As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Tom DeSot, CIO at Digital Defense, Inc.
As CIO at Digital Defense, Inc., Tom DeSot is charged with key industry and market regulator relationships, public speaking initiatives, key integration and service partnerships and regulatory compliance matters. Additionally, Tom serves as the company’s internal auditor on security-related matters.
Prior to Digital Defense, Tom was vice president of information systems for a mid-tier financial institution with responsibilities including information security initiatives, the Y2K program, implementation of home banking and bill pay products, the ATM/debit card program and all ATM networking.
Tom holds a Master of Science degree in information technology with a concentration in information security from Southern New Hampshire University and a Bachelor of Arts in applied arts and sciences from Texas State University (summa cum laude). He also holds the National Security Agency’s INFOSEC Assessment Methodology (IAM) certification and is formally trained in the OCTAVE Risk Assessment methodology.
Tom currently serves on the information security curriculum advisory panels for Texas A&M University-San Antonio, Hallmark University — San Antonio and St. Mary’s University. He is an active member of the North San Antonio Chamber of Commerce IT Committee. Regularly, Tom delivers cybersecurity and cyber ethics presentations for these and various other organizations.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I went to a rural high school that was progressive for its time. We had computers, primarily Apple, that were used in the computer science classes and other classes throughout the school. This is where I fell in love with computing. I truly “caught the bug,” so to speak. After that, I went to university, and the love affair continued. Here, I was given the chance to actually help others with their computer issues. I was mastering programs like WordStar, VisiCalc and dBase (ancient by today’s standards, but cutting edge back then), not only for my own classes, but for the benefit of others as well.
As time passed, my affinity for computing only continued to grow, and I was given the opportunity to run an MIS operation at a credit union in San Antonio, Texas. Here I was exposed to Unix, something I’d never used before, so I had a bit of a learning curve but overcame it in time.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
There’s not so much a story but more of an event. Picture the setting: Y2K just passed, and my boss asked me to theorize where the federal examiners were going to focus in the year 2000 when it came to IT. At the time, more and more companies were standing up websites and home banking systems. I knew, even then, that allowing systems to sit externally was a risk. I told my boss that it was going to be cybersecurity, and sure enough it was. When the examiners came next, they were very interested in our implementation and the fact that we had done what few others had — we had a penetration test done on our systems. It was during that penetration test that I caught the security bug. Seeing the “hackers” in their element made me want to be part of the scene as well. So, I immersed myself in anything I could find, from periodicals like 2600 to security conferences.
Can you share the most interesting story that happened to you since you began this fascinating career?
Probably doing social engineering exams on organizations. It amazes me in this day and age with all that has happened in the world of cybersecurity, that people will still let you pass through barriers such as locked doors, protected elevators, etc. It’s been a while since I’ve had the opportunity to do a social engineering exam, but if the opportunity came up again I’d take it in a heartbeat.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I would say the person that helped me the most was my chief operations officer at the financial institution where I ran the MIS shop. He was the one that taught me to always go back to the document or program. He told me that technology could do many things, but it could not outline what actually needed to be done during an event.
Are you working on any exciting new projects now? How do you think that will help people?
My team and I have finished most of the big projects for the year and are already preparing for moving many of our in-house systems to the cloud next year. Additionally, we launched a new Managed Service Provider (MSP) partner program (August 2020), empowering partners to raise their brand profile, service offerings and proof of value to their clients in the new economics of cloud and on-premises security solutions. In this new reality, MSPs are under increasing pressure to prove their worth to clients who are reevaluating their spending and adjusting to new business models. Proof of value has become essential, and our program and solutions have been created with that in mind. For example, our Frontline.Cloud boasts a true multi-tenant architecture that streamlines administration of multiple clients so MSPs can operate at scale. The platform also enables quick and easy deployment for rapid monetization. Other benefits include easy productization with an open framework of APIs, documented integrations with leading ISV solutions and robust customizable reporting.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Balance work and life. Working in IT is a 24-hour job — the work never ends. You have to make time, not only for yourself, but for your family as well. Without doing so, burn out is inevitable.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- Information security training — The human factor is still and always will be the weakest link in the security chain. Recurring, engaging information security training is the only way to lower the risk.
