As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Norm Merritt.
Norm is the CEO of the world’s largest software testing company, Qualitest. Norm has had a storied career in business services — driving excellent performance and world-class client service. Norm has experience growing businesses through organic growth and through acquisitions, running large BPO companies like iQor with a revenue of 700M dollars, as well as later-stage start-ups like ShopKeep, an ISV in the payments space. He has also worked closely with private equity firms, such as Marlin, to help grow and develop businesses.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
My father was a colonel in the United States Air Force, so I had the opportunity to live in lots of places on military bases around the world, including overseas in Germany. At one point, my dad was the chief economist for the Air Force and worked on some really incredible projects, which is what inspired me as I was growing up to get into technology.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My dad worked on a project that was related to the North American Air Defense Command, which is a project where they have all of the computer servers track any objects coming into the North American air space. They had the ability to scramble jets or missiles to take down an enemy aircraft. At the time, when my dad first got involved with that project, all of the servers were under a mountain in Colorado Springs. They built a whole city under the mountain, trying to make it impervious to any attack. By the time my father got involved, our enemies had developed the ability to basically blow that mountain off the face of the earth. So my father worked on a project to ensure security of the servers. (Mind you, this was in the days before the cloud and multi-zone redundancy.) They came up with the 1970s equivalent of a decoy network — putting the servers in various areas around the country and moving them around periodically. This was “dark-ages” cyber-security but it was formative for me to imagine the possibilities in the space.
Can you share the most interesting story that happened to you since you began this fascinating career?
Since joining Qualitest, I have been blown away by how many companies spend a very large portion of their quality assurance dollars on manual functional testing. Because of this we spend time working with our clients to raise their sights as they strive for speed to market — to first automate but then to invest in non-functional testing — cyber-security for sure but also reliability, accessibility or end-to-end customer journey testing. Our goal is to help our clients delight their customers through software that not only works but fulfills the business purpose for which it was created. I won’t be specific, but we had one client who was so stuck in the mode of waterfall, functional testing that they got hacked — and it set them back quite a bit — almost dealing a mortal blow. We had been discussing how they should, through automation, divert some QA spending to resilience and cyber, but they were too little, too late.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
One of my great mentors was a man I worked with when I was at Disney many years ago, Chairman of the Walt Disney attractions, Judson Green. As an up-and-coming executive, I was just learning the ethos of leadership, and he taught me how to really value everybody on the team.
I’ll never forget this one time I was working late with him one night. As we got up and walked out to the elevator, I was deep in conversation with him about a project we were working on. A member of the janitorial staff pushed her cart up and was waiting to go down as well. So when the door opened, Judson stopped me from what I was saying, and signaled the woman to join us on the ride down. When we got in the elevator, I picked up the conversation and he stopped me again, turned to her, and just said “You know, I really appreciate what you do for us.” Just in that short elevator ride, he expressed to this woman that her role at the company was important, and thanked her for her hard work. I learned not only on that short elevator ride, but in many other instances, the importance of really valuing each individual for the contribution they make to the team.
Are you working on any exciting new projects now? How do you think that will help people?
One of the things that’s most interesting right now is the notion of “shift left” cyber. Many companies work in a circle instead of in a line, meaning they design the code, they develop the code, they test the code, and then maybe it iterates back. A lot of them wait until the end, when the code has been developed, to test for code resilience and security. While pen testing is important to do, it’s expensive and not always foolproof.
What they should be doing is shifting left their whole notion of cybersecurity in the development cycle: 1) creating a security architecture that provides structure for developers, 2) designing software alongside quality engineers who can point out issues at inception, and 3) doing code-level reviews (automated where possible) to find known vulnerabilities and back doors early in the process. Involving people who understand what those vulnerabilities are early in the process is really the key to shift left cyber.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I think the way to not burn out is to prioritize. If you think about everything you do, you can fit it into a matrix of Urgency: from low urgency to high urgency, and by Importance: low importance to high importance.
The urgent, important stuff needs to be prioritized, and put at the top of the list. For things that are urgent, but not important, we need to get them off the plate or find somebody else to do them. You need to convince those that are making it urgent that it’s not that important, shouldn’t be done and shouldn’t be prioritized. That’s probably the hardest category. The low urgency, low importance stuff, forget about it, get it off your plate.
