October 30, 2020

Q&A with the Data#3 Group Security Practice

The Data#3 group Security practice spans a national team of experienced individuals with decades of combined deep cybersecurity expertise. We sat down with some of them to understand a bit more about their roles. Featured in this Q&A are:  

Q: What is your security specialty?

Within the Data#3 group security practice, the team have a breadth of deep expertise across a range of specialties. From cloud security to infrastructure and endpoint security to access management, the team are highly versed in helping customers across a range of security requirements.

Devesh:  My specialty is helping our customers negotiate the complexities of securing their digital assets.

Nicole:  I work closely with our clients, developing a strong understanding of our customers’ security goals to help identify and develop practical Data#3 solutions, leading to positive outcomes for the customer.

Ameen:  Enterprise Security and OT (operational technology) Security.

Mitch:  Staying current with industry trends and taking the time to speak with many potential customers to understand their infosec priorities and problems, and find a resolution or preventative measure to help protect their business.

Brendon:  Cybersecurity consulting – best practice standards assessment and roadmaps, risk assessment, security strategy, Business Continuity and Disaster Recovery Planning. Essentially, helping our customers understand their current and emerging requirements for security and business continuity and helping them define and implement the appropriate controls in a cost-effective manner while managing risk and meeting their regulatory and compliance requirements.

Paul:  Identity and Access Management, specifically federated identity across cloud services.

Q: How long have you been in the cybersecurity industry?

Devesh:  I’ve been in the IT industry for 15 years, working with vendors such as Cisco and VMware, and have maintained a dedicated security focus since 2015.

Nicole:  I’ve spent over 25 years in the ICT industry, with a core focus in security for six years.

Ameen: 7 years.

Mitch: I’ve been in the industry for over 10 years. The first security solution I sold to a customer in the primary industries industry goes back to 2011.

Brendon:  About 25 years: I started my career in security in the banking industry in the mid 90’s. Viruses and malware were just taking off in a big way, my first project was looking after a team of banking specialists that visited commercial clients – they were inadvertently spreading viruses to their clients with floppy discs. Interestingly, we got a request into the security group that the marketing folks needed a dial-up connection to the Internet, which started a flurry of activity around how to secure this newfangled business tool called the Internet. We suggested it had to be a standalone PC, i.e. not on the network – needless to say that didn’t last long and we switched our efforts to evaluating Internet firewalls. Things have changed a lot since then!

Paul: I’ve been in the industry for over 20 years, my first experience was with RAPTOR firewalls back in the late 90’s.

Q: What do you find the most interesting aspect of cybersecurity? 

Devesh: We no longer live in a world where we can solely rely on technology to keep organisations secure. Instead, we rely on our people, our processes, and the technology we use to work seamlessly to keep our environments safe. It’s rewarding to work with our customers as they embark on their cybersecurity journeys.

Nicole: The evolution of protection is particularly interesting: the need to stay ahead of the ‘bad guys’ is a unique aspect and definitely a driver for many when they look to make security improvements in their organisation.

Ameen: The relevance of cybersecurity ties into a lot more than just how we protect our data, but also with considerations to national security, livelihoods, shareholder value and as a business differentiator.

Mitch: Security is constantly and rapidly changing. Cybercriminals are getting smarter and there is always something new to talk to customers about: whether it’s a story, trends, or education on new threats. It’s important that organisations are informed, so they can better protect themselves and their people.

Brendon: While not a new concept, a key aspect has been the increasing move from security being a blocker to security being an enabler to the business.  Many years ago, the culture of security in many organisations was that of a traffic cop mentality. To be effective, security teams need to work with the business and understand their business. The security guys don’t belong in the back room, they need to be out consulting with the business and understanding the business.

Paul: The speed with which hacking went from young kids sitting in their bedrooms to organised and professional gangs working across the globe and assisting each other. There is now a whole market built around the stealing, selling and using of personal and confidential information. It’s an industry, there are some very big organised groups playing in the space. In some respects, they are more resourced than many of the big multi-nationals that they prey on. The cybersecurity industry and Government regulation are constantly on guard to detect and prevent the attacks, and hunt down the gangs.

