As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Satya Nanda, Vice President — Head of Managed Services & Security at Fujitsu Americas. Over the years, Satya has served in various leadership capacities for technology consulting, strategy, product design, portfolio management & operations. He has led many transformation programs at Fortune 500 companies driving telco, cloud, security & OSS transformations. He holds an MBA, a Master’s Degree in Computer Science, a Bachelor’s Degree in Biomedical Engineering and several industry certifications such as Certified Information Security Manager (CISM) & Certified Information Systems Security Professional (CISSP). He has been an active contributor and speaker in various forums involved with Telecom, Cloud, IoT, Security, Privacy & Safety including IEEE, TMForum, AMCHAM and Utilities Telecom Council. His current interests are to leverage Biometrics, Artificial Intelligence and Machine Learning to provide adaptive security and workplace solutions to support secure remote ways of working.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Odisha, on the eastern coast of India, with a younger brother and two loving parents, who were both busy doctors serving the community. When not in school, I spent time playing and watching cricket and learning about various countries through collecting postage stamps and coins. In middle school, I also had opportunities to visit various countries in North Africa and Europe learning about the different languages and cultures, though I spent most of my time seeking out new topics to learn, feeding my innate need to fix and understand things. I recall, at a very young age, marching into the principal’s office to report things that I found broken or wrong at the school. I have always wanted to be an agent for change, whether it was at school, home or at the office.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I’ll go back to the statement I made in the previous question: Seeing something broken and wanting to be an agent for change. During my early career in Telco, following the dot-com bubble, when many jobs were being moved outside the U.S./Canada, one of our clients was facing numerous access control issues. With a very short runway, we were to create a robust multi-factor authentication (MFA) solution, which was quite challenging given that many underlying technologies were premature, unlike today. The setbacks and struggles during this program inspired me to learn more and pursue a career in cybersecurity. I wanted to contribute to resolving the many existing and emerging challenges the industry encounters in this area.
Can you share the most interesting story that happened to you since you began this fascinating career?
Once I got a text from a major U.S. airline for a pre-boarding notification with my name and loyalty ID on it. This is when I was at home with no immediate travel plans. It seemed a traveler had impersonated me and flown the first leg of a journey from the west coast and needed to board the next flight on the second leg. Given the short duration between this notification and the flight time, I got a bit worried about the motives and what-if scenarios in case there was any malice involved. I immediately called the airlines, the airport and the loyalty desk to report this. It took quite a few hours until I was able to establish my identity and trust with appropriate authorities to investigate and take necessary actions for resolution. Incidents such as these only reinforce the importance of security and how we can never be too careful.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Success is a relative term. However, there are many who have contributed to where I am today. Starting with my family, there were several leaders, situations, teachers, colleagues and clients who have greatly influenced me in what I have valued most, EMPATHY. My parents being doctors instilled this in me at a very young age by asking me to volunteer with them in health camps for people who couldn’t afford annual screenings. Later in my formative years, life stories of great leaders like J.R.D. Tata (Entrepreneur & former Chairperson of Tata Group), Mahatma Gandhi and Nelson Mandela strengthened the value of empathy in me, which I continue to treasure.
Are you working on any exciting new projects now? How do you think that will help people?
I am fortunate to work for a company who carries a focus on Human Centric Innovation, so in most things we do, we are not only solving challenges for our customers, but we are embracing solutions that put people at the center. Right now, we are embarking on a set of offerings to address the need (accelerated by COVID-19 and work-life shifts) for organizations to focus on enabling their employees to work from home, or to operate safely in the field with adequate security, privacy and compliance to regulations.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
There is no easy answer. However, I would recommend working together for the greater good. That is leveraging the TEAM vs. trying to solve everything on their own. The unprecedented nature of the challenges that security teams are facing means that many are constructing new security strategies and formulating responses rapidly and with limited information. We are all facing the same challenges and attempting to solve them alone does not benefit anyone.
