For our latest expert interview on our blog, we’ve welcomed Babak Pasdar to share his thoughts on the topic of cybersecurity and his journey as the CTO of Acreto.
Babak Pasdar is a globally recognized innovator, cybersecurity expert, author, and entrepreneur best known for his multiple innovations in the area of cloud security.
Tell us about the business you represent, what is their vision & goals?
Acreto’s vision is to democratize cybersecurity. Today, organizations need too many products, from too many vendors, that need too many experts. The current approach to cybersecurity is meant for large organizations who can afford the products and experts. But what about mid-market and small organizations? Security today is too complex and expensive.
Acreto has innovated a new technology that eliminates the need to control what you need to secure by consolidating all security functions into the connection. Simply put, if it is connected, it’s secure.
This approach replaces the complex and expensive array of products, vendors and experts with a single, simple, security utility that can be turned on in minutes. Acreto is one security for any technology, on any network, anywhere in the world.
What inspires and energizes you within your work?
Since the inception of cybersecurity, the model has been the same. Stringing along tools for each technology silo that needs to be secured. Today, organizations focus all of their efforts on security tools and keeping them functional. However, the complexity remains significant, the security gaps too numerous, and the cost overwhelming.
I am energized by solving some of the most complex cybersecurity challenges the industry faces. For the past ten years, this has included bringing a new security model to the industry called Ecosystem Security. This model delivers advanced security in a single, simple service that is easy to manage and affordable by organizations of any size.
This has required many innovations including a new networking technology called Network Wormholing -- the consolidation of security in the connection and delivering a dedicated security infrastructure per application, not per organization as is the case today.
Can you share a little bit about yourself and how you got into cybersecurity?
In the mid-1990s I discovered a vulnerability in the Microsoft operating system that would give me access to all files on any targeted computer. I called Microsoft and asked to speak to the security department. They sent me to the front gate guards who had absolutely no idea what I was talking about.
Confused by the interaction, they in turn sent me to the public relations department where I left a message describing the vulnerability. I was expecting a call back from a technical team. In turn, I received a voicemail from the head of the PR department thanking me for reaching out to Microsoft before sharing that what I had discovered was an undocumented feature, not a vulnerability.
I knew this was clearly not the case and at that moment I realized two things. First, that the Internet had introduced a completely new dynamic that even the largest companies like Microsoft did not have a full sense of. And second, that this new dynamic could be an asset, or in the case of the vulnerability I had stumbled upon, a threat.
It was at that moment that I knew I had to shift the entire focus of my company and my professional career, which had been on multi-platform integration, to security.
How would you explain your role to a non-technical audience?
My role focuses on one key thing -- democratizing security. Today, security needs too many products, from too many vendors, that require a ton of expertise. This expertise just does not exist in the market today. In fact, in the U.S. alone we are short one million cyber jobs. We cannot train our way through this problem.
Cybersecurity has become something only large organizations can afford, albeit at a great cost and burden.
My role is to make security more effective while making it accessible and sustainable for organizations of all sizes. Democratized security is the only way to protect industries, economies, societies and even democracy itself.
What advice would you give to someone wishing to start their career in cybersecurity?
Learn the difference between privacy and security! I cringe every time someone refers to an encrypted connection as secure. It is not -- it is private. And privacy is the antithesis of security. Hackers depend on and use encrypted connections to bypass security controls.
During an ethical hack, my team once compromised a major financial company that had spent millions on their security in 136 different ways -- all over encrypted connections.
Private connections bypass inline security tools. Creating a scenario where the first and last point of defence becomes the end-point. But what about IoTs, IoMDs, Operationalized Technologies (OT) and all the different technologies that don’t have or even support end-point security?
The net-net is that encryption is good for privacy but bad for security. And the industry’s push for HSTS or Certificate pinning is grossly misguided and reduces many organizations’ ability to ensure the integrity of communications, systems, applications and data.
Does your organization use log and metrics data to improve and secure your systems? How do you find managing logs assists your day to day work?
Many organizations look at event data (logs) purely as post-event visibility. Acreto looks at events as mid-event data because we leverage event data, both individually and as a collective to identify and mitigate threat sources -- not just threat events.
Eliminating threat sources actually reduces threat volume, which in turn lowers risk while delivering greater insight due to increasing the signal and reducing noise.
What are common weaknesses in IT security strategies that companies often overlook?
Security Products! The way organizations work today is very different from even a few years ago. Not only are the technologies organizations use highly diverse and distributed, but they are also connected to many third parties.
Traditional security products are designed to control what they secure. However, there is no control over third parties or their security.
What are your thoughts on companies looking to prepare for CMMC compliance?
CMMC compliance using today’s one-off technologies is not a reality for many organizations. Especially resource-challenged organizations. Acreto has spent a lot of time addressing CMMC with an extensive assessment workbook that works in conjunction with our “Rapid Compliance” technology.
Together they are designed to deploy quickly and easily address the vast majority of the technology-driven aspects of CMMC without products, logistics or complex implementations.
When augmented with process and documentation, this is the fastest, easiest way to achieve CMMC compliance.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
I predict that the product-driven model for delivery of cybersecurity fundamentals will be completely replaced by the security-as-a-utility model in the next three to five years.
When it comes to fundamentals including connectivity, segmentation, zero-trust, security and visibility, investments in traditional cybersecurity products will soon not survive their amortization period.