As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Tony Velleca who serves as Chief Information Security Officer of UST Global and is acting Chief Executive Officer of CyberProof, a subsidiary that develops cybersecurity services. Tony leads the vision behind UST Global’s cyber solutions, driving rapid growth of CyberProof, and leveraging its capabilities to stay at the forefront of IT security.
Tony is a seasoned and decorated IT executive, named by Computerworld as one of 2010’s Premier 100 IT Leaders for driving positive change and innovation through technology. During his time with the company, he pioneered a new framework for global services implementation and spearheaded the “Personal Brand and Thought Leadership” project, a company-wide leadership development program. Tony holds several patents and sits on the board of XTV Inc.
Tony holds a Bachelor of Science degree in aerospace engineering from the Georgia Institute of Technology and graduated cum laude from the University of California, Irvine, with a Master of Business Administration.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Atlanta, Georgia. It’s in the Southeastern U.S., an area that’s famous for its warmth and generous Southern hospitality. In the period of my childhood and early adulthood, it still had its own distinct culture where they liked to say that time slows down so that you can enjoy the simple pleasures in life. I don’t know about time slowing down — for me, personally, that wasn’t so relevant — but the values of the South at that time were oriented toward being warm and welcoming, with an emphasis on treating each person fairly — and that’s still my fundamental orientation.
These things are so deeply embedded that they stayed with me even after I moved out to California in 1987 to pursue my work in the aerospace industry.
Is there a particular story that inspired you to pursue a career in cybersecurity?
Looking back on my career prior to getting involved in cyber security, my undergraduate degree was in aerospace engineering from the Georgia Institute of Technology and I worked for Boeing and Rolls-Royce, Inc. — focusing on conceptual design and optimized propulsion system for next-generation aircraft. If you look at aerospace, the reason I got into it was because it was cutting-edge — designing new things and thinking outside of the box. And I guess it’s these same qualities that drew me to cyber security.
Cyber security is one of the most fast moving, most innovative areas of IT. And as we get into digital, it is going to be part of every aspect of our lives — it becomes an overlay to thinking about an endless array of possibilities. In fact, “Endless Possibilities” is my personal brand — and I view cyber security as the fundamental enabler for developing endless possibilities. You can’t establish new means of doing things, be they self-driving cars or self-flying transportation — without addressing the issue of cyber security. This is what will open up — or restrict — our ability to progress into new markets.
Can you share the most interesting story that happened to you since you began this fascinating career?
Cyber security had always been an infrastructure-driven discipline. We buy a new “box” and see how it helps us improve. From a hacker’s point of view, doing things this way is predictable. It’s easier to find ways to exploit the system. With hackers increasingly innovative and infrastructure continuing to move to the cloud, cyber security needs to move in a new direction.
I believe cyber security should look more like application development — with a life cycle that includes defining requirements, figuring out how to meet them, and implementing the solution. This approach became clear to me personally because I came out of a software development and system engineering environment where we followed requirements-driven processes. But this approach is a “blind spot” for many people in the industry.
Here at CyberProof, our challenge was in finding the right customers — innovative CISOs, clients interested in trying a new approach. What is fascinating to me is that “Aha!” moment.
CyberProof, a UST Global company, became a leader and established a disruptive approach, but the journey to get where we are today involved a lot of customers looking at us like we were out of our minds! We searched for effective ways to get our customers on board, and that’s where we decided to develop our Use Case Factory and things like that.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Yes, there is.
Rolf Sellge led Customer Engineering for Boeing. I worked for him for years. Engineering is a conservative field but Rolf was open-minded. He was always interested in innovation.
Even more important, from my perspective, was that Rolf was a leader who made a point of spending time mentoring his people.
Rolf had a real influence on how I look at challenges. He encouraged me to try new things. Because of his mentorship, throughout my life I’ve tried new approaches and methods that otherwise I might not have gone for.
Are you working on any exciting new projects now? How do you think that will help people?
With the onset of COVID-19, so many organizations are working remotely and this creates new security vulnerabilities. Existing WFH setups can be a stopgap measure for small numbers of employees. But there are unreasonable risks involved in having all of an organization’s employees accessing enterprise applications and assets on home devices, over a home Wi-Fi.
I believe that the best way of handling the “new normal” involves shifting the organization’s focal point to the identity of the user and/or device — rather than the data center. This can be achieved using Secure Access Service Edge — SASE (pronounced “Sassy”) — a new cloud service architectural model. A subcomponent of SD-WAN, it allows organizations to extend corporate security policies to specific users so that the employee is protected, and corporate data being accessed from home is not at risk.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Find something you are passionate about. Follow your dreams. That’s the key!