Sharing cybersecurity challenges, best practices and lessons learned with peers and drawing on external sources of intelligence and inspiration will help with creative ideas to accelerate the development of a security strategy and will ensure resilience throughout the entire supply chain and industry. This will help my colleagues in this industry thrive and reduce the likelihood of “burn out.”
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The challenges, finding solutions to address them and the enormous potential a rapidly evolving cybersecurity industry presents keep me very motivated. Below are the top three things that excite me most about cybersecurity right now:
- Cyber criminals have always been a few steps ahead. Even though there are a lot of tools and technologies available, many of them still need to work in lockstep with each other to keep pace with detection and protection of emerging threats.
- The market potential in terms of growth is huge. This is due to the growing need of security and privacy requirements in digital transformation, adoption of new business models and digital commerce (i.e. online everything — shopping, banking, etc.).
- Changes to our workforce, workplace and societal behaviors due to COVID-19, which has accelerated the need for securing remote working, virtual collaboration, remote education, e-health etc., requiring enhancements to existing technologies and raising awareness of security, privacy and online safety.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
We are in the midst of a pandemic, which is creating a new normal in terms of how we live and work. We have been observing various types of cyber threats and working hard to help our clients maintain a better security posture during these unprecedented times. Related to COVID-19, we see many new potentially suspicious domains being created, as well as new phishing campaigns being launched, exploiting the general population who are eager to learn, help and get assistance during the pandemic. We also expect to see a rise in the number of malicious applications and fraudulent online services offering video conferencing, training platforms and food delivery. One thing to always keep in mind is that technology and security experts alone cannot stop this — stopping it requires a cultural shift to use mass media for educating everyone online.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
During the WannaCry ransomware worldwide cyberattack, which targeted computers with Windows OS by encrypting data and demanding ransom installment in Bitcoin cryptocurrency, our global presence was able to eliminate negative impact to our U.S.-based clients. Due to multiple Security Operations Centers (SOC) running 24×7 globally, which collaborate by sharing threat intelligence and remediation actions, we were able to avert the threat and potential damages by proactively executing steps in the U.S. using the lessons learned from our SOCs in Europe. This was a great team effort. Collaboration is essential when dealing with cybersecurity challenges, and should not just be limited to the company and its suppliers but be extended across to the broader private sector and government agencies.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Over the years, we have developed tool kits consisting of various open source tools as well as tools from our key partners and suppliers, and the list is quite long. Here are a few: Nmap to map network and ports, OpenVAS for vulnerability scanning, OSSEC for host-based intrusion detection, Kali Linux for penetration testing with other security tools, Wireshark to view network traffic, Nikto for web server testing and Snort for real-time traffic analysis.
We also use Security Information and Event Management (SIEM) systems from multiple partners deployed in different client environments to provide a single pane of glass for security events. We also use many other security systems for Identity & Access Management (IAM) and for detecting & protecting endpoints, applications & data in multi-cloud and hybrid environments.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can manage with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Today’s security demands are vastly different from those of the past — and they’ll keep changing with the emergence of new technologies, new business models and new threats. So, irrespective of the size of business, every company needs to be resilient to security and privacy threats for retaining trust with customers and other stakeholders to stay in business and continue growing.
A business with a small team should be very practical and selective to start with, prioritizing the most important security objectives tied to maximizing business benefits. Automation is key, and outsourcing to a Managed Security Service (MSS) provider is recommended. MSS providers are focused on addressing specific needs, which can provide services at a reasonable price due to shared costs and synergies with other similar clients they serve. Many MSS providers also offer virtual Chief Information Security Officer (vCISO) services, which can be optimal over a business hiring their own, due to business size or cost.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
As with anything, part of knowing that something is awry is knowing what is “normal.” Without some level of monitoring and awareness anything can be missed. There have been many attacks that start with some form of social engineering and phishing. To spot a phishing email, be on the lookout for poor spelling, grammar mistakes or a slight modification to a legitimate email address or domain name. Other signs of a threat are fraudulent phone calls that try to lure a person to provide personal or company information. Even slow internet or internal network performance due to high volume could be an early sign.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Responding to a data or security breach can be extremely complex without an established security governance, crisis management and incident response plan with roles, responsibilities and steps clearly defined. Hence, the first recommendation is to adhere to an incident response plan starting with a clear communication model between all internal and external stakeholders including law enforcement and clients.
