2021-06-24

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Santosh Devaraj, CEO and founder of TrustGrid Pty.

Santosh leads TrustGrid™ to enable privacy-preserved tracking of vaccinations and health records, allowing people and organizations to present proof of vaccinations with ultimate confidentiality.

Previously Santosh was the Founder and CEO of the Secure Logic Group, a high-profile and successful group of companies specializing in delivering bespoke Cyber Security and Managed Service solutions to government and non-government clients in Australia.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in India. I came from a low-income family and had to work hard to get to Australia to further my education. I studied in Melbourne and finished my Master’s in Network Security. I worked in the Middle East, Europe, and Asia, and finally came back to Australia and settled in Sydney.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I always look for something different, a challenge. For me, from an educational point of view, there are two challenging categories: engineering and medicine. Both are good for innovation. I chose engineering because I’m good with math, I’m kind of an equation character, and I have always been fascinated by algorithms. Cryptography is what I wanted to specialize in, and cryptography is cybersecurity. Cybersecurity 20 years ago was always a challenge; very few people knew about it. I saw that this sector had much to be invented and much to grow.

Can you share the most interesting story that happened to you since you began this fascinating career?

To be frank, it’s not fascinating. The challenge for any entrepreneur who starts on the business journey is what I call a saturation point. Everyone will hit the saturation point. Everyone will start, but not all will finish, and quitting is not a finish. When you hit the saturation point, you have two choices to make. You leap over the saturation point, and you roll the dice. It’s not an easy choice because you’ll probably lose everything you made to get to that saturation point. Only a few people would jump over and take that risk. I’ve hit this point a few times; I did make that choice. That’s why I started eight years ago in making what today is TrustGrid.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

These three people are my Dad, my Mom, and my Wife. My parents slaved their entire life to send me over to Australia. Without them, I could not reach or achieve what I have today. Once my partner became the partner of my life, and once I hit the saturation point that I talked about, she was the one to say, ‘I know you’ll do it.’ Outside of that, the company, everyone here is very supportive.

Are you working on any exciting new projects now? How do you think that will help people?

I’m working on a project that will change the way we interact and alter for the better how credential compromises impact both physical societies and in the virtual world. We are going to be world leaders in digital collaboration, privacy, and that’s the platform we’ve built. We want to drive worldwide adoption and use of the platform.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

While burning, also have some fun! Don’t burn yourself out. It’s not the reality of the fact as much as we don’t want to. You need to have passion, you need to enjoy time and find balance.

The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

1. Not many people understand what Cybersecurity is today. The knowledge and how to deal with the challenges need to be taught and educated.

2. It’s an exciting industry! I deal with many challenges in the security industry.

3. There is so much to be developed, innovated, re-engineered, adopted, and unlearnt.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

There’s a shift in the attacks. The biggest threat is stealing a business’s IP and attacking their critical infrastructure. For example, organizations that provide services for the government are the target, not the government itself. We call it the 3Ms: means, motive, and money. I think for businesses, it’s not just about money. If you look at the two key categories where most cyberattacks are: you have your ransomware crypto lockers, that’s about money, but you also have a motive. The motive at the moment has been state-based attacks like critical infrastructure attacks.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

We have fixed many cybersecurity threats, attacks, and compromised assets. The biggest takeaway from the majority of these compromises is that the companies weren’t surprised about these compromises. Everybody knows their weakness, but what do you do about it? Do you put controls in place to protect aspects of it? Unfortunately, not a lot of businesses can realize that impact until it has happened.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

From my point of view, the main tool that I use is education. Every day I spend just half an hour reading. Understanding how and what the trends are for particular industries. Running a business can be educational. Meaning that I have expertise in security, and 15 years of experience running companies. I can clearly match in my mind the right protocols and tools to cover myself. The really important thing is every business is different and unique, and therefore requires a tailored approach.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency or hire their own Chief Information Security Officer?

I think the approach would be not the size of the team, but first, the core business that you’re in. This can determine what kind of measures need to be in place. For example, a law firm offering legal advisors for the government has a very different requirement for cybersecurity. If I’m a small team with five lawyers advising, I still need to make sure the privacy element is there. I need to be already thinking about my systems and how the data is secured. There are many ways of doing this; you could have a virtual team without hiring full time. But how do you know you don’t have to go and hire a Chief Security Officer? It’s tough to say at what point you need cybersecurity personnel to be full-time or part of your team, because it depends on the business type.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be “amiss”?

