alternative cloud providers, etc. Companies should also have a disaster recovery policy that includes the “time to recovery,” the number of hours or days a company will have to recover to keep the business running. Another important metric is the “recovery point objective,” which says how many hours or days of data a business is willing to lose. Companies can work backward from these metrics to build a bulletproof plan and a strong strategy to execute the plan.

4. Adopt a proactive approach to security versus a reactive approach

If my experience working in cybersecurity has taught me one thing, it is that breaches are inevitable. Companies have to assume that the bad guys will get in, as they have proven repeatedly, and instead adopt a proactive “assume-breach” mindset. When we assume that there will be a breach, we can design environments with that in mind. With the volume of noise in today’s IT environments, relying on reactive technology can often leave companies weeks, and even months, behind an incident as these tools only detect the “known-bad” signatures or behaviors. Unlike reactive security, proactive security is built to limit the blast radius of an attack by only allowing the “known-good” processes and access across known and unknown attack vectors in the network. Micro-segmentation, Zero Trust endpoint protection and Zero Trust Network Access (ZTNA) are all examples of proactive technologies that shrink the attack surface and deliver the highest level of security.

5. Never trust, always verify.

“Never trust, always verify” is a key tenet of the Zero Trust framework. A highly effective application of this framework approaches access by verifying all aspects of a user beyond their identity alone. For example, establishing trust of a user and making sure the user is coming in from a device that has AV installed and up-to-date patches with a device posture check. In simple terms, the Zero Trust journey starts by only allowing what you trust, stopping what you don’t know, and progressively allowing transactions as you gain trust. It’s a process of “building the muscle” for long-term cybersecurity effectiveness.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

I would choose to inspire kindness: Its power is underestimated, and it’s contagious.

How can our readers further follow your work online?

You can see me at SXSW ’22 by voting for me in the Panel Picker. Or follow me on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!