Following the initiation of the plan, isolate the systems impacted and follow the investigation with internal experts and external help, as needed for forensics. Depending on the type of breach, consult with legal counsel and provide notice to impacted customers and stakeholders. Maintaining and improving TRUST with clients and stakeholders is of utmost importance, so frequent and accurate communication is key.
Once the breach has been contained and the remediation plan has been executed, additional policies, procedures and updating technology will be required to prevent reoccurrence.
How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
Organizations are gathering a lot of valuable information about consumers to understand buying patterns and behaviors, while simultaneously trying to do everything possible to protect their businesses from cyberattacks. In this environment, the protection of individuals’ data can become an afterthought. With the introduction of recent privacy measures like CCPA, CPRA and GDPR, the days of organizations leaving the responsibility for privacy protection to someone else are about to end. These measures put the responsibility for personal data protection in the hands of the businesses that collect, store, analyze and manage individuals’ personal data.
As a provider of cyber security services, we help our customers understand what is at stake for non-compliance and help them identify and implement the required solutions. The near-term impact to our business and other businesses may mean added costs to implement additional measures, but in the longer term this will reduce the amount and impact of data breaches, associated penalties and significantly improve TRUST of consumers in businesses to enable better participation in business growth.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Some of the most common data security and cybersecurity mistakes include:
- Not having enough security budget, which is proportional to the business it’s protecting.
- Decision makers not being well informed about data security and privacy.
- Not having the baseline security information available to know which security gaps to address first.
- Not having an employee security awareness program.
- Failure to view security from a business perspective and not just an IT perspective.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, as I have mentioned before, we see new phishing campaigns being launched with a rise in the number of malicious applications and fraudulent online services offering video conferencing, training platforms and food delivery. We also see increasing fraudulent activity related to tourism and travel. With holiday plans, flights and hotels changing or being cancelled, scams are emerging online, offering compensation or reimbursement due to travel disruption. Education surrounding what malicious emails look like can reduce the risk that phishing campaigns pose. In addition to educating employees about how to work remotely securely using enhanced security options in collaboration tools, VPN etc., it’s also important to ensure that devices and software are kept up to date with the latest security patches.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
From my point of view, the most important things are:
- Don’t let perfect be the enemy of good: While the ambition to create a “perfect” comprehensive security and privacy program is honorable, I would recommend starting small, with a security baseline self-assessment to understand and address the most critical gaps in phases.
- Automate, automate, automate: With so many new tools and technologies now available — including Robotic Process Automation (RPA) — to automate basic tasks such as vulnerability management and patching, more time is freed up for engineers to focus on complex analysis and remediation work.
- Seek external help: For most businesses, having all security and privacy skills in-house is cost prohibitive. Take help from external consulting and MSS providers as necessary to fill the gaps.
- Implement a Zero Trust model: With remote working being the new normal, identity access requirements are inverted, with more users, devices, applications and data located outside of an enterprise than inside. Keep your operations and customers secure by implementing a Zero Trust model for devices.
- Focus cybersecurity education on remote workers: With changes to the way we are working during this pandemic, cyber criminals are looking to exploit remote work vulnerabilities. Organizations must ensure that employees do their part to keep the enterprise secure while working from their home office.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂
(Think, simple, fast, effective and something everyone can do!)
A movement I would like to inspire would be a Cyber Wellbeing Program, which would include security awareness and education for all. Specifically, the program would be for anyone who is a digital user and connected to the internet. It needs to be a shared responsibility between every cyber-savvy individual and learners to spread basic security and privacy awareness based on a common framework.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!