April 08, 2023

How to Be Proactive About Cybersecurity: Advice From an Expert Podcast


Show Notes

Carl Lewis:

Welcome to The Connected Enterprise podcast. I’m Carl Lewis, your host from Vision33, and my guest is Ganesh Krishnan, a security expert. Ganesh, we're here to talk about security, but first, please tell us about your journey and why security is important to you.

Ganesh Krishnan:

It's great to be here, Carl. I’ve been in cybersecurity for 25 years. I was introduced to it in my master's program at Purdue, where I was a research assistant at a cybersecurity lab in 1996.

After that, I worked in cybersecurity development at Intel Labs in Hillsboro, Oregon. But Oregon was too rainy, so I moved to Silicon Valley, where I worked with an elite group of cybersecurity professionals at a company called Securify. It was started by Taher Elgamal, a well-known person in the industry. He’s behind the Elgamal signature algorithm, which is now the digital signature standard. We were a consulting business back then, and few people knew what cybersecurity was.

Then I worked at Yahoo when it was one of the up-and-coming internet companies before the internet took off. I spent 9ish years building a team and watching it grow at Yahoo, then left in 2010 to help LinkedIn build its cybersecurity practice. I spent 5-6 years there, then went to run identity and security at Atlassian.

That's when I realized, “I've been doing this for too long. If I keep going, I might go native!” So, I switched completely, but I’m still passionate about cybersecurity. It’s in my DNA. We called ourselves paranoid at Yahoo, and that's how I think.

I started a cybersecurity company in 2017—a startup in cloud security. In 2019, we were acquired by Sophos, another cybersecurity company.

I stayed at Sophos for a few years but left last year and started my newest company, Anzenna. It’s still cybersecurity, but we’re trying to build great products that help cybersecurity practitioners, the community, and cybersecurity in general.

Carl Lewis:

That’s a lot of experiences, and you must have seen so many changes over all those years. It seems like a bigger problem recently—I call it the pandemic effect. But what's changed for security experts through the decades? What did they care about when you started, and what's the big thing now?

Ganesh Krishnan:

People always ask me this, and things have changed as much as they’ve stayed the same. In the beginning, people didn't know what cybersecurity was—or didn't think it was that important. It was hard to get people to pay attention and make changes and hard to get funding for things we wanted to change.

That’s changed with all the breaches and the press. And rightfully so. If you look at the threats and what people worry about, the higher-level threats are mostly the same. People used to worry about viruses in the two thousands; now they worry about malware. Because it’s no longer checking a blacklist, it’s things that can evolve as they sit on your machine. Or ransomware, or spyware.

Also, phishing. I first saw phishing in 2003, and it's amazing—it’s been around for 20 years, and it’s still the biggest attack vector we see. And it’s still getting more sophisticated.

Application security was and is a big problem. When the internet was starting, it was easy to hack internet companies. You could easily change a value in the form and pretend to be something else because people didn't understand how to secure things.

Those attacks have gotten more complicated, but the threat is the same. What’s new is cloud security. The cloud didn't exist 20 years ago. Everything was within four walls—no AWS, Azure, Google Cloud, etc.

But now, people have to address the risks outside their walls. So, that’s changed. The people threatened are the same. People are a huge vector. Over time, especially as we’ve moved to the cloud and SaaS, the surface area has dramatically expanded.

Individual employees and businesses are becoming mini-IT people. Because IT itself is decentralizing. As an employee, I could sign up for an application like Canva if it would help with my marketing designs. That was harder when you were within the four walls—you needed approvals, contracts, etc.

The people problem is worse because the attack surface and the complexity have expanded dramatically.

Carl Lewis:

Personal devices have expanded dramatically, and now companies have bring-your-own-device policies and things like that, and it seems never-ending. When the pandemic occurred, my buddies told me we provided laptops to everybody so they could work remotely. The surface threat was expanded instantaneously in a huge way.

Ganesh Krishnan:

Absolutely.