- A universal vulnerability disclosure program for security companies and businesses that is actually adopted. Our company operates in the security industry, and as a result, during the course of our testing we find vulnerabilities in platforms and software that we need to disclose to the world. While we have our own disclosure policy, that doesn’t mean the associated vendors will or can abide by it. There truly needs to be a federally mandated policy that all companies need to abide by. This would make things much easier for the reporter.
- The impact of artificial intelligence on cybersecurity — While humans will always need to interact with a system to test it, I am seeing more and more companies incorporating AI into their projects, taking them to the point of almost acting as a human and pivoting from system to system until domain or root access is obtained.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The biggest threat that I see is more and more people going online with no idea of the threats that they will face every time they log on. This includes new companies that are coming online. There really should be a national training program to teach new business owners how to protect themselves and their online assets.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
There was a financial institution that called us, concerned they had been breached via a phishing email. We reached out to our partner for phishing attacks and they became involved in the issue. Luckily, they were able to determine where the attack was coming from and shut down the phishing origination site.
On our side, we were fortunate that they did not have ransomware or other malware installed as part of the attack. We ran a vulnerability scan, but there was nothing that needed to be resolved.
This is one of the best turnouts I’ve seen for a company.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I use the Frontline.Cloud vulnerability scanning and penetration testing platform. It’s state of the art and does exactly what I need during security evaluations.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
I think that all companies, regardless of size, need a CISO or an ISO at the very least. There is simply too much going on for someone to attempt to multitask and stay on top of all of the security events and tools available in the market.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- Are users complaining that their computers are acting weirdly (mouse moving without request, monitor turning on and off, etc.)?
- Are things printing out on printers when no one is printing?
- Is the system frozen and won’t unfreeze even after a reboot (i.e. ransomware)?
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Unplug the affected systems from the network but do not turn them off to ensure anything that is contained in memory is preserved. Hire a consultant that specializes in forensics to aid your company in doing a root cause analysis on the issue and how it started.
Legislation like this is a good thing as it means that everyone is going to have to start using the same playbook when it comes to protecting the information of the customer. Right now, you have a mishmash of policies and programs. Wide sweeping legislation like this is a way to ensure that the consumer stands a fighting chance to keep their information secure.
What are the most common data security and cybersecurity mistakes you have seen companies make?
- Default user accounts and configurations left in place
- Easily guessable passwords
- Poor firewall configuration
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Luckily, I have not seen any of note. Most organizations, especially in the financial and healthcare spaces, have a pandemic response program due to regulatory requirements and were prepared when the pandemic hit, so they could make the necessary adjustments in workforce, computing and other matters.
This has also made a change to work lifestyle. Many companies have shifted to a work from home (WFH) model, given that there is no real timeline to work and no vaccine that is ready so that people can return to the office. Some companies, such as Twitter, have transitioned to a permanent remote workforce.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Train, train, and train some more. Training should be recurring to ensure that employees retain the information and use it in their daily work. With recurring and consistent training, you stand a much better chance of protecting corporate data assets and equipment.
- Establish a CISO or ISO role for your company. There are simply too many security events on a daily basis and available tools in today’s market for employees handling other areas of the business to also take on a security/IT role.
- Harden systems before, not after, they are deployed. Having a proactive security approach can prevent major incidents and help companies avoid a potentially devastating breach event that can lead to crippling losses.
- Develop a robust set of policies that guide your cybersecurity department. Any business, small or large, can be a target. Having a set policy in place that all company and team members understand will only further help protect the company’s most valuable assets.
- Test your systems and applications on a frequent and recurring basis. Continuous security testing allows a company to update and/or modify tools as needed, allowing it to identify and address any security vulnerabilities that may pop up between regular updates.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I’ll say it again, train your staff, at every level.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!