At the end of the day, your energy per se doesn’t matter as much as having clarity of vision and direction. This applies to everyone in the organization: Build a team that’s aligned to your vision and is energized each and every day by that vision.
What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- It’s increasingly relevant. Cyber security has become an issue on the scale of national security — meaning that as we become more integrated with other cultures, we become increasingly interdependent — and this is having a broad-ranging impact on the world. And as our work and play become more digital, cyber security becomes an inherent aspect of every aspect of our lives. It is a crucial component of our reality — a key enabler of both corporate and personal security in a world that’s increasingly “flat.”
- Its impact is spreading. The question of cyber security is a long-term issue that continues to apply to new areas of life. Over the long term — as we start using self-driving cars, for example, and other innovations that will emerge out of the next generation of 5G technology — everything will be severely dependent on how we manage security.
- It demands that we continue to innovate. For cyber security to be effective, we need to think out of the box and continue to change. Bad actors are constantly upping their game, and we need to do the same. This requires that we be on the cutting edge, that we consistently continue to learn, and that we think laterally about issues as they arise.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
5G is on the horizon, bringing with it even more connected devices. Information Technology (IT), Internet of Things (IoT) and Operational Technology (OT) are all areas of increased risk. These shifts increase the attack surface and allow new types of attacks and new vulnerabilities on the network. Whether we’re talking about automated manufacturing areas or other innovations, bad actors will have an incredible array of options — new ways in which they can do harm.
And this leads to a fundamental point: We need to be very clear on the distinction between what we do vis-à-vis regulatory controls, like the General Data Protection Regulation (GDPR) — and what we do to reach a very different goal, which is to actually provide protection.
This is a distinction that is true across the board. So if we’re talking about a Financial Services organization, we must protect the crown jewels. But if we’re talking about self-driving cars, we need to be sure we’re protecting the driver.
It’s a radically different approach to cyber security — and that’s the sort of strategy that we need to adopt, in order to protect ourselves effectively in the future.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Among our customers, one of the most common breaches that we see today is intentional or unintentional data theft.
Here’s the problem: Many of our customers are battling new regulations like the GDPR, which has stiff penalties. And at the same time, we may see that their employees download sensitive data, using applications. Frequently, we don’t have the means of detecting this, because it’s downloads.
The solution, when you think about this from a fresh perspective, is to require that we go back to the application development team and put security rules within the application itself — or alerts within the application itself — i.e., the ability to detect anomalies. This is a far cry from conventional security.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
CyberProof, a UST Global company developing next-gen security operations, bases our work on the belief that adequate security is not about prevention. It’s about the ability to detect and respond in order to reduce risk. Our primary tools, therefore, are not only the SIEM but our own proprietary technology, which we call the CyberProof Defense Center (CDC) platform. The CDC platform allows us to obtain context, enrich alerts, focus on what is critical, and continually improve response automation — in order to contain attacks.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
We believe that working with an advanced MSSP, like CyberProof, a UST Global company, allows you to put the focus on your core business. It allows you to ensure that you can continue to operate with confidence. Not all MSSPs are created equal — but working with an advanced Managed Security Services Provider (MSSP) can help you focus time, money, and effort on what matters most. And this makes all the difference.
An advanced MSSP starts with an in-depth assessment on-site. We probe business processes, identify cyber security threats and learn about IT and your security ecosystem. Our in-depth assessment allows you to put an effective strategy into place.
There’s also the question of automation. Advanced MSSPs are continually looking for ways to further integrate orchestration and automation to provide a faster, more effective engagement process. This allows you to find the vulnerabilities that are not only exploitable and exposed, but are relevant to your business.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Security is like finding the proverbial “needle in a haystack.” The more sophisticated the attack, the greater the damage done to the victim.
This isn’t something that can be condensed into three or four signs, as there are so many different kinds of attacks. Having said that, there are many attacks that can be identified because they start using common methods — a phishing email, brute force, stolen credentials. If you can identify or at least minimize your vulnerability to these starting points for attack then you greatly reduce your risk.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
In the next generation, cyber security is looking more like disaster recovery. That’s because most CISOs today recognize that even with the best protection mechanisms, it’s not a question of “if” but “when.” The key question is how to proactively respond during an attack and mitigate the damage.
