A chat with cybersecurity industry veteran Andy Kim

This interview is part of our Cybersecurity Insights Series, where we tap our partners and industry experts for the latest trends, thoughts, and predictions for cybersecurity and beyond.

From the shift toward remote work to the ever-expanding list of laws and regulations around data privacy and security, cybersecurity professionals have to navigate sweeping changes in their industry. This is why it has never been more important for companies to develop holistic and agile cybersecurity platforms, which means getting buy-in at the executive level, establishing a cyber-aware culture, and protecting every aspect of the business from a growing list of cyberthreats. 

Andy Kim has spent two decades helping a wide range of companies build cybersecurity into all their operations, and he recently took some time to chat with NINJIO’s Matt Lindley about everything from companies’ cyber risk tolerances to common myths about cybersecurity to the consequences of COVID-19 for his industry.

Matt Lindley: You’ve worked with companies ranging from global financial institutions to regional banks. Could you talk a bit about the unique cybersecurity challenges faced by companies of different sizes? 

Andy Kim: There’s a saying: the more chefs you have in the kitchen, the more likely they will ruin the stew. I’d say big banks face a challenge in consistently applying controls and measuring risk across multiple businesses. This is a decidedly different problem for smaller regional banks. These companies struggle with budget and headcount, so it’s more difficult for them to achieve basic cybersecurity capabilities. 

ML: Do you think companies’ risk tolerances have changed in recent years? If so, how? 

AK: Yes. Many executives distrust compliance activities in general and CISOs are being pushed to demonstrate “real” security. Board members are also getting more involved with cybersecurity because they see it as a business necessity in a competitive marketplace. The real problem is not only recognizing the need, but actually doing something about it. Few organizations do the latter, which is why we continue to have breaches. In many cases, these breaches are not as sophisticated as you would think, which means they’re entirely preventable. 

ML: With the emergence of major cybersecurity regulations like GDPR and CCPA (as well as other initiatives at the state level), what do you think the future of the regulatory environment in your industry will look like? How should companies prepare? 

AK: While regulations provide a minimum standard of conduct, companies need a common framework for security beyond compliance and continuous controls testing. I believe organizations will inevitably have to adopt NIST [National Institute of Standards and Technology] and Zero Trust as key frameworks to achieve this goal.

ML: We’ve seen an explosion of COVID-related cyberscams over the past year and a half, but do you see any long-term changes to companies’ cybersecurity platforms coming as a result of the pandemic? 

AK: Absolutely! COVID has blurred the difference between working and living. Most businesses are moving toward a fully remote workplace, which will need to have the same cybersecurity controls that were in place in the office. The challenge is figuring out how to do that when everyone has their own ISP to connect to the company’s network. Because employees struggle to use VPNs, I expect to see heavy adoption of SD-WAN [software-defined wide area network] and SASE [secure access service edge] solutions for the foreseeable future.

ML: What are the biggest challenges companies face when it comes to developing coherent and holistic risk mitigation strategies? How can they overcome those challenges? 

AK: As an industry, we are quick to sell a cybersecurity product as the next silver bullet for problems we read about like the SolarWinds or Accellion hacks. What we have to do is determine whether our cybersecurity tools are working as intended. We make cybersecurity products unnecessarily complex and difficult to use, which is why I think the best way to build a holistic cybersecurity program is to make vendors demonstrate various use cases in which the product actually did what it was designed to do.

ML: Could you talk about the process of getting buy-in across leadership teams and managers for organization-wide cybersecurity strategies? 

AK: A critical first step is to gain the trust of your CIO. I know that sounds counterintuitive, but in my experience, the CIO is able to open doors for you. The CIO is also the person who can quickly place a vote of no confidence on what you want to do as CISO. Most CISOs don’t want to believe that, but in practice it absolutely happens all the time.

ML: What are a few of the most stubborn myths about cybersecurity? 

AK: First, that hackers are sophisticated people with advanced training and knowledge. Second, journalists who write cybersecurity articles are cybersecurity experts. And third, CISOs are always cybersecurity experts.