Creating Cyber Security Solutions for SMBs

Small and medium-sized businesses (SMBs) often struggle to build effective cyber security programmes. On Episode 40 of The Cyber Security Matters Podcast, we spoke to Amanda Berlin, the Director of Incident Detection Engineering at Blumira, about her company’s solutions, which are tailored specifically to SMBs. Amanda is also the author of The Defensive Security Handbook, co-host of the Breaking Down Security Podcast, and CEO of Mental Health Hackers, giving her a wealth of insight into the space. Read on for her views on cyber security solutions for SMBs. 

What challenges do SMBs face from a security perspective, and how do their challenges differ from larger enterprises?

Enterprises usually are bigger targets. When they get a breach, they have a budget, people, software and all the implementations necessary to deal with it. SMBs, even if they are breached, don’t necessarily get that afterwards. They have to make do with the software that they have at their disposal, and usually not many people. There are multiple roles that these people play. SMBs don’t have a CISO or anybody in charge of cyber security. Many times, they won’t even have a security team. There are just one or two tech people who are fixing everything from printers to security breaches. 

How have you seen the awareness of SMB business security changing over your time in the space at Blumira? 

When we started Blumira, people said it’s not changing that fast. They thought we were crazy for creating a product for SMBs because it’s a hard market to reach. A lot of them don’t realise that they need the security that they do, or they think they can’t afford it. There are all of these software platforms that are built for enterprises that SMBs are trying to implement themselves, but they can’t maintain it forever. We saw the constant struggle for SMBs to implement anything that was designed for a larger scale, and having worked at SMBs for pretty much my entire life, it’s a problem that I’m really passionate about fixing. I tried to implement a SIEM once too, and it was terrible.

How does Blumira fit into the SIEM and XDR market, and what’s your approach to securing those businesses? 

When we started Blumira, our leadership talked about making a SIEM for SMBs that you could implement in under a week. I thought they were insane because our onboarding process was at least six months in the companies I’d worked in before. You had to set up the servers and ingest the logs, which was a two-month-long process. You had to talk to them about all their use cases and work with the customer one-on-one. Coming from that, I was like, ‘There’s absolutely no way we can create a product that you can do in three months.’ But then we did it. And that’s why I’m still here because I never thought it would happen. We’ve had customers roll out their entire infrastructure in less than an hour. Just from the technology perspective, that’s a really difficult thing to accomplish. 

When you work in a SOC, there are a lot of level-one analysts who are fresh out of college or really new to the space and are doing a lot of repetitive work and missing things. Because they’re seeing 10,000 alerts a day, they have to make sure they don’t miss escalating something that could be worse. We’re leaving that to the most junior people in the company. Instead, we automated everything that we possibly could in a SOC and the platform. Any time we have a network scan done, we would get an email from every single UPS device underneath somebody’s desk. That’s how a lot of SIEMs are, but we just automated all of that because you shouldn’t have to deal with 10,000 alerts every time you do a scan.
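The scan-storm problem Amanda describes above can be handled in the detection pipeline rather than by an analyst. The following is an added example and not Blumira’s code: it assumes a simple `ts|src|dst|signature` alert format, an allowlist of authorised scanner addresses and a burst rule (many alerts from one source inside a short window), all constructed here for illustration. A burst from an authorised scanner collapses to a single summary; the same burst from a host that is not on the allowlist becomes one escalated finding instead of sixty separate alerts; everything else passes through untouched.

```python
"""Collapse scan-induced alert storms while still escalating unauthorised scans.

Added example (not Blumira's code). The alert format, the scanner allowlist,
the burst thresholds and the sample alerts are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hosts permitted to run network scans (assumed for the example).
AUTHORIZED_SCANNERS = [ip_network("10.0.5.10/32"), ip_network("10.0.5.0/28")]

# A "burst" is at least SCAN_THRESHOLD alerts from one source inside SCAN_WINDOW.
SCAN_WINDOW = timedelta(minutes=10)
SCAN_THRESHOLD = 50


def is_authorized_scanner(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in AUTHORIZED_SCANNERS)


def parse_alert(line: str) -> dict:
    """Parse one constructed alert line of the form 'ts|src|dst|signature'."""
    ts, src, dst, sig = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "sig": sig}


def triage(lines):
    """Return (alerts_to_escalate, suppressed_scan_summaries)."""
    by_src = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        by_src[alert["src"]].append(alert)

    escalate, summaries = [], []
    for src, group in by_src.items():
        group.sort(key=lambda a: a["ts"])
        span = group[-1]["ts"] - group[0]["ts"]
        burst = len(group) >= SCAN_THRESHOLD and span <= SCAN_WINDOW
        summary = {
            "ts": group[0]["ts"],
            "src": src,
            "dst": f"{len({a['dst'] for a in group})} hosts",
            "count": len(group),
        }
        if burst and is_authorized_scanner(src):
            # Known scanner: keep one record for audit, page nobody.
            summaries.append({**summary, "sig": "authorized_scan"})
        elif burst:
            # Same volume from an unknown host: one finding, not N alerts.
            escalate.append({**summary, "sig": "unauthorized_scan"})
        else:
            escalate.extend(group)
    return escalate, summaries


def build_sample_alerts() -> list:
    """Constructed alert lines: an authorised scan, an unauthorised scan, two stray alerts."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(60):  # authorised scanner probing 60 hosts in five minutes
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()}|10.0.5.10|10.0.20.{i + 1}|snmp_probe")
    for i in range(60):  # identical pattern from a workstation nobody authorised
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()}|192.168.1.77|10.0.20.{i + 1}|snmp_probe")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()}|10.0.7.3|10.0.1.5|failed_admin_login")
    lines.append(f"{(base + timedelta(hours=2)).isoformat()}|10.0.9.9|10.0.1.8|new_service_install")
    return lines


if __name__ == "__main__":
    to_escalate, suppressed = triage(build_sample_alerts())
    print(f"{len(suppressed)} scan(s) suppressed, {len(to_escalate)} item(s) to escalate")
    for item in to_escalate:
        print(item["ts"], item["src"], item["dst"], item["sig"])
```

The important caveat is the second branch: suppression is keyed on the source being an authorised scanner, not on the alert volume alone, because a burst of identical probes from an unlisted workstation is exactly the thing an analyst should see.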

To hear more from Amanda, tune in to Episode 40 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

How to Mitigate Insider Threats & Other Cyber Security Risks 

As we rely more and more on technology, our risk of cyber attacks or information leaks is also increasing. On a joint episode of The Cyber Security Matters Podcast we spoke with Jake Bernardes, the Field CISO at anecdotes, and Ido Shlomo, the Co-founder & CTO of Token Security, about their advice for people and companies who are looking to secure their cyber assets. Read on for their insights on how to reduce your cyber security risks, including insider threats. 

Jake: “Insider threats are divided into two categories: intent and incompetence. But insider threats are real. If I look at most attacks and incidents that I’ve worked on in my time, 90% of the insider threats have been in the incompetence category. People accidentally hard-coded credentials into IDP. That’s like identity providers leaving the credentials for the entire customer database on a public-facing URL. But there are different ways to catch them. 

There is also the compliance piece, which is where anecdotes comes in. We’re really good at identifying how people will divert from the norms and what control is best to use. We could connect a US to anecdotes and say, ‘This is what a normal VM looks like. This is what it has to look like to comply with PCI, SOC or ISO’. As soon as someone creates one which doesn’t comply with that regulation, our system will flag a noncompliance and therefore show what was wrong. It gives you a chance to both logically correct it and then go and work with the person to educate them or uncover their intent. You have the visibility to fix it before it becomes an issue. That’s the key point of all compliance and regulation-based security: fixing things before you have a breach or before damage occurs.”
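The “this is what a normal VM looks like” check Jake describes is a baseline-drift check, and it can be expressed as code that runs against every new VM definition. What follows is an added example, not anecdotes’ product or rules: the control IDs, the baseline predicates and the three VM records are assumptions constructed for illustration. Each rule is a predicate that returns true when a VM complies; a VM that fails any rule is reported with the exact rules it failed, which is the information needed both to correct the machine and to go and talk to whoever built it.

```python
"""Flag VMs that drift from a declared baseline.

Added example (not anecdotes' code). The control IDs, baseline rules and
VM records are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    environment: str              # "prod" or "dev"
    disk_encrypted: bool
    public_ip: bool
    open_ports: set = field(default_factory=set)
    logging_enabled: bool = True
    owner: str = ""               # accountable team or person tag


# Each rule: (control id, description, predicate that is True when compliant).
# The IDs are illustrative labels, not references to a specific standard.
BASELINE = [
    ("ENC-1", "boot and data disks encrypted at rest",
     lambda vm: vm.disk_encrypted),
    ("NET-1", "public IP only if nothing but HTTP/HTTPS is exposed",
     lambda vm: not vm.public_ip or vm.open_ports <= {80, 443}),
    ("LOG-1", "audit logging forwarded to the central collector",
     lambda vm: vm.logging_enabled),
    ("OWN-1", "an accountable owner is tagged",
     lambda vm: bool(vm.owner)),
]


def check_vm(vm: VM) -> list:
    """Return the (id, description) pairs of every baseline rule this VM fails."""
    return [(rule_id, desc) for rule_id, desc, ok in BASELINE if not ok(vm)]


def check_fleet(vms) -> dict:
    """Return {vm_name: [failed rules]} for non-compliant VMs only."""
    report = {}
    for vm in vms:
        findings = check_vm(vm)
        if findings:
            report[vm.name] = findings
    return report


def sample_fleet() -> list:
    """Constructed VM records: one compliant, one missing an owner, one built in a hurry."""
    return [
        VM("web-prod-01", "prod", True, True, {443}, True, "platform-team"),
        VM("db-prod-01", "prod", True, False, {5432}, True, ""),
        VM("jump-dev-07", "dev", False, True, {22}, False, ""),
    ]


if __name__ == "__main__":
    for name, failed in check_fleet(sample_fleet()).items():
        print(name)
        for rule_id, desc in failed:
            print(f"  {rule_id}: {desc}")
```

Running this against the constructed fleet reports `db-prod-01` for the missing owner tag and `jump-dev-07` for all four rules; `web-prod-01` is not reported. In practice the VM records would come from the cloud provider’s inventory API or the infrastructure-as-code plan rather than being typed in, and the check would run before the VM is created so the drift never reaches production.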

Ido: “Incompetence is a hard word, but most of the time, it’s just a lack of education or understanding. For example, one of them is people being off-boarded from a company, and the resources they created aren’t kept track of. That’s an insider threat, but the insider is still in the company because it’s the people who don’t take care of it that are the problem. You see a lot of those issues in the identity space. People are so passionate about technology that they make every mistake possible. They plug in their CFO’s Excel, and they allow them to query all of the organization’s data with zero limits on the permissions they have, and nobody’s keeping track of that. In the identity space, that’s crucial. We’ve just seen Ticketmaster, Santander Bank, and TNT suffering from those types of threats. Securing your own people is the hardest thing to do right now for security teams.”
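Both of Ido’s examples above, the off-boarded user whose resources nobody tracks and the spreadsheet granted unrestricted query access, are findable with a join between the identity directory and the resource and grant inventory. The block below is an added example and not Token Security’s code: the record shapes, the rule that a `*` scope is over-broad, and the sample identities, resources and grants are all assumptions constructed here. It reports three kinds of finding: a resource whose creator is no longer an active identity, a grant whose scope is everything, and a grant that was issued by someone who has since left and so has never been re-reviewed.

```python
"""Find resources owned by off-boarded identities and over-broad data grants.

Added example (not Token Security's code). The record shapes, the
'* scope is over-broad' rule and the sample data are assumptions for
illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    active: bool           # False once the person is off-boarded


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str             # user who created it
    kind: str              # "api_key", "service_account", "dataset", ...


@dataclass(frozen=True)
class Grant:
    principal: str         # who can use the access
    resource: str
    scope: str             # e.g. "finance.*" or "*" (everything)
    granted_by: str


def review(identities, resources, grants) -> list:
    """Return (kind, resource, detail) findings for the three failure modes."""
    active = {i.user for i in identities if i.active}
    findings = []
    for r in resources:
        if r.owner not in active:
            findings.append(("orphaned", r.name,
                             f"{r.kind} created by {r.owner}, who is not an active identity"))
    for g in grants:
        if g.scope == "*":
            findings.append(("overbroad", g.resource,
                             f"{g.principal} can query everything in {g.resource}"))
        if g.granted_by not in active:
            findings.append(("unreviewed", g.resource,
                             f"access for {g.principal} was granted by off-boarded user {g.granted_by}"))
    return findings


def sample_data():
    """Constructed directory, inventory and grants for the example."""
    identities = [
        Identity("alice", True),
        Identity("bob", False),        # bob has been off-boarded
        Identity("cfo", True),
    ]
    resources = [
        Resource("etl-key", "bob", "api_key"),      # still valid, nobody owns it
        Resource("reports-db", "alice", "dataset"),
    ]
    grants = [
        Grant("cfo", "warehouse", "*", "bob"),       # the spreadsheet that can read everything
        Grant("alice", "warehouse", "finance.*", "alice"),
    ]
    return identities, resources, grants


if __name__ == "__main__":
    for kind, resource, detail in review(*sample_data()):
        print(f"[{kind}] {resource}: {detail}")
```

The grant issued by `bob` shows why the off-boarding check has to look at who granted access as well as who holds it: removing bob’s account does nothing about the permissions he handed out while he was there.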

Jake: “There are a few ways to handle insider threats, one of which is to slow down. We’re obsessed with being fast to market, so we almost encourage issues and errors. Look at the desire – and desperation – to get AI chatbots to the market last year. That resulted in a flight and a car that were both bought for $1 because these tools had been improperly tested. That will have happened because someone was pressured either internally by themselves or externally by their leadership to deliver and develop quickly, so they either skipped steps or just didn’t do them thoroughly enough. 

Another way to mitigate these threats is to understand what you’re doing. A lot of the time, people build stuff without really realising what they’re doing. It’s important to understand that a software development lifecycle goes from A to B, and it shouldn’t be limited. Understanding what the end goal is means you can make sure you have those steps lined up in the process. 

Finally, getting the client there when you talk about compliance and regulations always sounds boring, but when we get a bug, we can see everything happening in security. We can see everything from identity issues or cloud security issues, onboarding issues, lack of training and policies not being signed – all of that stuff. Once you get a holistic view, you can educate the leadership and filter down the necessary information.”

Ido: “It is still very important to keep the pace. You want to understand where you’re taking too big of a risk, and you need to understand how to do things securely. Security should really invest more time into the auto-remediation of problems; not when you have an incident but much before that.”

To hear more about securing your cyber assets, tune into Episode 39 of The Cyber Security Matters Podcast here


AI Governance, Security and Compliance

On Episode 38 of The Cyber Security Matters Podcast, we discussed changes to AI governance with Patrick Sullivan, the VP of Strategy and Innovation at A-Lign. He shared his insights on changing legislation and what that means for organisations that use AI as part of their workflow, as well as his definition of ‘AI governance’. Here’s what he said:

What does the term ‘AI governance’ actually mean? 

ISACA through COBIT has introduced control objectives for AI and has defined governance as a value-creation process. When we think about governance, we think about value creation. COBIT says that governance is creating desired outcomes at an optimized risk and cost. So for us, we need to ask ‘What do we want to create? What risk are we willing to bear? And what budget do we have to support all these things?’ Our practices are processes that are employed to ensure that we’re creating the outcomes that we want as an organization in both a risk-appropriate and resource-appropriate way. 

What frameworks or guidelines can organizations adopt to ensure AI systems are used responsibly and ethically, and does this vary based on the size of the organisation? 

Generally, we won’t see the applicable frameworks vary based on organizational size. In the market today, there are two frameworks that most organizations are using to build their AI governance systems to adhere to X number of regulations. For neuco as an example, we saw that the EU AI Act was written into the Official Journal last week. These regulations are pressing, which means many organizations that are bound to the AI Act now need to take significant action to prepare themselves. 

How do those frameworks and guidelines actually physically enhance trust within the supply chain?

ISO 42001 is a certifiable standard and management system. Organisations that implement ISO 42001 as their AI management system can have a third-party auditor certification body, of which A-Lign is one, independently validate that appropriate processes are in place, that appropriate procedures and commitments have been made, and that the management system is running effectively to meet the intent of the standard. So there’s a certification mechanism that organisations can use to offer assurance to others in their supply chain and their value chain. 

Many in the security space are already very familiar with security questionnaires. We’re currently seeing a lot of pressure on organisations to answer AI questions because the market is really educating itself about what’s important. That is then driving the need to respond to those questions or unknowns to or from suppliers. While regulation will always be a pressing concern, self-policing in the market is where I see us go with responsible AI use.

How do you expect AI governance and compliance to change in the coming years?

Over the next five years, I think we’ll see the skills gap become more pronounced. I don’t know that there’s necessarily the awareness that there needs to be. We’re seeing groups come online like a group called the International Association for Algorithmic Auditors, which helps new algorithmic auditors or AI auditors understand what skills they need to be successful, and I think we’ll see more organisations like that come online as the recognition of the AI governance and AI assessment skills gap becomes more pronounced. As that happens, the market will really largely start self-policing, and we’ll enter the hype cycle. But, once that begins to simmer down, AI governance will become more of an operational process just like any other governance, risk governance, or vulnerability management process. 

To hear more from Patrick, tune into Episode 38 of The Cyber Security Matters Podcast here


Cerby’s Best Practices for Securing Cloud Native Applications

Matthew Chiodi, the Chief Trust Officer at Cerby, joined us on Episode 37 of The Cyber Security Matters Podcast to share his insights into the industry. One of the topics that stood out to us was the best practices that he shared from Cerby’s work on securing cloud-native applications. Here are the highlights of his answers: 

“When people say cloud-native application, that refers to applications that are built cloud-first. If you have a VM that’s running on-prem and you move it to run in the cloud, that’s not cloud-native – that’s just cloud transferring. Quite frankly, it’s a waste of time and money to do that. Cloud-native means that your infrastructure was not built manually, but it was built using infrastructure as code templates, defining what your infrastructure would look like in code first. Then you’re using code to bring up things like Lambda functions that only work during a certain period of execution. That doesn’t use a typical VM, it’s usually a microservices-based architecture. 

When it comes to cyber security, the basics still apply. Organisations have a massive data sprawl issue in the cloud because it’s so easy to upload to. If you go back 5+ years ago, if you needed a new data store, you had to open a ticket with your IT department and wait 2-3 weeks or even months, depending on the size of the organisation, before you got access to it. Data also tended to be much more centralised, and there were checks and balances. For a lot of cloud environments, that’s not a problem anymore. Developers generally have a fairly high level of access to create new services and they can create new data stores on demand by calling APIs, so you tend to get data in all different places. 

You have to know where your data is and what it is because if you don’t, sensitive data, like personally identifiable information, can easily end up in the wrong place. Health information that was intended to only be in a production environment can very easily be moved to lower environments that don’t have the same level of governance. I’d advise having a good tool that can tell you what you have and who has access to it. 

Knowing your code – specifically your application security code – is still highly important because you might know where your data is, and who has access to it, but if you’re writing crappy code, you’re introducing a vulnerability to your digital environment. So, you have to know who has access to your data and your code. If I get access to your data, I can do what I want with it. Or, if I get access to your code, I can inject things into your code that will then give me access to your data. 

In terms of what Cerby does; I usually say that in all organisations, you have two different types of applications. A lot of times we think of cloud apps versus on-prem apps, and that’s true, but really it comes down to identity and access management. You have standard apps that you can very easily integrate with your identity provider, and your IT team can manage them centrally in terms of who should have access through that type of identity provider. The other category is what we call non-standard applications or disconnected applications. This is a massive problem space because the apps that fall into the nonstandard category can’t be managed with your central identity systems. Cerby is focused on that non-standard space. 

We connect those non-standard applications back into identity platforms on trial ID. We did a little bit of research last year, and what we really wanted to understand was the scope and scale of the problem, and we found that organisations have a median of about 175 of these non-standard apps. We’ve spoken to some large healthcare companies who have 1000s of these, and we know there are hard costs associated with these applications because if you as an IT admin in one of these organisations have an employee who needs access to one of these non-standard apps, they can’t go through any kind of automated process – they can’t go into your access request system, they’re going to put a ticket in. Once you get to it, you have to manually log into this app, figure out what access they need, etc. and it’s all a lot of hassle. We make it so that you can centrally manage these non-standard disconnected apps, using your existing native tools.

To find out more about securing cloud-based applications, tune into Episode 37 of The Cyber Security Matters Podcast here


Addressing Common Hiring Challenges in Cyber Security

As the Cyber Security industry expands, growing your team has become more difficult than ever. On Episode 36 of The Cyber Security Matters Podcast we spoke with Julia Doronina, the Co-founder and CMO at G-71 Security, about the challenges she’s faced when it comes to scaling her team. Julia is also a passionate advocate and mentor for women in tech, giving her some valuable insights into diversifying the sector’s talent pool and making it more accessible. 

What are the key talent topics that need addressing the most?

I believe that it’s important to focus on employee development and to provide opportunities for career growth. With the rise of artificial intelligence, there are many new solutions and projects on the market, so companies and executive teams need to encourage their employees to learn new things and understand these new approaches because they can help optimise processes. The main thing is to support your employees and help them to grow themselves.

Do you struggle to hire based on talent shortages?

We’re a startup and we don’t have a big team right now. We were dealing with different outsourced people who can help us with different activities, like design, copywriting, analysis, and so on. I think that it’s very important when you’re talking with people who you want to attract to your company, to talk to them about the use cases for their skills, not just their CV, to understand how they think and how they can implement their skills into your business. Figure out how they can expand your current situation or activities. 

Early in my career, my skill set was straightforward. I knew the general and traditional channels, and I implemented them. Now I’m trying to use AI. I use ChatGPT about 20, 30 or even 40 times per day for different tasks because it can help me optimise my processes. My worldview and approach to problem-solving are changing as the world evolves, and I think that we need to encourage people to develop themselves in the same way.

There’s a lack of diversity at a grassroots level, so what can we do to address this?

We need to create an inclusive culture in companies, even in startups. We need to include different inclusivity training and actively attract candidates from diverse demographic groups because they have a lot of insights and skills. It can be great to create programmes to support the development of underrepresented people. It’s important for companies to actively support these initiatives, mostly from the executive point of view, because they are the drivers of the company, so they need to support it.

To hear more from Julia, tune into Episode 36 of The Cyber Security Matters Podcast here.


Inside Cyber Security Startups

Cyber Security is a growing sector, with plenty of startups evolving in the space to meet the need for unique solutions. On Episode 35 of The Cyber Security Matters Podcast we were joined by Alexandre Sieira, the Co-Founder and CTO of Tenchi Security, to talk about his experiences of startups and entrepreneurship within the sector. Alexandre is an executive with over two decades of experience in cyber security who is currently focused on helping companies leverage the benefits of cloud computing with security compliance through his startup, giving him some great insights into the topic. Here are the highlights of our conversation. 

What’s it like running a security startup?

It seems so glamorous – like it’s all staying in swanky hotels and talking to high-flying financiers in the VC world. Actually, it’s a lot of hard work. It’s long hours. There’s no limit to the work you have to do – you can’t just say, ‘This is not my job description’ because, as an entrepreneur, your job description is infinite. When you’re an early-stage employee or a founder, you have to do everything from carrying boxes to making customers their coffee. You’re writing proposals, paying the accountant, double-checking the tax calculations, interviewing, hiring and leading people. It’s super hard to find people that are decent at all of those things or that enjoy doing all of those things, so at least 40-50% of the time, you’re doing stuff you’re not very good at or that you don’t enjoy until the company becomes big enough to hire people who are specialised in that task. You have to have a lot of energy to keep working, and you need a high tolerance for doing things you don’t enjoy. But the upside is getting to build something from scratch, and that’s super amazing.

You’ve been involved in several startups. Can you pinpoint any key themes that have made them successful?

It seems obvious when you say it, but you need to be doing something that people need. In technical startup terms, that’s called product market fit. You need to be building a product or service that people actually need and are willing to pay good money for. Then you need to execute it well because even if you are building something that people are willing to pay for, if you don’t make them aware that you exist, or you’re spending more than you’re earning on marketing, you’ll go broke. It all comes down to ideas and execution.

What do you think are the key ingredients you need to get investment?

I’ve been involved with three companies, one of which we started bootstrapped, then raised private equity for very late in the game. That was CIPHER. With a services company, it’s super easy for you to finance yourself, and you typically don’t need a lot of investment at the beginning like you do when you’re building a product. It’s very easy to get started and generate cash flow if you’re in the services business and you know what you’re doing. We wanted to do international expansion, so that’s when we raised private equity, which is a whole different ballgame from venture capital. 

Then with Niddel, we were a product company, but we weren’t bootstrapped. We could afford it because we had sold CIPHER, so we were using our own money to work for a year without getting paid because we had our savings. With Tenchi, this is our first VC-backed company, which is a completely different experience. It’s a different kind of sale. But, if you know how to run a company and you know how to sell, you just need to figure out what the buyer wants. You need to find the right buyers for what you’re selling and figure out the best way to communicate what you’re offering to them. Fundraising is no different. You need to be able to describe what you’re doing and why it’s interesting, and you need to find the right VCs who are active in your industry or sector but don’t have a conflict. 

The biggest difference is that when you’re talking to a customer, you’re saying, ‘Hey, this is the product, these are the technical features, these are the benefits of using the product’. Whereas with VCs, they’re looking for different things. They’re trying to assess the team background, dynamics, founders etc, especially if you’re an early-stage startup. The thing you always need to think about when you’re talking to VCs is that, much like security people, they’re trying to mitigate their risks. They’re so interested in founders because a lot of companies and founders fight amongst themselves and split up. Venture capital is a high-risk investment strategy, so you need to try to mitigate your risk for them as much as possible. 

What makes a good entrepreneur?

You need to have a high tolerance for pressure, handling setbacks and adjusting to doing everything yourself. There are a lot of people who flourish in the large enterprise environment where your job is narrow, and they get super specialised in what they do. They get to know everyone, work the political channels inside the company to get things done and they get joy out of it. One of my startups was acquired by a large company, and we were able to deliver amazing results there, but I did not enjoy the process of working there as much as doing entrepreneurship. 

If you get the right person in the wrong environment, they’re not going to succeed. There are people that would be amazing at an enterprise that would suck at being entrepreneurs. I’m the reverse; I think I’m good at entrepreneurship, but if you put me in a large political enterprise with lots of well-established processes and bureaucracy, I’ll slowly wither and die. It’s just that I’m not going to enjoy myself and I’m not going to flourish. It’s all about matching the person with the environment. 

To hear more from Alexandre, tune into Episode 35 of The Cyber Security Matters Podcast here


Championing Women in Cyber Security 

Gender diversity has been a pressing issue within the cyber security industry for a number of years. On Episode 34 of The Cyber Security Matters Podcast, we were joined by Julia Weimer, the Director of Professional Services, EMEA at Lacework, to discuss the issue. Julia is passionate about gender diversity in cyber security, and actively participates in industry events and forums as an advocate for women. Julia regularly shares her insights and guidance with aspiring professionals to empower them in entering the cyber security space. 

Do you think mentoring and public speaking are good ways to spread awareness of women in STEM and tech? 

Absolutely. This is an opportunity for women to speak but also hear about the struggles of women in the industry. That helps people in the room feel like they’re going through a similar experience to the speaker or maybe find a nugget of inspiration to take on a new challenge or do something different. I think that it’s worthwhile to explore events like that with women and men. I say that based on the sheer numbers alone because there are more men in the industry, so we will need their help to get us to the next stage. 

I’ve witnessed the benefits of sponsorship in my own career. If we can bring more men into the mission that we’re on, we’ll have an equal composition of men and women in tech in the industry much faster. I really do believe that the more we can bring our male allies in the better the industry will be. We can empower them to speak on our behalf when we are not able to, bring a woman to a meeting that she wasn’t invited to, and speak up on our behalf when they know that we’re not being paid the same as our male counterparts. Those are opportunities for us to bring men into the conversation and realise it’s a men and women problem.

What advice do you have for male allies who want to stand up for women more?

Invite them to that meeting, include them in the conversation, and get their advice. Getting feedback from diverse perspectives is so important in the business world, because business can be quite boring if everybody has the same perspective and the same opinions. It’s healthy to be challenged and see problems from a different viewpoint. Invite women to meetings, speak up for them, and if you notice a woman is quiet in the room, ask for her advice after the fact or ask what she thinks during the meeting to make her feel included.

What advice would you give as a mother who is successful in your career?

Being a woman and mother in tech specifically makes you realise that so many things outside of motherhood really don’t matter. It’s given me the confidence to know that if I need to take my child to a doctor’s appointment rather than taking a meeting, I will do it every day. I’m privileged to have a job where that’s okay and where my peers respect that. My advice to other full-time working mums is to lean into both. You can absolutely have both. Don’t let anyone make you feel bad for choosing that lifestyle. 

A lot of mothers have faced judgement for choosing not to stay home – there’s a lot of judgement that’s passed on women in general. But as a mum in tech, I truly lean into both. However, realising that you can’t do it all is important too. By that, I mean making sure that you can let your to-do list carry over to the next day. If you have responsibilities at home and in your job, you have to recognise that you may not get to everything that day, but be able to make the right decision for yourself. One of the key points when you look for a new role is whether you will have the people around you to support what you’re trying to do as a mum but also as a full-time employee.

What’s one piece of advice you give to someone entering the industry?

Women statistically do not apply to jobs that we do not feel qualified for. If there’s a job that seems interesting to you, apply for it. It just takes the first meeting for someone to see your potential or hear what you have to say. I think there’s no problem in saying ‘Why not’ and just going for it and giving it your best. 

Breaking into the industry has seemingly become harder. It is about using relationships to open a door. The more networking events you can attend, the more people you can meet and interact with, the better. You’ll meet respectable people in the industry who can help you and connect with you on LinkedIn so that when you’re asking for help and using the network to be able to do that, the right people will see it.

To learn more about gender diversity and the opportunities for women in the industry, tune into Episode 34 of The Cyber Security Matters Podcast here


Attracting Talent in Email Security

Email security is an often overlooked area of the cyber security industry. On Episode 33 of The Cyber Security Matters Podcast, we spoke with Sam Hutchinson, the Co-Founder and CEO of Sendmarc, about how we can attract more engineers to the email security sector. Read on to find out more. 

What are the biggest opportunities for talent in email security?

It’s quite a crowded space, but email security is quite a big topic. But there are pockets of that topic which are not crowded at all. We operate in a macro area of that large sphere, where there isn’t much competition, or knowledge, either. That’s the weird thing about email; every company in the world uses it, yet engineering is focusing on much more popular things like AI or blockchain. No engineers come out of school and want to focus on email. It’s just not interesting enough or popular enough, but the opportunity is insane. It’s an unlimited market that shows incredible opportunity. Because it’s such a historical space, there’s been a lack of innovation for quite a long time, so there’s plenty of space for disruption.

What are the key talent topics that need addressing the most? 

I think we all admit that there is a small pool of talent, so the question which we often ask ourselves is, how do we become relevant to that talent? As we progress through different changes, what that talent needs in life changes too. If you think about a person who’s leaving university, what do they want out of a career? A person who’s 35 with a career, a working parent or a single person all need different things. You have to understand who you’re hiring and what they want, and then customise the position to be attractive to them. Ultimately, there’s an oversupply of work and an undersupply of talent. 

How are you securing talent at Sendmarc? 

We’ve gone on a journey with investors, and we’ve been able to raise funding so that we can hire top talent. Here’s a very interesting thing about top talent though: many people between 35 and 45 are highly skilled, but they’re frustrated with the machine. They’re searching for meaning. So we hired leaders first in our company, and then all of those leaders brought their teams with them. It was an incredibly efficient way to attract high-quality talent. Not only did we pay those people well so that they could look after their families, but we also gave them meaning. If you can create a high-performance environment that gives people the meaning that they’re looking for, you can attract the top talent in that sector.

How can businesses attract more diverse talent in this sector?

I completely believe in diversity, but if I look at my engineers, they’re mostly male. What we have to do when we hire somebody who doesn’t fit the stereotypes is embrace them so that they feel psychologically safe. We have zero tolerance for racism, sexism, or any sort of xenophobia, which means the minority always feel safe in our environment. If we start with getting it right with one or two diverse placements, and those people feel good, we’re more likely to attract more diverse talent. 

However, the fundamentals need to improve. How do we get more minority groups into engineering or finance, for example? How do we get more males into human resources? It’s more about generating interest in all these sectors. But I am trying at least to make minorities feel comfortable when they’re bucking the trend so that positive action keeps happening. 

To hear more from Sam, tune into Episode 33 of The Cyber Security Matters Podcast here


Exploring Software Supply Chain Security

The software supply chain is ever-evolving. On Episode 32 of The Cyber Security Matters Podcast, we were joined by Luis Rodríguez Berzosa, the Chief Technology Officer at Xygeni, to explore the topic. He’s a physicist and mathematician who brings significant experience to the field of software engineering security, focusing on static analysis and software supply chain security. Here are his thoughts. 

How have you seen software supply chain security change over the last 20 years?

20 years is a long time in the IT industry, so our product security has improved a lot in that time. We’ve worked with APB security, position analysis, and static analysis – that’s the API security testing web application firewalls – which nobody uses anymore. Cloud-native protection has been another hot topic in recent years, and there are better mechanisms for patching or avoiding memory-related and other low-level security flaws now. However, we are no better at securing the server product itself.

Unfortunately, in the software supply chain, fewer resources are assigned to protecting the server infrastructure at the factory where software is built and deployed. Modern infrastructures have a large exposed attack surface, so the bad guys, who are always motivated to gain the most with the least effort, shifted their campaigns from the better-protected applications to the public packages and even the internal build and deployment systems. They attack the weaker points, so when we protect one thing, the attackers will look for another place to get in. Now they use the software supply chain as an attack amplifier.

What was your inspiration in founding the business? 

In the summer of 2021, we realised that software infrastructure security was lagging behind the rest of the sector. We started defining the project by establishing what exactly the needs were, analysing the potential market and testing what ideas could work. Then in December 2021 came the Log4J vulnerability, which created a shockwave in the entire software industry. That was the push we needed to start to decide to go on. In fact, we had been looking at cloud-native security during 2020 and 2021, but we were out of our element there because we are more traditional guys. With server security, we were at home. So we started with the project and went to market last year. We are now active in marketing and selling the platform.

What are the traditional methods of securing the software supply chain, and why aren’t they enough in today’s environment?

In the past, organisations would compile software artefacts, package them, and then digitally sign them with a code signing certificate for integrity protection. They then deployed them on an update site and were done. Now, attackers can penetrate a build system, inject malware in your software dependencies and embed malicious behaviour in your source code. They have changed their tactics and techniques. All the old methods do not work anymore because the attackers inject malicious code that will pass onto your customers. The problem is that the traditionally simple ways of protecting integrity by code signing don’t work anymore.
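An added illustration of the point above (not Xygeni's code, and not from the episode): a release signature made after the build is valid even when a dependency was poisoned before the build, because the signature attests only to the output. Pinning the hash of each dependency the build consumes, and checking it before building, catches the tampering that the signature alone cannot. HMAC-SHA256 stands in for a real code-signing certificate, and the dependency names, sources and key are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins: a release signing key (HMAC replaces a real code-signing
# certificate) and a lockfile pinning the expected SHA-256 of each dependency.
SIGNING_KEY = b"constructed-release-signing-key"
CLEAN_DEPS = {"pad-lib-1.0.0": b"def pad(s): return s.rjust(10)"}
LOCKFILE = {name: hashlib.sha256(src).hexdigest() for name, src in CLEAN_DEPS.items()}

# A dependency swapped out upstream, e.g. a compromised package registry.
TAMPERED_DEPS = {"pad-lib-1.0.0": b"def pad(s): exfil(s); return s.rjust(10)"}


def check_lockfile(deps: dict) -> list:
    """Names of dependencies whose content does not match the pinned hash.
    This runs before the build, so a poisoned input is caught at the source."""
    return sorted(n for n, src in deps.items()
                  if hashlib.sha256(src).hexdigest() != LOCKFILE.get(n))


def build(deps: dict) -> bytes:
    """Toy build step: concatenate dependency sources into the shipped artifact."""
    return b"\n".join(deps[n] for n in sorted(deps))


def sign(artifact: bytes) -> str:
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(artifact), signature)


def release(deps: dict) -> tuple:
    """The traditional pipeline: build, then sign whatever came out."""
    artifact = build(deps)
    return artifact, sign(artifact)


def release_with_pin_check(deps: dict) -> tuple:
    """Hardened pipeline: refuse to build if any dependency drifted from its pin."""
    drift = check_lockfile(deps)
    if drift:
        raise ValueError(f"dependency hash mismatch: {drift}")
    return release(deps)


if __name__ == "__main__":
    art, sig = release(TAMPERED_DEPS)
    print("signature valid on poisoned build:", verify(art, sig))   # True
    print("lockfile check flags:", check_lockfile(TAMPERED_DEPS))   # ['pad-lib-1.0.0']
```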

One of the challenges within software supply chain security is keeping DevOps running while not falling under the supply chain attack. How does Xygeni solve this challenge?

You have to take a look at many different things. You have to automate those checks, compiling inventory and context because you have to know what is going where. You also need an alignment with industry standards because there are so many initiatives, ideas and best practices out there in supply chains. You have to get the best of them and put them on the ground to convert the generic principles into real actionable things. 

We have to try to take all the great ideas that are arising and figure out how they could be used in the real world. We put the emphasis on topics that we feel offered the best cost-benefit trade-off, such as detecting unusual activity or misconfigurations in real time. Our business is mainly international organisations who want to create software, but they feel they don’t need to secure the infrastructure. That means that features like semi-automated guidance will resolve a problem for them. They are looking for things like automation workflows and so on, so we try to provide them in our platform. Our focus is on helping users cope with a huge number of issues and the complexity of modern software.

To hear more from Luis, tune into Episode 32 of The Cyber Security Matters Podcast here


Mobile Application Security 

Mobile application security is a growing part of the Cyber Security industry. To help us understand and address those challenges, we were joined by Chris Roeckl, the Chief Product Officer at Appdome, on Episode 31 of The Cyber Security Matters Podcast. He shared his perspectives on the state of the sector, his insights into the key challenges of keeping mobile applications secure and its impact on compliance. Read on to find out what he said. 

How do you assess the state of the mobile security space as a whole?

The mobile app security market is rapidly changing. There are lots of reasons for that. Probably the most important one is that mobile apps are now the dominant channel for interacting with digital brands. It’s not about websites anymore, it’s all about mobile. The bad news here is that people who break into networks are zeroing in on mobile apps, which is driving the mobile security market. 

The challenge, particularly in today’s economy, is that CISOs and other decision-makers within mobile app security don’t have as many resources as they had in the past. They are either freezing their hiring or letting go of developed cybersecurity engineering teams just to cut costs. It’s like that old analogy of cutting off your nose to spite your face, but it is the reality of business today. They’re also trying to zero in on how to do more with less because budgets are under scrutiny. The thing is, bad actors aren’t taking the day off because of budget cuts and personnel reductions. The number of attacks just continues to grow and grow and grow.

We don’t like to focus on scaring our customers or prospects, we want to help them. We don’t spend much time talking about the bad actors doing bad things, but they are, and the mobile brands we support know that. We don’t have to take that message to the market, so our focus is on getting them to an outcome. How do we solve this problem? Every mobile brand’s challenge is unique, and our goal is to make sure that we can solve those unique challenges for them.

How are these key challenges within mobile application security addressed?

The first thing that you have to realise is that web-based and desktop apps basically all have the same technological components, which makes it fairly simple to solve security problems. Now, in the mobile world, apps are built with 15 different development frameworks, which you can mix and match. You may have heard of things like Swift, Java, or Kotlin. They’re all different languages that you can code in. That creates unique scenarios. It’s not homogenous; it’s heterogeneous, which makes mobile app security difficult. 

The other thing is that there are a couple of different approaches to solving that. If you go back 5 or 10 years, software development kits were developed by security companies for mobile, and they basically give you some code. Your job as an enterprise or mobile brand was to add and maintain that code in your own application, which had its own challenges. The most simple challenge was that the software development kit you got might only work with 3 of the 15 development frameworks, so as a mobile developer, you have to make a choice to say either I need to rewrite my app to get in the security bits, or I need to go look for some other solution and then cobble it all together.

At Appdome, we decided to take a completely different look at the market. We built a machine that takes account of all these frameworks and then builds an implementation of the security based on the buttons you tick on the platform for the security protections you need, and delivers that solution, with no coding needed. In a world where you’re losing resources, we think the movement to more of a machine-based approach to mobile app security is going to win the day. 

How does that impact the compliance side of things?

Cyber compliance is a really critical topic. Firstly, there are external regulatory compliance requirements. Secondly, there are a bunch of internal-facing requirements. Mobile brands oftentimes publish some sort of cyber pledge on their website for general security, saying ‘We protect your data this way.’ What is becoming very apparent is that those cyber pledges apply to the mobile app too – it’s not just about the website anymore. It’s not just about the way that your data is protected in the backend infrastructure; it is all about the mobile end user using a mobile app. 

Being able to do things like ensure that the cyber protections are actually built into the app is a cyber requirement, but the work is done by developers. So how do you bring the developers and cyber team together? Do you produce artefacts within the production process that say, ‘This encryption was added’, ‘Obfuscation was added’, or do you reverse engineer whatever the features are that the mobile brand is looking for? The ability to do things like UI testing is super important too. All of those compliance elements have to fit together into this jigsaw puzzle called mobile app development. Over the last two years, we’ve seen this go from kind of a low-level thing to a high priority within cyber organisations.

To find out more about securing mobile applications, tune into Episode 31 of The Cyber Security Matters Podcast here