Q: In your experience, what is the most common cybersecurity ‘sin’?

Devesh: There is often a misunderstanding that securing your environment is a static process, when it is really a continuous process. With evolving business needs, technological, market and personnel changes, it’s challenging for organisations to keep track and fine-tune their security – whether it’s technology, policy or human education to reduce their vulnerabilities and improve the security culture.

Nicole: I often see organisations fail to create a company culture of understanding. It’s so important that an organisation and its people are aware of the importance of the need to be security-aware in everything you do – even if it’s just sharing a document over email.

Ameen: Equating complexity with security. They are not the same thing.

Mitch: Most often it is ‘committing password abuse’, which is something I am sure many of us can relate to!

Brendon: One of the most common problems we see is IT complexity, which can introduce security problems. Generally, the more complex an IT environment is, the more complex it is to secure. Further, the more complex the security controls, the more specialised the human resources need to be – this is further exacerbated in the current climate, where we see a shortage of good security skills and resources. Complexity does not equal good security.

Paul: Trusting anyone. All good cybersecurity starts with a zero-trust philosophy. You need to put in place controls to provide you with assurance that only the appropriate users are accessing the right information. This involves starting with a ‘detect and prevent’ architecture, and having applicable monitoring and logging to manage and understand the environment.

Q: In your own words, why is security more important than ever for organisations? 

Devesh: Hindsight is always 20/20 – just ask any organisation who’s had their security perimeters broken in the past. An attack on an organisation leads to brand and reputational damage, loss of revenue, and in the worst-case scenario, disruption to business potentially leading to closure. At a personal or individual level, it can lead to bad credit ratings, fraud and loss of financial savings (unless you are a member of Ashley Madison – then potentially a loss of family or your relationship!).

Nicole: The need to protect citizens from exploitation.

Ameen: It is critical to remember that when it comes to security, business resilience is a direct function of an organisation’s security posture.

Brendon: Organisations are increasingly relying on their information and the value of this information is continually increasing – both to them and to adversaries. A loss of information or integrity can have catastrophic impacts on a business and its operations. For healthcare and utilities this is even more so as the impacts are not only reputational and financial but can be life-threatening or cause a disruption to citizen wellbeing.

Paul: More information is now available in easy-to-index and search services. This information can be used by authorised people to make business decisions and complete transactions; but in the wrong hands it can be used against the organisation, to assist the competition; or simply to exfiltrate money (ransoms).

As more and more of our daily lives exist online, there is a greater risk of harm from the misuse of the information and assets that we have online.

Q: If you could offer one piece of advice to help organisations avoid the 7 Deadly Sins of Cybersecurity, what would it be and why?

Devesh: It’s important for any organisation to remember that security is a continuous process of changes, upgrades and developments. Don’t assume you can just set and forget: by doing so, you won’t get the most out of your security technology.

Nicole: Company culture is of importance to organisational security. It is important to remember that your people and their behaviour are your best first line of defence.

Ameen: Reduce the number of security tools that you have by 50%. Increase security capability adoption to at least 70% across each security tool you decide to keep.

Mitch: Security is a team sport – It is everyone’s responsibility. Establishing a security culture is critical.

Brendon: Develop a top-down approach to cybersecurity, starting with robust policy that defines the top level principles for information and cybersecurity.  This should be supported by good-practice aligned guidelines and processes, as well as well-managed technology and toolsets to support the control environment, and of course a good security culture and awareness. Top-down also means ensuring that the Board, Executive and management believe in the security culture and this will filter down the organisation.

Paul: Have good security practices: documented, reviewed regularly, and monitored/enforced. Ensure that everyone (from the CEO down to the janitor) understands their responsibilities and why cybersecurity is important to them. Make the message relevant to the audience.