Carl Lewis:

How concerned should organizations be about what they've done over the last two or three years to create a mobile workforce? Is that a big threat?

Ganesh Krishnan:

Yes. If you look at it at a high level, employees need to be as secure at home as they are at work. That's a huge challenge. You're not just talking about making sure employees handle stuff correctly at work—you’ve broadened that and said they have to do the same stuff at home. And you should teach your kids, your spouse, and anyone else who uses your laptop.

And we all know that they follow certain best practices. That's why the surface area has expanded tremendously. It’s unavoidable after what happened. Even if people can't go to work, they have to do their jobs.

Companies had to scramble to get Zero Trust infrastructure and things like that. But it's not just about technology. It's about how people handle their daily work. So, the threat surface expanded. BYOD was prevalent before the pandemic, and that does cross the boundaries.

If you look at it from security and business lenses, that's a good thing. It doesn't get talked about much—people say, “My company tried to block me from doing X.” But when employees work remotely, it benefits businesses. Because you're not working eight hours, you're working longer. That's good for companies.

So, it's about balancing risk. The risks have expanded, and there are no easy answers. Technologies like Zero Trust have come up to mitigate those risks, but there’s no silver bullet.

Carl Lewis:

We're always training people to be cautious—especially about email. You mentioned phishing. It’s easy to not pay attention and click an email you shouldn't click. I understand why IT people are always watching out and training new staff.

You mentioned training your family. We haven’t gotten to that level yet, but it would be a smart thing to do.

I don't know what you'd consider the cloud’s start date, but more companies are moving there. The pandemic really pushed that. They weren't prepared for remote work, and the cloud enabled them tremendously. From a security perspective, is moving to the cloud a good thing?

Ganesh Krishnan:

10-plus years later, I say it's a net positive. But everybody said, “Oh my god, this is a security disaster. Never move to the cloud. All your data will be gone.” That’s how it always is with new things. Right now, it’s what ChatGPT and AI will do to cybersecurity.

It’s a legitimate concern when new things come out. But 10 years into the cloud, I say—as a security professional—that cloud solutions and services are a net positive. One, because they're more standardized. Individually, if you're behind four walls, you must develop your own standards and then seek help.

But in the cloud, everything is standardized. If you understand and deploy them correctly, your path to security is easier. But understanding and deploying them is where we see challenges.

Carl Lewis:

From your perspective, are the cloud providers the primary providers of that security framework? But the users still routinely maintain it and deploy it throughout the organization.

Ganesh Krishnan:

Yes. And this question keeps coming up: “Does moving to the cloud mean the cloud providers will secure everything?” The answer is absolutely not. Because the only thing you can’t outsource in life is responsibility. You’re still responsible for running your business, running your services and securing them, and being answerable to your customers. You can’t outsource that.

Cloud providers provide what they call a ‘shared responsibility.’ So, if you use a service, the underlying service has the right security properties as guaranteed by AWS, Azure, Google Cloud, and other major cloud providers. But they can’t guarantee what you run on top of that.

If you run your own code and applications, it's your responsibility to secure them. And I would go a step further and say to make sure the underlying infrastructure is behaving how you want. You want to take responsibility for the whole thing, not circuit.

Carl Lewis:

Some people would put too much trust in the big guys and not take responsibility. But what about the companies subject to laws/regulations that prohibit them from being in the cloud? And what about those who are stuck on the idea that they’ll lose their data in the cloud? What should they do in their four walls for security?

Ganesh Krishnan:

Now it's the reverse problem. When the cloud started, everybody said, “We know better how to secure stuff in our four walls.” That’s shifted—there’s more standardization on the cloud, so how do we secure the four walls now?

You want to minimize your data center footprint. Some companies are massive, and when they become massive, they can't use cloud providers. That's a different problem. But if you’re a small to midsized business that can move to the cloud, move as much as possible and apply the standard methodologies to secure it.

Whatever footprint you have left should be for the right business reasons. Because either you can move it for compliance reasons, or the cost issue, or certain technologies that aren’t supported. Those are fine to keep on-premises.

