Cybersecurity Insights
VPNOverview: With your extensive computer science skills and education, experience working for top research universities, as well as Fortune 100 financial institutions, what insights could you share with us on cybersecurity in general? After witnessing the SolarWinds breach and similar recent attacks, are you concerned about cybersecurity in general, and what do you expect in 2022?
Indir: After over 20 years of experience in the industry, I am very concerned about the recent spike of emerging threats and well-crafted information security attacks. Cybercriminals have taken advantage of the COVID-19 pandemic and the increase in remote work, attacking both technical and social vulnerabilities. This historic increase in cybercrime resulted in a growing trend of ransomware and software supply chain attacks like the SolarWinds attack.
Cyber Attacks Expected to Continue in 2022
VPNOverview: You also have experience at Harvard University as Director of Information Security and ERM & Director of Computing as well as Director of Information Security & Executive Int. Director of Information Technology. What are the detective, preventative and corrective measures that academic institutions employ to prevent cyberattacks?
Indir: In 2022 I expect that the frequency of attacks will remain high, their sophistication will continue to grow, and new breaches will be the inevitable result. To protect their brand and reputation from cybersecurity incidents, both academic and financial institutions need to continuously review, fine-tune, and enhance detective, preventative, and corrective information security controls.
Brand Reputation Can be Easily Lost
Indir: The brand and reputation remain the “holy grail” for all companies and are easily lost. However, the reputational impact of information security breaches outstrips financial impact. The main difference between protecting academic and financial institutions is that financial institutions have much higher levels of regulatory compliance that mandate much bigger investment in information security controls. However, the academic institutions’ advantage is their learning and teaching resources that enable a significantly higher level of information security and privacy awareness and training.
The Importance of Training And Awareness
VPNOverview: How does employee training and education factor into cybersecurity at your current position at AdTheorent Holding Company Inc.? What do you do differently than others in the field?
Indir: I believe that the first and last line of information security defense for both public and private organizations is having prepared and trained leaders and employees. In all these years that I have been involved in information security, security awareness and training have been the most valuable — yet the most overlooked — and underfunded mechanisms for improving the implementation of information security. This is, unfortunately, true for both public and private sectors not because it isn’t recognized as important, but because it isn’t seen as the “silver bullet” that everyone seeks to solve security problems overnight.
Infosec Is More of a People Problem
Indir: In retrospect, it may in fact be that silver bullet because information security is now realized by many experts to be more of a people problem than a technical one. The main question is how to make employees aware of security, train them in safeguard requirements and infosec best practices, and provide motivation to make them effective. Unfortunately, motivation has largely been missing from the information security vocabulary. Therefore, you can’t achieve more than superficial and cosmetic information security until you have achieved motivation to make security awareness and training effective.
Approaches to Improve Employee Motivation
Indir: To achieve motivation, security must become part of annual job performance as well as part of bonus programs. For example, I always suggest identifying a set of infosec tasks for data owners or managers and leads to complete. A percentage of their bonus and/or performance review then depends on whether they complete these tasks.
The ISA Program
Indir: I also like to implement the Information Security Ambassadors (ISA) program. In this program, we engage a group of employees from different departments and locations, and their role is to be liaisons between their teams and the Information Security Office. They help test all new InfoSec tools during the Proof of Concept (PoC) phase as well as assist in communicating information security tips and best practices to their teams. For all their work, they are rewarded with gift cards, gadgets, quarterly events in different locations, and team-building events.
Having Fun While Being Responsible
Indir: We ensure that Information Security Ambassadors have fun and are motivated to help the Information Security Office in the execution of the information security program company-wide. Reaching each and every employee with information security best practices is key. Finally, one of the annual tasks for managers is to regularly invite ISAs (at least quarterly) to provide information security updates to their teams. This approach ensures that all employees are covered by the Information Security Ambassadors program from both managerial and individual end-user perspectives and helps promote the “we are all responsible” mindset when it comes to information security.
Insights Into Internet Privacy
VPNOverview: As you know, internet privacy has become a very sensitive issue nowadays; people are much warier about privacy. How would you comment on user privacy on the internet today?
Indir: I think data privacy and security are foundational issues of the digital world. Information security and privacy are converging. For the private and public sectors alike, the advantages of as much access to and flexibility with data seem obvious, but for individuals, this can be less clear.
Policymakers Must Strike The Right Balance
Indir: For policymakers, to change the way they make policies to keep up with the rate of technological progress will be a very hard task. Therefore, the reality of user privacy in the future, and the overall public perception, will depend on whether policymakers and corporations have struck the right balance between personal data privacy, data security, and compelling content and applications that emerge from consumer tracking and analytics.
VPNOverview: What are your views on new privacy regulations or policy updates in the near future?
Indir: While it is impossible to predict the future, privacy laws are rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. Perhaps the best way for us to start predicting is to look at what has already been done. Most organizations did extensive work to comply with the GDPR law (EU privacy law) in the last couple of years. At the same time, new laws were introduced in the U.S. states of California, Washington, Massachusetts, Vermont, Nevada, and Maine, and around the world. This shows that data privacy regulations are in flux, not only at the state and national level but globally.
Privacy Regulations Are Constantly Changing
Indir: They are constantly changing and adapting to trends, international best practices, and regulatory rulings. I think that globally diverse regulations won’t work; they will simply open up more gaps than corporations and individuals can satisfy. However, as these changes continue, global requirements will likely align with one another more tightly to provide countries, individuals, and corporations with a more solid regulatory footing in the future.
The Role of AI and Machine Learning
VPNOverview: What about AI and machine learning? Do you see these fields as an integral part of our lives in the future, and where do you stand on this matter?
Indir: I believe that artificial intelligence (AI) and advanced machine learning (ML) are already an integral part of our lives and the next frontier for business innovation, but security and privacy concerns are slowing progress. As data becomes more embedded in our lives thanks to the ever-growing power of AI/ML, companies and governments are aware of the need to build up trust. As the next frontier for business innovation, AI/ML is used by companies to drive more competitive customer services and digital experiences.
Security And Privacy Concerns Holding Back AI/ML Implementation
Indir: The majority of companies agree they would like to use more AI/ML in their apps to improve security and services. However, security and privacy concerns are sometimes also holding them back from fully embracing AI/ML-based applications to improve business and security services. The main reason is that leadership teams feel increasingly worried about bringing new AI/ML-based apps/services to market because of the growing threat and damage data breaches/attacks can cause.
AI/ML is Still Not Mature Enough
Indir: Simply said, AI/ML is not mature enough for some leadership teams to feel comfortable with the security of these solutions. This is no different than any other new technology challenges and will be overcome with the enhancement of security testing tools capable of the timely discovery of security issues before going to production.
The Role of The COVID-19 Pandemic
VPNOverview: With everything that has transpired with COVID-19, which has transformed the social status quo and how we work, has this situation changed our technological habits for good?
Indir: COVID-19 changed the information security environment significantly and will continue to influence information security strategy. For its part, the information security industry must focus on delivering solutions that reduce operational complexity while robustly protecting the distributed work environments that will become the default future state for most companies.
Current Focus
VPNOverview: What are you working on currently?
Indir: Along with basic security hygiene like information security assessment, vulnerability and patch management programs, 3rd party pen testing, and information security insurance, I am focusing on the adoption and implementation of a Zero Trust security strategy by applying a “never trust, always verify” approach and utilization of high-power cloud and quantum computing resources. The idea is to deploy the Zero Trust controls across six technology pillars: Identity, Data, Application, Infrastructure, Network, Endpoints. Each pillar is interconnected by automated enforcement of security policy, correlation of collected security intelligence, and AI-based threat management and security automation, with the final goal of near-real-time orchestration of all infosec tools.
Managing Risk by Looking at Data Lifecycle And Flow
Indir: Data must remain protected even if it leaves the organization’s devices, applications, infrastructure, and networks. While classification, labeling, encryption, and data loss prevention (DLP) remain core data security components, I believe organizations that effectively manage the lifecycle and flow of their sensitive data as part of their business operations make it much easier for data security and compliance teams to reduce exposure and manage risk. Reducing that risk means re-assessing how organizations conduct business with sensitive data to ensure its proper storage, access, flow, and lifecycle.
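As an added example (not the interviewee's or AdTheorent's code), the two answers above can be read as a per-request policy check: a "never trust, always verify" decision that consults all six pillars and lets the data classification label decide how strict the identity and endpoint requirements are. All field names, labels and thresholds are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Per-request signals grouped by the six Zero Trust pillars named in the
# interview. Field names and values are constructed for this example.
@dataclass
class AccessRequest:
    identity: dict        # {"authenticated": bool, "mfa": bool, "entitled_apps": [...]}
    data: dict            # {"label": "public" | "internal" | "confidential"}
    application: dict     # {"name": str}
    infrastructure: dict  # {"workload_attested": bool}
    network: dict         # {"location": str, "tls_version": str}
    endpoint: dict        # {"managed": bool, "patch_age_days": int}

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # denial reasons, kept for correlation/audit

# Hypothetical policy engine: every pillar is verified on every request ("never
# trust, always verify"); being on the corporate network grants nothing by itself.
def evaluate(req: AccessRequest) -> Decision:
    reasons = []
    ident, label = req.identity, req.data.get("label", "internal")
    if not ident.get("authenticated"):
        reasons.append("identity: not authenticated")
    if label in ("confidential", "restricted") and not ident.get("mfa"):
        reasons.append(f"identity: MFA required for {label} data")
    if req.application.get("name") not in ident.get("entitled_apps", []):
        reasons.append("application: user not entitled to this app")
    if not req.infrastructure.get("workload_attested"):
        reasons.append("infrastructure: serving workload not attested")
    if req.network.get("tls_version") not in ("1.2", "1.3"):
        reasons.append("network: session must use TLS 1.2 or 1.3")
    if label != "public" and not req.endpoint.get("managed"):
        reasons.append(f"endpoint: unmanaged device cannot access {label} data")
    if req.endpoint.get("patch_age_days", 0) > 30:
        reasons.append("endpoint: patch level older than 30 days")
    return Decision(allow=not reasons, reasons=reasons)

def sample_request(**overrides) -> AccessRequest:
    """Constructed baseline request that passes the policy; overrides replace one pillar."""
    base = dict(
        identity={"authenticated": True, "mfa": True, "entitled_apps": ["hr-portal"]},
        data={"label": "confidential"},
        application={"name": "hr-portal"},
        infrastructure={"workload_attested": True},
        network={"location": "corporate-lan", "tls_version": "1.3"},
        endpoint={"managed": True, "patch_age_days": 7})
    base.update(overrides)
    return AccessRequest(**base)
```

The returned reasons are the per-pillar evidence an orchestration layer would correlate; the network location is recorded in the request but never used to grant access.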
About Indir Avdagic
Indir Avdagic is an experienced global technology leader and international speaker with extensive information security, data privacy, cloud, and quantum computing expertise. Indir has more than 20 years of technology, business, and leadership experience that spans higher education (top research universities including Harvard University), financial services (Fortune 100 & top private banks), and data science companies (Big Data, Artificial Intelligence, Advanced Machine Learning) gained in Europe, Asia, and the United States. He holds graduate degrees in Electrical Engineering and Engineering and Technology Management. He is an Information Security industry-certified professional by the International Information Security Certification Consortium (ISC2) and the Information System Audit and Control Association (ISACA). In his free time, Indir enjoys traveling, playing tennis, and hiking as well as spending quality time with family and friends. [The content in this interview represents Indir Avdagic’s personal views]