There are only two kinds of businesses: one is you are already being hacked, or you will be hacked. For an organization, the most problematic cyberattack today would be espionage, which goes undetected, or malware that is sitting there. The reason it’s undetected is that it is designed that way. Some of the key points that everybody needs to keep an eye on are: any changes in the normal behavior pattern of the network, the processes changing within the organization, or the user behavior patterns changing. Over time, they need to track those metrics and understand them.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The first and foremost important thing they have to do is to understand the depth of the breach. That defines how to get out of the breach and how they recover from that point. Mitigating measures could be technical people, the presence of notifications, and more. Once you’ve done that, you are also assessing the impact of the breach throughout the journey, which, by the way, is one of the most important things. Remediating the breach is also very important, and how you do that is also critical. Now, when there’s a breach at an organization, how do you then assure customers? You need to take steps so that the same breach is not going to happen again. That means you will have to build controls in place that are effective, no matter what changes you’re making internally. The next thing is transparency: being honest with your customers about what has happened. Put a plan in place for how you communicate a breach to your customers.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR, and other related laws affected your business? How do you think they might affect business in general? (Please feel free to speak as an expert in how these can affect the cybersecurity industry.)

All good aspects of policy statements are guidelines to be followed by an organization or by multiple organizations, and by the government and individuals, to be able to perform, to be able to use, and to adopt. But the challenge for almost everyone is that these standards don’t actually provide an industry road map. And interpretation of the standard is also becoming challenging. I think everybody struggles to implement any standard. Our callout for all of these global standards is not to write just the standard anymore, or privacy policy statements. Instead, provide organizations with tools and road maps to be able to implement those standards. Make policy statements a turnkey solution that can be utilized. Now understand this — the majority of the problem is for SMBs because they don’t have the skillset to understand or deal with it. They literally have no idea unless they’re spending hundreds of thousands of dollars, and I think that’s where the focus should be for large global standards institutes. In summary, let’s provide baseline standards and, most importantly, the tools, even free tools, that can be utilized to meet the top four or five standards.

Then, we will have a more effective implementation of the challenges, standards, and policies.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The most common mistake from a data security point of view is not understanding the value of the data. Some data is more valuable than other data, and some data might not be valuable at all. To me, it’s about internal data and so-called customer data. Put in controls to understand the datasets and attributes so that you can actually begin to grasp what is worth protecting. Without knowing that, we can’t use any rule of thumb in terms of “I should have basic cybersecurity”. That means all your systems should be patched, as an example, but, to be honest, not all the systems can be patched in reality. The way ICT has to evolve means it’s tough to keep up effective baseline security modeling. Think instead about the critical aspects of those data assets that you want to protect first and how much protection needs to be in play.

Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

One thing for sure: fast-tracked digitalization. Not from a location POV yet, but at least from an awareness POV. Everybody is now aware of transacting differently. From a business point of view, they don’t want to take cash anymore. Cash is a big thing in a lot of these countries where cash was the only thing. Now when you look at the attack surface, it’s opened up. It’s much bigger, and we are still reacting and playing catch-up to that. That means your strategy has gone out of the window. Additionally, now we have forced, accelerated digital transformation. But are we thinking enough about the security implications of this? Think about this — bad actors are now formulating a massive wave of next-generation attacks that will come soon (we see it already). We need to be ready for that. In the next few years, we will be working on fixing this; in fact, we need to start right now.

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Protect the data itself, not just the perimeter — we are long past the days where perimeter defense is all we need to do.

2. Encrypt all devices — because work is an activity, and people are on the move. People are working from anywhere and often use their own devices for work purposes.

3. Employee education — a security program in many ways is only as good as end-user awareness.

4. Sanitize your data — meaning only keep what you need to keep.

5. Have a data breach plan — meaning that you have already mapped out your response to an almost inevitable data breach.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. (Think, simple, fast, effective, and something everyone can do!)

What I would probably say instead is not so much a mass movement for good as a movement for the individual. Everyone is always starting something, but how many finish? It’s all about an outcome, whether it’s a failure or a success. It’s about the journey. The journey you go through teaches you and makes you a new person. It can beat you up or pick you up; it does everything for you. No matter where you start, it’s how you finish.

How can our readers further follow your work online?

This was very inspiring and informative. Thank you so much for the time you spent with this interview!