As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Elon Flegenheimer, Chief Technology Officer at AerialSphere.
Elon brings more than 20 years of software, systems, and product development expertise to AerialSphere, including software development, software architecture, DevOps, information security, and compliance. Most recently, Mr. Flegenheimer was CTO at Kryterion, where he was responsible for the strategic technical direction of Kryterion’s product offering, internal IT, information security, and compliance programs. He enjoys applying lessons learned from the Fortune 100 to stealth startups and from transitioning legacy applications to building cutting edge products.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I’m a Phoenix native. I’ve always liked building things. I went to the University of Arizona and majored in Management Information Systems and Entrepreneurship.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I didn’t intentionally set out to get into cybersecurity. My first exposure was as a developer learning about some of the mistakes that I needed to avoid to make my applications more secure. It then evolved as a natural part of the job as my career advanced. I built my first Information Security Management System as part of an ISO27001 certification effort. Then I got into PCI compliance. Next was creating a SOC 2 program from inception through a successful Type 2 report. Each of these certification and compliance efforts exposed me to new aspects of Information Security that are now a normal part of what I do.
Can you share the most interesting story that happened to you since you began this fascinating career?
I’ve found leading stakeholders to come to terms with the large scope of some of the compliance programs to be an interesting journey. They usually start out as a clearly defined goal, but with little understanding as to what it takes to reach that goal. As with most complex things once you break it down into little enough actionable steps, they’re not that hard. However, at first exposure, people don’t often understand that they will also have a role in executing controls or that priorities will have to shift to accomplish all of the steps that will need to be executed. In the end, each of the compliance programs sets out to accomplish something specific but generally results in maturity of the business.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
It’s cliché of course, but my parents did a great job of setting me up for success. They helped instill values such as hard work and integrity, without which you can’t achieve much.
Are you working on any exciting new projects now? How do you think that will help people?
I recently joined AerialSphere as Chief Technology Officer. We’re introducing a new way to build maps using 360-degree aerial photography with geographic data overlays. This will help people in a number of industries including real estate, travel, government, and many more to provide new solutions to their audiences.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
A friend of mine in the Information Security industry has an easy button on his desk. He really seems to like it.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first is that it’s always changing. Reading about the latest attacks and what is possible is always interesting. Second, information security products keep advancing to defeat those attacks. The advances in AI are impressive. There’s a ton of information to sort through when reviewing solutions, but it’s always interesting to watch as things change. Finally, I find the challenge of finding a balance between risk and cost to be interesting.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
It’s a constant arms race. There are always new attacks surfacing and new solutions to implement. It’s always a balance between risk vs cost. By not spending any time or money there is an enormous risk for any business. As more is spent there are eventually diminishing returns. Regardless of how much is spent there will always be risk. What is appropriate for a given business depends on how much risk they are willing to accept.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
My advice on breaches is to have an attorney on retainer. Call them immediately. The law is its own specialty. Ensure you do as much as you can to prevent it in the first place. If it happens, the notification timelines come very fast. Each US state has a different law. Different countries have other laws. Customer contracts often have notification clauses. Legal counsel is necessary to navigate complying with so many varied constraints.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
One of the most important tools is finding one or more frameworks to keep your efforts comprehensive. Whether it’s PCI DSS, ISO 27001, SOC2, or another framework it’s important to have perspective on the broad range of controls that need to be put in place and to guide your efforts so as not to overlook major areas that need to be addressed. Training for staff is essential at all levels. People are one of the weakest links in security. They need to be exposed to the risks, the solutions, and the rationale for what they’re being asked to do and for their various roles. They need follow through and repetition. Education from security companies and conferences is important to staying on top of current trends. Third party assessments are important. Of course, device protection such as anti-virus and firewalls are essential and as a group are always improving.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Just start. Pick a framework, pick a control, and start getting it in place. Then move on to the next one. As for whether to move to a 3rd party or CISO it’s a matter of cost vs risk. Smaller budgets require more tradeoffs. Larger budgets can help accomplish more. Some things like penetration testing are initially cheaper to do externally over hiring a specialist. There are also benefits to having a reputable 3rd party do this kind of work. Also, audits are an important part of maintaining compliance programs and these can be done by 3rd parties and/or internal audit.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Anything that’s unexpected or unusual that can’t be tied back to a person or policy should be looked into. For example, machines showing up in logs that don’t follow established naming conventions, people logging in at weird times or from weird locations, and applications or processes running that should not exist all fall into this category. One can search online for dump sites to see if their data comes up in a search. You can also do something as simple as opening the Chrome password checker and seeing if any of your corporate passwords show up.
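The kinds of anomalies listed above, turned into a small check over log lines. This is an added example, not code from the interview or from AerialSphere; the log format, the hostname conventions (ws-<site>-<nnnn> and srv-<site>-<name>), the business-hours window and the expected country are all assumptions constructed for the sample.

```python
import re
from datetime import datetime, timezone

# Constructed sample auth log lines (not from the interview); the format is assumed:
# "<ISO8601 UTC> host=<hostname> user=<user> src_country=<CC> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-04T09:12:05Z host=ws-phx-0142 user=jdoe src_country=US result=ok
2024-03-04T02:47:31Z host=ws-phx-0142 user=jdoe src_country=US result=ok
2024-03-04T10:05:19Z host=DESKTOP-8KQ2ZT user=svc_backup src_country=US result=ok
2024-03-04T11:30:00Z host=srv-phx-db01 user=asmith src_country=RO result=ok
2024-03-04T12:00:00Z host=srv-phx-db01 user=asmith src_country=US result=fail
"""

# Assumed conventions: workstations are ws-<site>-<4 digits>, servers are srv-<site>-<name>.
HOSTNAME_CONVENTION = re.compile(r"^(ws-[a-z]{3}-\d{4}|srv-[a-z]{3}-[a-z0-9]+)$")
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC, assumed for the example
EXPECTED_COUNTRIES = {"US"}            # assumed: all staff log in from the US

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src_country=(?P<cc>[A-Z]{2}) result=(?P<result>ok|fail)$"
)

def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def find_anomalies(log_text):
    """Return (line_number, reason) pairs for successful logins that break a convention."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None or rec["result"] != "ok":
            continue   # skip unparseable lines and failed attempts
        if not HOSTNAME_CONVENTION.match(rec["host"]):
            findings.append((n, f"host {rec['host']} does not follow naming convention"))
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append((n, f"{rec['user']} logged in outside business hours ({rec['ts']:%H:%M}Z)"))
        if rec["cc"] not in EXPECTED_COUNTRIES:
            findings.append((n, f"{rec['user']} logged in from unexpected country {rec['cc']}"))
    return findings

if __name__ == "__main__":
    for n, reason in find_anomalies(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Each finding is only a pointer to something that needs to be tied back to a person or policy, which is the point of the answer above: the review is what turns the list into a decision.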
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Escalate to the rest of your executive team and call legal counsel immediately. Be transparent with your leadership team and make decisions as a group with expert counsel.
These laws are important. They’re also a great deal of work to get on top of. The laws themselves are not always clear on particular points. The interpretations evolve. They’re sometimes in conflict with certain industries in ways which aren’t easily resolved. I hope that the US government steps up to deal with privacy in a holistic way.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The first mistake is not spending enough time or effort on it until it’s too late. It’s one of those things that can be easier if you consider the implications of your choices as you go rather than trying to retrofit it at the end.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I think a lot of companies aren’t prepared to deal with the risks of adding home networks to the mix and aren’t really on top of BYOD. There are a lot of decisions that have to be made to tighten each of those up, and it can be a challenge to get people on board to make those changes.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. There are a lot of standard common-sense things that you know you should take care of if you haven’t already. For example, antivirus, patching, and firewalls. Make sure this gets done.
2. Pick a compliance or certification framework to base your next steps against and start implementing high impact controls that are relevant to your business. Examples include PCI DSS, SOC 2, ISO 27001, and NIST 800-53. Each of these frameworks offers a comprehensive way to move forward.
3. Start training your staff. People can be the weakest link. They should be exposed to information security, privacy, and phishing training. This needs to be ongoing.
4. Change the mindset around security to make it a first-class priority with consideration throughout all of the relevant processes rather than at the end. It’s easier to implement as you go than retrofit systems that are done. This is where some of the pain in GDPR and CCPA comes from.
5. Invest in your own training. It’s an evolving field. Staying on top of it takes time, effort, and money.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Try to get some more sleep and appreciate what you have.
How can our readers further follow your work online?