That leaves the gem to help us thrive in the long-term — we need to be sure to overtly and conscientiously invest in things that are important but not urgent — these are magical areas in our lives, that if we are disciplined and devote the time, resource and mind-space will blossom into incredible platforms for growth and fulfillment. (Raising kids is probably one of the most obvious examples but there are many, many others.)
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first thing that excites me most about the industry is that it’s ever-changing, so we have to adapt to be able to combat new threats for example against the plethora of new IoT devices, autonomous vehicles and smart medical devices. Second, cybersecurity is something that helps the general public, whether or not they actively realize it. Security is no longer just about identity theft, it can have life and death implications. Third, cyber security and resilience is at the absolute forefront of innovation. Every device, every tech stack, every new app all need to be protected. There are a lot of nefarious players out there who are always looking for vulnerabilities. Such constancy of threats requires the best and brightest minds to be constantly innovating.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The most critical threat is our reliance on technology, and the increasing availability of technology. Every company in every industry is using technology to transform their value chain. Software and technology is literally everywhere. Whenever we become more reliant on something, the risk associated with it also increases. That’s why companies must invest in an AppSec strategy right off the bat, and cybersecurity teams need to be on top of it and ahead of the curve when it comes to new technologies. We can observe the impact COVID-19 had on the tech industry: companies from many sectors transitioned overnight to “working from home” methods, imposing new challenges on any existing IT and security team, to open all types of access to all types of company assets to maintain business continuity. This unprecedented change is constantly imposing a risk for organizations, and those who will not continuously examine their strategies might find themselves in a world of hurt. Security is a race that has no winners, and companies can influence their destiny of, at least, not being a loser IF they make the needed investments now.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The cybersecurity technology industry is booming, and with that growth, we’re starting to see so many tools that have become more and more niche, dealing with more niche issues. To effect true shift-left cyber, where vulnerabilities are engineered out up front and not post facto once code revisions become very expensive, one should definitely implement Static or Dynamic Application Security Testing tools (AKA SAST or DAST). When used correctly, these tools can create high value by automatically discovering severe vulnerabilities earlier in the application development life cycle. One last note on tools: while a tool is part of the solution, no solution is complete without the help of the technology, the people, and the processes to effectively use that tool to actually effect the desired outcome of secure, resilient software solutions.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
In my opinion, over the counter software is nothing more than a bandaid, and won’t prove to be a reliable solution or be able to provide enhanced security in the long run. If they have the resources, a company should always contact a specialist like Qualitest that specializes in cybersecurity and specifically in AppSec. Cyber security is sometimes perceived as an afterthought. For those not willing to make the investment up front, getting hacked is a matter of when, not if. So companies tend to ignore it — it is a costly service that consumes time and they can’t grasp the value of an operational, resilient, defensive AppSec strategy until it is too late. My strong advice is to act now, in advance, to secure tech stacks from top to bottom. Consider starting with an architecture review with cyber testing experts. I believe that digital resilience is not only the job of the CISO, it is part of the product quality and covers business assurance areas as well, hence software delivery leaders need to “own” security and make sure it is built into every part of the software delivery cycle, from requirements to release and deployment in production and monitoring.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
That’s an interesting question. From our experience many of the exploits indeed occur several weeks or even months after the initial breach. This is mainly for the attacker to perform reconnaissance and avoid being detected. In many organizations, especially the ones who are “best prepared”, the likelihood of enterprise social hacking is high as such hacking attacks the human factor. The best way for a lay person to “catch on” would be to look for:
- Any deviation from known routines through electronic message (email\whatsapp\IM etc.) might indicate a breach, especially if it relates to financial aspects
- Urgent requests to send an asset (file or any other proprietary information) to a person who you are sure already possesses this knowledge, thus looking for logical failures that just don’t make sense
- Urgent and unusual financial transaction requests
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The most important thing is to let the relevant authorities and affected clients know as soon as possible. Moving quickly will allow affected clients to react and protect themselves and it will mitigate or minimize fines for the target company. The longer you wait, the higher the fines can be. The second thing is to already have a contingency plan in place in the event of a hack, consisting of how to technically recover from disaster (backup at the data or service level), contact clients, and how to reestablish perimeter security. We see today that there are companies that are small in size, but large in data. They may only employ 20 people, but hold huge amounts of data. Oftentimes these companies think that they don’t need to have these plans in place. To the contrary, hackers look for data. Having plans in place, no matter the size of the company, is the most important thing, and then having practiced the plans is the second most important thing. Immediately when things are back to normal, the company leaders should conduct a comprehensive cyber forensics investigation by experts to learn what technically led to the breach, and how to automatically fix it and the correlated findings of the investigation ASAP. Usually, if companies follow best practices and compliance, such risks can be reduced.
