Understand and validate the device being used to access the network. There are two device types everyone has to deal with every day: devices that organizations manage and control, and devices that they do not manage and control, but often have access to data, information and systems inside of the environment. Whether or not there are threats on the device needs to be considered prior to validating the device access to the system.
Check and understand the applications users are operating to access the data. Just because you have an application or a service like Salesforce.com doesn’t mean that is the only application everyone is uses to connect to Salesforce. There are more than 100 different third-party applications users can go and download Salesforce data. Other services out there will take your data from Salesforce.com and copy it, which could put data at risk.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Alex Mosher, Global Vice President of Sales Strategy and Solutions Marketing at MobileIron.
In his role, Alex is responsible for MobileIron’s go-to-market plan and aligning mobile, security, and cloud solution strategy with execution. Before joining MobileIron he spent 12 years at CA Technologies — responsible for CA’s 1.4B dollars+ cybersecurity business strategy and go-to-market plan. In his last role with CA Technologies, Alex was a global vice president responsible for all sales and go-to-market integration of CA’s 612 million dollars acquisition of Veracode, which was sold to Thoma Bravo just 16 months later for 965M dollars.
Today, Alex leads a global team that works to develop and implement action plans that enable customers to take control of security, identities, access, and information across platforms and devices. As a 20-year information technology industry veteran, he has amassed hands-on experience in virtually every aspect of the business, including sales and marketing, development, and deployment services.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Minneapolis, Minnesota. At University, I got a degree in Management Information Systems, which is the business side of Computer Science degrees today. After obtaining my bachelor’s, I attended MIT for grad school, where I received an executive master’s in Business Analytics with a focus on Innovation and Strategy.
I didn’t always want to pursue a career in tech. After starting university fulltime at the age of 16, I initially thought I wanted to be an attorney. However, I soon realized that law wasn’t how it was depicted on television, in real life. I later pivoted to technology, as I’d always had a knack for computers.
I got my first PC when I was eight years old, when they were first introduced to the mainstream consumer at home market. At that time, any young kid who wanted to play a “video game” had to create the game for him or herself. This is how I learned to code. As technology advanced and I grew up, I loved tearing down and building computers. Working with computers came naturally to me and fueled my interest in pursuing a career in technology.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Telling my parents that law school wasn’t going to work for me inspired me to find a cybersecurity job. In those days, you had to look in the newspaper to get a job, and I vividly remember my Dad throwing me the newspaper and saying, “you better finish school and get a job; you need health insurance and a place to live because it’s not going to be here.” My father’s words were the push I needed to seek and quickly find a job in support and development at a cybersecurity tech company, and I have worked in the space ever since.
Can you share the most interesting story that happened to you since you began this fascinating career?
I’ve traveled to countries worldwide, spoken to organizations large and small, attended and led countless conferences, and visited customers on almost every continent; I’ve lived in nine different cities across the U.S., and over the years, I’ve watched the entire industry evolve. The technological transformation I’ve experienced throughout my career, specifically the evolution of computing power from big clunky PCs back in the day, to the tiny handheld mobile phone devices we use now, is most fascinating. Traditionally, there’s been a narrow lens on advancing technology innovation and far less focus on those devices’ security. We’ve had lingering security issues for decades, and we still haven’t solved them yet, despite the problems being relatively easy to overcome. As cybersecurity solutions move into the mainstream, we will see these problems become irrelevant.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are three groups of people who have been instrumental in navigating this journey. First and foremost are my parents, then my amazingly brilliant and equally as beautiful significant other who makes this all possible by taking care of the rest of life. I also have a very good friend (that is the CRO of another software company) that gave me opportunities in the security space, that has been an incredible mentor over the years. These people have undoubtedly contributed as the most impactful sources of my success throughout my career journey.
Are you working on any exciting new projects now? How do you think that will help people?
MobileIron is working on multiple new projects and products. One of the most important is to eliminate the addiction we have with passwords with Zero Sign-On. I have over 300 different accounts and 300 different passwords to correspond with them. There are simple ways to get rid of passwords, make companies more secure while simultaneously increasing privacy, and make the user experience seamless.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
People talk about finding a ‘work-life balance,’ but it is actually about finding harmony and joy in what you are doing for work. You’ll worry less about how many hours you are spending doing work if you genuinely enjoy what you do. If you are burnt out, you are probably burnt out on the singular thing you are doing because you aren’t finding harmony or joy in it. My advice is to find a career or a job that brings you happiness, even if it’s an entirely different avenue than before. It would be best to wake up every morning eager to learn new things and be excited about what the day will bring. Albeit cliché, the quote “love what you do and you’ll never work a day in your life” is genuinely what I try to live by.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Technological innovation and how it’s transformed the cybersecurity industry, in general, is incredibly impressive. I thrive on the speed of change and knowing I can influence and affect change without it taking 200 years to revolutionize.
Second is the increasing mainstream awareness. October is Cybersecurity Awareness Month in the U.S. and it’s been exciting to see that, despite it being around for 17 years, it’s now becoming a more mainstream topic. I was on NBC News in the San Francisco Bay Area recently, talking about cybersecurity and how people can protect themselves. I’d never been part of a local news segment dedicated solely to cybersecurity.