Then the challenge will be a firewall. How do you manage that infrastructure—racking and stacking machines? That's getting old. And you're talking about using 10-year-old technology to secure your data center. But the world has moved on to the next thing.

That’s been the best practice for the four walls. Start with a firewall, deploy your malware agents, manage your security machines, find the people to do it. It’s a challenge.

Carl Lewis:

If a business is routinely affected by intrusions from email or other things getting into their data, what should they do?

Ganesh Krishnan:

It depends on the size of the business and what the attack surface is. The first thing is to take it seriously and invest in cybersecurity. Don't ignore the problem. Be proactive. Understand your risks.

These problems happen after the fact. But if you understand the risks and know you have a lot of email—or sensitive email—you need those controls. Whether that’s spam controls, phishing solutions, employee awareness training, or simulations.

Phishing is shifting to other things too, like SMS, so you need to do those things depending on where you are as a company in terms of risk.

Carl Lewis:

Everybody uses their personal phone for text messages, and I've noticed suspicious stuff. Is there a big phishing risk on phones that can transfer to the company's network?

Ganesh Krishnan:

Absolutely. Your phone may have access to company systems, or at least company data. And if you click a link and log into your company systems via single sign-on, and that was a fake login, or people can send you fake MFA spoofing.

If your company has multifactor authentication enabled, the more advanced attacks will trigger a fake approval. If you give approval, they have access to your account and data.

Data is what attackers want, and that can easily be enabled through the phone. Phones are machines too. You can do everything on them.

Carl Lewis:

It's more powerful than the first computer I had. Crazy.

Ganesh Krishnan:

Absolutely.

Carl Lewis:

You mentioned businesses can deploy many software and hardware solutions. But the responsibility comes down to the people. How can companies educate and reeducate their employees about their part in security?

Ganesh Krishnan:

Great question. Today, employees have annual training, which we all know is ineffective. It’s telling employees, “It's fine to exercise once a year, even though you see daily cybersecurity threats.”

Would you be fit if you exercised once a year? Absolutely not. And it’s more than training—it’s engaging employees so they understand cybersecurity is everyone’s problem, not just the cybersecurity team’s problem.

Because if the company is letting you innovate and use the tools you want, you must feel responsible for securing the data in that landscape.

Engage with employees and have systems, processes, leadership, and messaging to make sure that’s continuously conveyed to employees.

Checking the training box only works for compliance. It doesn't work for security.

Carl Lewis:

Right.

Ganesh Krishnan:

You want to democratize information to employees. There are several ways to do this. It’s, “Let’s make the cybersecurity things employees need to care about very visible.”

Empower them to participate and fix those problems. If I make a mistake as an employee—for example, I share a file with sensitive data outside the company—don’t slap me on the wrist, block me, and not tell me how to do better. It’s a learning opportunity for me. It’s contextual to me.

When I share that file, and it gets flagged, they can notify me and say, “Everybody makes mistakes, but here’s the right way to do this.” The more contextual and empathetic we make it, the more we incentivize and reward employees for participating, the more engagement we’ll foster. And that will be much more effective than a training module, video, or test.

Carl Lewis:

I agree. There's been a lot of talk in the news about politicians and TikTok. Should American companies worry about foreign tools like TikTok from a security perspective?

Ganesh Krishnan:

There’s always a worry when a government can just walk into any business and take over their machines or take data without due process. We’re fortunate to live in the US, where that's hard to do. They have to follow due process, and that's a great thing.

Unfortunately, that's not the case with TikTok. We all know that, and that's why these discussions are happening. If the government walks into TikTok’s offices and says, “Give me the data for US users,” they don’t have a choice. That's not a good situation.

But what can we do from here? It's a moral question for businesses that are, for example, advertising on TikTok. Is that okay if I get advertising data? Or if I share my advertising metrics or data, or maybe even share who my users are with TikTok for doing business with them. Should I be doing that, morally? That's one way to solve it.

