Mohit Tiwari is now the CEO and co-founder of Symmetry Systems. Before Symmetry, Tiwari was a cybersecurity professor at University of Texas, Austin where his lab was funded by DARPA and National Science Foundation, collaborating with teams at General Dynamics, Lockheed Martin, Intel, ARM, Google, and others. His work on high-assurance systems has received multiple industry and scientific awards for applied cybersecurity research, was transitioned to production by a startup (TortugaLogic) and large companies, and ultimately led to Symmetry Systems via pilots with cloud-providers and hospitals.
Here, we talk to Tiwari about the current threat landscape, the role of Chief Information Security Officers (CISOs) and the unique challenges COVID-19 and work-from-home (WFH) pose to CISOs.
Security Magazine: Overall, how has the threat landscape evolved due to the COVID-19 pandemic? What are some lasting changes or trends you expect to see over the next six months?
Tiwari: Strategically, there has been a massive change in digital use by both consumers and organizations’ employees. Businesses have also been forced to experiment very quickly - with business models, customer engagement and retention, etc. - with fewer resources than before. All of this has created major new challenges and opportunities.
One direct impact (anecdotally for now, and no hard data yet) is that fraud has increased - consumers see more organizations conduct business with them online and hence more fraudulent contacts can slip through.
A larger, second-order effect on the attack surface is that a lot more data being created (e.g., more financial transactions are online) and new types of data are being created (e.g., existing healthcare data has come online, and data for new studies is online). These habits will persist even after offices reopen safely, and teams are beginning to put longer term plans in place to protect data.
Business teams are rushing to create digital experiences just to see what works. Treating security as an after-thought is exceptionally risky - with the perfect storm of more data quickly spun up on the cloud where security controls are different and complex. Hence, over the next six months, we expect to see business and security teams function closer together than ever before.
Security Magazine: How has the role of CISOs changed since the pandemic?
Tiwari: One major outcome has been that security and business teams now have better alignment than before - since getting security in place for new business-tools is now an existential threat. Another major change is that health data (PHI) is now all over - to support people coming into offices, security teams have to now protect employees’ health data even in organizations that never had to do this before. Further, while some financial institutions always placed cyber- and physical security in the same organization, most institutions are now beginning to do this as well, since organizations have to comply with safety and distancing regulations.
Security Magazine: How can security teams support CISOs during this time, and how can CISOs support security teams as well?
Tiwari: Security teams and CISOs can help each other by being additionally aware of business needs - to reach out and partner with business teams that are managing liquidity risk and pro-actively help manage security risk, (e.g., Capital One just got an $80 million fine for an error that is very easy to make, given complex cloud controls and likely affected many organizations, even if only one is in the news.) But moving fast, and using cloud services remotely instead of in-person data-centers, is a decision many companies will have to make now. It is up to CISOs and security engineers to learn and communicate effectively.
Security Magazine: What are some unique challenges that COVID-19 and WFH poses to CISOs?
Tiwari: Partly due to COVID testing and health checks, health care data can now spread inside enterprise systems if left unchecked. Working from home, with computers being used by families, corporate machines are likely to see a large range of new uses. For example, for private browsing. As discussed previously, the attack surface on an organizations’ data and its systems is much larger - and security teams have to protect this with fewer people and smaller budgets. Security teams are also actively planning for remediation or clean-up for when an incident does occur.
Security Magazine: Alternatively, what are some of the opportunities CISOs have/will encounter as a result of the pandemic?
Tiwari: Security teams have the opportunity to dramatically level up an organizations’ security posture. Migrating to the cloud is complex, however, with good tools and careful planning, can enable far more robust defenses (to detect, respond and protect against attacks). Map out where the sensitive data is, how it is used and protected and help business team move faster and safely. Additionally, they can train their employees to use recent best practices, like hardware tokens to protect identities. As part of partnering with business teams, set up a process dedicated to reviewing security.