By: Tatianna Harris
May 11, 2022
Reduce Risk: How to combat threats through cybersecurity development - Q&A
On May 5, 2022, Global CISO of Teleperformance, Jeff Schilling, joined Cybrary's CEO, Kevin Hanes, for a Fireside Chat discussing threat actors and the importance of cybersecurity development in mitigating risks.
Below are some of the attendee questions received during the live event, and the answers from Jeff and Kevin.
To get all the answers and information from the live chat, view the on-demand version on our event page.
Question: How does the military/defense ensure an air gap environment to secure their network? What mode of transport is used to connect different locations?
Answer: (Jeff) Military/US Government uses Cross Domain solutions between its classified and unclassified networks that have special filters and DLP monitoring to ensure classified information is not leaked to the internet.
Question: No one has a Computer Chip in their Brain. What value does your company hold on Certifications versus Experience? As ISC2 states there are not enough people in the field and are offering a CISSP pilot program to Cybersecurity. However, would that be enough to open doors for individuals with no experience who have gained the knowledge; passed the exam and are trying to open doors in this field?
Answer: (Jeff) I value experience over certifications. Our entry level one security analyst roles do not require any security certifications. If someone is applying for one of our higher level positions in our CSIRT or Cyber Threat Intel team, we would expect that those more seasoned positions would be filled with prospects that have the appropriate certifications related to their previous job experiences.
Question: Do you see AI having a role in Security operations and not just replacing level 1 soc analysts for example?
Answer: We answered this question during the live session. You can view the free replay to hear the answer.
Question: How rigorous are you regarding Separation of Duty? How is AI changing and will be changing an analyst's job? Does current training give enough consideration to AI?
Answer: (Jeff) Separation of duties is still a critical concept for compliance. It is getting harder to manage in cloud devops environments where developers are also sometimes managing operations in the production environment.
Question: What are your expectations for the current online students’ progress? What problems do you see and how do you solve and improve online learning?
Answer: (Kevin) Our mission at Cybrary is to equip cybersecurity professionals with the skills they need to succeed against ever-evolving cyber threats at all stages of their careers. We often start by helping students become very interested in cybersecurity and learning the fundamentals. We hope to foster a sense of curiosity, engagement, and create an awareness of the problems and opportunities. In these early stages we hope students progress to the point of completing courses, preparing and earning certifications, and exploring career paths. We are also obsessed with making sure our students have the hands-on skills, knowledge and confidence to perform in their professional roles in cybersecurity.
Question: For someone just coming into the tech world, what advice would you give to the person considering going into cyber security?
Answer: This was answered during the live session. Watch the free replay to learn more.
Question: Does Teleperformance leverage machine learning? If you do, how are you handling the lack of effective labeled data to build effective models?
Answer: (Jeff) We do use Machine learning for one of our proprietary security tools (TP Protect). We are leveraging trained models from various cloud providers to accelerate our product development. They get us to the 80-85% true positive rate and then adjust our models as appropriate.
Question: Who should a CIO/CISO report to?
Answer: (Jeff) Most in the executive world are starting to worry less about who they work for and concentrate more on who they are working for. At Teleperformance, the CIO and I both report into the same C-Level exec who reports to the CEO. But the CIO and I are partners and we work for each other. I am also accountable to the Chief Legal Officer and the Chief Client Officer. I don’t think about who I work for, I make sure I am driving value in the business with our data security program and I am accountable to all of the senior stakeholders.
Question: What's the best way to start implementing security controls if the customer/management is averse to change? (perhaps explain the risk of NOT implementing)
Answer: (Jeff) Focus on the basics, advocate for three things to start with: 1- MFA requirement for all remote access to your environment. 2- An email security gateway that can prevent malware and malicious links from being delivered to your email systems. 3- Apply LAPS/SLAM to your elevated privilege management process to ensure you are controlling your elevated privileges.
Question: A big challenge is noted in the number of people with certifications that are not aligned to experience or proven hands-on skills in implementation of security in most environments. Noting the volatility of the cybersecurity professionals sticking in one place and the professionals moving from company to company due to lucrative pays, how do organizations ensure that talent is retained and how much motivation is required here? One could invest only to advance another company with your investment hence reluctant in support.
Answer: This was answered during the live session, so watch the replay to get an in-depth answer.
Question: Do you believe that the use of platforms like the one we are using (Zoom) has increased the cybersecurity risk after the pandemic? Have we left a third door open for hackers?
Answer: (Jeff) Zoom and other collaboration platforms do increase operational risk, but with the right lockdowns that are available in these tools, you can effectively mitigate these risks to near zero.
Question: What should we consider and make sure to include, when setting up information security strategy for the coming few years? What are the key areas to include? Is there anything that was or is currently a key component in cyber security which is expected to fade away in next year?
Answer: (Jeff) If you can do these four things well, your cyber security program will be strong: 1- 100% MFA for remote connections, 2- Apply a reputable email security gateway to catch malware and malicious links, 3- Harden and protect your elevated privileges (Zero trust tools), 4- Manage your public facing vulnerabilities (e.g. web servers, applications).
Question: What new threats may exist through innovative digital social-spheres (metaverse, etc)? Will we see new tactics and techniques with social engineering when there is "direct" (as opposed to webcam, IM, phone call, etc) contact between users?
Answer: (Jeff) Social engineering and impersonation will be the biggest risk. There is no one really looking at how you properly confirm/validate identities in the Metaverse. Additionally, the AR/VR devices are not always compatible with our current mobile device management tools, so it is difficult to ensure you manage these Android-based systems safely.
Question: What commonality is there between current & historic cyber threats (if any) and is their mitigation merely a matter of patching software, employing suitable firewalls/antivirus and employee training to prevent phishing etc?
Answer: (Jeff) The most important thing you can do to protect your environment from a major security incident is to focus on protecting your elevated privileges. There has never been a major infosec incident (e.g. ransomware or data breach) where elevated privileges were not compromised.
Question: Is there a future in Penetration testing due to imminent disruption by automation?
Answer: (Jeff) Penetration testing will always be needed. I think we will see it done differently as our IT teams evolve more into cloud and virtualization strategies.
Question: What would be the best way to start implementing controls in an organization with a lot of technical debt? Especially if management is resistant to change.
Answer: (Jeff) Start applying LAPS/SLAM to your active directory to protect elevated privileges. It does not cost anything, it is just a really hard task and requires organizational buy-in, especially from IT.
Question: How do your respective companies plan to address or respond to the cyber skill gap regarding the demand for such professionals and the supply of qualified candidates?
Answer: (Jeff) Investing in training.
Question: How can I level up knowing too well that the threat landscape is evolving at breakneck speed? Attackers are too many steps ahead of Cyber-security Officers. How can AI be deployed to use the best defense or offense mechanisms against cyber criminals?
Answer: (Jeff) Make cybersecurity your passion, your hobby and connect to as many meet up groups (e.g. BSides or OWASP) as your time allows. If you want to become an expert, you have to spend 1000s of hours training and in seminar learning.