The GDPR makes it very clear: Plan proactively how you will respond before an attack happens. Make sure you have the ability to contain the damage as quickly as possible. There are stiff penalties — and the mitigation of those penalties is based on having a fast notification period within 72 hours.
Don’t try to hide! Notify folks very quickly. The ideal is to notify customers as fast as possible that there has been a breach. This provides risk reduction with regard to fines as well as brand loss.
How have privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and related laws affected your business? How do you think they might affect business in general?
CyberProof is a data processor. We do not collect or process personal data as part of our day-to-day processing. But in emergency situations, there is a clause in the GDPR regarding acting for the greater good which allows us to put the right information together to respond effectively to attacks.
Put very simply, these regulations prevent organizations from obtaining personal information from users without their consent or permission. One of the results of these privacy measures is that our contracts have become much more complex. The degree of liability has gone up and we need to be extremely careful about what data we collect and how we process it.
What are the most common data security & cybersecurity mistakes you see companies make?
Many companies focus on implementing tech solutions — believing that with these solutions, they are “covered.” However, it’s not just about having the technology but also about having good hygiene.
Focus on making sure users have proper access rights — and are removed from the access rights they don’t need. Check that you don’t have vulnerabilities on your critical systems. Make sure you haven’t given users the wrong access to system accounts.
In the majority of attacks, bad actors focus on mistakes that have been made. For example, it’s crucial to make sure intrusion prevention systems and firewalls are properly configured. You want to make sure attackers can’t get inside, because once they are on the inside they can find different ways of escalating privilege. So make sure access to the network is as tight as possible — while still allowing access to those who need it to do their work. This reduces the level of risk.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes — there are more and new types of attacks. Primarily, the issue is that there has been a massive shift to working at home using Zoom and other video-conferencing platforms. The types of vulnerabilities in attacks have shifted to being more personal attacks that may not even be detectable — for example, if an employee is working on a home network.
There has been a lot of focus in the news this year on Zoom bombings. Threat actors show interest in specifically targeting Zoom by joining random meetings to interfere with Zoom sessions. Threat actors also published leaked meeting information along with tools created allowing other threat actors to find meetings on their own.
There have also been numerous specialized phishing attacks that leverage the fear and confusion people feel due to COVID-19. Malicious emails are common that pretend to offer victims information about the pandemic or financial assistance.
What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Understand the risks. The risks include regulatory penalties but they also include knowing the risk to your brand. At CyberProof, we believe the best way to assess risk involves using the MITRE ATT&CK framework, which helps organizations visualize and then quantify their level of risk.
- Know thyself. Understand exactly what tools you have and why you’re using them. Know exactly what data you collect and where each type of data is stored.
- Map out how you use the data. Perhaps you need customer data for marketing, and employee data for human resources. Document the purpose of each type of data you collect.
- Identify the best way of protecting data. This includes not just exploring questions related to tools and infrastructure but also of continually updating and limiting who has access privileges. Be aware of the existence of the GDPR’s “right to be forgotten” (see https://gdpr.eu/right-to-be-forgotten/) — according to which individuals can ask organizations to delete their personal data.
- Develop a plan of action in case of attack. Invest time in working with different departments within your organization to create an in-depth process specifying the response to a breach. The plan should specify which external resources you may need to work with.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would it be? You never know what your idea can trigger. (Think, simple, fast, effective, something everyone can do!)
The movement I am most passionate about is information sharing. What I want to drive is a new mindset: the understanding that data is the new currency.
Let’s take a step back: I believe that cyber security is a national security risk and the well-being of citizens is at risk. Corporations are on the front line. No single corporation can solve this independently and we need to develop collectives to share information and address this challenge effectively, because it’s too big to solve alone.
It’s true that today, CISOs communicate. And Financial Services Information Sharing and Analysis Centers (ISACs) exist. But it’s not enough. What we need is to develop collectives for real-time information sharing that facilitate sharing response plans, etc.
It’s a question of creating formal information-sharing mechanisms — which currently don’t exist, partly because of corporate laws preventing the effective and timely sharing of the right information at the right time. Companies like CyberProof, a UST Global company, can be the intermediary for this kind of a collective.
How can our readers further follow your work online?
The CyberProof team is openly publishing information on our blog about new threats. We post thought leadership pieces. And we share even more in-depth information with our customers.
Our belief is that there is too much work to be done by the current number of experts in the field, and information sharing is key.
- Website: www.cyberproof.com
- Blog: https://blog.cyberproof.com/blog
- CyberHub: https://www.cyberproof.com/cyber-hub/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.