“The business owns the zero-trust project, because everything you do in zero trust must be aligned with your business objectives, or else it will fail.” – Abbas Kudrati, CISO at Silverford.
Cybersecurity professionals face one of the most challenging jobs in modern businesses: dealing with a constantly evolving threat landscape. Every day, they must navigate challenges and obstacles to get their security posture to where it needs to be—a goal that requires both strategic vision and the ability to balance business enablement with risk management.
In this series, we will be interviewing cybersecurity professionals from a wide range of backgrounds, industries, and experiences to bring you their unique insights into cybersecurity today, what challenges they are facing currently and expect to face in the near future, the realities of what it takes to defend complex global environments, and what advice they would offer to other CISOs and cybersecurity professionals.
Abbas Kudrati is a CISO at Silverford who has been working in the information security industry for the past 27 years. With a previous working relationship with Microsoft and a varied work history across multiple regions and industries, Abbas has a wealth of knowledge. He also shares this knowledge at Latrobe University as a part-time professor, offering lectures on cybersecurity, cyber-range, and cyber-governance, and is an author of multiple books on topics such as zero trust, digital risk management, and threat hunting in the cloud.
We spoke to Abbas to get his perspective on the challenges of maintaining ongoing cyber resilience. Read on for his insightful responses to our questions:
What cyber security challenges do your team deal with day to day?
There are multiple daily challenges, from nation-state threat actors to insider risk to accidental leakage of data. But most recently what we have been seeing is nation-state actors targeting identities as their main attack vector, often through phishing emails, social engineering attacks, deepfake audio messages, deepfake video messages, and many other methods. They use these methods to target humans to get access to their identity, and it’s not only human identities; they are also targeting non-human identities such as service accounts and API keys. Every day is a new challenge.
How have you dealt with these challenges and how have they evolved over the last few years?
If you go five to six years back, the attacks we used to see most often were on the endpoint, and ransomware was one of the biggest nightmares for all security folks. But we as cybersecurity professionals have become smarter and better, and we have invested heavily in protecting our endpoints such as laptops, desktops, mobile phones, etc. We did this by implementing EDR, XDR, BitLocker, encryption and so much more, and we have made security very strong. So, attackers have had to find a new path.
Now they’ve moved away from targeting the endpoint and have instead moved on to targeting cloud infrastructure. But again, we as defenders and as a cybersecurity industry are getting better day by day. We have so many great technologies such as web application firewalls, cloud workload protection, cloud threat protection, CWPM, CWP, monitoring and logging, and others to protect our cloud environments. We have made our cloud strong, but one thing we have been missing out on is protecting our identities – and now attackers are aware of this too.
Attackers know that people are working from home as COVID led to an adaptation to the hybrid culture of work. They also know they will struggle to find success in targeting the company firewall and company infrastructure, so instead they target individuals’ identities. If they can successfully target an individual in your company, then using that person’s identity they can navigate to the on-prem environment, from there they can go to the cloud environment, and they can take data and use it for all sorts of purposes.
Identity is a new attack vector that we are seeing a lot of, and this includes the leveraging of AI as well. This is a big concern for organizations, who are wondering ‘what can I do to govern the usage of this GenAI product and monitor all the activities happening behind the scenes?’
So that’s the landscape shift we have seen. Ransomware is still the number one attack target; however, the success rate of ransomware has reduced almost 60% because we are getting better at dealing with it. Ransomware is still the number one, but the impact is less. Now attackers are switching to trying to approach using the identity as a key attack vector.
How have you set your team and yourself up for success dealing with these challenges?
We need to always stay vigilant to what’s happening around the world. Threat intel is very important, as is making sure we collect the right threat intelligence from our environment. That is why we subscribe to bodies who are sharing threat intel like Microsoft and ISAC bodies. Information can come from proprietary threat intel, private intel, or publicly available threat intel data. All of this is used to keep a track of what has been targeted in certain industries or countries, and how the threat landscape is changing. I would say that understanding the threat landscape is really, really important, and that’s what we’re trying to do.
AI is one of the biggest concerns these days, especially the agents, because of shadow IT. There are many employee-radical companies who fire up their own AI and gen-AI systems, and this could open up the floodgates of leaking sensitive company information if there is no governance or monitoring process in place to manage it.
Awareness is key. Having the right public-private partnership is also key. And educating your employees goes a long way as well.
Making your employee aware is essential, and we are talking about this a lot in the month of October as it is cyber security awareness month around the world. This year a lot of initiatives are being put in place by many organizations, including Microsoft, several banks, and my own company. We have created an awareness program to help employees recognise the current threat landscape and how and what they have to watch out for when they are working in the corporate environment, using a corporate machine, or handling corporate data.
What technology partners and vendors are helping you deal with these challenges?
I would say it always starts with the people; because security is not a technology problem, it’s a people problem. That’s my humble opinion and my personal belief.
This is why we always say ‘people process technology’. We keep technology as the third priority, because to stay secure you need to handle your people and your processes first.
An example of putting your people first is this: while identities are a big attack vector that need to be secured, which can be done using tools like MFA, the way to do this effectively is not to make your employees’ lives miserable every time they open their laptop. If every time they go to open a corporate website or application you are prompting them for MFA, that is a very poor user experience. And if your security is making the experience worse for your employees it will inevitably fail. So, you need to strike a balance between the security and the end user experience.
It needs to vary depending upon your risk posture. It all starts with educating your employees on when and why they will be prompted for MFA, then you must ensure this prompting does not happen every minute of every day, but rather happens because of a change in the risk profile. Then you implement the technology accordingly.
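The prompting policy described above (challenge for MFA when the risk profile changes, not on every request) as an added worked example. This is illustration code written for this page, not the interviewee's or any vendor's product; the signal names, thresholds and session store are assumptions.

```python
"""
Risk-based step-up MFA decision: a user is challenged only when something about
the session's risk profile changes (unknown device, country change, or an MFA
that is older than the sensitivity of the requested app allows). Repeated
requests from an unchanged context are allowed without a prompt.

Hypothetical policy and field names chosen for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Request:
    user: str
    device_id: str
    country: str
    app_sensitivity: str  # "low" or "high" (assumed two-level app tiering)
    at: datetime


@dataclass
class Session:
    mfa_at: Optional[datetime] = None          # time of the last completed MFA
    devices: set = field(default_factory=set)  # devices that have passed MFA
    country: Optional[str] = None              # country seen at the last MFA


# Assumed policy: a fresh MFA is valid for 24h on low-sensitivity apps, 1h on high.
MFA_MAX_AGE = {"low": timedelta(hours=24), "high": timedelta(hours=1)}


def mfa_reasons(sess: Session, req: Request) -> list:
    """Return the list of risk changes that justify a prompt (empty means none)."""
    reasons = []
    if req.device_id not in sess.devices:
        reasons.append("new-device")
    if sess.country is not None and req.country != sess.country:
        reasons.append("country-change")
    max_age = MFA_MAX_AGE.get(req.app_sensitivity, MFA_MAX_AGE["high"])
    if sess.mfa_at is None or req.at - sess.mfa_at > max_age:
        reasons.append("mfa-stale")
    return reasons


def evaluate(store: dict, req: Request) -> tuple:
    """Decide 'allow' or 'mfa' for a request and update the per-user session state.

    A real flow would only update the session after the challenge succeeds; here a
    successful MFA is modelled as completing immediately.
    """
    sess = store.setdefault(req.user, Session())
    reasons = mfa_reasons(sess, req)
    if reasons:
        sess.mfa_at = req.at
        sess.devices.add(req.device_id)
        sess.country = req.country
        return ("mfa", reasons)
    return ("allow", [])


def simulate() -> list:
    """Run a constructed day of requests for one user and return the decisions."""
    t0 = datetime(2024, 10, 1, 9, 0, tzinfo=timezone.utc)
    store: dict = {}
    day = [
        Request("alice", "laptop-1", "AU", "low", t0),                              # first login
        Request("alice", "laptop-1", "AU", "low", t0 + timedelta(minutes=10)),      # same context
        Request("alice", "laptop-1", "AU", "high", t0 + timedelta(hours=2)),        # sensitive app, MFA 2h old
        Request("alice", "laptop-1", "US", "low", t0 + timedelta(hours=2, minutes=5)),   # country changed
        Request("alice", "laptop-1", "US", "high", t0 + timedelta(hours=2, minutes=30)), # recent MFA, unchanged
    ]
    return [evaluate(store, r) for r in day]


if __name__ == "__main__":
    for decision, why in simulate():
        print(decision, why)
```

Five requests in the constructed day produce only three prompts, and each prompt is tied to a named reason that can be shown to the user, which is the "educate employees on when and why" half of the answer above.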
I’m a firm believer in a platform approach to security, meaning having a platform of products which focus on one area. Identity security as one platform, EDR and XDR as one platform, visibility as one platform, etc. Some people believe in best-of-breed and they want 200 different solutions to implement everything, but I personally believe in having a single platform for each of my technologies.
How do you evaluate new vendors in the cybersecurity space?
I always look at what problem the technology is going to solve for me. Can I solve it with my people? And can I solve it by implementing a policy or a procedure? And will technology help me reduce the friction of process and people? In that case I would ask myself, do I have a vendor already who could help me to solve the problem? And if not, if there is a vendor gap, I would first ask my existing vendors, “Who is your current partner who could help me solve this problem?”
I will always choose a new technology partner based on my existing partner ecosystem. It’s important to know how well they will integrate and to ask, will they solve my issue and fill that gap?
How do you balance security with business agility?
Security has to go hand in hand with the end user experience. As security professionals we often consider security the showstopper, but it shouldn’t be. As an experienced CISO, I always say to the budding CISOs who are just starting their careers that a CISO should be a business enabler, not a business stop gate.
That is what the reputation of the CISO has been in the past. Business teams are afraid to engage with CISOs as they fear we will block their project and stop innovations by putting up barriers and slowing everything down. That was the reputation of security teams in the past, but we are seeing changes in recent years. Now, security has the potential to give you a competitive edge, if you have the right partnership with your security team and with your CISOs.
The analogy I give for this situation is a fast car. Say you have a Ferrari and the business is your track that you want to race down, and the engine of the car is your team, and the brakes of the car is your security. The purpose of the brakes isn’t to keep the car from moving down the track, it’s to give the driver confidence that they can go, and go fast, because their brakes are reliable and can temper their speed when needed.
What misconceptions do organizations still have about implementing zero trust effectively?
The biggest misconception people have about Zero Trust is that it is an IT project or a security project. And I always tell them Zero Trust is not an IT or a security project: it’s a business project. And when I asked my audience during the conference, who owns the Zero Trust project? Everybody says, the architecture team, IT team, security team. No – the business owns the zero-trust project, because everything you do in zero trust must be aligned with your business objectives, or else it will fail.
You have to map your initiative of zero trust with the business, because you understand that businesses have a deadline for launching new features, and if your actions are not supporting the launch then this is going to impact the bottom line, which will affect profits. And this is bad news for everyone.
What impact, if any, do you see new technologies like AI having on your day to day? Do you see AI having a long-term impact?
Of course! AI is a double-edged sword, I would say. There are opportunities, but of course it comes with certain threat risks as well. The opportunities come from being able to get your work done much faster, since AI gives you ways to automate many things, freeing up your time by removing repetitive tasks. On the flip side, if you have not done the basics like data classification and access control right, you could run into issues.
When I worked at Microsoft and I was selling Copilot for Security and Copilot for M365, I used to have to warn them, “Don’t get carried away with shiny new technology”. Yes, it’s great that it can help you, but it’s also vital that you have those basic controls in place because if you don’t, AI will have too broad access, and data you want to keep secure could be leaked.
A real-life case study of this is one insurance company we worked with, where when M365 Copilot was launched they received a demo, got very excited, and implemented it the very next day. After just one week they called to tell me they were closing it down and, when I asked what happened, they explained that Copilot was giving out answers to questions regarding sensitive data. And I explained, well of course it’s giving those answers out, you haven’t done the data classification to stop that from happening.
So now I always make sure to say, do the basic things first. Ask yourself, do you know where your data is? Do you know what classification of the data has been done? Do you know who has access to your data? If those things are done correctly, only then should you go and enable this technology.
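The three "basic things" above (where the data is, what classification has been done, who has access) as an added worked example: an assistant's retrieval step with no classification gate beside the same step gated on sensitivity labels and access groups, plus a coverage check that answers "has classification been done?". This is illustration code written for this page, not the interviewee's work and not how Microsoft's Copilot is implemented; the documents, labels, groups and helper names are constructed assumptions.

```python
"""
Classification- and ACL-gated retrieval for an AI assistant.

retrieve_ungated models the insurance-company case in the interview: every
document that matches the question is handed to the model, including sensitive
ones. retrieve_gated drops anything above the caller's clearance, anything
whose access groups do not overlap the caller's, and anything that has not been
classified at all (unknown sensitivity is treated as "do not expose").
Constructed corpus and hypothetical names, for illustration only.
"""
from dataclasses import dataclass

LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2}


@dataclass(frozen=True)
class Doc:
    doc_id: str
    label: str               # one of LABEL_RANK, or "" when never classified
    allowed_groups: frozenset
    text: str


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    clearance: str           # highest label this user may read


# Constructed sample corpus; the unlabelled legacy file is the interesting case.
CORPUS = [
    Doc("hr-001", "Confidential", frozenset({"hr"}), "Salary bands for executives, 2024 review"),
    Doc("pol-002", "Internal", frozenset({"all-staff"}), "Expense policy: salary advances need manager approval"),
    Doc("pub-003", "Public", frozenset({"all-staff"}), "Press release: company salary transparency pledge"),
    Doc("old-004", "", frozenset({"all-staff"}), "Legacy spreadsheet with salary data, never classified"),
]


def keyword_search(corpus: list, query: str) -> list:
    """Stand-in for the assistant's retriever: any document containing a query term."""
    terms = query.lower().split()
    return [d for d in corpus if any(t in d.text.lower() for t in terms)]


def retrieve_ungated(corpus: list, query: str) -> list:
    """The 'enabled it the next day' behaviour: whatever matches is returned."""
    return [d.doc_id for d in keyword_search(corpus, query)]


def retrieve_gated(corpus: list, query: str, user: User) -> list:
    """Return only documents the caller is cleared for, in a group that may read them,
    and that carry a known classification label."""
    hits = []
    for d in keyword_search(corpus, query):
        if d.label not in LABEL_RANK:            # classification never done: deny
            continue
        if LABEL_RANK[d.label] > LABEL_RANK[user.clearance]:
            continue                             # above the caller's clearance
        if not (d.allowed_groups & user.groups):
            continue                             # caller is in no group that may read it
        hits.append(d.doc_id)
    return hits


def classification_coverage(corpus: list) -> float:
    """Fraction of the corpus carrying a known label; 1.0 is the bar before enabling AI."""
    labelled = sum(1 for d in corpus if d.label in LABEL_RANK)
    return labelled / len(corpus) if corpus else 0.0


if __name__ == "__main__":
    bob = User("bob", frozenset({"all-staff"}), "Internal")
    hana = User("hana", frozenset({"all-staff", "hr"}), "Confidential")
    print("ungated:", retrieve_ungated(CORPUS, "salary"))
    print("bob    :", retrieve_gated(CORPUS, "salary", bob))
    print("hana   :", retrieve_gated(CORPUS, "salary", hana))
    print("coverage:", classification_coverage(CORPUS))
```

The unlabelled legacy file is withheld even from the HR user: the point of the coverage number is that a corpus below 1.0 still has documents whose sensitivity nobody has decided, and the gate should fail closed on those rather than let the assistant guess.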
What advice would you give to fellow CISOs and industry practitioners?
We just released a book recently that delves into this topic, it’s called A Day in the Life of a CISO. This book was written by twenty-four top CISOs, and in it there is a wide range of advice which could benefit new CISOs.
But to give you a specific answer to that question, I’d say to future CISOs: you need to make sure that when you are hired as a CISO, your first 100 days are spent learning and understanding what the business objectives are, what the business strategy is, the industry you are working in, and what compliance and legal requirements your organization must adhere to.
Understanding the business is the number one priority. Once you have a strong understanding, then you prove yourself to be an ally within the company in terms of supporting the business. That means being careful not to overly limit or disrupt the business, because that is how you wind up losing the job altogether. I’ve been there and done that. I’ve been fired as a CISO in my career by making that mistake. So, take my advice, and don’t learn it the hard way – always prioritize understanding the business, aligning your objectives, ensuring your strategy is based on those business objectives, and working with the people around you to begin implementing security objectives.