Finally, I’d say the opportunity. There are vast opportunities for the next generation, and they are continuing to grow exponentially. In Dallas, Texas alone, pre-pandemic, there were tens of thousands of open jobs in cybersecurity. Those considering a change or struggling with defining their future career should look into cybersecurity.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Overall, companies should be investing in educating employees to be more cyber aware. Attacks are expanding and becoming more sophisticated. We don’t tend to think about threats across our mobile devices but we are seeing this become more prevalent when we have more devices than ever before. IT professionals should seek to understand what users are doing with data and information because it isn’t as simple as when everyone came into an office and people physically plugged into a network. Now, they are accessing and communicating with customers and coworkers who are located everywhere. We call this the Everywhere Enterprise, where customers, workers and infrastructure are everywhere. Companies should be concentrating on how to embrace this trend and change infrastructure where it is needed across the board.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
The most interesting breach I’ve been involved in was with Sony Pictures. A few years ago, Sony came out with the film The Interview, a comedy involving the North Korean leader, Kim Jong Un. Before the movie’s release, we were helping Sony understand how to leverage the security investment they made and other areas they needed to look at to further protect data. One of these areas was ‘privileged users,’ which are the organization’s IT super users. We explained to Sony that they needed to protect these privileged user accounts further because they have incredible data and information access.
North Korea was not happy with the derogatory nature of how it’s leader was painted in the movie and wanted it stopped. As the U.S. values freedom of speech, Sony continued with the film and got hacked by North Korea. The hackers dumped the movie on the internet ahead of its release, costing millions of dollars in potential revenue, but also dumped a whole host of other movies and television being produced.
They hacked the system by finding ‘Joe User’ with a weak password and then elevated their credentials, a process hackers use to climb the internal ladder to access more information and data. On that back end of that situation, I went with Sony on a speaking tour, with the Head of the Cybersecurity Division from the FBI in Los Angeles, and the three of us discussed what happened and how to prevent its recurrence. The question always came up: what did the FBI do to the North Koreans, and the response was: nothing. No one is going to send the army because Sony’s movie got released. It was then when CIOs and CISOs realized that they and their workforce’s security protocols were the only things standing in between their companies and a breach.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Whatever device I am using connects to a network, I make sure all entry points are secure. Even my home Wi-Fi has security at the highest level. I use complex passwords, change them regularly, and try and be proactive at looking at how many devices are connected to that network. Also, updating your devices, laptops, phones, computers, etc. certainly helps keep devices secure. Always download the latest and most up to date anti-virus and anti-malware software on your devices. Those are more important today than they’ve ever been.
From a work-life security perspective, you want to have a separation of work and personal devices. Technologies like unified endpoint management enable you to do just that. It would be best to have mobile threat detection software for laptops, desktops, phones, and tablets. I’d encourage everyone to use a VPN as well. If you have a device that is a hybrid work and personal, you should use a split-tunnel VPN when utilizing work applications so the VPN captures and secures the data, but doesn’t when you are using the device for personal reasons as it will funnel the data back to your company.
I also use a password vault. Even if you think you will set up an account one time, and use the password one time, you’ve got to make it as complicated and robust as possible to protect yourself. I use a company called 1Password, but there are many different ones out there. It is worth noting that you should also make sure to turn on multi-factor authentication. Yes, these actions can be annoying, yes they take up extra time, but they make you safer.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
If I had a small company, even an IT staff of one or two, I would find IT staff focused on cybersecurity. The ramifications of not being secure, no matter what you think you are saving or what you think you are trying to protect or prevent, are dire. Hiscox’s research found that in 2019, the average cost of a cyber-attack was 200,000 dollars. The cost of security breaches for smaller businesses can often force them to close their doors. If you aren’t going to have a dedicated cybersecurity team or a CISO, then at a minimum, your IT professionals should be trained or certified in cybersecurity.
Also, I think “over the counter” software can be as good as some other options. We produce at MobileIron off the shelf software you can buy from anyone, deploy it, and then configure and customize it for your organization. The difference lies in having someone with knowledge and expertise deploy the solution and customize it for your business’ security needs.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- Speed. For example, if your device becomes incredibly slow, this may be due to the fact there is a malware or a virus in the background
- Battery Life. If your battery isn’t damaged and is draining incredibly fast, and you cannot make it throughout a day yet are barely using your device, there is a pretty good chance there’s been a breach.