Blocking TikTok may or may not solve those problems. We could block TikTok and make it inaccessible, but it's unclear if that would solve the problems. It's a hard situation.

Businesses must decide for themselves if they want to advertise on TikTok. There’s no direct threat to a business because it's a consumer service. But there is a direct threat to users. So all Americans with TikTok accounts should consider that. Some won’t care, but some will, and those people can stop using TikTok.

Carl Lewis:

I heard there are 150 million US TikTok users.

Ganesh Krishnan:

Yep.

Carl Lewis:

That's a lot of personal devices TikTok is gathering information from. Think of the footprint they have with 150 million devices. Maybe most are 13- to 16-year-olds, but even so, the potential for malice is there. I wonder—and not just because this is from China—about any government agency or bad actor gaining that size audience and using it for nefarious purposes.

Because you talked about the surface area, right? That's a big surface.

Ganesh Krishnan:

It is. And from that standpoint, there’s a tangential risk for businesses. Because it might be the same device I use to check my work email. If they have an MDM solution, businesses can prevent their employees from having TikTok.

But they need to be transparent with the employees and say, “We’re not comfortable with TikTok.” What businesses don't do well is tell employees the reason they're doing something. They’ll install software and say, “You can't do X, Y, or Z.” Which is fine, but you should always tell them why you're doing it.

Employees will get it. So businesses that want to do that can do that. Businesses that advertise with TikTok can put financial pressure on TikTok by not doing it.

Blocks are possible, but people who want to use the service can also overcome blocks with VPNs and a bunch of other means.

Carl Lewis:

True. Okay, Ganesh, pretend you can see into the future. What’s on the horizon for security? What should we expect in the next three to five years?

Ganesh Krishnan:

The risks will be similar: malware, phishing, AppSec, cloud security, people. Even scalability of security organizations, which we haven't discussed. Because many of the security organizations are small, and with the expanding attack surface, you need a much better way to scale those organizations.

There are companies that are, depending on their maturity scale, putting people, process, and technology efforts into these areas. I don't think that will significantly change. There isn't a switch we can flip and say, “Okay, these things have dramatically improved.” Because these are risks that come with being on the internet and doing business. And you must continuously mitigate them.

I don't see those threats and risks changing dramatically in the next three to five years since they haven't changed in the last 15-20 years.

Carl Lewis:

The better we get at security, the better the bad actors get at breaking it down anyway. It's a constant cycle—we improve, then they improve their nefarious techniques.

Ganesh Krishnan:

That's right. Security is a process, not a product. That's the way to put it. It's a continuous cat-and-mouse game.

Carl Lewis:

But it seems like people are more aware of it now and are putting resources into it, in terms of products and people. Security will probably become a more important role within companies than it has been.

And once you've experienced a malicious event, you can't stop thinking about it. Your awareness increases dramatically. And you can be hurt badly.

Ganesh Krishnan:

It’s better to be proactive. Having been in the industry so long, I know you can't be proactive on everything because you have a limited set of things, but you have resources you can prioritize.

Then you make continuous improvements. Periodically measure your security program and see the top risks to address year after year. In five, ten years—whatever the time horizon is—you'll be at a much better place than where you started. That's the way to go.

Carl Lewis:

That's good advice, especially for small companies. Prioritize because you can't do everything at once. Deal with the biggest risks first.

Ganesh Krishnan:

Yeah. And don't look at it just from a compliance lens. It's easy to get certified and check a box, but it's hard to get secure the right way.

Carl Lewis:

I like that. The difference between compliance and security is significant.

Ganesh Krishnan:

That’s right.

Carl Lewis:

Well, Ganesh, thank you. This has been helpful. We appreciate you joining us today. And since cybersecurity keeps popping up, we’ll get you back if something new happens.

Ganesh Krishnan:

It was great to be here. Thanks for all the great questions.

Carl Lewis:

And thanks, everyone. Until we see you again for the next episode of The Connected Enterprise, stay connected.