COVID-19 brought with it a massive influx of data, most of it moving from a centralized location to the cloud (and other environments). Now, businesses are trying to understand how to re-engineer their environments for the next 10+ years, with the advent of Zero Trust, SASE and more. How has COVID-19 impacted the need for cybersecurity consulting, specifically new trends, and Zero Trust? Here, we speak with Todd Waskelis, AVP of AT&T Cybersecurity, who leads AT&T’s cybersecurity consulting services.


Security: What is your background and current role?

Waskelis: I have over 25 years of leadership and practitioner experience in information technology, networking, systems management, and information security management. Over the years, I have accumulated extensive experience in the management, design, development, and implementation of cyber risk management programs. My role currently is to work with business leaders in helping them understand and implement cyber risk strategies as business and trust enablers. As part of my role, I have collaborated with organizations to mature their overall security posture and worked across many industries helping them transform their cyber strategy as they have moved from an era of compliance to an era of complexity and cyber everywhere. My primary focus has been assisting clients in strengthening trust with their key stakeholder communities to develop and implement cyber risk management solutions for IT and OT, making these organizations more cyber resilient.

Today, I lead the AT&T Cybersecurity Consulting business with responsibility for driving the growth of the global cybersecurity business through strategic investments, acquisitions, and innovation programs. I am responsible for the strategic direction, service delivery, and operations of a group of over 150 diverse client-facing cybersecurity professionals.


Security: Let’s talk about cybersecurity consulting. How has COVID-19 impacted the need for cybersecurity consulting, specifically new trends, and Zero Trust?

Waskelis: COVID-19 highlighted the need for business resilience, as organizations rapidly shifted to a distributed business model, which included moving applications to the cloud for collaboration, moving storage to the cloud for convenience, and adding licensing for VPNs. Organizations that fully embraced cybersecurity before the pandemic did a better job adjusting to the implications of it. But others didn’t even have a grasp on what their resilience capabilities were.

With the massive influx of data moving from a centralized location to the cloud, organizations are still trying to understand how to re-engineer their environments not just for today, but for the next ten years ahead. They’re turning to cybersecurity consulting services, and in doing so, they’re getting a full team of business strategists and technical specialists, all with significant experience in the organization’s industry. These services not only help businesses to embrace cloud security and address security gaps, but they also help organizations get started on their journeys in implementing Zero Trust and SASE, while prioritizing risk management.


Security: What are the trends in high-touch, co-management security and why is consulting not a “one and done” process/activity?

Waskelis: Security, in general, is never a “one and done” type of activity. The business is constantly changing – threats continuously evolve, the attack surface continues to expand, and new technologies permeate the workforce each day. Additionally, new, emerging frameworks, like SASE and Zero Trust, gain traction in the industry, creating a need for organizations to regularly evaluate, adjust and deploy updated security strategies. With consulting services, this ongoing evaluation and adjustment is conducted on behalf of the organization – simplifying risk management during a time when it’s needed most.


Security: How can consulting services help organizations achieve the Cybersecurity Maturity Model Certification (CMMC) certification, which is required to conduct business with government entities like the DoD?

Waskelis: A cybersecurity consultant can help organizations understand the requirements of CMMC, how it differs from DFARS 7012 and NIST 800-171, best practices for a path to compliance, and what it means for the future of cyber compliance.


Security: Why may consulting be key to helping organizations shift from researching Zero Trust to fully implementing it?

Waskelis: Many organizations don’t know where to begin with Zero Trust. A cybersecurity consultant can help with strategy and planning including key factors to consider ahead of time such as the desired business outcome, where to start when assessing an organization’s Zero Trust readiness, how to assemble a Zero Trust team, and how to avoid common pitfalls.