Interview
Contents
- Tell us about the business you represent, what is their vision & goals?
- What inspires and energises you within your work?
- Can you share a little bit about yourself and how you got into cybersecurity?
- How would you explain your role to a non-technical audience?
- What advice would you give to someone wishing to start their career in cybersecurity?
- Can you give an example of security issues at your jobs, and how you and your team fixed them?
- Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
- What are common weaknesses in IT security strategies that companies often overlook?
- What are your thoughts on companies looking to prepare for CMMC compliance?
- What are your takes in response to the Log4shell incident?
- Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
For the next interview in our series speaking to technical leads from around the world, we’ve welcomed experienced cybersecurity specialist Szilveszter Szebeni, CISO at Tresorit.
Tell us about the business you represent, what is their vision & goals?
At Tresorit, we believe that privacy is a human right. Too often, we have heard that companies struggle to create a balance between security and usability. Security tools were cumbersome, creating burdensome processes. Our mission is to create a secure workspace that eliminates these barriers.
Tresorit’s vision is to give you full control over your data across all business processes while making it easier for employees to incorporate security and privacy into their daily activities.
What inspires and energises you within your work?
End-to-end encryption will revolutionize IT. Being at the forefront of this technology and putting it in the hands of more and more people and organizations is what drives me every day.
Can you share a little bit about yourself and how you got into cybersecurity?
I grew up in South Africa. I was extremely competitive, participating in swimming and math competitions. My father was an electrical engineer, so I knew from an early age that I wanted to work with computers. I took seriously the subjects that were essential for achieving this.
It was in Hungary that I continued my studies and began studying electrical engineering. It became clear to me that algorithm competitions in computer science were even more challenging. I learned to code effectively by participating in one at least once a week. After that, I moved into the field of computer science as electrical engineering seemed too "old school."
My journey to cybersecurity has multiple aspects based on my life experience. Growing up in South Africa, everyday physical security is baked into your genes; everyday life, especially commuting, is very different there than here in Europe, where I live today.
At university, I became obsessed with encryption after realizing its power. The state, with its vast resources, is perceived as a superpower that has access to every bit of information in your life. I personally feel that it limits freedom, so I decided that I would like to build a product that can create a personal space in the digital world that remains private.
How would you explain your role to a non-technical audience?
I am surrounded by a constant noise of information regarding different threats that may affect my organization. There are literally hundreds of things on our radar that can be improved, and my job is to make sure that my team understands what our top risks are. The next step is to have a plan to mitigate these risks; each plan will have a different cost and will affect everyday work at the company.
Each potential project has three key attributes: risk, time and cost, and the human element. The first two are straightforward; the human element is always the most underestimated. Changing the way people work is never easy, and the change always must make their work easier. My job is to make sure these three aspects are continually in balance.
What advice would you give to someone wishing to start their career in cybersecurity?
Cybersecurity in my opinion is a specialization of a developer. Without a stable engineering background, you will limit your cybersecurity career. Supporting developers by being part of a security operations centre may be an easily attainable step. The end goal, however, is to serve developers as security engineers building and maintaining tools they can use to develop secure code. To get here you need to know how to build software.
Can you give an example of security issues at your jobs, and how you and your team fixed them?
Fixing security issues is a cat-and-mouse game. The attacker finds a way to cause harm, then we change the playing field to make the particular attack fail for the attacker. One example on this front is the way attackers try to divert our 2FA voice calls to premium-rate phone numbers to make money. Our job is to differentiate attackers from legitimate users.
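The answer above mentions attackers trying to route voice-call 2FA to premium-rate numbers and the need to tell them apart from real users. The following is an added illustration of the kind of guard a service can put in front of voice OTP delivery; it is not Tresorit's code and the interview does not say which controls they use. The blocked prefixes, the per-account and per-IP limits and the sample requests are all constructed for the example.

```python
"""Guard in front of voice-call one-time-password (OTP) delivery.

Added example (not Tresorit's code). The blocked-prefix list, thresholds and
the requests in run_sample() are constructed for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed for the example: E.164 prefixes this deployment refuses to call.
# A real deployment would take such ranges from its telephony provider's data.
BLOCKED_PREFIXES = ("+882", "+883", "+1900", "+44909")


@dataclass
class OtpRequest:
    account: str
    phone: str        # E.164 form, e.g. "+3612345678"
    source_ip: str
    ts: float         # unix timestamp of the request


@dataclass
class VoiceOtpGuard:
    per_account_limit: int = 3        # voice calls per account per window
    per_ip_limit: int = 10            # voice calls per source IP per window
    distinct_numbers_per_ip: int = 3  # distinct destinations one IP may drive per window
    window_s: float = 3600.0
    _by_account: dict = field(default_factory=lambda: defaultdict(deque))
    _by_ip: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(q: deque, now: float, window: float) -> None:
        # drop entries older than the sliding window (entries are (ts, phone))
        while q and now - q[0][0] > window:
            q.popleft()

    def decide(self, req: OtpRequest) -> str:
        """Return 'call' if the voice OTP may be placed, else 'refuse:<reason>'."""
        if not req.phone.startswith("+") or not req.phone[1:].isdigit():
            return "refuse:malformed-number"
        if req.phone.startswith(BLOCKED_PREFIXES):
            return "refuse:premium-rate-prefix"
        acct_q = self._by_account[req.account]
        ip_q = self._by_ip[req.source_ip]
        self._prune(acct_q, req.ts, self.window_s)
        self._prune(ip_q, req.ts, self.window_s)
        if len(acct_q) >= self.per_account_limit:
            return "refuse:account-rate-limit"
        if len(ip_q) >= self.per_ip_limit:
            return "refuse:ip-rate-limit"
        distinct = {phone for _, phone in ip_q}
        if req.phone not in distinct and len(distinct) >= self.distinct_numbers_per_ip:
            # one source address fanning out to many numbers is the toll-fraud shape
            return "refuse:ip-fan-out"
        acct_q.append((req.ts, req.phone))
        ip_q.append((req.ts, req.phone))
        return "call"


def run_sample() -> list:
    """Run constructed requests through the guard and return the decisions."""
    guard = VoiceOtpGuard()
    t0 = 1_700_000_000.0
    reqs = [
        OtpRequest("alice", "+3612345678", "203.0.113.5", t0),             # legitimate
        OtpRequest("m1", "+882123456789", "198.51.100.7", t0 + 1),         # blocked prefix
        OtpRequest("m2", "+4915112345678", "198.51.100.7", t0 + 2),
        OtpRequest("m3", "+4915112345679", "198.51.100.7", t0 + 3),
        OtpRequest("m4", "+4915112345680", "198.51.100.7", t0 + 4),
        OtpRequest("m5", "+4915112345681", "198.51.100.7", t0 + 5),        # 4th distinct number from one IP
        OtpRequest("alice", "+3612345678", "203.0.113.5", t0 + 10),
        OtpRequest("alice", "+3612345678", "203.0.113.5", t0 + 20),
        OtpRequest("alice", "+3612345678", "203.0.113.5", t0 + 30),        # 4th call for one account in an hour
    ]
    return [guard.decide(r) for r in reqs]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The per-IP fan-out rule is the one that catches the pattern described in the answer: a fraudster needs many calls to many numbers to make money, whereas a legitimate user asks for a code to one or two numbers. The prefix list is only a first filter, since premium-rate ranges change and attackers also use ordinary-looking numbers with revenue-share arrangements.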
Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
IT infrastructure can be very complex, with a huge number of components that are maintained by a relatively small workforce if you compare it with the workforce maintaining physical infrastructure. For this reason, extensive logging and monitoring of those logs are very important. Any change in behaviour is investigated; this not only improves security but also the performance and availability of our service.
What are common weaknesses in IT security strategies that companies often overlook?
The most common mistake by far is not thinking about company data at all. In other words, many companies do not think about their data as an asset. The most vulnerable companies are small organizations that have a few dozen laptops with employee files.
In this case, the only recoverable files will be the ones sent to each other via e-mail. The second most common mistake is not treating company credentials like an asset. A company that does not have a strategy to protect credentials, like using single sign-on and password managers, is the easiest to get into for hackers.
What are your thoughts on companies looking to prepare for CMMC compliance?
The capability domains of CMMC are very similar to those of SOC 2 or ISO 27001. When preparing for any compliance audit, look at all the controls one by one. For each control, find at least one area in the organization where you are doing a good job or where it would be the easiest to introduce. The next step is to make sure that company policies cover the controls you have implemented.
For smaller organizations new to compliance standards, I believe the easier approach is implementing an ad-hoc process based on a few bullet points first and then documenting it thoroughly because you never get it right the first time around. Finally, have a plan in place on how each control will be introduced company-wide. If you can show continual improvement in each area over a year you should be ready for an audit.
Most important of all is management support; there is a reason why all standards start with this point. Without management support, no project is successful.
What are your takes in response to the Log4shell incident?
The main issue is that you have a component (Log4j) that is a part of multiple systems that you are running, and for a lot of organizations there is no practical way to update it in every system. Now the obvious recommendation to any CIO is to never get into such a mess. The most important process for every software application is the update process. (This was, by the way, the first formal process Tresorit introduced back when it was a young company.)
As a software vendor:
- Only use components in your stack that are regularly maintained. (The use of Log4j was not a sin; fixes came really fast.)
- Be able to update components at lightning speed and push them to your customers.
- Vulnerabilities do not only appear in components you use, but in your own code.
- Perform regular penetration tests and implement a vulnerability disclosure and handling process.
- Review your components regularly and make sure that they are still maintained. If the component is abandoned, then immediate action is needed.
As a software buyer:
- Think about the maintenance of the software, will your organization maintain it or will it be hosted for you as a service?
If it is a SaaS product
- Look into the company's track record in managing vulnerabilities and put this into the review process
If you host the product
- Look into the company's track record in managing vulnerabilities and put this into the review process
- Make sure you can take immediate action on updating the software when needed.
- Do not create custom integrations that may break after a potential update; a lot of organizations are stuck with legacy software because of this.
- Review your software inventory, and take immediate action if an application becomes unsupported. Not taking action will come back to bite you. It is exactly the shortsightedness of organizations in delaying such projects, everywhere in the industry, that causes issues in the long term. Putting a vulnerable application behind a firewall is a band-aid that will hurt when it gets ripped off.
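The first thing most organizations lacked during Log4shell was the inventory the answer above keeps coming back to: which deployed artifacts actually contain log4j-core, and which version. The script below is an added example of how to build that inventory from a directory of Java archives; it is not Tresorit's tooling and not a complete Log4shell scanner. It reads the Maven `pom.properties` that log4j-core ships under `META-INF`, checks for the `JndiLookup` class (the class whose removal was one of the published mitigations), and recurses into nested JARs inside WAR/EAR files. The version floor of 2.17.1 is an assumed policy value; 2.15.0 was the first release that fixed the JNDI lookup behind Log4shell, and later releases fixed follow-up issues. The sample archives are constructed in a temporary directory so the script runs offline.

```python
"""Inventory of log4j-core inside JAR/WAR/EAR trees (added example, not Tresorit's code).

Signals per archive: the version from META-INF/maven/.../log4j-core/pom.properties
and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present.
Nested archives are scanned recursively. The version floor is an assumed policy.
"""
import io
import os
import re
import tempfile
import zipfile

LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(s: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 1); a '-beta9'/'-rc1' suffix sorts below the final release."""
    nums = tuple(int(p) for p in re.findall(r"\d+", s.split("-")[0]))
    nums = nums + (0,) * (3 - len(nums))
    return nums[:3] + ((0,) if "-" in s else (1,))


MIN_VERSION = parse_version("2.17.1")  # assumed policy floor, see lead-in


def scan_archive(data: bytes, path: str, min_version: tuple, findings: list) -> None:
    """Record log4j-core findings for one archive (held in memory) and its nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if LOG4J_POM in names:
            props = zf.read(LOG4J_POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                "below_minimum": version == "unknown" or parse_version(version) < min_version,
            })
        elif JNDI_CLASS in names:
            # class present without Maven metadata, e.g. a shaded/repackaged jar: treat as unknown
            findings.append({"path": path, "version": "unknown",
                             "jndi_lookup_present": True, "below_minimum": True})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    scan_archive(zf.read(name), f"{path}!/{name}", min_version, findings)
                except zipfile.BadZipFile:
                    continue  # nested entry is not a zip; skip it


def scan_tree(root: str, min_version: tuple = MIN_VERSION) -> list:
    """Walk root, scan every archive, return findings sorted by path relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as f:
                try:
                    scan_archive(f.read(), os.path.relpath(full, root), min_version, findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda x: x["path"])


def build_sample_tree(root: str) -> None:
    """Constructed test data: an old log4j-core, a patched one, and a WAR nesting an old one
    from which JndiLookup.class has been removed."""
    def log4j_jar(version: str, strip_jndi: bool = False) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(LOG4J_POM, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if not strip_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(log4j_jar("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(log4j_jar("2.17.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_jar("2.14.1", strip_jndi=True))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo() -> list:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two caveats a practitioner should keep in mind: nested archives are read fully into memory, so run this with size limits on untrusted trees, and a jar with an old version but no `JndiLookup.class` (the mitigated case in the sample WAR) still reports `below_minimum`, because the inventory should drive an upgrade rather than stop at the class removal.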
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
I believe that the cloud together with end-to-end encryption will play a bigger and bigger role in the IT sector. The cloud provides capabilities that are extremely easy to use at a fraction of the cost compared to maintaining everything in-house. The one downside of the cloud is the fact that there is a huge concentration of data in a few hands. Leveraging end-to-end encryption technologies organizations can retain control over their data rendering it opaque for the service provider.
End-to-end encryption is not a walk in the park for developers; it cannot just be added to a product by swapping out a few components. Each product needs to be designed from the ground up to support it. The transformation is a slow and steady process: we first saw it proliferate in the chat space; end-to-end encryption is not a novelty anymore, it is expected by customers. They want a guarantee that the chat service cannot read their private messages even if the chat service wanted to.
During the coronavirus pandemic, major video conferencing solutions have also introduced end-to-end encryption. The next step is the storage space with Tresorit in the lead. After the storage space comes basic business applications such as internal wikis, CRMs and so on. With end-to-end encryption everywhere hacking a server will not reveal any information to the hackers making their job much more difficult.