- Increased Pop-ups and Ads. If you notice a tremendous amount of ads and pop-ups outside the norm coming up on your machine, this is another good indication of an issue
- Crashing Apps. If your regularly used applications start crashing and running strangely, this is another sign pointing to an infraction
- Unusual Activity. Abnormal network activity is another suggestion someone’s infiltrated. If your device is next to you, with no one using it, yet it is reporting lots of activity across your network from an application, that is cause for concern
Stay educated and aware of harmful sites or applications that may seem trusted or legitimate. Take TikTok; for example, a video-sharing social networks app has seen rapid growth in the United States. Government officials have become increasingly concerned that the app, which is owned by the Beijing-based company ByteDance. By law in China, this could give the Chinese government access to a wide range of user data, gain control of TikTok accounts, change the privacy settings on TikTok videos, upload videos without permission, and obtain user data email addresses and location history.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
- Be open and honest with yourself, with your employees, and with your customers. Admit fault and accept responsibility. Of course, it isn’t your fault, but any alternative to this is going to reflect poorly on the brand in the long run
- Make assurances to your customers, to your employees, and to others affected that you are taking the steps to resolve the problem and work to a solution
- As details become available, remain transparent. Explain what happened in the situation and what you are doing moving forward to mitigate. Outline what happened and why it happened to educate the public. Open dialogue is critical for learning for the future
The introduction of these measures is fantastic. GDPR and the California Consumer Privacy Act, while disruptive of course, also created an opportunity for the cybersecurity world and put a better focus on privacy and protection. All of us in tech haven’t focused enough on privacy. There are ways to protect people’s data and to be profitable as a business. These laws have really forced bringing privacy to the forefront for companies in the way they operate.
What are the most common data security and cybersecurity mistakes you have seen companies make?
This can be summed up in one major idea: we keep a legacy ways of thinking. Perimeter-based security is a good example of this. Going back to the first days of computers and desktops, when everyone came to the office and plugged into their machines, the focus was on protecting what’s known as the business’s perimeter or the network. We continually have perpetuated this idea, even as we’ve seen a shift to the Everywhere Enterprise.
We don’t take into account modern ways of working when considering cybersecurity policy and protocol. When we don’t think ahead, and in the modern age, considering how we can adapt to protect our data to the best of our abilities, we give way for the criminals to outpace us.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Google stated that the pandemic led to an explosion of over 18 million Covid-19 scam emails daily back in April. Cybercriminals caught onto the fact that all these people working from home had potentially insecure networks with little to no security set in place.
Organizations thought this way of working would be temporary, then two weeks became six weeks and six weeks became six months. The major flaw is the inaction before this happened. No parameters were set in place to have a plan of action. We spend a large amount of time in IT considering, what if there is a fire where I am storing my data? What about a flood? But no one took into account what if there’s a pandemic and no one can come to the office for a year?
Companies could have taken advantage of some of the offerings to make working from home so much more effective and efficient. Suppose you look now at the thriving companies despite the pandemic and are posting fantastic earnings results. In that case, it isn’t that they had this great pandemic plan. They adopted some of these technology solutions and security strategies that made the transition from the office to the Everywhere Enterprise easier.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Every company needs to take a zero trust approach to security. Zero trust is based on the notion that we must assume bad actors are on our network, no matter what security controls or technologies we have in place. Instead, we take a ‘never trust, always verify’ approach to security. The five ways to approach data privacy and cybersecurity are really around the five ways to achieve zero trust:
- Understand and validate the device being used to access the network. There are two device types everyone has to deal with every day: devices that organizations manage and control, and devices that they do not manage and control, but often have access to data, information and systems inside of the environment. Whether or not there are threats on the device needs to be considered prior to validating the device access to the system.
- Tighten security beyond usernames and passwords. Instead, establish a contextual relationship between the user and the subsequent data that they are accessing. It’s not just good enough to have Alex’s username and password. We need to look at things like “Where is Alex connecting from?” “What is the device?” “What is the network he is connecting from, is it secure?” “What’s the time and location?” For example, if I had just logged in from Texas 10 mins ago, and then I logged in from London or Singapore directly after, that’s not physically possible.
- Check and understand the applications users are operating to access the data. Just because you have an application or a service like Salesforce.com doesn’t mean that is the only application everyone is uses to connect to Salesforce. There are more than 100 different third-party applications users can go and download Salesforce data. Other services out there will take your data from Salesforce.com and copy it, which could put data at risk.
- Verify networks. You may allow someone to gain access from an insecure network, like a Starbucks, or open network, if they are accessing trivial, non-critical data, but in other cases you’ll need users to be on stable networks. You could make them stay on a secure network, or use a VPN connection before verification
- Protect and remediate threats. You need to understand the threat posture: Does the device have anti-malware or antivirus software? Does it have a mobile threat detection solution in place? These measures mitigate the threat across devices to ensure it’s not infiltrated, causing a downstream effect to your organization
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would love to inspire a movement that focused on young kids at age five or six, and inspired them to begin interacting with technology, and to learn to code. Coding was instrumental in my career and is part of why I am where I am. In the long term, it will be incredibly important. Fast forward ten or so years, coding will be the dominant language we use to communicate in tech. By educating kids about security in coding, it will change how they develop the next big app or service, so that they focus on security at the core.
How can our readers further follow your work online?
I frequently post blogs on MobileIron’s website that explore important topics in the industry. I also have a podcast that my colleague and I hold every two weeks called MobileIron Musings. They episodes are typically 10–15 mins long and give a quick and digestible analysis of what’s going on in the world of cybersecurity and mobility.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!