Nowadays, end consumers are more and more aware of regulations designed to protect them. The laws and regulations are often too late to help, however. What we do at Qualitest is very cutting edge in terms of security and pushing security to the left, and we’ve always been helping companies to do security the right way. Whatever new regulations come along won’t have a big effect on what companies need to do and how they need to do it. A well-structured security architecture taking into account new regulatory requirements, shifting cyber practices to the left in the development life cycle so code is written with security in mind, and good hygiene with standard cyber practices are three critical components that will keep any company in the clear of regulatory snags. For example, GDPR requires companies to allow any customer to get his information stored in the company databases. Without proper architecture in place at the early stages of the development, implementing such capabilities will not only increase engineering costs but also cause the company to run afoul of the regulators when a more informed public demands their rights.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest mistake is companies not really having a comprehensive security strategy. As an example, companies will often put their full faith in a penetration test as a good sign of security assurance, which it really isn’t. A penetration test is just one single point in time, and a “single point of view” exercise. Companies think that if they do a penetration test, they’re covered. Or companies will invest too much in security, but in the wrong places, purchasing many tools but on the operational side not using their full capabilities, or often not treating alerts due to false positives and the overwhelming amount of work it adds to them. Essentially they don’t have the right processes in place to converge the CISO requirements and the tool results at the critical time of the SDLC.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, we’ve seen an uptick. This situation made mature security practices, and even normal security practices, very difficult to maintain. Granting access is one example. All of a sudden, companies needed to grant access to anyone to help them keep on working remotely. Hackers have taken advantage of the new lowered protocols. That’s a huge problem that we’ve seen.
The second problem is that many companies are now quickly adopting cloud solutions without much thought for the sake of working remotely. So that opens a very large threat vector for a lot of these organizations that they haven’t planned for adequately. A classic attack for new cloud services customers is the distributed denial of service (DDoS) that targets resources or services in an attempt to render them unavailable by flooding system resources with heavy amounts of unreal traffic. Such attacks occur daily across the cloud vendors and without proper configuration being constantly assessed, customers are highly vulnerable, especially during this pandemic-triggered cloud migration.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
One is that companies need to invest in the right level of preparedness to combat a potential threat or breach. The second is for companies to test themselves and assure that the level of security they do have in place is effective. Third is for companies to invest in the right places according to their own risk landscape. Fourth, increase awareness of the human factor — many of the security exploits are a result of human action, not being aware of such types of threats. And lastly, always continue to invent and innovate to keep up with the rapidly changing security landscape.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would teach the younger generation about the value of what I call moderated capitalism. I think the younger generation doesn’t understand, and doesn’t have a deep and abiding appreciation for the value of people putting their own capital at risk to generate a return, and how that system actually taps into the basic human instinct of self advancement.
Everybody wants to self advance or self preserve, and because everybody is like that, everybody is ultimately out for themselves. Capitalism has a way of tapping into that and giving people an opportunity to put their capital or their time at risk, they can actually generate a return that is beneficial to them and helps them advance themselves. However, that all needs to be moderated, which is why I call it moderated capitalism. There are negative externalities that come from unbridled capitalism, that causes people to dump stuff into streams that they shouldn’t, or concentrate wealth in too few hands.
So, I think there is a place for government and regulation, and to moderate capitalism. I think moderated capitalism and an appreciation for that can have the most benefit, because if we throw that model out, and we adopt other models that have been proven to not distribute wealth appropriately, and not give people an opportunity, and provide disincentives, I think there’ll be more people in poverty and more people without upward mobility. So when I think about doing the most good to the most people, it’s making sure that people have an appreciation for that, and then making sure that our governmental systems support that.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!